
Symantec Data Loss Prevention 16.0.1 Release Update (RU)

Version 16.0.1

Last updated: September 13, 2023


Table of Contents
About What's New in Data Loss Prevention 16.0.1........................................................................62
Enforce Server Features in Data Loss Prevention 16.0.1..........................................................................................62
Platform Features in Data Loss Prevention 16.0.1.....................................................................................................63
Endpoint Features in Data Loss Prevention 16.0.1....................................................................................................64
Discover Features in Data Loss Prevention 16.0.1.................................................................................................... 65
Detection Features in Data Loss Prevention 16.0.1................................................................................................... 66
Removed and Deprecated Features and Platforms in Data Loss Prevention 16.0.1.............................................. 69
Release Notes.....................................................................................................................................72
Subscribe to Receive Updates by Email..................................................................................................................... 72
Symantec Data Loss Prevention 16.0.1 Release Notes............................................................................................. 72
Fixed Issues in 16.0.1...............................................................................................................................................72
Installation and Upgrade Fixed Issues.............................................................................................................. 72
Enforce Server Fixed Issues............................................................................................................................. 73
Detection Fixed Issues...................................................................................................................................... 75
Discover Fixed Issues........................................................................................................................................75
Endpoint Fixed Issues....................................................................................................................................... 76
DLP Known Issues.........................................................................................................................................................77
Known Issues in 16.0.1............................................................................................................................................ 77
Endpoint Known Issues in 16.0.1......................................................................................................................77
Enforce Server Known Issues in 16.0.1............................................................................................................79
Detection Known Issues in 16.0.1.....................................................................................................................80
Discover Known Issues in 16.0.1...................................................................................................................... 80
Installation and Upgrade Known Issues in 16.0.1............................................................................................. 81
Known Issues in 16.0............................................................................................................................................... 81
Enforce Server Known Issues in 16.0...............................................................................................................81
Enforce Platform Known Issues in 16.0............................................................................................................ 81
Endpoint Known Issues in 16.0.........................................................................................................................82
Discover Known Issues in 16.0......................................................................................................................... 84
Detection Known Issues in 16.0........................................................................................................................84
Known issues in 16.0 MP1................................................................................................................................85
Known issues in 15.8 MP1....................................................................................................................................... 86
Detection known issues in 15.8 MP1................................................................................................................ 86
Endpoint known issues in 15.8 MP1................................................................................................................. 86
Known issues in 15.8 MP2....................................................................................................................................... 86
Installation and upgrade known issues in 15.8 MP2.........................................................................................87
Detection known issues in 15.8 MP2................................................................................................................ 87
Known issues in 15.8 MP3....................................................................................................................................... 87
Installation and upgrade known issues in 15.8 MP3.........................................................................................88
Endpoint known issues in 15.8 MP3................................................................................................................. 88
Symantec Data Loss Prevention Release Types........................................................................................................ 88
Major Release........................................................................................................................................................... 89
Minor Release........................................................................................................................................................... 89
Release Update.........................................................................................................................................................89
Getting started....................................................................................................................................91
About updates to the Symantec Data Loss Prevention Help Center....................................................................... 91
News and Alerts............................................................................................................................................................. 91
Subscribing to Alerts................................................................................................................................................. 91
Introducing Symantec Data Loss Prevention............................................................................................................. 92
About the Enforce Server platform........................................................................................................................... 93
About Network Monitor and Prevent........................................................................................................................ 93
About Network Discover........................................................................................................................................... 94
About Network Protect.............................................................................................................................................. 94
About Endpoint Discover.......................................................................................................................................... 95
About Endpoint Prevent............................................................................................................................................ 95
Getting Started Administering Symantec Data Loss Prevention..............................................................................95
About Symantec Data Loss Prevention administration............................................................................................ 96
About the Enforce Server administration console.................................................................................................... 96
Logging On and Off the Enforce Server Administration Console.............................................................................97
About the administrator account............................................................................................................................... 98
Performing Initial Setup Tasks.................................................................................................................................. 98
Changing the Administrator Password..................................................................................................................... 98
Adding an administrator email account.................................................................................................................... 99
Editing a user profile.................................................................................................................................................99
Changing your password........................................................................................................................................ 100
About support for character sets, languages, and locales..................................................................................... 101
Supported languages for detection........................................................................................................................... 101
Working with international characters.......................................................................................................................103
About Symantec Data Loss Prevention language packs........................................................................................ 103
About locales................................................................................................................................................................ 104
Using a non-English language on the Enforce Server administration console.................................................... 104
Using the Language Pack Utility................................................................................................................................105
Add a language pack on Linux...............................................................................................................................106
Remove a language pack....................................................................................................................................... 106
DLP System Requirements............................................................................................................. 107
About system requirements........................................................................................................................................107
About updates to Symantec Data Loss Prevention system requirements............................................................. 107
About deprecated platforms....................................................................................................................................107
System requirements and recommendations........................................................................................................... 107
Deployment planning considerations...................................................................................................................... 108
The Effect of Scale on System Requirements....................................................................................................... 108
Minimum System Requirements for Symantec Data Loss Prevention Servers..................................................... 109
Minimum Supported Hardware Requirements for Enforce Servers....................................................................... 110
Single-tier Installation Minimum Hardware Requirements......................................................................................110
Small Installation Hardware Recommendations..................................................................................................... 111
Medium Installation Hardware Recommendations................................................................................................. 113
Large Enterprise Hardware Recommendations......................................................................................................115
Operating system requirements for servers........................................................................................................... 118
Enforce Server, Detection Server, and Network Discover Cluster Requirements........................................... 118
Operating system requirements for Single Server deployments.....................................................................118
Operating System Requirements for the Domain Controller Agent................................................................ 119
Installing patches for Windows Server 2012 R2............................................................................................. 119
Installing fonts on Linux servers......................................................................................................................119
Linux partition guidelines................................................................................................................................. 120
System Requirements for OCR Servers.................................................................................................................121
Endpoint computer requirements for the Symantec DLP Agent............................................................................ 121
Minimum Hardware Requirements for Endpoints............................................................................................121
Windows Operating System Requirements for Endpoint Systems................................................................. 122
macOS operating system requirements for endpoint systems........................................................................124
Linux Operating System Requirements for Endpoint Systems....................................................................... 126
Supported languages for detection.........................................................................................................................127
Available language packs....................................................................................................................................... 128
Oracle database requirements................................................................................................................................128
Running Oracle 19c Standard Edition 2 software on alternate platforms....................................................... 129
Browser requirements for accessing the Enforce Server administration console.................................................. 130
Deploying Data Loss Prevention on public cloud infrastructures........................................................................... 130
Deploying Symantec Data Loss Prevention on Amazon Web Services infrastructure....................................130
Deploying Symantec Data Loss Prevention on Microsoft Azure.....................................................................131
Deploying Symantec Data Loss Prevention on Oracle Cloud.........................................................................131
Virtual machine support.......................................................................................................................................... 132
Virtual Server Support..................................................................................................................................... 132
Virtual desktop and virtual application support with Endpoint Prevent............................................................133
Supported operating systems for the EMDI, EDM, and IDM Remote Indexers..................................................... 134
Third-party software requirements and recommendations..................................................................................... 135
Required third-party software.......................................................................................................................... 135
Required Linux RPMs......................................................................................................................................136
Required Linux dependencies......................................................................................................................... 137
Recommended third-party software.................................................................................................................137
Product compatibility...................................................................................................................................................138
Environment Compatibility and Requirements for Network Prevent for Email and Cloud Prevent for Email Servers.................................................................................................................................................... 138
Proxy Server Compatibility with Network Prevent for Web.................................................................................... 139
SSL monitoring with Network Monitor.................................................................................................................... 139
Secure ICAP support for Network Prevent for Web...............................................................................................139
High-speed packet capture card.............................................................................................................................140
Veritas Data Insight compatibility with Symantec Data Loss Prevention............................................................... 140
Integrations with other Symantec products............................................................................................................ 141
Support for IPv6 addresses.................................................................................................................................... 142
Network Discover compatibility............................................................................................................................... 142
Supported File System Targets....................................................................................................................... 142
Supported IBM (Lotus) Notes targets..............................................................................................................143
Supported SQL database targets.................................................................................................................... 143
Supported SharePoint server targets.............................................................................................................. 144
Supported Exchange Server targets............................................................................................................... 144
Supported File System Scanner Targets.........................................................................................................145
Supported web server scanner targets........................................................................................................... 145
Endpoint Prevent Supported Applications.............................................................................................................. 145
Applications Supported by Endpoint Prevent on Windows............................................................................. 146
Applications Supported by Endpoint Prevent on macOS................................................................................149
Browser Beta Compatibility and Testing..........................................................................................................151
Support for Monitoring Applications Protected by System Integrity Protection............................................... 154
Implementing the Database............................................................................................................ 155
About this content....................................................................................................................................................... 155
About updates to the Oracle database content......................................................................................................155
About using this content to migrate the Symantec Data Loss Prevention database to Oracle 19c........................155
Overview—preparing to migrate the database................................................................................................155
Overview—migrating the database..................................................................................................................156
Preparing Oracle 19c for use with Symantec Data Loss Prevention..................................................................... 156
Using Oracle 19c with Symantec Data Loss Prevention........................................................................................ 156
Applying the latest Oracle Release Update (RU)............................................................................................157
About Oracle Real Application Clusters................................................................................................................. 158
About the Oracle multitenant environment............................................................................................................. 158
About deploying Oracle to Amazon Web Services (AWS)..................................................................................... 158
Installing Oracle 19c on Windows..............................................................................................................................158
About Installing Oracle 19c on Windows................................................................................................................159
Oracle Client Requirement...............................................................................................................................159
Oracle 19c Database Templates..................................................................................................................... 159
Steps to install Oracle 19c on Windows.................................................................................................................159
Preparing the Windows environment......................................................................................................................160
Installing the Oracle 19c software on Windows..................................................................................................... 161
Creating the Symantec Data Loss Prevention database on Windows...................................................................162
Creating the Symantec Data Loss Prevention database on RAC with a multitenant environment on Windows.....164
Verifying the PDB database for RAC on Windows............................................................................................... 165
Configuring the database connection on Windows................................................................................................ 166
Configuring the TNS Listener and Net Service Name.................................................................................... 166
Verifying tnsnames.ora contents...................................................................................................................... 167
Modifying the listener.ora file............................................................................................................................168
Verifying that the PDB listener is created and registered on Windows.................................................................. 169
Setting the protect PDB to autostart on Windows..................................................................................................171
Adding required tablespaces to the PDB database on Windows...........................................................................172
Creating the Oracle user account for Symantec Data Loss Prevention on Windows............................................ 173
Verifying the Symantec Data Loss Prevention database on Windows...................................................................174
Installing Oracle 19c on Linux....................................................................................................................................174
About installing Oracle 19c on Linux......................................................................................................................175
Oracle Client requirement................................................................................................................................ 175
Oracle 19c database templates.......................................................................................................................175
Steps to install Oracle 19c on Linux...................................................................................................................... 176
Performing the Linux preinstallation steps..............................................................................................................176
Preparing the Linux environment.....................................................................................................................177
Installing the Oracle 19c software on Linux........................................................................................................... 178
Creating the Symantec Data Loss Prevention database on Linux.........................................................................180
Creating the Symantec Data Loss Prevention database on RAC with a multitenant environment on Linux.......... 182
Verifying the PDB database on Linux.....................................................................................................................183
Configuring the database connection on Linux...................................................................................................... 184
Configuring TNS Listener and Net Service Name.......................................................................................... 184
Verifying tnsnames.ora contents...................................................................................................................... 185
Modifying the listener.ora file............................................................................................................................186
Verifying that the PDB listener is created and registered on Linux........................................................................188
Setting the protect PDB to autostart on Linux........................................................................................................190
Adding required tablespaces to the PDB database on Linux.................................................................................190
Verifying the Symantec Data Loss Prevention database on Linux........................................................................ 191
Creating the Oracle user account for Symantec Data Loss Prevention on Linux.................................................. 192
Configuring automatic startup and shutdown of the database............................................................................... 193
Upgrading the database to Oracle 19c......................................................................................................................193
About upgrading the Symantec Data Loss Prevention database to Oracle 19c.................................................... 193
Steps to upgrade the Symantec Data Loss Prevention database to Oracle 19c................................................... 193
Setting Privileges for the Oracle User.............................................................................................................193
Upgrading to Oracle 19c................................................................................................................................. 194
Migrating the database to Oracle 19c........................................................................................................................195
About migrating the Symantec Data Loss Prevention database to Oracle 19c..................................................... 195
Steps to migrate the Symantec Data Loss Prevention database to Oracle 19c.................................................... 196
Confirm the schema row count before the export on Windows...................................................................... 197
Confirm the schema row count before the export on Linux............................................................................ 198
Confirm the DATA PUMP directory................................................................................................................. 198
Stop all Symantec Data Loss Prevention services......................................................................................... 199
Export the database from the Oracle source database system......................................................................199
Add data files for large databases.................................................................................................................. 200
Import the database to the Oracle 19c system...............................................................................................201
Connect the Enforce Server to the Oracle 19c database............................................................................... 202
Update the database server connection on Windows.....................................................................................202
Update the database server connection on Linux...........................................................................................203
Restart all Symantec Data Loss Prevention services..................................................................................... 203
Confirm the schema row count after the import on Windows......................................................................... 203
Confirm the schema row count after the import on Linux............................................................................... 204
Migrating to an Oracle multitenant environment on Windows................................................................................205
Migrating to an Oracle multitenant environment on Linux......................................................................................205
Installing DLP................................................................................................................................... 207
Planning the installation..............................................................................................................................................207
About installation tiers.............................................................................................................................................207
About single sign-on............................................................................................................................................... 208
About hosted Network Prevent deployments......................................................................................................... 209
About Symantec Data Loss Prevention system requirements............................................................................... 209
Symantec Data Loss Prevention Required Items...................................................................................................209
Standard ASCII characters required for all installation parameters....................................................................... 210
Performing a three-tier installation—high-level steps............................................................................................. 210
Performing a two-tier installation—high-level steps................................................................................................212
Performing a single-tier installation—high-level steps............................................................................................ 213
Symantec Data Loss Prevention Preinstallation Steps.......................................................................................... 214
Confirming the Oracle database user permissions................................................................................................ 215
About external storage for incident attachments.................................................................................................... 216
Verifying that servers are ready for Symantec Data Loss Prevention installation.................................................. 216
Installing an Enforce Server....................................................................................................................................... 218
Preparing for an Enforce Server installation.......................................................................................................... 218
Installing on Windows............................................................................................................................................. 219
Installing the Java Runtime Environment on the Enforce Server on Windows............................................... 219
Installing an Enforce Server on Windows........................................................................................................219
Installing on Linux................................................................................................................................................... 224
Installing the Java Runtime Environment on the Enforce Server on Linux..................................................... 224
Signing RPM Files for Server Components.....................................................................................................224
Installing an Enforce Server on Linux............................................................................................................. 225
Configuring a new Enforce Server installation on Linux................................................................................. 225
Verifying an Enforce Server installation..................................................................................................................230
Installing a New License File..................................................................................................................................231
Importing a solution pack........................................................................................................................................... 231
About Symantec Data Loss Prevention solution packs..........................................................................................231
Importing a Solution Pack.......................................................................................................................................232
Installing and registering detection servers............................................................................................................. 234
Detection Servers.................................................................................................................................................... 234
Network Discover Clusters......................................................................................................................................235
Preparing for a Detection Server Installation......................................................................................................... 236
Installing a detection server on Windows...............................................................................................................236
Install the Java Runtime Environment on a detection server on Windows..................................................... 237
Installing a detection server on Windows........................................................................................................237
Preparing Your Environment for Microsoft Rights Management File Monitoring.............................................240
Installing a Network Discover Cluster on Windows................................................................................................243
Before you Begin............................................................................................................................................. 243
Steps to Install a Network Discover Cluster on Windows............................................................................... 243
Installing a detection server on Linux.....................................................................................................................248
Installing the Java Runtime Environment on a Detection Server on Linux..................................................... 249
Installing a detection server on Linux..............................................................................................................249
Configuring a Detection Server....................................................................................................................... 250
Installing a Network Discover Cluster on Linux......................................................................................................251
Before you Begin............................................................................................................................................. 251
Steps to Install a Network Discover Cluster on Linux..................................................................................... 251
Verifying a Detection Server or Node Installation....................................................................................................257
Registering a detection server................................................................................................................................ 257
Configuring certificates for secure server communications...................................................................................259
About the sslkeytool utility and server certificates..................................................................................................259
About sslkeytool Command Line Options....................................................................................................... 259
Using sslkeytool to generate new Enforce Server and detection server certificates.......................................261
Using sslkeytool to add new detection server certificates...............................................................................262
Verifying server certificate usage.....................................................................................................................264
About securing communications between the Enforce Server and the database.................................................. 264
About orapki command line options................................................................................................................ 265
Using orapki to generate the server certificate on the Oracle database.........................................................265
Configuring communication on the Enforce Server.........................................................................................267
Configuring the Server Certificate on the Enforce Server...............................................................................269
Verifying the Enforce Server database certificate usage................................................................................ 270
About securing communications between the Enforce Server and Amazon RDS for Oracle................................ 270
Configuring Oracle RDS Option Group with SSL............................................................................................271
Configuring the Server Certificate on the Enforce Server...............................................................................271
Setting up an SSL connection over JDBC...................................................................................................... 272
Verifying the Enforce Server-Oracle RDS database certificate usage............................................................ 272
Installing the domain controller agent to identify users in incidents.................................................................... 273
About the domain controller agent......................................................................................................................... 273
Domain controller agent installation prerequisites..................................................................................................273
Installing the domain controller agent.....................................................................................................................274
Domain controller agent post-installation tasks...................................................................................................... 275
Exclude an IP address or IP range from event collection...............................................................................275
Updating configuration settings after installation.............................................................................................275
Troubleshooting the domain controller agent......................................................................................................... 276
Uninstalling the domain controller agent................................................................................................................ 277
Performing a single-tier installation...........................................................................................................................277
Preparing for a single-tier installation..................................................................................................................... 277
Install a single-tier system on Windows................................................................................................................. 277
Installing the Java Runtime Environment for a Single-tier Installation on Windows........................................277
Installing a single-tier server on Windows.......................................................................................................278
Install a single-tier server on Linux.........................................................................................................................282
Installing the Java Runtime Environment for a single-tier installation.............................................................283
Installing a single-tier server on Linux............................................................................................................. 283
Configuring a new single-tier installation.........................................................................................................283
Verifying a single-tier installation............................................................................................................................ 287
Policy authoring considerations.............................................................................................................................. 288
About migrating to a two-tier deployment...............................................................................................................288
Registering the Single Tier Monitor........................................................................................................................ 288
Installing Symantec DLP Agents................................................................................................................................289
About secure communications between DLP Agents and Endpoint Servers......................................................... 290
Generating agent installation packages.......................................................................................................... 291
Agent installation package contents................................................................................................................ 293
Identify security applications running on endpoints................................................................................................294
About Endpoint Server redundancy........................................................................................................................295
Installing the DLP Agent on Windows.....................................................................................................................295
Use the Elevated Command Prompt with Windows 10.................................................................................. 296
Install the DLP Agent for Windows Manually..................................................................................................297
Install the DLP Agent for Windows silently..................................................................................................... 297
Confirming that the Windows agent is running............................................................................................... 300
What gets installed for DLP Agents installed on Windows endpoints.............................................................300
Installing the DLP Agent for macOS.......................................................................................................................301
Understanding the DLP Agent Installation Process........................................................................................ 301
Before You Begin............................................................................................................................................. 302
Steps to Install the Agent on macOS Endpoints.............................................................................................302
Complete macOS Endpoint Agent Installation Prerequisites.......................................................................... 302
Install the DLP Agent for macOS.....................................................................................................................310
Confirm that the macOS agent is running.......................................................................................................316
Troubleshoot the macOS Agent Installation.................................................................................................... 316
Installing the DLP Agent on Linux.......................................................................................................................... 316
Before You Begin the Installation.................................................................................................................... 317
Steps to Install the Agent on Linux Endpoints.................................................................................................317
Complete the Linux Endpoint Agent Installation Prerequisites....................................................................... 317
Sign RPM Files for Linux Endpoints............................................................................................................... 318
Install the DLP Agent for Linux....................................................................................................................... 318
Confirm That the Linux Agent is Running....................................................................................................... 319
Endpoint Tools.........................................................................................................................................................319
Preparing to Use Endpoint Tools.....................................................................................................................321
Shutting Down the Agent and Watchdog Services on Endpoints................................................................... 322
Inspecting the Database Files Accessed by the Agent...................................................................................322
Viewing Extended Log Files............................................................................................................................ 323
Using the Device ID Utilities............................................................................................................................325
Generating Third-party Application Information Using the GetAppInfo Tool....................................................327
Starting Agents That Have Been Shutdown................................................................................................... 328
About uninstallation passwords.............................................................................................................................. 329
Using uninstallation passwords....................................................................................................................... 329
Upgrading agents and uninstallation passwords.............................................................................................330
About agent password management...............................................................................................................330
Installing language packs........................................................................................................................................... 330
About Symantec Data Loss Prevention language packs....................................................................................... 331
About locales...........................................................................................................................................................331
Using a non-English language on the Enforce Server administration console...................................................... 331
Using the Language Pack Utility............................................................................................................................ 332
Add a language pack on Windows..................................................................................................................333
Add a language pack on Linux....................................................................................................................... 333
Remove a language pack................................................................................................................................334
Post-installation tasks................................................................................................................................................. 334
About post-installation tasks................................................................................................................................... 335
Backing up your system after installation...............................................................................................................335
About post-installation security configuration......................................................................................................... 335
About server security and SSL/TLS certificates..............................................................................................335
About Symantec Data Loss Prevention and antivirus software...................................................................... 339
Corporate firewall configuration....................................................................................................................... 342
Windows security lockdown guidelines........................................................................................................... 342
Windows Administrative security settings........................................................................................................344
About System Events and Syslog Servers.............................................................................................................347
Enforce Servers and unused NICs.........................................................................................................................347
Performing initial setup tasks on the Enforce Server............................................................................................. 348
Set up Symantec Data Loss Prevention......................................................................................................... 348
Add SQL*Plus to the SymantecDLP user path............................................................................................... 349
About FIPS encryption............................................................................................................................................ 349
Configuring Internet Explorer when using FIPS..................................................................................................... 349
Upgrading DLP................................................................................................................................. 351
Preparing to upgrade...................................................................................................................................................351
About Updates to the Symantec Data Loss Prevention Upgrade Content.............................................................351
Preparing to Upgrade Symantec Data Loss Prevention........................................................................................ 351
Symantec Data Loss Prevention Upgrade Phases................................................................................................ 352
Minimum System Requirements for Upgrading to the Current Release................................................................ 353
Requirement for Language Pack Upgrades........................................................................................................... 354
Preparing the Oracle Database for a Symantec Data Loss Prevention Upgrade.................................................. 354
Checking the database update readiness....................................................................................................... 354
Setting ORACLE_HOME and PATH variables................................................................................................ 364
Confirming the Oracle database user permissions......................................................................................... 364
Enabling Network Detection Uptime Protection...................................................................................................... 365
Backward Compatibility for Agent Upgrades.......................................................................................................... 365
Upgrade Requirements and Restrictions................................................................................................................366
Preparing your system for the upgrade..................................................................................................................367
Deleting ICT Components Before Upgrading......................................................................................................... 368
Deleting ICE components from the Enforce Server............................................................................................... 368
Remove ICE response rules........................................................................................................................... 369
Remove ICE settings....................................................................................................................................... 369
Disable ICE settings in the agent configuration.............................................................................................. 369
Preparing Your Environment for Microsoft Rights Management File Monitoring....................................................369
Prepare the AD RMS Environment for RMS Monitoring................................................................................. 370
Prepare the Azure RMS environment for RMS monitoring............................................................................. 370
Enabling Microsoft Rights Management File Monitoring................................................................................. 370
Upgrading to a new release........................................................................................................................................372
Upgrading Symantec Data Loss Prevention...........................................................................................................372
Downloading and extracting the upgrade software................................................................................................ 373
Migrating on Windows.............................................................................................................................................374
Migrating the Previous Version to a New Enforce Server Installation on Windows........................................ 374
Migrating a Previous Version Detection Server or Cluster to the Latest Version on Windows........................ 379
Migrating previous version data to a new single-tier installation on Windows................................................ 389
Migrating on Linux...................................................................................................................................................394
Migrating the previous version to a new Enforce Server installation on Linux................................................394
Migrating a Previous Version Detection Server or Cluster to the Latest Version on Linux..............................398
Migrating Previous Version Data to a New Single-Tier Installation on Linux.................................................. 408
Parameters for install.sh.................................................................................................................................. 411
Backing up your system......................................................................................................................................... 411
Verifying that the Enforce Server and the detection servers are running...............................................................412
Applying the updated configuration to Endpoint Prevent servers.......................................................................... 412
Upgrading your scanners........................................................................................................................................412
Upgrading Endpoint Prevent group directory connections..................................................................................... 412
Upgrading or installing Npcap for Network Monitor................................................................................................412
Updating an appliance............................................................................................................................................ 413
Upgrading Symantec DLP Agents..............................................................................................................................413
About Symantec Data Loss Prevention Agent upgrades....................................................................................... 413
Secure Communications between DLP Agents and Endpoint Servers..................................................................414
Generating agent installation packages.......................................................................................................... 415
Agent installation package contents................................................................................................................ 417
Working with endpoint certificates................................................................................................................... 419
Process to upgrade the DLP Agent on Windows...................................................................................................419
Upgrading previous version DLP Agents with Windows Safe Mode monitoring enabled............................... 420
Upgrading the Windows agent manually.........................................................................................................420
Upgrading the Windows agent silently............................................................................................................ 420
Process to upgrade the DLP Agent on Mac........................................................................................................... 421
Packaging Mac agent upgrade files................................................................................................................ 422
Upgrading the DLP Agent for Mac manually.................................................................................................. 423
Upgrading DLP Agents on Mac endpoints silently.......................................................................................... 424
Confirming that the Mac agent is Running......................................................................................................424
What gets upgraded for DLP Agents on Mac endpoints................................................................................. 425
Upgrading the DLP Agent on Linux........................................................................................................................425
Before You Begin the Upgrade........................................................................................................................425
Steps to Install the Agent on Linux Endpoints.................................................................................................426
Completing the Linux Endpoint Agent Upgrade Prerequisites........................................................................ 426
Signing RPM Files for Linux Endpoints...........................................................................................................426
Performing the DLP Agent Upgrade for Linux................................................................................................ 427
Confirm That the Linux Agent is Running....................................................................................................... 428
Post-upgrade tasks...................................................................................................................................................... 428
Verifying Symantec Data Loss Prevention operations........................................................................................... 429
Updating Connections to the Cloud Detection Service.......................................................................................... 429
Syncing the Application Detection Configurations to Cloud Detectors............................................................429
Adding a Cloud Detector and Configuring Gatelets or Securlets....................................................................429
Migrating Plug-ins....................................................................................................................................................430
About securing communications between the Enforce Server and the database.................................................. 431
About orapki command line options................................................................................................................ 431
Using orapki to generate the server certificate on the Oracle database.........................................................432
Configuring communication on the Enforce Server.........................................................................................434
Configuring the Server Certificate on the Enforce Server...............................................................................436
Verifying the Enforce Server database certificate usage................................................................................ 437
About remote indexers............................................................................................................................................437
About updating the JRE to the latest version.........................................................................................................437
Steps to update the JRE................................................................................................................................. 437
Backing up the cacerts file.............................................................................................................................. 438
Installing the OpenJRE.................................................................................................................................... 438
Updating the JRE to the latest version on Windows.......................................................................................439
Updating the JRE to the latest version on Linux............................................................................................ 440
Reinstate CA certificates................................................................................................................................. 442
Reverting a JRE version to a previous release.............................................................................................. 442
Symantec Data Loss Prevention upgrade troubleshooting and recovery............................................................. 443
About troubleshooting Symantec Data Loss Prevention upgrade problems.......................................................... 443
Stop all Symantec Data Loss Prevention database sessions................................................................................ 444
Troubleshooting Enforce Server services............................................................................................................... 445
Rolling back to the previous Symantec Data Loss Prevention release..................................................................445
Reverting the Enforce Server to a Previous Release..................................................................................... 446
Reverting Detection Servers and Network Discover Clusters to the Previous Release.................................. 447
Creating the Enforce Reinstallation Resources file................................................................................................ 449
Creating the Enforce Reinstallation Resources file on Windows.....................................................................449
Creating the Enforce Reinstallation Resources file on Linux...........................................................................449
Maintaining the DLP System...........................................................................................................450
About the System Maintenance Schedule................................................................................................................ 450
Understanding Underlying System Resources.........................................................................................................451
Enforce Server Directory Structure.........................................................................................................................451
Detection Server and Network Discover Cluster Directory Structure..................................................................... 453
Detection Server.............................................................................................................................................. 453
Network Discover Cluster................................................................................................................................ 455
Incident Attachment External Storage Directory.....................................................................................................456
Configuring the Incident Attachment External Storage Directory after Installation or Upgrade....................... 457
Disable External Storage for Incident Attachments.........................................................................................457
Symantec Data Loss Prevention Services............................................................................................................. 457
Increase the Max Memory............................................................................................................................... 458
Starting and Stopping Services on Windows.................................................................................................. 458
Starting and Stopping Services on Linux........................................................................................................ 461
Using Log Files....................................................................................................................................................... 463
DLP Agent Logs......................................................................................................................................................464
Symantec Data Loss Prevention System Statistics................................................................................................464
Monitoring the Incident Count.................................................................................................................................464
Incident Hiding.........................................................................................................................................................465
System Event Reports and Alerts..............................................................................................................................466
System Events........................................................................................................................................................ 466
System Events Reports................................................................................................................................... 467
Server and Detectors Event Detail..................................................................................................................469
Working with Saved System Reports.............................................................................................................. 470
Configuring Event Thresholds and Triggers.................................................................................................... 471
About System Event Responses..................................................................................................... 472
Enabling a Syslog Server................................................................................................................................ 473
System Alerts.......................................................................................................................................................... 474
Configuring the Enforce Server to Send Email Alerts.....................................................................................475
Configuring System Alerts............................................................................................................................... 476
Using Diagnostic Tools................................................................................................................................................477
Diagnostic Tools...................................................................................................................................................... 478
System Information Review.................................................................................................................................... 478
Log Collection Utility............................................................................................................................................... 478
Working with the DLP database..................................................................................................................................479
Working with Symantec Data Loss Prevention database diagnostic tools.............................................................479
Viewing Tablespaces and Data File Allocations..................................................................................................... 479
Adjusting warning thresholds for tablespace usage in large databases................................................................ 480
Generating a Database Report...............................................................................................................................481
Viewing Table Details.............................................................................................................................................. 481
Recovering from Symantec Data Loss Prevention database connectivity issues.................................................. 482
Backing Up and Recovering on Windows.................................................................................................................482
About Backup and Recovery on Windows............................................................................................................. 483
About periodic system backups on Windows......................................................................................................... 483
About scheduling a system backup on Windows............................................................................................484
About partial backups on Windows........................................................................................................................ 484
Preparing the backup location on Windows........................................................................................................... 484
Determining the Size of the Backup on Windows...........................................................................................485
Identifying a backup location on Windows...................................................................................................... 486
Creating Backup Directories on Windows....................................................................................................... 487
Performing a cold backup of the Oracle database on Windows............................................................................ 487
Creating Recovery Aid Files on Windows.......................................................................................................488
Collecting a List of Files to be Backed up...................................................................................................... 489
Creating a Copy of the spfile on Windows................................................................................................. 489
Shutting Down the Symantec Data Loss Prevention System on Windows.....................................................490
Copying the database files to the backup location on Windows.....................................................................490
Restarting the system on Windows.................................................................................................................491
Backing up the server configuration files on Windows...........................................................................................491
Backing up files stored on the file system on Windows.........................................................................................492
Backing up custom configuration changes on Windows................................................................................. 492
Backing up system logs on Windows..............................................................................................................492
Backing up keystore files on Windows............................................................................................................493
Backing up the Network Discover incremental scan index on Windows.........................................................493
Backing up services on Windows....................................................................................................................494
Oracle hot backups on Windows platforms............................................................................................................494
About Windows System Recovery..........................................................................................................................494
Recovery Information Worksheet for Windows................................................................................................494
About recovering your system on Windows platforms.................................................................................... 495
Backing up and recovering on Linux........................................................................................................................ 500
About backup and recovery on Linux.....................................................................................................................501
About periodic system backups on Linux...............................................................................................................501
About Scheduling a System Backup on Linux................................................................................................ 501
About partial backups on Linux.............................................................................................................................. 502
Preparing the backup location on Linux................................................................................................................. 502
Determining the Size of the Backup on Linux.................................................................................................502
Identifying a backup location on Linux............................................................................................................ 504
Creating backup directories on Linux..............................................................................................................505
Performing a Cold Backup of the Oracle Database on Linux................................................................................ 505
Creating Recovery Aid Files on Linux.............................................................................................................506
Collecting a list of files to be backed up......................................................................................................... 507
Creating a Copy of the spfile on Linux....................................................................................................... 507
Shutting Down the Symantec Data Loss Prevention System on Linux...........................................................508
Copying the Database Files to the Backup Location on Linux....................................................................... 509
Restarting the System on Linux...................................................................................................................... 509
Backing up the server configuration files on Linux................................................................................................ 510
Backing up Files Stored on the File System on Linux........................................................................................... 510
Backing up custom configuration changes on Linux.......................................................................................511
Backing up System Logs on Linux..................................................................................................................511
Backing up Keystore Files on Linux................................................................................................................512
Backing up the Network Discover Incremental Scan Index on Linux............................................................. 512
Backing up Services on Linux......................................................................................................................... 513
Oracle hot backups on Linux platforms..................................................................................................................513
Recovering Your System on Linux......................................................................................................................... 513
Recovery Information Worksheet for Linux..................................................................................................... 513
About recovering the database on Linux........................................................................................................ 514
Restoring an Existing Database on Linux....................................................................................................... 515
Creating a New Database on Linux................................................................................................................ 516
Recovering the Enforce Server on Linux........................................................................................................ 517
Recovering a Detection Server on Linux........................................................................................................ 518
Log files.........................................................................................................................................................................518
Operational Log Files..............................................................................................................................................519
Debug Log Files......................................................................................................................................................520
Log collection and configuration screen................................................................................................................. 524
Configuring Server Logging Behavior.....................................................................................................................525
Change the Log Configuration for a Symantec Data Loss Prevention Server................................................527
Collecting Server Logs and Configuration Files..................................................................................................... 528
About log event codes............................................................................................................................................ 531
Network Prevent for Web Operational Log Files and Event Codes....................................................................... 531
Network Prevent for Web Access Log Files and Fields.........................................................................................532
Network Prevent for Web protocol debug log files.................................................................................................533
Network Prevent for Email Log Levels................................................................................................................... 534
Network Prevent for Email operational log codes.................................................................................................. 534
Network Prevent for Email Originated Responses and Codes.............................................................................. 536
Uninstalling Data Loss Prevention components...................................................................................................... 538
Uninstalling a server............................................................................................................................................... 538
Creating the Enforce Reinstallation Resources file................................................................................................ 539
Creating the Enforce Reinstallation Resources file on Windows.....................................................................539
Creating the Enforce Reinstallation Resources file on Linux...........................................................................539
Uninstalling a server from a Windows system....................................................................................................... 539
Uninstalling Using a Graphical User Interface.................................................................................................540
Uninstalling Silently.......................................................................................................................................... 540
Uninstalling a Server from a Linux system.............................................................................................................540
About Symantec DLP Agent removal..................................................................................................................... 541
Removing a DLP Agent from a Windows endpoint.........................................................................................541
Removing DLP Agents from Windows Endpoints Using System Management Software............................... 541
Removing DLP Agents from Mac endpoints Using System Management Software....................................... 542
Removing a DLP Agent from a Mac Endpoint................................................................................................543
Removing a DLP Agent from a Linux Endpoint.............................................................................................. 543
About High Availability and Disaster Recovery for Symantec Data Loss Prevention.......................................... 543
Testing and Qualification Disclaimer.......................................................................................................................544
Governance Considerations....................................................................................................................................544
General Considerations for DLP Data Flow and Incident Data Storage......................................................... 544
Best-Practice Considerations for Optimizing Symantec Data Loss Prevention for High Availability and Disaster Recovery.......................................................................................... 545
Regulatory Requirements Affecting High Availability and Disaster Recovery................................................. 545
Cybersecurity Control Frameworks..................................................................................................................545
Control Categories........................................................................................................................................... 546
Architectural Considerations................................................................................................................................... 546
Oracle Architectural Considerations................................................................................................................ 547
Enforce Server Architectural Considerations...................................................................................................548
Detection Server Architectural Considerations................................................................................................ 549
Cloud Architectural Considerations................................................................................................................. 551
Best Practices......................................................................................................................................................... 551
Configure Oracle 19c Enterprise Edition for High Availability and Disaster Recovery.................................... 552
Configure Oracle 19c Standard Edition for High Availability and Disaster Recovery......................................553
Configure the Enforce Server for High Availability and Disaster Recovery.....................................................554
Configure Detection Servers for High Availability and Disaster Recovery...................................................... 561
Configure Network Discover Clusters for High Availability and Disaster Recovery........................................ 568
Configure Information Centric Analytics for High Availability and Disaster Recovery..................................... 570
Managing the Enforce Server......................................................................................................... 574
Managing Enforce Server services and settings......................................................................................................574
Symantec Data Loss Prevention Services............................................................................................................. 574
Increase the Max Memory............................................................................................................................... 575
Starting and Stopping Services on Windows......................................................................................................... 575
Starting an Enforce Server on Windows......................................................................................................... 575
Stopping an Enforce Server on Windows....................................................................................................... 576
Starting a Detection Server on Windows........................................................................................................ 576
Stopping a Detection Server on Windows...................................................................................................... 576
Starting Services on Single-tier Windows Installations................................................................................... 577
Stopping Services on Single-tier Windows Installations..................................................................................577
Starting and Stopping Services on Linux............................................................................................................... 577
Starting an Enforce Server on Linux............................................................................................................... 578
Stopping an Enforce Server on Linux............................................................................................................. 578
Starting a Detection Server on Linux.............................................................................................................. 578
Stopping a Detection Server on Linux............................................................................................................ 578
Starting services on single-tier Linux installations...........................................................................................579
Stopping Services on Single-tier Linux Installations....................................................................................... 579
Working with General Settings............................................................................................................................... 579
About protocol filtering............................................................................................................................................ 580
Traffic screen (Traffic report)........................................................................................................................... 580
Traffic screen (Traffic detail)............................................................................................................................ 581
Protocols screen.............................................................................................................................................. 582
Configure a protocol........................................................................................................................................ 583
Protocol configuration examples......................................................................................................................590
About Enforce Server screen load performance.................................................................................................... 592
Test platform and configurations......................................................................................................................592
About screen load performance testing.......................................................................................................... 592
Enforce Server screen load test results.......................................................................................................... 593
About the Endpoint and Network Discover communications settings.................................................................... 594
Managing roles and users...........................................................................................................................................595
About role-based access control............................................................................................................................ 595
About authenticating users..................................................................................................................................... 596
Configuring user authentication.............................................................................................................................. 598
About SAML authentication............................................................................................................................. 598
Setting up authentication................................................................................................................................. 598
Administrator Bypass URL...............................................................................................................................599
Set up and configure the authentication method............................................................................................ 599
Set up the SAML authentication configuration................................................................................................ 600
Set Up the IdP Authentication Method............................................................................................................601
Generate or download Enforce (service providers) SAML metadata..............................................................601
Configure the Enforce Server as a SAML service provider with the IdP (Create an application in your identity provider)........................................................................................................................... 602
Export the IdP metadata to DLP..................................................................................................................... 602
Configuring Active Directory authentication.....................................................................................................602
Configuring forms-based authentication.......................................................................................................... 603
Configuring certificate authentication...............................................................................................................603
About configuring roles and users..........................................................................................................................603
About recommended roles for your organization................................................................................................... 603
Roles included with solution packs.........................................................................................................................604
Configuring Roles....................................................................................................................................................605
Configuring user accounts...................................................................................................................................... 610
Configuring user authentication and role assignment using Active Directory........................................................ 612
Steps to use AD to provide user access to the Enforce Server administration console................................. 612
Upgrading manually managed roles to AD-managed roles............................................................................ 615
Configuring password enforcement settings...........................................................................................................615
Resetting the Administrator Password....................................................................................................................615
Manage and add roles............................................................................................................................................616
Manage and add users...........................................................................................................................................616
Integrating Active Directory for user authentication................................................................................................617
Creating the Configuration File for Active Directory Integration...................................................................... 618
Verifying the Active Directory connection........................................................................................................ 619
Configuring the Enforce Server for Active Directory authentication................................................................ 619
About certificate authentication configuration......................................................................................................... 620
Configuring Certificate Authentication for the Enforce Server Administration Console................................... 621
Adding certificate authority (CA) certificates to the Tomcat trust store........................................................... 623
Mapping Common Name (CN) values to Symantec Data Loss Prevention user accounts.............................625
About certificate revocation checks................................................................................................................. 625
Troubleshooting Certificate Authentication...................................................................................................... 627
Disabling password authentication and forms-based logon............................................................................ 628
Connecting to group directories................................................................................................................................ 628
Creating connections to LDAP servers.................................................................................................................. 628
Configuring directory server connections............................................................................................................... 629
Scheduling Directory Server Indexing.................................................................................................................... 630
Credential Store............................................................................................................................................................631
Adding new credentials to the credential store...................................................................................................... 632
Configuring endpoint credentials............................................................................................................................ 632
Managing credentials in the credential store..........................................................................................................633
Managing Stored Credentials................................................................................................................................. 633
Add a Stored Credential.................................................................................................................................. 633
Delete a Stored Credential.............................................................................................................................. 634
Edit a Stored Credential.................................................................................................................................. 634
Managing System Events and Messages..................................................................................................................634
Using Audit Logs.....................................................................................................................................................634
System Events........................................................................................................................................................ 635
System Events Reports.......................................................................................................................................... 636
Filter the List of System Events by Date of Occurrence.................................................................................637
Apply Additional Advanced Filters................................................................................................................... 637
Working with Saved System Reports..................................................................................................................... 638
Server and Detectors Event Detail......................................................................................................................... 639
Configuring Event Thresholds and Triggers........................................................................................................... 640
About System Event Responses............................................................................................................ 641
Enabling a Syslog Server....................................................................................................................................... 642
System Alerts.......................................................................................................................................................... 643
Configuring the Enforce Server to Send Email Alerts............................................................................................ 644
Configuring System Alerts...................................................................................................................................... 645
About Log Review...................................................................................................................................................646
System event codes and messages.......................................................................................................................647
Managing the Symantec Data Loss Prevention database....................................................................................... 666
Working with Symantec Data Loss Prevention database diagnostic tools.............................................................666
Viewing Tablespaces and Data File Allocations..................................................................................................... 666
Adjusting warning thresholds for tablespace usage in large databases......................................................... 667
Generating a Database Report........................................................................................................................668
Viewing Table Details.............................................................................................................................................. 668
Secure Communications Between DLP Agents and Endpoint Servers................................................................. 669
Configuring Endpoint Prevent Servers to Use Custom Certificates....................................................................... 670
Configuring DLP Agents to Use Custom Certificates.............................................................................................671
Adding and Modifying Custom Keystores for Endpoint Prevent Servers............................................................... 672
Adding and Modifying Custom Truststores for Endpoints and Endpoint Prevent Servers......................................673
Deleting Custom Keystores and Truststores.......................................................................................................... 673
Using the agent_communication_updater utility..................................................................................................... 674
Limitations of DLP support for custom certificates................................................................................................. 675
Advanced Endpoint Prevent Server Settings That Support Custom Certificates................................................... 675
Revocation Checks For Custom Certificates..........................................................................................................676
Certificate Management.......................................................................................................................................... 676
Adding a new product module................................................................................................................................... 676
Installing a New License File..................................................................................................................................677
Deploy Symantec Data Loss Prevention servers on Amazon Web Services.........................................................677
What you should know.................................................................................................................................... 677
Introducing Symantec Data Loss Prevention on Amazon Web Services........................................................678
Considerations for deploying supported servers on Amazon Web Services...................................................681
Workflow for deploying a Data Loss Prevention detection server on AWS.....................................................685
Configuring certificates for securing communications between the Enforce Server and Amazon RDS for Oracle............................................................................................................................................... 689
Upgrading an Enforce Server running in AWS............................................................................................... 691
System Readiness and Appliances Update........................................................................................................... 696
Working with Microsoft Information Protection....................................................................................................... 696
About the Symantec integration with MIP for DLP..........................................................................................696
Implementing MIP capabilities for DLP Agents and on-premises detection servers....................................... 697
Authorizing Symantec Data Loss Prevention on the Microsoft Azure portal...................................................700
Enabling MIP on the Azure portal for detection servers................................................................................. 700
Configuring proxy server details for AIP Insight Deployment..........................................................................701
Managing MIP credential profiles for agents and on-premises detection servers...........................................702
Using the Content Matches MIP Tag rule....................................................................................................... 704
Configuring response rules using MIP Classification labels in the Enforce Server administration console..... 705
Integrating MIP classification labels in the Enforce Server administration console.........................................706
About MIP incident and matches behavior..................................................................................................... 706
Troubleshooting the Symantec integration with MIP for DLP..........................................................................708
Configuring the connection between the Enforce Server and Data Insight............................................................708
Generating Local Telemetry Reports......................................................................................................................... 709
Viewing Local Telemetry Reports...............................................................................................................................710
Telemetry Reporting..................................................................................................................................................... 710
Using ICA with Symantec Data Loss Prevention..................................................................................................... 711
Create an API user in ICA...................................................................................................................................... 712
Managing Detection Servers...........................................................................................................713
Installing and managing detection servers and cloud detectors........................................................................... 713
About managing Symantec Data Loss Prevention servers.................................................................................... 714
About Microsoft Rights Management file and email monitoring............................................................................. 714
Enabling Microsoft Rights Management file monitoring.................................................................................. 715
Enabling Advanced Process Control...................................................................................................................... 716
Server controls........................................................................................................................................................ 717
Server configuration—basic.................................................................................................................................... 718
Network Monitor Server—Basic Configuration................................................................................................ 719
Network Prevent for Web Server—Basic Configuration..................................................................................720
Network Discover Server and Network Protect—basic configuration............................................................. 722
Endpoint Prevent Server—Basic Configuration...............................................................................................722
Single Tier Monitor — basic configuration...................................................................................................... 723
Editing a detector.................................................................................................................................................... 724
Server and detector configuration—advanced....................................................................................................... 724
Adding a detection server....................................................................................................................................... 724
Adding a cloud detector..........................................................................................................................................726
Adding an appliance............................................................................................................................................... 727
Configuring an appliance........................................................................................................................................ 727
Configuring the API Detection for Developer Apps Appliance............................................................................... 728
Removing a server..................................................................................................................................................728
Importing SSL certificates to Enforce or Discover servers.....................................................................................729
About the Overview screen.................................................................................................................................... 729
Configuring the Enforce Server to use a proxy to connect to cloud services........................................................ 730
Safelisting Cloud Proxy Connections............................................................................................................... 731
Server and detector status overview...................................................................................................................... 731
Recent error and warning events list......................................................................................................................733
Server/Detector Detail screen................................................................................................................................. 733
Configure Server - Edit Protocol Filtering...............................................................................................................734
Advanced Server Settings...................................................................................................................................... 734
Advanced detector settings.....................................................................................................................................761
About using load balancers in an endpoint deployment........................................................................................ 763
Endpoint Prevent Server Support For Deploying An NGINX Server As A Reverse Proxy.....................................765
Managing Log Files......................................................................................................................................................765
Log files................................................................................................................................................................... 765
Operational Log Files.......................................................................................................................................766
Debug Log Files...............................................................................................................................................768
Log collection and configuration screen................................................................................................................. 772
Configuring Server Logging Behavior.....................................................................................................................772
Change the Log Configuration for a Symantec Data Loss Prevention Server................................................774
Collecting Server Logs and Configuration Files..................................................................................................... 775
About log event codes............................................................................................................................................ 778
Network Prevent for Web Operational Log Files and Event Codes................................................................ 778
Network Prevent for Web Access Log Files and Fields..................................................................................779
Network Prevent for Web protocol debug log files..........................................................................................781
Network Prevent for Email Log Levels............................................................................................................781
Network Prevent for Email operational log codes........................................................................................... 781
Network Prevent for Email Originated Responses and Codes....................................................................... 784
Using Symantec Data Loss Prevention utilities....................................................................................................... 785
About Symantec Data Loss Prevention utilities......................................................................................................785
About Endpoint utilities........................................................................................................................................... 786
DBPasswordChanger.............................................................................................................................................. 786
DBPasswordChanger Syntax...........................................................................................................................787
Example of using DBPasswordChanger......................................................................................................... 787
Increasing the inspection content size......................................................................................................................787
Guidelines for Increasing System Memory on Detection Servers..........................................................................790
About Data Loss Prevention Policy Authoring............................................................................ 793
Handling Non-BMP Unicode Characters in Data Loss Prevention 16.0.1.............................................................. 793
Policy components.......................................................................................................................................................794
Policy templates........................................................................................................................................................... 795
Solution packs.............................................................................................................................................................. 796
Policy groups................................................................................................................................................................796
Policy deployment........................................................................................................................................................797
Policy severity.............................................................................................................................................................. 797
Policy authoring privileges......................................................................................................................................... 798
Data Profiles..................................................................................................................................................................798
User Groups..................................................................................................................................................................799
Policy template import and export.............................................................................................................................800
Workflow for implementing policies.......................................................................................................................... 800
Viewing, printing, and downloading policy details.................................................................................................. 801
Detecting data loss...................................................................................................................................................... 801
Content that can be detected................................................................................................................................. 802
Files that can be detected...................................................................................................................................... 802
Protocols that can be monitored.............................................................................................................................802
Endpoint events that can be detected....................................................................................................................802
Identities that can be detected............................................................................................................................... 803
Languages that can be detected............................................................................................................................ 803
Data Loss Prevention policy detection technologies.............................................................................................. 803
Policy Evaluation Engine Details for DLP 16.0.........................................................................................................804
Changes in the 16.0 Policy Evaluation Engine.........................................................................................................805
Handling Large Policies for Legacy (pre-DLP 16.0) Agents.................................................................................... 805
Policy matching conditions........................................................................................................................................ 806
Content matching conditions...................................................................................................................................807
File property matching conditions........................................................................................................................... 808
Protocol matching condition for network.................................................................................................................808
Endpoint matching conditions................................................................................................................................. 808
Groups (identity) matching conditions.................................................................................................................... 809
Detection Messages and Message Components......................................................................................................810
Exception Conditions...................................................................................................................................................812
Compound rules........................................................................................................................................................... 813
Policy Detection Execution......................................................................................................................................... 813
Two-Tier Detection for DLP Agents........................................................................................................................... 814
Creating a policy from a template..............................................................................................................................815
US Regulatory Enforcement policy Templates......................................................................................................... 816
General Data Protection Regulation (GDPR) policy Templates.............................................................................. 817
International Regulatory Enforcement policy Templates.........................................................................................818
Customer and Employee Data Protection policy Templates................................................................................... 819
Confidential or Classified Data Protection policy Templates..................................................................................819
Network Security Enforcement policy Templates.....................................................................................................820
Acceptable Use Enforcement policy Templates....................................................................................................... 821
Columbia Personal Data Regulatory Enforcement Policy Template...................................................................... 821
Choosing an Exact Data Profile................................................................................................................................. 822
Choosing an Indexed Document Profile....................................................................................................................823
Adding a new policy or PolicyProfile Template........................................................................................................824
Configuring policies.....................................................................................................................................................824
Adding a Rule to a Policy............................................................................................................................................825
Configuring Policy Rules............................................................................................................................................ 827
Defining rule severity...................................................................................................................................................829
Configuring Match Counting.......................................................................................................................................829
Selecting components to match on........................................................................................................................... 831
Adding an Exception to a Policy................................................................................................................................ 831
Configuring Policy Exceptions................................................................................................................................... 833
Configuring compound rules...................................................................................................................................... 835
Input character limits for policy configuration......................................................................................................... 836
Manage and add policies............................................................................................................................................ 836
Manage and add policy groups..................................................................................................................................838
Creating and modifying policy groups...................................................................................................................... 838
Importing policies.........................................................................................................................................................839
About importing policies..........................................................................................................................................839
About Policy References.........................................................................................................................................840
Exporting policies........................................................................................................................................................ 841
About policy export................................................................................................................................................. 841
Cloning policies............................................................................................................................................................841
Importing Policy Templates.........................................................................................................................................842
Exporting policy detection as a template................................................................................................................. 842
Adding an automated response rule to a policy...................................................................................................... 843
Removing policies and policy groups....................................................................................................................... 843
Viewing and printing policy details............................................................................................................................844
Downloading policy details......................................................................................................................................... 844
Troubleshooting policies............................................................................................................................................. 845
Updating EDM and IDM profiles to the latest version............................................................................................. 845
Updating policies after upgrading to the latest version.......................................................................................... 846
About Installing Remote Indexers..............................................................................................................................847
Installing a remote indexer on Windows...................................................................................................................847
Installing a remote indexer on Linux.........................................................................................................................849
Configuring a Remote Indexer on Linux................................................................................................................... 849
Best practices for authoring policies........................................................................................................................ 850
Develop a policy strategy that supports your data security objectives................................................................ 851
Use a limited number of policies to get started.......................................................................................................851
Use policy templates but modify them to meet your requirements....................................................................... 851
Use the appropriate match condition for your data loss prevention objectives...................................................852
Test and tune policies to improve match accuracy................................................................................................. 852
Start with high match thresholds to reduce false positives................................................................................... 853
Use a limited number of exceptions to narrow detection scope............................................................................853
Use compound rules to improve match accuracy................................................................................................... 854
Author policies to limit the potential effect of two-tier detection...........................................................................854
Use policy groups to manage policy lifecycle......................................................................................................... 855
Follow detection-specific best practices...................................................................................................................855
Introducing Structured Data Identifiers..................................................................................................................... 855
Structured Data Identifiers Requirements and Options..........................................................................................856
Creating a Content Matches Structured Data Identifier Rule................................................................................. 861
Advanced Configuration Settings for Structured Data Matching............................................................................ 861
Introducing Exact Match Data Identifiers (EMDI)..................................................................................................... 862
About using EMDI to protect content..................................................................................................................... 862
About EMDI policy features.................................................................................................................................... 862
EMDI compared to EDM.........................................................................................................................................863
About the Exact Match Data Identifier profile and index........................................................................................864
About the Exact Match Data Identifier source file..................................................................................................865
About cleansing the Exact Match Data Identifier source file..................................................................................865
About EMDI and key columns................................................................................................................................ 866
About EMDI index scheduling.................................................................................................................................866
Configuring Exact Match Data Identifier profiles..................................................................................................... 867
Creating the Exact Match Data Identifier source file..............................................................................................868
Preparing the Exact Match Data Identifier source for indexing..............................................................................868
Uploading the Exact Match Data Identifier Source Files to the Enforce Server.....................................................869
Adding Exact Match Data Identifier Profiles........................................................................................................... 871
Creating and Modifying the Exact Match Data Identifier Profiles...........................................................................871
Scheduling EMDI profile indexing...........................................................................................................................873
Associating data identifiers with your data source (EMDI).....................................................................................874
Adding an EMDI check to a built-in or custom data identifier condition in a policy................................................875
Optimized Index Distribution to Endpoints for EMDI.............................................................................................. 875
Creating an incremental index for EMDI......................................................................................................... 876
Using keep_all_files=true for EMDI................................................................................................................. 876
Understanding the limitations of incremental indexing with EMDI.................................................................. 876
Configuring parameters for EMDI.............................................................................................................................. 877
Memory requirements for EMDI..................................................................................................................................877
EMDI memory configuration and limitations........................................................................................................... 877
Overview of configuring memory and indexing the data source for EMDI............................................................. 878
Determining requirements for both local indexers and remote indexers for EMDI.................................................878
Detection server memory requirements for EMDI.................................................................................................. 879
Increasing the memory for the detection server (File Reader) for EMDI............................................................... 880
Profile size limitations on the DLP Agent for EMDI............................................................................................... 881
EMDI memory configuration and limitations........................................................................................................... 881
Properties File Settings for EMDI...............................................................................................................................882
Best practices for using EMDI....................................................................................................................................883
Never use a personal identifier as an optional column in EMDI............................................................................ 884
Use three or more columns in a match for EMDI.................................................................................................. 884
Don’t use EMDI validators as both optional and required for a given data identifier in a policy.............................884
Use additional validators with EMDI where possible..............................................................................................884
Limit the required number of columns to two or three for EMDI............................................................................884
When matching with only a single optional column, avoid adding low-variability values as optional columns with EMDI......... 885
Use full disk encryption on EMDI endpoint deployments.......................................................................................885
Cleanse the EMDI data source file of blank columns and duplicate rows............................................................. 885
Remove ambiguous character types from the EMDI data source file....................................................................885
Clean up your EMDI data source for multi-token matching................................................................................... 886
Do not use the comma delimiter if the EMDI data source has number fields........................................................ 886
Ensure that the EMDI data source is clean for indexing........................................................................................886
Include column headers as the first row of the EMDI data source file...................................................................887
Check the EMDI system alerts to tune profile accuracy........................................................................................ 887
Use scheduled indexing to automate EMDI profile updates.................................................................................. 887
Never use a personal identifier as an optional column in EMDI............................................................................ 887
Use three or more columns in a match for EMDI.................................................................................................. 888
Don’t use EMDI validators as both optional and required for a given data identifier in a policy.............................888
Use additional validators with EMDI where possible..............................................................................................888
Limit the required number of columns to two or three for EMDI............................................................................888
When matching with only a single optional column, avoid adding low-variability values as optional columns with EMDI......... 888
Use full disk encryption on EMDI endpoint deployments.......................................................................................888
Remove ambiguous character types from the EMDI data source file....................................................................888
Clean up your EMDI data source for multi-token matching................................................................................... 889
Cleanse the EMDI data source file of blank columns and duplicate rows............................................................. 889
Do not use the comma delimiter if the EMDI data source has number fields........................................................ 890
Ensure that the EMDI data source is clean for indexing........................................................................................890
Include column headers as the first row of the EMDI data source file...................................................................890
Check the EMDI system alerts to tune profile accuracy........................................................................................ 890
Use scheduled indexing to automate EMDI profile updates.................................................................................. 890
Match on two or more optional columns in an EMDI condition to increase detection accuracy............................. 891
Use the minimum matches field to fine-tune EMDI rules.......................................................................................891
EMDI Troubleshooting................................................................................................................................................. 892
The EMDI index doesn’t get published to the Endpoint Agent.............................................................................. 892
The EMDI index doesn’t get published to the Endpoint Agent and the EnabledOnAgents setting is true.............. 892
A key column that is in an EMDI index doesn’t generate an incident....................................................................892
EMDI generates an unexpectedly high number of false positives......................................................................... 892
Introducing Exact Data Matching (EDM)................................................................................................................... 893
About using EDM to protect content...................................................................................................................... 893
EDM policy features................................................................................................................................................894
EDM policy Templates..................................................................................................................................... 894
About the Exact Data Profile and index................................................................................................................. 895
About the exact data source file.............................................................................................................................896
About cleansing the exact data source file for EDM.............................................................................................. 897
About EMDI and key columns................................................................................................................................ 897
About using System Fields for data source validation with EDM...........................................................................898
About index scheduling for EDM............................................................................................................................ 898
About the Content Matches Exact Data From condition for EDM..........................................................................899
About Data Owner Exception for EDM...................................................................................................................899
About profiled Directory Group Matching (DGM) for EDM..................................................................................... 899
About Two-tier Detection for EDM on the Endpoint............................................................................................... 900
About upgrading EDM deployments....................................................................................................................... 900
Configuring Exact Data profiles for EDM.................................................................................................................. 900
Creating the exact data source file for EDM.......................................................................................................... 901
Creating the exact data source file for Data Owner Exception for EDM................................................................902
Creating the Exact Data Source File for Profiled DGM..........................................................................................902
Preparing the exact data source file for indexing for EDM.................................................................................... 903
Uploading Exact Data Source Files for EDM to the Enforce Server......................................................................904
Creating and modifying Exact Data Profiles for EDM............................................................................................ 906
Mapping Exact Data Profile fields for EDM............................................................................................................909
Using system-provided pattern validators for EDM profiles................................................................................... 910
Scheduling Exact Data Profile indexing for EDM................................................................................................... 911
Managing and adding Exact Data Profiles for EDM...............................................................................................912
Configuring EDM policies........................................................................................................................................... 913
Configuring the Content Matches Exact Data policy condition for EDM................................................................ 913
Configuring the Data Owner Exception for EDM policy conditions........................................................................ 915
Configuring the Sender/User based on a Profiled Directory policy condition for EDM...........................................915
Configuring the Recipient based on a Profiled Directory policy condition for EDM................................................916
About configuring natural language processing for Chinese, Japanese, and Korean for EDM policies................. 916
Introducing EDM token matching.................................................................................................................... 917
EDM token matching examples for CJK languages........................................................................................917
Enabling and using CJK token verification for EDM....................................................................................... 917
Configuring Advanced Settings for EDM policies...................................................................................................918
Using multi-token matching with EDM...................................................................................................................... 919
Characteristics of multi-token cells (EDM)..............................................................................................................920
Multi-token with spaces (EDM)............................................................................................................................... 920
Multi-token with Stopwords (EDM)......................................................................................................................... 920
Multi-token with mixed language characters (EDM)...............................................................................................921
Multi-token with punctuation (EDM)........................................................................................................................921
Additional examples for multi-token cells with punctuation (EDM).........................................................................922
Some special use cases for system-recognized data patterns (EDM)...................................................................924
Multi-token punctuation characters (EDM)............................................................................................................. 925
Match count variant examples (EDM).................................................................................................................... 926
Proximity matching example for EDM.................................................................................................................... 927
Updating EDM indexes to the latest version............................................................................................................ 928
Update process using the Remote EDM Indexer...................................................................................................929
Update process using the Enforce Server for EDM............................................................................................... 930
EDM index out-of-date error codes........................................................................................................................ 931
Memory requirements for EDM...................................................................................................................................931
About memory requirements for EDM.................................................................................................................... 932
Determining requirements for both local and remote indexers for EDM................................................................ 932
Overview of configuring memory and indexing the data source for EDM.............................................................. 933
Increasing the memory for the Enforce Server EDM indexer................................................................................ 934
Increasing the Memory for the Remote EDM Indexer............................................................................................934
Detection server memory requirements for EDM................................................................................................... 935
Increasing the memory for the detection server (File Reader) for EDM................................................................ 936
Using the EDM Memory Requirements Spreadsheet............................................................................................ 937
Remote EDM indexing................................................................................................................................................. 937
About the Remote EDM Indexer............................................................................................................................ 938
About the SQL Preindexer for EDM....................................................................................................................... 938
System requirements for remote EDM indexing.....................................................................................................938
Workflow for Remote EDM Indexing...................................................................................................................... 938
About installing and running the Remote EDM Indexer and SQL Preindexer utilities............................................939
Creating an EDM profile template for remote indexing.......................................................................................... 940
Downloading and copying the EDM profile file to a remote system.......................................................................941
Generating remote index files for EDM.................................................................................................................. 942
Remote indexing examples using data source file (EDM)..................................................................................... 942
Remote indexing examples using SQL Preindexer (EDM).................................................................................... 943
Copying and loading remote EDM index files to the Enforce Server.....................................................................944
SQL Preindexer command options (EDM)............................................................................................................. 944
Remote EDM Indexer command options................................................................................................................945
Troubleshooting preindexing errors for EDM..........................................................................................................946
Troubleshooting remote indexing errors for EDM.................................................................................................. 947
Installing the Remote EDM Indexer........................................................................................................................948
Permissions for users to run the remote indexers (EDM)...............................................................................948
Best practices for using EDM.....................................................................................................................................948
Ensure data source has at least one column of unique data (EDM)..................................................................... 949
Cleanse the data source file of blank columns and duplicate rows (EDM)............................................................950
Remove ambiguous character types from the data source file (EDM).................................................................. 950
Understand how multi-token cell matching functions (EDM)..................................................................................951
Do not use the comma delimiter if the data source has number fields (EDM).......................................................951
Map data source column to system fields to leverage validation (EDM)............................................................... 951
Ensure that the data source is clean for indexing (EDM)...................................................................................... 952
Leverage EDM policy templates when possible.....................................................................................................952
Include column headers as the first row of the data source file (EDM)................................................................. 952
Check the system alerts to tune profile accuracy (EDM).......................................................................................953
Use stopwords to exclude common words from detection (EDM)......................................................................... 953
Use scheduled indexing to automate profile updates (EDM)................................................................................. 953
Match on 3 columns in an EDM condition to increase detection accuracy............................................................954
Leverage exception tuples to avoid false positives (EDM).................................................................................... 954
Use a WHERE clause to detect records that meet specific criteria (EDM)............................................................955
Use the minimum matches field to fine tune EDM rules........................................................................................955
Combine Data Identifiers with EDM rules to limit the impact of two-tier detection................................................. 955
Include an email address field in the Exact Data Profile for profiled DGM (EDM)................................................. 955
Use profiled DGM for Network Prevent for Web identity detection (EDM).............................................................955
Introducing Indexed Document Matching (IDM)....................................................................................................... 955
About using IDM..................................................................................................................................................... 956
Supported forms of matching for IDM.................................................................................................................... 956
Types of IDM detection...........................................................................................................................................957
Agent IDM detection........................................................................................................................................ 957
Server IDM detection....................................................................................................................................... 957
Two-tier IDM detection.....................................................................................................................................957
About the Indexed Document Profile......................................................................................................................958
About the document data source........................................................................................................................... 958
About the indexing process.................................................................................................................................... 958
About indexing remote documents......................................................................................................................... 959
About the server index files and the agent index files........................................................................................... 959
About index deployment and logging..................................................................................................................... 960
Using IDM to detect exact files.............................................................................................................................. 961
Using IDM to Detect Exact and Partial File Contents............................................................................................ 962
About using the Content Matches Document Signature policy condition...............................................................963
About Safe Listing Partial File Contents.................................................................................................................964
Configuring IDM Profiles and Policy Conditions......................................................................................................964
Preparing the document data source for indexing................................................................................................. 965
Safe Listing File Contents to Exclude from Partial Matching................................................................................. 965
Manage and add Indexed Document Profiles........................................................................................................ 966
Creating and modifying Indexed Document Profiles.............................................................................................. 967
Configure endpoint partial content matching.......................................................................................................... 969
Uploading a document archive to the Enforce Server........................................................................................... 969
Referencing a document archive on the Enforce Server....................................................................................... 970
Using local path on Enforce Server........................................................................................................................971
Using the remote SMB share option to index file shares.......................................................................................972
Using the remote SMB share option to index SharePoint documents................................................................... 972
Enabling WebDAV for Microsoft IIS.................................................................................................................973
Troubleshooting SharePoint document indexing............................................................................................. 974
Filtering documents by file name............................................................................................................................974
Filtering documents by file size.............................................................................................................................. 976
Scheduling Document Profile Indexing...................................................................................................................976
Changing the Default Indexer Properties............................................................................................................... 977
Enabling Agent IDM................................................................................................................................................ 978
Estimating endpoint memory use for agent IDM.................................................................................................... 978
Configuring the Content Matches Document Signature policy condition............................................................... 979
Best Practices for Using IDM..................................................................................................................................... 979
Reindex IDM profiles after upgrade........................................................................................................................980
Do not compress files in the document source......................................................................................................980
Do not index empty documents..............................................................................................................................981
Prefer partial matching over exact matching on the DLP Agent............................................................................ 981
Understanding the Limitations of Exact Matching.................................................................................................. 981
Use Safe Listing to Exclude Non-Sensitive Content from Partial Matching........................................................... 982
Filter documents from indexing to reduce false positives...................................................................................... 982
Distinguish IDM Exceptions from Safe Listing and Filtering...................................................................................983
Create separate profiles to index large document sources....................................................................................983
Use WebDAV or CIFS to index remote document data sources........................................................................... 983
Use scheduled indexing to keep profiles up to date.............................................................................................. 983
Use parallel IDM rules to tune match thresholds................................................................................................... 984
About the Remote IDM Indexer.................................................................................................................................. 984
Installing the Remote IDM Indexer......................................................................................................................... 985
Setting up permissions for users to run the remote indexers......................................................................... 986
Indexing the Document Data Source Using the GUI Edition (Windows only)........................................................ 986
Indexing the document data source using the properties file.................................................................................988
Indexing the Document Data Source Using the CLI.............................................................................................. 989
Scheduling remote indexing....................................................................................................................................990
Scheduling remote indexing with the Remote IDM Indexer app for Windows....................................................... 991
Incremental indexing for IDM..................................................................................................................................992
Always keep files for IDM................................................................................................................................993
Logging and Troubleshooting..................................................................................................................................993
Copying the preindex file to the Enforce Server host............................................................................................ 993
Loading the Remote Index File on to the Enforce Server......................................................................................993
Using a Password File with Remote Indexing................................................................................................ 994
Introducing Vector Machine Learning (VML)............................................................................................................ 994
About the Vector Machine Learning Profile............................................................................................................995
About the content you train.................................................................................................................................... 995
About the base accuracy from training percentage rates...................................................................................... 996
About the Similarity Threshold and Similarity Score.............................................................................................. 996
About using unaccepted VML profiles in policies...................................................................................................997
Configuring VML profiles and policy conditions......................................................................................................997
Creating new VML profiles..................................................................................................................................... 998
Working with the Current Profile and Temporary Workspace tabs.........................................................................999
Uploading example documents for training............................................................................................................ 999
Training VML profiles............................................................................................................................................ 1000
Adjusting the memory allocation...........................................................................................................................1002
Managing training set documents.........................................................................................................................1003
Managing VML profiles......................................................................................................................................... 1003
Changing names and descriptions for VML profiles.............................................................................................1005
Configuring the Detect using Vector Machine Learning Profile condition.............................................................1005
Configuring VML policy exceptions.......................................................................................................................1006
Adjusting the Similarity Threshold........................................................................................................................ 1007
Testing and tuning VML profiles........................................................................................................................... 1007
Properties for configuring training.........................................................................................................................1008
Log files for troubleshooting VML training and policy detection...........................................................................1010
Best practices for using VML................................................................................................................................... 1010
When to use VML................................................................................................................................................. 1011
When not to use VML...........................................................................................................................................1012
Recommendations for training set definition........................................................................................................ 1012
Guidelines for training set sizing.......................................................................................................................... 1013
Recommendations for uploading documents for training..................................................................................... 1014
Guidelines for profile sizing...................................................................................................................................1014
Recommendations for accepting or rejecting a profile......................................................................................... 1014
Guidelines for Accepting or Rejecting Training Results....................................................................................... 1015
Recommendations for deploying profiles..............................................................................................................1016
About Form Recognition detection..........................................................................................................................1016
How Form Recognition works...............................................................................................................................1016
Configuring Form Recognition detection................................................................................................................ 1017
Preparing a Form Recognition Gallery Archive.................................................................................................... 1017
Configuring a Form Recognition profile................................................................................................................ 1018
Configuring the Form Recognition detection rule................................................................................................. 1018
Configuring the Form Recognition exception rule................................................................................................ 1019
Managing Form Recognition profiles...................................................................................................................... 1019
Advanced server settings for Form Recognition.................................................................................................. 1021
Viewing a Form Recognition incident......................................................................................................................1021
About Content Detection with On Premises OCR..................................................................................................1021
Installing an On Premises OCR Sensitive Image Recognition License............................................................... 1022
Setting Up On-Premises OCR Servers.................................................................................................................... 1022
Exporting Private Keys, Certificates, and Trusted Certificates from a 15.x OCR Server....................................1024
Using Diagnostics for Sizing OCR Server Deployments....................................................................................... 1025
Creating a null policy to assist in OCR diagnostics for Discover Servers..........................................................1026
Using the OCR Server Sizing Estimator..................................................................................................................1026
OCR Server System Requirements.......................................................................................................................... 1029
File Types Supported for On Premises OCR Extraction........................................................................................1029
Detection Types Supported for On Premises OCR Extraction..............................................................................1029
More About Languages and Dictionaries................................................................................................................1030
Adding or Editing an On Premises OCR Configuration........................................................................................ 1030
Creating an OCR Configuration................................................................................................................................1030
Viewing OCR Incidents in Reports...........................................................................................................................1032
Setting Up TLS Trust................................................................................................................................................. 1032
Introducing User Risk Based Detection.................................................................................................................. 1033
Data Identifiers............................................................................................................................................................ 1034
System-defined data identifiers.............................................................................................................................1035
Personal identity data identifiers....................................................................................................................1035
Financial data identifiers................................................................................................................................ 1043
Healthcare data identifiers............................................................................................................................. 1043
Information technology data identifiers..........................................................................................................1044
International keywords for PII data identifiers............................................................................................... 1044
Extending and customizing data identifiers.......................................................................................................... 1044
About data identifier configuration........................................................................................................................ 1044
About data identifier breadths...............................................................................................................................1045
About optional validators for data identifiers........................................................................................................ 1045
About data identifier patterns................................................................................................................................1045
About pattern validators........................................................................................................................................ 1046
About data normalizers......................................................................................................................................... 1046
About cross-component matching........................................................................................................................ 1046
About unique match counting............................................................................................................................... 1047
Configuring data identifier policy conditions......................................................................................................... 1047
Workflow for configuring data identifier policies............................................................................................ 1047
Managing and Adding Data Identifiers.......................................................................................................... 1047
Editing data identifiers................................................................................................................................... 1048
Configuring the Content Matches data identifier condition............................................................................1049
Using data identifier breadths........................................................................................................................1050
Selecting a data identifier breadth.................................................................................................................1050
Using optional validators................................................................................................................................1066
Configuring optional validators...................................................................................................................... 1067
Acceptable characters for optional validators................................................................................................1067
Using unique match counting........................................................................................................................ 1075
Configuring unique match counting............................................................................................................... 1076
Modifying system data identifiers..........................................................................................................................1076
Cloning a system data identifier before modifying it..................................................................................... 1077
Editing pattern validator input........................................................................................................................ 1077
List of pattern validators that accept input data............................................................................................ 1078
Editing keywords for international PII data identifiers................................................................................... 1079
List of keywords for international system data identifiers..............................................................................1079
Updating policies to use the US Randomized SSN data identifier............................................................... 1102
Creating custom data identifiers........................................................................................................................... 1103
Workflow for creating custom data identifiers............................................................................................... 1104
Custom Data Identifier Configuration............................................................................................................ 1105
Using the legacy data identifier pattern language.........................................................................................1106
Writing data identifier patterns to match data............................................................................................... 1108
Using pattern validators................................................................................................................................. 1109
Selecting pattern validators........................................................................................................................... 1116
Selecting a data normalizer........................................................................................................................... 1117
Creating custom script validators.................................................................................................................. 1117
Configuring pre- and post-validators............................................................................................................. 1118
Best practices for using data identifiers............................................................................................................... 1119
Use data identifiers instead of regular expressions to improve accuracy..................................................... 1120
Clone system-defined data identifiers before modifying to preserve original state....................................... 1120
Modify data identifier definitions when you want tuning to apply globally..................................................... 1120
Consider using multiple breadths in parallel to detect different severities of confidential data......................1121
Avoid matching on the Envelope over HTTP to reduce false positives........................................................ 1121
Use the US Randomized SSN data identifier to detect SSNs...................................................................... 1121
Use unique match counting to improve accuracy and ease remediation......................................................1121
Introducing keyword matching................................................................................................................................. 1122
About keyword matching for Chinese, Japanese, and Korean (CJK) languages.................................................1122
About keyword proximity.......................................................................................................................................1123
Keyword matching syntax..................................................................................................................................... 1123
Keyword matching examples................................................................................................................................ 1124
Keyword matching examples for CJK languages.................................................................................................1125
About updates to the Drug, Disease, and Treatment keyword lists..................................................................... 1125
Configuring keyword matching................................................................................................................................ 1126
Configuring the Content Matches Keyword condition.......................................................................................... 1126
Enabling and using CJK token verification for server keyword matching.............................................................1128
Updating the Drug, Disease, and Treatment keyword lists for your HIPAA and Caldicott policies....................... 1129
Best practices for using keyword matching........................................................................................................... 1129
Enable token verification on the server to reduce false positives for CJK keyword detection..............................1130
Keep the keyword lists for your HIPAA and Caldicott policies up to date............................................................ 1130
Tune keyword lists for data identifiers to improve match accuracy.................................................................... 1130
Use keyword matching to detect document metadata......................................................................................... 1131
Use VML to generate and maintain large keyword dictionaries...........................................................................1131
Introducing regular expression matching............................................................................................................... 1131
About the updated regular expression engine....................................................................................................... 1131
About writing regular expressions for policy condition matching....................................................................... 1131
Configuring the Content Matches Regular Expression condition........................................................................ 1132
Best practices for using regular expression matching......................................................................................... 1133
When to use regular expression matching...........................................................................................................1133
Use look ahead and look behind characters to improve regular expression accuracy........................................ 1134
Use regular expressions sparingly to support efficient performance....................................................................1134
Test regular expressions before deployment to improve accuracy...................................................................... 1134
Detecting non-English language content................................................................................................................ 1134
Best practices for detecting non-English language content................................................................................. 1134
Use international policy templates for policy creation.......................................................................................... 1135
Use custom keywords for system data identifiers................................................................................................ 1135
Enable token validation to match Chinese, Japanese, and Korean keywords on the server............................... 1159
Introducing file property detection.......................................................................................................................... 1160
About file type matching....................................................................................................................................... 1160
About file format support for file type matching................................................................................................... 1160
About custom file type identification..................................................................................................................... 1160
About file size matching........................................................................................................................................1161
About file name matching..................................................................................................................................... 1162
Configuring file property matching..........................................................................................................................1162
Configuring the Message Attachment or File Type Match condition.................................................................... 1162
Configuring the Message Attachment or File Size Match condition.....................................................................1163
Configuring the Message Attachment or File Name Match condition.................................................................. 1164
File name matching syntax................................................................................................................................... 1165
File name matching examples.............................................................................................................................. 1165
Enabling the Custom File Type Signature Condition in the Policy Console......................................................... 1166
Configuring the Custom File Type Signature condition........................................................................................ 1166
Best practices for using file property matching.....................................................................................................1167
Use compound file property rules to protect design and multimedia files............................................................1167
Do Not Use File Type Matching to Detect Content.............................................................................................. 1167
Calculate file size properly to improve match accuracy....................................................................................... 1167
Use expression patterns to match file names...................................................................................................... 1167
Use scripts and plugins to detect custom file types............................................................................................. 1168
About detection customization.................................................................................................................................1168
About the scripting language................................................................................................................................ 1168
About the scripting language syntax............................................................................................................. 1169
System variables............................................................................................................................................1169
Assert statement............................................................................................................................................ 1170
If/Else statements...........................................................................................................................................1170
Evaluate statement........................................................................................................................................ 1171
Evaluate statement functions.........................................................................................................................1172
Example scripts for custom file type detection..............................................................................................1174
Example scripts for custom validators...........................................................................................................1175
About the File Type Analyzer utility...................................................................................................................... 1177
Installing the File Type Analyzer utility.......................................................................................................... 1177
Launching the File Type Analyzer utility........................................................................................................1178
Creating the data set..................................................................................................................................... 1178
Analyzing data set results............................................................................................................................. 1179
Testing the script solution.............................................................................................................................. 1180
Saving, opening, editing a data set...............................................................................................................1180
Increasing the Java heap size for large or recursive data sets.................................................................... 1181
Increasing the number of bytes that are analyzed........................................................................................1181
Detection Customization Tutorials........................................................................................................................ 1181
Workflow for detecting custom file types.......................................................................................................1182
Tutorial 1: Detecting Java class files.............................................................................................................1182
Tutorial 2: Detecting an encrypted ZIP file format........................................................................................ 1184
Implementing custom script validators.......................................................................................................... 1186
Introducing protocol monitoring for network......................................................................................................... 1186
Configuring the Protocol Monitoring condition for network detection................................................................ 1186
Best practices for using network protocol matching............................................................................................ 1187
Use separate policies for specific protocols......................................................................................................... 1187
Consider detection server network placement to support IP address matching.................................................. 1187
Introducing endpoint event detection......................................................................................................................1187
About endpoint protocol monitoring...................................................................................................................... 1188
About endpoint destination monitoring................................................................................................................. 1188
About endpoint global application monitoring.......................................................................................................1188
About endpoint location detection.........................................................................................................................1189
About endpoint device detection...........................................................................................................................1189
Configuring endpoint event detection conditions..................................................................................................1189
Configuring the Endpoint Monitoring condition.....................................................................................................1190
Configuring the Endpoint Location condition........................................................................................................ 1190
Configuring the Endpoint Device Class or ID condition....................................................................................... 1191
Gathering endpoint device IDs for removable devices.........................................................................................1192
Creating and modifying endpoint device configurations....................................................................................... 1192
Best practices for using endpoint detection.......................................................................................................... 1193
Introducing described identity matching................................................................................................................ 1194
Described identity matching examples................................................................................................................... 1194
Configuring described identity matching policy conditions................................................................................. 1195
About Reusable Sender/Recipient Patterns......................................................................................................... 1195
Configuring the Sender/User Matches Pattern condition..................................................................................... 1195
Configuring a Reusable Sender Pattern...............................................................................................................1196
Configuring the Recipient Matches Pattern condition.......................................................................................... 1197
Configuring a Reusable Recipient Pattern........................................................................................................... 1198
Best practices for using described identity matching...........................................................................................1199
Define precise identity patterns to match users................................................................................................... 1199
Specify email addresses exactly to improve accuracy.........................................................................................1199
Match domains instead of IP addresses to improve accuracy.............................................................................1200
Introducing Synchronized Directory Group Matching (DGM)............................................................................... 1200
Use Synchronized DGM for Network Prevent for Web Identity Detection........................................................... 1200
About Two-tier Detection for Synchronized DGM.................................................................................................. 1200
Configuring User Groups.......................................................................................................................................... 1201
Configuring synchronized DGM policy conditions................................................................................................ 1202
Configuring the Sender/User based on a Directory Server Group condition....................................................... 1203
Configuring the Recipient based on a Directory Server Group condition.............................................................1203
Best Practices for Using Synchronized DGM......................................................................................................... 1204
Refresh the directory on initial save of the User Group.......................................................................................1204
Distinguish Synchronized DGM from Other Types of Endpoint Detection........................................................... 1204
Introducing Profiled Directory Group Matching (DGM)......................................................................................... 1204
About two-tier detection for profiled DGM..............................................................................................................1205
Configuring Exact Data profiles for DGM................................................................................................................1205
Configuring profiled DGM policy conditions.......................................................................................................... 1206
Configuring the Sender/User Based on a Profiled Directory Condition................................................................1206
Configuring the Recipient based on a Profiled Directory condition...................................................................... 1207
Best practices for using profiled DGM....................................................................................................................1207
Follow EDM best practices when implementing profiled DGM............................................................................ 1207
Include an email address field in the Exact Data Profile for profiled DGM.......................................................... 1207
Use Profiled DGM for Network Prevent for Web Identity Detection..................................................................... 1207
Introducing Contextual Attributes for User Risk Scores.......................................................................................1208
Introducing contextual attributes for cloud applications...................................................................................... 1208
Configuring contextual attribute conditions........................................................................................................... 1208
Contextual attribute categories............................................................................................................................. 1209
Overview of detection file format support.............................................................................................................. 1216
Supported formats for file type identification.........................................................................................................1217
Supported formats for content extraction...............................................................................................................1227
Supported word-processing formats for content extraction.................................................................................. 1228
Supported presentation formats for content extraction........................................................................................ 1229
Supported spreadsheet formats for content extraction........................................................................................ 1229
Supported text and markup formats for content extraction.................................................................................. 1230
Supported email formats for content extraction....................................................................................................1231
Supported CAD formats for content extraction.....................................................................................................1231
Supported graphics formats for content extraction...............................................................................................1231
Supported database formats for content extraction............................................................................................. 1232
Other File Formats Supported for Content Extraction..........................................................................................1232
Supported encapsulation formats for subfile extraction.......................................................................................1233
Supported file formats for metadata extraction..................................................................................................... 1233
About document metadata detection.................................................................................................................... 1234
Enabling server metadata detection..................................................................................................................... 1234
Enabling endpoint metadata detection................................................................................................................. 1235
Best practices for using metadata detection........................................................................................................ 1235
Always Use the Filter Utility to Verify File Format Metadata Support........................................................... 1235
Distinguish Metadata from File Content and Application Data......................................................................1237
Use and tune keyword lists to avoid false positives on metadata................................................................ 1238
Understand performance implications of enabling endpoint metadata detection.......................................... 1238
Create a separate endpoint configuration for metadata detection................................................................ 1238
Use response rules to tag incidents with metadata...................................................................................... 1238
About high-performance content extraction for Office Open XML formats.........................................................1238
Enabling High-performance Content Extraction for Office Open XML Files....................................................... 1239
About metadata extraction for Office Open XML files...........................................................................................1240
About Subfile Extraction for Office Open XML files.............................................................................................. 1241
Library of Policy Templates...................................................................................................................................... 1243
Caldicott Report Policy Template..........................................................................................................................1243
California Consumer Privacy Act Policy Template............................................................................................... 1245
Canadian Social Insurance Numbers Policy Template.........................................................................................1245
CAN-SPAM Act Policy Templates.........................................................................................................................1246
Colombian Personal Data Protection Law 1581 Policy Template........................................................................ 1247
Common Spyware Upload Sites Policy Template................................................................................................ 1247
Confidential Documents Policy Template............................................................................................................. 1247
Competitor Communications Policy Template...................................................................................................... 1248
Credit Card Numbers Policy Template................................................................................................................. 1249
Customer Data Protection Policy Template.......................................................................................................... 1249
Data Protection Act 1998 Policy Template........................................................................................................... 1250
Data Protection Directives (EU) Policy Template................................................................................................. 1251
Defense Message System (DMS) GENSER Classification Policy Template........................................................1252
Design Documents Policy Template..................................................................................................................... 1253
Developer Keys and Secrets Policy Template......................................................................................................1254
Employee Data Protection Policy Template..........................................................................................................1255
Encrypted Data Policy Template...........................................................................................................................1255
Enhanced Credit Card Numbers with Individual Users PolicyProfile Template.................................................... 1256
Export Administration Regulations (EAR) Policy Template.................................................................................. 1257
FACTA 2003 (Red Flag Rules) Policy Template.................................................................................................. 1257
Financial Information Policy Template.................................................................................................................. 1260
Forbidden Websites Policy Template....................................................................................................................1261
Gambling Policy Template.................................................................................................................................... 1261
General Data Protection Regulation (Banking and Finance)............................................................................... 1262
General Data Protection Regulation (Digital Identity)...........................................................................................1277
General Data Protection Regulation (Government Identification)........................................................................ 1277
General Data Protection Regulation (Healthcare and Insurance)........................................................................ 1292
General Data Protection Regulation (Personal Profile) Policy Template..............................................................1299
General Data Protection Regulation (Travel)........................................................................................................1301
Gramm-Leach-Bliley Policy Template................................................................................................................... 1306
HIPAA and HITECH (including PHI) Policy Template.......................................................................................... 1307
Human Rights Act 1998 policy Template............................................................................................................. 1310
Illegal Drugs Policy Template................................................................................................................................1311
Individual Taxpayer Identification Numbers (ITIN) Policy Template......................................................................1311
International Traffic in Arms Regulations (ITAR) Policy Template........................................................................ 1311
Media Files Policy template.................................................................................................................................. 1312
Medicare and Medicaid (including PHI)................................................................................................................1312
Merger and Acquisition Agreements Policy Template.......................................................................................... 1313
NASD Rule 2711 and NYSE Rules 351 and 472 Policy Template...................................................................... 1314
NASD Rule 3010 and NYSE Rule 342 Policy Template...................................................................................... 1315
NERC Security Guidelines for Electric Utilities policy template........................................................................... 1316
Network Diagrams Policy Template...................................................................................................................... 1318
Network Security Policy Template........................................................................................................................ 1318
Offensive Language Policy Template................................................................................................................... 1318
Office of Foreign Assets Control (OFAC) Policy Template...................................................................................1318
OMB Memo 06-16 and FIPS 199 Regulations Policy Template.......................................................................... 1320
Passwords Policy Template.................................................................................................................................. 1321
Password Files Policy Template........................................................................................................................... 1323
Payment Card Industry (PCI) Data Security Standard Policy Template...............................................................1323
PIPEDA Policy Template.......................................................................................................................................1324
Price Information Policy Template........................................................................................................................ 1325
Project Data Policy Template................................................................................................................................1326
Proprietary Media Files Policy Template.............................................................................................................. 1326
Publishing Documents Policy Template................................................................................................................1327
Racist Language Policy Template.........................................................................................................................1327
Restricted Files Policy Template...........................................................................................................................1327
Restricted Recipients Policy Template..................................................................................................................1328
Resumes Policy Template.....................................................................................................................................1328
Russian Federal Law on Personal Data (No. 152-FZ) PolicyProfile Template.....................................................1328
Sarbanes-Oxley Policy Template.......................................................................................................................... 1330
SEC Fair Disclosure Regulation PolicyProfile Template.......................................................................................1331
Sexually Explicit Language Policy Template........................................................................................................ 1333
Source Code Policy Template...............................................................................................................................1333
State Data Privacy Policy Template..................................................................................................................... 1334
SWIFT Codes Policy Template............................................................................................................................. 1336
Turkish Personal Data Protection Law 6698 policy Templates............................................................................ 1336
Symantec DLP Awareness and Avoidance Policy Template................................................................................1337
UK Drivers License Numbers Policy Template.....................................................................................................1337
UK Electoral Roll Numbers Policy Template........................................................................................................ 1338
UK National Health Service (NHS) Number Policy Template...............................................................................1338
UK National Insurance Numbers Policy Template................................................................................................1338
UK Passport Numbers Policy Template................................................................................................................1338
UK Tax ID Numbers Policy Template................................................................................................................... 1339
US Intelligence Control Markings (CAPCO) and DCID 1/7 Policy Template........................................................1339
US Social Security Numbers Policy Template......................................................................................................1340
US States Driver's License Number Policy Template...........................................................................................1340
Violence and Weapons Policy Template.............................................................................................................. 1344
Virginia Consumer Data Protection Act Policy Template......................................................................................1345
Webmail Policy Template...................................................................................................................................... 1345
Yahoo Message Board Activity Policy Template.................................................................................................. 1346
Yahoo and MSN Messengers on Port 80 Policy Template.................................................................................. 1347
Response Rules............................................................................................................................. 1350
About response rule actions.................................................................................................................................... 1350
Response rule actions for all detection servers.................................................................................................... 1351
Response rule actions for endpoint detection....................................................................................................... 1351
Response rule actions for Network Prevent detection.......................................................................................... 1352
Response rule actions for Network Protect detection...........................................................................................1352
Response rule actions for Cloud Applications and API appliance detectors..................................................... 1353
About response rule execution types......................................................................................................................1357
About Automated Response rules........................................................................................................................... 1357
About Smart Response rules....................................................................................................................................1357
Response Rule Conditions........................................................................................................................................ 1358
About response rule action execution priority.......................................................................................................1359
About response rule authoring privileges.............................................................................................................. 1361
Implementing response rules................................................................................................................................... 1361
Response rule best practices................................................................................................................................... 1362
Manage response rules............................................................................................................................................. 1363
Adding a new response rule.....................................................................................................................................1364
Configuring response rules...................................................................................................................................... 1364
About configuring Smart Response rules...............................................................................................................1365
Configuring response rule conditions.....................................................................................................................1365
Configuring Response Rule Actions....................................................................................................................... 1366
Modifying response rule ordering............................................................................................................................1368
About removing response rules...............................................................................................................................1368
Configuring the Endpoint Location response condition....................................................................................... 1369
Configuring the Endpoint Device response condition...........................................................................................1369
Configuring the Incident Type response condition................................................................................................1370
Configuring the Incident Match Count response condition.................................................................................. 1371
Configuring the Protocol or Endpoint Monitoring response condition............................................................... 1372
Configuring the Severity response condition.........................................................................................................1373
Configuring the Add Note action............................................................................................................................. 1374
Configuring the Encrypt Smart Response action.................................................................................................. 1374
Configuring the Limit Incident Data Retention action........................................................................................... 1374
Retaining data for endpoint incidents................................................................................................................... 1375
Discarding data for network incidents.................................................................................................................. 1376
Configuring the Log to a Syslog Server action......................................................................................................1376
Configuring the Send Email Notification action..................................................................................................... 1377
Configuring the Server FlexResponse action.........................................................................................................1378
Configuring the Set Attribute action........................................................................................................................1379
Configuring the Set Status action............................................................................................................................1380
Configuring the Quarantine Smart Response action............................................................................................. 1380
Configuring the Network Protect: SharePoint Quarantine smart response action............................................. 1381
Configuring the Network Protect: SharePoint Release from Quarantine smart response action......................1382
Configuring the Remove Collaborator Access Smart Response action.............................................................. 1383
Configuring the Remove Shared Links Smart Response action.......................................................................... 1383
Configuring the Restore File Smart Response action........................................................................................... 1384
Configuring the Remove Shared Links in Data-at-Rest action............................................................................. 1384
Configuring the Custom Action on Data-at-Rest action........................................................................................ 1385
Configuring the Delete Data-at-Rest action............................................................................................................ 1385
Configuring the Encrypt Data-at-Rest action..........................................................................................................1386
Configuring the Perform DRM on Data-at-Rest action...........................................................................................1386
Configuring the Quarantine Data-at-Rest action.................................................................................................... 1387
Configuring the Tag Data-at-Rest action................................................................................................................. 1388
Configuring the Prevent download, copy, print action.......................................................................................... 1388
Configuring the Remove Collaborator Access action........................................................................................... 1389
Configuring the Set Collaborator Access to 'Edit' action..................................................................................... 1389
Configuring the Set Collaborator Access to 'Preview' action...............................................................................1390
Configuring the Set Collaborator Access to 'Read' action................................................................................... 1390
Configuring the Set File Access to 'All Read' action.............................................................................................1390
Configuring the Set File Access to 'Internal Edit'.................................................................................................. 1391
Configuring the Set File Access to 'Internal Read' action.................................................................................... 1391
Configuring the Add two-factor authentication action.......................................................................................... 1392
Configuring the Block Data-in-Motion action......................................................................................................... 1392
Configuring the Custom Action on Data-in-Motion action.................................................................................... 1393
Configuring the Encrypt Data-in-Motion action...................................................................................................... 1393
Configuring the Perform DRM on Data-in-Motion action.......................................................................................1394
Configuring the Quarantine Data-in-Motion action................................................................................................ 1395
Configuring the Redact Data-in-Motion action....................................................................................................... 1395
Configuring the Endpoint: FlexResponse action................................................................................................... 1396
Configuring the Endpoint Discover: Quarantine File action................................................................................. 1396
Configuring the Endpoint Prevent: Block action................................................................................................... 1398
Configuring the Endpoint Prevent: Encrypt action................................................................................................ 1400
Configuring the Endpoint Prevent: Notify action................................................................................................... 1402
Configuring the Endpoint Prevent: User Cancel action........................................................................................ 1404
Configuring the Network Prevent for Web: Block FTP Request action............................................................... 1406
Configuring the Network Prevent for Web: Block HTTP/S action........................................................................ 1407
Configuring the Network Prevent: Block SMTP Message action..........................................................................1407
Configuring the Network Prevent: Modify SMTP Message action........................................................................1408
Configuring the Network Prevent for Web: Remove HTTP/S Content action...................................................... 1409
Configuring the Network Protect: Copy File action............................................................................................... 1410
Configuring the Network Protect: Quarantine File action..................................................................................... 1410
Configuring the Endpoint: MIP Classification action.............................................................................................1411
Configuring the User Risk Response Condition.................................................................................................... 1413
Incidents.......................................................................................................................................... 1415
Remediating incidents............................................................................................................................................... 1415
About incident remediation................................................................................................................................... 1415
Remediating incidents........................................................................................................................................... 1417
Overview of End User Remediation..................................................................................................................... 1418
About End User Remediation........................................................................................................................ 1418
Applications of End User Remediation..........................................................................................................1420
About the End User Remediation architecture..............................................................................................1420
About remediating incidents using End User Remediation........................................................................... 1421
Overview of steps to implement End User Remediation...............................................................................1422
Configurations for End User Remediation............................................................................................................ 1423
Configurations for End User Remediation on ServiceNow........................................................................... 1424
Configurations for End User Remediation on Enforce.................................................................................. 1427
Working with the DLP incidents in ServiceNow................................................................................................... 1434
Remediating incidents using the EUR application.........................................................................................1436
Reassigning incidents using the EUR application.........................................................................................1437
Desyncing incidents using the EUR application............................................................................................ 1437
Customizations in ServiceNow when using End User Remediation.................................................................... 1438
About workflows in ServiceNow.................................................................................................................... 1438
About Customizing Email Templates............................................................................................................. 1445
Security guidelines for selecting incident attributes when using End User Remediation..................................... 1449
Security Aspects in ServiceNow....................................................................................................................1449
About Troubleshooting Incidents...........................................................................................................................1451
Troubleshooting incidents.............................................................................................................................. 1452
Performance guidelines for End User Remediation............................................................................................. 1453
Executing Smart response rules...........................................................................................................................1454
Incident remediation action commands................................................................................................................ 1454
Response action variables....................................................................................................................................1455
General incident variables............................................................................................................................. 1456
Network Monitor and Network Prevent incident variables........................................................................... 1456
Discover incident variables............................................................................................................................ 1457
Endpoint incident variables............................................................................................................................1457
Application incident variables........................................................................................................................ 1457
Remediating Network incidents................................................................................................................................1457
Network incident list.............................................................................................................................................. 1458
Network incident list—Actions...............................................................................................................................1460
Network incident list—Columns............................................................................................................................ 1461
Network Incident Snapshots................................................................................................................................. 1462
Network incident snapshot—Heading and navigation.......................................................................................... 1462
Network Incident Snapshot—General Information............................................................................................... 1462
Network incident snapshot—Matches...................................................................................................................1464
Network incident snapshot—Attributes................................................................................................................. 1464
Network summary report.......................................................................................................................................1464
Remediating Endpoint incidents.............................................................................................................................. 1465
About endpoint incident lists................................................................................................................................. 1465
Endpoint incident snapshot...................................................................................................................................1467
Reporting on Endpoint Prevent response rules............................................................................................ 1471
Endpoint incident destination or protocol-specific information...................................................................... 1471
Reporting on Endpoint Prevent response rules............................................................................................ 1472
Endpoint incident destination or protocol-specific information...................................................................... 1473
Endpoint incident summary reports...................................................................................................................... 1474
Remediating Discover incidents...............................................................................................................................1475
About reports for Network Discover..................................................................................................................... 1475
About incident reports for Network Discover........................................................................................................ 1476
Discover incident reports...................................................................................................................................... 1477
Discover incident lists........................................................................................................................................... 1477
Discover incident actions...................................................................................................................................... 1477
Discover incident entries..................................................................................................................................... 1478
Discover incident snapshot................................................................................................................................... 1480
Discover summary reports.................................................................................................................................... 1482
Working with Application incidents......................................................................................................................... 1482
About Applications incident reports...................................................................................................................... 1482
Applications incident list........................................................................................................................................1483
Applications incident entries................................................................................................................................. 1484
Applications incident actions.................................................................................................................................1485
Applications incident snapshot..............................................................................................................................1486
Applications summary reports...............................................................................................................................1488
Viewing, managing, and reporting incidents.......................................................................................................... 1489
Viewing Incidents.................................................................................................................................................. 1491
Incident List Control Features Overview...............................................................................................................1491
Incident Masking Overview................................................................................................................................... 1495
Setting Up Masking for Roles...............................................................................................................................1496
Setting Up Masking for Data Identifiers................................................................................................................1496
About Symantec Data Loss Prevention Reports.................................................................................................. 1497
About Strategies for Using Reports...................................................................................................................... 1498
Setting Report Preferences...................................................................................................................................1498
About Incident Reports......................................................................................................................................... 1499
About dashboard reports and executive summaries............................................................................................ 1500
Viewing dashboards.............................................................................................................................................. 1501
Creating dashboard reports.................................................................................................................................. 1502
Configuring dashboard reports............................................................................................................................. 1503
Choosing reports to include in a dashboard........................................................................................................ 1504
About summary reports.........................................................................................................................................1504
Viewing summary reports......................................................................................................................................1504
Creating summary reports.................................................................................................................................... 1505
About custom reports and dashboards................................................................................................................ 1505
Using IT Analytics to manage incidents............................................................................................................... 1506
Filtering Incident Lists and Reports using the Filter By controls.......................................................................... 1506
Saving custom incident reports.............................................................................................................................1507
Scheduling Custom Incident Reports................................................................................................................... 1508
Delivery Schedule Options for Incident and System Reports.............................................................................. 1509
Delivery schedule options for dashboard reports................................................................................................. 1510
Using the date widget to schedule reports...........................................................................................................1511
Editing custom dashboards and reports............................................................................................................... 1512
Exporting Incident Reports....................................................................................................................................1512
Exported fields for Network Monitor..................................................................................................................... 1513
Exported fields for Network Discover................................................................................................................... 1513
Exported fields for Endpoint Discover.................................................................................................................. 1514
Deleting incidents.................................................................................................................................................. 1514
About the incident deletion process.............................................................................................................. 1515
Configuring the incident deletion job schedule..............................................................................................1516
Starting and stopping incident deletion jobs................................................................................................. 1516
Working with the deletion jobs history...........................................................................................................1517
About automatically flagging incidents for deletion....................................................................................... 1517
About creating incident reports for automatic incident deletion flagging....................................................... 1518
Configuring automatic incident deletion flagging...........................................................................................1518
Managing automatic incident deletion flagging............................................................................................. 1519
Troubleshooting automatic incident deletion flagging....................................................................................1519
Deleting custom dashboards and reports.............................................................................................................1520
Common incident report features......................................................................................................................... 1520
Page navigation in incident reports...................................................................................................................... 1521
Incident report filter and summary options........................................................................................................... 1521
Sending incident reports by email........................................................................................................................ 1522
Printing incident reports........................................................................................................................................ 1522
Incident snapshot history tab................................................................................................................................ 1522
Incident snapshot notes tab..................................................................................................................................1523
Incident snapshot attributes section..................................................................................................................... 1523
Incident snapshot correlations tab........................................................................................................................ 1523
Incident snapshot policy section........................................................................................................................... 1523
Incident snapshot matches section.......................................................................................................................1523
Incident snapshot access information section...................................................................................................... 1524
Customizing incident snapshot pages.................................................................................................................. 1524
About filters and summary options for reports..................................................................................................... 1524
General filters for reports...................................................................................................................................... 1525
Summary options for incident reports...................................................................................................................1527
Advanced filter options for reports........................................................................................................................1530
Hiding incidents..........................................................................................................................................................1535
Incident Hiding.......................................................................................................................................................1535
Hiding incidents..................................................................................................................................................... 1536
Unhiding hidden incidents.....................................................................................................................................1536
Preventing incidents from being hidden............................................................................................................... 1537
Deleting hidden incidents......................................................................................................................................1537
Working with incident data....................................................................................................................................... 1538
About incident status attributes.............................................................................................................................1538
Configuring status attributes and values.............................................................................................................. 1539
Configuring status groups..................................................................................................................................... 1540
Export Web Archive.............................................................................................................................................. 1541
Export web archive—Create Archive....................................................................................................................1542
Export web archive—All Recent Events............................................................................................................... 1542
About custom attributes........................................................................................................................................ 1542
About using custom attributes.............................................................................................................................. 1544
How custom attributes are populated................................................................................................................... 1544
Configuring custom attributes............................................................................................................................... 1544
Setting the values of custom attributes manually.................................................................................................1545
Working with user risk.............................................................................................................................................. 1545
User Data Sources................................................................................................................................................1545
Defining custom attributes for user data....................................................................................................... 1546
Bringing in User Data..................................................................................................................................... 1547
About identifying users in web incidents....................................................................................................... 1551
Viewing the User List.....................................................................................................................................1553
Viewing user details....................................................................................................................................... 1554
Working with the User Risk Summary.......................................................................................................... 1554
Reviewing the User Risk in Incidents............................................................................................................ 1555
About End User Remediation................................................................................................................................... 1555
Implementing lookup plug-ins.................................................................................................................................. 1557
About lookup plug-ins........................................................................................................................................... 1557
Types of lookup plug-ins................................................................................................................................1558
About lookup parameters...............................................................................................................................1559
About plug-in deployment.............................................................................................................................. 1560
About plug-in chaining................................................................................................................................... 1560
About upgrading lookup plug-ins................................................................................................................... 1561
Implementing and testing lookup plug-ins............................................................................................................ 1561
Managing and configuring lookup plug-ins....................................................................................................1562
Creating new lookup plug-ins........................................................................................................................ 1563
Selecting lookup parameters......................................................................................................................... 1564
Enabling lookup plug-ins................................................................................................................................1567
Chaining lookup plug-ins............................................................................................................................... 1568
Reloading lookup plug-ins............................................................................................................................. 1568
Troubleshooting lookup plug-ins.................................................................................................................... 1568
Configuring detailed logging for lookup plug-ins........................................................................................... 1569
Configuring advanced plug-in properties.......................................................................................................1570
Configuring the CSV Lookup Plug-In................................................................................................................... 1571
Requirements for creating the CSV file.........................................................................................................1572
Specifying the CSV File Path........................................................................................................................ 1573
Choosing the CSV file delimiter.................................................................................................................... 1573
Selecting the CSV file character set............................................................................................................. 1574
Mapping attributes and parameter keys to CSV fields..................................................................................1574
CSV attribute mapping example....................................................................................................................1575
Testing and troubleshooting the CSV Lookup Plug-In.................................................................................. 1576
CSV Lookup Plug-In Tutorial......................................................................................................................... 1576
Configuring LDAP Lookup Plug-Ins...................................................................................................................... 1578
Requirements for LDAP server connections................................................................................................. 1578
Mapping attributes to LDAP data.................................................................................................................. 1579
Attribute mapping examples for LDAP.......................................................................................................... 1579
Testing and troubleshooting LDAP Lookup Plug-ins..................................................................................... 1580
LDAP Lookup Plug-In tutorial........................................................................................................................ 1580
Configuring Script Lookup Plug-Ins...................................................................................................................... 1581
Writing scripts for Script Lookup Plug-Ins..................................................................................................... 1582
Specifying the Script Command.................................................................................................................... 1583
Specifying the Arguments..............................................................................................................................1583
Enabling the stdin and stdout options........................................................................................................... 1584
Enabling incident protocol filtering for scripts................................................................................................1584
Enabling and Encrypting Script Credentials.................................................................................................. 1585
Chaining multiple Script Lookup Plug-Ins......................................................................................................1586
Script Lookup Plug-In tutorial........................................................................................................................ 1586
Example script................................................................................................................................................1587
Configuring migrated Custom (Legacy) Lookup Plug-Ins.....................................................................................1589
DLP REST APIs.............................................................................................................................. 1590
Accessing the Symantec Data Loss Prevention APIs........................................................................................... 1590
Creating a User and Role for the Symantec Data Loss Prevention API client.................................................... 1595
Code Samples for the Symantec Data Loss Prevention REST API......................................................................1596
Managing Discover Scan Targets................................................................................................ 1597
Configuring Network Discover and Endpoint Discover targets............................................................................1600
How Network Discover works...................................................................................................................................1600
How Network Discover scanners work....................................................................................................................1601
Setting up and configuring Network Discover....................................................................................................... 1602
About Discover and Endpoint Discover Servers.................................................................................................. 1602
Modifying the Network Discover Server configuration..........................................................................................1603
Adding a new Network Discover target................................................................................................................ 1604
Adding items to scan............................................................................................................................................ 1604
Editing scan target items...................................................................................................................................... 1605
Editing an existing Network Discover target.........................................................................................................1607
Network Discover scan target configuration options............................................................................................ 1607
Configuring the required fields for Network Discover targets...............................................................................1608
Scheduling Network Discover scans.................................................................................................................... 1609
Providing credentials for Network Discover scanned content...............................................................................1610
Encrypting passwords in configuration files..........................................................................................................1611
Setting up Network Discover filters to include or exclude items from the scan....................................................1611
Recommended file types to exclude............................................................................................................. 1613
Filtering Discover targets by item size................................................................................................................. 1613
Filtering Discover targets by date last accessed or modified...............................................................................1614
Optimizing resources with Network Discover scan throttling................................................................................1615
Inventory Scanning for a content root of unprotected sensitive data................................................................... 1616
Managing Network Discover target scans.............................................................................................................. 1618
Managing Network Discover targets.....................................................................................................................1618
About the Network Discover scan target list................................................................................................. 1618
Working with Network Discover scan targets................................................................................................1619
Removing Network Discover scan targets.................................................................................................... 1619
Managing Network Discover scan histories..........................................................................................................1620
About Discover and Endpoint Discover scan histories................................................................................. 1620
Working with Network Discover scan histories............................................................................................. 1621
Deleting Network Discover scans..................................................................................................................1622
About Discover scan details.......................................................................................................................... 1622
Working with Network Discover scan details................................................................................................ 1626
Managing Network Discover Servers................................................................................................................... 1627
Viewing Network Discover server status....................................................................................................... 1627
About Network Discover scan optimization.......................................................................................................... 1627
About Network Discover incremental scans......................................................................................................... 1629
About re-using incremental index for file system target incremental scans......................................................... 1630
About Network Discover differential scans........................................................................................................... 1630
About the difference between Network Discover incremental scans and differential scans................................. 1631
Configuring parallel scanning of Network Discover targets..................................................................................1631
Troubleshooting Network Discover content extraction errors............................................................................... 1632
About grid scanning.............................................................................................................................................. 1633
Configuring grid scanning..................................................................................................................................... 1634
Renewing grid communication certificates for Discover detection servers...........................................................1636
Migrating a Discover scan from a single server to a grid.................................................................................... 1638
Grid scanning performance guidelines................................................................................................................. 1638
Understanding and using grid scan performance feedback................................................................................. 1640
Troubleshooting grid scans................................................................................................................................... 1641
Need help sizing your grid?..................................................................................................................................1642
Overview of Network Discover Cluster....................................................................................................................1642
Network Discover Cluster..................................................................................................................................... 1642
Architecture of the Network Discover Cluster.......................................................................................................1643
Summary of Tasks for Network Discover Cluster to Work................................................................................... 1645
View Information on the Discover Cluster Details Screen....................................................................................1645
Setting up Server Scans of File System - High Speed Discovery........................................................................ 1650
File System - High Speed Discovery Target Scan.............................................................................................. 1650
Configuring the File System - High Speed Discovery Target Scans.................................................................... 1651
Configuring File System - High Speed Discovery Scans of Microsoft Outlook Personal Folders..................1660
Internal Pause and Resume Functionality for a File System - High Speed Discovery Scan........................1660
Configuring Parallel Scanning for the File System - High Speed Discovery Target Scan............................. 1662
View Information on the File System - High Speed Discovery Scan Details Screen........................................... 1662
Best Practices for the File System - High Speed Discovery Scan.......................................................................1666
Troubleshooting the File System - High Speed Discovery Scans........................................................................1666
Setting up server scans of file systems..................................................................................................................1669
Supported File System Targets.............................................................................................................................1670
Automatically discovering servers and shares before configuring a file system target........................................ 1671
Working with Content Root Enumeration scans............................................................................................1671
Troubleshooting Content Root Enumeration scans.......................................................................................1674
About automatically tracking incident remediation status.....................................................................................1674
Configuration options for Automated Incident Remediation Tracking........................................................... 1675
Troubleshooting automated incident remediation tracking............................................................................ 1677
Excluding internal DFS folders............................................................................................................................. 1678
Configuring scans of Microsoft Outlook Personal Folders (.pst files) for file system target scan......................... 1678
Configuring the file system target scans.............................................................................................................. 1678
Configuring Network Protect for file shares..........................................................................................................1688
Priority of credentials for file shares..................................................................................................................... 1689
Setting up server scans of IBM (Lotus) Notes databases.....................................................................................1690
Supported IBM (Lotus) Notes targets................................................................................................................... 1690
Configuring and running IBM (Lotus) Notes scans.............................................................................................. 1690
Configuring IBM (Lotus) Notes DIIOP mode configuration scan options............................................................. 1692
Setting up server scans of SQL databases............................................................................................................ 1693
Supported SQL database targets......................................................................................................................... 1694
Required JDBC drivers for SQL database targets........................................................................................ 1694
Configuring and running SQL database scans.....................................................................................................1694
Installing the JDBC driver for SQL database targets........................................................................................... 1696
SQL database scan configuration properties....................................................................................................... 1697
Setting up server scans of SharePoint servers......................................................................................................1698
About scans of SharePoint servers...................................................................................................................... 1699
Supported SharePoint server targets................................................................................................................... 1699
Access privileges for SharePoint scans............................................................................................................... 1700
About Alternate Access Mapping Collections.......................................................................................................1700
Configuring and running SharePoint server scans...............................................................................................1700
Configuring Network Protect for SharePoint servers............................................................................................1703
Installing the SharePoint solution on the Web Front Ends in a farm................................................................... 1705
Enabling SharePoint scanning without installing the SharePoint solution............................................................1706
Setting up SharePoint scans to use Kerberos authentication.............................................................................. 1706
Troubleshooting SharePoint scans....................................................................................................................... 1707
Setting up server scans of Exchange repositories................................................................................................1708
About scans of Exchange servers........................................................................................................................1709
Configuring Exchange Server scans.................................................................................................................... 1709
Setting up Exchange scans to use Kerberos authentication................................................................................1712
Example configurations and use cases for Exchange scans............................................................................... 1712
Troubleshooting Exchange scans......................................................................................................................... 1713
Client Access Throttling in Exchange scans................................................................................................. 1713
About Network Discover scanners.......................................................................................................................... 1714
How Network Discover scanners work................................................................................................................. 1714
Troubleshooting scanners..................................................................................................................................... 1714
Scanner processes................................................................................................................................................1715
Scanner installation directory structure.................................................................................................................1716
Scanner configuration files....................................................................................................................................1717
Scanner controller configuration options.............................................................................................................. 1717
Setting up remote scanning of file systems........................................................................................................... 1718
Supported File System Scanner Targets.............................................................................................................. 1719
Installing file system scanners.............................................................................................................................. 1719
Starting file system scans..................................................................................................................................... 1721
Installing file system scanners silently from the command line............................................................................1722
Configuration options for file system scanners.....................................................................................................1722
Example configuration for scanning the C drive on a Windows computer...........................................................1723
Example configuration for scanning the /usr directory on UNIX...........................................................................1723
Example configuration for scanning with include filters........................................................................................1724
Example configuration for scanning with exclude filters.......................................................................................1724
Example configuration for scanning with include and exclude filters................................................................... 1724
Example configuration for scanning with date filtering......................................................................................... 1725
Example configuration for scanning with file size filtering.................................................................................... 1725
Example configuration for scanning that skips symbolic links on UNIX systems................................................. 1725
Setting up Scanning of Web Server Scanners....................................................................................................... 1726
About Web Server Scanners................................................................................................................................ 1726
Web server scanner requirements........................................................................................................................1727
Configuring the Web Server Scanner Target Type...............................................................................................1727
Configuration Options for Web Server Scanners................................................................................................. 1730
Configure the Web Server Scanner Configuration File................................................................................. 1730
Complete Additional Configuration Tasks......................................................................................................1733
Configuring the Web Server Scanner to Use Form-Based Authentication...........................................................1733
Starting web server scans.................................................................................................................................... 1735
Best Practices for Web Server Scanning............................................................................................................. 1735
Troubleshooting the Web Server Scanner............................................................................................................1736
Generic Network Discover scanner targets for future support............................................................................ 1737
Setting up Web Services for custom scan targets................................................................................................ 1738
About setting up the Web Services Definition Language (WSDL)....................................................................... 1738
Example of a Web Services Java client...............................................................................................................1739
Sample Java code for the Web Services example.............................................................................................. 1739
Web Services WSDL............................................................................................................................................ 1742
Web Services SOAP request................................................................................................................................1744
Using Data Insight......................................................................................................................................................1745
About Data Insight................................................................................................................................................ 1745
Components of the Symantec Data Loss Prevention integration with Veritas Data Insight.......................... 1746
How Data Insight works with Data Loss Prevention..................................................................................... 1747
What you can do with Veritas Data Insight and Symantec Data Loss Prevention........................................ 1747
Where to get more information about Veritas Data Insight........................................................................... 1748
Locating and managing data at risk.............................................................................................................. 1749
Implementing Data Insight for Data Loss Prevention to manage data at risk............................................... 1749
Configuring the connection between the Enforce Server and Data Insight...................................................1751
Introducing the Data Insight lookup plug-in...................................................................................................1752
Configuring Data Loss Prevention to retrieve attribute values from Data Insight..........................................1753
Mapping attributes to Data Insight data fields...............................................................................................1754
Enabling the Data Insight lookup plug-in...................................................................................................... 1756
Chaining the Data Insight lookup plug-in...................................................................................................... 1756
Enabling lookup plug-in parameter keys....................................................................................................... 1756
Testing the Data Insight lookup plug-in configuration................................................................................... 1757
Troubleshooting the Data Insight lookup plug-in........................................................................................... 1758
Changing Data Insight refresh intervals........................................................................................................ 1759
Best practices for finding and reporting on data at risk................................................................................ 1759
Accessing reports of folders at risk............................................................................................................... 1760
Configuring the risk score and timeframes for the report of folders at risk................................................... 1760
Viewing folders ranked by risk, path, or folder exposure.............................................................................. 1761
Viewing details of a folder at risk.................................................................................................................. 1762
Filtering the information in the report of folders at risk................................................................................. 1763
Saving a report of folders at risk...................................................................................................................1765
Finding data users and accesses in incident reports....................................................................................1765
Viewing Data Insight incident details.............................................................................................................1766
Accessing the history of a file in the Veritas Data Insight console............................................................... 1767
Selecting custom attributes for data user details.......................................................................................... 1767
Creating summary reports for Data Insight................................................................................................... 1768
Creating and distributing aggregated incident reports to data owners..........................................................1769
Guidelines for Tuning Network Discover................................................................................................................ 1770
Using DLP Tuning Tests....................................................................................................................................... 1770
Tuning Guidelines for Network Discover scans....................................................................................................1771
About Tuning Network Discover Scans.........................................................................................................1771
Overview of Implementing the Guidelines for Tuning Network Discover Scans........................................... 1772
Factors that Affect Network Discover Scan Performance............................................................................. 1772
Best Practices for Configuring File System Scan Targets.............................................................................1772
Best Practices for Configuring Microsoft SharePoint Scan Targets.............................................................. 1772
Tuning Network Discover Scans................................................................................................................... 1773
Sample Tuning Configuration for Network Discover Scans.......................................................................... 1775
Tuning Guidelines for Network Discover Cluster.................................................................................................. 1775
Factors Affecting the File System - High Speed Discovery Scan Throughput.............................................. 1775
Prerequisites for Deploying a Network Discover Cluster...............................................................................1775
Deployment Guidelines for a Network Discover Cluster............................................................................... 1776
Best Practices to Configure a File System - High Speed Discovery Scan in a Network Discover Cluster.... 1777
DLP Parameters that Impact the File System - High Speed Discovery Scan Throughput............................ 1777
Guidelines for Sizing a Network Discover Cluster........................................................................................ 1778
Implementing Network Monitor.................................................................................................... 1779
About IPv6 support for Network Monitor................................................................................................................ 1780
Choosing a network packet capture method..........................................................................................................1780
About packet capture software installation and configuration.............................................................................1781
Installing Npcap on a Windows platform.............................................................................................................. 1781
Installing and Updating the Napatech Network Adapter and Driver Software......................................................1781
Sample Napatech Capture Configuration File...............................................................................................1783
About Network Performance Tests.......................................................................................................................... 1784
About network performance sizing guidelines...................................................................................................... 1784
About the Network Monitor performance test environment with Napatech cards......................................... 1785
About the Network Monitor performance test methodology for an environment with Napatech cards.......... 1786
Network Monitor performance test results and sizing guidelines for environments with Napatech cards......1787
About the Network Prevent for Email performance test environment.................................................................. 1788
About the Network Prevent for Email performance test methodology.......................................................... 1788
Network Prevent for Email Performance Test Results and Sizing Guidelines.............................................. 1789
About the Network Prevent for Web performance test environment....................................................................1790
About the Network Prevent for Web performance test methodology............................................................ 1791
Network Prevent for Web performance test results and sizing guidelines.................................................... 1791
Configuring the Network Monitor Server................................................................................................................ 1793
Enabling GET processing with Network Monitor................................................................................................... 1794
Creating a policy for Network Monitor.................................................................................................................... 1795
Implementing Network Prevent for Email................................................................................................................1795
About Mail Transfer Agent (MTA) integration......................................................................................................... 1796
About the Network Prevent for Email Server......................................................................................................... 1796
Operating modes for Network Prevent for Email Server......................................................................................1797
About hosted Network Prevent deployments....................................................................................................... 1797
Environment Compatibility and Requirements for Network Prevent for Email..................................................... 1798
About selecting an integration architecture.......................................................................................................... 1798
About Network Prevent for Email response rules..................................................................................................1798
About message blocking.......................................................................................................................................1798
About messages redirecting................................................................................................................................. 1799
About downstream message tagging................................................................................................................... 1799
About integration architectures................................................................................................................................1800
About the Network Prevent for Email Server message chain.............................................................................. 1800
Integration architectures for reflecting mode........................................................................................................ 1802
About second SMTP listener-based routing..................................................................................................1802
About SMTP client IP address-based routing............................................................................................... 1803
About HELO identification string-based routing............................................................................................ 1804
About message header-based routing.......................................................................................................... 1805
About the integration architecture for forwarding mode....................................................................................... 1806
About next-hop MTA selection.......................................................................................................................1807
About TLS authentication......................................................................................................................................1807
Configuring keys and certificates for TLS..................................................................................................... 1808
Changing the Network Prevent for Email Server Keystore Password.......................................................... 1809
Generating Network Prevent for Email Server Keys.....................................................................................1810
Exporting the Network Prevent for Email Server public key certificate......................................................... 1811
Importing Public Key Certificates to the Network Prevent for Email Server Keystore...................................1811
Configuring Network Prevent for Email Server for reflecting or forwarding mode.........................................1813
About capacity and fault tolerance................................................................................................................ 1816
About fault tolerance planning....................................................................................................................... 1819
About MX-based bypass................................................................................................................................1819
About MTA-based queue management.........................................................................................................1820
About Network Prevent for Email Server integration testing................................................................................ 1820
About functional tests.................................................................................................................................... 1820
About basic failover tests.............................................................................................................................. 1821
About store and forward email systems............................................................................................................... 1821
About the DNS system.................................................................................................................................. 1822
About the MTA integration checklist..................................................................................................................... 1822
Completing the Network Prevent for Email Server integration prerequisites................................................ 1822
Selecting an integration architecture............................................................................................................. 1823
Evaluating message stream component capacity......................................................................................... 1823
Integrating Network Prevent for Email with MTAs.........................................................................................1823
Configuring Network Prevent for Email Server for reflecting or forwarding mode.............................................1825
Specifying one or more upstream mail transfer agents (MTAs)........................................................................... 1827
Creating a policy for Network Prevent for Email....................................................................................................1827
About policy violation data headers........................................................................................................................ 1828
Enabling policy violation data headers................................................................................................................... 1829
Testing Network Prevent for Email.......................................................................................................................... 1829
Implementing Network Prevent for Web..................................................................................................................1830
Configuring Network Prevent for Web Server........................................................................................................ 1830
Configuring a Secure ICAP keystore for Network Prevent for Web..................................................................... 1832
About Proxy Server Configuration...........................................................................................................................1834
Configuring request and response mode services............................................................................................... 1834
Specifying One or More Proxy Servers...................................................................................................................1835
Enabling GET processing for Network Prevent for Web....................................................................................... 1836
Creating policies for Network Prevent for Web......................................................................................................1836
Testing Network Prevent for Web............................................................................................................................ 1837
Troubleshooting information for Network Prevent for Web Server...................................................................... 1837
About discovering and preventing data loss on endpoints......................................................1838
Secure Communications Between DLP Agents and Endpoint Servers............................................................... 1839
Generating agent installation packages.................................................................................................................. 1839
Agent installation package contents....................................................................................................................... 1842
Windows Agent Package Contents...................................................................................................................... 1842
macOS Agent Package Contents......................................................................................................................... 1842
Linux Agent Package Contents............................................................................................................................ 1843
Guidelines for authoring Endpoint policies............................................................................................................ 1843
DLP Agent Version 16.0.1 Monitoring Support.......................................................................................................1844
DLP Agent feature-level support for Mac endpoints............................................................................................ 1845
Mac agent installation and tools feature details............................................................................................ 1846
Mac agent management features..................................................................................................................1847
Overview of Mac agent detection technologies and policy authoring features............................................. 1847
Mac agent monitoring support....................................................................................................................... 1850
Endpoint Prevent for Mac agent advanced agent settings features............................................................. 1857
Endpoint Discover for Mac targets features.................................................................................................. 1857
Endpoint Discover for Mac file system support.............................................................................................1858
Endpoint Discover for Mac advanced agent settings....................................................................................1858
DLP Agent feature-level support for Linux endpoints...........................................................................................1858
Linux agent installation support..................................................................................................................... 1858
Linux agent detection technologies............................................................................................................... 1859
Linux agent groups features.......................................................................................................................... 1861
Endpoint Discover for Linux targets features................................................................................................ 1862
Endpoint discover for Linux file system support............................................................................................1862
Linux endpoint tools features.........................................................................................................................1862
Endpoint Discover for Linux Advanced Agent Settings.................................................................................1863
About Endpoint Prevent monitoring........................................................................................................................ 1863
About removable storage monitoring....................................................................................................................1864
About endpoint network monitoring...................................................................................................................... 1864
About CD/DVD monitoring.................................................................................................................................... 1866
About print/fax monitoring..................................................................................................................................... 1866
About network share monitoring........................................................................................................................... 1867
Supported network share monitoring protocols on Windows endpoints....................................................... 1868
Supported network share monitoring protocols on Mac endpoints............................................................... 1868
About clipboard monitoring................................................................................................................................... 1868
About global application monitoring......................................................................................................................1868
About group-specific application monitoring: using overrides.............................................................................. 1869
About cloud storage application monitoring..........................................................................................................1869
About virtual desktop support with Endpoint Prevent...........................................................................................1871
About Azure Virtual Desktop support............................................................................................................ 1871
About Citrix XenDesktop and Citrix XenApp support....................................................................................1873
About VMware Fusion implementation..........................................................................................................1874
About rules results caching (RRC)....................................................................................................................... 1874
About policy creation for Endpoint Prevent........................................................................................................... 1874
About monitoring policies with response rules for Endpoint Servers................................................................... 1875
About Endpoint Block.................................................................................................................................... 1875
About Endpoint Notify.................................................................................................................................... 1875
Endpoint User Cancel....................................................................................................................................1876
How to implement Endpoint Prevent....................................................................................................................... 1877
Setting the endpoint location................................................................................................................................ 1878
About Endpoint Prevent response rules in different locales.................................................................................1879
Setting Endpoint Prevent response rules for different locales...................................................................... 1879
About Endpoint Discover.......................................................................................................................................... 1880
About Endpoint Discover Scanning.........................................................................................................................1880
About scanning targeted endpoints...................................................................................................................... 1880
About Endpoint Discover full scanning................................................................................................................. 1881
About Endpoint Discover incremental scanning................................................................................................... 1881
How incremental scan for Endpoint Discover works.....................................................................................1881
About parallel scans on targeted endpoints......................................................................................................... 1882
Optimizing the scan for endpoint performance.....................................................................................................1883
Preparing to set up Endpoint Discover................................................................................................................... 1883
Creating a policy group for Endpoint Discover.....................................................................................................1884
Creating a policy for Endpoint Discover............................................................................................................... 1884
Adding a rule for Endpoint Discover.....................................................................................................................1885
About Endpoint Quarantine........................................................................................................................... 1885
Setting up and configuring Endpoint Discover...................................................................................................... 1886
Creating an Endpoint Discover scan....................................................................................................................... 1886
Creating a new Endpoint Discover target.............................................................................................................1887
Selecting multiple servers for an Endpoint Discover scan................................................................................... 1889
About Endpoint Discover filters.............................................................................................................................1890
Using include and exclude filters...................................................................................................................1890
Setting up Endpoint Discover filters to include or exclude items from the scan............................................1892
Using environment variables in Endpoint Discover scans............................................................................ 1892
Configuring Endpoint Discover scan timeout settings.......................................................................................... 1895
Managing Endpoint Discover target scans............................................................................................................. 1895
About managing Endpoint Discover scans...........................................................................................................1896
About Endpoint Discover targeted endpoints scan details................................................................................... 1896
About remediating Endpoint Discover incidents................................................................................................... 1897
About Endpoint reports......................................................................................................................................... 1898
About agent configurations...................................................................................................................................... 1898
About cloning agent configurations.......................................................................................................................1899
Adding and editing agent configurations................................................................................................................1899
Channel settings....................................................................................................................................................1900
Enable monitoring settings............................................................................................................................ 1900
Channel Filters settings........................................................................................................................................ 1905
Filter by File Properties settings....................................................................................................................1906
Filter by Network Properties settings............................................................................................................ 1909
Ignore User Identities for Cloud Storage Applications settings..................................................................... 1911
Filter by Printer Properties settings............................................................................................................... 1912
Application Monitoring settings............................................................................................................................. 1912
Selecting applications to monitor (override global settings).......................................................................... 1913
Classification settings............................................................................................................................................1913
Device Control settings......................................................................................................................................... 1914
Agent settings........................................................................................................................................................1914
Server Communication settings.....................................................................................................................1915
Browser Extension Enablement Reminder....................................................................................................1915
Resource Consumption on the Endpoint Host settings................................................................................ 1916
Resource Consumption for Endpoint Discover Scans settings.....................................................................1916
File Recovery Area Location settings............................................................................................................1917
LiveUpdate for Data Loss Prevention........................................................................................................... 1918
Safe Mode settings........................................................................................................................................ 1925
Cloud Storage settings.................................................................................................................................. 1925
Printer/Fax settings........................................................................................................................................ 1926
Agent proxy settings...................................................................................................................................... 1928
Microsoft Information Protection settings...................................................................................................... 1928
Advanced agent settings.......................................................................................................................................1929
Setting specific channels to monitor based on the endpoint location.................................................................. 1954
Applying agent configurations to an agent group................................................................................................. 1954
Configuring the agent connection status................................................................................................................1955
About agent groups................................................................................................................................................... 1955
Developing a Strategy for Deploying Agent Groups............................................................................................. 1956
Overview of the Agent Group Deployment Process.............................................................................................. 1956
Creating and managing agent attributes.................................................................................................................1957
Creating an Agent Attribute.................................................................................................................................. 1957
Defining a search filter for creating user-defined attributes..................................................................................1958
Verifying attribute queries with the Attribute Query Resolver tool........................................................................ 1958
Applying a new attribute or changed attribute to agents......................................................................................1959
Undoing changes to agent attributes....................................................................................................................1959
Editing user-defined agent attributes.................................................................................................................... 1960
Defining a search filter for creating user-defined attributes..................................................................................1960
Verifying attribute queries with the Attribute Query Resolver tool........................................................................ 1960
Applying a new attribute or changed attribute to agents......................................................................................1961
Undoing changes to agent attributes....................................................................................................................1961
Editing user-defined agent attributes.................................................................................................................... 1961
Manage and add endpoint devices.......................................................................................................................... 1961
Creating and modifying endpoint device configurations....................................................................................... 1962
Viewing and managing agent groups...................................................................................................................... 1963
Agent group conditions......................................................................................................................................... 1964
Creating a new agent group................................................................................................................................. 1964
Assigning configurations to deploy groups........................................................................................................... 1965
Updating outdated agent configurations............................................................................................................... 1965
Verify that group assignments are correct............................................................................................................1965
Agent group conditions......................................................................................................................................... 1965
Assigning configurations to deploy groups........................................................................................................... 1966
Updating outdated agent configurations............................................................................................................... 1966
Verify that group assignments are correct............................................................................................................1966
Viewing Group Conflicts............................................................................................................................................1966
How to resolve group conflicts................................................................................................................................ 1967
Changing groups........................................................................................................................................................1967
About Symantec DLP Agent administration........................................................................................................... 1968
Agent Overview screen.........................................................................................................................................1968
Using the Agent List screen.......................................................................................................................... 1969
Using the Summary Reports screen............................................................................................................. 1974
Agent task confirmation screen..................................................................................................................... 1978
Changing the Endpoint Prevent Server.........................................................................................................1980
About agent events............................................................................................................................................... 1981
Summarizing agent events............................................................................................................................ 1981
Agent Event Detail screen............................................................................................................................. 1982
Troubleshooting Agent Alerts.........................................................................................................................1982
About Symantec DLP Agent removal................................................................................................................... 1987
Removing DLP Agents from Windows Endpoints Using System Management Software............................. 1987
Removing a DLP Agent from a Windows endpoint.......................................................................................1988
Removing DLP Agents from Mac endpoints Using System Management Software..................................... 1988
Removing a DLP Agent from a Mac Endpoint..............................................................................................1989
DLP Agent Logs......................................................................................................................................................... 1989
Setting the log levels for an Endpoint Agent........................................................................................................1989
About agent password management....................................................................................................................... 1990
Create a new agent uninstall or Endpoint tools password................................................................................... 1991
Change an existing agent uninstall or Endpoint tools password..........................................................................1991
Retain existing agent uninstall or Endpoint tools passwords............................................................................... 1992
About global application monitoring....................................................................................................................... 1992
Changing global application monitoring settings.................................................................................................. 1993
Monitoring instant messenger applications on Mac endpoints.............................................................................1994
List of CD/DVD applications................................................................................................................................. 1994
About adding applications........................................................................................................................................ 1995
Adding a Windows application.................................................................................................................................1996
Generating Third-party Application Information Using the GetAppInfo Tool.........................................................1997
Adding a macOS application.................................................................................................................................... 1998
Defining macOS application binary names...........................................................................................................1999
Ignoring macOS applications....................................................................................................................................2000
About Application File Access monitoring............................................................................................................. 2000
Implementing Application File Access monitoring................................................................................................ 2001
About Endpoint FlexResponse................................................................................................................................. 2001
Deploying Endpoint FlexResponse.......................................................................................................................... 2002
About deploying Endpoint FlexResponse plug-ins on endpoints........................................................................2003
Deploying Endpoint FlexResponse plug-ins using a silent installation process................................................2003
About the Endpoint FlexResponse utility............................................................................................................... 2004
Deploying an Endpoint FlexResponse plug-in using the Endpoint FlexResponse utility.................................. 2005
Enabling Endpoint FlexResponse on the Enforce Server..................................................................................... 2006
Uninstalling an Endpoint FlexResponse plug-in using the Endpoint FlexResponse utility...............................2006
Retrieving an Endpoint FlexResponse plug-in from a specific endpoint............................................................ 2007
Retrieving a list of Endpoint FlexResponse plug-ins from an endpoint.............................................................. 2007
About the SEP Intensive Protection file reputation service..................................................................................2007
Enabling SEP Intensive Protection.......................................................................................................................... 2008
Setting the SEP Intensity Level................................................................................................................................2009
Adding a SEP Intensive Protection response rule.................................................................................................2009
Monitoring Google Chrome using the Chrome Content Analysis Connector Agent SDK on Windows endpoints (Feature Preview)........................................................................................................................................................2010
Configuring Google Chrome Monitoring for Windows Endpoints Using the Google Chrome Content Analysis Connector Agent SDK...........................................................................................................................................2010
About Endpoint Notifications....................................................................................................................................2011
Customizing Endpoint Notification Strings............................................................................................................2012
Adding Non-English Endpoint Notification Strings................................................................................................2012
Removing Non-English Endpoint Notification Strings...........................................................................................2013
Language Support for Endpoint Notification Strings............................................................................................ 2013
Customizing Endpoint Notification Strings for Agents Earlier than DLP 16.0.......................................................2014
Endpoint Notifications............................................................................................................................................2015
AIPBlockAuthentication endpoint notification category..................................................................................2016
AIPSuggestAuthentication endpoint notification category............................................................................. 2017
Browser.Extension.Notifications endpoint notification category.....................................................................2017
Common.Messages endpoint notification category....................................................................................... 2018
Device.Control endpoint notification category............................................................................................... 2019
Response.Rule.Common.Messages endpoint notification category............................................................. 2019
Response.Rule.Variable.Text endpoint notification category.........................................................................2019
Using cloud services to prevent data loss................................................................................. 2022
About the Cloud Management Portal (CMP)........................................................................................................... 2022
Accessing the Cloud Management Portal from the Enforce Server administration console.................................2022
Using the Cloud Management Portal................................................................................................................... 2022
About Application Detection..................................................................................................................................... 2023
Managing Application Detection...............................................................................................................................2023
About Symantec Data Loss Prevention Cloud Service for Email.........................................................................2027
Customer roles for Cloud Service for Email......................................................................................................... 2027
About Symantec Email Security.cloud and Symantec Cloud Service for Email................................................... 2028
About the enrollment bundle.................................................................................................................................2028
Support for Symantec Cloud Service for Email....................................................................................................2029
Cloud Service for Email components and workflow............................................................................................. 2029
System requirements for Symantec Cloud Service for Email............................................................................. 2030
Preparing to implement Cloud Service for Email................................................................................................. 2030
Symantec Cloud Service for Email Implementation overview.............................................................................. 2030
Saving the enrollment bundle............................................................................................................................... 2031
Opening a port for communication with the cloud service................................................................................... 2032
Enabling incident reconciliation.............................................................................................................................2032
Configuring on-premises Microsoft Exchange to use Symantec Email Security.cloud for delivery (Forwarding Mode).....................................................................................................................................................................2033
Configuring Microsoft 365 to use Symantec Email Security.cloud for email delivery (Forwarding mode)............ 2036
Configuring Microsoft 365 to use Microsoft 365 for email delivery (Reflecting mode)......................................... 2038
Detecting emails from a subset of Microsoft 365 Exchange Online users...........................................................2041
Configuring Google Workspace Gmail to send outbound emails to Cloud Service for Email.............................. 2041
Detecting emails from a subset of Google Workspace Gmail users.................................................................... 2042
About updating email domains in the Enforce Server administration console..................................................... 2043
Viewing Cloud Service for Email detector details......................................................................................... 2043
Adding the unique TXT record to your DNS settings....................................................................................2044
Updating Email Domains............................................................................................................................... 2044
Update override by the Broadcom Symantec Cloud Service........................................................................2045
Upgrading from Data Loss Prevention 15.8 if you use reflecting mode........................................................2045
Testing Symantec Cloud Service for Email.......................................................................................................... 2046
Creating and Publishing a Policy Group for Symantec Cloud Service for Email..................................................2046
Modifying SPF records in Email Security.cloud to ensure email delivery.............................................................2047
Deleting the Cloud Detector to reset the cloud service........................................................................................2047
Requesting a new Cloud certificate......................................................................................................................2047
Installing cloud certificates for detectors...............................................................................................................2048
Understanding size limits for profiles....................................................................................................................2048
Using Symantec Email Security.cloud Data Protection........................................................................................ 2048
Configuring the Enforce Server to sync with Email Security.cloud Email Quarantine.......................................... 2049
Setting up the Enforce Server to work with Email Security.cloud to quarantine messages and remediate email incidents.................................................................................................................................................................2049
About the Cloud Detection Service for Web Security Service (WSS).................................................................. 2050
About roles for implementing the Cloud Detection Service for Web Security Services (WSS)............................ 2050
Cloud Detection Service solution architecture and process flow........................................................................ 2050
System and deployment requirements................................................................................................................. 2051
Process for deploying the Cloud Detection Service............................................................................................. 2051
Saving the enrollment bundle............................................................................................................................... 2052
Registering the Cloud Detection Service..............................................................................................................2053
About Integrating the Symantec Web Security Service with Symantec Data Loss Prevention............................ 2053
Configuring the Symantec Web Security Service integration with Symantec Data Loss Prevention....................2054
Working with Symantec Web Security Services incidents................................................................................... 2054
About the Symantec integration with MIP for DLP Cloud..................................................................................... 2054
About your Microsoft MIP credentials...................................................................................................................2055
Enabling MIP for DLP Cloud on the Azure portal................................................................................................ 2055
Configuring DLP cloud detectors with MIP access credentials............................................................................ 2056
Deleting MIP Insight credential profiles................................................................................................................ 2056
About content detection with OCR in the Cloud....................................................................................................2057
Language support for OCR in the Cloud content extraction................................................................................ 2057
Detection types supported for OCR in the Cloud content extraction................................................................... 2059
File types supported for OCR in the cloud extraction......................................................................................... 2059
About DLP Appliances.................................................................................................................. 2060
Obtaining License Files for the API Detection for Developer Apps Appliance or Virtual Appliance................. 2060
Deployment overview for the virtual appliance...................................................................................................... 2061
Setting up the virtual appliance............................................................................................................................... 2062
Unbinding or resetting a DLP appliance................................................................................................................. 2064
Updating appliance software.................................................................................................................................... 2064
Log Files and Logging for Appliances.................................................................................................................... 2065
Introducing and deploying the API Detection for Developer Apps Appliance.................................................... 2065
About the API Detection for Developer Apps Appliance...................................................................................... 2065
About the Command Line Interface (CLI)............................................................................................................ 2066
Deployment overview for the API Detection for Developer Apps Appliance........................................................ 2066
Setting up the API Detection for Developer Apps Appliance............................................................................... 2067
Upload the Symantec license file......................................................................................................................... 2069
Adding the API Detection for Developer Apps Appliance.................................................................................... 2069
Configuring the API Detection for Developer Apps Appliance............................................................................. 2069
Post-deployment tasks.......................................................................................................................................... 2070
Updating to a new release from the Enforce Server administration console....................................................... 2070
About the Symantec Data Loss Prevention Detection REST API.........................................................................2071
About the Detection REST API 2.0 Topics...........................................................................................................2071
Overview of the Symantec Data Loss Prevention Detection REST API 2.0........................................................ 2072
Detection Requests for the DLP Detection REST API 2.0..................................................................................... 2072
URL........................................................................................................................................................................2073
HTTP Method........................................................................................................................................................ 2073
HTTP Request Headers........................................................................................................................................2073
HTTP Body............................................................................................................................................................2073
Detection Request Format and Definitions...........................................................................................................2073
Context Entries...............................................................................................................................................2074
Content Blocks............................................................................................................................................... 2078
Option Entry................................................................................................................................................... 2079
Sample Request....................................................................................................................................................2080
Input Validation...........................................................................................................................................................2081
Detection Results....................................................................................................................................................... 2082
HTTP Response Headers.....................................................................................................................................2082
HTTP Response Codes........................................................................................................................................ 2082
Detection Result Format and Definitions.............................................................................................................. 2083
Policy.............................................................................................................................................................. 2083
Response Action............................................................................................................................................ 2084
Response Action Parameters........................................................................................................................ 2085
Warning..................................................................................................................................................................2086
Content Detail........................................................................................................................................................2086
Error Messages..................................................................................................................................................... 2086
Sample Response................................................................................................................................................. 2087
Action Acknowledgment Requests.......................................................................................................................... 2087
URL........................................................................................................................................................................2088
HTTP Method........................................................................................................................................................ 2088
HTTP Body............................................................................................................................................................2088
Action Acknowledgment Request Format and Descriptions.................................................................................2088
Actions Taken.................................................................................................................................................2088
Sample Action Acknowledgment Request............................................................................................................2089
Supported File Types for DLP REST API 2.0 Detection.........................................................................................2089
Word Processing File Types Supported for REST API 2.0 Detection.................................................................. 2090
Multimedia File Types Supported for REST API 2.0 Detection............................................................................2091
Spreadsheet File Types Supported for REST API 2.0 Detection......................................................................... 2091
Presentation File Types Supported for REST API 2.0 Detection......................................................................... 2091
Image File Types Supported for REST API 2.0 Detection................................................................................... 2092
Encapsulation File Types Supported for REST API 2.0 Detection.......................................................................2093
Encryption File Types Supported for REST API 2.0 Detection............................................................................ 2093
Other File Types Supported for REST API 2.0 Detection.................................................................................... 2094
Product Usage License Data (Telemetry)....................................................................................2095
Related Documents........................................................................................................................2099
Documentation Legal Notice........................................................................................................ 2100

About What's New in Data Loss Prevention 16.0.1
What's New and What's Changed topics describe new and changed features and capabilities in Symantec Data Loss
Prevention 16.0.1.
Significant changes relative to previous releases are highlighted, including removal of features or supported platforms.
This content provides enough detail to help you understand the features. Feature descriptions provide links to detailed
deployment information, where applicable. Specific implementation or configuration details for these new features are not
provided.
NOTE
The Symantec Data Loss Prevention 16.0.1 release represents the first release update (RU). See Symantec
Data Loss Prevention Release Types.
Click the links for descriptions of the new and changed features.
• Enforce Server Features in Data Loss Prevention 16.0.1
• Platform Features in Data Loss Prevention 16.0.1
• Endpoint Features in Data Loss Prevention 16.0.1
• Discover Features in Data Loss Prevention 16.0.1
• Detection Features in Data Loss Prevention 16.0.1
• Removed and Deprecated Features and Platforms in Data Loss Prevention 16.0.1

Enforce Server Features in Data Loss Prevention 16.0.1


New and changed Enforce Server administration console features in Data Loss Prevention 16.0.1 include the ability
to view and manage audit logs, many updates to incident lists and reporting, and the ability to set an absolute session
timeout.
The following sections provide detailed descriptions of each new and changed feature for the Data Loss Prevention 16.0.1
Enforce Server administration console.
• Ability to View and Manage Audit Logs in the Enforce Server Administration Console
• Incident Report Page Enhancements and Changed Behaviors
• Removal of the Hard-Coded Limit of 10,000 Exported Items
• Absolute Session Timeout
See Enforce Server Fixed Issues in the DLP 16.0.1 Release Notes.

Ability to View and Manage Audit Logs in the Enforce Server Administration Console
You can now filter and view log information at System > Servers and Detectors > Audit Logs in the Enforce Server
administration console.
You can filter the logs by date, IP address, user name, role, entity, and action.
You can view event details such as time, user IP address, user name, user ID, user status, role, entity, action, and detail.
See Using Audit Logs.

Incident Report Page Enhancements and Changed Behaviors


The Incidents List page has several new capabilities, including:

• The column selection dropdown on Incident Report pages is changed to a modal dialog box.
• More Summary Attributes, Select Columns, and Filter Attributes are available for the Incident Report page.
• Ability to expand and collapse all rows and individual rows in the Incident Report.
• Ability to expand or collapse the Applied Filters section in the Incident Report.
See About Incident Reports.

Removal of the Hard-Coded Limit of 10,000 Exported Items


The default limit and warning message for over 10,000 Incident List exported items in csv, json, or xml format is
removed. You can set the export limit on the server.

Absolute Session Timeout


The absolute session timeout is used to control the maximum session time that a user can be active. The session is
closed and invalidated when the defined absolute period is reached. After the session is invalidated, the user must
authenticate again in Enforce and must establish a new session. You can set the limit in the Manager.properties
file. This feature is off by default.

Platform Features in Data Loss Prevention 16.0.1


New and changed platform features in Data Loss Prevention 16.0.1.
The following sections provide detailed descriptions of each new and changed feature for the Data Loss Prevention
platform.
• Enforce Server APIs
• Introducing the Release Update (RU) Release Type
• Added Oracle JDBC 19.8.0.0 support

Enforce Server APIs


The following new APIs are available with Symantec Data Loss Prevention 16.0.1:
• Updated the Incident Details API to include the ability to pull the unique message ID of the message that caused an
incident.
• Added the Audit Log API, which provides you with the ability to export audit information from the Symantec Data Loss
Prevention database to your reporting or analytic system for centralized application security and operations monitoring.
NOTE
Documentation specific to the Audit Log API will be available at the Symantec Enterprise Security Products -
API Documentation portal starting on 28 September 2023.
You can access API documentation at DLP REST APIs.

Introducing the Release Update (RU) Release Type


Symantec Data Loss Prevention version 16.0.1 represents the first release update (RU) release type.
NOTE
The process to upgrade to Data Loss Prevention 16.0 RU includes prerequisites for upgrading Network Discover
Clusters.

Added Oracle JDBC 19.8.0.0 support


Added support for the Oracle JDBC 19.8.0.0 driver for SQL database targets.

Endpoint Features in Data Loss Prevention 16.0.1
New and changed features for Endpoint include platform support for Ubuntu 20.04 LTS and 22.04 LTS, support for the User
Cancel response rule on macOS endpoints, and more Chrome monitoring support.
The following sections provide detailed descriptions of the new and changed features for Endpoint.
• Support for Ubuntu Endpoints
• Support for upgrading to the 16.0.1 agent using LiveUpdate on Windows and macOS endpoints
• Support for User Cancel response rule on macOS Endpoints
• Monitoring Google Chrome using the Chrome Content Analysis Connector Agent SDK on Windows endpoints (Feature
Preview)
• Increased Domain Filter Character Limit

Support for Ubuntu Endpoints


The DLP Agent now supports the following Ubuntu platforms:
• 20.04 LTS
• 22.04 LTS
You can generate an Ubuntu agent installation package from the Enforce Server administration console and can deploy
the package using your preferred method. For more information, see Installing the DLP Agent on Linux.
The new DLP Agent for Ubuntu endpoints enables you to run Endpoint Discover scans to detect sensitive information that
is stored on the local disks of Ubuntu endpoints.
For more information, see DLP Agent feature-level support for Linux endpoints.

Support for upgrading to the 16.0.1 agent using LiveUpdate on Windows and macOS endpoints
Symantec Data Loss Prevention 16.0.1 supports upgrading to the DLP Agent using LiveUpdate on Windows and macOS
endpoints.
To upgrade to the 16.0.1 agent, you must have version 16.0 installed. You cannot upgrade from a version earlier than 16.0
using LiveUpdate.

Support for User Cancel response rule on macOS Endpoints


Endpoint Prevent now supports the User Cancel response rule on macOS endpoints. The Endpoint Prevent: User Cancel
response rule action displays a time-sensitive notification on macOS endpoints to the user when a policy is violated.

Monitoring Google Chrome using the Chrome Content Analysis Connector Agent SDK on Windows endpoints
(Feature Preview)
The Chrome Content Analysis Connector Agent SDK provides an alternate mechanism for the DLP Agent to interface with
Google Chrome (starting with version 117) for data loss monitoring on Windows endpoints. You can enable this integration
as an alternative to deploying the Symantec Extension.
NOTE
Support for this feature preview covers monitoring scenarios as described below. Work is underway to stabilize
support for browser print monitoring and Broadcom invites customer feedback about the feature preview in your
testing environments.
Broadcom will announce the General Availability (GA) of this feature for deployment in production environments
at a future date.

The integration between the DLP Agent and the Chrome Content Analysis Connector Agent SDK supports the following
monitoring scenarios:
• File uploads
• Clipboard actions
• Print actions
To configure Chrome monitoring through the Chrome Content Analysis Connector Agent SDK, you must configure a
Chrome Browser Cloud Management policy and must enroll the browsers that you want to manage.
You do not need to remove the Symantec extension from the browsers on the Endpoint to enable the Chrome SDK setting
and configure a CBCM policy. The advanced agent setting, not the presence of the extension, drives the behavior.
In addition, this integration introduces the following new agent responses in Endpoint incidents:
For more information, see Configuring Google Chrome Monitoring for Windows Endpoints Using the Google Chrome
Content Analysis Connector Agent SDK.

Increased Domain Filter Character Limit


In the Filter by Properties section of the Channel Filters tab of agent configurations, the character limit of the HTTP
and HTTPS domain filter text boxes is increased from 1024 to 4000 characters.

Endpoint Prevent Application Monitoring Support on macOS


The following applications are supported for monitoring on macOS:
• Safari 16
• Dropbox for Mac 180.4.4912
• OneDrive for Mac 23.x

Discover Features in Data Loss Prevention 16.0.1


New and changed features for Network Discover include support for generating local telemetry reports and enhanced
filtering capabilities on the Discover Targets page.
The following sections provide detailed descriptions of the new and changed features for Network Discover.
• Generate Local Telemetry Reports for Network Discover
• Enhanced filtering capabilities on the Discover Targets page

Generate Local Telemetry Reports for Network Discover


The System > Telemetry Report page of the Enforce Server administration console lets you generate granular
reports about Network Discover. Telemetry reports help you to better understand your Network Discover environment
including scan targets set up and usage, feature usage, and scanned data metrics.
The collected data is saved as a CSV file that you can download. The Enforce Server does not share this data
with Broadcom.
Complete documentation for Network Discover Telemetry reports will be provided soon.

Enhanced filtering capabilities on the Discover Targets page


To enhance filtering, the Is Any Of operator is added to the Custom Filter section on the Discover Targets page.
For more information, see Managing Discover Scan Targets.

Detection Features in Data Loss Prevention 16.0.1
New and changed detection features in Symantec DLP 16.0.1 include new logging and other tools to identify non-BMP
characters, new and modified data identifiers and policy templates, and quicker uploading of EDM indexes.
The following sections provide detailed descriptions of each new and changed feature for Data Loss Prevention 16.0.1
detection.
• Handling Non-BMP Characters in Content Scanned in DLP
• OCR Library Upgrade
• New Structured Data Identifiers
• New Data Identifiers
• Modified Structured Data Identifier
• Modified Data Identifiers
• New Policy Templates
• Modified Policy Templates
• Quicker Loading of EDM Indexes After Re-indexing
• MIP SDK Upgrade

Handling Non-BMP Characters in Content Scanned in DLP


If policies and data identifiers include non-BMP Unicode characters, the correctness of matcher results and any incident
snapshots is compromised.
DLP 16.0.1 includes several detection and rendering fixes that are related to non-BMP characters found in the content
scanned by DLP.
When you upgrade from DLP 16.0 to 16.0.1 using the Update Readiness Tool (URT), policies and data identifiers
(DIs) that contain non-BMP Unicode code points are logged verbosely. You can use the logs to identify which policies and
data identifiers contain non-BMP characters. You must remove the non-BMP characters from those policies and data
identifiers, and then run the upgrade again.
The Enforce user interface restricts you from entering non-BMP Unicode characters into relevant fields that are used
for message scanning for detection. An error message (upon save) helps you identify fields containing such non-BMP
Unicode characters.
Running the Update Readiness Tool at the Command Line
Finding Non-BMP Unicode Characters in Policies
Handling Non-BMP Unicode Characters in Data Loss Prevention 16.0.1
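The following is an added example, not part of the Update Readiness Tool or the Enforce console: it locates non-BMP code points in constructed policy field text, shows why a matcher that counts UTF-16 code units sees them differently, and strips them as the remediation above requires. The field names and report format are this example's own assumptions.

```python
# Added example (not from the Update Readiness Tool or Enforce): find
# non-BMP Unicode characters in policy and data identifier text, and show
# why they disturb matchers that index text by UTF-16 code units.
from typing import Dict, List, NamedTuple

BMP_MAX = 0xFFFF  # highest code point in the Basic Multilingual Plane


class NonBmpHit(NamedTuple):
    field: str       # which policy field held the character
    index: int       # position in code points within that field
    code_point: str  # e.g. "U+1F512"


def find_non_bmp(fields: Dict[str, str]) -> List[NonBmpHit]:
    """Return every character above U+FFFF in the given field values."""
    hits: List[NonBmpHit] = []
    for name, value in fields.items():
        for i, ch in enumerate(value):
            if ord(ch) > BMP_MAX:
                hits.append(NonBmpHit(name, i, f"U+{ord(ch):04X}"))
    return hits


def utf16_units(text: str) -> int:
    """Length in UTF-16 code units, which is what a Java String.length()
    or a UTF-16 based regex engine works with. Every non-BMP character
    costs two units (a surrogate pair), so unit-based offsets drift from
    character counts and a per-unit wildcard can split the pair in half."""
    return len(text.encode("utf-16-le")) // 2


def strip_non_bmp(text: str) -> str:
    """Drop non-BMP characters, the remediation the release notes require
    before re-running the upgrade."""
    return "".join(ch for ch in text if ord(ch) <= BMP_MAX)


def audit(fields: Dict[str, str]) -> List[str]:
    """Human-readable report lines, one per offending character."""
    return [f"{h.field}[{h.index}]: {h.code_point} (non-BMP)"
            for h in find_non_bmp(fields)]


# Constructed sample policy fields (hypothetical names). The lock symbol and
# the Fraktur G are non-BMP (U+1F512 and U+1D50A); the CJK keyword is BMP.
SAMPLE_POLICY_FIELDS = {
    "keyword_list": "confidential, \u6a5f\u5bc6, secret",
    "regex": r"\bPROJECT-" + "\U0001F512" + r"\d{4}\b",
    "description": "Flags files marked \U0001F512 or \U0001D50A",
}


if __name__ == "__main__":
    for line in audit(SAMPLE_POLICY_FIELDS):
        print(line)
    regex = SAMPLE_POLICY_FIELDS["regex"]
    print(len(regex), "characters vs", utf16_units(regex), "UTF-16 units")
```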

OCR Library Upgrade


The OCR library has been upgraded, and Asian language accuracy is improved in this release.
The latest version of the OCR library has accuracy issues on the Windows 2012 R2 operating system. If you need
support for the Windows 2012 R2 operating system, you do not have to upgrade.
If you upgrade to the new OCR library to get more accurate identification of Asian characters, you must also upgrade
the operating system of your OCR server to a version later than Windows 2012 R2.

New Structured Data Identifiers


The following structured data identifiers are added:
• Japan PII is used to detect information such as

– Japanese first and last names
– credit card number
– Japan My Number
– Japan Driver License number
• US Social Security Number is used to detect information such as
– first and last names
– email addresses
– US Social Security numbers

New Data Identifiers


The following data identifiers are added:
• Australia Holder Identification Number
• Database Connection Strings
• Private Keys and Certificates
• GitHub Access Tokens
• SaaS API Keys - AWS
• SaaS API Keys - Azure
• SaaS API Keys - GCP
• Slack Access Tokens
Keys and Secrets Data Identifiers
Every SaaS application and service uses a key to identify and authorize client transactions. Secrets are also used to
authorize access to containerized applications that require a login. These credentials are widely used by public-facing
services and by internal and external REST APIs everywhere. Examples include the AWS IAM access key, the Google API
access token, and the GitHub personal access token.
These secrets often provide authorization to sensitive information or actions such as database or file access, including
create, read, update, and delete (CRUD) operations.
You must carefully manage and store these artifacts to protect against data breaches and other security issues. Careful
management is especially important when secret values are hard-coded and mistakenly left in a public repository, such
as GitHub.
Symantec DLP 16.0.1 adds new data identifiers to protect these Keys and Secrets and connection strings that provide
access to sensitive data stored in various repositories. The new data identifiers include
• Identification of SaaS API keys for IaaS services such as GCP, AWS, and Azure
• Slack access tokens
• GitHub access tokens
• Private Keys and Certificates
• Database connection strings
Symantec DLP 16.0.1 also adds a new “Developer Keys and Secrets” policy template that has policy rule conditions to
protect these Keys and Secrets from exposure.
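A small scanner for the secret classes listed above, added here as an illustration and not Symantec DLP's own code: its regular expressions approximate publicly documented token formats and are assumptions, not the product's data identifier patterns, and the sample file content is constructed. Findings are masked so that the report itself does not re-expose the credential.

```python
# Added example, not Symantec DLP code: a minimal scanner for the secret
# classes listed above, with findings masked so that the report does not
# re-expose the credential. The regular expressions approximate publicly
# documented token formats and are not the product's data identifier patterns.
import re
from typing import Dict, List, NamedTuple, Pattern


class Finding(NamedTuple):
    line: int       # 1-based line number in the scanned text
    category: str   # data identifier category from the release notes
    masked: str     # partially masked match, safe to log


SECRET_PATTERNS: Dict[str, Pattern[str]] = {
    # AWS IAM access key IDs: "AKIA" followed by 16 upper-case letters or digits
    "SaaS API Keys - AWS": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Google API keys: "AIza" followed by 35 URL-safe characters
    "SaaS API Keys - GCP": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    # GitHub personal access tokens: "ghp_" followed by 36 alphanumerics
    "GitHub Access Tokens": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # Slack bot (xoxb-) and user (xoxp-) tokens
    "Slack Access Tokens": re.compile(r"\bxox[bp]-[0-9A-Za-z\-]{10,}\b"),
    # PEM private keys are identified by their header line
    "Private Keys and Certificates": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    # Connection strings are flagged only when they carry a credential,
    # either user:password@host or a password= parameter
    "Database Connection Strings": re.compile(
        r"(?i)\b(?:jdbc:\w+:|postgres(?:ql)?:|mysql:|mongodb(?:\+srv)?:)//"
        r"[^\s'\"]*(?::[^\s'\"@/]+@|password=)[^\s'\"]*"),
}


def mask(secret: str) -> str:
    """Keep a short prefix for triage and mask the remainder."""
    keep = min(6, len(secret) // 3)
    return secret[:keep] + "*" * (len(secret) - keep)


def scan(text: str) -> List[Finding]:
    """Scan text line by line and return masked findings in line order."""
    findings: List[Finding] = []
    for number, line in enumerate(text.splitlines(), start=1):
        for category, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(number, category, mask(match.group(0))))
    return findings


# Constructed sample of a configuration file committed by mistake; every
# value is fake (the AWS key is the documented AWS example key ID).
SAMPLE_SOURCE = '''\
# constructed sample config (all values fake)
API_VERSION = "v2"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GOOGLE_MAPS_KEY = "AIzaSyExampleExampleExampleExampleExamp"
GITHUB_TOKEN = "ghp_ExampleExampleExampleExampleExample0"
SLACK_BOT_TOKEN = "xoxb-000000000000-000000000000-ExampleTokenValue"
DATABASE_URL = "postgres://app:S3cretPass@db.internal:5432/prod"
REPLICA_URL = "postgres://db-replica.internal:5432/prod"
-----BEGIN RSA PRIVATE KEY-----
ExampleKeyMaterialNotARealKeyExampleKeyMaterialNotARealKey
-----END RSA PRIVATE KEY-----
'''


if __name__ == "__main__":
    for finding in scan(SAMPLE_SOURCE):
        print(f"line {finding.line:>3}  {finding.category:<30} {finding.masked}")
```

The credential-free REPLICA_URL line produces no finding, which is the false-positive case a connection-string identifier has to avoid.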

Modified Structured Data Identifier


The following structured data identifier is modified:

Data identifier    Description of change

PII (Structured Data Identifier)    Modified by excluding the US SSN Data Identifier from the national ID numbers.

Modified Data Identifiers


The following data identifiers are updated:

Data identifier    Description of change

Finland Tax Identification Number    Modified the Validators.
Irish Personal Public Service Number    Modified the Validators.
Credit Card Number - American Express    Modified the Patterns.
Credit Card Number - Diners Club    Modified the Patterns.
Credit Card Number - Discover    Modified the Patterns.
Credit Card Number - Japan Credit Bureau (JCB)    Modified the Patterns.
Credit Card Number - Maestro    Modified the Patterns.
Credit Card Number - Mastercard    Modified the Patterns.
Credit Card Number - Visa    Modified the Patterns.
Credit Card Number Magnetic Stripe Data    Deleted the legacy patterns to reduce false positives.
France Driver Licence Number    Added the Exclude beginning characters Validator to the wide and narrow breadths. Modified the keyword list in the narrow breadth.
France Tax Identification Number    Modified the Validators.
Healthcare Common Procedure Coding System (HCPCS CPT Code)    Added new Patterns.
India Aadhaar Card Number (National Identification Number)    Modified the Keywords list in the narrow breadth.
IPv6 Address    Modified the Patterns. Modified the Validators.
Italy Codice Fiscale Code    Modified the Validators.
Poland Driver Licence Number    Modified the Patterns. Modified the Keywords list in the narrow breadth.
Romanian Numerical Personal Code    Modified the Patterns.
Spanish DNI    Modified the Validators.
Sweden VAT Number    Modified the Validators.
UK NHS Number    Added the Exclude beginning characters Validator to the medium and narrow breadths. Modified the Keywords list in the narrow breadth.
US Passport Number    Modified the Pattern. Added the Exclude ending characters Validator. Modified the Normalizer.

New Policy Templates
The following policy templates are added:

Policy template    Description

Passwords    Uses a regular expression to detect user passwords.
Developer Keys and Secrets    Detects SaaS-based API keys, tokens, DB connection strings, private keys, and certificates from code repositories.

Modified Policy Templates


The US States Driver's License Number policy template includes the following changes:
• Removed the duplicate entry of the US Driver License Number - US Virgin Islands data identifier.
• Added the following data identifiers:
– US Driver License Number - LA State
– US Driver License Number - TN State
– US Driver License Number - MO State

Quicker Loading of EDM Indexes After Re-indexing


DLP 16.0.1 includes improvements in loading EDM indexes on the Detection server after reindexing. The new EDM index
is loaded before the old index is unloaded, resulting in zero downtime during EDM updates.

MIP SDK Upgrade


The version of the MIP SDK used in DLP is upgraded. This upgrade ensures that DLP can decrypt content that is
protected using the AES CBC 256 encryption algorithm. AES CBC 256 is the default algorithm that is used by all Microsoft
applications for protecting content going forward.

Removed and Deprecated Features and Platforms in Data Loss Prevention 16.0.1
The following features are deprecated in or removed from Symantec Data Loss Prevention 16.0.1.

Removed Features for the Enforce Server

Table 1: Removed Features for the Enforce Server

Feature    Notes

The previous Incident Reporting page is no longer supported. This page will not appear in the next release.    Use the new Incident Reporting page.
Incident Reports page sizes of 5000 and 10000 are removed.    Incident Reports now offer page sizes of 10, 20, 50 (default), 100, 500, and 1000.

Removed Features for Detection

Table 2: Removed Platforms and Features for Detection

Feature    Notes

Email Quarantine Connect FlexResponse plug-in    The installer for the Email Quarantine Connect FlexResponse plug-in, Symantec_DLP_Plugin_Email_Quarantine_Connect.exe, is not shipped with Symantec Data Loss Prevention. Previous versions of the plug-in are compatible with DLP 16.0.1.
SOAP APIs for incident reporting and update    The SOAP APIs for Incident Reporting and Update are deprecated starting with version 15.7 and will not be supported in a subsequent release.

Removed Features for the Symantec Data Loss Prevention REST API

Table 3: Removed Features for the Symantec Data Loss Prevention REST API

Feature    Notes

The SymantecRestApiUIClient-16.0.zip sample Java client application is no longer provided.

Removed Platforms for Discover

Table 4: Removed Platforms and Features for Discover

Feature    Notes

Remediation for CIFS on Windows Server 2012 R2 is no longer supported.
Remediation for DFS on Windows Server 2012 R2 and Windows Server 2016 is no longer supported.
Removed support for the Oracle JDBC 10.2.0.3.0 driver for SQL database targets.

Removed Platforms for Endpoint

Table 5: Removed Platforms and Features for Endpoint

Feature Notes

Support for macOS 10.15.x Support is removed.

Deprecated Support
When a feature is “deprecated” it is supported in the current release, but Symantec plans to remove support in an
upcoming release. If your Symantec Data Loss Prevention environment includes a deprecated feature, you should plan on
updating it to a later supported version or a different supported feature as soon as possible.

Table 6: Deprecated Platform Support

Product area        Feature    Notes

Platform            Single-tier installations
                    Red Hat Enterprise Linux 7.x
                    The SOAP APIs for incident reporting and update were deprecated in Symantec Data Loss Prevention 15.7. These APIs will be removed in the next release of Symantec Data Loss Prevention.
Network Discover    Network Discover targets:
                    • Oracle 18c
                    • Oracle 12.2.x
                    • Outlook 2013
                    • Microsoft Exchange Server 2013 SP1
                    • Microsoft Office SharePoint Server 2013 SP1
                    • Windows Server 2012 R2
                    • SQL Database DB2 10.5
Enforce Server      The Export as XML feature is deprecated in DLP 16.0 and will be removed in a future release.    Reports that are exported to XML in DLP 16.0 are limited to the hard-coded DLP 15.8 format. They are not customizable.
Endpoint            macOS 11.x

Release Notes
Review fixed issues and known issues.
The release notes list fixed issues for a given release, platforms that are no longer supported or that are deprecated, other
important information, and late-breaking updates.

Subscribe to Receive Updates by Email


You can choose to receive proactive notifications by email that list changes to Symantec Data Loss Prevention, including
when known issues are found.
See News and Alerts for details about subscribing to proactive notifications.

Symantec Data Loss Prevention 16.0.1 Release Notes


Data Loss Prevention 16.0.1 includes important product defect fixes for the Enforce Server, detection servers, and
DLP Agents. Symantec recommends that you apply the release update (RU) to all components as soon as possible.
You can find the release notes for other Symantec products that integrate with Data Loss Prevention at the Broadcom
Tech Docs Portal.
For more details about DLP 16.0.1, refer to the following topics:
• Fixed Issues in 16.0.1
• DLP Known Issues
Fixed Issues in 16.0.1
Review issues that were fixed in Symantec Data Loss Prevention version 16.0.1.

Installation and Upgrade Fixed Issues

Table 7: Installation and Upgrade Fixed Issues

Issue ID    Description

DLP-74339    After the upgrade, the ContentExtraction.OfficeOpenXMLPlugin setting is preserved, allowing Symantec Data Loss Prevention to detect Excel files that include macros.
DLP-73840, DLP-73794    The upgrade process no longer fails with the error message "ALTER TABLE CERTIFICATE MODIFY NAME NOT NULL" with error ORA-02296: cannot enable (PROTECT.) - null values found.
DLP-73817    The upgrade process no longer fails after the database migration completes.
DLP-73519    After upgrading DLP, SAML authentication no longer stops working when idp_metadata.xml contains a metadata signature.
DLP-72253    After upgrading DLP, you can successfully add a detection server, and no CSRF errors appear.
DLP-39781    The upgrade process no longer fails as a result of multi-column foreign key creation failures.
DLP-36666    The URT no longer returns the false positive error for missing unique ID_INCIDENT_SNAPSHOT indexes.
DLP-44502    The Update Readiness Tool (URT) no longer fails if the protect schema includes customer-defined tables with UNIQUE indexes in an INVALID state.
DLP-42990    Duplicate Tomcat logs about i18n keys are no longer returned after upgrading to a new DLP version.

Enforce Server Fixed Issues

Table 8: Enforce Server Fixed Issues

Issue ID    Description

DLP-67931    Discover reports that include a removed detection server no longer display an error message when you attempt to save them.
DLP-68912    You can now log in to the Enforce Server administration console from bookmarked URLs without getting login errors.
DLP-71614    The Recipient field now displays in Endpoint Incident list reports.
DLP-71642    The Password policy template now detects data on endpoints.
DLP-71668    After migration, all LiveUpdate subcategories have correct severities.
DLP-71673    You can now modify the lookup plugin chain.
DLP-71675    The User List page under Incidents now loads after upgrading to 16.0.
DLP-71676    The Symantec DLP Domain Controller Agent Windows Service now starts because the jsoncpp.dll file is no longer missing.
DLP-71718    Deleting a DLP user that has previously customized and saved the columns definition for a specific report in the incident report UI now succeeds.
DLP-71719    Removing the ID column from the incident list UI no longer breaks incident selection or access to the incident snapshot.
DLP-71720    The incident deleter now works when incidents that are set for deletion are associated to a message that has ProxyMessageInfo records.
DLP-71787    Incident reports no longer fail when the SMTP hardcoded startTLS requirement cannot resolve trust with the SMTP server.
DLP-71932    EDM policies generate incidents for any EDM index match only above the minimum match count setting that is configured for EDM.
DLP-72061    Column selection on the incident list page is working correctly.
DLP-72064    Incident reports that use a Contains Ignore Case filter with a string including an underscore character now work.
DLP-72065    Incident report filtering by Incident History Issuer "Is None Of" is correct and does not include incidents that should be filtered out.
DLP-72066    Double Summary reports including Status as primary variable no longer generate an empty incident list when the user drills down from one summary line item.
DLP-72196    The Enforce Server administration console now allows passwords that are 30 characters or longer.
DLP-72389    Profile report preferences change the delimiter for CSV Exported Reports.
DLP-72398    Cyrillic characters in summarization values work in summarized reports.
DLP-72433    Reports summarized by a custom attribute display the attribute label in the pending/applied filters list.
DLP-73151    In DLP 16.0 the Application MD5 Hash, Application SHA-256 Hash, and Application user columns are no longer missing.
DLP-73272    When users have an unsupported language set as their locale on the Enforce Server administration console, the default language context-sensitive help now displays when the user clicks the Help (?) icon.
DLP-73344    Pressing the Apply button while an incident report is loading no longer resubmits the report for processing in parallel, so performance is not impacted.
DLP-73474    Scheduled reports summarized by a custom incident attribute are sent on schedule.
DLP-73641    The incident reports no longer execute slowly.
DLP-73650    The BlobExternalization folder no longer fills up with orphaned message folders from failed incident persistence.
DLP-73652    When you implement an Enforce Server without detection servers and only CDS connections, you can now access the Logs screen successfully.
DLP-73695    The RSOD no longer displays after you attempt to delete a user with a scheduled, saved report.
DLP-73899    Endpoint Servers that include illegal characters in the name field can now start and report to the Enforce Server.
DLP-73920    Sorting summarized reports works successfully for more than one column.
DLP-73949    After a user changes the Summarization field, the page loads without errors.
DLP-74063    After an Active Directory import to create protect users, the DLP Manager Service starts without errors.
DLP-74096    When a user sends an email to guest email accounts (external users from a trusted domain) selected from the first instance of the Offline Global Address List in the Outlook Address Book list, the recipient email address is no longer shown as null in incident reports and empty in incident snapshots.
DLP-74110    A user who has two assigned roles can edit the role that has the All Channels report associated with that role.
DLP-74115    Scheduled dashboard reports that are sent through email now contain the details of the dashboard report. The report is sent with data in the displayed message and the email contains the body of the report.

Detection Fixed Issues

Table 9: Detection Fixed Issues

Issue ID    Description

DLP-65290    User Risk Score conditions are not evaluated when ANDed with an EDM condition.
DLP-67079    There is now a valid value for the "Device Inside Office" on the Application incident list page.
DLP-71743    Sensitive data that is inserted in a text box or in a shape added to a Microsoft Excel file is now detected.
DLP-71744    Exported Google Sheets .xlsx files now generate DLP Endpoint incidents.
DLP-73467    Excessive logging of Regex matching, which caused logs to roll over, no longer occurs. Logs are now moved from INFO to FINEST.
DLP-73550    Detection servers no longer take an extended period to connect to the Enforce Server when many data identifiers are used in a policy.
DLP-73552    Endpoint detection works when there are empty data identifier pre- or post-validator characters.
DLP-73839    The Custom script error logging Print() advanced function now works.
DLP-74117    Improved handling of non-BMP characters in DLP. For more information on non-BMP characters in DLP 16.0.1, see Detection Features in Data Loss Prevention 16.0.1.

Discover Fixed Issues

Table 10: Discover Fixed Issues

Issue ID    Description

DLP-71435    The Get Discover Targets API is optimized to quickly list many Network Discover scan targets on the Discover Targets screen. There is a performance improvement in the time to load the Discover Targets screen with many targets configured.
DLP-72079    The longer content root paths for Network Discover scan targets are displayed completely in the Scan Detail > Download Scan Statistics report.

Endpoint Fixed Issues

Table 11: Endpoint fixed issues

Issue ID Description

DLP-35696 On macOS endpoints, the DLP Agent no longer generates Outlook events or changes the agent status to Critical when there are no configured mailboxes.
DLP-45249 On macOS endpoints, the DLP Agent now detects attempts to print sections of web sites in Google Chrome.
DLP-46945 On Windows endpoints, the DLP Agent now monitors file uploads from the Office add-in in Google Chrome and Microsoft Edge.
DLP-60588 On macOS endpoints, the DLP Agent now monitors print actions on websites like Atlassian Confluence, dlpt-test.com, Gmail, and Outlook Web Access.
DLP-61034 On Windows endpoints, the DLP Agent is able to load application hooks after enabling the Code Integrity Guard feature in Windows.
DLP-62039 On macOS endpoints, the DLP Agent now monitors print actions from Google Drive in Safari.
DLP-65685 On the Agent list page of the Enforce Server administration console, the Username field no longer appears blank when users connect to Linux endpoints remotely using the SSH protocol only.
DLP-67006 On Windows endpoints, the browser extension events and notifications now work correctly after enabling the Startup boost feature in Microsoft Edge.
DLP-71430 Fixed the incorrect keywords list in the narrow breadth of the India Aadhaar Card Number (National Identification Number) data identifier.
DLP-71668 LiveUpdate no longer causes upgraded agents to display an incorrect severity state.
DLP-71714 On Windows endpoints, optimized Endpoint Discover scans so that the epda process no longer crashes due to insufficient system resources.
DLP-71766 On Windows and macOS endpoints, the performance of data identifiers with the Find Keywords validator using proximity is improved.
DLP-71807 In the Enforce Server administration console, the following yellow banner error message no longer appears when you view HTTPS Endpoint incidents: "There was an error highlighting the violating text for this incident"
DLP-71831 On Windows endpoints, an Access Violation error no longer causes the csa(64).dll file to crash when users attempt to save a document in a Microsoft Office application.
DLP-71836 The EndpointTTD folder no longer fills with *.bad files if no recipient email addresses are defined.
DLP-71920 On Windows, delays in print requests no longer occur while the edpa process is running.
DLP-71933 On macOS endpoints, optimized memory usage in the SEHA application so that the DLP Agent no longer slows down.
DLP-71969 On Windows endpoints, the System started timestamp in the logs no longer incorrectly indicates the epda service start time instead.
DLP-71970 On Windows endpoints, the DLP Agent no longer gets stuck in a false Note Reporting status.
DLP-72015 On Windows endpoints, after you configure a channel filter in which the UNC path to a mapped drive uses the NetBIOS host name, when you open a document on the mapped drive, the viewing application no longer creates a temporary SNP file.
DLP-73426 On Windows endpoints, the DLP Agent can now detect file content after a user renames a folder and copies it to an Android phone.
DLP-73552 DLP Agents are no longer in a critical state due to a corrupted agent store.
DLP-73669 On Windows endpoints, the edpa process no longer overwrites any ExtensionInstallForcelist registry entries that you created manually.

DLP Known Issues


Review the latest known issues that affect all supported versions of Symantec Data Loss Prevention.
These topics contain last-minute features and changes that affect all platforms of Symantec Data Loss Prevention.
This content is occasionally updated as new information becomes available. Check back to this page for a summary of
changes as they are published.

Known Issues in 16.0.1


This section lists the known issues that were discovered in version 16.0.1.

Endpoint Known Issues in 16.0.1

Table 12: Endpoint Known Issues in 16.0.1

DLP-16787
  Description: On macOS endpoints, domain filters stop working after users navigate to a different browser tab and then return to the original tab.
  Workaround: Don't switch browser tabs until you've finished uploading all desired files to the filtered domain.
DLP-71824
  Description: On Windows endpoints, the DLP Agent fails to detect existing MIP encryption on emails in Microsoft 365. As a result, the Endpoint: MIP Classification response rule incorrectly suggests or enforces new labels for these emails.
  Workaround: This issue is a result of recent changes in Microsoft 365. Symantec will provide an update when new information is available.
DLP-73381
  Description: On macOS endpoints, Chromium-based browsers (Google Chrome and Microsoft Edge) do not accept content for the clipboard paste operation after approximately 10 seconds. This issue occurs if the end user does not respond to the operation within 10 seconds on the User Cancel pop-up notification.
  Workaround: None.
DLP-73959, DLP-73987, DLP-74004
  Description: The following Clipboard-related known issues may occur on macOS endpoints where policies use User Cancel response rules:
  • When a user pastes sensitive content to a browser, a User Cancel pop-up notification appears. If the user does not click a button on the User Cancel pop-up, pastes content to an unmonitored application (for example, Microsoft Word), then clicks Cancel on the initial User Cancel pop-up notification, then the unmonitored application such as Microsoft Word might throw errors.
  • When a user copies sensitive content from an application and pastes it to a browser, a User Cancel pop-up notification appears. If the user copies the same content to a different browser, and the user clicks Allow on the User Cancel pop-up, sensitive data is pasted to both browsers and an incident is logged only for the first browser. If a user clicks Cancel in the same scenario, the policy is applied and an incident is logged for the first browser; DLP prevents data from being pasted to other applications.
  • When a user pastes sensitive content to a browser, a User Cancel pop-up notification appears. If the user does not click a button on the User Cancel pop-up and tries to copy new content, DLP clears the entire clipboard content. In this case, no data is pasted for the clipboard paste operation and this results in a false positive incident.
  Workaround: None.
DLP-74239
  Description: On Linux endpoints, after upgrading the DLP Agent, the agent service generates the following warning message at startup: "symantec-dpl-agent.service changed on disk"
  Workaround: You can ignore this warning message.
DLP-74332
  Description: After you delete the non-English strings from the CSV file on the Endpoint Notifications page of the Enforce Server administration console, endpoint notifications for those languages do not default to the English strings.
  Workaround: None.

Enforce Server Known Issues in 16.0.1

Table 13: Enforce Server Known Issues in 16.0.1

DLP-71700
  Description: The Agent Connection Status Configuration setting is not working as expected.
  Workaround: None.
DLP-72062
  Description: Policies that have EMDI added as a validator to a Custom data identifier cannot be imported.
  Workaround: None.
DLP-73220
  Description: The Policy rule filter is not working correctly under certain conditions.
  Workaround: None.
DLP-73414
  Description: Lookup fails if Data Insight version 6.5 is used with Data Loss Prevention versions 15.8, 16.0, 16.0 MP1, 16.0 MP2, and 16.0.1.
  Workaround: None.
DLP-73957
  Description: Sorting incidents in ascending order does not display digits first.
  Workaround: None.
DLP-73958
  Description: Sorting incidents based on some columns results in periodic blank rows.
  Workaround: None.
DLP-73972
  Description: When you apply incident actions, for example, Set Status and Set Severity, on all incidents of the last page of the incident report while filters are applied, an empty page displays.
  Workaround: Navigate to a different page. Then reload the original page.
DLP-74144
  Description: An Unknown result is shown twice with different counts in the Summary Report.
  Workaround: There are two reasons for two rows showing as Unknown:
  1. A string text literal Unknown is in the database for the attribute that is used in the summarization.
  2. There are NULLs in the database for the attribute that is used in the summarization.
  The Unknown resulting from NULLs is found toward the bottom of the result set displayed on the screen.
  You can add a filter and use an appropriate operator. The Is Unassigned operator reports the rows with NULL. You can use Equality comparison operators for the string literal Unknown.
DLP-74377
  Description: When a negation filter operand (for example, "does not contain") is used in an incident report and you export the report as XML, the report does not list the same number of incidents as listed on the Incidents screen. The Incidents screen lists the correct number of incidents.
  Workaround: None. The XML exported data is not the same as the XML data seen in the user interface. XML export was deprecated in DLP 16.0 and is not supported in the next major DLP release.

Detection Known Issues in 16.0.1

Table 14: Detection Known Issues in 16.0.1

DLP-74292
  Description: DLP 16.0.1 OCR running on Windows Server 2012 R2 fails to extract text if a combination of Chinese, Japanese, and Korean languages are selected in the OCR configuration.
  Workaround: None.

Discover Known Issues in 16.0.1

Table 15: Discover Known Issues in 16.0.1

DLP-73093
  Description: If the Target Name, Policy Groups or Server Names fields have at least one of the following characters in its name, then these fields fail to filter the Discover Targets list. This issue exists when the Is Any Of operator is selected in Custom Filter on the Discover Targets page:
  • , (comma)
  • " (quotation mark)
  • <space>OR<space>
  Workaround: None.
DLP-73414
  Description: Lookup fails when you use Data Insight version 6.5 with Data Loss Prevention versions including 15.8, 16.0, 16.0MP1, 16.0MP2, and 16.0.1.
  Workaround: The DLP-Data Insight integration works with 6.4.1 or earlier versions of Data Insight.

Installation and Upgrade Known Issues in 16.0.1

Table 16: Installation and Upgrade Known Issues in 16.0.1

DLP-74673
  Description: The JREMigrationUtility does not upgrade the JRE for indexers that are installed in standalone mode.
  Workaround: Uninstall the affected indexer, then reinstall it and point it to the new OpenJRE location.

Known Issues in 16.0


This section lists the known issues that were discovered in version 16.0.

Enforce Server Known Issues in 16.0

Table 17: Enforce Server Known Issues in 16.0

DLP-67034
  Description: Text on the Scan Details and Cluster Details screens displays in French when the English language is used and a language pack is imported.
  Workaround: None.

Enforce Platform Known Issues in 16.0

Table 18: Enforce Platform Known Issues in 16.0

CDM-101117, DLP-66625
  Description: Use of a keyboard to navigate and send controls is not available in the new data grid tables that are used on the Incident List and Discover Target pages.
  Workaround: Use of the mouse is required on these pages.
DLP-65826
  Description: The ICD Response Rule was removed from Data Loss Prevention 16.0. ICD has also been removed as a configuration option on the Enforce Server administration console. Legacy policies with ICD response rules (that were created and exported in previous versions) do not process.
  Workaround: Remove all ICD response rules before migration to 16.0. See the Symantec Data Loss Prevention Help Center for more information.
DLP-67049
  Description: The DAG plugin automatic flex response requires that you copy jars from the tomcat library.
  Workaround: The manual flex response plugin for DAG works out of the box. But for automatic flex response, you must copy the following five jersey jars to serverplatformcommon from the tomcat library:
  • jersey-client-2.26.jar
  • jersey-common-2.26.jar
  • jersey-entity-filtering-2.26.jar
  • jersey-hk2-2.26.jar
  • jersey-media-json-jackson-2.26.jar

Endpoint Known Issues in 16.0

Table 19: Endpoint Known Issues in 16.0

DLP-29402
  Description: On macOS endpoints, the domain filter does not work properly when browser tabs are switched in Google Chrome and Mozilla Firefox.
  Workaround: None.
DLP-27086, DLP-27131, DLP-27596, DLP-27098, DLP-27218
  Description: Outlook monitoring does not work when the Outlook add-in is not triggered in the following situations:
  • When responding, canceling, or sometimes, forwarding the meeting invitees auto replies like OOF.
  • When the content of a Word document is selected and shared as an HTML document through Mail. The option to share in Microsoft Word is File > Share > Send as HTML.
  • For an OWA meeting invite that is created inline in the calendar pane.
  • For encrypted email or emails marked with Do Not Forward.
  • For emails that are updated when in Outbox.
  These issues apply to the Outlook client and Outlook web access and are known Microsoft limitations.
  Workaround: For issue DLP-31871, see DLP not monitoring new Outlook for Mac, with workaround. These issues have been reported to Microsoft, and a support ticket has been opened.
DLP-36061
  Description: A file with a sensitive keyword in the filename generates multiple browser incidents when copied using the clipboard while the user is navigating in the browser. Continuous notification popups are displayed.
  Workaround: None.
DLP-36661
  Description: Sensitive content is not monitored on Firefox for the following cases:
  • Printing of sensitive files that are opened in a browser, such as PDF or text files.
  • Printing from web applications that allow opening and editing documents online.
  • Printing of sensitive content present on a webpage.
  • Printing of attachments present in a web email.
  Workaround: None.
DLP-55701
  Description: On Windows endpoints, filters for HTTPS are not applied to files saved using a Save As operation from Microsoft Office applications to SharePoint or OneDrive.
  Workaround: Add * to the beginning and end of the HTTPS filter. For example, if the existing HTTPS filter is -dav.box.com, which correctly applies a filter to Internet Explorer and Firefox, add another filter (*dav.box.com*) to monitor Save As operations from Office applications.
DLP-29402
  Description: On Windows and macOS endpoints, sensitive files are not detected in the Guest profile, in Incognito mode in Google Chrome, and in Microsoft Edge.
  Workaround: Symantec Data Loss Prevention does not support Chrome monitoring in Incognito mode with a Guest profile because extensions do not load. This same limitation exists for Chrome support on macOS. Symantec recommends that you disable Incognito mode and Guest profile in Google Chrome by an appropriate Group policy configuration, or an MDM profile on macOS. Disable Incognito mode and guest mode in Google Chrome and private mode in Mozilla Firefox using MDM settings.
DLP-36230
  Description: On Windows endpoints, file-based print monitoring always falls back to buffer-based monitoring for Microsoft Word documents. When a user tries to print specific pages, file-based monitoring does not work because only the selected pages are sent for detection.
  Workaround: None.
DLP-44161
  Description: On Linux endpoints, the endpoint agent incorrectly scans mounted virtual hard drives.
  Workaround: None.
DLP-46945
  Description: On Windows endpoints, DLP policy enforcement fails for the files that are uploaded using the Office add-in in Google Chrome and Microsoft Edge browsers.
  Workaround: For more information, see https://microsoftedge.microsoft.com/addons/detail/office/gggmmkjegpiggikcnhidnjjhmicpib.
DLP-61034
  Description: On Windows endpoints, DLP cannot monitor applications that have Code Integrity Guard enabled, as Microsoft Code Integrity Guard blocks the loading of any binary into a process that is not signed by Microsoft.
  Workaround: None.
DLP-65983, DLP-66708
  Description: When remote users connect to Azure Virtual Desktop endpoints using the Remote Desktop web client, DLP policy enforcement is not applied. This occurs when they attempt to open confidential files, even when monitoring is enabled for the Application File Access channel. This also occurs when they perform Save As to their local drive (client drive).
  Workaround: None.
DLP-66961
  Description: When remote users connect to Azure Virtual Desktop endpoints using the Remote Desktop web client, DLP cannot monitor file transfers and file access on the virtual hard drive.
  Workaround: Refer to the Microsoft Remote Desktop Services documentation for information about securing or disabling the Remote Desktop Virtual Drive. See https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-web-client.
DLP-67006
  Description: The Microsoft Edge Startup boost feature must be disabled to get a DLP Edge Extension event.
  Workaround: None.
DLP-67016
  Description: On Windows endpoints: After MIP Classification labels are enforced for Office documents that are synced to Microsoft OneDrive, temporary backup files are not deleted from OneDrive.
  Workaround: None.
DLP-67275
  Description: When a user prints a document from an application such as Google Drive or Firefox, the application converts the document to an image or gibberish text, and then print monitoring does not work.
  Workaround: None.

Discover Known Issues in 16.0

Table 20: Discover Known Issues in 16.0

DLP-67034
  Description: The following UI elements are not getting translated on the Enforce Server administration console once you log in using a supported non-English language:
  • The Items per page label on the Discover Targets list, File System - High Speed Discovery Scan Details, and Discover Cluster Details pages
  • The Total Items label on the File System - High Speed Discovery Scan Details page
  • The Download Scan Details Report button on the File System - High Speed Discovery Scan Details page
  • The navigation screen name for the File System - High Speed Discovery Scan Details and Discover Cluster Details pages
  Also, the navigation screen name for the Discover Cluster Details page is not displayed.
  Workaround: None.

Detection Known Issues in 16.0

Table 21: Detection Known Issues in 16.0

DLP-65290
  Description: User Risk: No match or incident is generated when ICA rules are used with EDM. This occurs if EDM is configured to run in TTD mode for endpoints.
  Workaround: None.
  Fixed in: 16.0.1
DLP-65867, DLP-65902, DLP-65970
  Description: Structured Data Matching: The following table issues may result in incidents with split tables:
  • Empty, but formatted, cells present in Excel documents
  • Unquoted TAB characters present in Excel files
  • Some PDF files that have superfluous space characters
  Workaround: None.
DLP-65923
  Description: Structured Data Matching: SDM does not work with tables in RTF and HTML docs.
  Workaround: None.

Known issues in 16.0 MP1

This section lists the known issues that were discovered in version 16.0 after it was released.

Enforce Server Known Issues in 16.0 MP1

This table lists the Enforce Server known issues in 16.0 MP1.

CRE-12747
  Description: While calling the incidentId API to generate a list in the CSV format, the API returns a list of policy names instead of policy IDs.
  Workaround: None.

Known issues in 15.8 MP1

This section lists the known issues that were discovered in version 15.8 after it was released.

Detection known issues in 15.8 MP1

Table 22: Detection known issues in 15.8 MP1

DLP-36269
  Description: After Data Loss Prevention added support for S/MIME .p7m files, new S/MIME encrypted emails were sent as attachments.
  Workaround: To perform detection on the body of the original S/MIME email, you must select Attachment for all Policy conditions.

Endpoint known issues in 15.8 MP1

Table 23: Endpoint known issues in 15.8 MP1

DLP-40682
  Description: When users save a Microsoft PowerPoint presentation and overwrite a file that is stored in OneDrive, the file becomes corrupted.
  Workaround: None.
DLP-40683
  Description: When users add sensitive information to a Word document that is stored in OneDrive, two incidents are generated instead of one.
  Workaround: None.
DLP-40826
  Description: When users create and save a new Microsoft Word document to Microsoft OneDrive, the file is not inspected.
  Workaround: Edit the file and then save it again to trigger inspection.

Known issues in 15.8 MP2

This section lists the known issues that were discovered in version 15.8 after it was released.

Installation and upgrade known issues in 15.8 MP2

Table 24: Installation and upgrade known issues in 15.8 MP2

DLP-61433
  Description: If you upgrade to 15.8 MP2 from a 15.8 MP1 hotfix, you cannot uninstall 15.8 MP2.
  Workaround:
  1. To uninstall the 15.8 MP1 hotfix and 15.8 MP2 simultaneously, run the following command:
     msiexec /i <product code or path of the DLP 15.8 installer> MSIPATCHREMOVE=<PATCHGUID of the 15.8 MP1 hotfix or file path of the 15.8 MP2 MSP file>;<PATCHGUID of 18.5 MP2 or file path of the 15.8 MP2 MSP file> /qb
  2. To complete the downgrade, re-apply the 15.8 MP1 hotfix.

Detection known issues in 15.8 MP2

Table 25: Detection known issues in 15.8 MP2

DLP-62038
  Description: Proximity count (Word Distance of the Find keywords validator) fails to perform deduplication for unique matches.
  Workaround: None.

Known issues in 15.8 MP3

This section lists the known issues that were discovered in version 15.8 after it was released.

Installation and upgrade known issues in 15.8 MP3

Table 26: Installation and upgrade known issues in 15.8 MP3

DLP-61433
  Description: If you upgrade to a Maintenance Pack from an earlier hotfix, you cannot uninstall the Maintenance Pack to downgrade to the earlier hotfix.
  Workaround:
  1. To uninstall the Maintenance Pack and the earlier hotfix simultaneously, run the following command:
     msiexec /i <product code or path of the DLP 15.8 installer> MSIPATCHREMOVE=<PATCHGUID of the hotfix or file path of the Maintenance Pack MSP file>;<PATCHGUID of Maintenance Pack or file path of the Maintenance Pack MSP file> /qb
  2. To complete the downgrade, re-apply the earlier hotfix.

Endpoint known issues in 15.8 MP3

Table 27: Endpoint known issues in 15.8 MP3

DLP-16787
  Description: On macOS endpoints, the domain filter does not work properly when browser tabs are switched in Google Chrome and Mozilla Firefox.
  Workaround: Don't switch browser tabs until you've finished uploading all of the desired files to the filtered domain.
DLP-30011
  Description: On macOS endpoints, after disabling or enabling the Chrome extension, file upload monitoring stops working.
  Workaround: This is a known issue in the Chrome extension API. It works differently for published and non-published extensions. Symantec has filed the following issue with the Chrome team: Issue 1133121: chrome.runtime.onInstalled not fired for published extension.
DLP-30012
  Description: On macOS endpoints, when you use Google Chrome in incognito mode or guest mode or Mozilla Firefox in private mode, monitoring is unavailable.
  Workaround: Symantec recommends that you disable Incognito mode and guest mode in Google Chrome and private mode in Mozilla Firefox using MDM settings. This behavior is expected as third-party browser extensions, such as the Symantec extension, are not loaded in Incognito mode and private mode.

Symantec Data Loss Prevention Release Types


Updates for Symantec Data Loss Prevention come in the form of various release types.
The following section describes the release types and their impact on a Symantec Data Loss Prevention deployment.
Understanding release types allows you to make an informed decision on when and why to apply a particular Symantec
Data Loss Prevention release.

Symantec Data Loss Prevention includes the following release types:
• Major release
• Minor release
• Release update (RU)

Major Release
A major release incorporates all updates since the last release. You can install a major release for the first time, or upgrade to a major release from a previous release.
A major release can include all or some of the following programmatic updates:
• New features and enhancements, such as architectural changes, major feature changes, or new platform or operating system support
• Bug fixes
• Database schema changes (typically)
• New SKUs
A major release version number reads XX.0, where XX is the major release version. For example, Symantec Data Loss Prevention version 16.0 is a major release.

Minor Release
A minor release incorporates all updates since the last major or minor release. You can install a minor release for the first time, or upgrade to a major release from a previous release.
A minor release can include all or some of the following programmatic updates:
• Minor features and enhancements, such as architectural changes, feature changes, or new platform or operating system support
• Bug fixes
• Database schema changes (typically)
• New SKUs
A minor release version number reads XX.YY, where XX is the preceding major release version and YY is the minor release number. For example, Symantec Data Loss Prevention version 15.8 is a minor release.

Release Update
A release update incorporates all updates since the last major or minor release. You can install a release update for the first time, or you can upgrade to a release update from the previous major release.
A release update (RU) can include all or some of the following programmatic updates:
• Customer-reported bug fixes
• Security fixes
• Database schema changes (occasionally)
A release update version number reads XX.YY.ZZ, where the variables are defined in the following list:
• XX is the preceding major release version
• YY is the minor release number, if applicable
• ZZ is the RU version
For example, Symantec Data Loss Prevention version 16.0.1 is a release update.

Related Links
Planning the installation on page 207
Preparing to upgrade on page 351
Applying a server Maintenance Pack

Getting started
Learn about getting started with Symantec Data Loss Prevention.
About updates to the Symantec Data Loss Prevention Help Center
News and Alerts
Introducing Symantec Data Loss Prevention
Getting Started Administering Symantec Data Loss Prevention
Working with languages and locales

About updates to the Symantec Data Loss Prevention Help Center


This content is occasionally updated as new information becomes available. Check back to this page for a summary of
changes as they are published.
The following sections provide the history of updates to the Symantec Data Loss Prevention Help Center content:
• DLP System Requirements

DLP System Requirements

Table 28: Change history for the Symantec Data Loss Prevention system requirements

Date Description

13 September 2023 Added support for Chrome 117 on both Windows and macOS.
12 September 2023 Added support for DLP Agents on macOS 11.7.10 and 12.6.9.

News and Alerts


Lists the latest Symantec Data Loss Prevention-related news and alerts.
Use the DLP News and Alerts screen to review important information about your Symantec Data Loss Prevention
implementation. Learn about critical updates, latest hot fixes, release announcements, and so on.
Click the Details link for more information.
News and alerts are updated daily from the Symantec Cloud Service and each update is confirmed with a DLP Alert
Synchronization event. See System Events Reports.

Subscribing to Alerts
You can also subscribe to proactive notifications to receive updates by email.
Complete the following steps to subscribe to notifications or update existing notifications:
1. Go to https://support.broadcom.com/, click Login, and enter credentials.
2. Click the bell icon, then the gear icon to display the Notification Settings page.
3. Enter Data Loss Prevention in the Search by Product Name field.
4. Select Symantec Data Loss Prevention components for which you want to be notified and the notification type to
receive. Your changes are saved as you make selections.

Introducing Symantec Data Loss Prevention
Symantec Data Loss Prevention enables you to:
• Discover and locate confidential information in repositories, on file and web servers, in databases, and on endpoints
(desk and laptop systems)
• Protect confidential information through quarantine
• Monitor network traffic for transmission of confidential data
• Monitor the use of sensitive data on endpoints
• Prevent transmission of confidential data to outside locations
• Automatically enforce data security and encryption policies
Symantec Data Loss Prevention includes the following components:
• Enforce Server
About the Enforce Server platform
About Symantec Data Loss Prevention administration
About the Enforce Server administration console
• Network Discover
About Network Discover
• Network Protect
About Network Protect
• Network Monitor
About Network Monitor and Prevent
• Network Prevent
About Network Monitor and Prevent
• Endpoint Discover
About Endpoint Discover
• Endpoint Prevent
About Endpoint Prevent
The Discover, Protect, Monitor, and Prevent modules can be deployed as stand-alone products or in combination.
Regardless of which stand-alone products you deploy, the Enforce Server is always provided for central management.
Note that the Network Protect module requires the Network Discover module.
Associated with each product module are corresponding detection servers and cloud detectors:
• Network Discover Server locates the exposed confidential data on a broad range of enterprise data repositories
including:
– File servers
– Databases
– Microsoft SharePoint
– IBM/Lotus Notes
– EMC Documentum
– Livelink
– Microsoft Exchange
– Web servers
– Other data repositories
If you are licensed for Network Protect, this server also copies and quarantines sensitive data on file servers as
specified in your policies.
About Network Discover
• Network Monitor Server monitors the traffic on your network.

About Network Monitor and Prevent
• Network Prevent for Email Server blocks emails that contain sensitive data.
About Network Monitor and Prevent
• Network Prevent for Web Server blocks HTTP postings and FTP transfers that contain sensitive data.
About Network Monitor and Prevent
• Endpoint Server monitors and prevents the misuse of confidential data on endpoints.
About Endpoint Discover
About Endpoint Prevent
The distributed architecture of Symantec Data Loss Prevention allows organizations to:
• Perform centralized management and reporting.
• Centrally manage data security policies once and deploy immediately across the entire Symantec Data Loss
Prevention suite.
• Scale data loss prevention according to the size of your organization.
About the Enforce Server platform
The Symantec Data Loss Prevention Enforce Server is the central management platform that enables you to define,
deploy, and enforce data loss prevention and security policies. The Enforce Server administration console provides a
centralized, web-based interface for deploying detection servers, authoring policies, remediating incidents, and managing
the system.
Introducing Symantec Data Loss Prevention
The Enforce platform provides you with the following capabilities:
• Build and deploy accurate data loss prevention policies. You can choose among various detection technologies, define
rules, and specify actions to include in your data loss prevention policies. Using provided regulatory and best-practice
policy templates, you can meet your regulatory compliance, data protection and acceptable-use requirements, and
address specific security threats.
• Automatically deploy and enforce data loss prevention policies. You can automate policy enforcement options for
notification, remediation workflow, blocking, and encryption.
• Measure risk reduction and demonstrate compliance. The reporting features of the Enforce Server enable you to
create actionable reports identifying risk reduction trends over time. You can also create compliance reports to address
conformance with regulatory requirements.
• Empower rapid remediation. Based on incident severity, you can automate the entire remediation process using
detailed incident reporting and workflow automation. Role-based access controls empower individual business units
and departments to review and remediate those incidents that are relevant to their business or employees.
• Safeguard employee privacy. You can use the Enforce Server to review incidents without revealing the sender identity
or message content. In this way, multi-national companies can meet legal requirements on monitoring European Union
employees and transferring personal data across national boundaries.
About role-based access control

About Network Monitor and Prevent


The Symantec Data Loss Prevention network data monitoring and prevention products include:
• Network Monitor
Network Monitor captures and analyzes traffic on your network. It detects confidential data and significant traffic
metadata over the protocols that you specify, for example SMTP, FTP, HTTP, and various IM protocols. You can
configure a Network Monitor Server to monitor custom protocols and to use a variety of filters (per protocol) to filter out
low-risk traffic.
• Network Prevent for Email
Network Prevent for Email integrates with standard MTAs and hosted email services to provide in-line active SMTP
email management. Policies that are deployed on in-line Network Prevent for Email Server direct the next-hop mail
server to block, reroute, or tag email messages. These blocks are based on specific content and other message
attributes. Communication between MTAs and Network Prevent for Email Server can be secured as necessary using
TLS.
Implement Network Monitor, review the incidents it captures, and refine your policies accordingly before you implement
Network Prevent for Email.
• Network Prevent for Web
For in-line active web request management, Network Prevent for Web integrates with an HTTP, HTTPS, or FTP proxy
server. This integration uses the Internet Content Adaptation Protocol (ICAP). The Network Prevent for Web Server
detects confidential data in HTTP, HTTPS, or FTP content. When it does, it causes the proxy to reject requests or
remove HTML content as specified by the governing policies.

About Network Discover


Network Discover scans networked file shares, web content servers, databases, document repositories, and endpoint
systems at high speeds to detect exposed data and documents. Network Discover enables companies to understand
exactly where confidential data is exposed and helps significantly reduce the risk of data loss.
Network Discover gives organizations the following capabilities:
• Pinpoint unprotected confidential data. Network Discover helps organizations accurately locate at-risk data that is
stored on their networks. You can then inform shared file server owners to protect the data.
• Reduce proliferation of confidential data. Network Discover helps organizations to detect the spread of sensitive
information throughout the company and reduce the risk of data loss.
• Automate investigations and audits. Network Discover streamlines data security investigations and compliance audits.
It accomplishes this task by enabling users to scan for confidential data automatically, as well as review access control
and encryption policies.
• During incident remediation, Veritas Data Insight helps organizations solve the problem of identifying data owners
and responsible parties for information due to incomplete or inaccurate metadata or tracking information. For more
information, see Using Data Insight.
• To provide additional flexibility in remediating Network Discover incidents, use the FlexResponse application
programming interface (API), or the FlexResponse plug-ins that are available.
See the Symantec Data Loss Prevention FlexResponse Platform Developers Guide, or contact Symantec Professional
Services for a list of plug-ins.

About Network Protect


Network Protect reduces your risk by removing exposed confidential data, intellectual property, and classified information
from open file shares on network servers or desktop computers. Note that there is no separate Network Protect server;
the Network Protect product module adds protection functionality to the Network Discover Server.
Network Protect gives organizations the following capabilities:
• Quarantine exposed files. Network Protect can automatically move those files that violate policies to a quarantine
area that re-creates the source file structure for easy location. Optionally, Symantec Data Loss Prevention can place a
marker text file in the original location of the offending file. The marker file can explain why and where the original file
was quarantined.
• Copy exposed or suspicious files. Network Protect can automatically copy those files that violate policies to a
quarantine area. The quarantine area can re-create the source file structure for easy location, and leave the original file
in place.
• Quarantine file restoration. Network Protect can easily restore quarantined files to their original or a new location.
• Enforce access control and encryption policies. Network Protect proactively ensures workforce compliance with
existing access control and encryption policies.

About Endpoint Discover


Endpoint Discover detects sensitive data on your desktop or your laptop endpoints. It consists of at least one Endpoint
Server and at least one Symantec DLP Agent that runs on an endpoint. You can have many Symantec DLP Agents
connected to a single Endpoint Server. Symantec DLP Agents:
• Detect sensitive data in the endpoint file system.
• Collect data on that activity.
• Send incidents to the Endpoint Server.
• Send the data to the associated Endpoint Server for analysis, if necessary.

About Endpoint Prevent


Endpoint Prevent detects and prevents sensitive data from leaving your desktop or your laptop endpoints. It consists
of at least one Endpoint Server and all the Symantec DLP Agents running on the endpoint systems that are connected
to it. You can have many Symantec DLP Agents connected to a single Endpoint Server. Endpoint Prevent detects sensitive
data in the following data transfers:
• Application monitoring
• CD/DVD
• Clipboard
• Email/SMTP
• eSATA removable drives
• FTP
• HTTP/HTTPS
• IM
• Network shares
• Print/Fax
• USB removable media devices

Getting Started Administering Symantec Data Loss Prevention


This content includes the following topics:

• About Symantec Data Loss Prevention administration
• About the Enforce Server administration console
• Logging On and Off the Enforce Server Administration Console
• About the administrator account
• Performing Initial Setup Tasks
• Changing the Administrator Password
• Adding an administrator email account
• Editing a user profile
• Changing your password

About Symantec Data Loss Prevention administration


The Symantec Data Loss Prevention system consists of one Enforce Server and one or more detection servers.
The Enforce Server stores all system configuration, policies, saved reports, and other Symantec Data Loss Prevention
information and manages all activities.
System administration is performed from the Enforce Server administration console, which is accessed by a Firefox or
Internet Explorer Web browser. The Enforce console is displayed after you log on.
After completing the installation steps, you must perform initial configuration tasks to get Symantec Data Loss Prevention
up and running for the first time. These are essential tasks that you must perform before the system can begin monitoring
data on your network.

Related Links
Installing DLP on page 207
Install the Enforce Server, detection servers, and DLP Agents.
About the Enforce Server administration console on page 96
Performing Initial Setup Tasks on page 98

About the Enforce Server administration console


You administer the Symantec Data Loss Prevention system through the Enforce Server administration console.
The Administrator user can see and access all parts of the administration console. Other users can see only the parts to
which their roles grant them access. The user account under which you are currently logged on appears at the top right of
the screen.
When you first log on to the administration console, the default Home page is displayed. You and your users can change
the default Home page using the Home page selection button.
Administration console navigation and operation icons
To navigate through the system, select items from one of the four menu clusters (Home, Incidents, Manage, and
System).
Located in the upper-right portion of the administration console are the following navigation and operation icons:

Table 29: Administration console navigation and operation icons

Icon Description

Help. Click this icon to access the context-sensitive online help for your current page.

Select this page as your Home page. If the current screen cannot be selected as your Home page, this icon is
unavailable.
Back to previous screen. Symantec recommends using this Back button rather than your browser Back button. Use
of your browser Back button may lead to unpredictable behavior and is not recommended.
Screen refresh. Symantec recommends using this Refresh button rather than your browser Reload or Refresh
button. Use of your browser buttons may lead to unpredictable behavior and is not recommended.
Print the current report. If the current screen contents cannot be sent to the printer, this icon is unavailable.

Email the current report to one or more recipients. If the current screen contents cannot be sent as an email, this icon
is unavailable.


Logging On and Off the Enforce Server Administration Console


If you are assigned more than one role, you can only log on under one role at a time. You must specify the role name and
user name at logon.
To log on to the Enforce Server
1. On the Enforce Server host, open a browser and point it to the URL for your server (as provided by the Symantec Data
Loss Prevention administrator).
2. On the Symantec Data Loss Prevention logon screen, enter your user name in the Username field. For the
administrator role, this user name is always Administrator. Users with multiple roles should specify the role name
and the user name in the format role\user (for example, ReportViewer\bsmith). If they do not, Symantec Data Loss
Prevention assigns the user a role upon logon.
3. In the Password field, type the password. For the administrator at first logon, this password is the password you
created during the installation.
For installation details, see Installing DLP.
4. Click login.
The Enforce Server administration console appears. The administrator can access all parts of the administration
console, but another user can see only those parts that are authorized for that particular role.
To log out of the Enforce Server
5. Click logout at the top right of the screen.
6. Click OK to confirm.
Symantec Data Loss Prevention displays a message confirming the logout was successful.

About the administrator account
The Symantec Data Loss Prevention system is preconfigured with a permanent administrator account. Note that the name
is case sensitive and cannot be changed. You configured a password for the administrator account during installation.
See Installing DLP for more information.
Only the administrator can see or modify the administrator account. Role options do not appear on the administrator
configure screen, because the administrator always has access to every part of the system.

Related Links
Changing the Administrator Password on page 98
Adding an administrator email account on page 99

Performing Initial Setup Tasks


After completing the installation steps, you must perform initial configuration tasks to get Symantec Data Loss Prevention
up and running for the first time. These are essential tasks that you must perform before the system can begin monitoring
data on your network.
• Change the Administrator's password to a unique password only you know, and add an email address for the
Administrator user account so you can be notified of various system events.
About the administrator account
• Add and configure your detection servers.
Adding a detection server
Server configuration—basic
• Add any user accounts you need in addition to those supplied by your Symantec Data Loss Prevention solution pack.
• Review the policy templates provided with your Symantec Data Loss Prevention solution pack to familiarize yourself
with their content and data requirements. Revise the policies or create new ones as needed.
• Add the data profiles that you plan to associate with policies.
Data profiles are not always required. This step is necessary only if you are licensed for data profiles and if you intend
to use them in policies.

Related Links
Installing DLP on page 207
Install the Enforce Server, detection servers, and DLP Agents.

Changing the Administrator Password


During installation, you created a generic administrator password. When you log on for the first time, you should change
this password to a unique, secret password.
See Installing DLP for more information.
Passwords are case-sensitive and they must contain at least eight characters.
Note that you can configure Symantec Data Loss Prevention to require strong passwords. Strong passwords are
passwords specifically designed to be difficult to break. Password policy is configured from the System > Settings >
General > Configure screen.
When your password expires, Symantec Data Loss Prevention displays the Password Renewal window at the next logon.
When the Password Renewal window appears, type your old password, and then type your new password and confirm it.

1. Log on as administrator.
2. Click Profile in the upper-right corner of the administration console.
3. On the Edit Profile screen:
• Enter your new password in the New Password field.
• Re-enter your new password in the Re-enter New Password field. The two new passwords must be identical.
Note that passwords are case-sensitive.
4. Click Save.
Related Links
About the administrator account on page 98
About the Enforce Server administration console on page 96
on page 729

Adding an administrator email account


You can specify an email address to receive administrator account related messages.
To add or change an administrator email account
1. Click Profile in the upper-right corner of the administration console.
2. Type the new (or changed) administrator email address in the Email Address field.
The email addresses must include a fully qualified domain name. For example: my_name@acme.com.
3. Click Save.


Editing a user profile


System users can use the Profile screen to configure their profile passwords, email addresses, and languages.
Users can also specify their report preferences at the Profile screen.
To display the Profile screen, click the drop-down list at the top-right of the Enforce Server administration console, then
select Profile.
The Profile screen is divided into the following sections:
• Authentication. Use this section to change your password, or select certificate authentication, if available.
• General. Use this section to specify your email address, choose a language preference, and view your selected home
page.
• Report Preferences. Use this section to specify your preferred text encoding, CSV delimiter, and XML export
preferences.
• Roles. This section displays your role. Note that this section is not displayed for the administrator because the
administrator is authorized to perform all roles.
The Authentication section:
To change your password

1. Enter your new password in the New Password field.
2. Re-enter your new password in the Re-enter New Password field.
3. Click Save.
To use certificate authentication
4. If certificate authentication is available to you, select Use Certificate authentication.
5. Enter your LDAP common name (CN) in the Common Name (CN) field.
6. Click Save.
7. In the Email Address field enter your personal email address.
8. Click Save.
9. Click the option next to your language choice.
10. Click Save.
The Enforce Server administration console is re-displayed in the new language.
11. Select a text encoding option:
• Use browser default encoding. Check this box to specify that text files use the same encoding as your browser.
• Pull down menu. Click on an encoding option in the pull down menu to select it.
12. Click Save.
The new text encoding is applied to CSV exported files. This encoding lets you select a text encoding that matches the
encoding that is expected by CSV applications.
To select a CSV delimiter
13. Choose one of the delimiters from the pull-down menu.
14. Click Save.
The new delimiter is applied to the next comma-separated values (CSV) list that you export.
15. Include Incident Violations in XML Export. If this box is checked, reports exported to XML include the highlighted
matches on each incident snapshot.
16. Include Incident History in XML Export. If this box is checked, reports exported to XML include the incident history
data that is contained in the History tab of each incident snapshot.
17. Click Save.
Your selections are applied to the next report you export to XML.

If neither box is checked, the exported XML report contains only the basic incident information.

Changing your password


When your password expires, Symantec Data Loss Prevention displays the Password Renewal window at the next logon.
When the Password Renewal window appears, enter your new password and confirm it.
When your password expires, the system requires you to specify a new one the next time you attempt to log on. If you are
required to change your password, the Password Renewal window appears.
To change your password from the Password Renewal window

1. Enter your old password in the Old password field of the Password Renewal window.
2. Enter your new password in the New Password field of the Password Renewal window.
3. Re-enter your new password in the Re-enter New Password field of the Password Renewal window.

The next time you log on, you must use your new password.
You can also change your password at any time from the Profile screen.

About support for character sets, languages, and locales


Symantec Data Loss Prevention fully supports international deployments by offering a large number of languages and
localization options:
• Policy creation and violation detection across many languages.
The supported languages can be used in keywords, data identifiers, regular expressions, exact data profiles (EDM)
and document profiles (IDM).
Supported languages for detection
• Operation on localized and Multilingual User Interface (MUI) versions of Windows operating systems.
• International character sets. To view and work with international character sets, the system on which you are viewing
the Enforce Server administration console must have the appropriate capabilities.
Working with international characters
• Locale-based date and number formats, as well as sort orders for lists and reports.
About locales
• Localized user interface (UI) and Help system. Language packs for Symantec Data Loss Prevention provide language-
specific versions of the Enforce Server administration console. They may also provide language-specific versions of
the online Help system.
NOTE
These language packs are added separately following initial product installation.
• Localized product documentation.
• Language-specific notification pop-ups. Endpoint notification pop-ups appear in the display language that is selected
on the endpoint instead of the system locale language. For example, if the system locale is set to English and the user
sets the display language to German, the notification pop-up appears in German.
NOTE
A mixed language notification pop-up displays if the user locale language does not match the language used
in the response rule.

Supported languages for detection


Symantec Data Loss Prevention supports a large number of languages for detection. Policies can be defined that
accurately detect and report on the violations that are found in content in these languages:

• Arabic
• Brazilian Portuguese
• Chinese (traditional)
• Chinese (simplified)
• Czech
• Danish
• Dutch
• English
• Finnish
• French
• German
• Greek
• Hebrew
• Hungarian
• Italian
• Japanese
• Korean
• Norwegian
• Polish
• Portuguese
• Romanian
• Russian
• Spanish
• Swedish
• Turkish
NOTE
Symantec Data Loss Prevention cannot be installed on a Windows operating system that is localized for the
Turkish language, and you cannot choose Turkish as an alternate locale.
A number of capabilities are not implied by this support:
• Technical support provided in a non-English language. Because Symantec Data Loss Prevention supports a particular
language does not imply that technical support is delivered in that language.
• Localized administrative user interface (UI) and documentation. Support for a language does not imply that the UI
or product documentation has been localized into that language. However, even without a localized UI, user-defined
portions of the UI such as pop-up notification messages on the endpoint can still be localized into any language by
entering the appropriate text in the UI.
• Localized content. Keywords are used in a number of areas of the product, including policy templates and data
identifiers. Support for a language does not imply that these keywords have been translated into that language. Users
may, however, add keywords in the new language through the Enforce Server administration console.
• New file types, protocols, applications, or encodings. Support for a language does not imply support for any new file
types, protocols, applications, or encodings that may be prevalent in that language or region other than what is already
supported in the product.
• Language-specific normalization. An example of normalization is to treat accented and unaccented versions of
a character as the same. The product already performs a number of normalizations, including standard Unicode
normalization that should cover the vast majority of cases. However, it does not mean that all potential normalizations
are included.
• Region-specific normalization and validation. An example of this is the awareness that the product has of the format
of North American phone numbers, which allows it to treat different versions of a number as the same, and to identify
invalid numbers in EDM source files. Support for a language does not imply this kind of functionality for that language
or region.
Items in these excluded categories are tracked as individual product enhancements on a language- or region-specific
basis. Contact Symantec Technical Support for additional information on language-related enhancements or plans for the
languages not listed.

Working with international characters


You can use a variety of languages in Symantec Data Loss Prevention, based on:
• The operating system-based character set installed on the computer from which you view the Enforce Server
administration console
• The capabilities of your browser
For example, an incident report on a scan of Russian-language data would contain Cyrillic characters. To view that report,
the computer and browser you use to access the Enforce Server administration console must be capable of displaying
these characters. Here are some general guidelines:
• If the computer you use to access the Enforce Server administration console has an operating system localized for a
particular language, you should be able to view and use a character set that supports that language.
• If the operating system of the computer you use to access the administration console is not localized for a particular
language, you may need to add supplemental language support. This supplemental language support is added to the
computer you use to access the administration console, not on the Enforce Server.
– On a Windows system, you add supplemental language support using the Control Panel > Regional and
Language Options > Languages (tab) - Supplemental Language Support to add fonts for some character sets.
• It may also be necessary to set your browser to accommodate the characters you want to view and enter.
NOTE
The Enforce Server administration console supports UTF-8 encoded data.
• On a Windows system, it may also be necessary to use the Languages – Supplemental Language Support tab
under Control Panel > Regional and Language Options to add fonts for some character sets.
Related Links
About support for character sets, languages, and locales on page 101

About Symantec Data Loss Prevention language packs


Language packs for Symantec Data Loss Prevention localize the product for a particular language on Windows-based
systems. After a language pack is added to Symantec Data Loss Prevention, administrators can specify it as the system-
wide default. If administrators make multiple language packs available for use, individual users can choose the language
they want to work in.
Using a non-English language on the Enforce Server administration console
Language packs provide the following:
• The locale of the selected language becomes available to administrators and end users in Enforce Server
Configuration screen.
• Enforce Server screens, menu items, commands, and messages appear in the language.
• The Symantec Data Loss Prevention online Help system may be displayed in the language.
Language packs for Symantec Data Loss Prevention are available from Product Downloads at the Broadcom Support
Portal.

CAUTION
When you install a new version of Symantec Data Loss Prevention, any language packs you have installed are
deleted. For a new, localized version of Symantec Data Loss Prevention, you must upgrade to a new version of
the language pack.
Related Links
About locales on page 331
About support for character sets, languages, and locales on page 101

About locales
Locales are installed as part of a language pack.
A locale provides the following:
• Displays dates and numbers in formats appropriate for that locale.
• Sorts lists and reports based on text columns, such as "policy name" or "file owner," alphabetically according to the
rules of the locale.
An administrator can also configure an additional locale for use by individual users. This additional locale need only be
supported by the required version of Java.
For a list of these locales, see https://www.oracle.com/technetwork/java/javase/java8locales-2095355.html.
You use the Language Pack Utility to specify a locale if one is not specified at product installation time.

Using a non-English language on the Enforce Server administration console
The use of locales and languages is specified through the Enforce Server administration console by the following roles:
• Symantec Data Loss Prevention administrator. Specifies that one of the available languages be the default system-
wide language and sets the locale.
• Individual Symantec Data Loss Prevention user. Chooses which of the available locales to use.
NOTE
The addition of multiple language packs could slightly affect Enforce Server performance, depending on the
number of languages and customizations present. This occurs because an additional set of indexes has to be
built and maintained for each language.
WARNING
Do not modify the Oracle database NLS_LANGUAGE and NLS_TERRITORY settings.
A Symantec Data Loss Prevention administrator specifies which of the available languages is the default system-wide
language.
To choose the default language for all users
1. On the Enforce Server, go to System > Settings > General and click Configure.
The Edit General Settings screen is displayed.

2. Scroll to the Language section of the Edit General Settings screen, and click the button next to the language you
want to use as the system-wide default.
3. Click Save.

Individual Symantec Data Loss Prevention users can choose which of the available languages and locales they want to
use by updating their profiles.
Editing a user profile
Administrators can use the Language Pack Utility to update the available languages.
Using the Language Pack Utility
NOTE
If the Enforce Server runs on a Linux host, you must install language fonts on the host machine using the Linux
Package Manager application. Language font packages begin with fonts-<language_name>. For example,
fonts-japanese-0.20061016-4.el5.noarch

Using the Language Pack Utility


To make a specific locale available for Symantec Data Loss Prevention, you add language packs through the Language
Pack Utility.
You run the Language Pack Utility from the command line. Its executable, LanguagePackUtility.exe, resides in one
of the following directories based on your platform:
• Windows:
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/bin
To use the Language Pack Utility, you must have Read, Write, and Execute permissions on the folders and subfolders
listed below (for your platform):
• Windows:
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000
If you are running the utility on Linux, you must be a root user.
To display help for the utility, such as the list of valid options and their flags, enter LanguagePackUtility without any
flags.
NOTE
Running the Language Pack Utility causes the SymantecDLPManagerService and
SymantecDLPIncidentPersisterService services to stop for as long as 20 seconds. Any users who are
logged on to the Enforce Server administration console are logged out automatically. When finished making its
updates, the utility restarts the services automatically, and users can log back on to the administration console.
Language packs for Symantec Data Loss Prevention can be obtained from Product Downloads at the Broadcom Support
Portal.

NOTE
Administrators can only make one other locale available for users that is not based on a previously installed
Symantec Data Loss Prevention language pack.
Add a language pack on Linux
1. Advise other users that anyone currently using the Enforce Server administration console must save their work and log
off.
2. Open a terminal session to the Enforce Server host and switch to the DLP_system_account by running the following
command:
su - DLP_system_account
3. Run the following command:
DLP_home/Protect/bin/LanguagePackUtility -a <path to language pack zip file>
4. Log on to the Enforce Server administration console and confirm that the new language option is available on the Edit
General Settings screen. To do this, go to System > Settings > General > Configure > Edit General Settings.

Remove a language pack


1. Advise users that anyone currently using the Enforce Server administration console must save their work and log off.
2. Run the Language Pack Utility with the -r flag followed by the Java locale code of the language pack you want to
remove. Enter:
LanguagePackUtility -r locale

Where locale is a valid Java locale code corresponding to a Symantec Data Loss Prevention language pack.
For example, to remove the French language pack enter:
LanguagePackUtility -r fr_FR

To remove multiple language packs during the same session, specify multiple file names, which are separated by
spaces.
3. Log on to the Enforce Server administration console and confirm that the language pack is no longer available on the
Edit General Settings screen. To do this, go to System > Settings > General > Configure > Edit General Settings.
4. Advise users that anyone currently using the Enforce Server administration console must save their work and log off.
5. Run the Language Pack Utility using the -c flag followed by the Java locale code for the locale that you want to
change or add. Enter:
LanguagePackUtility -c locale

Where locale is a valid locale code that is recognized by Java, such as pt_PT for Portuguese.
For example, to change the locale to Brazilian Portuguese enter:
LanguagePackUtility -c pt_BR

6. Log on to the Enforce Server administration console and confirm that the new alternate locale is now available on the
Edit General Settings screen. To confirm the locale, go to System > Settings > General > Configure > Edit General
Settings.
If you specify a locale for which there is no language pack, "Translations not available" appears next to
the locale name. This means that formatting and sort order are appropriate for the locale, but the Enforce Server
administration console screens and online Help are not translated.
Related Links
About Symantec Data Loss Prevention language packs on page 331

DLP System Requirements
System requirements, recommendations, and deprecations.
About system requirements
System requirements and recommendations
Product compatibility

About system requirements


• About updates to Symantec Data Loss Prevention system requirements
• About deprecated platforms
About updates to Symantec Data Loss Prevention system requirements
This content is updated as new platforms are tested and certified. See About updates to the Symantec Data Loss
Prevention Help Center for a summary of the latest updates.

About deprecated platforms


Certain platforms are referred to as “deprecated.” That indicates that while the deprecated platform is supported in the
current release, Symantec plans to remove support in an upcoming release. If your Symantec Data Loss Prevention
environment includes a deprecated platform, you should plan on updating the platform to a later supported version or a
different supported platform as soon as possible.

System requirements and recommendations


Deployment planning considerations
The Effect of Scale on System Requirements
Minimum System Requirements for Symantec Data Loss Prevention Servers
Single-tier Installation Minimum Hardware Requirements
Small Installation Hardware Recommendations
Medium Installation Hardware Recommendations
Large Enterprise Hardware Recommendations
Operating system requirements for servers
System Requirements for OCR Servers
Endpoint computer requirements for the Symantec DLP Agent
Supported languages for detection
Available language packs
Oracle database requirements
Browser requirements for accessing the Enforce Server administration console
Deploying Data Loss Prevention on public cloud infrastructures

Virtual machine support
Supported operating systems for the EMDI, EDM, and IDM Remote Indexers
Third-party software requirements and recommendations

Deployment planning considerations


Installation planning and system requirements for Symantec Data Loss Prevention depend on:
• The type and amount of information you want to protect
• The amount of network traffic you want to monitor
• The size of your organization
• The type of Symantec Data Loss Prevention detection servers you choose to install
These factors affect both:
• The type of installation tier you choose to deploy (three-tier, two-tier, or single-tier)
• The system requirements for your Symantec Data Loss Prevention installation

The Effect of Scale on System Requirements


Some system requirements vary depending on the size of the Symantec Data Loss Prevention software deployment.
Determine the size of your organization and the corresponding Symantec Data Loss Prevention deployment using the
information in this section.
Consider the following deployment factors when determining the deployment size:
• Number of Enforce Server users
• Number of detection servers
• Number of Network Discover clusters
• Volume of data to scan
• Daily incident volume
• Amount of network traffic to monitor
• Size of Exact Data Match profile (EDM), Exact Match Data Identifier profile (EMDI), or Indexed Data Match profile
(IDM)
• Size of your Form Recognition profile
The following table outlines five sample deployments based on enterprise size. Review these sample deployments to
understand which best matches your organization’s environment.

Table 30: Types of enterprise deployments

Number of Enforce Server users
  Single tier: N/A
  Small: 10
  Medium: 20
  Large: 30
Number of detection servers
  Single tier: N/A
  Small: 10
  Medium: 50
  Large: 100+
Number of Network Discover clusters
  Single tier: Not supported
  Small: a single Network Discover cluster; up to ten detection servers; a single scan target; minimal policies
  Medium: a single Network Discover cluster; up to ten detection servers; up to ten scan targets; up to fifty policies
  Large: three or more Network Discover clusters with up to forty-four worker nodes in each cluster; one hundred detection servers; ten scan targets; one hundred policies
Daily incident volume
  Single tier: N/A
  Small: 10,000
  Medium: 50,000
  Large: 100,000
Volume of network traffic to monitor
  Single tier: 30-40 Mbps
  Small: 30-40 Mbps
  Medium: 30-40 Mbps
  Large: >40 Mbps
EDM/EMDI/IDM index size
  Single tier: EDM 4 million cells or IDM 250 MB (1400 files). See Data Loss Prevention policy detection technologies for information about EDM, IDM, and EMDI impact on sizing for enterprise deployments.
  Small, Medium, Large: See Data Loss Prevention policy detection technologies for information about EDM, IDM, and EMDI impact on sizing for enterprise deployments.
Form Recognition profile size
  All deployment sizes: See Form Recognition sizing and performance for information about Form Recognition sizing.
Hardware requirements
  Single tier: Single-tier Installation Minimum Hardware Requirements
  Small: Small Installation Hardware Recommendations
  Medium: Medium Installation Hardware Recommendations
  Large: Large Enterprise Hardware Recommendations

For additional information see About Network Performance Tests.

Minimum System Requirements for Symantec Data Loss Prevention Servers


All Symantec Data Loss Prevention servers must meet or exceed the minimum hardware specifications and run on one of
the supported operating systems.
• Minimum Supported Hardware Requirements for Enforce Servers
• Single-tier Installation Minimum Hardware Requirements
• Small Installation Hardware Recommendations
• Medium Installation Hardware Recommendations
• Large Enterprise Hardware Recommendations
• Operating system requirements for servers
NOTE
Requirements for Symantec Data Loss Prevention Virtual Appliances are the same as for the software server
counterparts, except for virtual environment support. Virtual Server Support
If the Oracle database for Symantec Data Loss Prevention is installed on a dedicated computer (a three-tier deployment),
that system must meet its own set of system requirements.
Oracle database requirements

Minimum Supported Hardware Requirements for Enforce Servers
The following table lists minimum supported hardware requirements for Enforce Servers.
Ensure that your hardware meets the minimum requirements before you install the Enforce Server.

Table 31: Enforce Server minimum hardware requirements

Processor: Four-core CPU
Memory: 8 GB RAM. The following DLP services should have 8 GB allocated of the total available RAM (minimum RAM requirements are listed individually):
  • Symantec DLP Manager (minimum 2 GB)
  • Symantec DLP Detection Server Controller (minimum 1 GB)
  • Symantec DLP Incident Persister (minimum 2 GB)
  Allocate 1 GB of the total RAM (minimum 256 MB) to the Symantec DLP Notifier service.
Disk: 500 GB hard drive storage. For Network Discover deployments, approximately 150 MB of disk space is required to maintain incremental scan indexes. This is based on an overhead of 5 MB per incremental scan target and 50 bytes per item in the target.
NICs: One copper or fiber 1 Gb/100 Mb Ethernet NIC to communicate with detection servers.

Single-tier Installation Minimum Hardware Requirements


Review the table for system requirements for branch office or small organization single-tier deployments.
NOTE
Single-tier installations are deprecated in Symantec Data Loss Prevention 16.0.1.
Because single-tier deployments include the Enforce Server, the Oracle database, and the detection server all on the
same computer, the processing and memory requirements are higher than they might be on dedicated servers in a two- or
three-tier deployment.
NOTE
The default content size for detection is 30 MB. If you plan to scan files larger than 30 MB, see Symantec Data
Loss Prevention Tuning Guidelines for Inspecting Large Files for information about tuning your system for large
file inspection.

Table 32: Single-tier installation minimum hardware requirements

Required for Single Server Installation
Processor: Eight-core CPU
Memory: 64 GB RAM
Disk: 3 TB, RAID 5 configuration (with a minimum of five spindles)
NICs: 1 copper or fiber 1 Gb Ethernet NIC (if you are using Network Monitor, you will need a minimum of two NICs)

Small Installation Hardware Recommendations
The following table provides the system recommendations for a small installation of Symantec Data Loss Prevention.
A small installation can be a three-tier installation, in which the Enforce Server and Oracle database are hosted on
separate computers.
Ensure optimal performance for the Network Discover cluster deployment by setting the max memory setting for the
SymantecDetectionServerController process on the cluster server to 6 GB.
Symantec recommends that you plan to meet hardware recommendations to ensure optimal performance.
NOTE
The default content size for detection is 30 MB. If you plan to scan files larger than 30 MB, see Symantec Data
Loss Prevention Tuning Guidelines for Inspecting Large Files for information about tuning your system for large
file inspection.

Table 33: Enforce Server hardware recommendations for a small installation

Processor: Eight-core CPU
Memory: 32 GB RAM. The following DLP services should have 8 GB allocated of the total available RAM (minimum RAM requirements are listed individually):
  • Symantec DLP Manager (minimum 2 GB)
  • Symantec DLP Detection Server Controller (minimum 1 GB)
  • Symantec DLP Incident Persister (minimum 2 GB)
  Allocate 1 GB of the total RAM (minimum 256 MB) to the Symantec DLP Notifier service.
Disk: 500 GB hard drive storage. For Network Discover deployments, approximately 150 MB of disk space is required to maintain incremental scan indexes. This is based on an overhead of 5 MB per incremental scan target and 50 bytes per item in the target.
NICs: One copper or fiber 1 Gb/100 Mb Ethernet NIC to communicate with detection servers.

Table 34: Oracle database minimum hardware requirements for a small installation

Processor: Two-core CPU
Memory: 8 GB RAM
Disk: 500 GB - 1 TB


Oracle database requirements

Table 35: Network Monitor minimum hardware requirements for a small installation

Processor: Four-core CPU
Memory: 6–8 GB RAM. For information about EDM, IDM, and EMDI impact on sizing, see the following topics:
  • About memory requirements for EDM
  • Memory requirements for EMDI
  • Estimating endpoint memory use for agent IDM
  See Form Recognition sizing and performance at the Tech Docs Portal for information about Form Recognition sizing.
Disk: 140 GB
NICs: 1 copper or fiber 1 Gb/100 MB Ethernet NIC to communicate with the Enforce Server.
Packet capture cards: Generic: 1 copper or fiber 1 GB/100 MB Ethernet NIC.

Table 36: Network Discover, Network Prevent, Cloud Prevent for Email, or Endpoint Prevent small installation
minimum hardware requirements

Processor: Four-core CPU
Memory: 6–8 GB RAM. For information about EDM, IDM, and EMDI impact on sizing, see the following topics:
  • About memory requirements for EDM
  • Memory requirements for EMDI
  • Estimating endpoint memory use for agent IDM
  See Form Recognition sizing and performance at the Tech Docs Portal for information about Form Recognition sizing.
Disk: 140 GB. For Network Discover deployments, approximately 150 MB of disk space is required to maintain incremental scan indexes. This space requirement is based on an overhead of 5 MB per incremental scan target and 50 bytes per item in the target. Add an extra 50 GB of disk space for Network Discover servers if you are running the web server scanner feature. For better performance during web server scans, Symantec recommends that you use a faster disk with a higher I/O throughput.
NICs: 1 copper or fiber 1 GB/100 MB Ethernet NIC to communicate with the Enforce Server.

Table 37: Network Discover cluster small installation minimum hardware requirements

Cluster component | Processor | Memory | Disk
Data node | Eight-core CPU | 32 GB | 500 GB (SSD recommended)
Worker node | Eight-core CPU | 12 GB | 140 GB

Medium Installation Hardware Recommendations


The following table provides the system recommendations for medium installations of Symantec Data Loss Prevention.
This is a three-tier installation, with the Enforce Server and Oracle database hosted on separate computers.
Ensure optimal performance for the Network Discover cluster deployment by setting the max memory setting for the
SymantecDetectionServerController process on the cluster server to 12 GB.
The following tables list recommendations. Symantec recommends that you plan to meet hardware recommendations to
ensure optimal performance.
NOTE
The default content size for detection is 30 MB. If you plan to scan files larger than 30 MB, see Symantec Data
Loss Prevention Tuning Guidelines for Inspecting Large Files for information about tuning your system for large
file inspection.

Table 38: Enforce Server hardware recommendations for a medium installation

Processor: Twelve-core CPU
Memory: 64 GB RAM. The following DLP services should have 16 GB allocated of the total available RAM:
  • Symantec DLP Manager
  • Symantec DLP Detection Server Controller
  • Symantec DLP Incident Persister
  Allocate 1 GB of the total RAM to the Symantec DLP Notifier service.
  For information about EDM, IDM, and EMDI impact on sizing, see the following topics:
  • About memory requirements for EDM
  • Memory requirements for EMDI
  • Estimating endpoint memory use for agent IDM
  See Form Recognition sizing and performance for information about Form Recognition sizing.
Disk: 500 GB hard drive storage (SSD recommended). For Network Discover deployments, approximately 150 MB of disk space is required to maintain incremental scan indexes. This requirement is based on an overhead of 5 MB per incremental scan target and 50 bytes per item in the target.
NICs: 1 copper or fiber 1 Gb/100 Mb Ethernet NIC to communicate with detection servers.

Table 39: Oracle database hardware recommendations for a medium installation

Processor: Four-core CPU
Memory: 32 GB RAM. RAM should be allocated according to the following memory sub-categories:
  • Oracle database pga_aggregate_limit: 4 GB
  • Oracle database sga_target: 16 GB
  • Oracle database memory_target: Disable Automatic Memory Management (AMM) by setting to 0. Oracle AMM only supports up to 3 GB.
Disk: 500 GB - 1 TB

Oracle database requirements

Table 40: Network Monitor hardware recommendations for a medium installation

Processor: Four-core CPU
Memory: 6–8 GB RAM. For information about EDM, IDM, and EMDI impact on sizing, see the following topics:
  • About memory requirements for EDM
  • Memory requirements for EMDI
  • Estimating endpoint memory use for agent IDM
  See Form Recognition sizing and performance for information about Form Recognition sizing.
Disk: 140 GB
NICs: 1 copper or fiber 1 Gb/100 Mb Ethernet NIC to communicate with the Enforce Server.
Packet capture cards: Generic: 1 copper or fiber 1 Gb/100 MB Ethernet NIC.

Table 41: Network Discover, Network Prevent, Cloud Prevent for Email, or Endpoint Prevent medium installation
hardware recommendations

Processor: Four-core CPU
Memory: 6–8 GB RAM. For information about EDM, IDM, and EMDI impact on sizing, see the following topics:
  • About memory requirements for EDM
  • Memory requirements for EMDI
  • Estimating endpoint memory use for agent IDM
  See Form Recognition sizing and performance for information about Form Recognition sizing.
Disk: 140 GB. For Network Discover deployments, approximately 150 MB of disk space is required to maintain incremental scan indexes. This space requirement is based on an overhead of 5 MB per incremental scan target and 50 bytes per item in the target. Add an extra 50 GB of disk space for Network Discover servers if you are running the web server scanner feature. For better performance during web server scans, Symantec recommends that you use a faster disk with a higher I/O throughput.
NICs: 1 copper or fiber 1 Gb/100 Mb Ethernet NIC to communicate with the Enforce Server.

Table 42: Network Discover cluster medium installation hardware recommendations

Cluster component | Processor | Memory | Disk
Data node | Eight-core CPU | 32 GB | 500 GB (SSD recommended)
Worker node | Eight-core CPU | 12 GB | 140 GB

Oracle database requirements


The effect of scale on system requirements

Large Enterprise Hardware Recommendations


The following table provides the system recommendations for large installations of Symantec Data Loss Prevention.
A large installation is a three-tier installation, with the Enforce Server and Oracle database hosted on separate computers.
Ensure optimal performance for the Network Discover cluster deployment by setting the max memory setting for the
SymantecDetectionServerController process on the cluster server to 24 GB.
The following tables list recommendations. Symantec recommends that you plan to meet hardware recommendations to
ensure optimal performance.
NOTE
The default content size for detection is 30 MB. If you plan to scan files larger than 30 MB, see Symantec Data
Loss Prevention Tuning Guidelines for Inspecting Large Files for information about tuning your system for large
file inspection.

Table 43: Enforce Server hardware recommendations for a large installation

Processor: Sixteen-core CPU
Memory: 128 GB RAM. The following DLP services should have 24 GB allocated of the total RAM for each:
  • Symantec DLP Manager
  • Symantec DLP Detection Server Controller
  • Symantec DLP Incident Persister
  Allocate 1 GB of the total RAM to the Symantec DLP Notifier service.
  For information about EDM, IDM, and EMDI impact on sizing, see the following topics:
  • About memory requirements for EDM
  • Memory requirements for EMDI
  • Estimating endpoint memory use for agent IDM
  See Form Recognition sizing and performance for information about Form Recognition sizing.
Disk: 1 TB storage (SSD or SAN). For Network Discover deployments, approximately 1 GB of disk space is required to maintain incremental scan indexes. This is based on an overhead of 5 MB per incremental scan target and 50 bytes per item in the target.
NICs: To communicate with detection servers: 1 copper or fiber 1 Gb/100 Mb Ethernet NIC

Table 44: Oracle database hardware recommendations for a large installation

Processor: Six-core CPU
Memory: 32 GB RAM. Recommended RAM should be allocated according to the following memory sub-categories:
  • Oracle database pga_aggregate_limit: 4 GB
  • Oracle database sga_target: 24 GB
  • Oracle database memory_target: Disable Automatic Memory Management (AMM) by setting to 0. Oracle AMM supports up to 3 GB.
Disk: 2 TB - 32 TB

Oracle database requirements

Table 45: Network Monitor hardware recommendations for a large installation

Processor: Eight-core CPU
Memory: 8–16 GB RAM. For information about EDM, IDM, and EMDI impact on sizing, see the following topics:
  • About memory requirements for EDM
  • Memory requirements for EMDI
  • Estimating endpoint memory use for agent IDM
  See Form Recognition sizing and performance for information about Form Recognition sizing.
Disk: 140 GB
NICs: 1 copper or fiber 1 Gb/100 Mb Ethernet NIC to communicate with the Enforce Server.
High-speed packet capture cards: High-speed packet capture card

Table 46: Network Discover, Network Prevent, Cloud Prevent for Email, or Endpoint Prevent large installation
hardware recommendations

Processor: Eight-core CPU
Memory: 8–16 GB RAM. For information about EDM, IDM, and EMDI impact on sizing, see the following topics:
  • About memory requirements for EDM
  • Memory requirements for EMDI
  • Estimating endpoint memory use for agent IDM
  See Form Recognition sizing and performance for information about Form Recognition sizing.
Disk: 140 GB. For Network Discover deployments, approximately 1 GB of disk space is required to maintain incremental scan indexes. This is based on an overhead of 5 MB per incremental scan target and 50 bytes per item in the target.
NICs: To communicate with the Enforce Server: 1 copper or fiber 1 Gb/100 Mb Ethernet NIC

Table 47: Network Discover cluster large installation hardware recommendations

Cluster component | Processor | Memory | Disk
Data node | Sixteen-core CPU | 32 GB | 2048 GB (SSD recommended)
Worker node | Sixteen-core CPU | 32 GB | 250 GB

Related Links
The Effect of Scale on System Requirements on page 108
Oracle database requirements on page 128

Operating system requirements for servers


Symantec Data Loss Prevention servers can be installed on a supported Linux or Windows operating system. Different
operating systems can be used for different servers in a heterogeneous environment.

Enforce Server, Detection Server, and Network Discover Cluster Requirements


Symantec Data Loss Prevention supports the following 64-bit operating systems for Enforce Server, detection server, and
Network Discover cluster computers:
• Microsoft Windows Server 2012 R2, Datacenter Edition with patches
Installing patches for Windows Server 2012 R2
• Microsoft Windows Server 2012 R2, Standard Edition with patches
Installing patches for Windows Server 2012 R2
• Microsoft Windows Server 2016, Standard Edition
• Microsoft Windows Server 2016, Datacenter Edition
Symantec Data Loss Prevention supports the 64-bit operating system for detection server computers on Microsoft
Windows Server 2016, Core.
• Microsoft Windows Server 2019, Datacenter and Standard
NOTE
You can run detection servers on Microsoft Windows Server Core.
• Microsoft Windows Server 2022, Standard
• Red Hat Enterprise Linux 7.5 through 7.9
Installing fonts on Linux servers
NOTE
Red Hat Enterprise Linux 7.x is deprecated in Symantec Data Loss Prevention 16.0.1.
• Red Hat Enterprise Linux 8.0, 8.3 through 8.4, 8.6, and 8.8
Installing fonts on Linux servers
• Oracle Linux 7.5 through 7.9 and 8.3
Installing fonts on Linux servers

Operating system requirements for Single Server deployments


Symantec Data Loss Prevention supports the following 64-bit operating systems for Single Server deployments:
• Microsoft Windows Server 2012 R2, Datacenter Edition with patches
Installing patches for Windows Server 2012 R2
• Microsoft Windows Server 2012 R2, Standard Edition with patches
Installing patches for Windows Server 2012 R2
• Microsoft Windows Server 2016, Standard Edition
• Microsoft Windows Server 2016, Datacenter Edition
• Microsoft Windows Server 2019, Datacenter and Standard
• Red Hat Enterprise Linux 7.5 through 7.9
Installing fonts on Linux servers
NOTE
Red Hat Enterprise Linux 7.x is deprecated in Symantec Data Loss Prevention 16.0.1.
• Red Hat Enterprise Linux 8.0, 8.3 through 8.4, 8.6, and 8.8
Installing fonts on Linux servers
• Oracle Linux 7.5 through 7.9 and 8.3
Installing fonts on Linux servers
English language and localized versions of both Linux and Windows operating systems are supported. See Supported
languages for detection for detailed information about supported languages and character sets.

Operating System Requirements for the Domain Controller Agent

The domain controller agent enables you to resolve user names from IPv4 addresses in HTTP/S and FTP incidents. See
Installing DLP for domain controller agent installation details.
Symantec Data Loss Prevention supports the following operating systems for the domain controller agent:
• Microsoft Windows Server 2012, Datacenter Edition (64-bit)
• Microsoft Windows Server 2012, Standard Edition (64-bit)
• Microsoft Windows Server 2012 R2, Datacenter Edition with patches
Installing patches for Windows Server 2012 R2
• Microsoft Windows Server 2012 R2, Standard Edition with patches
Installing patches for Windows Server 2012 R2
• Microsoft Windows Server 2016, Standard Edition
• Microsoft Windows Server 2016, Datacenter Edition
• Microsoft Windows Server 2019, Datacenter and Standard

Installing patches for Windows Server 2012 R2


If you use Windows Server 2012 R2, you must install three Microsoft patches: KB2919355, KB2919442, and KB2999226.
Go to https://support.microsoft.com/en-us/kb/2919355 and install KB2919355.
Go to https://support.microsoft.com/en-us/kb/2919442 and install KB2919442.
Go to https://support.microsoft.com/en-us/kb/2999226 and install KB2999226.

Installing fonts on Linux servers


You must have at least one font installed on your Linux servers. However, Symantec recommends installing all available
fonts on your Linux servers if you intend to use Form Recognition detection. To install all available fonts, run the following
command on each Linux Enforce Server and detection server:
yum groupinstall fonts

Linux partition guidelines
Minimum free space requirements for Linux partitions vary according to the specific details of your Symantec Data
Loss Prevention installation. The table below provides general guidelines that should be adapted to your installation as
circumstances warrant. Symantec recommends using separate partitions for the different file systems, as indicated in the
table. If you combine multiple file systems onto fewer partitions, or onto a single root partition, make sure the partition has
enough free space to hold the combined sizes of the file systems listed in the table.
NOTE
Partition size guidelines for detection servers are similar to those for Enforce Server without an Oracle database.
Linux partition minimum size guidelines—Enforce Server without a database, or detection server

Table 48: Linux partition minimum size guidelines—Enforce Server with Oracle database

/home
  Minimum free space: 6 GB
  Description and comments: Store the Oracle installation tools, Oracle installation ZIP files, and Oracle critical patch update (CPU) files in /home.
/tmp
  Minimum free space: 1.2 GB
  Description and comments: The Oracle installer and installation tools require space in this directory.
/opt
  Minimum free space: 500 GB for Small/Medium installations; 1 TB for Large installations
  Description and comments: Contains installed programs such as Symantec Data Loss Prevention, the Oracle server, and the Oracle database. The Oracle database requires significant space in this directory. For improved performance, you may want to mount this partition on different disks/SAN/RAID from where the root partition is mounted.
/var
  Minimum free space: 15 GB for Small/Medium installations; 46 GB for Large installations
  Description and comments: Contains logs, EDM/IDM indexes, Form Recognition indexes, incremental scan indexes, and network packet capture directories.
  Note: The /var/spool/pcap and /var/SymantecDLP/drop_pcap directories must reside on the same partition or mount point.
/boot
  Minimum free space: 100 MB
  Description and comments: This must be in its own ext2 or ext3 partition, not part of soft RAID (hardware RAID is supported).
swap
  Minimum free space: Equal to RAM
  Description and comments: If you need to have the memory dump in case of system crash (for debugging), you may want to increase these amounts.

Table 49: Linux partition minimum size guidelines—Enforce Server without a database, or detection server

/opt
  Minimum size guidelines: 10 GB
  Description and comments: Contains installed programs such as Symantec Data Loss Prevention and the Oracle client.
/var
  Minimum size guidelines: 15 GB for Small/Medium installations; 46 GB for Large installations
  Description and comments: Contains logs, EDM/IDM indexes, Form Recognition indexes, incremental scan indexes, and network packet capture directories.
  Note: The /var/spool/pcap and /var/Symantec/DataLossPrevention/drop_pcap directories must reside on the same partition or mount point.
/boot
  Minimum size guidelines: 100 MB
  Description and comments: This must be in its own ext2 or ext3 partition, not part of soft RAID (hardware RAID is supported).
swap
  Minimum size guidelines: Equal to RAM
  Description and comments: If you need to have the memory dump in case of system crash (for debugging), you may want to increase these amounts.
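A pre-install check that encodes the minimums from the partition tables above, added here as an example; it is not part of the Symantec documentation or product. It assumes GNU df and awk on the target host, treats Small/Medium as one size class ("small") and Large as another ("large"), converts the tables' GB figures to MiB, and takes the drop_pcap path as an argument because the two tables give different paths for it.

```shell
#!/bin/sh
# Added pre-install check (not Symantec's own tooling) for the Linux partition
# guideline tables: compares available space with the listed minimums and
# verifies that the pcap directories share a mount point.

# Minimum free space in MiB for an Enforce Server with an Oracle database.
# $1 = mount point, $2 = size class: "small" (Small/Medium) or "large".
# Assumption: GB figures in the table are converted as 1 GB = 1024 MiB.
required_mb() {
  case "$1" in
    /home) echo 6144 ;;
    /tmp)  echo 1229 ;;                                     # 1.2 GB
    /opt)  if [ "$2" = large ]; then echo 1048576; else echo 512000; fi ;;
    /var)  if [ "$2" = large ]; then echo 47104; else echo 15360; fi ;;
    /boot) echo 100 ;;
    *)     echo 0 ;;                                        # not in the table
  esac
}

# Reads "<mount point> <available MiB>" lines on stdin (for example from
# `df -BM --output=target,avail` with the header stripped; a trailing "M"
# is tolerated), prints one SHORT line per partition below its minimum and
# returns 1 if any partition is short. $1 = size class.
check_free_space() {
  rc=0
  while read -r mnt avail; do
    avail=${avail%M}
    need=$(required_mb "$mnt" "$1")
    if [ "$avail" -lt "$need" ]; then
      echo "SHORT $mnt: ${avail} MiB available, ${need} MiB required"
      rc=1
    fi
  done
  return "$rc"
}

# Filesystem that df reports for a path. Walks up to the nearest existing
# parent, because the pcap directories do not exist before installation.
filesystem_of() {
  p=$1
  while [ ! -e "$p" ] && [ "$p" != / ]; do
    p=$(dirname "$p")
  done
  df -P "$p" | awk 'NR == 2 { print $1 }'
}

# Returns 0 when both paths resolve to the same filesystem, which is what the
# "same partition or mount point" note for /var/spool/pcap requires.
same_mount() {
  [ "$(filesystem_of "$1")" = "$(filesystem_of "$2")" ]
}

# Example run with constructed df figures (not from a real host):
#   printf '/home 8192\n/opt 409600\n/var 20480\n' | check_free_space small
# reports "SHORT /opt: 409600 MiB available, 512000 MiB required" and exits 1.
# On a real host, with the drop_pcap path from the table that applies:
#   df -BM --output=target,avail /home /tmp /opt /var /boot | tail -n +2 \
#     | check_free_space small
#   same_mount /var/spool/pcap /var/SymantecDLP/drop_pcap
```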

System Requirements for OCR Servers


Symantec supports deployment of OCR Servers on the Windows operating system. The same Windows servers that are
supported for installation of the Enforce Server are supported for installation of OCR Servers.
Operating system requirements for servers
Symantec Data Loss Prevention compatibility with OCR Servers
OCR Server 16.0.1 is only compatible with Symantec Data Loss Prevention version 16.0.1 detection servers. Symantec
Data Loss Prevention version 16.0.1 detection servers are compatible with 15.8, 16.0, and 16.0.1 OCR servers.
The 16.0.1 OCR server is not supported on Windows 2012. If you need to continue using Windows 2012 for the OCR
server, use the older version of the OCR server. If accuracy of Asian characters is important, plan to upgrade the
operating system on your OCR servers to a higher supported OS version.

Endpoint computer requirements for the Symantec DLP Agent


To implement Endpoint Prevent, the endpoint computers on which you install the Symantec DLP Agent must meet the
requirements that are described in the following sections.
• Minimum Hardware Requirements for Endpoints
• Windows Operating System Requirements for Endpoint Systems
• macOS operating system requirements for endpoint systems
• Linux Operating System Requirements for Endpoint Systems

Minimum Hardware Requirements for Endpoints

All endpoints where the DLP Agent is installed must meet or exceed the minimum hardware specifications.
The following table provides the minimum hardware requirements for supported endpoint platforms.
NOTE
RAM and disk requirements vary based on the number and complexity of DLP policies, detection load,
connection period to the Endpoint Server, and so on.

Table 50: Endpoint minimum hardware requirements

Processor
  Windows: 64-bit (x86_64)
  macOS: Intel Core (64-bit); Apple Silicon M1 (64-bit)
  Linux: 64-bit (x86_64)
RAM
  Windows: 2 GB
  macOS: 4 GB
  Linux: 4 GB
Disk
  Windows: 2 GB of available hard disk space for the installation. More space may be required based on policies, EDM, EMDI, and communication requirements.
  macOS: 2 GB of available hard disk space for the installation. More space may be required based on detection and communication requirements.
  Linux: 2 GB available disk space if /var, /opt, and /tmp share the same file system or volume. More space may be required based on detection and communication requirements.

Related Links
Windows Operating System Requirements for Endpoint Systems on page 122
macOS operating system requirements for endpoint systems on page 124
Linux Operating System Requirements for Endpoint Systems on page 126

Windows Operating System Requirements for Endpoint Systems


Endpoint Data Loss Prevention can operate on Endpoint systems that use the following Windows operating systems:
• Windows Server
• Windows 10 Enterprise Edition (64-bit)
• Windows 11
The DLP Agent supports Microsoft operating systems and service packs that Microsoft officially supports. The DLP Agent
does not support operating systems that are not covered under the Microsoft extended end date.

Windows Server

Version | DLP version 15.8 | DLP version 16.0 | DLP version 16.0.1
Windows Server Enterprise or Standard (64-bit) 2012 R2 | Yes | No | No
Microsoft Windows Server 2016 Standard or Datacenter Edition (64-bit), no service pack | Yes | Yes | Yes
Microsoft Windows Server 2019 (64-bit) | Yes | Yes | Yes
Microsoft Windows Server 2022 | Yes | Yes | Yes

Windows 10 Enterprise Edition (64-bit)
Symantec supports major versions of Windows 10 21H2 and 22H2. Symantec does not support each minor version.
If you opt to install DLP Agents on a minor version, Symantec Support will make a reasonable effort to provide support
when all system requirements are met.

Version DLP version 15.8 DLP version 16.0 DLP version 16.0.1

Version 21H2 Yes Yes Yes


(OS build
19044)
a
Version 22H2 Yes Yes Yes
(OS build
19045)

See Supported languages for detection for detailed information about supported languages and character sets.

Windows 11
Symantec supports major versions of Windows 11 21H2 and 22H2. Symantec does not support each minor version. If you
opt to install DLP Agents on a minor version, Symantec Support will make a reasonable effort to provide support when all
system requirements are met.

DLP version
Version DLP version 15.8 DLP version 16.0
16.0.1
Version 21H2 Yes Yes Yes
(OS build
22000)
Version 22H2 No Yes Yes
OS build
22621

Windows 10 and 11 Beta and Insider Preview Compatibility Testing Results

Symantec tests the DLP Agent for compatibility with Microsoft Windows 10 and 11 Beta and Insider Preview builds.
The information on this page is updated approximately every two weeks or as needed, and indicates whether critical
issues have been observed.
The following tables list the results of testing for each build that Microsoft released.

Table 51: Windows 11 Beta compatibility testing results

Release date Build number Test result

July 13, 2023 22631.2048 No issues observed.


June 29, 2023 22631.1972 No issues observed.
June 15, 2023 22631.1900 No issues observed.
June 1, 2023 22631.1830 No issues observed.
May 9, 2023 22624.1755 No issues observed.

a. The version 16.0 MP1 DLP Agent supports running Hypervisor-protected Code Integrity (HVCI) on Windows 10, Version 22H2.

123
Release date Build number Test result

April 27, 2023 22624.1680 No issues observed.


April 13, 2023 22624.1610 No issues observed.
March 31, 2023 22624.1537 No issues observed.
March 16, 2023 22624.1465 No issues observed.
March 3, 2023 22623.1391 No issues observed.
February 16, 2023 22623.1037 No issues observed.
February 2, 2023 22623.1250 No issues observed.
January 5, 2023 22623.1095 No issues observed.
November 10, 2022 22623.891 No issues observed.

Table 52: Windows 10 Insider Preview compatibility testing results

| Release date | Build number | Test result |
|---|---|---|
| June 22, 2023 | 19045.3154 | No issues observed. |
| June 13, 2023 | 19045.3086 | No issues observed. |
| May 23, 2023 | 19045.3031 | No issues observed. |
| May 11, 2023 | 19045.3030 | No issues observed. |
| April 25, 2023 | 19045.2913 | No issues observed. |
| April 13, 2023 | 19045.2908 | No issues observed. |
| March 21 | 19045.2788 | No issues observed. |
| March 16, 2023 | 19045.2787 | No issues observed. |

macOS operating system requirements for endpoint systems


Endpoint Data Loss Prevention can operate on Endpoint systems that use the following macOS operating systems:
NOTE
Customers have reported an issue with fresh installations of the DLP Agent on macOS versions 12.3 and later.
For more information, see https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/ProductAdvisories/0/20496.

Table 53: Endpoint Data Loss Prevention supported macOS operating systems

| Operating system | DLP version 15.8 | DLP version 16.0 | DLP version 16.0.1 |
|---|---|---|---|
| Apple macOS 10.14 (64-bit) | Yes | No | No |
| Apple macOS 10.15 (64-bit) (a) | Yes | Yes | No |
| Apple macOS 11.1 (64-bit). Apple macOS 11.x is deprecated. | Yes | Yes | Yes |
| Apple macOS 11.2 (64-bit). Apple macOS 11.x is deprecated. | Yes (through 11.2.3) | Yes (through 11.2.3) | Yes |
| Apple macOS 11.3.1 (64-bit). Apple macOS 11.x is deprecated. | Yes | Yes | Yes |
| Apple macOS 11.4 (64-bit). Apple macOS 11.x is deprecated. | Yes | Yes | Yes |
| Apple macOS 11.5 (64-bit). Apple macOS 11.x is deprecated. | Yes (through 11.5.2) on 15.8 MP1 | Yes (through 11.5.2) | Yes (through 11.5.2) |
| Apple macOS 11.6 (64-bit). Apple macOS 11.x is deprecated. | Yes (through 11.6.8) | Yes (through 11.6.8) | Yes (through 11.6.8) |
| Apple macOS 11.7 (64-bit). Apple macOS 11.x is deprecated. | Yes (through 11.7.10) | Yes (through 11.7.10) | Yes (through 11.7.10) |
| Apple macOS 12.0 (64-bit) (b) | Yes | Yes | Yes |
| Apple macOS 12.1 (64-bit) | Yes | Yes | Yes |
| Apple macOS 12.2 (64-bit) | Yes | Yes | Yes |
| Apple macOS 12.3 (64-bit) | Yes (through 12.3.1) | Yes | Yes |
| Apple macOS 12.4 (64-bit) | Yes | Yes | Yes |
| Apple macOS 12.5 (64-bit) | Yes (through 12.5.1) | Yes (through 12.5.1) | Yes |
| Apple macOS 12.6 (64-bit) | Yes (through 12.6.9) | Yes (through 12.6.9) | Yes (through 12.6.9) |
| Apple macOS 13.0 (64-bit) | Yes (through 13.0.1) | Yes (through 13.0.1) | Yes (through 13.0.1) |
| Apple macOS 13.1 (64-bit) | Yes | Yes | Yes |
| Apple macOS 13.2 (64-bit) | Yes (through 13.2.1) | Yes (through 13.2.1) | Yes (through 13.2.1) |
| Apple macOS 13.3 (64-bit) | Yes (through 13.3.1) | Yes (through 13.3.1) | Yes (through 13.3.1) |
| Apple macOS 13.4 (64-bit) | Yes (through 13.4.1) | Yes (through 13.4.1 and including release candidate [RC] 2) | Yes (through 13.4.1 and including release candidate [RC] 2) |
| Apple macOS 13.5 (64-bit) | Yes (through 13.5.2) | Yes (through 13.5.2) | Yes (through 13.5.2) |

a. See Configuring MDM profiles for Full Disk Access for macOS 10.15 and DLP Agent support.
b. The macOS version listed on the Agent List screen appears as macOS 11 for DLP Agent versions 15.7 and 15.8.

Symantec DLP Agents can also be installed on supported localized versions of these macOS operating systems.

DLP Endpoint Support for Apple Silicon

Version 16.0 DLP Agents support Apple Silicon systems natively.

macOS Beta Compatibility Testing Results

Symantec tests the DLP Agent for compatibility with macOS beta builds. The following tables list the results of testing
with various builds with Data Loss Prevention 16.0.
The information on this page is updated approximately every two weeks or as needed, and indicates whether critical
issues have been observed.
The following tables list the results of testing for each build that Apple released.

Table 54: macOS 14 beta compatibility testing results

| Release date | Build number | Test results |
|---|---|---|
| August 22, 2023 | macOS 14 beta 6 (23A5328b) | Cloud storage monitoring failed; folder upload monitoring failed in Safari; a recurring pop-up requesting permission to use the Symantec Extension appears for every website visited in Safari. |
| July 11, 2023 | macOS 14 beta 3 (23a5286i) | Cloud storage monitoring failed; folder upload monitoring failed in Safari; a recurring pop-up requesting permission to use the Symantec Extension appears for every website visited in Safari. |

Table 55: macOS 13 beta compatibility testing results

| Release date | Build number | Test results |
|---|---|---|
| April 11, 2023 | macOS 13.4 beta 2 (22F5037d) | No issues observed. |
| March 28, 2023 | macOS 13.4 beta 1 (22F5027f) | No issues observed. |
| March 15, 2023 | macOS 13.3 beta 4 (22E5246b) | No issues observed. |

Table 56: macOS 12 beta compatibility testing results

| Release date | Build number | Test results |
|---|---|---|
| April 11, 2023 | macOS 12.6.6 beta 2 (21G633) | No issues observed. |
| March 15, 2023 | macOS 12.6.4 beta 4 (21G521) | No issues observed. |

Linux Operating System Requirements for Endpoint Systems


Endpoint Data Loss Prevention can operate on Endpoint systems that use the following Linux operating systems:

Table 57: Endpoint Data Loss Prevention supported Linux operating systems

| Operating system | DLP version 16.0 | DLP version 16.0.1 |
|---|---|---|
| Red Hat Enterprise Linux 7.9 | Yes | Yes |
| Red Hat Enterprise Linux 8.4 through 8.6 | Yes | Yes |
| Red Hat Enterprise Linux 8.7 | Yes (on 16.0 MP1) | Yes |
| Ubuntu 20.04 LTS | No | Yes |
| Ubuntu 22.04 LTS | No | Yes |

Supported languages for detection
Symantec Data Loss Prevention supports a large number of languages for detection. Policies can be defined that
accurately detect and report on the violations that are found in content in these languages:
• Arabic
• Brazilian Portuguese
• Chinese (traditional)
• Chinese (simplified)
• Czech
• Danish
• Dutch
• English
• Finnish
• French
• German
• Greek
• Hebrew
• Hungarian
• Italian
• Japanese
• Korean
• Norwegian
• Polish
• Portuguese
• Romanian
• Russian
• Spanish
• Swedish
• Turkish
NOTE
Symantec Data Loss Prevention cannot be installed on a Windows operating system that is localized for the
Turkish language, and you cannot choose Turkish as an alternate locale.
A number of capabilities are not implied by this support:
• Technical support provided in a non-English language. That Symantec Data Loss Prevention supports a particular
language does not imply that technical support is delivered in that language.
• Localized administrative user interface (UI) and documentation. Support for a language does not imply that the UI
or product documentation has been localized into that language. However, even without a localized UI, user-defined
portions of the UI such as pop-up notification messages on the endpoint can still be localized into any language by
entering the appropriate text in the UI.
• Localized content. Keywords are used in a number of areas of the product, including policy templates and data
identifiers. Support for a language does not imply that these keywords have been translated into that language. Users
may, however, add keywords in the new language through the Enforce Server administration console.
• New file types, protocols, applications, or encodings. Support for a language does not imply support for any new file
types, protocols, applications, or encodings that may be prevalent in that language or region other than what is already
supported in the product.
• Language-specific normalization. An example of normalization is to treat accented and unaccented versions of
a character as the same. The product already performs a number of normalizations, including standard Unicode
normalization, which should cover the vast majority of cases. However, this does not mean that all potential
normalizations are included.
• Region-specific normalization and validation. An example of this is the awareness that the product has of the format
of North American phone numbers, which allows it to treat different versions of a number as the same, and to identify
invalid numbers in EDM source files. Support for a language does not imply this kind of functionality for that language
or region.
Items in these excluded categories are tracked as individual product enhancements on a language- or region-specific
basis. Contact Symantec Technical Support for additional information on language-related enhancements or plans for the
languages not listed.
About support for character sets, languages, and locales

Available language packs


You can install any of the available language packs for your Symantec Data Loss Prevention deployment. Language
packs provide a limited set of non-English languages for the Enforce Server administration console user interface and
online Help. Note that these language packs are only needed to provide a translated user interface and online Help; they
are not needed for data detection. Language packs also contain translated versions of selected Symantec Data Loss
Prevention documentation.
As they become available, language packs for Symantec Data Loss Prevention are distributed along with the software
products they support. You can also download and add a language pack to an installation. Language packs do not require
any additional purchase or license. See Using the Language Pack Utility for details on how to add and enable a language
pack.
Table 58: Language packs and corresponding locale codes lists language packs that can be used with Symantec Data
Loss Prevention.

Table 58: Language packs and corresponding locale codes

| Language | Locale code |
|---|---|
| Brazilian Portuguese | PT_BR |
| French | FR_FR |
| Japanese | JA_JP |
| Mexican Spanish | ES_MX |

NOTE
Not all language packs are available when a product is first released.

Oracle database requirements


Symantec Data Loss Prevention supports the following Oracle databases:
• Oracle 19c Enterprise Edition.
Support is included for the latest Database Release Updates (RUs).
NOTE
Oracle RU 19.6.0.0.0 is only supported on Linux servers.
You must obtain software and support from Oracle. For implementation details, see Implementing the Database.
• Oracle 19c Standard Edition 2.
Support is included for the latest Database Release Updates (RUs), available from Symantec.
NOTE
Oracle RU 19.6.0.0.0 is only supported on Linux servers.
You can obtain the software from Symantec. For implementation details, see Implementing the Database.
NOTE
Symantec recommends that you run the Oracle 19c Standard Edition 2 database on a supported version
of Windows or Linux. Symantec Data Loss Prevention supports running the Oracle 19c Standard Edition
2 database on platforms that Oracle supports. See Running Oracle 19c Standard Edition 2 software on
alternate platforms.
The Symantec Data Loss Prevention database schema is supported on all editions of Oracle.
Symantec Data Loss Prevention requires the Oracle database to use the AL32UTF8 character set. If your database is
configured for a different character set, the installer notifies you and cancels the installation.
You can install Oracle on a dedicated server (a three-tier deployment) or on the same computer as the Enforce Server (a
two-tier or single-tier deployment):
• Three-tier deployment.
System requirements for a dedicated Oracle server are listed below.
NOTE
Dedicated Oracle server deployments require that you install the Oracle Client on the Enforce Server
computer if the database is running on a separate server. The Oracle Client version must match the Oracle
database version.
• Single- and two-tier deployments.
When installed on the Enforce Server computer, the Oracle system requirements are the same as those of the Enforce
Server.
Single-tier Installation Minimum Hardware Requirements
Small Installation Hardware Recommendations
If you install Oracle on a dedicated server, that computer must meet the following minimum system requirements for
Symantec Data Loss Prevention:
• One of the following operating systems:
– Microsoft Windows Server 2012 R2 Standard, Enterprise, or Datacenter (64-bit)
– Microsoft Windows Server 2016 Standard or Datacenter (64-bit)
– Red Hat Enterprise Linux 7.5 through 7.9 (64-bit)
– Red Hat Enterprise Linux 8.0, 8.3 through 8.4, 8.6, and 8.8 (only with Oracle 19.8.0.0).
– Oracle Linux 7.5 through 7.9 or Oracle Linux 7.3 with RHCK (Red Hat compatible kernel)
– Oracle Linux 8.3
• 8 – 32 GB of RAM
• 8 – 16 GB of swap space (equal to RAM up to 16 GB)
• 500 GB – 1 TB of disk space for the Enforce database
The exact amount of disk space that is required for the Enforce Server database depends on variables such as:
• The number of policies you plan to initially deploy
• The number of policies you plan to add over time

Running Oracle 19c Standard Edition 2 software on alternate platforms

You can run the Oracle 19c Standard Edition 2 software on platforms supported by the Oracle database software. See the
Oracle documentation for a list of supported platforms and information on installing the database software:
https://docs.oracle.com/en/database/oracle/oracle-database/19/install-and-upgrade.html

Obtain the installation files, CPUs, and RUs for your particular platform from Oracle.
If you run the database software on an alternate platform you can use the database templates that Symantec provides.
However, you must update paths in the template to be compatible with your platform and database software. Symantec
recommends that you use the Linux version of the database template. The Linux template uses elements (for example,
backslashes [/] for directories) most similar to alternate platforms.

Browser requirements for accessing the Enforce Server administration console


You can access the Enforce Server administration console using any of the following browsers:
• Edge (Chromium-based) 102
• Firefox 62 through 69, and 101
• Firefox Enterprise (ESR) 68 and 91
• Chrome 75 through 79, 87, and 102
NOTE
You must install a Microsoft Language Pack on a Windows client system to support certain languages.

Deploying Data Loss Prevention on public cloud infrastructures


Symantec supports deployment of Data Loss Prevention servers on the following public clouds:
• Amazon Web Services (AWS)
Deploying Symantec Data Loss Prevention on Amazon Web Services infrastructure
• Microsoft Azure
Deploying Symantec Data Loss Prevention on Microsoft Azure
• Oracle Cloud public clouds
Deploying Symantec Data Loss Prevention on Oracle Cloud

Deploying Symantec Data Loss Prevention on Amazon Web Services infrastructure


The following table lists the servers and operating systems that are supported for deployment of Data Loss Prevention on
AWS. You can run Symantec Data Loss Prevention on AWS on supported operating systems.
Minimum System Requirements for Symantec Data Loss Prevention Servers

Table 59: Deploying Symantec Data Loss Prevention on AWS

Data Loss Prevention servers

Enforce Server with Oracle database on the same computer (two-tier deployments)
Oracle database with Amazon RDS (three-tier deployments)
Cloud Prevent for Email
Network Prevent for Web
Network Prevent for Email
Endpoint Prevent
Network Discover
API Detection for Developer Apps Appliance

For more information, see Deploy Symantec Data Loss Prevention servers on Amazon Web Services.

Deploying Symantec Data Loss Prevention on Microsoft Azure
Symantec Data Loss Prevention supports running on Microsoft Azure in a three-tier environment.
NOTE
Ensure that the Oracle database server can communicate with the Enforce Server and that communications
are encrypted using TLS.
The following table lists the servers that are supported for deployment of Data Loss Prevention on Microsoft Azure. See
Minimum system requirements for Symantec Data Loss Prevention servers for a list of the supported operating systems
on which you can run Data Loss Prevention on Microsoft Azure.

Table 60: Deploying Symantec Data Loss Prevention on Microsoft Azure

Data Loss Prevention servers

Enforce Server with Oracle database


Cloud Prevent for Email
Network Prevent for Web
Network Prevent for Email
Endpoint Prevent
Network Discover

Symantec supports SIR (Symantec Image Recognition) including OCR and Form Recognition with Cloud Prevent for
Email on Azure.
Symantec supports the use of the Azure load balancer to balance the endpoint client connections to the Endpoint Server.

Deploying Symantec Data Loss Prevention on Oracle Cloud


Symantec Data Loss Prevention is supported in the following environments:
• Oracle Cloud IaaS
• Oracle Bare Metal Cloud with managed Virtual Machine (VM) instances
Deploying Symantec Data Loss Prevention on Oracle Cloud Infrastructure as a Service lists the servers that are
supported for deployment of Data Loss Prevention on Oracle Cloud Infrastructure as a Service. You can run Symantec
Data Loss Prevention on Oracle Cloud on supported operating systems.
Minimum system requirements for Symantec Data Loss Prevention

Table 61: Deploying Symantec Data Loss Prevention on Oracle Cloud Infrastructure as a Service

Data Loss Prevention servers

Enforce Server with Oracle database on the same computer (two-tier deployments)
Network Prevent for Email
Endpoint Prevent
Network Discover

NOTE
Three-tier Symantec Data Loss Prevention deployments are not supported on Oracle.

Virtual machine support
The following lists virtual machine support:
• Virtual server support
• Virtual desktop and virtual application support with Endpoint Prevent

Virtual Server Support


Symantec Data Loss Prevention is supported on all Type-1 hypervisors, such as VMware ESXi, Microsoft Hyper-V Server,
and so on. The Type-1 hypervisor, which is known as bare metal, provides direct access to the hardware layer.
NOTE
Symantec does not certify each hypervisor. If you opt to implement Symantec Data Loss Prevention on a Type-1
hypervisor, Symantec Support makes a reasonable effort to support Symantec Data Loss Prevention when all
system requirements are met.
See Minimum System Requirements for Symantec Data Loss Prevention Servers for information on allocating sufficient
hardware resources. Network Monitor with dedicated capture interfaces (Napatech and Native NIC) is supported with PCI
passthrough devices on the Type-1 hypervisors. See the supported hardware list for your Type-1 hypervisor product.
NOTE
Symantec Data Loss Prevention Virtual Appliances are supported in a virtualization environment on VMware
ESXi 5.5.0 Update 2 and VMware ESXi 6.5.
Make sure that each virtual server environment matches the system requirements for servers that are described in this
document.
Consider the following support information when configuring a virtual server environment:
• Endpoint Prevent servers are supported only for configurations that do not exceed the recommended number of
connected agents.
• Symantec supports running the Enforce Server and Oracle database server in a Windows Hyper-V environment.
• Symantec does not support single-server installations on virtual machines.
Various factors influence the virtual machine performance, including:
• the number of CPUs,
• the amount of dedicated RAM, and
• the resource reservations for CPU cycles and RAM.
The virtualization overhead and guest operating system overhead can lead to a performance degradation in the
throughput for large datasets compared to a system running on physical hardware. Use your own test results as a basis
for sizing deployments to virtual machines.
See About Network Performance Tests for additional information about running Network Prevent servers on virtual
machines.

Related Links
Operating system requirements for servers on page 118
Minimum System Requirements for Symantec Data Loss Prevention Servers on page 109

Virtual desktop and virtual application support with Endpoint Prevent
You can deploy the DLP Agent on Microsoft Azure, Citrix, and VMware virtual machines to monitor virtual desktops and
prevent remote users from copying sensitive data that is accessible through a virtual desktop.

Microsoft Azure Virtual Desktop support

The DLP Agent is supported to run on the following operating systems in Azure Virtual Desktop:
• Microsoft Windows 10 Enterprise Edition (Single session)
• Microsoft Windows 10 Enterprise Edition (Multi-session)
• Microsoft Windows 11 Enterprise Edition (Single session)
• Microsoft Windows 11 Enterprise Edition (Multi-session)
For more information, see About Azure Virtual Desktop support.

Citrix virtualization support

The DLP Agent is supported to run on the following Citrix Virtual Desktop virtual workstations and Citrix Virtual Apps
server configurations:
NOTE
Support listed for Long Term Service Release (LTSR) versions includes Cumulative Updates (CU) released
under the listed LTSR version.

Table 62: Citrix Virtual Apps support

| Citrix Virtual Apps version | Platform |
|---|---|
| 7.6, 7.9, and 7.11–7.14 | Windows Server 2012 R2 Standard Edition |
| 7.15, 7.15 LTSR, and Update 2 | Windows Server 2016 Standard Edition |
| 7.16–7.19 | Windows Server 2016 Standard Edition |
| 7 2003 (and LTSR), 2009, 2203 LTSR, and 1912 LTSR | Windows Server 2019 Standard |

Table 63: Citrix Virtual Desktop support

| Citrix Virtual Desktop version | Platform |
|---|---|
| 7.9 | Windows 8.0, 8.1, and Windows 10 (64-bit) |
| 7.12–7.15 | Windows 10 (64-bit) |
| 7.15 LTSR | Windows 10 RS4 (version 1803) (64-bit) (with Update 2); Windows 10 (version 2004) (with CU 6); Windows 10 (version 20H2) (with CU 8) |
| 7.16 | Windows 10 RS2 (64-bit) |
| 7.17 | Windows 10 RS3 (version 1703) (64-bit) |
| 7.18 | Windows 10 RS4 (version 1803) (64-bit) |
| 7.19 | Windows 10 RS4 (version 1803) (64-bit) |
| 7 1912 LTSR | Windows 10 20H1 (version 2004) (64-bit) |
| 7 2003 (and LTSR) | Windows 10 20H1 (version 2004) (64-bit); Windows 10 21H1 (version 2004) (64-bit) with LTSR |
| 7 2009 | Windows 10 (version 20H2) (64-bit) |
| 7 2203 LTSR | Windows 10 21H1 (version 2004) (64-bit) |

NOTE
Files saved from Microsoft Office (using Save As) to client drives hosted on Citrix Virtual Desktop 7.13 through
7.18 and Citrix Virtual Desktop 7 2003 are not monitored. However, if you are running Citrix Virtual Desktop
7.13 or later with version 7.12 Virtual Delivery Agent (VDA), files saved to client drives (using Save As) are
monitored. See Known issue running Citrix Virtual Apps and Virtual Desktop versions 7.13 through 7.18 at the
Tech Docs Portal.

VMware virtualization support

Virtual desktop support


The DLP Agent supports installation on virtual workstations using one of the following VMware platforms:
• VMware View 4.6
• VMware Horizon View:
– 6.0.1
– 6.2.1
– 7.1
– 7.3.1
– 7.4
– 7.6
– 7.9–7.12
• VMware Horizon 8 2006
• VMware Horizon 8 2012
• VMware Horizon 8 2111
• Hyper-V and Hyper-V (WS 2012 R2)
Virtual app support
The DLP Agent supports monitoring published virtual apps on the following VMware platforms:
• VMware Horizon 8 2111

Supported operating systems for the EMDI, EDM, and IDM Remote Indexers
You can install the Remote EMDI Indexer, the Remote EDM Indexer, and the Remote IDM Indexer on all Windows and
Linux platforms that are supported for installing the Enforce Server and detection servers.
See Operating system requirements for servers.
In addition, you can install the indexers on the following Windows endpoint operating systems:
• Windows:
– Windows 8.1 (64-bit) Enterprise, Professional
– Windows 8.1 Update 1 (64-bit) Enterprise, Professional
– Windows 8.1 Update 2 (64-bit) Enterprise, Professional
– Windows 8.1 Update 3 (64-bit) Enterprise, Professional
– Windows 10 Update [1511] (64-bit) Enterprise, Professional
– Windows 10 Red Stone Update [1607 - RS1] (64-bit) Enterprise, Professional
– Microsoft Windows 10 Creators Update (RS2 v1703)
– Microsoft Windows 10 Creators Update (RS3 v1709)
– Microsoft Windows 10 Creators Update (RS4 v1803)
• Linux:
– Red Hat Enterprise Linux 7.3 through 7.7
– Red Hat Enterprise Linux 8.x
– Oracle Linux 7.3 and 7.6

Third-party software requirements and recommendations


Symantec Data Loss Prevention requires certain third-party software. Other third-party software is recommended. See the
following sections for requirements:
• Required third-party software
• Required Linux RPMs
• Required Linux dependencies
See Recommended third-party software for recommended software.

Required third-party software

Table 64: Required third-party software

Adobe Reader
  Required for: All systems
  Description: Adobe Reader is required for reading the Symantec Data Loss Prevention documentation. Download from http://www.adobe.com.

Apache Tomcat version 9
  Required for: Enforce Server
  Description: Required to support the reporting system. The correct version of Tomcat is automatically installed on the Enforce Server by the Symantec DLP Installation Wizard and does not need to be obtained or installed separately.

OpenJRE 1.8.0_322 – OpenJRE 1.8.0_372 (a)
  Required for: All servers
  Description: Obtain the JRE from the DLPDownloadHome directory. See About updating the JRE to the latest version for information on migrating to the latest JRE version. OpenJRE 1.8.0_372 is supported starting with Symantec Data Loss Prevention version 16.0 MP1.

Napatech driver package 8.0.3 (driver version 3.5.1) (Windows Server 2012 R2 and Windows Server 2016) and driver package 8.1.0 (driver version 3.5.0) (RHEL 6x/7x)
  Required for: Napatech NT20E2, NT4E, NT40A01, and NT40E3 high-speed packet capture card
  Description: Provides high-speed monitoring. Symantec supports:
  • Multiple capture ports per Napatech Network capture card
  • NT40A01 Napatech Network Accelerator
  • NT40E3 and NT20E2 10 gigabit interfaces
  • Multi-threaded packet capture
  • Napatech hardware filtering
  • Napatech third-generation card drivers for Windows and RHEL platforms
  • Virtualized Data Loss Prevention Network Monitor with capture cards as PCI pass-through devices in the VMware ESXi platform
  Napatech cards are not supported on Single Server installations.

Npcap 1.10.xx and 1.71.xx
  Required for: Windows-based Network Monitor Servers. Recommended for all Windows-based detection servers.
  Description: During the Symantec Data Loss Prevention installation, select WinPcap compatibility mode.

VMware
  Required for: Running supported components in a virtualized environment. See Virtual Server Support.
  Description: Virtualization software. Download from https://www.vmware.com/download/vi.

Microsoft Active Directory 2012, 2012 R2, or 2016
  Required for: Required versions for connecting to Active Directory.
  Description: Provides directory services for Windows domain networks.

Microsoft Visual C++ Redistributable for Visual Studio 2015, 2017 and 2019
  Required for: All Windows servers.
  Description: Download the VC_redist.x64.exe file from The latest supported Visual C++ downloads. See Verifying that servers are ready for Symantec Data Loss Prevention installation.

Network Security Services version 3.26 or later
  Required for: Running web server scanners.
  Description: Download from https://firefox-source-docs.mozilla.org.

a. OpenJRE 1.8.0_352 and later use TLS 1.3, which is not currently supported with Symantec Data Loss Prevention. See Network Prevent for Email Servers not running with OpenJRE 1.8.0_352 for information on using TLS 1.2 with OpenJRE.

Required Linux RPMs


In addition to the Linux Minimal Installation, all Linux-based Symantec Data Loss Prevention servers require the Red Hat
Package Manager (RPM). The following table lists required Linux RPMs.

Table 65: Required Linux RPMs

| Linux-based servers | Required RPMs |
|---|---|
| Enforce Server; Oracle server | apr, apr-util, binutils, expat, libicu, Xorg-x11* |
| Network Monitor Server | apr, apr-util, expat, libicu, Xorg-x11* |
| Network Discover Server (for web server scanner) | at-spi2-atk, at-spi2-core, atk, cairo, cups, libatomic, libX11, libXcomposite, libXScrnSaver, libXtst, pango |

* Required only for graphical installation. Console-mode installation does not require an X server.
Required Linux dependencies


Use yum commands to identify and install dependencies.
Use the list of dependencies that are returned on the Linux computer where you install Symantec Data Loss Prevention
components and for file system scanners.
NOTE
SELinux must be disabled on all Linux-based servers.
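The RPM list in Table 65 and the SELinux note above can be checked before installation. The following is an added preflight example, not Symantec's own tooling: it parses the output of `rpm -qa` and the contents of `/etc/selinux/config`, both supplied here as constructed samples so it runs offline (the `live_check` helper is the only part that touches the host).

```python
"""Preflight check for the per-role Linux RPMs in Table 65 and the SELinux note.

Added example, not Symantec's own tooling.  It parses `rpm -qa` output
(NAME-VERSION-RELEASE.ARCH, one package per line) and /etc/selinux/config;
both inputs below are constructed samples so the check runs offline.
"""
import fnmatch
import re
import subprocess

# Required RPMs per server role, transcribed from Table 65.  "Xorg-x11*" is a
# glob (the table writes it with a trailing *); real package names are
# lower-case (xorg-x11-server-Xorg, ...), so matching is case-insensitive.
REQUIRED_RPMS = {
    "Enforce Server": ["apr", "apr-util", "binutils", "expat", "libicu", "Xorg-x11*"],
    "Oracle server": ["apr", "apr-util", "binutils", "expat", "libicu", "Xorg-x11*"],
    "Network Monitor Server": ["apr", "apr-util", "expat", "libicu", "Xorg-x11*"],
    "Network Discover Server": [
        "at-spi2-atk", "at-spi2-core", "atk", "cairo", "cups", "libatomic",
        "libX11", "libXcomposite", "libXScrnSaver", "libXtst", "pango",
    ],
}
# Needed only for a graphical installation; console-mode installs skip it.
GRAPHICAL_ONLY = {"Xorg-x11*"}

# VERSION and RELEASE never contain '-', so NAME is everything before the last
# two hyphens.  Entries without an ARCH suffix (gpg-pubkey-...) are kept whole.
_NEVRA = re.compile(r"^(?P<name>.+)-[^-]+-[^-]+\.[^.]+$")


def package_names(rpm_qa_output):
    """Return the set of package NAMEs found in `rpm -qa` output."""
    names = set()
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _NEVRA.match(line)
        names.add(m.group("name") if m else line)
    return names


def missing_rpms(role, rpm_qa_output, console_mode=False):
    """Return the Table 65 packages for `role` that are not installed, in table order."""
    installed = {name.lower() for name in package_names(rpm_qa_output)}
    missing = []
    for required in REQUIRED_RPMS[role]:
        if console_mode and required in GRAPHICAL_ONLY:
            continue
        pattern = required.lower()
        if not any(fnmatch.fnmatchcase(name, pattern) for name in installed):
            missing.append(required)
    return missing


# Only an uncommented 'SELINUX=' assignment counts; 'SELINUXTYPE=' and the
# explanatory '# SELINUX=' comment lines in the stock file are ignored.
_SELINUX_SETTING = re.compile(r"^\s*SELINUX\s*=\s*(\w+)", re.MULTILINE)


def selinux_disabled(selinux_config):
    """True only when the last effective SELINUX= line in the config is 'disabled'."""
    values = [m.group(1).lower() for m in _SELINUX_SETTING.finditer(selinux_config)]
    return bool(values) and values[-1] == "disabled"


def live_check(role):
    """Run both checks on the local host (needs rpm and /etc/selinux/config)."""
    rpm_qa = subprocess.run(["rpm", "-qa"], capture_output=True, text=True, check=True).stdout
    with open("/etc/selinux/config", encoding="utf-8") as fh:
        config = fh.read()
    return missing_rpms(role, rpm_qa), selinux_disabled(config)


# Constructed sample of `rpm -qa` output: libicu is absent on purpose.
SAMPLE_RPM_QA = """\
apr-1.4.8-7.el7.x86_64
apr-util-1.5.2-6.el7.x86_64
binutils-2.27-44.base.el7.x86_64
expat-2.1.0-12.el7.x86_64
gpg-pubkey-f4a80eb5-53a7ff4b
xorg-x11-server-Xorg-1.20.4-16.el7_9.x86_64
"""

# Constructed /etc/selinux/config in the stock layout.
SAMPLE_SELINUX_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=disabled
SELINUXTYPE=targeted
"""

if __name__ == "__main__":
    for role in REQUIRED_RPMS:
        print(f"{role}: missing {missing_rpms(role, SAMPLE_RPM_QA) or 'nothing'}")
    print("SELinux disabled:", selinux_disabled(SAMPLE_SELINUX_CONFIG))
```

Replace the samples with `live_check("Enforce Server")` on the target host; any package it reports can then be installed with yum as the section describes.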

Recommended third-party software


Symantec recommends the third-party software listed in Table 66: Recommended third-party software for help with
configuring and troubleshooting your Symantec Data Loss Prevention deployment.

Table 66: Recommended third-party software

| Software | Location | Description |
|---|---|---|
| Wireshark | Any server computer | Use Wireshark (formerly Ethereal) to verify that the detection server NIC receives the correct traffic from the SPAN port or tap. You can also use Wireshark to diagnose network problems between other servers. Download the latest version from http://www.wireshark.org. |
| Sysinternals Suite | Any Windows server computer | Troubleshooting utilities. Recommended for diagnosing problems on Windows server computers. Download the latest version from http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx. |
| LDAP browser | Enforce Server | An LDAP browser is recommended for configuring or troubleshooting Active Directory or LDAP. |
| Stealthbits StealthAUDIT 11.5 | Symantec Data Loss Prevention environment | Supported for data access governance. Obtain the software and documentation from https://stealthbits.com/. |

Product compatibility
Environment Compatibility and Requirements for Network Prevent for Email and Cloud Prevent for Email Servers
Proxy Server Compatibility with Network Prevent for Web
SSL monitoring with Network Monitor
Secure ICAP support for Network Prevent for Web
High-speed packet capture card
Veritas Data Insight compatibility with Symantec Data Loss Prevention
Integrations with other Symantec products
Network Discover compatibility
Support for IPv6 addresses
Endpoint Prevent Supported Applications

Environment Compatibility and Requirements for Network Prevent for Email and
Cloud Prevent for Email Servers
The Network Prevent for Email Server is compatible with a wide range of enterprise-grade third-party SMTP-
compliant MTAs and hosted email services. Consult your MTA vendor or hosted email service for specific support
questions.
The Network Prevent for Email Server can integrate with an MTA or hosted email service that meets the following
requirements:

• The MTA or hosted email service needs the capability of strict SMTP compliance and of sending and receiving mail
using only the following command verbs: HELO (or EHLO), RCPT TO, MAIL FROM, QUIT, NOOP, and DATA.
• When running the Network Prevent for Email Server in reflecting mode, the upstream MTA must be able to route
messages to the Server once and only once for each message.
In practice, these requirements mean that you can use an SMTP-compliant MTA that can route outbound messages from
your internal mail infrastructure to the Network Prevent for Email Server. For reflecting mode compatibility, the MTA must
also be able to route messages that are returned from the Network Prevent for Email Server out to their intended
recipients.
Both the Cloud Prevent for Email and the Network Prevent for Email Servers attempt to initiate a TLS connection with
a downstream MTA only when the upstream MTA issues the STARTTLS command. The TLS connection succeeds only
if the downstream MTA or hosted email service supports TLS and can authenticate itself to the Cloud Prevent for Email
Server. Successful authentication requires that the appropriate keys and X509 certificates are available for each mail
server in the proxied message chain.
For more information about configuring TLS support for Network Prevent Servers operating in forwarding mode or
reflecting mode, see Configuring keys and certificates for TLS.
For information about configuring Cloud Prevent for Email see Symantec™ Data Loss Prevention Cloud Prevent for
Microsoft 365 Implementation Guide.
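Before wiring an MTA into forwarding or reflecting mode, it is worth confirming that it accepts the verb subset listed above and whether it advertises STARTTLS, since Network Prevent only initiates TLS downstream when STARTTLS is issued upstream. The script below is an added example and is not part of Symantec Data Loss Prevention; the host name, port, and mailbox addresses are placeholders, and the in-process stub MTA is a constructed fixture so the check can be run offline.

```python
"""Preflight probe of an MTA against the SMTP verb subset that Network Prevent for
Email relies on: EHLO (or HELO), MAIL FROM, RCPT TO, NOOP and QUIT. DATA is never
sent, so no message is delivered. Added example; not Symantec Data Loss Prevention
code. Addresses and host names below are placeholders."""
import smtplib
import socket
import threading

# Placeholder addresses for the probe; replace with addresses valid in your domain.
PROBE_SENDER = "dlp-probe@example.invalid"
PROBE_RECIPIENT = "postmaster@example.invalid"


def probe_mta(host, port, sender=PROBE_SENDER, recipient=PROBE_RECIPIENT, timeout=10):
    """Return a dict mapping each checked capability to True (accepted) or False."""
    results = {}
    # local_hostname avoids a slow reverse DNS lookup inside smtplib on some hosts.
    smtp = smtplib.SMTP(host, port, local_hostname="dlp-probe.example.invalid", timeout=timeout)
    try:
        code, _ = smtp.ehlo()
        if code != 250:                      # fall back to HELO for non-ESMTP servers
            code, _ = smtp.helo()
        results["EHLO/HELO"] = code == 250
        results["STARTTLS advertised"] = smtp.has_extn("starttls")
        code, _ = smtp.mail(sender)
        results["MAIL FROM"] = code == 250
        code, _ = smtp.rcpt(recipient)
        results["RCPT TO"] = code in (250, 251)
        code, _ = smtp.noop()
        results["NOOP"] = code == 250
        code, _ = smtp.quit()               # quit() also closes the socket
        results["QUIT"] = code == 221
    finally:
        smtp.close()
    return results


def failed_checks(results):
    """Names of the checks that failed; an empty list means the MTA passed the probe."""
    return [name for name, ok in results.items() if not ok]


class StubMta:
    """Constructed stand-in MTA for running this example offline. It speaks only the
    verb subset above and answers 502 to anything else (a fixture, not a real MTA)."""

    def __init__(self, advertise_starttls=True):
        self.advertise_starttls = advertise_starttls
        self.seen_verbs = []                 # lets a caller confirm DATA was never sent
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.bind(("127.0.0.1", 0))
        self._listener.listen(1)
        self.port = self._listener.getsockname()[1]
        threading.Thread(target=self._serve_one, daemon=True).start()

    def _serve_one(self):
        conn, _ = self._listener.accept()
        reader = conn.makefile("rb")
        conn.sendall(b"220 stub.example.invalid ESMTP\r\n")
        while True:
            line = reader.readline()
            if not line:
                break
            parts = line.split()
            verb = parts[0].upper().decode("ascii", "replace") if parts else ""
            self.seen_verbs.append(verb)
            if verb == "EHLO":
                reply = b"250-stub.example.invalid\r\n"
                if self.advertise_starttls:
                    reply += b"250-STARTTLS\r\n"
                reply += b"250 SIZE 10240000\r\n"
            elif verb == "HELO":
                reply = b"250 stub.example.invalid\r\n"
            elif verb in ("MAIL", "RCPT", "NOOP"):
                reply = b"250 OK\r\n"
            elif verb == "QUIT":
                reply = b"221 Bye\r\n"
            else:
                reply = b"502 Command not implemented\r\n"
            conn.sendall(reply)
            if verb == "QUIT":
                break
        reader.close()
        conn.close()
        self._listener.close()


if __name__ == "__main__":
    stub = StubMta()                         # replace with your MTA's host and port
    outcome = probe_mta("127.0.0.1", stub.port)
    for name, ok in outcome.items():
        print(f"{name:20s} {'ok' if ok else 'FAILED'}")
    print("failed checks:", failed_checks(outcome))
```

Run against a real MTA, a failed "STARTTLS advertised" check means the downstream TLS path described above will not be used even if certificates are in place.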

Proxy Server Compatibility with Network Prevent for Web


Network Prevent for Web Servers use a standard Internet Content Adaptation Protocol (ICAP) interface, which allows you
to use any ICAP-compliant proxy server. Symantec recommends using the ProxySG proxy server, which is tested with
Symantec Data Loss Prevention.
Network Prevent for Web supports ICAP (as specified in RFC 3507). This support includes the request modification
(REQMOD) and response modification (RESPMOD) modes of ICAP. The Network Prevent for Web server is compatible
with a wide range of enterprise-grade third-party ICAP-compliant proxies. Refer to the vendor documentation for known
limitations. If you have specific support questions, consult your web proxy vendor.
NOTE
If you experience issues using Network Prevent for Web with a third-party proxy, Symantec Support will attempt
to reproduce the issue using ProxySG. If the issue is reproducible and determined to be a DLP issue, Support will
attempt to provide a solution. If the issue is not reproducible with ProxySG, Support will direct you to the third-party
proxy vendor to resolve the issue. Non-reproducible issues are likely the result of the third-party proxy.
Network Prevent for Web also supports secure ICAP (SICAP). You can set up secure ICAP with ProxySG through the
Enforce Server administration console. See Secure ICAP support for Network Prevent for Web.

SSL monitoring with Network Monitor


Symantec has certified Network Monitor for use with the Blue Coat SSL Visibility Appliance.
For details, see Using the Blue Coat SSL Visibility Appliance with Network Monitor at the Tech Docs Portal.

Secure ICAP support for Network Prevent for Web


You configure your system to use integrated Secure ICAP for Network Prevent for Web. See Configuring a Secure ICAP
keystore for Network Prevent for Web for configuration details.

High-speed packet capture card
Symantec Data Loss Prevention supports the Napatech high-speed packet capture card for Network Monitor. The
following table lists support details.

Table 67: Napatech high-speed packet capture card details

Card: Napatech
Version: NT20E2, NT20E3, NT4E, NT40A01, and NT40E3
Driver version: Symantec Data Loss Prevention supports the following driver packages and software:
• Driver package 8.0.3 (driver version 3.5.1) and 11.8.1 (driver version 3.15.x) for Windows
• Driver package 8.1.0 (driver version 3.5.0) and 12.1 (driver version 3.19.x) for Linux
• Link Capture Software 12.7.x for Windows and Linux
Symantec Data Loss Prevention supports the following:
• Multiple capture ports per Napatech Network capture card
• NT40A01 Napatech Network Accelerator
• Multi-threaded packet capture
• Napatech hardware filtering
• Napatech third-generation card drivers for Windows and RHEL platforms
• 10 gigabit adapters
• Virtualized Data Loss Prevention Network Monitor with capture cards as PCI pass-through devices in the VMware ESXi platform

Veritas Data Insight compatibility with Symantec Data Loss Prevention


Veritas Data Insight is a separately licensed option for Symantec Data Loss Prevention that helps organizations identify
data owners and responsible parties for information whose metadata or tracking information is incomplete or inaccurate.
Data Insight provides a connection from the Enforce Server to a Data Insight Management Server.

Table 68: Supported versions of Veritas Data Insight and Symantec Data Loss Prevention

Data Insight version DLP version 15.8 DLP version 16.0 DLP version 16.0.1
6.1.5 Yes No No
6.1.6 (a) Yes No No
6.2 Yes No No
6.3 Yes No No
6.3.1 Yes No No
6.4.1 No Yes Yes

a. The system saves logs in the Incident Persister debug log.

Integrations with other Symantec products
This section describes compatibility of various integrations of Symantec Data Loss Prevention with the following Symantec
products:
• Symantec Information Centric Analytics
• Symantec PGP Universal Gateway Email
• Symantec Messaging Gateway (SMG) (8200 and 8300 Series)
• Symantec Web Gateway (SWG)
• Symantec Endpoint Protection
• Symantec Data Loss Prevention Data Access Governance

Symantec Information Centric Analytics


Symantec Information Centric Analytics (ICA) version 6.6 is required to implement User Risk detection with Symantec
Data Loss Prevention.

Symantec PGP Universal Gateway Email

Table 69: Symantec PGP Universal Gateway Email

Version DLP version 15.8 DLP version 16.0 DLP version 16.0.1
2.63 Yes Yes Yes
3.3.x Yes Yes Yes

Symantec Messaging Gateway (SMG) (8200 and 8300 Series)

Table 70: Symantec Messaging Gateway (SMG) (8200 and 8300 Series)

Version DLP version 15.8 DLP version 16.0 DLP version 16.0.1
10.6.x Yes Yes Yes
10.7.x Yes Yes Yes
10.8.x Yes Yes Yes

Symantec Web Gateway (SWG)

Table 71: Symantec Web Gateway (SWG)

Version DLP version 15.8 DLP version 16.0 DLP version 16.0.1

5.2.7 Yes Yes Yes

Symantec Endpoint Protection

Table 72: Symantec Endpoint Protection

Version DLP version 15.8 DLP version 16.0 DLP version 16.0.1
12.1.6 (12.1 RU6 MP6) Yes Yes Yes
14.0 Yes Yes Yes
14.0.1 and 14.0.1 MP1 Yes Yes Yes

Symantec Data Loss Prevention Data Access Governance

Table 73: Symantec Data Loss Prevention Data Access Governance

Version DLP version 15.8 DLP version 16.0 DLP version 16.0.1

9.0 Yes No No
11.5 Yes Yes Yes

Support for IPv6 addresses


The DLP Agent supports endpoints that are configured with only an IPv6 address. No additional configuration is required.
However, the Enforce Server administration console does not accept IPv6 addresses as input; enter host names instead
of IPv6 addresses.
To ensure that IPv6-only endpoints can communicate with an Endpoint Prevent Server, make sure that the Endpoint
Prevent Server is running on a dual stack host. If the Endpoint Prevent Server is running on an IPv4-only host, you might
need to configure NAT devices to translate the IP addresses of IPv6-only endpoints.

Network Discover compatibility


Network Discover locates exposed confidential data by scanning a broad range of enterprise data repositories, such as
file servers, databases, Microsoft SharePoint, Lotus Notes, Microsoft Exchange, and web servers. The following topics
list scan support for enterprise data repositories:
• Supported File System Targets
• Supported IBM (Lotus) Notes targets
• Supported SQL database targets
• Supported SharePoint server targets
• Supported Exchange Server targets
• Supported File System Scanner Targets
• Supported web server scanner targets

Supported File System Targets

The File System target supports scanning of the network file systems listed in the following table.

Table 74: Supported file system targets

Target type | Protocol and supported software versions | Network Discover | File System - High Speed Discovery
File servers | CIFS servers | Supported | Supported
File shares | CIFS: Windows Server 2012 R2 (deprecated in Symantec Data Loss Prevention 16.0.1), Windows Server 2016, Windows Server 2019 | Supported (SMB 2.0 supported on Windows and Linux Network Discover servers) | Supported (SMB 2.0 and 3.0 supported on Windows and Linux Network Discover clusters)
File shares | NFS: Windows Server 2012 R2 (deprecated in Symantec Data Loss Prevention 16.0.1), Windows Server 2016, Windows Server 2019, Red Hat Enterprise Linux 7.x–8.x | Supported. Note: Access Control Lists (ACL) are not available for NFS shares on Windows and Linux platforms. Note: NFS is not supported with Network Protect. | Supported. Note: Access Control Lists (ACL) are not available for NFS shares on Windows platforms.
File shares | DFS: Windows Server 2012 R2 (deprecated in Symantec Data Loss Prevention 16.0.1), Windows Server 2016, Windows Server 2019 | Supported. Note: DFS is not supported with Network Protect. | Supported
Other | The File System target supports scanning of Microsoft Outlook Personal Folders (.pst files) created with Outlook 2013 (deprecated in Symantec Data Loss Prevention 16.0.1), 2016, and 2019. | Supported | Supported

NOTE
You can use SSHFS to scan File System targets on UNIX systems. Ensure that you use Fuse components and
packages that are validated and adhere to your organization's security policies. Technical support is available
only for Symantec components.
Configuring scans of Microsoft Outlook Personal Folders (.pst files)
Setting up server scans of file systems

Supported IBM (Lotus) Notes targets


The IBM Notes (formerly known as Lotus Notes) target supports scanning of IBM Notes 9.0.x.
The files Notes.jar and NCSO.jar are in the Lotus Notes client installation directory. The manifest version number of
these files depends on the Domino server version. Version 9 has a manifest version in the JAR file of 1.6.0.
Setting up server scans of IBM (Lotus) Notes databases

Supported SQL database targets


The following SQL Databases were tested with Network Discover Target scans:
• Oracle 12c (12.1.x), 18c (12.2.x), and 19c (12.2.0.3) (the vendor_name is oracle)

NOTE
Oracle 12c (12.1.x) is deprecated in Symantec Data Loss Prevention 16.0.1.
• SQL Server 2014 SP3, 2016 SP2, 2017 (only on Windows), and 2019 (only on Windows) (the vendor_name is sqlserver)
• DB2 10.5, 11.1, and 11.5 (the vendor_name is db2)
NOTE
DB2 10.5 is deprecated in Symantec Data Loss Prevention 16.0.1.
Contact Symantec Data Loss Prevention Support for information about scanning any other SQL databases.
Setting up server scans of SQL databases

Required JDBC drivers for SQL database targets

Install a JDBC driver on each Network Discover detection server for each SQL database type to be scanned. The
following table lists the latest supported driver versions.

Table 75: Supported JDBC drivers for SQL database targets

Database type | Driver supported
SQL database | Up to jTDS JDBC driver version 1.3.1. For Microsoft SQL Server, the open-source driver jTDS can be obtained from SourceForge.
Oracle | Oracle JDBC 19.8.0.0. The Oracle driver is installed with the Network Discover detection server in the default SQL drivers directory Protect/lib/jdbc.
DB2 | IBM JDBC driver version 4.0. The IBM driver JAR files are in the IBM DB2 distribution, under the java folder. They can be obtained from IBM at db2.

Supported SharePoint server targets


The following SharePoint server targets are supported:
• Microsoft Office SharePoint Server 2013 SP1
NOTE
Microsoft Office SharePoint Server 2013 SP1 is deprecated in Symantec Data Loss Prevention 16.0.1.
• Microsoft Office SharePoint Server 2016
• Microsoft Office SharePoint Server 2019
• SharePoint Server Subscription Edition

Supported Exchange Server targets


Symantec Data Loss Prevention supports the following Exchange Server targets:
• Microsoft Exchange Server 2013 SP1
NOTE
Microsoft Exchange Server 2013 SP1 is deprecated in Symantec Data Loss Prevention 16.0.1.
• Microsoft Exchange Server 2016 (on-premises)
• Microsoft Exchange Server 2019 (on-premises)

To use the Exchange Web Services connector, Exchange Web Services and the Autodiscover Service must be enabled
on your Exchange server and must be accessible to the Network Discover server.
You can scan the data objects that are stored within Public Folders, such as:
• Email messages
• Message attachments
• Microsoft Word documents
• Excel spreadsheets
The Exchange scan also targets mail stored in Exchange 2013, 2016, and 2019 Personal Archives.

Supported File System Scanner Targets


The following remote Windows systems can be scanned:
• Windows Server 2012 R2 (deprecated in Symantec Data Loss Prevention 16.0)
• Windows Server 2016
• Windows Server 2019
The following file systems can be scanned:
• Red Hat Enterprise Linux 7.4 (supported on 64-bit systems only)
• Red Hat Enterprise Linux 8.x
• AIX 7.1 (supported on 64-bit systems only)
AIX requires the following C runtime libraries, as well as Java 1.8 and JRE:
• xlC.aix50.rte (v8.0.0.0+)
• xlC.rte (v8.0.0.0+)
File systems on UNIX systems can also be scanned using the SFTP protocol. This protocol provides a method similar to
share-based file scanning, instead of using the file system scanner. Contact Symantec Professional Services for details.
Setting up remote scanning of file systems

Supported web server scanner targets


The web server scanner supports scanning of HTTP and HTTPS websites using protocol versions through TLSv1.3, SSLv3, and SSLv23.
Setting up scanning of web servers

Endpoint Prevent Supported Applications


Applications Supported by Endpoint Prevent on Windows describes individual applications that can be monitored using
Endpoint Prevent on Windows; Applications Supported by Endpoint Prevent on macOS describes browsers that can be
monitored using Endpoint Prevent on macOS.
Endpoint Prevent enables you to add monitoring support for other third-party applications not listed in the following tables.
An example of a third-party application is Thunderbird. You add monitoring support for an application on the Enforce
Server administration console. Always test monitoring support for applications before you enable monitoring on a large
number of endpoints. Individual applications may need additional filtering settings to maintain acceptable performance.
See About global application monitoring for more information about configuring and using application monitoring.
NOTE
Applications Supported by Endpoint Prevent on Windows and Applications Supported by Endpoint Prevent on
macOS assume that you have installed the latest DLP hot fix from Symantec.

Applications Supported by Endpoint Prevent on Windows
This section describes individual applications that can be monitored using Endpoint Prevent on Windows.
IMPORTANT
You must install the latest maintenance pack and hotfix for Symantec Data Loss Prevention to ensure that you
have the platform support as indicated in the following tables. In some cases, platform support as indicated is
enabled only when you apply the latest maintenance pack and hotfix.
Support is listed for the following items:
• HTTP support
• Secure HTTP (HTTPS)
• Instant messaging
• Email
• FTP
• CD/DVD
• Cloud Sync Apps
• Misc.

HTTP support

Software DLP 15.8 DLP 16.0 DLP 16.0.1

All browsers Yes Yes Yes

Secure HTTP (HTTPS)


NOTE
Symantec tests beta and stable releases of Google Chrome, Microsoft Edge Chromium, and Mozilla Firefox for
compatibility with Data Loss Prevention. However, as browser vendors roll out updates over several days, the
most recent stable release might not be certified for compatibility with Data Loss Prevention on the same day as
the release in your region.

Software and version DLP 15.8 DLP 16.0 DLP 16.0.1
Internet Explorer 10.0 Yes No No
Internet Explorer 11.0 Yes No No
Edge RS1 Yes No No
Edge RS2 Yes No No
Edge RS3 and RS4 No No No
Microsoft Edge (Chromium based) version 89 through version 116 Yes Yes Yes
Firefox 23 through 46.0.1 Yes Yes Yes
Firefox 51 through 117 Yes Yes Yes
Chrome 38 through 117 Yes Yes Yes

Instant messaging

Software and version DLP 15.8 DLP 16.0 DLP 16.0.1
AIM Yes Yes Yes
AIM Pro Yes Yes Yes
AIM6 Yes Yes Yes
Microsoft Office Communicator Yes Yes Yes
Skype Yes Yes Yes
Microsoft Teams No Yes Yes

Email

Software and version DLP 15.8 DLP 16.0 DLP 16.0.1
Outlook 2013 Yes No No
Outlook 2016 Yes Yes Yes
Outlook 2019 Yes Yes Yes
Outlook Web Access (rich and light mode) 2010 Yes Yes Yes
Outlook Web Access (rich and light mode) 2013 Yes No No
Outlook Web Access (rich and light mode) 2016 Yes Yes Yes
Microsoft 365 (16.30 and later) Yes Yes Yes
Lotus Notes 8.5.3 and 9.0.1 Yes Yes Yes

FTP

Software version DLP 15.8 DLP 16.0 DLP 16.0.1

N/A Yes Yes Yes

CD/DVD

Software version DLP 15.8 DLP 16.0 DLP 16.0.1
BsClip Yes Yes Yes
Bs Recorder Gold Yes Yes Yes
BurnAware Yes Yes Yes
Cheetah Burner Yes Yes Yes
Command Burner Yes Yes Yes
CopyToDVD Yes Yes Yes
Creator10 Yes Yes Yes
GEAR for Windows Yes Yes Yes
mkisofs Yes Yes Yes
Nero Yes Yes Yes
Nero Start Smart Yes Yes Yes
Roxio Yes Yes Yes
Roxio RecordNow Yes Yes Yes
Roxio5 Yes Yes Yes
Roxio Mediahub Yes Yes Yes
Silent Night Micro Burner Yes Yes Yes
Star Burn Yes Yes Yes

Cloud Sync Apps

Software version DLP 15.8 DLP 16.0 DLP 16.0.1
Box 4.0.6169 Yes No No
Box (Most recent version available) Yes No No
Dropbox 3.2.x, 6.4.x, 8.4.x, 12.4.x, 13.4.x, 14.4.x, 15.4.x, 17.4.x, 19.4.x, 20.4.x–38.4.x Yes Yes Yes
Dropbox (Most recent version available) Yes Yes Yes
Microsoft OneDrive 15.0.4675.1003 for Win 8.1 (default), 17.3.4726.0226 and 17.3.6517.0809 for Win 7 x86/x64 (desktop client) Yes Yes Yes
Hightail 2.4.7.1621 Yes Yes Yes
Google Backup and Sync 3.35.x Yes Yes Yes
Google Backup and Sync 3.37.x Yes Yes Yes
Google Backup and Sync 3.41.x Yes Yes Yes
Google Backup and Sync 3.46.x Yes Yes Yes
Google Backup and Sync 3.53.x Yes Yes Yes
Google Drive 1.20.x, 1.30.x, 1.32.x, 2.34.x–3.37.x Yes Yes Yes
Apple iCloud 4.0.3.56, 4.0.5.20 Yes Yes Yes

Misc.

Software version DLP 15.8 DLP 16.0 DLP 16.0.1
Adobe Reader Yes Yes Yes
Apple iTunes Yes Yes Yes
Click-to-Run Microsoft Pro 2013 Yes No No
Roxio_Central Yes Yes Yes
WebEx Communications Module Yes Yes Yes

Applications Supported by Endpoint Prevent on macOS


This section describes individual applications that can be monitored using Endpoint Prevent on macOS.
IMPORTANT
You must install the latest maintenance pack and hotfix for Symantec Data Loss Prevention to ensure that you
have the platform support as indicated in the following tables. In some cases, platform support as indicated is
enabled only when you apply the latest maintenance pack and hotfix.
Support is listed for the following items:
• Secure HTTP (HTTPS)
• Email
• Instant Messaging
• Cloud Sync Apps

Secure HTTP (HTTPS)


NOTE
• Paste monitoring is supported only on certified browsers.
• Symantec tests beta and stable releases of Google Chrome, Microsoft Edge Chromium, and Mozilla
Firefox for compatibility with Data Loss Prevention. However, as browser vendors roll out updates over
several days, the most recent stable release might not be certified for compatibility with Data Loss Prevention
on the same day as the release in your region.

Software Version DLP 15.8 DLP 16.0 DLP 16.0.1
Firefox 36.0.4, ESR 31.X Yes Yes Yes
Firefox 38 ESR, 45 ESR, 45.1.1 ESR, 45.4.0, 46.0.1 ESR, 49.0.2 ESR Yes Yes Yes
Firefox 68 ESR Yes Yes Yes
Firefox 49 through 54 Yes Yes Yes
Firefox 56 through 71 Yes Yes Yes
Firefox 73 through 82 Yes Yes Yes
Firefox 84 through 117 Yes Yes Yes
Safari 10.0.x No No No
Safari 10.1.x Yes Yes Yes
Safari 11 through 14 Yes Yes Yes
Safari 15 Yes Yes Yes
Safari 16 No No Yes
Google Chrome 41.0.x Yes Yes Yes
Google Chrome 50 through 81 Yes Yes Yes
Google Chrome 83 through 117 Yes Yes Yes
Microsoft Edge (Chromium based) 102 through 116 Yes Yes Yes

Email

Software Version | DLP 15.8 | DLP 16.0 | DLP 16.0.1
Outlook 2011 | No | No | No
Outlook 2016 | Yes (No for macOS 11) | Yes (No for macOS 11) | Yes (No for macOS 11)
Outlook 2019 | Yes (for macOS 11, Outlook 2019 is supported with Exchange Online or Office 365) | Yes (for macOS 11, Outlook 2019 is supported with Exchange Online or Office 365) | Yes (for macOS 11, Outlook 2019 is supported with Exchange Online or Office 365)
Microsoft 365 (16.30 and later) | Yes | Yes | Yes
Office 2021 | Yes | Yes | Yes

Instant Messaging

Software Version DLP 15.8 DLP 16.0 DLP 16.0.1
Cisco Jabber Yes Yes Yes
Skype (a) Yes Yes Yes

a. Paste monitoring is not available for Skype.

Cloud Sync Apps

Software version DLP 15.8 DLP 16.0 DLP 16.0.1
Dropbox 111.4.x Yes Yes Yes
Dropbox 154.4.x Yes Yes Yes
Dropbox for Mac 180.4.4912 No No Yes
Box Drive for Mac 2.x No Yes Yes
BoxSync for Mac 4.0.x No Yes Yes
OneDrive 20.x Yes Yes Yes
OneDrive 22.x No Yes Yes
OneDrive for Mac 23.x No No Yes
Google Backup and Sync 3.46.x Yes Yes Yes
Google Backup and Sync 3.53.x Yes Yes Yes

Browser Beta Compatibility and Testing


Symantec tests beta releases of Google Chrome, Microsoft Edge, and Mozilla Firefox for compatibility with Data
Loss Prevention. Only Data Loss Prevention 16.0 with the most recent Maintenance Pack is tested for browser beta
compatibility.
The information on this page is updated approximately every two weeks or as needed, and indicates whether critical
issues have been observed.
For information about DLP Agent support for stable browser releases, see Applications Supported by Endpoint Prevent on
Windows and Applications Supported by Endpoint Prevent on macOS.

Table 76: Browser beta test results; Updated on July 5, 2023. DLP version tested: 16.0

Browser Beta build Platform Result
Google Chrome 115.0.5790.56 Windows 11 Enterprise 21H2 No issues were observed.
Google Chrome 115.0.5790.56 macOS 12.6.1 No issues were observed.
Microsoft Edge 115.0.1901.157 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 115.0b9 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 115.0 macOS 12.6.1 No issues were observed.

Table 77: Browser beta test results; Updated on June 20, 2023. DLP version tested: 16.0

Browser Beta build Platform Result
Google Chrome 115.0.5790.32 Windows 11 Enterprise 21H2 No issues were observed.
Google Chrome 115.0.5790.32 macOS 12.6.1 No issues were observed.
Microsoft Edge 115.0.1901.9 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 115.0b7 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 115.0b7 macOS 12.6.1 No issues were observed.

Table 78: Browser beta test results; Updated on June 5, 2023. DLP version tested: 16.0

Browser Beta build Platform Result
Google Chrome 115.0.5790.13 Windows 11 Enterprise 21H2 No issues were observed.
Microsoft Edge 114.0.1823.37 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 114.0b9 Windows 11 Enterprise 21H2 No issues were observed.

Table 79: Browser beta test results; Updated on May 22, 2023. DLP version tested: 16.0

Browser Beta build Platform Result
Google Chrome 114.0.5735.16 Windows 11 Enterprise 21H2 No issues were observed.
Google Chrome 114.0.5735.16 macOS 12.6.1 No issues were observed.
Microsoft Edge 113.0.1774.32 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 114.0b6 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 114.0b6 macOS 12.6.1 No issues were observed.

Table 80: Browser beta test results; Updated on May 5, 2023. DLP version tested: 16.0

Browser Beta build Platform Result
Google Chrome 114.0.5735.16 Windows 11 Enterprise 21H2 No issues were observed.
Google Chrome 114.0.5735.16 macOS 12.6.1 No issues were observed.
Microsoft Edge 113.0.1774.32 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 113.0b9 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 113.0b macOS 12.6.1 No issues were observed.

Table 81: Browser beta test results; Updated on April 21, 2023. DLP version tested: 16.0

Browser Beta build Platform Result
Google Chrome 113.0.5672.35 Windows 11 Enterprise 21H2 No issues were observed.
Google Chrome 113.0.5672.35 macOS 12.6.1 No issues were observed.
Microsoft Edge 113.0.1774.15 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 113.0b5 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 113.0b5 macOS 12.6.1 No issues were observed.

Table 82: Browser beta test results; Updated on April 5, 2023. DLP version tested: 16.0

Browser Beta build Platform Result
Google Chrome 112.0.5615.49 Windows 11 Enterprise 21H2 No issues were observed.
Google Chrome 112.0.5615.49 macOS 12.6.1 No issues were observed.
Microsoft Edge 112.0.1722.31 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 112.0 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 112.0 macOS 12.6.1 No issues were observed.

Table 83: Browser beta test results; Updated on March 24, 2023. DLP version tested: 16.0

Browser Beta build Platform Result
Google Chrome 112.0.5615.29 Windows 11 Enterprise 21H2 No issues were observed.
Google Chrome 112.0.5615.28 macOS 12.6.1 No issues were observed.
Microsoft Edge 112.0.1722.11 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 112.0b3 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 112.0b3 macOS 12.6.1 No issues were observed.

Table 84: Browser beta test results; Updated on March 08, 2023. DLP version tested: 16.0

Browser Beta build Platform Result
Google Chrome 111.0.5563.50 Windows 11 Enterprise 21H2 No issues were observed.
Google Chrome 111.0.5563.50 macOS 12.6.1 No issues were observed.
Microsoft Edge 111.0.1661.30 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 111.0b8 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 110.0b8 macOS 12.6.1 No issues were observed.

Table 85: Browser beta test results; Updated on February 23, 2023. DLP version tested: 16.0

Browser Beta build Platform Result
Google Chrome 111.0.5563.33 Windows 11 Enterprise 21H2 No issues were observed.
Google Chrome 110.0.5481.77 macOS 12.6.1 No issues were observed.
Microsoft Edge 111.0.1661.15 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 111.0b2 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 110.0b2 macOS 12.6.1 No issues were observed.

Table 86: Browser beta test results; Updated on February 6, 2023. DLP version tested: 16.0

Browser Beta build Platform Result
Google Chrome 110.0.5481.77 Windows 11 Enterprise 21H2 No issues were observed.
Google Chrome 110.0.5481.77 macOS 12.6.1 No issues were observed.
Microsoft Edge 110.0.1587.35 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 110.0b9 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 110.0b9 macOS 12.6.1 No issues were observed.

Table 87: Browser beta test results; Updated on January 24, 2023. DLP version tested: 16.0

Browser Beta build Platform Result
Google Chrome 110.0.5481.38 Windows 11 Enterprise 21H2 No issues were observed.
Google Chrome 110.0.5481.38 macOS 12.6.1 No issues were observed.
Microsoft Edge 109.0.1518.55 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 110.0b2 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 110.0b2 macOS 12.6.1 No issues were observed.

Table 88: Browser beta test results; Updated on January 5, 2023. DLP version tested: 16.0

Browser Beta build Platform Result
Google Chrome 109.0.5414.61 Windows 11 Enterprise 21H2 No issues were observed.
Google Chrome 109.0.5414.74 macOS 12.6.1 No issues were observed.
Microsoft Edge 109.0.1518.26 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 109.0b8 Windows 11 Enterprise 21H2 No issues were observed.
Mozilla Firefox 109.0b8 macOS 12.6.1 No issues were observed.

Support for Monitoring Applications Protected by System Integrity Protection


The DLP Agent monitors applications that are protected by System Integrity Protection (SIP) on macOS 10.15 and 11.1
through 11.2. You can find the latest macOS version support at Default SIP Monitoring.

Default SIP monitoring

The DLP Agent monitors macOS applications protected by System Integrity Protection (SIP). The table below lists
the DLP Agent and macOS versions where SIP monitoring is supported for a given Symantec Data Loss Prevention
release.

Table 89: SIP monitoring supported by default

DLP Agent version | SIP monitoring supported by default
16.0.1 | macOS 10.15 through 10.15.7
16.0 | macOS 10.15 through 10.15.7
15.8 | macOS 10.14 through 10.15.7; macOS 11.1

Implementing the Database
Learn about implementing the Oracle database in your environment.
About this content
Preparing Oracle 19c for use with Symantec Data Loss Prevention
Installing Oracle 19c on Windows
Installing Oracle 19c on Linux
Upgrading the database to Oracle 19c
About migrating the Symantec Data Loss Prevention database to Oracle 19c

About this content


This section includes the following topics:
About updates to the Oracle database content
About using this content to migrate the Symantec Data Loss Prevention database to Oracle 19c

About updates to the Oracle database content


This content is occasionally updated as new information becomes available. See About updates to the Symantec Data
Loss Prevention Help Center.

About using this content to migrate the Symantec Data Loss Prevention
database to Oracle 19c
The high-level steps that you complete to migrate your existing Symantec Data Loss Prevention database to Oracle 19c
are provided in Steps to migrate the Symantec Data Loss Prevention database to Oracle 19c. You must complete each
step to complete the migration successfully.

Overview—preparing to migrate the database


You complete preparation steps before you can migrate your database to Oracle 19c.
NOTE
Refer to Steps to migrate the Symantec Data Loss Prevention database to Oracle 19c for additional details
and steps you complete for the database migration.
Prepare for the migration by completing the following steps:
1. Update your version of Symantec Data Loss Prevention to at least 15.8.
NOTE
Symantec recommends that you update to the latest version of Symantec Data Loss Prevention. Refer to
End of Service dates for Symantec Data Loss Prevention at the Broadcom Support portal for more
information.
2. Install the Oracle software (and the Oracle 19c Client for three-tier installations).
3. Create the Symantec Data Loss Prevention database in Oracle 19c, set up the listener, and create the Oracle user
account.

4. Run the latest version of the Update Readiness Tool.

Overview—migrating the database


After you complete preparation steps, you can begin the migration process.
NOTE
Refer to Steps to migrate the Symantec Data Loss Prevention database to Oracle 19c for more details and steps
you complete to migrate the database.
Complete the migration by completing the following steps:
1. Confirm the schema row count before the export and confirm the local DATA PUMP directory.
2. Stop all Symantec Data Loss Prevention services.
3. Export the Oracle database then import the database into Oracle 19c.
4. Connect the Enforce Server including updating the database server credentials for the Oracle 19c database.
5. Restart all Symantec Data Loss Prevention services.
6. Confirm the schema row count after the import.

Preparing Oracle 19c for use with Symantec Data Loss Prevention
This section includes the following topics:
Using Oracle 19c with Symantec Data Loss Prevention
About Oracle Real Application Clusters
About the Oracle multitenant environment
About deploying Oracle to Amazon Web Services (AWS)

Using Oracle 19c with Symantec Data Loss Prevention


You can use the following Oracle 19c versions with Symantec Data Loss Prevention version 15.8 and 16.0:
• Oracle 19c Enterprise Edition.
Support is included for the latest Database Release Updates (RUs).
NOTE
Oracle RU 19.6.0.0.0 is only supported on Linux servers.
You must obtain software and support from Oracle. For implementation details, see Implementing the Database.
• Oracle 19c Standard Edition 2.
Support is included for the latest Database Release Updates (RUs), available from Symantec.
NOTE
Oracle RU 19.6.0.0.0 is only supported on Linux servers.
You can obtain the software from Symantec. For implementation details, see Implementing the Database.
NOTE
Symantec recommends that you run the Oracle 19c Standard Edition 2 database on a supported version
of Windows or Linux. Symantec Data Loss Prevention supports running the Oracle 19c Standard Edition
2 database on platforms that Oracle supports. See Running Oracle 19c Standard Edition 2 software on
alternate platforms.
NOTE
See Applying the latest Oracle Release Update (RU) for information on applying RUs.

You can purchase a Symantec-licensed version of Oracle 19c Standard Edition. After you purchase the software
download the file from Product Downloads at the Broadcom Support Portal.
Download the file that correlates with your server platform:
• Windows: WINDOWS.X64_193000_db_home.zip and WINDOWS.X64_193000_client.zip
• Linux: LINUX.X64_193000_db_home.zip and LINUX.X64_193000_client.zip
You can refer to the following Oracle documentation for details on installing the Oracle 19c software:
https://docs.oracle.com/en/database/oracle/oracle-database/19/install-and-upgrade.html
If you implement a three-tier installation, you must install the Oracle 19c Client (Administrator installation type) on the
Enforce Server. Installation of the Oracle Client enables database communications between the Oracle database server
and the Enforce Server. The Symantec Data Loss Prevention installer needs SQL*Plus to create tables and views on the
Enforce Server. For this reason, the Windows or Linux user account that is used to install Symantec Data Loss Prevention
needs access to SQL*Plus.
Symantec provides Oracle 19c database installation tools. The installation tools include response files, templates, and
SQL scripts for each supported database version. You use the installation tools during the installation and configuration of
Oracle 19c on either the Windows or the Red Hat Enterprise Linux platforms.
About Installing Oracle 19c on Windows
About installing Oracle 19c on Linux
NOTE
Run the latest version of the Update Readiness Tool if you are currently running a previous version of the Oracle
database. Running the Update Readiness Tool before you migrate the database to the Oracle 19c software
ensures that migrated data is compatible and no errors occur.
See Preparing to Run the Update Readiness Tool.

Applying the latest Oracle Release Update (RU)


Oracle releases the latest Release Update (RU) on a quarterly basis. When a release occurs, you can apply the RU to
your Oracle 19c database software. RUs are cumulative so you can install the latest supported version and can skip
interim versions.
See Oracle database requirements for a list of supported RUs.
1. Obtain the patch from the latest Oracle 19c CPU zip file.
• For Enterprise, obtain the Oracle 19c CPU zip file from Oracle.
• For Standard Edition, download the Oracle 19c CPU zip file from Product Downloads at the Broadcom Support
Portal.
You can confirm that you have obtained the latest zip file based on information in the file name. For example, the July
2020 release for Linux is Oracle_19c_CPU2020JUL_Lin64.zip.
2. Unzip the contents of the file.
3. Locate the folder that contains the RU.
For example, the July 2020 RU folder for Linux is ReleaseUpdate_19.8.0.0.0_2020JUL_64bit_Lin.
4. Unzip the zip file located in the RU folder.
The zip file name from Oracle uses the patch number, Oracle version, platform, and system type. For example, the RU
folder for the July 2020 RU is p31281355_190000_Linux-x86-64.zip.

5. Shut down Symantec Data Loss Prevention services before applying the RU.
See the Symantec Data Loss Prevention Help Center for steps to shut down services.
6. Apply the RU.
See the readme that is provided by Oracle located in the RU folder for steps to apply the RU.
7. Restart DLP services after you apply the RU.
See Restart all Symantec Data Loss Prevention services.

About Oracle Real Application Clusters


Symantec Data Loss Prevention supports Oracle Real Application Clusters (RAC) with Oracle 19c Enterprise.
The steps in this content assume you have installed RAC. For full details on how to install Oracle RAC, see the platform-
specific documentation from Oracle Corporation, available from the Oracle Help Center.

About the Oracle multitenant environment


Symantec Data Loss Prevention supports the Oracle multitenant Containerized Database (CDB)/Pluggable Database
(PDB).
NOTE
The steps in this content assume you are using a CDB that contains a single PDB.

About deploying Oracle to Amazon Web Services (AWS)


You can deploy the Oracle database server or Oracle RDS on Amazon Web Services (AWS). You do not have to modify
the servers or perform any special configurations to deploy the Oracle database Server on AWS. For deploying Oracle
RDS on AWS, you must configure TLS as described in About securing communications between the Enforce Server and
Amazon RDS for Oracle.

Related Links
Learn about deploying Symantec Data Loss Prevention servers on Amazon Web Services (on page 677).

Installing Oracle 19c on Windows


This section includes the following topics:
About Installing Oracle 19c on Windows
Steps to install Oracle 19c on Windows
Preparing the Windows environment
Installing the Oracle 19c software on Windows
Creating the Symantec Data Loss Prevention database on Windows
Creating the Symantec Data Loss Prevention database on RAC with a multitenant environment on Windows
Verifying the PDB database for RAC on Windows
Configuring the database connection on Windows
Verifying that the PDB listener is created and registered on Windows
Setting the protect PDB to autostart on Windows

Adding required tablespaces to the PDB database on Windows
Creating the Oracle user account for Symantec Data Loss Prevention on Windows
Verifying the Symantec Data Loss Prevention database on Windows

About Installing Oracle 19c on Windows


Review this topic for details on the Oracle Client requirement and Oracle 19c database template details.

Oracle Client Requirement


If you implement a three-tier installation, you must install the Oracle Client (SQL*Plus and Database Utilities) on the
Enforce Server. Installation of the Oracle Client enables database communications between the Oracle database server
and the Enforce Server. The Symantec Data Loss Prevention installer needs SQL*Plus to create tables and views on the
Enforce Server. For this reason, the Windows or Linux user account that is used to install Symantec Data Loss Prevention
needs access to SQL*Plus.
For full details on how to install the Oracle 19c Database Client software, see the following:
https://docs.oracle.com/en/database/oracle/oracle-database/19/ntcli/index.html

Oracle 19c Database Templates


Symantec provides Oracle 19c database templates for your database version, a database user SQL script, and response
(.rsp) files that you can use during the installation and configuration of Oracle 19c. These items are located in the
ZIP archive Symantec_DLP_16.0.00000.60853_Platform_Win-IN.zip, which you can download from Product
Downloads at the Broadcom Support Portal.
You can find the installation tools file at the following location:
\DLP\16.0.1\New_Installs\Oracle_Configuration\19.3.0.0_64_bit_Installation_Tools_Win.zip.
The 19.3.0.0_64_bit_Installation_Tools_Win.zip provides the following resources:
• Templates for the database
– Single instance (and single instance on RAC): Oracle_19.3.0.0_Template_for_64_bit_WIN.dbt
– Multitenant (and multitenant on RAC): Oracle_19.3.0.0_Template_for_64_bit_PDB_WIN.dbt
• Response files
– Single instance:
• Oracle_19.3.0.0_Standard_Edition_Installation_WIN.rsp
• Oracle_19.3.0.0_Enterprise_Edition_Installation_WIN.rsp
• Oracle_19.3.0.0_DBCA_WIN.rsp
– Multitenant:
• Oracle_19.3.0.0_Standard_Edition_Installation_PDB_WIN.rsp
• Oracle_19.3.0.0_Enterprise_Edition_Installation_PDB_WIN.rsp
• Oracle_19.3.0.0_DBCA_PDB_WIN.rsp
– RAC:
• Oracle_19.3.0.0_DBCA_RAC_WIN.rsp
About Oracle Real Application Clusters

Steps to install Oracle 19c on Windows


Oracle 19c installation overview provides a high-level view of the Oracle 19c installation process. You can find more detail
for each step of the process as indicated in the table.

Table 90: Oracle 19c installation overview

Step 1. Prepare the Windows environment.
    See Preparing the Windows environment.
Step 2. Install Oracle 19c.
    See Installing the Oracle 19c software on Windows.
Step 3. Create the Symantec Data Loss Prevention database.
    If you plan to run the Symantec Data Loss Prevention database in a single tenant environment or on RAC, see
    Creating the Symantec Data Loss Prevention database on Windows.
    If you plan to run the Symantec Data Loss Prevention database on RAC with a multitenant environment, see
    Creating the Symantec Data Loss Prevention database on RAC with a multitenant environment on Windows.
    If you are installing the database to a multitenant environment, complete the additional steps to verify the
    database. See Verifying the PDB database for RAC on Windows.
Step 4. Create the Oracle Net Listener and the Local Net Service Name, and verify the tnsnames.ora contents.
    See Configuring the database connection on Windows.
Step 5. Complete the following steps if you are installing the database in a multitenant environment:
    • Verify that the PDB listener is created and registered. See Verifying that the PDB listener is created and
      registered on Windows.
    • Set the protect PDB to autostart. See Setting the protect PDB to autostart on Windows.
    • Add tablespaces to the PDB database. See Adding required tablespaces to the PDB database on Windows.
Step 6. Create the Symantec Data Loss Prevention database user.
    See Creating the Oracle user account for Symantec Data Loss Prevention on Windows.
Step 7. Verify the Oracle database.
    See Verifying the Symantec Data Loss Prevention database on Windows.

Preparing the Windows environment


Follow this procedure to prepare the Windows environment for the Oracle database software installation.
NOTE
These steps assume that you have obtained the Oracle database software from Oracle or downloaded a
licensed version from Product Downloads at the Broadcom Support Portal.
1. Log on as the administrator.
2. Shut down the following services if they are running in Windows Services:
• All Oracle services
• Distributed Transaction Coordinator service
To view the services, go to Start > Control Panel > Administrative Tools > Computer Management, and then
expand Services and Applications and click Services.
3. Obtain the Oracle 19c software from Oracle or download from Product Downloads at the Broadcom Support Portal.
4. Prepare the Oracle installation location by completing one of the following steps based on your Oracle database
installation status:
• If you are installing the Oracle database software for the first time, complete the following steps:
a. Create the directory: C:\oracle\product\19.3.0.0\db_1.

b. Copy the Oracle 19c software file to C:\oracle\product\19.3.0.0\db_1.
c. Extract the Oracle 19c software to the directory C:\oracle\product\19.3.0.0\db_1.
Allow approximately 15 minutes for the extraction process to complete.
• If you are upgrading from a previous version of the Oracle database, create the 19.3.0.0\db_1 directory under the
existing \product\ directory. For example, if Oracle 12c is installed under c:\oracle\product\12.2.0.0
then create the Oracle 19c directory at c:\oracle\product\19.3.0.0.
5. Install the Oracle Database Client using the Administrator option if you implement a three-tier system.
The Symantec Data Loss Prevention installer needs SQL*Plus to create tables and views on the Enforce Server.
Therefore, the Windows user account that is used to install Symantec Data Loss Prevention must be able to access
SQL*Plus.
Oracle Client Requirement
6. Set the ORACLE_HOME environment variable by completing the following steps:
a) Go to Control Panel > System and Security > System > Advanced System Settings to display the System
Properties dialog.
b) Click the Advanced tab.
c) Click Environment Variables and click New under System Variables to display the New System Variable dialog.
d) Enter ORACLE_HOME in the Variable name field.
e) Enter C:\oracle\product\19.3.0.0\db_1.
f) Click OK.
g) Select the existing Path variable and click Edit.
h) Enter the value in the Path variable: %ORACLE_HOME%\bin
i) Click New, enter C:\oracle\product\19.3.0.0\db_1 for the path variable, and click OK.
7. Extract the 19.3.0.0_64_bit_Installation_Tools_Win.zip file into a temporary directory, such as C:\temp
\Oracle\tools.

Installing the Oracle 19c software on Windows


The Enforce Server uses the Oracle thin driver and the Oracle Client (for three-tier deployments). Symantec Data Loss
Prevention packages the JAR files for the Oracle thin driver with the Symantec Data Loss Prevention software. But, you
must also install the Oracle Client. The Symantec Data Loss Prevention installer needs SQL*Plus to create tables and
views on the Enforce Server. Therefore, the Windows user account that is used to install Symantec Data Loss Prevention
must be able to access SQL*Plus.
1. To install the Oracle software, use the command prompt to navigate to the db_1 directory. This is the directory where
you extracted the Oracle 19c files. Run one of the following commands (line breaks added for legibility):
• Run the following command for a single-tenant database installation:
C:\oracle\product\19.3.0.0\db_1\setup.exe
-noconfig -responseFile
C:\temp\Oracle\tools\responsefiles\singleinstance
\Oracle_19.3.0.0_Enterprise_Edition_Installation_WIN.rsp
Substitute Oracle_19.3.0.0_Standard_Edition_Installation_WIN.rsp if you are running Oracle
19c Standard Edition.
• Run the following command for a multitenant database installation:
C:\oracle\product\19.3.0.0\db_1\setup.exe
-noconfig -responseFile
C:\temp\Oracle\tools\responsefiles\multitenant
\Oracle_19.3.0.0_Enterprise_Edition_Installation_PDB_WIN.rsp

Substitute Oracle_19.3.0.0_Standard_Edition_Installation_PDB_WIN.rsp if you are running Oracle
19c Standard Edition.
The installation wizard appears with pre-selected values that are drawn from the installation response file. You can
confirm these values and click through the panels without needing to enter information where noted.
2. Refer to Table 91: Installation wizard options for information on what to enter on each screen of the installation wizard.

Table 91: Installation wizard options

Configuration Options: Select Set Up Software Only. Click Next.
Database Installation Option: Select the database type that you plan to install:
• Single instance database installation
• Oracle Real Application Cluster database installation
Click Next.
Select Database Edition: The database edition that you are installing is selected. Click Next.
Specify Oracle Home User: Enter a user name and password for the Oracle Home User. The default name for the
Oracle Home User is oracle.
Note: The Oracle Home User is the Windows user account that runs Windows services. The Oracle Home User is
different from the Symantec Data Loss Prevention Oracle user account.
Confirm the password, then click Next.
Specify Installation Location: Confirm that the Oracle Base and Software Location fields are populated with the
following information:
• Oracle Base: c:\oracle
• Software Location: c:\oracle\product\19.3.0.0\db_1
Click Next.
Perform Prerequisite Checks: Lists the prerequisite check status. Click Next.
Summary: Click Install to begin the installation. The installer application installs the Oracle 19c software to your
computer.
Finish: Click Close to exit the installer application. You can safely ignore the configuration note that appears on this
panel.

Creating the Symantec Data Loss Prevention database on Windows


Follow this procedure to create the Symantec Data Loss Prevention database on Windows systems.
These instructions include details for creating the database in a single tenant environment, in a multitenant
environment, and on RAC in a single tenant environment.
NOTE
You complete a different process to create the database on RAC with a multitenant environment.

Creating the Symantec Data Loss Prevention database on RAC with a multitenant environment on Windows
1. Navigate to the C:\temp\Oracle\tools folder where you extracted the
19.3.0.0_64_bit_Installation_Tools_Win.zip file.
2. Copy a database template file to the database server. Copy the database template file that matches your database
environment:
• Single tenant: Oracle_19.3.0.0_Template_for_64_bit_WIN.dbt
From: C:\temp\Oracle\tools\templates\singleinstance
To: c:\oracle\product\19.3.0.0\db_1\assistants\dbca\templates
• RAC in a single tenant: Oracle_19.3.0.0_Template_for_64_bit_WIN.dbt
From: C:\temp\Oracle\tools\templates\rac
To: c:\oracle\product\19.3.0.0\db_1\assistants\dbca\templates
• Multitenant: Oracle_19.3.0.0_Template_for_64_bit_PDB_WIN.dbt
From: C:\temp\Oracle\tools\templates\multitenant
To: c:\oracle\product\19.3.0.0\db_1\assistants\dbca\templates
3. Open a command prompt, and execute one of the following commands for your database environment:
NOTE
Line breaks added for legibility.
• Run the following command for a single tenant environment:
%ORACLE_HOME%\bin\dbca
-createDatabase
-progressOnly
-responseFile C:\temp\Oracle\tools\responsefiles\singleinstance
\Oracle_19.3.0.0_DBCA_WIN.rsp
• Run the following command for a multitenant environment:
%ORACLE_HOME%\bin\dbca
-createDatabase
-progressOnly
-responseFile C:\temp\Oracle\tools\responsefiles\multitenant
\Oracle_19.3.0.0_DBCA_PDB_WIN.rsp
• Run the following command for a RAC environment:
%ORACLE_HOME%\bin\dbca
-createDatabase -progressOnly -nodelist <list of RAC node names>
-responseFile C:\temp\Oracle\tools\responsefiles\rac\Oracle_19.3.0.0_DBCA_WIN.rsp
Replace <list of RAC node names> with each node name, which is separated by a comma, in your RAC
environment.
4. Enter the SYS user password at the prompt.
5. Enter the SYSTEM user password at the prompt.
Follow these guidelines to create acceptable passwords:

• Passwords cannot contain more than 30 characters.
• Passwords cannot contain double quotation marks, commas, or backslashes.
• Avoid using the & character.
• Passwords are case-sensitive by default. You can change the case sensitivity through an Oracle configuration
setting.
• If your password uses special characters other than _, #, or $, or if your password begins with a number, you must
enclose the password in double quotes when you configure it.
The database creation process appears on the terminal window and can take up to 30 minutes to complete.
6. If you are creating the database in a multitenant environment, you are prompted to enter the PDBAdmin user and
password. Enter the user account and password you used when you created the PDB.
7. If the database services OracleServicePROTECT and Distributed Transaction Coordinator are down, start them
using Windows Services: Start > Control Panel > Administrative Tools > Computer Management > Services and
Applications > Services.

Creating the Symantec Data Loss Prevention database on RAC with a multitenant environment on Windows

If you plan to run the Symantec Data Loss Prevention database on RAC, you install the database on the RAC system.
NOTE
These steps provide details for installing the database on RAC with a multitenant environment. You complete a
different process to create the database in a single tenant environment.
Creating the Symantec Data Loss Prevention database on Windows
1. Copy the Oracle_19.3.0.0_Template_for_64_bit_PDB_WIN.dbt (located in the C:\temp\Oracle\tools
\templates\singleinstance folder) to %ORACLE_HOME%\assistants\dbca\templates on the Oracle 19c
RAC server.
2. Open the Oracle Configuration Assistant on the RAC server by running the following command:
%ORACLE_HOME%\bin\dbca

3. Refer to Table 92: Database Configuration Assistant for Oracle 19c for information on what to enter on each screen of
the Database Configuration Assistant.

Table 92: Database Configuration Assistant for Oracle 19c

Database Operation: Select Create Database and click Next.
Creation Mode: Select Advanced Mode and click Next.
Deployment Type: Select Oracle 19.3.0.0 Database for DLP and click Next.
Nodes Selection: Select all RAC nodes that apply and click Next.
Database Identification: Enter information and select items for the following:
• Enter dlpcdb in the Global Database Name field.
• Enter dlpcdb in the SID prefix field. This field automatically populates based on the value you provided in the
Global Database Name field.
• Select Create as a Container Database and complete the following:
– Enter 1 in the Number of PDBS field.
– Enter protect in the PDB Name field.
Click Next.
Storage Option: Select Use the following for the database storage attributes. Enter information and select items for
the following:
• Select Automatic Storage Management (ASM) in the Database files storage type list.
• Enter +DATA/{DB_UNIQUE_NAME} in the Database files location field.
• Select Use Oracle-Managed Files (OMF).
Click Next.
Fast Recovery Option: Use the default setting and click Next.
Database Options: Use the default setting and click Next.
Configuration Options: Update the SGA and PGA size based on your system requirements and click Next.
Management Options: Use the default settings and click Next.
User Credentials: Select an item and passwords applicable for your implementation and click Next.
Creation Options: Use the default settings and click Next.
Prerequisite Checks: The prerequisite check process can take ten minutes to complete. After the process completes,
review warnings and confirm that all expected nodes are running. Click Next.
Summary Parameters: Review the information to confirm RAC and PDB settings. Click Next.
Progress: The database creation process can take about an hour to complete. Click Next.
Finish: Record the CDB name (dlpcdb), and click Close to complete the process.

After you complete these steps, verify the database.


Verifying the PDB database for RAC on Windows

Verifying the PDB database for RAC on Windows


After you complete the CDB and PDB database installation on RAC, you verify components of the installation. Specifically,
you confirm that the CDB name is dlpcdb and that the PDB name is protect.
You complete these steps only if you are setting up a PDB environment or a PDB running in a RAC environment.
1. Confirm the CON_NAME by running the following command.
sqlplus sys/<password> as sysdba
show con_name

The command output should display a message similar to the following message:
CON_NAME
------------------------------
CDB$ROOT

2. Confirm the PDB name by running the following command:
show pdbs

The command output should display a message similar to the following message:
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO

3 PROTECT READ WRITE NO

Configuring the database connection on Windows


Skip these steps if you are configuring RAC.
Complete the following procedures to configure the database connection on Windows:
1. Configure the TNS listener and the Local Net Service Name.
Configuring the TNS Listener and Net Service Name
2. Verify the tnsnames.ora file.
Verifying tnsnames.ora contents
3. Modify the listener.ora file.
Modifying the listener.ora file

Configuring the TNS Listener and Net Service Name


After you install the Oracle database, configure the TNS Listener and the Net Service Name.
1. (Optional) If you logged on as a domain user, you must set the sqlnet.ora file
SQLNET.AUTHENTICATION_SERVICES=() value to none. Otherwise, proceed to step 2.

To set the sqlnet.ora file SQLNET.AUTHENTICATION_SERVICES=() value, perform the following steps:
a) Open sqlnet.ora, located in the %ORACLE_HOME%\network\admin folder, using a text editor.
b) Change the SQLNET.AUTHENTICATION_SERVICES=(NTS) value to none.
SQLNET.AUTHENTICATION_SERVICES=(none)
c) Save and close the sqlnet.ora file.
2. Start the Oracle Net Configuration Assistant by running the following command:
%ORACLE_HOME%\bin\netca

3. Create the TNS Listener.


Refer to Table 93: Creating the TNS Listener for information on what to select and enter on each screen of the
Oracle Net Configuration Assistant.

Table 93: Creating the TNS Listener

Welcome: Select Listener configuration and click Next.
Listener Configuration, Listener: Select Add and click Next.
Listener Configuration, Listener Name: Enter a listener name and the password for your Oracle Home User, then click
Next.
Note: Use the default listener name, LISTENER, unless you must use a different name.
Listener Configuration, Select Protocols: Select the TCP protocol and click Next.
Listener Configuration, TCP/IP Protocol: Select Use the standard port number of 1521 and click Next.
Listener Configuration, More Listeners?: Select No and click Next.
Listener Configuration Done: Click Next and select Local Net Service Name configuration.

4. Configure the Net Service Name.
Refer to Table 94: Configuring the Net Service Name for information on what to enter on each screen of the Oracle Net
Configuration Assistant.

Table 94: Configuring the Net Service Name

Net Service Name Configuration: Select Add and click Next.
Net Service Name Configuration, Service Name: Enter protect in the Service Name field and click Next.
Net Service Name Configuration, Select Protocols: Select TCP and click Next.
Net Service Name Configuration, TCP/IP Protocol:
1. Enter the host name of the Oracle server computer in the Host name field.
2. Select Use the standard port number of 1521 (the default value).
3. Click Next.
Net Service Name Configuration, Test: Select No, do not test and click Next.
Note: Do not test the service configuration, because the listener has not yet started.
Net Service Name Configuration, Net Service Name: Accept the default name of "protect" and click Next.
Net Service Name Configuration, Another Net Service Name?: Select No and click Next.
Net Service Name Configuration Done: Click Next and click Finish.

Verifying tnsnames.ora contents


Before you create the required Oracle user accounts, verify that the tnsnames.ora file contains entries for the protect
database that you created.
1. Using a text editor, open the tnsnames.ora file, which is located in the %ORACLE_HOME%\network\admin directory.
2. Verify that the following lines are present in the file:
PROTECT =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = <ip_address>)(PORT = <port_number>))
)
(CONNECT_DATA =
(SERVICE_NAME = protect)
)
)

If these lines do not exist, add them to the file, replacing <ip_address> and <port_number> with the correct values
for your system.
NOTE
Do not copy and paste information to the tnsnames.ora file. Pasting can introduce hidden characters that
cannot be parsed.
3. Add the following lines if you are installing a multitenant database, replacing <hostname> with the correct value for
your system:
DLPCDB =

(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = <hostname>)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = DLPCDB)
)
)

PROTECT =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = <hostname>)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = PROTECT)
)
)

4. Save the tnsnames.ora file and exit the text editor.
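The checks in the procedure above (the PROTECT entry, the multitenant DLPCDB entry from step 3, and the note about hidden characters) can be automated. The following Python script is an added example and is not part of the Symantec documentation; the sample tnsnames.ora content, including the host name dlp-oracle01, is constructed for the demonstration.

```python
"""Check that tnsnames.ora holds the PROTECT entry (and, for a multitenant install,
the DLPCDB entry) described above and scan it for hidden characters.
Added example, not part of the Symantec documentation."""
import re
import unicodedata

# Constructed sample file. The DLPCDB entry deliberately carries a no-break space
# (U+00A0) before "(PORT", invisible in most editors, and a placeholder host.
SAMPLE_TNSNAMES = (
    "# constructed sample, not a real configuration file\n"
    "PROTECT =\n"
    "  (DESCRIPTION =\n"
    "    (ADDRESS_LIST =\n"
    "      (ADDRESS = (PROTOCOL = TCP)(HOST = dlp-oracle01)(PORT = 1521))\n"
    "    )\n"
    "    (CONNECT_DATA =\n"
    "      (SERVICE_NAME = protect)\n"
    "    )\n"
    "  )\n"
    "\n"
    "DLPCDB =\n"
    "  (DESCRIPTION =\n"
    "    (ADDRESS = (PROTOCOL = TCP)(HOST = <hostname>)\u00a0(PORT = 1521))\n"
    "    (CONNECT_DATA =\n"
    "      (SERVER = DEDICATED)\n"
    "      (SERVICE_NAME = DLPCDB)\n"
    "    )\n"
    "  )\n"
)

ENTRY_HEADER = re.compile(r"([A-Za-z][\w.]*)\s*=")


def find_hidden_characters(text):
    """Return (line, column, Unicode name) for every character that is not printable
    ASCII or a tab; these are the characters the Oracle parser cannot handle."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            code = ord(ch)
            if code > 126 or (code < 32 and ch != "\t"):
                found.append((lineno, col, unicodedata.name(ch, f"U+{code:04X}")))
    return found


def parse_tnsnames(text):
    """Split the file into {ALIAS: body} by balancing parentheses; comment lines are dropped."""
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    entries, pos = {}, 0
    while (m := ENTRY_HEADER.search(text, pos)):
        depth, entered, i = 0, False, m.end()
        while i < len(text):
            if text[i] == "(":
                depth, entered = depth + 1, True
            elif text[i] == ")":
                depth -= 1
            i += 1
            if entered and depth == 0:  # closing parenthesis of this entry
                break
        entries[m.group(1).upper()] = text[m.end():i]
        pos = i
    return entries


def _param(body, name):
    """Value of (NAME = value) inside an entry body, or None when absent."""
    m = re.search(rf"\(\s*{name}\s*=\s*([^()\s]+)\s*\)", body, re.IGNORECASE)
    return m.group(1) if m else None


def check_entry(entries, alias, service_name, port="1521"):
    """Return the problems found with one alias; an empty list means it matches."""
    body = entries.get(alias.upper())
    if body is None:
        return [f"{alias}: no entry in tnsnames.ora"]
    problems = []
    svc = _param(body, "SERVICE_NAME")
    if (svc or "").upper() != service_name.upper():
        problems.append(f"{alias}: SERVICE_NAME is {svc!r}, expected {service_name!r}")
    if (_param(body, "PROTOCOL") or "").upper() != "TCP":
        problems.append(f"{alias}: PROTOCOL is not TCP")
    host = _param(body, "HOST")
    if host is None or host.startswith("<"):
        problems.append(f"{alias}: HOST is missing or still a placeholder ({host!r})")
    if _param(body, "PORT") != port:
        problems.append(f"{alias}: PORT is {_param(body, 'PORT')!r}, expected {port!r}")
    return problems


def verify_tnsnames(text, multitenant=False):
    """Run every check the procedure asks for and return the combined problem list."""
    entries = parse_tnsnames(text)
    problems = check_entry(entries, "PROTECT", "protect")
    if multitenant:
        problems += check_entry(entries, "DLPCDB", "DLPCDB")
    problems += [f"line {ln}, column {col}: hidden character {name}"
                 for ln, col, name in find_hidden_characters(text)]
    return problems
```

Run verify_tnsnames on the contents of the real file with multitenant=True for a CDB/PDB install; an empty list means the entries match the procedure and no hidden characters were found.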

Modifying the listener.ora file


1. Open a command prompt and run the following command:
lsnrctl stop

2. Open the following file in a text editor:
%ORACLE_HOME%\network\admin\listener.ora
3. Locate the following line:
(ADDRESS = (PROTOCOL = IPC)(KEY = <key_value>))
4. Change <key_value> to PROTECT.
5. Add the following line to the end of the file:
SECURE_REGISTER_LISTENER = (IPC)

6. Add the following lines if you are installing a multitenant database:


SID_LIST_LISTENER =
(SID_LIST =
(SID_DESC =
(SID_NAME = CLRExtProc)
(ORACLE_HOME = c:\oracle\product\19.3.0.0\db_1)
(PROGRAM = extproc)
(ENVS = "EXTPROC_DLLS=ONLY:c:\oracle\product\19.3.0.0\db_1\bin\oraclr19.dll")
)
(SID_DESC =
(GLOBAL_DBNAME = DLPCDB)
(SID_NAME = DLPCDB)
(ORACLE_HOME = c:\oracle\product\19.3.0.0\db_1)
)
(SID_DESC =
(GLOBAL_DBNAME = PROTECT)
(SID_NAME = DLPCDB)
(ORACLE_HOME = c:\oracle\product\19.3.0.0\db_1)

)
)

7. Save the file and exit the text editor.


8. Run the following command:
set ORACLE_SID=protect

9. Run the following command:
lsnrctl start

10. Run the following command to connect to the database using SQL*Plus:
sqlplus sys/<password> as sysdba

11. Run the following command:
ALTER SYSTEM SET service_names = 'protect' SCOPE=both;

12. Run the following command:
ALTER SYSTEM SET local_listener =
'(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=PROTECT)))' SCOPE=both;

13. Run the following command to register the listener:
ALTER SYSTEM REGISTER;

14. Exit SQL*Plus by running the following command:
exit

15. If you are installing a single tenant system, run the following command to verify the change:
lsnrctl services

The command output should display a message similar to the following message:
Services Summary...
Service "protect" has 1 instance(s).
Instance "protect", status READY, has 1 handler(s) for this service...
Handler(s):
"DEDICATED" established:0 refused:0 state:ready
LOCAL SERVER
The command completed successfully

Verifying that the PDB listener is created and registered on Windows


If you are running the database in a multitenant environment, verify that the PDB listener is created and registered.
1. Verify that you can log in to and exit SQL*Plus.
2. Run the following command using SQL*Plus to verify PDB accessibility:
sqlplus sys/<password>@protect as sysdba

3. Run the following commands to confirm that the PDB service is accessible:
a) sqlplus sys/<password> as sysdba
b) show parameter service
The command output should display a message similar to the following message:
NAME TYPE VALUE

-------------------------- ------- ------------------------------
service_names string dlpcdb
c) show parameter local_listener
The command output should display a message similar to the following message:
NAME TYPE VALUE
------------------------- ----------- ------------------------------
local_listener string (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=protect)))
d) Run the following command to format output:
COLUMN SERVICE_ID FORMAT 9
COLUMN NAME FORMAT A20
COLUMN PDB FORMAT A20
e) select service_id, name, pdb from v$services;
Confirm that protect is listed in the output.
SERVICE_ID NAME PDB
------------------ ------------------------------ ------------------------------
1 SYS$BACKGROUND CDB$ROOT
2 SYS$USERS CDB$ROOT
3 dlpcdbXDB CDB$ROOT
4 dlpcdb CDB$ROOT
7 protect PROTECT
NOTE
The SERVICE_ID number may differ from those listed on your system.
4. Confirm the active services that are running under cdb$root by running the following command:
alter session set container=cdb$root;

select name from v$active_services;

The command output should display a message similar to the following message:
NAME
----------------------------------------------------------------
dlpcdb
SYS$BACKGROUND
SYS$USERS
protect
dlpcdbXDB

Confirm that the dlpcdb and protect services are listed in the output.
5. Run the following commands if the protect service is missing from the output in the preceding step:
a) Run the following commands:
Alter session set container=protect;
exec dbms_service.CREATE_SERVICE('PROTECT', 'PROTECT');
exec dbms_service.START_SERVICE(SERVICE_NAME=>'PROTECT');
b) Run the following command to register the listener:
ALTER SYSTEM REGISTER;
c) Exit SQL*Plus by running the following command:
exit

6. Restart the listener by running the following commands:
lsnrctl stop
lsnrctl start

The command output should display a message similar to the following message:
Service "DLPCDB" has 1 instance(s).
Instance "dlpcdb", status READY, has 1 handler(s) for this service...
Service "PROTECT" has 1 instance(s).
Instance "dlpcdb", status READY, has 1 handler(s) for this service...

7. Confirm that the PDB service is accessible by running the following commands:
a) sqlplus sys/<password>@protect as sysdba
b) show con_name
to return the following message:
CON_NAME
------------------------------
PROTECT
c) show pdbs
to return the following message:
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
3 PROTECT READ WRITE NO

8. Run the following command if the show pdbs command returns PROTECT listed without Read Write:
select inst_id, con_id, name, open_mode from gv$pdbs where name='PROTECT';

9. Exit SQL*Plus by running the following command:


exit
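The listener and PDB checks in steps 6 through 8 are easy to eyeball once, but on a database that is rebuilt or patched they are worth automating. The following Python script is an added example, not part of this guide or of the Symantec installation tools: it parses the text of lsnrctl status and of the SQL*Plus show pdbs output (redirect each command to a file, or paste the text) and reports every required service that is not READY and a PDB that is not open READ WRITE. The sample outputs inside the block are constructed to match the layout shown above; they are not captures from a real system.

```python
import re

# Added example: post-install verification over captured "lsnrctl status" and
# "show pdbs" text. Sample captures below are constructed, not real output.

SERVICE_RE = re.compile(r'^\s*Service "([^"]+)" has (\d+) instance\(s\)\.')
INSTANCE_RE = re.compile(r'^\s*Instance "([^"]+)", status (\w+)\s*,')
PDB_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(READ WRITE|READ ONLY|MOUNTED|MIGRATE)\s+(YES|NO)\s*$")


def parse_lsnrctl_status(text):
    """Map each service name (upper-cased) to its [(instance, status), ...]."""
    services = {}
    current = None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = m.group(1).upper()
            services.setdefault(current, [])
            continue
        m = INSTANCE_RE.match(line)
        if m and current is not None:
            services[current].append((m.group(1), m.group(2).upper()))
    return services


def listener_problems(text, required=("DLPCDB", "PROTECT")):
    """Return [] when every required service has a READY (dynamically registered) instance."""
    services = parse_lsnrctl_status(text)
    problems = []
    for name in required:
        instances = services.get(name.upper())
        if not instances:
            problems.append("service %s is not registered with the listener" % name)
        elif not any(status == "READY" for _, status in instances):
            # UNKNOWN means a static listener.ora entry, not a running instance
            problems.append("service %s has no READY instance (statuses: %s)"
                            % (name, ", ".join(s for _, s in instances)))
    return problems


def parse_show_pdbs(text):
    """Map each PDB name (upper-cased) to its con_id, open mode and restricted flag."""
    pdbs = {}
    for line in text.splitlines():
        m = PDB_RE.match(line)
        if m:
            pdbs[m.group(2).upper()] = {"con_id": int(m.group(1)),
                                        "open_mode": m.group(3),
                                        "restricted": m.group(4) == "YES"}
    return pdbs


def pdb_problems(text, pdb="PROTECT"):
    """Return [] when the PDB is open READ WRITE and not RESTRICTED."""
    info = parse_show_pdbs(text).get(pdb.upper())
    if info is None:
        return ["PDB %s is missing from show pdbs output" % pdb]
    problems = []
    if info["open_mode"] != "READ WRITE":
        problems.append("PDB %s is %s, expected READ WRITE" % (pdb, info["open_mode"]))
    if info["restricted"]:
        problems.append("PDB %s is open RESTRICTED; normal sessions cannot connect" % pdb)
    return problems


# Constructed sample captures in the layout this page shows.
LSNRCTL_OK = """\
Services Summary...
Service "DLPCDB" has 1 instance(s).
  Instance "dlpcdb", status READY, has 1 handler(s) for this service...
Service "PROTECT" has 1 instance(s).
  Instance "dlpcdb", status READY , has 1 handler(s) for this service...
The command completed successfully
"""

LSNRCTL_STATIC_ONLY = """\
Service "DLPCDB" has 1 instance(s).
  Instance "dlpcdb", status READY, has 1 handler(s) for this service...
Service "PROTECT" has 1 instance(s).
  Instance "dlpcdb", status UNKNOWN, has 1 handler(s) for this service...
"""

SHOW_PDBS_OK = """\
    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
         3 PROTECT                        READ WRITE NO
"""

SHOW_PDBS_MOUNTED = SHOW_PDBS_OK.replace("READ WRITE NO", "MOUNTED    NO")

if __name__ == "__main__":
    for label, probs in (("listener", listener_problems(LSNRCTL_OK)),
                         ("pdb", pdb_problems(SHOW_PDBS_OK))):
        print(label, "OK" if not probs else probs)
```

An instance reported with status UNKNOWN is listed statically in listener.ora rather than registered by a running instance, so the check treats it as not ready. Separately, passing the SYS password on the sqlplus command line, as the steps above do, leaves it visible in the process list and the shell history; running sqlplus /nolog and then entering connect sys@protect as sysdba at the prompt makes SQL*Plus ask for the password instead.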

Setting the protect PDB to autostart on Windows


If you are running the database in a multitenant environment, configure the protect PDB to auto start when the Oracle
database restarts. You can set the PDB to auto start by saving the state of the PDB when it is open.
1. Open a command prompt as the Oracle user.
2. Start SQL*Plus by running the following command:
sqlplus sys/<password> as sysdba

where <password> is the SYS password.


3. Run the following commands:
alter pluggable database protect open;

alter pluggable database protect save state;

4. Exit SQL*Plus by running the following command:


exit

Adding required tablespaces to the PDB database on Windows
If you are running the database in a multitenant environment, add tablespaces to the PDB database.
1. Navigate to the C:\temp\Oracle\tools folder.
2. Start SQL*Plus and run the add_pdb_tablespace_WIN.sql script.
sqlplus /nolog @add_pdb_tablespace_WIN.sql

3. At the Please enter the password for sys user prompt, enter the password for the SYS user.
4. At the Please enter Service Name prompt, enter protect.
5. Confirm that all required tablespaces are added for the PDB by running the following command:
sqlplus sys/<password>@protect as sysdba
SELECT tablespace_name FROM dba_tablespaces;

For example, if you are using Oracle 19.3.0.0, the output information should read:
TABLESPACE_NAME
------------------------------
SYSTEM
SYSAUX
UNDOTBS1
TEMP
USERS
LOB_TABLESPACE

6. Confirm the summary of tablespaces and that the data file paths are consistent by completing the following steps:
a) Start SQL*Plus by running the following command:
sqlplus sys/<password>@protect as sysdba
b) Run the following query:
COLUMN Tablespace_Name FORMAT A20
COLUMN File_Name FORMAT A50
COLUMN Size_Mb FORMAT 9999
SELECT substr(tablespace_name,1,20) as Tablespace_Name,
substr(file_name,1,50) as File_Name,
bytes/1024/1024 as Size_MB
FROM dba_data_files
union
SELECT 'TEMP' as Tablespace_Name,
name as File_Name,
bytes/1024/1024 as Size_MB
FROM v$tempfile;

Confirm that the data file paths are consistently located in the same location under the PROTECT folder. For
example, if you are using Oracle 19c, the output information should read:
TABLESPACE_NAME FILE_NAME SIZE_MB
------------------ -------------------------------------------------- ----
LOB_TABLESPACE C:\ORACLE\ORADATA\DLPCDB\PROTECT\LOB01.DBF 2048
LOB_TABLESPACE C:\ORACLE\ORADATA\DLPCDB\PROTECT\LOB02.DBF 1024
LOB_TABLESPACE C:\ORACLE\ORADATA\DLPCDB\PROTECT\LOB03.DBF 1024
SYSAUX C:\ORACLE\ORADATA\DLPCDB\PROTECT\SYSAUX01.DBF 150
SYSTEM C:\ORACLE\ORADATA\DLPCDB\PROTECT\SYSTEM01.DBF 169
TEMP C:\ORACLE\ORADATA\DLPCDB\PROTECT\TEMP01.DBF 2048
UNDOTBS1 C:\ORACLE\ORADATA\DLPCDB\PROTECT\UNDOTBS01.DBF 2048
USERS C:\ORACLE\ORADATA\DLPCDB\PROTECT\USERS01.DBF 2048
USERS C:\ORACLE\ORADATA\DLPCDB\PROTECT\USERS02.DBF 2048
USERS C:\ORACLE\ORADATA\DLPCDB\PROTECT\USERS03.DBF 2048
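To check the tablespace list and the data file layout without reading the report by hand, the following Python script is an added example (not Symantec's tooling) that parses the SQL*Plus output of the query in step 6 and flags a required tablespace with no data file, a data file outside the PROTECT folder, or files split across more than one directory. The sample report in the block is constructed in the same layout as the output above; the paths are illustrative, not taken from a real system.

```python
import re

# Added example: validate the tablespace/data file report from the query above.
# The sample report is constructed, not real output.

REQUIRED_TABLESPACES = ("SYSTEM", "SYSAUX", "UNDOTBS1", "TEMP", "USERS", "LOB_TABLESPACE")
ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s*$")   # name, path, size in MB


def parse_datafile_report(text):
    """Return [(tablespace, file_name, size_mb), ...]; header and dash lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group(1).upper(), m.group(2), int(m.group(3))))
    return rows


def datafile_problems(text, pdb_folder="PROTECT", required=REQUIRED_TABLESPACES):
    """Return [] when all required tablespaces exist and share one directory named pdb_folder."""
    rows = parse_datafile_report(text)
    problems = []
    present = set(ts for ts, _, _ in rows)
    for ts in required:
        if ts not in present:
            problems.append("tablespace %s has no data file in the report" % ts)
    directories = set()
    for ts, path, _ in rows:
        # Accept Windows or Linux separators; compare case-insensitively as Windows does.
        parts = path.replace("\\", "/").rsplit("/", 1)
        directory = parts[0] if len(parts) == 2 else ""
        directories.add(directory.upper())
        if directory.rsplit("/", 1)[-1].upper() != pdb_folder.upper():
            problems.append("%s data file is outside the %s folder: %s" % (ts, pdb_folder, path))
    if len(directories) > 1:
        problems.append("data files are spread over %d directories: %s"
                        % (len(directories), ", ".join(sorted(directories))))
    return problems


def total_size_mb(text):
    """Sum of SIZE_MB over all rows, for comparing against the template's sizing."""
    return sum(size for _, _, size in parse_datafile_report(text))


# Constructed sample in the page's report layout (one file per tablespace).
REPORT_OK = """\
TABLESPACE_NAME      FILE_NAME                                          SIZE_MB
-------------------- -------------------------------------------------- -------
LOB_TABLESPACE       C:\\ORACLE\\ORADATA\\DLPCDB\\PROTECT\\LOB01.DBF      2048
SYSAUX               C:\\ORACLE\\ORADATA\\DLPCDB\\PROTECT\\SYSAUX01.DBF    150
SYSTEM               C:\\ORACLE\\ORADATA\\DLPCDB\\PROTECT\\SYSTEM01.DBF    169
TEMP                 C:\\ORACLE\\ORADATA\\DLPCDB\\PROTECT\\TEMP01.DBF     2048
UNDOTBS1             C:\\ORACLE\\ORADATA\\DLPCDB\\PROTECT\\UNDOTBS01.DBF  2048
USERS                C:\\ORACLE\\ORADATA\\DLPCDB\\PROTECT\\USERS01.DBF    2048
"""

# Same report with the USERS file created one level up, outside the PDB folder.
REPORT_STRAY = REPORT_OK.replace("PROTECT\\USERS01.DBF", "USERS01.DBF")

if __name__ == "__main__":
    print("ok" if not datafile_problems(REPORT_OK) else datafile_problems(REPORT_OK))
    print("total MB:", total_size_mb(REPORT_OK))
```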

Creating the Oracle user account for Symantec Data Loss Prevention on
Windows
Perform the following procedure to create an Oracle user account and name it “protect.”
1. Navigate to the C:\temp\Oracle\tools folder.
2. Run the following command using SQL*Plus to run the oracle_create_user.sql script:
sqlplus /nolog @oracle_create_user.sql

3. At the Please enter the password for sys user prompt, enter the password for the SYS user.
4. At the Please enter SID prompt, enter protect.
5. At the Please enter required username to be created prompt, enter protect for the user name.
6. At the Please enter a password for the new username prompt, enter a new password.
Follow these guidelines to create acceptable passwords:
• Passwords cannot contain more than 30 characters.
• Passwords cannot contain double quotation marks, commas, or backslashes.
• Avoid using the & character.
• Passwords are case-sensitive by default. You can change the case sensitivity through an Oracle configuration
setting.
• If your password uses special characters other than _, #, or $, or if your password begins with a number, you must
enclose the password in double quotes when you configure it.
Store the password in a secure location for future use. Use this password to install Symantec Data Loss Prevention.
If you must change the password after you install Symantec Data Loss Prevention, see the Symantec Data Loss
Prevention Help Center for instructions.
7. Confirm that tablespaces are available for the Oracle user you created by running the following SQL*Plus commands
in the listed order:
a) sqlplus protect/<password>@protect
b) SELECT tablespace_name FROM user_tablespaces;
The command returns the following message:
TABLESPACE_NAME
------------------------------
SYSTEM
SYSAUX
UNDOTBS1
TEMP
USERS
LOB_TABLESPACE
c) Exit SQL*Plus.

Verifying the Symantec Data Loss Prevention database on Windows


After you create the Symantec Data Loss Prevention database, verify that it was created correctly.
NOTE
The following steps apply to single tenant and RAC implementations. The process to verify the Symantec Data
Loss Prevention database in a multitenant environment differs slightly.
Verifying the PDB database for RAC on Windows
1. Open a new command prompt, start SQL*Plus, and log on as the SYS user:
sqlplus sys/<password>@protect as sysdba

Where <password> represents the SYS password.
2. Run the following query:
SELECT BANNER_FULL FROM v$version;

3. Confirm that the output from the query contains information that correctly identifies the software components for the
installed version of Oracle 19c.
For example, if you are running Oracle 19c Standard Edition, the output information should read:
BANNER_FULL
--------------------------------------------------------------------------------
Oracle Database 19c Standard Edition 2 Release 19.0.0.0.0 - Production Version 19.3.0.0.0

4. Exit SQL*Plus:
exit

Installing Oracle 19c on Linux


This section includes the following topics:
About installing Oracle 19c on Linux
Steps to install Oracle 19c on Linux
Performing the Linux preinstallation steps
Installing Oracle 19c on Linux
Creating the Symantec Data Loss Prevention database on Linux
Creating the Symantec Data Loss Prevention database on RAC with a multitenant environment on Linux
Verifying the PDB database on Linux
Configuring the database connection on Linux

Verifying that the PDB listener is created and registered on Linux
Setting the protect PDB to autostart on Linux
Adding required tablespaces to the PDB database on Linux
Verifying the Symantec Data Loss Prevention database on Linux
Creating the Oracle user account for Symantec Data Loss Prevention on Linux
Configuring automatic startup and shutdown of the database

About installing Oracle 19c on Linux

Oracle Client requirement


If you implement a three-tier installation, you must install the Oracle Client (SQL*Plus and Database Utilities) on the
Enforce Server. Installation of the Oracle Client enables database communications between the Oracle database server
and the Enforce Server. The Symantec Data Loss Prevention installer needs SQL*Plus to create tables and views on the
Enforce Server. For this reason, the Windows or Linux user account that is used to install Symantec Data Loss Prevention
needs access to SQL*Plus.
For full details on how to install the Oracle 19c Database Client software, see the following:
https://docs.oracle.com/en/database/oracle/oracle-database/19/lacli/index.html

Oracle 19c database templates


Symantec provides Oracle 19c database templates for your database version, a database user SQL script, and
response files (.rsp) that you can use during the installation and configuration of Oracle 19c. These items are located
in an archive within the Symantec_DLP_16.0.00000.60853_Platform_Lin-IN.zip file, which you can download
from Product Downloads at the Broadcom Support Portal.
NOTE
If you are running Symantec Data Loss Prevention version 15.7, you obtain the installation tools files from
the 19.3.0.0_64_bit_Installation_Tools_Linux.tar.gz file. You download this file from Product
Downloads at the Broadcom Support Portal.
You can find the installation tools file at the following location (replace vv.y with the Symantec Data Loss Prevention
version you are running):
\DLP\vv.y\New_Installs\Oracle_Configuration\19.3.0.0_64_bit_Installation_Tools_Lin.tar.gz
The 19.3.0.0_64_bit_Installation_Tools_Lin.tar.gz provides the following:
• Templates for the database
– Single instance (and single instance on RAC): Oracle_19.3.0.0_Template_for_64_bit_Linux.dbt
– Multitenant (and multitenant on RAC): Oracle_19.3.0.0_Template_for_64_bit_PDB_Linux.dbt
• Response files:
– Single instance:
• Oracle_19.3.0.0_Standard_Edition_Installation_Linux.rsp
• Oracle_19.3.0.0_Enterprise_Edition_Installation_Linux.rsp
• Oracle_19.3.0.0_DBCA_Linux.rsp
– Multitenant:

• Oracle_19.3.0.0_Standard_Edition_PDB_Installation_Linux.rsp
• Oracle_19.3.0.0_Enterprise_Edition_PDB_Installation_Linux.rsp
• Oracle_19.3.0.0_DBCA_PDB_Linux.rsp
– RAC:
• Oracle_19.3.0.0_DBCA_RAC_Linux.rsp
About Oracle Real Application Clusters

Steps to install Oracle 19c on Linux


Table 95: Oracle 19c installation steps provides a high-level view of the Oracle 19c installation process. You can find
more detail for each step of the process as indicated in the table.

Table 95: Oracle 19c installation steps

Step 1: Perform the preinstallation steps.
    Performing the Linux preinstallation steps
Step 2: Install Oracle 19c.
    Installing the Oracle 19c software on Linux
Step 3: Create the Symantec Data Loss Prevention database.
    If you plan to run the Symantec Data Loss Prevention database in a single tenant environment or with RAC, go to
    the following section.
    Creating the Symantec Data Loss Prevention database on Linux
    If you plan to run the Symantec Data Loss Prevention database on RAC with a multitenant environment, go to the
    following section.
    Creating the Symantec Data Loss Prevention database on RAC with a multitenant environment on Linux
Step 4: Create the Oracle Listener and Local Net Service Name.
    Configuring the database connection on Linux
Step 5: Complete the following steps if you are installing the database to a multitenant environment:
    • Verify that the PDB listener is created and registered.
    • Set the protect PDB to autostart.
    • Add tablespaces to the PDB database.
    Verifying that the PDB listener is created and registered on Linux
    Setting the protect PDB to autostart on Linux
    Adding required tablespaces to the PDB database on Linux
Step 6: Verify the Oracle database. Complete the additional verification steps, and set the protect PDB to autostart, if
you are installing the database to a multitenant environment.
    Verifying the Symantec Data Loss Prevention database on Linux
    Verifying the PDB database on Linux
    Setting the protect PDB to autostart on Linux
Step 7: Create the Symantec Data Loss Prevention database user.
    Creating the Oracle user account for Symantec Data Loss Prevention on Linux
Step 8: Configure your system to start Oracle when the server computer boots.
    Configuring automatic startup and shutdown of the database

Performing the Linux preinstallation steps


Perform the following procedure to prepare your Linux environment for installation. The preinstallation requires Python.
You can use Python versions 2.4.6 through 3.6.3.

Preparing the Linux environment
The following Linux environment preparation steps assume that you are logged on as the root user.
NOTE
These steps assume that you have obtained the Oracle database software from Oracle or downloaded a
licensed version from Product Downloads at the Symantec Enterprise Security Support Portal.
1. Copy the file 19.3.0.0_64_bit_Installation_Tools_Lin.tar.gz to the Linux server, then run the following
command to extract its contents into the temporary directory (/tmp):
tar xvfz 19.3.0.0_64_bit_Installation_Tools_Lin.tar.gz -C /tmp

Extracting creates a subdirectory that is named oracle_install in the /tmp directory and extracts the files into that
subdirectory.
2. Prepare the Oracle installation location by completing one of the following steps based on your Oracle database
installation status:
• If you are installing the Oracle database software for the first time, run the following Oracle preparation script in the
oracle_install directory:
cd /tmp/oracle_install
./scripts/oracle_prepare.sh

The script creates the Oracle user directory and provides permissions to the /opt/oracle/19.3.0.0 location.
• If you are upgrading from a previous version Oracle database, create the 19.3.0.0/db_1 directory under the
existing /opt/oracle/product directory.

3. Install the Oracle Database Client using the Administrator option if you implement a three-tier system.
The Symantec Data Loss Prevention installer needs SQL*Plus to create tables and views on the Enforce Server.
Therefore, the root user account that is used to install Symantec Data Loss Prevention must be able to access
SQL*Plus.
Oracle Client requirement
4. If you are installing Oracle 19c for the first time, provide read and write access to the /opt directory for the Oracle
user.
5. After the preparation script has run to completion, switch to the /home/oracle/oracle_install/scripts
directory and run the verification script:
cd /home/oracle/oracle_install/scripts
./oracle_verify.py

The verification script displays settings (such as RAM, swap space, shared memory, /tmp disc space) that do not
meet the requirements for Oracle. Adjust any settings to the required values.
a) Run the oracle_config_kernel_parameters.py script in the /home/oracle/oracle_install/scripts
directory. This script sets the kernel parameters to the required settings.
b) Restart the server to apply the updated kernel parameters.
6. Verify that there is enough space under /var. For a small to medium enterprise, /var should have at least 15 GB
of free space. For a large enterprise, /var should have at least 30 GB. For a very large enterprise, /var should have
at least 45 GB. As the traffic of your organization expands, these figures should increase, and you must allocate more
free space.
7. Verify that the /opt and /boot file systems have the required free space for your Symantec Data Loss Prevention
installation.

Installing the Oracle 19c software on Linux


The Enforce Server uses the Oracle thin driver and the Oracle Client. Symantec Data Loss Prevention packages the
JAR files for the Oracle thin driver with the Symantec Data Loss Prevention software. You must also install the Oracle
Client. The Symantec Data Loss Prevention installer needs SQL*Plus to create tables and views on the Enforce Server.
Therefore, the Linux user account that is used to install Symantec Data Loss Prevention must be able to access
SQL*Plus.
The instructions in this section assume that you are logged on locally to the Linux server and running the X Window
System. The instructions also assume that you have the xorg-x11-apps.x86_64 package installed. If you connect
to the server remotely, you run a terminal emulator and set the location where the GUI tools display their output by
exporting the DISPLAY variable. For example:
export DISPLAY=ip_address:display_number

NOTE
Refer to the configuration information in the X server management program for the IP address and display
number. Typically, the display number is 0.
As you run the GUI tools later, you might get a response similar to the following example:
X connection to localhost:10.0 broken (explicit kill or server shutdown)

Run the export DISPLAY command again.


For Symantec Data Loss Prevention installation on Linux systems, follow this procedure to install Oracle 19c.
1. Log on to the terminal as the root user, then execute the following command:
su -l root
xhost +SI:localuser:oracle

2. Switch to the Oracle user terminal.


3. Copy the required Oracle software installation file to the /opt/oracle/product/19.3.0.0/db_1 location.
4. Unzip the ZIP files you copied.
Run the unzip command as the Oracle user. If you run it as the root user, then the Oracle user cannot view the
extracted files unless you change the permissions. However, changing the permissions is not advisable from a security
standpoint.
5. Navigate to the /home/oracle/oracle_install directory where you extracted the
19.3.0.0_64_bit_Installation_Tools_Lin.tar.gz file.

6. Provide read and write access to the /opt directory for the Oracle user.
7. Log in as the Oracle user. In the Oracle user terminal, execute one of the following commands for your database
installation type (line breaks are added for legibility):
• Single-tenant:
/opt/oracle/product/19.3.0.0/db_1/runInstaller
-noconfig
-responseFile /home/oracle/oracle_install/responsefiles/singleinstance/Oracle_19.3.0.0_Enterprise_Edition_Installation_Linux.rsp

Substitute Oracle_19.3.0.0_Standard_Edition_Installation_Linux.rsp if you are running Oracle 19c
Standard Edition.
• Multitenant:
/opt/oracle/product/19.3.0.0/db_1/runInstaller
-noconfig
-responseFile /home/oracle/oracle_install/responsefiles/multitenant/Oracle_19.3.0.0_Enterprise_Edition_PDB_Installation_Linux.rsp

Substitute Oracle_19.3.0.0_Standard_Edition_PDB_Installation_Linux.rsp if you are running Oracle 19c
Standard Edition.
The Oracle Database 19c Installer appears.
8. See Table 96: Installation wizard options for information on what to enter on each screen of the installation wizard.

Table 96: Installation wizard options

Select Configuration Options: Set Up Software Only is selected. Click Next.
Select Database Installation Options: The database type is selected based on the type you chose previously. Click
Next.
Select Product Languages: Click Next to accept English as the default language.
Select Database Edition: The software edition is selected. Click Next.
Specify Installation Location: The following paths are specified:
• Oracle Base: /opt/oracle
• Software Location: /opt/oracle/product/19.3.0.0/db_1
Click Next.
A dialog appears and requests confirmation that you want to install to the /oraInventory directory. Click Yes.
Privileged Operating System Groups: Click Next to grant the Database Administrator and Database Operator privileges
to the default DBA group.
The installer application performs a prerequisite check and displays the results.
Root script execution configuration: Click Next to apply the default configuration.
Perform Prerequisite checks: Resolve any issues listed in the Verification Result area and click Next.
Create Inventory: Displays if you are installing Oracle on the server computer for the first time.
The inventory path is entered as /opt/oracle/oraInventory and the group name is entered as oinstall.
Click Next.
Note: The installer may display a warning message that you placed the central inventory location in the Oracle base
directory. You can safely ignore this message for Symantec Data Loss Prevention database installations.
Summary: Click Install to begin the installation.
The installer application installs the Oracle 19c software on your computer.
Execute Configuration scripts: The window directs you to execute two scripts as the root user. From the root xterm
window, complete the following steps:
1. Run the script /opt/oracle/product/19.3.0.0/db_1/root.sh
2. Enter the full pathname to the local binary directory when prompted.
3. Accept the default /usr/local/bin directory and press Enter.
4. Enter Y if the script asks for confirmation to overwrite the following files: dbhome, oraenv and coraenv.
Execute Configuration scripts: Return to this screen and click OK.
Finish: Click Close to exit the installer application. You can safely ignore the configuration note that appears on this
panel.

Creating the Symantec Data Loss Prevention database on Linux


Follow this procedure to create the Symantec Data Loss Prevention database on a Linux system.
These instructions cover creating the database in a single tenant environment, in a multitenant environment, and on
RAC in a single tenant environment.
NOTE
You complete a different process to create the database on RAC with a multitenant environment.
Creating the Symantec Data Loss Prevention database on RAC with a multitenant environment on Linux

1. Set the ORACLE_HOME and ORACLE_SERVICE_NAME environment variables for your new installation. Open a
command prompt as the Oracle user and enter:
export ORACLE_HOME=/opt/oracle/product/19.3.0.0/db_1

export ORACLE_SERVICE_NAME=protect

If you installed Oracle 19c into a different location, substitute the correct directory in this command.
Add these commands to your user profile configuration to define the ORACLE_HOME and
ORACLE_SERVICE_NAME environment variables each time you log on. See your Linux documentation for details
about setting environment variables.

2. Navigate to /home/oracle/oracle_install where you extracted the
19.3.0.0_64_bit_Installation_Tools_Lin.tar.gz file.
3. Copy one of the following database template files based on your database environment:
• Single tenant: Oracle_19.3.0.0_Template_for_64_bit_Linux.dbt
From: /home/oracle/oracle_install/templates/singleinstance/
To: $ORACLE_HOME/assistants/dbca/templates
• RAC in a single tenant: Oracle_19.3.0.0_Template_for_64_bit_Linux.dbt
From: /home/oracle/oracle_install/templates/rac/
To: $ORACLE_HOME/assistants/dbca/templates
• Multitenant: Oracle_19.3.0.0_Template_for_64_bit_PDB_Linux.dbt
From: /home/oracle/oracle_install/responsefiles/templates
To: $ORACLE_HOME/assistants/dbca/templates

4. Open a command prompt, and execute one of the following commands. Run the command for your database
environment (line breaks are added for legibility):
• Single tenant environment:
$ORACLE_HOME/bin/dbca
-createDatabase
-progressOnly
-responseFile /home/oracle/oracle_install/responsefiles/singleinstance/Oracle_19.3.0.0_DBCA_Linux.rsp
• Multitenant environment:
$ORACLE_HOME/bin/dbca
-createDatabase
-progressOnly
-responseFile /home/oracle/oracle_install/responsefiles/multitenant/Oracle_19.3.0.0_DBCA_PDB_Linux.rsp
• RAC environment:
$ORACLE_HOME/bin/dbca
-createDatabase
-progressOnly
-nodelist <list of RAC node names>
-responseFile /home/oracle/oracle_install/responsefiles/rac/Oracle_19.3.0.0_DBCA_RAC_Linux.rsp

Replace <list of RAC node names> with the names of the nodes in your RAC environment, separated by commas.

5. Enter the SYS password when prompted.
6. Enter the SYSTEM password when prompted.
Follow these guidelines to create acceptable passwords:
• Passwords cannot contain more than 30 characters.
• Passwords cannot contain double quotation marks, commas, or backslashes.
• Avoid using the & character.
• Passwords are case-sensitive by default. You can change the case sensitivity through an Oracle configuration
setting.
• If your password uses special characters other than _, #, or $, or if your password begins with a number, you must
enclose the password in double quotes when you configure it.
7. If you are creating the database in a multitenant environment, a dialog appears that prompts you to enter the
PDBAdmin user and password. Enter the user account and password you used when you created the PDB.

The progress of the Symantec Data Loss Prevention database creation appears on the terminal window.
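The password rules listed in step 6 are the same ones that apply to the protect user password created later in this section and in the Windows procedure earlier. The following Python function is an added example, not Symantec's or Oracle's own validation: it applies exactly those rules to a candidate password (length, forbidden characters, the warning about &) and reports whether the value must be enclosed in double quotes when it is entered in configuration. Oracle profile password policies (verify functions) are outside its scope.

```python
import re

# Added example: apply this page's password rules to a candidate value.
# It is not Oracle's profile policy and does not replace it.

MAX_LENGTH = 30
FORBIDDEN = '",\\'                                   # double quote, comma, backslash
NEEDS_QUOTING_RE = re.compile(r"[^A-Za-z0-9_#$]")   # anything beyond letters, digits, _ # $


def check_oracle_password(password):
    """Return {'ok', 'errors', 'warnings', 'needs_quoting'} for the candidate password."""
    errors, warnings = [], []
    if not password:
        errors.append("password is empty")
    if len(password) > MAX_LENGTH:
        errors.append("%d characters; the limit is %d" % (len(password), MAX_LENGTH))
    bad = sorted(set(password) & set(FORBIDDEN))
    if bad:
        errors.append("contains forbidden character(s): %s" % " ".join(bad))
    if "&" in password:
        # SQL*Plus treats & as a substitution-variable prefix unless DEFINE is off
        warnings.append("contains '&'; SQL*Plus may prompt for a substitution value")
    # Quoting is required for a leading digit or any character outside _ # $ and alphanumerics
    needs_quoting = bool(password) and (password[0].isdigit()
                                        or NEEDS_QUOTING_RE.search(password) is not None)
    return {"ok": not errors, "errors": errors, "warnings": warnings,
            "needs_quoting": needs_quoting}


def as_configured(password):
    """Return the password as it must be typed into configuration: quoted when required."""
    result = check_oracle_password(password)
    if not result["ok"]:
        raise ValueError("; ".join(result["errors"]))
    return '"%s"' % password if result["needs_quoting"] else password


if __name__ == "__main__":
    for candidate in ("Protect#2023", "2fast4you", 'pa"ss,word', "a" * 31, "p&q"):
        print(repr(candidate), check_oracle_password(candidate))
```

The rules are case-sensitive by default, as the page notes, so the function does not fold case; a value that passes here may still be rejected by a password verify function attached to the user's profile.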

Creating the Symantec Data Loss Prevention database on RAC with a


multitenant environment on Linux
If you plan to run the Symantec Data Loss Prevention database on RAC, you install the database on the RAC system.
NOTE
These steps provide details for installing the database on RAC with a multitenant environment. You complete a
different process to create the database in a single tenant environment.
Creating the Symantec Data Loss Prevention database on Linux
1. Copy the template file Oracle_19.3.0.0_Template_for_64_bit_PDB_Linux.dbt (located in the /tmp/
oracle_install/templates/rac/ folder) to $ORACLE_HOME/assistants/dbca/templates on the Oracle
19c RAC server.
2. Open the Database Configuration Assistant (DBCA) on the RAC server by running the following command:
$ORACLE_HOME/bin/dbca

3. See Table 97: Database Configuration Assistant for information on what to enter on each screen of the Database
Configuration Assistant.

Table 97: Database Configuration Assistant

Database Operation: Select Create Database and click Next.
Creation Mode: Select Advanced Mode and click Next.
Deployment Type: Select Oracle 19.3.0.0 Database for DLP and click Next.
Nodes Selection: Select all RAC nodes that apply and click Next.
Database Identification: Enter information and select items for the following:
• Enter dlpcdb in the Global Database Name field.
• Enter dlpcdb in the SID prefix field. This field automatically populates based on the value you provided in the
Global Database Name field.
• Select Create as a Container Database and complete the following:
– Enter 1 in the Number of PDBS field.
– Enter protect in the PDB Name field.
Click Next.
Storage Option: Select Use the following for the database storage attributes. Enter information and select items for
the following:
• Select Automatic Storage Management (ASM) in the Database files storage type list.
• Enter +DATA/{DB_UNIQUE_NAME} in the Database files location field.
• Select Use Oracle-Managed Files (OMF).
Click Next.
Fast Recovery Option: Use the default setting and click Next.
Database Options: Use the default setting and click Next.
Configuration Options: Update the SGA and PGA size based on your system requirements and click Next.
Management Options: Use the default settings and click Next.
User Credentials: Select an item and passwords applicable for your implementation and click Next.
Creation Options: Use the default settings and click Next.
Prerequisite Checks: The prerequisite check process can take ten minutes to complete. After the process completes,
review warnings and confirm that all expected nodes are running. Click Next.
Summary Parameters: Review the information to confirm RAC and PDB settings. Click Next.
Progress: The database creation process can take about an hour to complete. Click Next.
Finish: Record the CDB name (dlpcdb), and click Close to complete the process.

After you complete these steps, you verify the database.


Verifying the PDB database on Linux

Verifying the PDB database on Linux


After you complete the CDB and PDB database installation on RAC, you verify components of the installation. Specifically,
you confirm that the CDB name is dlpcdb and that the PDB name is protect.
1. Set environment variables by running the following command:
export ORACLE_HOME=/opt/oracle/product/19.3.0.0/db_1
export ORACLE_SID=dlpcdb

2. Open a command prompt as the Oracle user and start SQL*Plus:


sqlplus sys/<password> as sysdba

3. Confirm the CON_NAME by running the following command.


show con_name

The command output should display a message similar to the following message:
CON_NAME
------------------------------
CDB$ROOT

4. Confirm the PDB name by running the following command:


show pdbs

The command output should display a message similar to the following message:
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
3 PROTECT READ WRITE NO

Configuring the database connection on Linux


Skip these steps if you are configuring RAC.
The following list provides an overview of steps you complete to configure the database connection on Linux:
1. Run the Oracle Net Configuration Assistant to configure the TNS listener and the local net service name.
Configuring TNS Listener and Net Service Name
2. Verify the tnsnames.ora file.
Verifying tnsnames.ora contents
3. Modify the listener.ora file.
Modifying the listener.ora file

Configuring TNS Listener and Net Service Name


Perform the following procedure to configure the TNS Listener and Net Service Name for the Symantec Data Loss
Prevention database.
NOTE
To use the commands that are referenced in this procedure, ensure that your working directory is
$ORACLE_HOME/bin. If SQL*Plus does not work while following this procedure, set your $PATH variable to
point to $ORACLE_HOME/bin.
Before you create the TNS Listener, confirm that the local host name can be resolved, either through the DNS server or
through a hosts file. If the host name cannot be resolved, the Net Configuration Assistant (NETCA) cannot start. If you
use a hosts file (/etc/hosts), it must contain IP-address-to-host-name mappings for the server. Add two entries to the
/etc/hosts file, one that resolves the static IP address and one that resolves the loopback address. For example, use
the following details:
[IP address or DNS] myhost.mydomain.com myhost
127.0.0.1 myhost.mydomain.com myhost
Replace myhost with the actual host name.
1. As the Oracle user, run the following commands to confirm that environment variables are set:
a) Run the following command to set the ORACLE_HOME variable:
export ORACLE_HOME=/opt/oracle/product/19.3.0.0/db_1
b) Run the following command to set the PATH variable:
export PATH=$ORACLE_HOME/bin:$PATH
2. Start the Oracle Net Configuration Assistant:
$ORACLE_HOME/bin/netca

3. Create the TNS Listener.


Refer to Table 98: Configuring the TNS Listener for information on what to enter on each screen of the Oracle Net
Configuration Assistant.

Table 98: Configuring the TNS Listener

Welcome: Select Listener configuration and click Next.
Listener Configuration, Listener: Select Add and click Next.
Listener Configuration, Listener Name: Enter a listener name and click Next.
Note: Use the default listener name, LISTENER, unless you must use a different name.
Listener Configuration, Select Protocols: Select the TCP protocol and click Next.
Listener Configuration, TCP/IP Protocol: Select Use the standard port number of 1521 and click Next.
Listener Configuration, More Listeners?: Select No and click Next.
Listener Configuration Done: Click Next.
Oracle Net Configuration Assistant: Configure the Local Net Service Name.

4. Configure the Local Net Service Name.


Refer to Table 99: Configuring the Local Net Service Name for information on what to enter on each screen of the
Oracle Net Configuration Assistant.

Table 99: Configuring the Local Net Service Name

Welcome: Select Local Net Service Name configuration and click Next.
Net Service Name Configuration: Select Add and click Next.
Net Service Name Configuration, Service Name: Enter protect in the Service Name field, and click Next.
Net Service Name Configuration: Select the TCP protocol and click Next.
Net Service Name Configuration, TCP/IP Protocol:
1. Enter the host name of the Oracle server computer in the Host name field.
2. Select Use the standard port number of 1521 (the default value).
3. Click Next.
Net Service Name Configuration, Test: Select No, do not test and click Next. Do not test the service configuration
because the listener has not yet started.
Net Service Name Configuration, Net Service Name: Accept the default net service name (protect) and click Next.
Net Service Name Configuration, Another Net Service Name?: Select No and click Next.
Net Service Name Configuration Done: Click Next and click Finish to exit the Oracle Net Configuration Assistant.

Verifying tnsnames.ora contents


Before you create the required Oracle user accounts, verify that the tnsnames.ora file contains entries for the protect
database that you created.

If you are preparing the database for a multitenant environment, you modify the tnsnames.ora file contents.
1. Using a text editor, open the tnsnames.ora file, which is located in the $ORACLE_HOME/network/admin directory.
2. Verify that the following lines are present in the file:
PROTECT =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = host_name)(PORT = port_number))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = protect)
    )
  )

If these lines do not exist, add them to the file, replacing host_name and port_number with the correct values for
your system.
NOTE
Do not copy and paste information to the tnsnames.ora file. Pasting information to the file can introduce
hidden characters that cannot be parsed.
3. Add the following lines if you are installing a multitenant database, replacing <host_name> with the correct value for
your system:
• DLPCDB =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = <host_name>)(PORT = 1521))
      (CONNECT_DATA =
        (SERVER = DEDICATED)
        (SERVICE_NAME = DLPCDB)
      )
    )
• PROTECT =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = <host_name>)(PORT = 1521))
      (CONNECT_DATA =
        (SERVER = DEDICATED)
        (SERVICE_NAME = PROTECT)
      )
    )

4. Save the tnsnames.ora file and exit the text editor.
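The following shell script is an added example and is not part of the Symantec documentation or the product. It automates the two things the procedure above asks you to verify by eye: that tnsnames.ora contains an entry for the PROTECT alias that resolves to the protect service, and that no hidden characters (the NOTE warns about these) were pasted into the file. The sample files, the host name dbhost.example.com and the function names are constructed for the example; point the functions at $ORACLE_HOME/network/admin/tnsnames.ora on a real host.

```shell
#!/bin/sh
# Added example, not part of the Symantec documentation: check a tnsnames.ora file
# for the PROTECT entry and for hidden characters introduced by copy and paste.
# Assumed inputs: a file path, a net service alias and the expected SERVICE_NAME.

# Print the line numbers of lines that contain any byte outside printable ASCII
# (tab is allowed). Returns 0 when the file is clean, 1 when such lines exist.
find_hidden_chars() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }
    tab=$(printf '\t')
    # The C locale makes the byte-range test independent of the system locale;
    # -v prints the lines that are NOT made only of allowed bytes.
    if LC_ALL=C grep -n -v "^[ -~$tab]*\$" "$file"; then
        return 1
    fi
    return 0
}

# Return 0 when ALIAS (case-insensitive) has an entry whose CONNECT_DATA sets
# SERVICE_NAME to SERVICE; 1 otherwise. An entry starts with the alias in
# column 1 followed by '=' and runs until the next such line.
has_service_entry() {
    file=$1; alias=$2; service=$3
    awk -v alias="$alias" -v svc="$service" '
        /^[A-Za-z0-9_.]+[ \t]*=/ {
            a = $0; sub(/[ \t]*=.*/, "", a)
            inentry = (toupper(a) == toupper(alias)); next
        }
        inentry && match($0, /SERVICE_NAME[ \t]*=[ \t]*[A-Za-z0-9_.]+/) {
            v = substr($0, RSTART, RLENGTH); sub(/.*=[ \t]*/, "", v)
            if (toupper(v) == toupper(svc)) found = 1
        }
        END { exit found ? 0 : 1 }' "$file"
}

# Combined check: clean bytes AND the expected entry (defaults: PROTECT/protect).
check_tnsnames() {
    file=$1; alias=${2:-PROTECT}; service=${3:-protect}
    status=0
    if ! find_hidden_chars "$file"; then
        echo "$file: the lines above contain non-ASCII or control characters"
        status=1
    fi
    if ! has_service_entry "$file" "$alias" "$service"; then
        echo "$file: no entry for alias $alias with SERVICE_NAME = $service"
        status=1
    fi
    return $status
}

# Constructed sample files (the host name is a placeholder).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
good="$demo_dir/tnsnames.ora"
bad="$demo_dir/tnsnames_pasted.ora"

cat > "$good" <<'EOF'
PROTECT =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = protect)
    )
  )
EOF

# The same entry after a paste from a word processor: a CRLF line ending and a
# non-breaking space (bytes C2 A0) have crept in; neither is visible in an editor.
{
    printf 'PROTECT =\r\n'
    printf '  (DESCRIPTION =\n'
    printf '    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))\n'
    printf '    (CONNECT_DATA =\302\240(SERVICE_NAME = protect))\n'
    printf '  )\n'
} > "$bad"

for f in "$good" "$bad"; do
    if check_tnsnames "$f"; then echo "OK:   $f"; else echo "FAIL: $f"; fi
done
```

The byte-range test is deliberately strict: anything that is not a printable ASCII character or a tab is reported with its line number, which is exactly what a pasted non-breaking space or a Windows line ending looks like to Oracle's parser.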

Modifying the listener.ora file


The following steps assume you have logged into the Oracle host computer as the Oracle user.
1. Run the following command to stop the listener:
lsnrctl stop

2. Open the following file in a text editor:


$ORACLE_HOME/network/admin/listener.ora

3. Change key_value to PROTECT in the following line:
(ADDRESS = (PROTOCOL = IPC)(KEY = <key_value>))
4. Add the following line to the end of the file:
SECURE_REGISTER_LISTENER = (IPC)
5. Add the following lines if you are installing a multitenant database:
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = DLPCDB)
      (SID_NAME = DLPCDB)
      (ORACLE_HOME = /opt/oracle/product/19.3.0.0/db_1)
    )
    (SID_DESC =
      (GLOBAL_DBNAME = PROTECT)
      (SID_NAME = DLPCDB)
      (ORACLE_HOME = /opt/oracle/product/19.3.0.0/db_1)
    )
  )

6. Save the file and exit the text editor.


7. Run the following command:
export ORACLE_SID=protect

8. Run the following command:


lsnrctl start

9. Run the following commands to connect to the database using SQL*Plus:


sqlplus sys/<password> as sysdba

10. Run the following command:


ALTER SYSTEM SET service_names = 'protect' SCOPE=both;

11. Run the following command:


ALTER SYSTEM SET local_listener =
'(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=PROTECT)))' SCOPE=both;

12. Run the following command to register the listener:


ALTER SYSTEM REGISTER;

13. Exit SQL*Plus by running the following command:


exit

14. Run the following command to verify the change:


lsnrctl services

The command output for a single-tenant environment displays a message similar to the following message:
Services Summary...
Service "protect" has 1 instance(s).
  Instance "protect", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         LOCAL SERVER
The command completed successfully

NOTE
For a multitenant environment, confirm that at least one instance of DLPCDB and PROTECT appears.
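The following shell script is an added example and is not part of the Symantec documentation or the product. It parses saved lsnrctl services (or lsnrctl status) output and confirms that the services the procedure expects have an instance in status READY: protect for a single-tenant database, DLPCDB and PROTECT for a multitenant one. The two output samples below are constructed to resemble the listener output shown above, including a third service (OLDDB) that is only statically registered; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Symantec documentation: parse 'lsnrctl services'
# (or 'lsnrctl status') output and confirm that the expected services have an
# instance in status READY. Output is read from a file so the samples below can
# stand in for a live listener (on a real host: lsnrctl services > out.txt).

# Print, one per line and upper-cased, every service name that has at least one
# instance whose status is READY. Statically registered instances show UNKNOWN
# and are deliberately not counted: they prove only that listener.ora names
# them, not that the database has actually registered with the listener.
ready_services() {
    awk '
        /^ *Service "/ { svc = $0; sub(/^ *Service "/, "", svc); sub(/".*/, "", svc); next }
        /^ *Instance "/ && /status READY/ && svc != "" { print toupper(svc) }
    ' "$1" | LC_ALL=C sort -u
}

# Return 0 when every service named after the file argument is READY, 1 otherwise;
# each missing service is reported on stdout.
require_ready() {
    out=$1; shift
    ready=$(ready_services "$out")
    missing=0
    for want in "$@"; do
        want_uc=$(printf '%s' "$want" | tr '[:lower:]' '[:upper:]')
        if ! printf '%s\n' "$ready" | grep -qx "$want_uc"; then
            echo "missing READY instance for service $want"
            missing=1
        fi
    done
    return $missing
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
single="$demo_dir/single.txt"
multi="$demo_dir/multi.txt"

# Constructed output for a single-tenant database.
cat > "$single" <<'EOF'
Services Summary...
Service "protect" has 1 instance(s).
  Instance "protect", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         LOCAL SERVER
The command completed successfully
EOF

# Constructed output for a multitenant database: the CDB and the PDB service
# are registered, while a stale static entry for a third service never came up.
cat > "$multi" <<'EOF'
Services Summary...
Service "DLPCDB" has 1 instance(s).
  Instance "dlpcdb", status READY, has 1 handler(s) for this service...
Service "PROTECT" has 1 instance(s).
  Instance "dlpcdb", status READY, has 1 handler(s) for this service...
Service "OLDDB" has 1 instance(s).
  Instance "olddb", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
EOF

for f in "$single" "$multi"; do
    echo "READY services in $f:"; ready_services "$f"
done
require_ready "$multi" DLPCDB PROTECT && echo "multitenant check passed"
```

Because the comparison is case-insensitive, it does not matter whether the service was registered as protect or PROTECT; what matters is that the status is READY, which is what the procedure's manual check looks for.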

Verifying that the PDB listener is created and registered on Linux


If you are running the database in a multitenant environment, verify that the PDB listener is created and registered.
1. Run the following command in SQL*Plus to verify PDB accessibility:
sqlplus sys/<password>@protect as sysdba

2. Exit SQL*Plus after you run the command.


3. Run the following commands to confirm that the PDB service is accessible:
a) sqlplus sys/<password> as sysdba
b) show parameter service
The command output should display a message similar to the following message:
NAME                       TYPE        VALUE
-------------------------- ----------- ------------------------------
service_names              string      dlpcdb
c) show parameter local_listener
The command output should display a message similar to the following message:
NAME                       TYPE        VALUE
-------------------------- ----------- ------------------------------
local_listener             string      (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=protect)))
d) Run the following commands to format the output:
COLUMN SERVICE_ID FORMAT 9
COLUMN NAME FORMAT A20
COLUMN PDB FORMAT A20
e) select service_id, name, pdb from v$services;
The command output should display a message similar to the following message:
SERVICE_ID NAME                 PDB
---------- -------------------- --------------------
         1 SYS$BACKGROUND       CDB$ROOT
         2 SYS$USERS            CDB$ROOT
         3 dlpcdbXDB            CDB$ROOT
         4 dlpcdb               CDB$ROOT
         7 protect              PROTECT
NOTE
The SERVICE_ID number may differ from what is listed on your system.
4. Confirm the active services that are running under cdb$root by running the following command:
alter session set container=cdb$root;

select name from v$active_services;

The command output should display a message similar to the following message:

NAME
----------------------------------------------------------------
dlpcdb
SYS$BACKGROUND
SYS$USERS
protect
dlpcdbXDB

Confirm that the dlpcdb and protect services are listed in the output.
5. Complete the following steps if the protect service is missing from the output in step 4:
a) Run the following commands:
Alter session set container=protect;

exec dbms_service.CREATE_SERVICE('PROTECT', 'PROTECT');

exec dbms_service.START_SERVICE(SERVICE_NAME=>'PROTECT');

ALTER SYSTEM REGISTER;


b) Restart the listener and check its status by running the following commands:
lsnrctl stop
lsnrctl start
lsnrctl status

The command output should display a message similar to the following message:
Service "DLPCDB" has 1 instance(s).
  Instance "dlpcdb", status READY, has 1 handler(s) for this service...
Service "PROTECT" has 1 instance(s).
  Instance "dlpcdb", status READY, has 1 handler(s) for this service...

6. Confirm that the PDB service is accessible by running the following commands:
a) sqlplus sys/<password>@protect as sysdba
b) show con_name
Returns the following message:
CON_NAME
------------------------------
PROTECT
c) show pdbs
Returns the following message:
    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         3 PROTECT                        READ WRITE NO

7. Run the following command if the show pdbs command returns protect listed without Read Write:
sqlplus sys/<password>@protect as sysdba

select inst_id, con_id, name, open_mode from gv$pdbs where name='PROTECT';

Setting the protect PDB to autostart on Linux
If you are running the database in a multitenant environment, configure the protect PDB to autostart when the Oracle
database restarts. You can set the PDB to autostart by saving the state of the PDB when it is open.
1. Open a command prompt as the Oracle user.
2. Start SQL*Plus by running the following command:
sqlplus sys/<password> as sysdba

3. Run the following command:


alter pluggable database protect open;

alter pluggable database protect save state;

Adding required tablespaces to the PDB database on Linux


If you are running the database in a multitenant environment, add tablespaces to the PDB database.
1. Navigate to the /home/oracle/oracle_install/scripts folder.
2. Start SQL*Plus and run the add_pdb_tablespace_Linux.sql script:
sqlplus /nolog @add_pdb_tablespace_Linux.sql
3. At the Please enter the password for sys user prompt, enter the password for the SYS user.
4. At the Please enter Service Name prompt, enter protect.
5. Confirm that all required tablespaces are added for the PDB by running the following script:
sqlplus sys/<password>@protect as sysdba
SELECT tablespace_name FROM dba_tablespaces;

For example, if you are using Oracle 19.3.0.0, the output information should read:
TABLESPACE_NAME
------------------------------
SYSTEM
SYSAUX
UNDOTBS1
TEMP
USERS
LOB_TABLESPACE

6. Confirm the summary of tablespaces and that the data file paths are consistent by running the following steps:
a) Connect to the PDB with SQL*Plus:
sqlplus sys/<password>@protect as sysdba
b) Run the following commands:
COLUMN Tablespace_Name FORMAT A20
COLUMN File_Name FORMAT A50
COLUMN Size_Mb FORMAT 9999
SELECT substr(tablespace_name,1,20) as Tablespace_Name,
       substr(file_name,1,50) as File_Name,
       bytes/1024/1024 as Size_MB
  FROM dba_data_files
 union
SELECT 'TEMP' as Tablespace_Name,
       name as File_Name,
       bytes/1024/1024 as Size_MB
  FROM v$tempfile;
c) Confirm that the data file paths are consistently located in the same location under the PROTECT folder. For
example, if you are using Oracle 19c, the output information should read:
TABLESPACE_NAME      FILE_NAME                                          SIZE_MB
-------------------- -------------------------------------------------- -------
LOB_TABLESPACE       /opt/oracle/oradata/dlpcdb/protect/LOB01.DBF          2048
LOB_TABLESPACE       /opt/oracle/oradata/dlpcdb/protect/LOB02.DBF          1024
LOB_TABLESPACE       /opt/oracle/oradata/dlpcdb/protect/LOB03.DBF          1024
SYSAUX               /opt/oracle/oradata/dlpcdb/protect/SYSAUX01.DBF        150
SYSTEM               /opt/oracle/oradata/dlpcdb/protect/SYSTEM01.DBF        169
TEMP                 /opt/oracle/oradata/dlpcdb/protect/TEMP01.DBF         2048
UNDOTBS1             /opt/oracle/oradata/dlpcdb/protect/UNDOTBS01.DBF      2048
USERS                /opt/oracle/oradata/dlpcdb/protect/USERS01.DBF        2048
USERS                /opt/oracle/oradata/dlpcdb/protect/USERS02.DBF        2048
USERS                /opt/oracle/oradata/dlpcdb/protect/USERS03.DBF        2048

Verifying the Symantec Data Loss Prevention database on Linux


After you create the Symantec Data Loss Prevention database, verify that it was created correctly.
NOTE
To use the commands that are referenced in this procedure, ensure that your working directory is
$ORACLE_HOME/bin. If SQL*Plus does not work while following this procedure, set the $PATH variable to point
to $ORACLE_HOME/bin.
1. Open a command prompt as the Oracle user, start SQL*Plus, and log on as the SYS user:
sqlplus sys/<password>@protect as sysdba

Where <password> represents the SYS password.


Exit SQL*Plus after you run the command.
2. Run the following query:
SELECT BANNER_FULL FROM v$version;

3. Confirm that the output from the query contains information that correctly identifies the software components for the
installed version of the Oracle database.
For example, if you are using Oracle 19c Enterprise Edition, the output information should read:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0
Version 19.3.0.0.0

4. Exit SQL*Plus:
exit

Creating the Oracle user account for Symantec Data Loss Prevention on Linux
Perform the following procedure to create an Oracle user account and name it “protect.”
1. Copy the oracle_create_user.sql file from /home/oracle/oracle_install/scripts to a local directory.
2. Run the following command using SQL*Plus to run the oracle_create_user.sql script:
sqlplus /nolog @oracle_create_user.sql

3. At the Please enter the password for sys user prompt, enter the password for the SYS user.
4. At the Please enter SID prompt, enter protect.
5. At the Please enter required username to be created prompt, enter protect.
6. At the Please enter a password for the new username prompt, enter a new password.
Follow these guidelines to create acceptable passwords:
• Passwords cannot contain more than 30 characters.
• Passwords cannot contain double quotation marks, commas, or backslashes.
• Avoid using the & character.
• Passwords are case-sensitive by default. You can change the case sensitivity through an Oracle configuration
setting.
• If your password uses special characters other than _, #, or $, or if your password begins with a number, you must
enclose the password in double quotes when you configure it.
Store the password in a secure location for future use. You use this password to install Symantec Data Loss
Prevention. If you must change the password after you install Symantec Data Loss Prevention, see the Symantec
Data Loss Prevention Help Center for instructions.
NOTE
If you have not already created the protect account, an error message displays indicating that it does not
exist. You can safely ignore this message and continue the process.
7. Confirm that tablespaces are available for the Oracle user you created by running the following commands in the listed
order:
a) sqlplus protect/<password>@protect
b) SELECT tablespace_name FROM user_tablespaces;
The command returns the following message:
TABLESPACE_NAME
------------------------------
SYSTEM
SYSAUX
TEMP
USERS
LOB_TABLESPACE

Configuring automatic startup and shutdown of the database
To configure automatic startup and shutdown of the database, follow this procedure:
1. Switch to the root user.
2. Go to the oracle_install directory.
cd /home/oracle/oracle_install

3. Run the oracle_post.sh script from the oracle_install directory.


./scripts/oracle_post.sh

4. Verify that the script completed successfully by confirming that the last line of the output is:
dbora 0:off 1:off 2:off 3:on 4:on 5:on 6:off

You may see errors before the last line (for example, cannot access /var/log/dbora). You can ignore these errors.
Validate that the settings were applied by viewing the file /etc/oratab and confirming that Y appears in the final line:
protect:/opt/oracle/product/19.3.0.0/db_1:Y. If N appears, change it to Y and save your changes.

Upgrading the database to Oracle 19c


This section includes the following topics:
About upgrading the Symantec Data Loss Prevention database to Oracle 19c
Steps to upgrade the Symantec Data Loss Prevention database to Oracle 19c

About upgrading the Symantec Data Loss Prevention database to Oracle 19c
You can use the Database Upgrade Assistant (DBUA) to upgrade to the Oracle 19c database software. Using the DBUA
allows you to upgrade the database on the same server where the previous database resides.

Steps to upgrade the Symantec Data Loss Prevention database to Oracle 19c
Table 100: Steps to upgrade the Symantec Data Loss Prevention database to Oracle 19c provides a high-level view of
the database migration process. You can find more detail for each step of the process as indicated in the table.

Table 100: Steps to upgrade the Symantec Data Loss Prevention database to Oracle 19c

Step  Action                                    Information
1     Set privileges for the "protect" user.    Setting Privileges for the Oracle User
2     Upgrade to Oracle 19c.                    Upgrading to Oracle 19c

Setting Privileges for the Oracle User


You must set privileges for the Oracle user. Set privileges before you upgrade Symantec Data Loss Prevention.

1. Stop all Symantec Data Loss Prevention services.


2. Provide the Oracle database user permissions by completing the following steps:
a) Start SQL*Plus.
b) Run the following commands:
sqlplus sys/protect as sysdba
GRANT read, write ON directory data_pump_dir TO protect;
GRANT SELECT ON dba_registry_history TO protect;
GRANT SELECT ON dba_temp_free_space TO protect;
GRANT SELECT ON v_$version TO protect;
GRANT EXECUTE ON dbms_lob TO protect;
GRANT create job TO protect;
c) Exit SQL*Plus:
exit

Upgrading to Oracle 19c


You use the steps in this section to upgrade your Oracle database (either 11g or 12c) to Oracle 19c.
NOTE
If you are installing the database to a Linux environment, you must export display settings. The instructions in
this section assume that you are logged on locally to the Linux server and running the X Window System. See
Installing the Oracle 19c software on Linux for more details.
1. Obtain and review the Oracle 19c installation software.
About Installing Oracle 19c on Windows
About installing Oracle 19c on Linux
2. Prepare the database environment.
Preparing the Windows environment
Performing the Linux preinstallation steps
3. Install the Oracle 19c software.
Installing the Oracle 19c software on Windows
Installing the Oracle 19c software on Linux
4. Start the Database Upgrade Assistant by running the following command:
%ORACLE_HOME%\bin\dbua for Windows

$ORACLE_HOME/bin/dbua for Linux

If the Database Upgrade Assistant does not launch and an error message displays, complete the following items in
order:
a) Open the command prompt window.
b) Set ORACLE_HOME depending on your database server OS:
set ORACLE_HOME=c:\oracle\product\19.3.0.0\db_1 for Windows
export ORACLE_HOME=/opt/oracle/product/19.3.0.0/db_1 for Linux
c) Set the path:
set PATH=%PATH%;%ORACLE_HOME%\bin for Windows
export PATH=$PATH:$ORACLE_HOME/bin for Linux
d) Restart the Database Upgrade Assistant:
%ORACLE_HOME%\bin\dbua for Windows
$ORACLE_HOME/bin/dbua for Linux

5. Confirm that the OracleServicePROTECT service is running.


If the service is not running, an error message displays and the upgrade process cannot finish.

6. Refer to the following table for information on what to enter on each screen of the Database Upgrade Assistant.

Screen                      Description
Select Database             Enter the sysdba user name and password.
Prerequisite Checks         Resolve any warnings or errors that display. Sometimes, you must drop packages
                            from previous Symantec Data Loss Prevention versions to clear errors. For example,
                            to drop Symantec Data Loss Prevention 15.8 packages, you run the following SQL
                            command:
                            SQL> drop package UPGRADESCEHEME_PRELOAD_V15_8_0;
Select Upgrade Options      Leave the settings as default.
Select Recover Options      Select I have my own backup and restore strategy.
Configure Network           Clear the selected listener that displays on the Listener Selection tab. You re-create
                            the listener in a later step. Leave the remaining settings default.
Configure Management        Clear the Configure Enterprise Manager (EM) database express selection.
Summary                     The Summary screen lists the settings that are used during the database upgrade.
                            Click Finish.
Progress                    The Progress screen displays the details about the upgrade. The upgrade can take
                            around 30 minutes to complete.
Results                     The Results screen appears when the upgrade completes.

7. Re-create the TNS Listener and Net Service Name.


Configuring the TNS Listener and Net Service Name for Windows
Configuring the TNS Listener and Net Service Name for Linux
8. Restart Symantec Data Loss Prevention services.
9. Log on to the Enforce Server administration platform.
If the Enforce Server logon page does not load and instead displays a 'GLOBAL NOT_FOUND' message, restart all
Symantec Data Loss Prevention services again.

Migrating the database to Oracle 19c


This section includes the following topics:
About migrating the Symantec Data Loss Prevention database to Oracle 19c
Steps to migrate the Symantec Data Loss Prevention database to Oracle 19c
Migrating to an Oracle multitenant environment on Windows Oracle 19c
Migrating to an Oracle multitenant environment on Linux

About migrating the Symantec Data Loss Prevention database to Oracle 19c
The following sections list the process to migrate the Symantec Data Loss Prevention database from a previous Oracle
database version (including Oracle 11g and 12c) to supported versions of Oracle 19c.
Under ideal conditions, the migration process can take about two-and-a-half hours to complete. However, factors such
as the size of your database and the hardware in your environment may extend the time to complete considerably. Table
101: Estimated processing time for migration tasks provides a breakdown of how long each part of the process takes.

NOTE
Times were recorded in a lab environment under ideal conditions. The time to complete the database migration
process varies based on environment hardware performance and other factors.

Table 101: Estimated processing time for migration tasks

Process                                                         Time
Exporting the data from Oracle 12c consisting of a 25-GB file   ~20 minutes
Importing the data into Oracle 19c                              ~2 hours

Steps to migrate the Symantec Data Loss Prevention database to Oracle 19c
Table 102: Steps to migrate the Symantec Data Loss Prevention database to Oracle 19c provides a high-level view of
the database migration process. You can find more detail for each step of the process as indicated in the table.

Table 102: Steps to migrate the Symantec Data Loss Prevention database to Oracle 19c

Step  Action                                                      Information
1     Update your version of Symantec Data Loss Prevention to     Upgrading DLP
      at least 15.8.
2     Install the Oracle software on a new system.                • Installing the Oracle 19c software on Windows
                                                                  • Installing the Oracle 19c software on Linux
3     Install the Oracle 19c Client (SQL*Plus and Database        Using Oracle 19c with Symantec Data Loss Prevention
      Utilities) on the Enforce Server if you are running a
      three-tier installation.
4     Create the Symantec Data Loss Prevention database in        • Creating the Symantec Data Loss Prevention database on Windows
      Oracle 19c.                                                 • Creating the Symantec Data Loss Prevention database on Linux
5     Set up the listener.                                        • Configuring the database connection on Linux
                                                                  • Configuring the database connection on Windows
6     Create the Oracle user account.                             • Creating the Oracle user account for Symantec Data Loss
                                                                    Prevention on Windows
                                                                  • Creating the Oracle user account for Symantec Data Loss
                                                                    Prevention on Linux
7     Configure automatic startup and shutdown of the database    Configuring automatic startup and shutdown of the database
      (only applies to Linux).
8     Run the latest version of the Update Readiness Tool.        Running the Update Readiness Tool before you migrate the database
                                                                  to the Oracle 19c software ensures that migrated data is compatible
                                                                  and no errors occur.
                                                                  Preparing to Run the Update Readiness Tool
9     Confirm the schema row count before the export.             Confirm the schema row count before the export on Windows
                                                                  Confirm the schema row count before the export on Linux
10    Confirm the local DATA PUMP directory.                      Confirm the DATA PUMP directory
11    Stop all Symantec Data Loss Prevention services.            Stop all Symantec Data Loss Prevention services
12    Export the Oracle database.                                 Export the database from the Oracle source database system
13    Add data files for large databases.                         Add data files for large databases
      This step is only required for databases with tablespaces
      that exceed 98 MB.
14    Import the database into Oracle 19c.                        Import the database to the Oracle 19c system
15    Connect the Enforce Server.                                 Connect the Enforce Server to the Oracle 19c database
16    Update the Enforce Server to use the database server        • Update the database server connection on Windows
      credentials for the Oracle 19c database.                    • Update the database server connection on Linux
17    Restart all Symantec Data Loss Prevention services.         Restart all Symantec Data Loss Prevention services
18    Confirm the schema row count after the import.              Confirm the schema row count after the import on Windows
                                                                  Confirm the schema row count after the import on Linux

Confirm the schema row count before the export on Windows


Confirm the schema row count before you begin the database export. You use the database row count to compare to the
count after you complete the export.
1. Enter the following at the SQL> command prompt:
sqlplus protect/<password>@protect

The Connected message appears.


2. Enter the following command to create a PL/SQL function that generates the row count:
create or replace function row_count (p_tablename in varchar2)
return number
as
  l_count number;
begin
  -- p_tablename is supplied from user_tables in the next step, so the dynamic
  -- statement only ever sees table names owned by the connected schema
  execute immediate 'select count(*) from ' || p_tablename into l_count;
  return l_count;
end;
/

3. Run the following query to generate the row count for each table in your schema:
spool rowCount_before_export.txt

select table_name, row_count(table_name) num_of_rows from user_tables;

spool off

The rowCount_before_export.txt file is generated in the execution directory.

4. Save the rowCount_before_export.txt file for future use.

Confirm the schema row count before the export on Linux


Confirm the schema row count before you begin the database export. You use the schema row count to compare to the
count after you complete the export.
1. At the SQL> command prompt enter:
sqlplus protect/<password>@protect

2. After receiving the Connected message, at the SQL> command prompt, enter the following command to create a
PL/SQL function that generates the row count:
create or replace function row_count (p_tablename in varchar2)
return number
as
  l_count number;
begin
  -- p_tablename is supplied from user_tables in the next step, so the dynamic
  -- statement only ever sees table names owned by the connected schema
  execute immediate 'select count(*) from ' || p_tablename into l_count;
  return l_count;
end;
/

3. Run the following query to generate the row count for each table in your schema:
spool rowCount_before_export.txt

select table_name, row_count(table_name) num_of_rows from user_tables;

spool off

The rowCount_before_export.txt file is generated in the execution directory.


4. Save the rowCount_before_export.txt file for future use.
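The row count spooled here (on Windows or Linux) is only useful once it is compared with the count spooled after the import, which is step 18 of the migration. The following shell script is an added example and is not part of the Symantec documentation or the product: it reduces two SQL*Plus spool files to table/count pairs and reports every table whose count changed or that is missing on one side. The spool file contents, the table names and the after-import file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Symantec documentation: compare the spooled
# rowCount_before_export.txt with the equivalent file spooled after the import
# and report every table whose row count changed or that is missing on one
# side. The after-import file names and the sample contents are constructed.

# Reduce a SQL*Plus spool file to "TABLE_NAME COUNT" lines. Column headers,
# dashed separators, "n rows selected." and echoed SQL> prompts all fail the
# two-field numeric test and are dropped; repeated page headers are handled too.
parse_rowcount() {
    awk 'NF == 2 && $1 ~ /^[A-Z][A-Z0-9_$#]*$/ && $2 ~ /^[0-9]+$/ { print $1, $2 }' "$1" |
        LC_ALL=C sort
}

# Exit 0 when every table has the same count in both files, 1 otherwise.
compare_rowcounts() {
    before=$1; after=$2
    tmp=$(mktemp -d)
    parse_rowcount "$before" > "$tmp/before"
    parse_rowcount "$after"  > "$tmp/after"
    # -a 1 -a 2 keep unpaired tables from either side; -e fills the absent count
    # so a table that vanished in the import is reported, not silently skipped.
    LC_ALL=C join -a 1 -a 2 -e MISSING -o 0,1.2,2.2 "$tmp/before" "$tmp/after" |
        awk 'BEGIN { bad = 0; n = 0 }
             { n++ }
             $2 != $3 { printf "MISMATCH %-30s before=%s after=%s\n", $1, $2, $3; bad = 1 }
             END { printf "%d tables compared\n", n; exit bad }'
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
before_txt="$demo_dir/rowCount_before_export.txt"
after_ok="$demo_dir/rowCount_after_import.txt"
after_bad="$demo_dir/rowCount_after_import_bad.txt"

# Constructed spool output in the shape SQL*Plus writes it.
cat > "$before_txt" <<'EOF'
SQL> select table_name, row_count(table_name) num_of_rows from user_tables;

TABLE_NAME                     NUM_OF_ROWS
------------------------------ -----------
INCIDENT                             12345
MESSAGELOB                            6789
POLICY                                  42

3 rows selected.

SQL> spool off
EOF

# A clean import reproduces every count; a bad one lost rows and a whole table.
cp "$before_txt" "$after_ok"
cat > "$after_bad" <<'EOF'
TABLE_NAME                     NUM_OF_ROWS
------------------------------ -----------
INCIDENT                             12345
MESSAGELOB                            6780

2 rows selected.
EOF

compare_rowcounts "$before_txt" "$after_ok" && echo "import preserved every row count"
compare_rowcounts "$before_txt" "$after_bad" || echo "differences found; investigate before restarting services"
```

The parser keys on the shape of a data row rather than on positions, so the page headers SQL*Plus repeats every few lines in a long spool are ignored automatically.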

Confirm the DATA PUMP directory


Confirm the DATA_PUMP_DIR directory location and grant permissions on the source (Oracle 11g or Oracle 12c) and
target (Oracle 19c) systems.
1. Run the following command on the Oracle source system:
sqlplus sys/<password>@<service name> as sysdba

select directory_name, directory_path from dba_directories where directory_name='DATA_PUMP_DIR';

The command output should display a message similar to the following message:
DIRECTORY_NAME       DIRECTORY_PATH
-------------------- ------------------------------
DATA_PUMP_DIR        /opt/oracle/admin/dpdump/

2. Run the following command on the Oracle source system to grant read and write permission to the newly created
directory object to your db schema user.
sqlplus sys/<password>@<service name> as sysdba

grant read,write on directory DATA_PUMP_DIR to protect;


The command returns the message Grant succeeded.
3. Run the following command on the Oracle 19c system:
select directory_name, directory_path from dba_directories where directory_name='DATA_PUMP_DIR';

The command output should display a message similar to the following message:
DIRECTORY_NAME       DIRECTORY_PATH
-------------------- ------------------------------
DATA_PUMP_DIR        /opt/oracle/admin/dpdump/

4. Run the following command on the Oracle 19c system to grant read and write permission to the newly created
directory object for the db schema user.
sqlplus sys/<password>@<service name> as sysdba

grant read,write on directory DATA_PUMP_DIR to protect;


The command returns the message Grant succeeded.

Stop all Symantec Data Loss Prevention services


Shut down all Symantec Data Loss Prevention services on your Enforce Server. You also shut down any other services
that access the Symantec Data Loss Prevention database (for example, Data Insight).
Shut down services in the following order based on your server operating system:
Linux:
1. Services that access the Symantec Data Loss Prevention database (for example, Data Insight)
2. SymantecDLPIncidentPersisterService
3. SymantecDLPManagerService
4. SymantecDLPDetectionServerControllerService
5. SymantecDLPNotifierService
Windows:
1. Services that access the Symantec Data Loss Prevention database (for example, Data Insight)
2. SymantecDLPDetectionServerControllerService
3. SymantecDLPIncidentPersisterService
4. SymantecDLPManagerService
5. SymantecDLPNotifierService

Export the database from the Oracle source database system


After you stop all services, you export the database from the Oracle source database system.
1. (Optional) Estimate the database dump file by running the following command:
expdp protect/<password>@protect schemas=protect EXCLUDE=STATISTICS NOLOGFILE=YES
ESTIMATE_ONLY=YES

Estimating the database dump file size helps you to confirm whether your new system has sufficient disc space. The
size of the database dump file also indicates whether the new database has sufficient data files to accommodate the
import.
To accommodate both the database dump file and the imported database, the server where the Oracle 19c database
is running should have at least 150 GB or 2.5 times the estimated number (whichever is greater) in free disk space.
NOTE
If the estimated database dump file size exceeds 98 GB, refer to Add data files for large databases.
2. Create the database dump file by running the following command:
expdp protect/<password>@protect dumpfile=fullexport.dmp schemas=protect directory=DATA_PUMP_DIR
logfile=fullexport.log EXCLUDE=STATISTICS

3. Copy the database dump file. Copy the file from the DATA_PUMP_DIR on the Oracle source database system to the
DATA_PUMP_DIR directory location on the Oracle 19c system.
Related Links
Confirm the DATA PUMP directory on page 198

Add data files for large databases


If the database dump file exceeds 98 GB, you must add LOB_TABLESPACE data files to the database on the Oracle 19c
database. You perform the action before you import the database dump file to the Oracle 19c database.
The number of data files you add depends on how much more space you need. You can confirm the number of data
files that are needed by counting the number that the source database uses. You can also estimate the number by using
the database dump file size.
1. Estimate the number of data files you must add by completing the following steps:
NOTE
Go to step 2 if you have already defined the number of data files required.
a) Subtract 100 GB from the size of the database dump file estimate.
See Export the database from the Oracle source database system to generate the database dump file estimate.
b) Divide the remainder by 32 (the number of gigabytes a data file can potentially accommodate).
c) Round the resulting number up to ensure you create enough data files.
For example, if the database dump file is 500 GB, you add 13 new data files.
2. Run the following command to connect to the database using SQL*Plus:
sqlplus sys/<password> as sysdba

3. Run a command based on your database configuration to add data files (line breaks added for legibility):
• Single-tenant on Linux
  ALTER TABLESPACE LOB_TABLESPACE ADD DATAFILE
    '/opt/oracle/oradata/protect/LOB04.DBF'
    SIZE 1024M AUTOEXTEND ON NEXT 100M MAXSIZE 32767M;
• Multitenant on Linux
  ALTER TABLESPACE LOB_TABLESPACE ADD DATAFILE
    '/opt/oracle/oradata/dlpcdb/protect/LOB04.DBF'
    SIZE 1024M AUTOEXTEND ON NEXT 100M MAXSIZE 32767M;
• Single-tenant on Windows
  ALTER TABLESPACE LOB_TABLESPACE ADD DATAFILE
    'C:\ORACLE\ORADATA\PROTECT\LOB04.DBF'
    SIZE 1024M AUTOEXTEND ON NEXT 100M MAXSIZE 32767M;
• Multitenant on Windows
  ALTER TABLESPACE LOB_TABLESPACE ADD DATAFILE
    'C:\ORACLE\ORADATA\DLPCDB\PROTECT\LOB04.DBF'
    SIZE 1024M AUTOEXTEND ON NEXT 100M MAXSIZE 32767M;

4. Repeat step 3 for each new data file you must add. Each time that you run the command, increase the numeral in the
LOB04.DBF file name sequentially by one. For example, if you are adding 13 new data files, the first data file name is
LOB04.DBF and the last is LOB16.DBF.
Related Links
Export the database from the Oracle source database system on page 199
Import the database to the Oracle 19c system on page 201
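The following shell script is an added example and is not part of the Symantec documentation or the product. It turns the sizing rules from the export step (at least 150 GB or 2.5 times the estimated dump size, whichever is greater) and from the data-file steps above (subtract 100 GB, divide by 32, round up, name the files LOB04.DBF onward) into functions you can run against an expdp ESTIMATE_ONLY figure before the import, and it generates the ALTER TABLESPACE statements for the Linux single-tenant layout. The minimum of one data file once the estimate exceeds 98 GB is this example's reading of "you must add"; the df-based free-space check and the function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Symantec documentation: sizing checks derived
# from the export and "Add data files" steps. Figures come from those steps
# (150 GB or 2.5x the estimate; 100 GB subtracted, 32 GB per data file, rounded
# up). Assumed: a minimum of one file above 98 GB, the df check, all names.

# Free space the Oracle 19c host needs, in whole GB: max(150, ceil(2.5 * estimate)).
required_free_gb() {
    est=$1
    scaled=$(( (est * 5 + 1) / 2 ))   # ceil(2.5 * est) without floating point
    if [ "$scaled" -gt 150 ]; then echo "$scaled"; else echo 150; fi
}

# Number of LOB_TABLESPACE data files to add for a dump-file estimate in GB.
datafiles_needed() {
    est=$1
    if [ "$est" -le 98 ]; then echo 0; return; fi
    n=$(( (est - 100 + 31) / 32 ))    # ceil((est - 100) / 32), integer only
    if [ "$n" -lt 1 ]; then n=1; fi   # assumption: at least one file above 98 GB
    echo "$n"
}

# Emit one ALTER TABLESPACE statement per new file, named LOB04.DBF onward, in
# DIR (a Linux oradata directory; the guide gives the Windows paths separately).
lob_datafile_statements() {
    n=$1; dir=$2
    i=4; last=$((3 + n))
    while [ "$i" -le "$last" ]; do
        printf "ALTER TABLESPACE LOB_TABLESPACE ADD DATAFILE '%s/LOB%02d.DBF' SIZE 1024M AUTOEXTEND ON NEXT 100M MAXSIZE 32767M;\n" "$dir" "$i"
        i=$((i + 1))
    done
}

# Free GB on the file system holding PATH, from POSIX df output (column 4 is
# "Available" in 1K blocks).
free_gb() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024 / 1024) }'
}

# Demo with the 500 GB figure the guide uses in its own example.
est=500
echo "estimate ${est} GB: need $(required_free_gb "$est") GB free, $(datafiles_needed "$est") extra LOB data files"
echo "free on /: $(free_gb /) GB"
lob_datafile_statements "$(datafiles_needed "$est")" /opt/oracle/oradata/protect
```

With the 500 GB estimate the script reports 13 data files, LOB04.DBF through LOB16.DBF, which matches the worked figure in step 4 above; run it with your own ESTIMATE_ONLY result and compare free_gb for the DATA_PUMP_DIR and oradata file systems against required_free_gb before copying the dump file.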

Import the database to the Oracle 19c system


The process to import the database sets LOB to be stored as SecureFile.
1. Run the following commands on the Oracle 19c system to import the Oracle source database (line breaks added for
legibility).
a) Import the database while excluding the index by running the following command:
impdp protect/<password>@<service name>
dumpfile=fullexport.dmp schemas=protect
directory=DATA_PUMP_DIR logfile=fullimport.log
DATA_OPTIONS=skip_constraint_errors
TRANSFORM=LOB_STORAGE:DEFAULT
EXCLUDE=INDEX
b) Import the database by running the following command:
impdp protect/<password>@<service name>
dumpfile=fullexport.dmp schemas=protect
directory=DATA_PUMP_DIR
logfile=fullimport.log
DATA_OPTIONS=skip_constraint_errors
TRANSFORM=LOB_STORAGE:DEFAULT
INCLUDE=INDEX

2. Verify that the LOB tables use SecureFile storage on the target system by running the following query:
sqlplus protect/<password>@<service name>
SELECT table_name as "tableName", column_name as "columnName", securefile as "isSecureFile", in_row as "isInRow"
FROM user_lobs
WHERE table_name IN ('MESSAGELOB', 'MESSAGECOMPONENTLOB', 'CONDITIONVIOLATIONLOB')
ORDER BY table_name, column_name;

3. Confirm that the IsSecureFile column in the output is set to YES in each of the three tables.
IsSecureFile indicates that the LOB uses SecureFile.

Connect the Enforce Server to the Oracle 19c database
After you finish the import process, you can connect the Enforce Server to the Oracle 19c database.
1. Confirm that the database host IP is accessible to the Enforce Server and is up and running.
2. Change the jdbc.properties file on the Enforce Server to refer to the host name on the target database system by
completing the following steps:
a) Locate the jdbc.properties file.
Refer to the following list to locate the file on your particular platform and version:
• Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\vv.u\Protect\config
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/vv.u/Protect/config
Replace vv.u with the Symantec Data Loss Prevention version number.
b) Open the file and locate the line where the jdbc.dbalias.oracle-thin value displays the hostname.
c) Enter the IP of the Oracle 19c server.
d) If the database connects using SID, update connection strings to use service_name.
3. Save the file.
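An added example (not part of the Symantec documentation) of making the jdbc.properties edit in steps 2b to 2d by script rather than by hand. The property key is the one named above; the two address layouts it handles, the SID form @host:port:SID and the service form @//host:port/service, are the standard Oracle thin-driver forms and are an assumption about how the value is written in this file.

```python
"""
Added example (not from the Symantec documentation): rewrite the
jdbc.dbalias.oracle-thin entry in jdbc.properties so that it points at the
Oracle 19c host and uses a service name rather than a SID (steps 2b to 2d).
The property key is the one named on the page. The two value layouts handled
here, SID form '@host:port:SID' and service form '@//host:port/service', are
the standard Oracle thin-driver address forms and are an assumption about how
the value is written in this file; the function names are this example's own.
"""
import re
import shutil
from typing import Optional, Tuple

# Matches the alias line in either address form and captures its parts.
_ALIAS_RE = re.compile(
    r"^(?P<key>\s*jdbc\.dbalias\.oracle-thin\s*=\s*)"
    r"(?P<prefix>(?:jdbc:oracle:thin:)?@)"
    r"(?://)?(?P<host>[^:/\s]+):(?P<port>\d+)"
    r"(?P<sep>[:/])(?P<name>[^\s:/]+)\s*$"
)


def rewrite_alias_line(line: str, new_host: str,
                       service_name: Optional[str] = None) -> Tuple[str, bool]:
    """Return (new_line, matched).

    The host is replaced and the address is always written in service-name
    form: a pluggable database such as protect is reachable only through its
    service name, which is why step 2d drops the SID syntax.
    """
    m = _ALIAS_RE.match(line)
    if not m:
        return line, False
    name = service_name if service_name else m.group("name")
    new_line = f"{m.group('key')}{m.group('prefix')}//{new_host}:{m.group('port')}/{name}"
    return new_line, True


def update_jdbc_properties(text: str, new_host: str,
                           service_name: Optional[str] = None) -> str:
    """Rewrite the alias line in the file contents; every other line is untouched."""
    out, found = [], False
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):  # properties-file comment lines
            out.append(line)
            continue
        new_line, hit = rewrite_alias_line(line, new_host, service_name)
        found = found or hit
        out.append(new_line)
    if not found:
        raise ValueError("jdbc.dbalias.oracle-thin entry not found")
    return "\n".join(out) + "\n"


def update_jdbc_properties_file(path: str, new_host: str,
                                service_name: Optional[str] = None) -> None:
    """Apply the change in place after saving a copy of the file as <path>.bak."""
    shutil.copyfile(path, path + ".bak")
    with open(path, "r", encoding="utf-8") as fh:
        text = fh.read()
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(update_jdbc_properties(text, new_host, service_name))


# Constructed sample contents (not a real DLP file): old host, SID-style address.
SAMPLE_PROPERTIES = (
    "# Enforce Server database connection (constructed sample)\n"
    "jdbc.dbalias.oracle-thin=@old-db-host:1521:protect\n"
    "jdbc.maxconnections=20\n"
)

if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for the Oracle 19c host.
    print(update_jdbc_properties(SAMPLE_PROPERTIES, "192.0.2.10"))
```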

Update the database server connection on Windows


Migrating the database to Oracle 19c requires that you update the registry on the Enforce Server to use the new
credentials and configuration for the Oracle 19c database. In general, you update the hostname of the new server hosting
the Oracle 19c database. If you are migrating the Oracle 19c database to the same server, you update the service user to
the Oracle 19c database.
1. Open RegEdit on the Enforce Server and expand HKEY_LOCAL_MACHINE > Software > Symantec > Data Loss
Prevention > Enforce Server > vv.u > Installation.
Replace vv.u with the Symantec Data Loss Prevention version number.
2. Update the following registry items that do not match the Oracle 19c database configuration:
OracleHost: Enter the host name (IP or FQDN) of the Oracle 19c server computer.
OraclePort: Enter the port used for the Oracle 19c server computer. The default is 1521. See Configuring the TNS
Listener and Net Service Name.
OracleSID: Enter the service name of the Oracle 19c database. The default is protect. See Configuring the TNS Listener
and Net Service Name.
OracleUsername: Enter the Oracle user for Symantec Data Loss Prevention. The default Oracle user name for Symantec
Data Loss Prevention is protect. See Installing the Oracle 19c software on Windows.

3. Validate the registry updates by opening a command prompt and running the following command:
tnsping //<hostname>:<port>/<serviceuser>

Replace the values in brackets with the details from the Oracle 19c configuration, including the following:
• <hostname> is the Oracle 19c server host name (IP or FQDN).
• <port> is the port that is used for the Oracle 19c server computer.
• <serviceuser> is the service name of the Oracle 19c database.

Update the database server connection on Linux
Migrating the database to Oracle 19c requires that you update the Enforce Server to use the new credentials and
configuration for the Oracle 19c database. In general, you update the hostname of the new server hosting the Oracle 19c
database. If you are migrating the Oracle 19c database to the same server, you update the service user to the Oracle 19c
database.
1. Go to the following location on the Enforce Server:
/etc/Symantec/DataLossPrevention/EnforceServer/vv.u/Installation/
Replace vv.u with the Symantec Data Loss Prevention version you are running.
2. Update files that do not match the Oracle 19c database configuration:
oracleHost: Enter the host name (IP or FQDN) of the Oracle 19c server computer.
oraclePort: Enter the port used for the Oracle 19c server computer. The default is 1521. See Configuring TNS Listener
and Net Service Name.
oracleServiceName: Enter the service name of the Oracle 19c database. The default is protect. See Configuring TNS
Listener and Net Service Name.
oracleUsername: Enter the Oracle user for DLP. The default Oracle user name for DLP is protect. See Installing the
Oracle 19c software on Windows.

Restart all Symantec Data Loss Prevention services


Restart all Symantec Data Loss Prevention services on the Enforce Server. You also restart any other services that
access the Symantec Data Loss Prevention database (for example, Data Insight).
1. Restart all Symantec Data Loss Prevention services on the Enforce Server, including any other services that access
the DLP database. Restart services in the following sequence (applies to both Linux and Windows):
a) Secondary services that access the DLP database (for example, Data Insight)
b) SymantecDLPNotifierService
c) SymantecDLPManagerService
d) SymantecDLPIncidentPersisterService
e) SymantecDLPDetectionServerControllerService
2. Confirm that the Enforce Server can connect to the database by completing the following steps:
a) Log in to the Enforce Server and select System > Servers and Detectors > Overview.
b) Confirm that the servers are listed and running.
After you confirm that the Enforce Server can connect to the database, confirm the schema row count after the import.
Confirm the schema row count after the import on Windows
Confirm the schema row count after the import on Linux

Confirm the schema row count after the import on Windows


After you import the database schema, you generate a row count of each table in the schema. You compare the data that
you generate with the data you generated before the schema export.
1. Run the following command:
sqlplus protect/<password>@protect

2. Run the following command to create a PL/SQL function to generate the row count:
SQL>create or replace function
row_count (p_tablename in varchar2)
return number
as
l_count number;
begin
execute immediate
'select count(*)
from ' || p_tablename
into l_count;
return l_count;
end;
/

3. Run the following query to generate a row count for each table in the schema:
SQL>spool rowCount_after_import.txt
SQL>select table_name, row_count(table_name) num_of_rows
from user_tables;
SQL>spool off
The rowCount_after_import.txt file is created in the execution directory.
4. Compare the data in rowCount_after_import.txt with the rowCount_before_export.txt file you created
before the export operation.
Related Links
Confirm the schema row count before the export on Windows

Confirm the schema row count after the import on Linux


After importing the database schema, you generate a row count of each table in the schema. You compare the data you
generate with the data you generated before the schema export.
1. Run the following command:
sqlplus protect/<password>@protect

2. Run the following command to create a PL/SQL function to generate the row count:
SQL>create or replace function
row_count (p_tablename in varchar2)
return number
as
l_count number;
begin
execute immediate
'select count(*)
from ' || p_tablename
into l_count;
return l_count;
end;
/

3. Run the following query to generate a row count for each table in the schema:
SQL>spool rowCount_after_import.txt
SQL>select table_name, row_count(table_name) num_of_rows
from user_tables;
SQL>spool off
The rowCount_after_import.txt file is created in the execution directory.
4. Compare the data in rowCount_after_import.txt with the rowCount_before_export.txt file you created
before the export operation.
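The comparison in step 4 of both the Windows and Linux procedures above is left to the reader. The following added example (not part of the Symantec documentation) parses the two SQL*Plus spool files and lists every table whose count differs or that is missing after the import. The spool contents embedded in it are constructed samples in default SQL*Plus layout; the function names are this example's own.

```python
"""
Added example (not from the Symantec documentation): parse the two SQL*Plus spool
files from the row-count procedure, rowCount_before_export.txt (source system) and
rowCount_after_import.txt (Oracle 19c system), and list every table whose count
differs, so the comparison in step 4 is mechanical rather than done by eye. The
spool contents below are constructed samples in default SQL*Plus layout; the
function names are this example's own.
"""
import re
from typing import Dict, List, Tuple

# A data row is TABLE_NAME followed by the numeric NUM_OF_ROWS. Column headers,
# dashed underlines (repeated by SQL*Plus pagination), the echoed SELECT and the
# closing "N rows selected." line do not match this pattern and are skipped.
_ROW_RE = re.compile(r"^\s*([A-Z][A-Z0-9_$#]*)\s+(\d+)\s*$")


def parse_row_counts(spool_text: str) -> Dict[str, int]:
    """Map TABLE_NAME -> NUM_OF_ROWS from the contents of a spool file."""
    counts: Dict[str, int] = {}
    for line in spool_text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def compare_row_counts(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, object]:
    """Report count mismatches and tables that exist on only one side."""
    return {
        "mismatch": {t: (before[t], after[t]) for t in sorted(before)
                     if t in after and before[t] != after[t]},
        "missing_after": sorted(t for t in before if t not in after),
        "extra_after": sorted(t for t in after if t not in before),
    }


def report_lines(result: Dict[str, object]) -> List[str]:
    """One line per finding; an empty list means the import is clean."""
    lines = [f"{t}: before={b} after={a}" for t, (b, a) in result["mismatch"].items()]
    lines += [f"{t}: missing after import" for t in result["missing_after"]]
    lines += [f"{t}: present only after import" for t in result["extra_after"]]
    return lines


def verify_import(before_text: str, after_text: str) -> Tuple[bool, List[str]]:
    """True when every table and count matches; the findings otherwise."""
    findings = report_lines(compare_row_counts(parse_row_counts(before_text),
                                               parse_row_counts(after_text)))
    return (not findings), findings


# Constructed sample spool output; the row counts are invented for illustration.
SAMPLE_BEFORE = """\
SQL> select table_name, row_count(table_name) num_of_rows
  2  from user_tables;

TABLE_NAME                     NUM_OF_ROWS
------------------------------ -----------
CONDITIONVIOLATIONLOB                  812
INCIDENT                              4210
MESSAGECOMPONENTLOB                   3977
MESSAGELOB                            3977
POLICY                                  17

5 rows selected.

SQL> spool off
"""

# Same layout after import: INCIDENT is one row short and POLICY is absent.
SAMPLE_AFTER = """\
TABLE_NAME                     NUM_OF_ROWS
------------------------------ -----------
CONDITIONVIOLATIONLOB                  812
INCIDENT                              4209
MESSAGECOMPONENTLOB                   3977
MESSAGELOB                            3977

4 rows selected.
"""

if __name__ == "__main__":
    ok, findings = verify_import(SAMPLE_BEFORE, SAMPLE_AFTER)
    print("row counts match" if ok else "\n".join(findings))
```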

Migrating to an Oracle multitenant environment on Windows


Table 103: Steps to set up an Oracle multitenant environment on Windows lists the process to install Oracle CDB/PDB on
Windows systems.

Table 103: Steps to set up an Oracle multitenant environment on Windows

1. Install the Oracle database.
   More info: Installing the Oracle 19c software on Windows
2. Create the PDB database.
3. Confirm the following:
   • Confirm that the Container Database name is 'dlpcdb'.
   • Confirm that the Pluggable Database name is 'protect'.
   More info: Verifying and PDB database for RAC on Windows
4. Verify that the CDB/PDB is created.
   More info: Verifying and PDB database for RAC on Windows
5. Configure the Oracle listeners.
   More info: Configuring the database connection on Windows
6. Verify that the PDB listener is created and registered.
   More info: Verifying that the PDB listener is created and registered on Windows
7. Set the PDB to autostart (for Windows only).
   More info: Setting the protect PDB to autostart on Windows
8. Add required tablespaces to the PDB database.
   More info: Adding required tablespaces to the PDB database on Windows
9. Create the Oracle user account.
   More info: Creating the Oracle user account for Symantec Data Loss Prevention on Windows

Migrating to an Oracle multitenant environment on Linux


Table 104: Steps to set up Oracle multitenant environment on Linux lists the process to install Oracle CDB/PDB on Linux
systems.

Table 104: Steps to set up Oracle multitenant environment on Linux

1. Complete preinstallation steps.
   More info: Performing the Linux preinstallation steps
2. Install the Oracle database.
   More info: Installing Oracle 19c on Linux
3. Create the CDB and PDB database.
   More info: Creating the Symantec Data Loss Prevention database on Linux
4. Confirm the following:
   • Confirm that the Container Database name is 'dlpcdb'.
   • Confirm that the Pluggable Database name is 'protect'.
   More info: Verifying the PDB database on Linux
5. Configure the Oracle listener.
   More info: Configuring the database connection on Linux
6. Verify that the PDB listener is created and registered.
   More info: Verifying that the PDB listener is created and registered on Linux
7. Set the protect PDB to autostart.
   More info: Setting the protect PDB to autostart on Linux
8. Create the Oracle user account.
   More info: Creating the Oracle user account for Symantec Data Loss Prevention on Linux

Installing DLP
Install the Enforce Server, detection servers, and DLP Agents.
Planning the installation
Installing an Enforce Server
Importing a solution pack
Installing and registering detection servers
Configuring certificates for secure server communications
Installing the domain controller agent to identify users in incidents
Performing a single-tier installation
Installing Symantec DLP Agents
Installing language packs
Post-installation tasks

Planning the installation


About installation tiers
About single sign-on
About hosted Network Prevent deployments
About Symantec Data Loss Prevention system requirements
Symantec Data Loss Prevention Required Items
Standard ASCII characters required for all installation parameters
Performing a three-tier installation—high-level steps
Performing a two-tier installation—high-level steps
Performing a single-tier installation—high-level steps
Symantec Data Loss Prevention Preinstallation Steps
Confirming the Oracle database user permissions
About external storage for incident attachments
Signing RPM Files for Server Components
Verifying that servers are ready for Symantec Data Loss Prevention installation

About installation tiers


Symantec Data Loss Prevention supports three different installation types: three-tier, two-tier, and single-tier. Symantec
recommends the three-tier installation. However, your organization might need to implement a two-tier installation
depending on available resources and organization size. Single-tier installations are recommended for branch offices,
small organizations, or for testing purposes.

Single-tier To implement the single-tier installation, you install the database, the Enforce Server, and a detection server all on
the same computer. Typically, this installation is implemented for testing purposes.
A Symantec Data Loss Prevention Single Server deployment is a single-tier deployment that includes the Single
Tier Monitor detection server. The Single Tier Monitor is a detection server that includes the detection capabilities
of the Network Monitor, Network Discover, Network Prevent for Email, Network Prevent for Web, and the Endpoint
Prevent and Endpoint Discover detection servers. Each of these detection server types is associated with one or
more detection "channels." The Single Server deployment simplifies Symantec Data Loss Prevention administration
and reduces maintenance and hardware costs for small organizations, or for branch offices of larger enterprises that
would benefit from on-site deployments of Symantec Data Loss Prevention.
If you choose either of these types of installation, the Symantec Data Loss Prevention administrator needs to be
able to perform database maintenance tasks, such as database backups.
Performing a single-tier installation—high-level steps
Two-tier To implement the two-tier installation, you install the Oracle database and the Enforce Server on the same computer.
You then install detection servers on separate computers.
Typically, this installation is implemented when an organization, or the group responsible for data loss prevention,
does not have a separate database administration team. If you choose this type of installation, the Symantec Data
Loss Prevention administrator needs to be able to perform database maintenance tasks, such as database backups.
Performing a two-tier installation—high-level steps
Three-tier To implement the three-tier installation, you install the Oracle database, the Enforce Server, and a detection server
on separate computers. Symantec recommends implementing the three-tier installation architecture as it enables
your database administration team to control the database. In this way you can use all of your corporate standard
tools for database backup, recovery, monitoring, performance, and maintenance. Three-tier installations require
that you install the Oracle Client (SQL*Plus and Database Utilities) on the Enforce Server to communicate with the
Oracle server.
Performing a three-tier installation—high-level steps

About single sign-on


Symantec Data Loss Prevention provides several options for authenticating users and signing users on to the Enforce
Server administration console. The Symantec Data Loss Prevention installation program helps you configure several of
these options when you install the Enforce Server. These installation options include:
• Password authentication with forms-based sign-on.
This is the default method of authenticating users to the Enforce Server administration console. When using password
authentication, users sign on to the Enforce Server administration console by accessing the sign-on page in their
browser and entering their user name and password. You can enable password authentication in addition to certificate
authentication.
• Certificate authentication.
Symantec Data Loss Prevention supports single sign-on using client certificate authentication. With certificate
authentication, a user interacts with a separate public key infrastructure (PKI) to generate a client certificate that
Symantec Data Loss Prevention supports for authentication. When a user accesses the Enforce Server administration
console, the PKI automatically delivers the user's certificate to the Enforce Server computer for authentication and
sign-on. If you choose certificate authentication, the installation program gives you the option to enable password
authentication as well.
If you want to enable certificate authentication, first verify that your client certificates are compatible with Symantec Data
Loss Prevention. See Environment Compatibility and Requirements for Network Prevent for Email and Cloud Prevent for
Email Servers. Certificate authentication also requires that you install the certificate authority (CA) certificates that are
necessary to validate client certificates in your system. These certificates must be available in .cer files on the Enforce
Server computer. During the Symantec Data Loss Prevention installation, you can import these CA certificates if available.

If you want to use password authentication, no additional information is required during the Symantec Data Loss
Prevention installation.
See About authenticating users for more information about all of the authentication and sign-on mechanisms that
Symantec Data Loss Prevention supports.

About hosted Network Prevent deployments


Symantec Data Loss Prevention supports deploying one or more Network Prevent detection servers in a hosted service
provider network, or in a network location that requires communication across a Wide Area Network (WAN). You may
want to deploy a Network Prevent server in a hosted environment if you use a service provider's mail server or Web proxy.
In this way, the Network Prevent server can be easily integrated with the remote proxy to prevent confidential data loss
through email or HTTP posts.
You can deploy the Enforce Server and detection servers to the Amazon Web Services infrastructure. See Deploy
Symantec Data Loss Prevention servers on Amazon Web Services.
When you choose to install a detection server, the Symantec Data Loss Prevention installation program asks if you want
to install Network Prevent in a hosted environment.
If you choose to install a Network Prevent detection server in a hosted environment, you must use the sslkeytool utility
to create multiple, user-generated certificates to use with both internal (corporate) and hosted detection servers. This
ensures secure communication from the Enforce Server to the hosted Network Prevent server, and to all other detection
servers that you install. You cannot use the built-in Symantec Data Loss Prevention certificate when you deploy a hosted
Network Prevent detection server.

About Symantec Data Loss Prevention system requirements


System requirements for Symantec Data Loss Prevention depend on:
• The type of information you want to protect
• The size of your organization
• The number of Symantec Data Loss Prevention servers you choose to install
• The location in which you install the servers
If you plan to install Symantec Data Loss Prevention on Linux, there are also additional package dependencies. See
Third-party software requirements and recommendations for detailed information about these additional required
packages.
Deployment planning considerations

Symantec Data Loss Prevention Required Items


See Minimum System Requirements for Symantec Data Loss Prevention Servers for detailed requirements information.
Before you install Symantec Data Loss Prevention, make sure that the following items are available:
• Your Symantec Data Loss Prevention software.
Download and extract the Symantec Data Loss Prevention software ZIP files. Extract these ZIP files into a directory
on a system that is accessible to you. The root directory into which the ZIP files are extracted is referred to as the
DLPDownloadHome directory.
• Your Symantec Data Loss Prevention license file.
Download your Symantec Data Loss Prevention license file into a directory on a system that is accessible to you.
License files have names in the format name.slf.
• The Oracle database software. You can find this software in the Symantec Data Loss Prevention installation package.
Install Oracle software before installing the Enforce Server.

See Implementing the Database.
• The following third-party components, if required:
– Network Monitor servers require either a dedicated NIC or a high-speed packet capture adapter. See Minimum
System Requirements for Symantec Data Loss Prevention Servers for requirements.
– Windows-based Network Monitor servers require WinPcap or Npcap software.
Locate the WinPcap software at the following URL:
http://www.winpcap.org/
Locate the Npcap software at the following URL:
http://nmap.org/npcap
See Minimum System Requirements for Symantec Data Loss Prevention Servers for requirements.
– Wireshark, available from http://www.wireshark.org. During the Wireshark installation process on Windows
platforms, do not install a version of WinPcap lower than 4.1.2 or a version of Npcap lower than 0.995.
– For two-tier or three-tier installations, a remote access utility may be required (for example, Remote Desktop for
Windows systems, or PuTTY or a similar SSH client for Linux systems).
– Windows-based Discover servers that are scanning targets on UNIX machines must have the NFS Client feature
enabled. You can enable the NFS Client on your Windows Server 2012, 2016, or 2019 computer from the Windows
Server Manager.
To enable the NFS client on your Windows-based Discover server, take one of the following actions:
• Windows Server 2012, 2016, or 2019: In the Windows Server Manager, use the Add Roles and Features
wizard to select and install the Client for NFS.
https://docs.microsoft.com/en-us/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#BKMK_installarfw
• Adobe Reader (for reading Symantec Data Loss Prevention documentation).

Standard ASCII characters required for all installation parameters


Use only standard, 7-bit ASCII characters to enter installation parameters during the installation process. Extended
(hi-ASCII) and double-byte characters cannot be used for account or user names, passwords, directory names, IP
addresses, or port numbers. Installation may fail if you use characters other than standard 7-bit ASCII.
NOTE
Installation directories on Linux platforms cannot contain any spaces in the full path name. For example,
/opt/'symantec products'/Symantec/DataLossPrevention is not a valid installation folder.

Performing a three-tier installation—high-level steps


The computer on which you install Symantec Data Loss Prevention must contain only the software that is required to
run the product. Symantec does not support installing Symantec Data Loss Prevention on a computer with unrelated
applications.
See Third-party software requirements and recommendations for a list of required and recommended third-party software.

Table 105: Performing a three-tier installation—high-level steps

1. Perform the preinstallation steps.
   See: Symantec Data Loss Prevention Preinstallation Steps
2. Verify that your servers are ready for installation.
   See: Verifying that servers are ready for Symantec Data Loss Prevention installation
3. Install Oracle and create the Symantec Data Loss Prevention database.
   In a three-tier installation your organization's database administration team installs, creates, and maintains the
   Symantec Data Loss Prevention database. See Implementing the Database for information about installing Oracle.
4. Install the Oracle Client (SQL*Plus and Database Utilities) on the Enforce Server computer to enable communication
   with the Oracle server.
   The user account that is used to install Symantec Data Loss Prevention requires access to SQL*Plus to create tables
   and views.
5. Install the Java Runtime Environment on the Enforce Server.
   See: Installing the Java Runtime Environment on the Enforce Server on Windows; Installing the Java Runtime
   Environment on the Enforce Server on Linux
6. Install and configure (only on Linux platforms) the Enforce Server.
   See: Installing an Enforce Server on Windows; Installing an Enforce Server on Linux
7. Verify that the Enforce Server is correctly installed.
   See: Verifying an Enforce Server installation
8. Install one or more Symantec Data Loss Prevention license files.
   See: Installing a New License File
9. Import a solution pack.
   See: Importing a Solution Pack
10. Generate server certificates for secure communication.
   If you are installing Network Prevent in a hosted environment, you must create user-generated certificates for the
   Enforce Server and all detection servers in your deployment. This ensures that communication between the Enforce
   Server and all detection servers is secure. Symantec recommends that you generate new certificates for any multi-tier
   deployment. If you do not generate new certificates, Enforce and detection servers use a default, built-in certificate
   that is shared by all Symantec Data Loss Prevention installations.
   See: Using sslkeytool to generate new Enforce Server and detection server certificates
11. Generate certificates to secure communications between the Enforce Server and Oracle Database.
   See: About securing communications between the Enforce Server and the database
12. Install the Java Runtime Environment on the detection server.
   See: Install the Java Runtime Environment on a detection server on Windows; Installing the Java Runtime
   Environment on a Detection Server on Linux
13. Install and configure (only on Linux platforms) a detection server.
   See: Installing a detection server on Windows; Installing a detection server on Linux
14. Register a detection server.
   See: Registering a detection server
15. Perform the post-installation tasks.
   Symantec recommends that you create a backup of your system after completing the installation. Other recommended
   post-installation tasks include configuring security settings and performing initial setup tasks.
   See: About post-installation tasks
16. Start using Symantec Data Loss Prevention to perform initial setup tasks; for example, change the Administrator
   password, and create user accounts and roles.
   See: About post-installation security configuration. For more detailed administration topics (including how to
   configure a specific detection server) see Server configuration—basic.

Performing a two-tier installation—high-level steps
The computer on which you install Symantec Data Loss Prevention must only contain the software that is required to
run the product. Symantec does not support installing Symantec Data Loss Prevention on a computer with unrelated
applications.
See Third-party software requirements and recommendations for a list of required and recommended third-party software.

Table 106: Performing a two-tier installation—high-level steps

1. Perform the preinstallation steps.
   See: Symantec Data Loss Prevention Preinstallation Steps
2. Verify that your servers are ready for installation.
   See: Verifying that servers are ready for Symantec Data Loss Prevention installation
3. Install Oracle and create the Symantec Data Loss Prevention database.
   See Implementing the Database for information about installing Oracle.
4. Install the Java Runtime Environment on the Enforce Server.
   See: Installing the Java Runtime Environment on the Enforce Server on Windows; Installing the Java Runtime
   Environment on the Enforce Server on Linux
5. Install and configure (only on Linux platforms) the Enforce Server.
   See: Installing an Enforce Server on Windows; Installing an Enforce Server on Linux
6. Verify that the Enforce Server is correctly installed.
   See: Verifying an Enforce Server installation
7. Install one or more Symantec Data Loss Prevention license files.
   See: Installing a New License File
8. Import a solution pack.
   See: Importing a solution pack
9. Generate server certificates for secure communication.
   If you are installing Network Prevent in a hosted environment, you must create user-generated certificates for the
   Enforce Server and all detection servers in your deployment. This ensures that communication between the Enforce
   Server and all detection servers is secure. Symantec recommends that you generate new certificates for any multi-tier
   deployment. If you do not generate new certificates, Enforce and detection servers use a default, built-in certificate
   that is shared by all Symantec Data Loss Prevention installations.
   See: Using sslkeytool to generate new Enforce Server and detection server certificates
10. Generate certificates to secure communications between the Enforce Server and Oracle Database.
   See: About securing communications between the Enforce Server and the database
11. Install the Java Runtime Environment on the detection server.
   See: Installing the Java Runtime Environment on the Enforce Server on Windows; Installing the Java Runtime
   Environment on the Enforce Server on Linux
12. Install and configure (only on Linux platforms) a detection server.
   See: Installing a detection server on Windows; Installing a detection server on Linux; Configuring a Detection
   Server
13. Register a detection server.
   See: Registering a detection server
14. Perform the post-installation tasks.
   Symantec recommends that you create a backup of your system after completing the installation. Other recommended
   post-installation tasks include configuring security settings and performing initial setup tasks.
   See: About post-installation tasks
15. Start using Symantec Data Loss Prevention to perform initial setup tasks; for example, change the Administrator
   password, and create user accounts and roles.
   See: About post-installation security configuration. For more detailed administration topics (including how to
   configure a specific detection server) see Server configuration—basic.

Performing a single-tier installation—high-level steps


Single-tier installations are for testing, training, and risk assessment purposes.
A single-tier installation that is used in production is called a Single Server deployment. Single Server deployments are for
branch offices or small organizations.
The computer on which you install Symantec Data Loss Prevention must only contain the software that is required to
run the product. Symantec does not support installing Symantec Data Loss Prevention on a computer with unrelated
applications.
See Third-party software requirements and recommendations for a list of required and recommended third-party software.

Table 107: Performing a single-tier installation—high-level steps

1. Perform the preinstallation steps.
   See: Symantec Data Loss Prevention Preinstallation Steps
2. Verify that the server is ready for installation.
   See: Verifying that servers are ready for Symantec Data Loss Prevention installation
3. Install Oracle and create the Symantec Data Loss Prevention database.
   See Implementing the Database for information about installing Oracle.
4. Install the Java Runtime Environment.
   See: Installing the Java Runtime Environment on the Enforce Server on Windows; Installing the Java Runtime
   Environment on the Enforce Server on Linux
5. Install the Enforce Server and a detection server on the same computer.
   See: Installing a single-tier server on Windows; Installing a single-tier server on Linux
6. Configure the Enforce Server and the detection server on Linux platforms.
   See: Configuring a new single-tier installation
7. Verify that the system is correctly installed.
   See: Verifying a single-tier installation
8. Install one or more Symantec Data Loss Prevention license files.
   See: Installing a New License File
9. Import a solution pack.
   See: Importing a solution pack
10. Register the detection server.
   See: Registering a detection server; Registering the Single Tier Monitor
11. Perform the post-installation tasks.
   Symantec recommends that you create a backup of your system after completing the installation. Other recommended
   post-installation tasks include configuring security settings and performing initial setup tasks.
   See: About post-installation tasks
12. Start using Symantec Data Loss Prevention to perform initial setup tasks; for example, change the Administrator
   password, and create user accounts and roles.
   See: About post-installation security configuration. For more detailed administration topics (including how to
   configure a specific detection server) see Server configuration—basic.

Symantec Data Loss Prevention Preinstallation Steps


Review the Symantec Data Loss Prevention installation steps before installing.
This section assumes that you have completed the following tasks:
• You have verified that the server meets the system requirements.
• You have gathered the required materials.
1. See Release Notes for installation, Windows versus Linux capabilities, and server-specific information before
beginning the installation process.

2. Make sure your server is up to date with the latest security patches.
3. Obtain the Administrator user name and password (for Windows) or root password (for Linux) for each system on
which Symantec Data Loss Prevention is to be installed.
4. Obtain the static IP address(es) for each system on which Symantec Data Loss Prevention is to be installed.
5. Verify that each server host name that you will specify has a valid DNS entry.
6. Verify that you have access to all remote computers that you will use during the installation (for example, by using
Terminal Services, Remote Desktop, or an SSH client).
7. Confirm the database user has permissions to connect to the Enforce Server.

8. Validate the RPM file signature.

9. Verify the server installation.

10. If you want to store your incident attachments on an external file system rather than in the Oracle database, ensure
that you have set up your external storage directory and know the path to that location.

11. Copy files from DLPDownloadHome to an easily accessible directory on the Enforce Server:
• Choose from the following installer files based on the system you plan to deploy.
Enforce Server
  Windows (a): EnforceServer.msi
  Linux (b):   EnforceServer.zip
Detection server
  Windows (a): DetectionServer.msi
  Linux (b):   DetectionServer.zip
Remote EDM Indexer
  Windows (a): Indexers.msi
  Linux (b):   SymantecDLPIndexers.zip
Single-tier instance
  Windows (a): SingleTierServer.msi
  Linux (b):   SingleTierServer.zip
Java Runtime Environment
  Windows (a): OpenJDK8U-jre_x64_windows_hotspot_8u322-b06.zip
  Linux (b):   OpenJDK8U-jre_x64_linux_hotspot_8u322-b06.tar.gz
a. These files can be found in the DLPDownloadHome\DLP\16.0.1\New_Installs\Release directory.
b. These files can be found in the DLPDownloadHome/DLP/16.0.1/New_Installs/Release directory.
• Your Symantec Data Loss Prevention license file.
License files have names in the format name.slf.
• Symantec DLP Agent installers.
These files can be found in the following locations:
Mac installer
  Windows location: DLPDownloadHome\DLP\16.0.1\Endpoint\Mac\x86_64\AgentInstall_16_0_1.pkg
  Linux location:   DLPDownloadHome/DLP/16.0.1/Endpoint/Mac/x86_64/AgentInstall_16_0_1.pkg
Windows 64-bit
  Windows location: DLPDownloadHome\DLP\16.0.1\Endpoint\Win\x64\AgentInstall-x64_16_0_1.msi
  Linux location:   DLPDownloadHome/DLP/16.0.1/Endpoint/Win/x64/AgentInstall-x64_16_0_1.msi
Windows 32-bit
  Windows location: DLPDownloadHome\DLP\16.0.1\Endpoint\Win\x86\AgentInstall-x86_16_0_1.msi
  Linux location:   DLPDownloadHome/DLP/16.0.1/Endpoint/Win/x86/AgentInstall-x86_16_0_1.msi
Linux installer
  Red Hat Enterprise Linux:
    Windows location: DLPDownloadHome\DLP\16.0.1\Endpoint\Linux\x86_64\AgentInstall-x86_64_16_0_1.rpm
    Linux location:   DLPDownloadHome/DLP/16.0.1/Endpoint/Linux/x86_64/AgentInstall-x86_64_16.0.1.rpm
  Ubuntu:
    Windows location: DLPDownloadHome\DLP\16.0.1\Endpoint\Ubuntu\x86_64\AgentInstall-x86_64_16.0.1.deb
    Linux location:   DLPDownloadHome/DLP/16.0.1/Endpoint/Ubuntu/x86_64/AgentInstall-x86_64_16.0.1.deb
These files are only available if you licensed Endpoint Prevent.
• Symantec Data Loss Prevention solution packs. The following lists the solution pack location based on your
platform:
– Windows: DLPDownloadHome\DLP\16.0.10000\Solution_Packs\.
– Linux: DLPDownloadHome/DLP/16.0.10000/Solution_Packs/.
12. If you plan to use Symantec Data Loss Prevention alerting capabilities, you need the following items:
• Access to a local SMTP server.
• Mail server configuration for sending SMTP email. This configuration includes an account and password if the mail
server requires authentication.

Confirming the Oracle database user permissions


The Oracle database user (typically “protect”) must have permission to connect to the Enforce Server. The installation fails
if the user cannot access the Enforce Server.
1. Start SQL*Plus.
2. Run the following commands:
sqlplus sys/protect as sysdba
GRANT read, write ON directory data_pump_dir TO protect;
GRANT SELECT ON dba_registry_history TO protect;
GRANT SELECT ON dba_temp_free_space TO protect;
GRANT SELECT ON v_$version TO protect;
GRANT EXECUTE ON dbms_lob TO protect;

3. If you are running Oracle 19c, run the following command:
GRANT create job TO protect;

4. Exit SQL*Plus:
exit
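The one-line form above, sqlplus sys/protect as sysdba, passes the SYS password as a command-line argument, where it is visible to every local user through the process list and is kept in the shell history. The following added shell example (not from the Symantec guide) applies the same grants but reads the SYS password from the terminal with echo off and hands it to SQL*Plus on standard input instead. It also emits the "create job" grant only for Oracle 19 and later; treating the Oracle major version as a parameter is this example's assumption, as is the default database user name "protect".

```sh
#!/bin/sh
# Added example, not from the Symantec guide: apply the DLP database grants
# without putting the SYS password on the sqlplus command line (where "ps"
# and the shell history would expose it). The password is read from the
# terminal with echo off and handed to SQL*Plus on stdin. The "create job"
# grant is emitted for Oracle 19 and later only; taking the major version
# as a parameter is this example's assumption.

# grant_script DBUSER [MAJOR] -> prints the GRANT statements for DBUSER,
# adding "create job" when the Oracle major version is 19 or later.
grant_script() {
    dbuser=$1
    major=${2:-19}
    cat <<EOF
GRANT read, write ON DIRECTORY data_pump_dir TO $dbuser;
GRANT SELECT ON dba_registry_history TO $dbuser;
GRANT SELECT ON dba_temp_free_space TO $dbuser;
GRANT SELECT ON v_\$version TO $dbuser;
GRANT EXECUTE ON dbms_lob TO $dbuser;
EOF
    if [ "$major" -ge 19 ]; then
        echo "GRANT create job TO $dbuser;"
    fi
}

# grant_dlp_privileges [DBUSER] [MAJOR] -> prompts for the SYS password and
# runs the grants as SYSDBA; the first SQL error aborts with a non-zero exit.
grant_dlp_privileges() {
    dbuser=${1:-protect}
    major=${2:-19}
    printf 'SYS password: ' >&2
    stty -echo                      # do not echo the password to the terminal
    read -r sys_pw
    stty echo
    echo >&2
    # The CONNECT line travels over stdin, not argv, so it is not in "ps".
    sqlplus -S /nolog <<EOF
CONNECT sys/"$sys_pw" AS SYSDBA
WHENEVER SQLERROR EXIT SQL.SQLCODE
$(grant_script "$dbuser" "$major")
EXIT
EOF
}
```

Run it on the database host as the Oracle software owner, for example grant_dlp_privileges protect 19; grant_script alone lets you review the statements before anything is executed.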

About external storage for incident attachments


You can store incident attachments such as email messages or documents on a file system rather than in the Symantec
Data Loss Prevention database. Storing incident attachments externally saves a great deal of space in your database,
providing you with a more cost-effective storage solution.
You can store incident attachments either in a directory on the Enforce Server host computer, or on a stand-alone
computer. You can use any file system you choose. Symantec recommends that you work with your data storage
administrator to set up an appropriate directory for incident attachment storage.
To set up an external storage directory, Symantec recommends these best practices:
• If you choose to store your incident attachments on the Enforce Server host computer, complete the following steps:
– Create an external storage directory before you install Symantec Data Loss Prevention.
– Create the "SymantecDLP" user.
– Grant Read/Write permissions to the location for the "SymantecDLP" user.
– Do not place your storage directory under the \Symantec\DataLossPrevention folder (for Windows) or
/Symantec/DataLossPrevention (for Linux).
• If you choose to store incident attachments on a computer other than your Enforce Server host computer, take the
following steps:
– Ensure that both the external storage server and the Enforce Server are in the same domain.
– Create a "SymantecDLP" user on the external storage server with the same password as your Enforce Server
"SymantecDLP" user to use with your external storage directory.
– If you are using a Linux system for external storage, change the owner of the external storage directory to the
external storage "SymantecDLP" user.
– If you are using a Microsoft Windows system for external storage, share the directory with Read/Write permissions
with the external storage "SymantecDLP" user.
After you have set up your storage location you can select external storage for incident attachments in the Installation
Wizard. All incident attachments will be stored in the external storage directory. Incident attachments in the external
storage directory cannot be migrated back to the database. All incident attachments stored in the external storage
directory are encrypted and can only be accessed from the Enforce Server administration console.
The incident deletion process deletes incident attachments in your external storage directory after it deletes the
associated incident data from your database. You do not need to take any special action to delete incidents from the
external storage directory.
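Preparing a local external storage directory the way the first set of best practices above describes, as an added shell example for a Linux Enforce Server host (this is not Symantec's tooling): it refuses a path under a Symantec/DataLossPrevention tree, creates the directory, hands it to the "SymantecDLP" service user named in the guide, and sets mode 0700. The 0700 mode is this example's choice (the guide asks for Read/Write for that user and says nothing about other users); the GNU stat helper and the placeholder path in the usage are also this example's. The remote-server case with its shared directory is not covered here.

```sh
#!/bin/sh
# Added example (not Symantec's tooling): prepare a local incident-attachment
# directory on a Linux Enforce Server host per the best practices above.
# "SymantecDLP" is the service user the guide names; the 0700 mode is this
# example's choice so that no other local user can read the attachments.

# path_is_outside_install DIR -> 0 unless DIR is inside a
# Symantec/DataLossPrevention tree, which the guide says to avoid.
path_is_outside_install() {
    case "$1" in
        */Symantec/DataLossPrevention|*/Symantec/DataLossPrevention/*) return 1 ;;
        *) return 0 ;;
    esac
}

# setup_attachment_dir DIR [OWNER] -> creates DIR, gives it to OWNER
# (default SymantecDLP) and restricts it to that user. Returns 1 and
# touches nothing if DIR is a disallowed location.
setup_attachment_dir() {
    dir=$1
    owner=${2:-SymantecDLP}
    if ! path_is_outside_install "$dir"; then
        echo "refusing: $dir is inside the DLP installation tree" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    chown "$owner" "$dir" || return 1
    chmod 0700 "$dir" || return 1     # read/write for the service user only
}

# attachment_dir_mode DIR -> prints the octal permission bits of DIR (GNU stat).
attachment_dir_mode() {
    stat -c '%a' "$1"
}
```

As root, setup_attachment_dir /data/dlp_attachments creates the directory for the SymantecDLP user (the path is a placeholder); attachment_dir_mode /data/dlp_attachments should then print 700.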

Verifying that servers are ready for Symantec Data Loss Prevention installation
Before installing Symantec Data Loss Prevention, you must verify that the server computers are ready.
1. Verify that all systems are racked and set up in the data center.
2. Verify that the network cables are plugged into the appropriate ports as follows:
• Enforce Server NIC Port 1.
Standard network access for Administration.

If the Enforce Server has multiple NICs, disable the unused NIC if possible. This task can only be completed once
you have installed the Enforce Server.
• Detection servers NIC Port 1.
Standard network access for Administration.
• Network Monitor detection servers NIC Port 2.
SPAN port or tap should be plugged into this port for detection. (Does not need an IP address.)
If you use a high-speed packet capture card (such as Endace or Napatech), then do not set this port for SPAN or
tap.
3. Log on as the Administrator user (on Windows) or superuser (on Linux).

4. On Linux, verify that you have required packages installed.


See Third-party software requirements and recommendations.
5. Assign a static IP address, subnet mask, and gateway for the Administration NIC on the Enforce Server. Do not assign
an IP address to the detection server NICs.
6. Confirm the management NIC settings for your platform.
NOTE
Disabling any of these can cause communication problems between the Enforce Server and the detection
servers.
For Windows, confirm that the management NIC has the following items enabled:
• Internet protocol TCP/IP
• File and Printer Sharing for Microsoft networks
• Client for Microsoft Networks
For Linux, confirm that the management NIC has the Internet protocol TCP/IP enabled.
7. Verify assigned IP addresses.
For Windows, from a command line, use ipconfig /all.
For Linux, use ifconfig.
8. If you do not use DNS on Windows platforms, check that the c:\windows\system32\drivers\etc\hosts file
contains the server name and IP addresses for the server computer. If you modify this file, restart the server to apply
the changes.
9. If you are using DNS, verify that all host names have valid DNS entries.
10. Ping each Symantec Data Loss Prevention server computer (using both IP and host name) to verify network access.
11. Verify that ports 443 (SSL) and 3389 (RDP) are open and accessible to the client computers that require access.
Port 3389 is optional for Linux.
12. Turn on remote desktop connections for each Symantec Data Loss Prevention server computer. In Windows, right-
click My Computer. Click Properties and then select Remote > Allow users to connect remotely to this computer.
Verify that you can use Remote Desktop to log onto the server from a local workstation.
13. Verify that port 25 is not blocked. The Symantec Data Loss Prevention server uses port 25 (SMTP) for email alerts.
14. Verify that the Network Monitor detection server NICs receive the correct traffic from the SPAN port or tap. Install the
latest version of Wireshark and use it to verify traffic on the server.
For Endace cards, use dagsnap -o out.pcap from a command line. Then review the dagsnap output in Wireshark.

For Napatech cards, there is a "statistics" tool with option -bch=0xf to observe the "Hardware counters" for all
channels/ports.
15. Ensure that all Windows servers are synchronized with the same time (to the minute). Ensure that the servers are
updated with the correct Daylight Saving Time patches.
16. Confirm that the designated Enforce Server has at least 1 GB of free space.
17. Set the Enforce Server to boot into the Xorg display server if you are running Red Hat Enterprise Linux 8.
Complete the following steps on the Enforce Server system on which you intend to install Enforce:
a) Locate the custom.conf file in /etc/gdm/.
b) Change the WaylandEnable value to false and save your changes.
c) Reboot the server.
18. Install the Microsoft Visual C++ Redistributable for Visual Studio 2015, 2017, and 2019 to all servers where you plan to
run the Enforce Server, detection servers, and indexers on Windows.
Download the VC_redist.x64.exe file from The latest supported Visual C++ downloads. After you complete the
installation, restart the server.
19. For Network Prevent for Email detection server installations, verify the following:
• Use an SSH client to verify that you can access the Mail Transfer Agent (MTA).
• Verify that the firewall permits you to Telnet from the Network Prevent for Email Server computer to the MTA on port
25. Also ensure that you can Telnet from the MTA to the Network Prevent for Email detection server computer on
port 10026.
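Two of the host checks above as reusable shell functions, added here as an example that is not part of the Symantec guide. hosts_has_entry covers step 8: the guide describes the Windows hosts file, and /etc/hosts on Linux has the same layout, which is the generalization made here. disable_wayland covers step 17 on Red Hat Enterprise Linux 8; it takes the file path as an argument so it can be tried on a copy before touching /etc/gdm/custom.conf, and wayland_setting reads the result back. The hosts-file and custom.conf contents in the test are constructed.

```sh
#!/bin/sh
# Added example, not taken from the Symantec guide: hosts-file check (step 8,
# generalized to Linux /etc/hosts) and GDM Wayland switch (step 17) as
# functions that take a file path, so they can be tried on copies first.

# hosts_has_entry FILE NAME IP -> 0 if FILE maps NAME to IP (comments ignored).
hosts_has_entry() {
    awk -v name="$2" -v ip="$3" '
        { sub(/#.*/, "") }                      # strip trailing comments
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) { found = 1; exit } }
        END { exit !found }
    ' "$1"
}

# disable_wayland FILE -> rewrites FILE so the [daemon] section holds exactly
# one active "WaylandEnable=false" line (replacing a commented-out or "true"
# setting, and appending the section if it is missing).
disable_wayland() {
    f=$1
    tmp=$(mktemp) || return 1
    awk '
        /^\[/ {
            # Leaving [daemon] without having seen the key: add it here.
            if (in_daemon && !done) { print "WaylandEnable=false"; done = 1 }
            in_daemon = ($0 == "[daemon]")
        }
        in_daemon && /^[ \t]*#?[ \t]*WaylandEnable[ \t]*=/ {
            if (!done) { print "WaylandEnable=false"; done = 1 }
            next                                # drop duplicates and old values
        }
        { print }
        END {
            if (!done) {
                if (!in_daemon) print "[daemon]"
                print "WaylandEnable=false"
            }
        }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"       # cat keeps FILE owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# wayland_setting FILE -> prints the active WaylandEnable value from [daemon]
# (nothing if the key is absent or only present as a comment).
wayland_setting() {
    awk -F= '
        /^\[/ { in_daemon = ($0 == "[daemon]"); next }
        in_daemon && $1 ~ /^[ \t]*WaylandEnable[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2 }
    ' "$1"
}
```

Typical use on the Enforce host: hosts_has_entry /etc/hosts enforce01.example.com 10.0.0.5 (placeholder name and address) before relying on a static mapping, then, as root, disable_wayland /etc/gdm/custom.conf followed by a reboot as step 17 requires.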

Installing an Enforce Server


Learn about installing the Enforce Server on Windows or Linux.
Preparing for an Enforce Server installation
Installing on Windows
Installing on Linux
Verifying an Enforce Server installation
Installing a New License File

Preparing for an Enforce Server installation


Review and complete the following items before you install an Enforce Server:
• Complete the preinstallation steps.
Symantec Data Loss Prevention Preinstallation Steps
• Verify that the system is ready for installation.
Verifying that servers are ready for Symantec Data Loss Prevention installation
• Ensure that the Oracle software and Symantec Data Loss Prevention database is installed on the appropriate system.
– For single- and two-tier Symantec Data Loss Prevention installations, Oracle is installed on the same computer as
the Enforce Server.
– For a three-tier installation, Oracle is installed on a separate server. For a three-tier installation, the Oracle Client
(SQL*Plus and Database Utilities) must be installed on the Enforce Server computer to enable communication with
the Oracle server.

See Implementing the Database for information about installing Oracle 19c.
• Before you begin, make sure that you have access and permission to run the Symantec Data Loss Prevention installer
software: EnforceServer.msi.
• Install the Java Runtime Environment.
Installing the Java Runtime Environment on the Enforce Server on Windows
Installing the Java Runtime Environment on the Enforce Server on Linux
If you intend to run Symantec Data Loss Prevention using Federal Information Processing Standards (FIPS) encryption,
you must first prepare for FIPS encryption. You enable FIPS encryption during the installation process.

Related Links
About FIPS encryption on page 349

Installing on Windows
The following sections include steps to install the Enforce Server on Windows:
• Installing the Java Runtime Environment on the Enforce Server on Windows
• Installing an Enforce Server on Windows

Installing the Java Runtime Environment on the Enforce Server on Windows


You install the Java Runtime Environment (JRE) on the Enforce Server before you install the Enforce Server.
1. Log on (or remote logon) as Administrator to the Enforce Server system on which you intend to install Enforce.
2. Copy OpenJDK8U-jre_x64_windows_hotspot_<version>.zip from your DLPDownloadHome\DLP
\16.0.1\New_Installs\x64\Release directory to the computer where you plan to install the Enforce Server.
Where <version> represents the latest supported version. For example, move the file to c:\temp.
3. Unzip the file to C:\Program Files\AdoptOpenJRE\jdk<version>-jre.
Next: Installing an Enforce Server on Windows

Installing an Enforce Server on Windows


The instructions that follow describe how to install an Enforce Server on a Windows computer in a two- or three-tier
environment. The steps to install the Enforce Server in a single-tier environment are different.
Installing a single-tier server on Windows
NOTE
If you are running the database in a RAC environment, confirm that the scan host IP for RAC is accessible and
the nodes associated with it are all up and running during the install process.
These instructions assume that the EnforceServer.msi file and license file have been copied into the c:\temp
directory on the Enforce Server computer.
NOTE
Enter directory names, account names, passwords, IP addresses, and port numbers that you create or specify
during the installation process using standard 7-bit ASCII characters only. Extended (hi-ASCII) and double-byte
characters are not supported.

The installation process automatically generates log information saved to a file MSI*.log (* is replaced with random
characters) in the %TEMP% folder. You can change the log file name and location by starting the installation from the
command line with the /L*v option. See the example below:
msiexec /i EnforceServer.msi /L*v c:\temp\enforce_install.log
You can complete the installation silently or using a graphical user interface.
Installing silently

Enter values with information specific to your installation for the following:

Table 108: Enforce Server installation parameters

Command  Description

INSTALLATION_DIRECTORY  Specifies where the Enforce Server is installed. The default location is C:\Program Files\Symantec\DataLossPrevention.
DATA_DIRECTORY  Defines where Symantec Data Loss Prevention stores files that are updated while the Enforce Server is running (for example, logs and licenses). The default location is c:\ProgramData\Symantec\DataLossPrevention\EnforceServer\.
Note: If you do not use the default location, you must indicate a folder name for the data directory. If you set the data directory to the drive root (for example c:\ or e:\) you cannot successfully uninstall the program.
JRE_DIRECTORY  Specifies the path where the JRE resides. See Installing the Java Runtime Environment on the Enforce Server on Windows.
FIPS_OPTION  Defines whether to disable (Disabled) or enable (Enabled) FIPS encryption. The default is Disabled.
SERVICE_USER_OPTION  Defines whether to create a new service user by entering NewUser or use an existing one by entering ExistingUser. The default is ExistingUser.
SERVICE_USER_USERNAME  Defines a name for the account that is used to manage Symantec Data Loss Prevention services. The default user name is “SymantecDLP.”
SERVICE_USER_PASSWORD  Defines the password for the account that is used to manage Symantec Data Loss Prevention services.
ORACLE_HOME  Defines the Oracle Home Directory. For example, use c:\oracle\product\19.3.0.0\db_1 to define the home directory if you use the Oracle 19c database.
ORACLE_HOST  Defines the IP address of the Oracle server computer. If you are running the Oracle database in a RAC environment, use the scan host IP address for the host, not the database IP address. Confirm that the scan host IP for RAC is accessible and that all of the nodes associated with it are running during the installation process.
ORACLE_PORT  Defines the Oracle listener port (typically 1521).
ORACLE_USERNAME  Defines the Symantec Data Loss Prevention database user name.
ORACLE_PASSWORD  Defines the Symantec Data Loss Prevention database password.
ORACLE_SERVICE_NAME  Defines the database service name (typically “protect”).
EXTERNAL_STORAGE_OPTION  Defines whether incident attachments are stored in the database (Database) or in external storage (ExternalStorage).
EXTERNAL_STORAGE_DIRECTORY  Defines the path where you plan to store incident attachments.
ADDITIONAL_LOCALE  Defines an additional locale for use by individual users.
ENFORCE_ADMINISTRATOR_PASSWORD  Defines the Enforce Server administration console password. The Enforce Server administration console password must be at least eight characters long.
REINSTALLATION_RESOURCE_FILE  Defines the location of the Reinstallation Resource File.
INITIALIZE_DATABASE_OPTION  Defines whether you create a new database (Initialize) or connect to an existing one (Preserve). The default is Preserve.

The following is an example of what the completed command might look like. The command you use differs based on your
implementation requirements. Using the following command as-is may cause the installation to fail.

msiexec /i EnforceServer.msi /qn /norestart
INSTALLATION_DIRECTORY="C:\Program Files\Symantec\DataLossPrevention"
DATA_DIRECTORY="C:\ProgramData\Symantec\DataLossPrevention\EnforceServer"
JRE_DIRECTORY="C:\Program Files\AdoptOpenJRE\jdk8u322-b06-jre"
FIPS_OPTION=Disabled
SERVICE_USER_OPTION=ExistingUser
SERVICE_USER_USERNAME=<protect>
SERVICE_USER_PASSWORD=<password>
ORACLE_HOST=[IP or host name]
ORACLE_PORT=1521
ORACLE_USERNAME=protect
ORACLE_PASSWORD=<password>
ORACLE_SERVICE_NAME=protect
EXTERNAL_STORAGE_OPTION=Database
ENFORCE_ADMINISTRATOR_PASSWORD=Password
Installing using a graphical user interface

1. Symantec recommends that you disable any antivirus, pop-up blocker, and registry protection software before you
begin the Symantec Data Loss Prevention installation process.
2. Go to the folder where you copied the EnforceServer.msi file (c:\temp).
3. Double-click EnforceServer.msi to start the installation wizard.
NOTE
The installation process automatically generates log information saved to a file MSI*.log (replace * with
random characters) in the %TEMP% folder. You can change log file name and location by starting the
installation from the command line by running the /L*v option.
msiexec /i EnforceServer.msi /L*v c:\temp\enforce_install.log

4. In the Welcome panel, click Next.


5. After you review the license agreement, select I accept the terms in the License Agreement, and click Next.
6. In the Destination Folder panel, accept the default destination directory, or enter an alternate directory, and click
Next. The default installation directory is:
c:\Program Files\Symantec\DataLossPrevention\

Symantec recommends that you use the default destination directory. References to the "installation directory" in
Symantec Data Loss Prevention documentation are to this default location.

7. In the Data Directory panel, accept the default data directory, or enter an alternate directory, and click Next. The
default data directory is:
c:\ProgramData\Symantec\DataLossPrevention\
NOTE
If you do not use the default location, you must indicate a folder name for the data directory (for example,
c:\enforcedata). If you set the data directory to the drive root (for example c:\ or e:\) you cannot
successfully uninstall the program.
8. In the JRE Directory panel, click Browse to locate the JRE, and click Next.
9. In the FIPS Cryptography Mode panel, select whether to disable or enable FIPS encryption.
About FIPS encryption
10. In the Service User panel, select one of the following options.
• New Users: Select this option to create the Symantec Data Loss Prevention system account user name and
password and confirm the password. This account is used to manage Symantec Data Loss Prevention services.
The default user name is “SymantecDLP.”
NOTE
The password you enter for the System Account must conform to the password policy of the server. For
example, the server may require all passwords to include special characters.
• Existing Users: Select this option to use an existing local or domain user account.
Click Next.
11. (Optional) If you opted to create a new service user, enter the new account name and password. Confirm the
password, then click Next.
12. (Optional) If you opted to use an existing domain user account, enter the account name and password. The user name
must be in DOMAIN\username format.
13. In the Oracle Database panel, enter details about the Oracle database server. Specify one of the following options in
the Oracle Database Server field:

Host Enter host information based on your Symantec Data Loss Prevention installation:
• Single- and two-tier installation (Enforce and Oracle servers on the same system): The Oracle Server
location is 127.0.0.1.
• Three-tier installation (Enforce Server and Oracle server on different systems): Specify the Oracle server
host name or IP address.
If you are running the Oracle database in a RAC environment, use the scan host IP address for the host,
not the database IP address. Confirm that the scan host IP for RAC is accessible and that all of the nodes
associated with it are running during the installation process.
Port Enter the Oracle Listener Port, or accept the default.
Service Name Enter the database service name (typically “protect”).
Username Enter the Symantec Data Loss Prevention database user name.
Password Enter the Symantec Data Loss Prevention database password.

If your Oracle database is not a supported version, you are warned and offered the choice of continuing or canceling
the installation. You can continue and upgrade the Oracle database later.

NOTE
Symantec Data Loss Prevention requires the Oracle database to use the AL32UTF8 character set. If your
database is configured for a different character set, you are notified and the installation is canceled. Correct
the problem and re-run the installer.
14. Click Next.
If you are performing a new installation, go to step 17. If you are installing to a database where you have previously
installed Symantec Data Loss Prevention, the Initialize Database panel displays.
15. In the Initialize Database panel, select one of the following options:
• Select Initialize Database if you are performing a new Symantec Data Loss Prevention installation.
Select this option if you are reinstalling and want to overwrite the existing Enforce schema and all data. Note
that this action cannot be undone. If this check box is selected, the data in your existing Symantec Data Loss
Prevention database is destroyed when you begin the installation.
Click Next.
In the Enforce Administrator Password panel, enter and confirm a password you use to access the Enforce
Server administration console. The Enforce Server administration console password must be at least eight
characters long.
• Select Preserve Database Data if you want to connect to an existing database.
Selecting this option skips the database initialization process.
Click Next.
In the Enforce Reinstallation Resources panel, specify the unique Enforce Reinstallation Resources file for the
existing database that you want to use.
16. Click Next.
17. Select one of the following incident storage locations on the Incident Storage Location panel:
• Database stores incidents in the Oracle database.
• External Storage stores your incident attachments externally.
About external storage for incident attachments
18. Click Next and enter the path or browse to your external storage directory (if you selected External Storage), or go to
21 if you selected Database.
19. In the Additional Locale panel, select an alternate locale, or accept the default of None, and click Next.
Locale controls the format of numbers and dates, and how lists and reports are alphabetically sorted. If you accept
the default choice of None, English is the locale for this Symantec Data Loss Prevention installation. If you choose an
alternate locale, that locale becomes the default for this installation, but individual users can select English as a locale
for their use.
See About locales for more information on locales.
20. Click Install.
The installation process can take a few minutes. The installation program window may persist for a while during the
startup of the services. After a successful installation, a completion notice displays.
21. Restart any antivirus, pop-up blocker, or other protection software that you disabled before starting the Symantec Data
Loss Prevention installation process.
22. Verify that the Enforce Server is properly installed.
See Verifying an Enforce Server installation.

23. Import a Symantec Data Loss Prevention solution pack immediately after installing the Enforce Server, and before
installing any detection servers.
See About Symantec Data Loss Prevention solution packs.
24. Create a backup of your system after completing the installation.
See Backing up your system.

Installing on Linux
The following sections include steps to install the Enforce Server on Linux:
• Installing the Java Runtime Environment on the Enforce Server on Linux
• Installing an Enforce Server on Linux
• Configuring a new Enforce Server installation on Linux

Installing the Java Runtime Environment on the Enforce Server on Linux


These steps assume you have prepared the Enforce Server environment. See Preparing for an Enforce Server
installation.

You install the Java Runtime Environment (JRE) on the Enforce Server before you install the Enforce Server.
1. Log on as root to the Enforce Server system on which you intend to install Enforce.
2. Copy OpenJDK8U-jre_x64_linux_hotspot_<version>.tar.gz from your DLPDownloadHome/DLP/16.0.1/
New_Installs/Release directory to the computer where you plan to install the Enforce Server.
Where <version> represents the latest supported version.
3. Extract the file contents (for example, to /opt/AdoptOpenJRE).
Next: Signing RPM Files for Server Components

Signing RPM Files for Server Components


Before you install the latest Symantec Data Loss Prevention version on a Linux platform, Symantec recommends
that you use the RPM signing key to verify the signature of RPM files. All RPM packages provided in the
Symantec_DLP_16_0_1_Platform_Lin-IN_<platform_lin_version>.zip are signed with a GPG key. The
signature provides integrity protection and ensures that the packages are the same packages produced by Symantec and
were not altered in any way by a malicious third party.
NOTE
If you try to install and do not use the RPM signing key, a "NOKEY" warning message displays during the
installation.
Use the RPM signing key before you install the Enforce Server, detection server, or a single-tier system.
1. Locate the Symantec_DLP_RPM_Signing_Key.asc file in the DLPDownloadHome directory. The
Symantec_DLP_RPM_Signing_Key.asc is packaged in the Symantec_DLP_16_0_1_Platform_Lin-
IN_<platform_lin_version>.zip file.
2. Copy the Symantec_DLP_RPM_Signing_Key.asc file to the computer where you plan to install the server
component.
3. Log on as root to the computer where you plan to install the server component.
4. Import the key to the RPM key ring by running the following command:
rpm --import Symantec_DLP_RPM_Signing_Key.asc

5. Display the imported key by running the following command:
rpm -qi gpg-pubkey-b891399b-59c04bd7

6. Verify the signature of files before installing them by running the following command:
rpm -K *.rpm
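Reading the rpm -K report by eye is error-prone, and a package that carries no signature at all still reports its digests as OK and exits 0, so a plain exit-status check would let an unsigned package through. The following added shell example (not part of the Symantec documentation) imports the key, runs rpm -K, and refuses to proceed unless every line reports an intact package whose signature verified against a key in the RPM key ring. The report formats it parses are those of rpm 4.11 (RHEL 7) and rpm 4.14 and later (RHEL 8); that, and the sample lines in the test, are this example's assumptions.

```sh
#!/bin/sh
# Added example, not part of the Symantec documentation: gate the install on
# the result of "rpm -K" instead of reading it by eye. Parses the report
# formats of rpm 4.11 (RHEL 7) and rpm 4.14+ (RHEL 8), an assumption about
# those rpm versions.

# rpm_line_ok LINE -> 0 only if the "rpm -K" report LINE says the package is
# intact AND carries a signature that verified against an imported key.
rpm_line_ok() {
    line=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    report=${line#*: }                      # drop the "file.rpm: " prefix

    # Any bad digest, bad signature, or unknown key is a hard failure.
    case "$report" in
        *"not ok"*|*nokey*|*"missing keys"*) return 1 ;;
    esac
    # The verdict must end in OK.
    case "$report" in
        *" ok") ;;
        *) return 1 ;;
    esac
    # An UNSIGNED package still reports "digests OK" (rpm 4.14) or
    # "sha1 md5 OK" (rpm 4.11) and exits 0, so "rpm -K" alone would let it
    # through. Demand a signature token before accepting the line.
    case "$report" in
        *signatures*|*pgp*|*rsa*|*dsa*) return 0 ;;
        *) return 1 ;;
    esac
}

# rpm_report_ok TEXT -> 0 only if TEXT (the complete "rpm -K" output) has at
# least one report line and every line passes rpm_line_ok.
rpm_report_ok() {
    n=0
    while IFS= read -r l || [ -n "$l" ]; do
        [ -z "$l" ] && continue
        n=$((n + 1))
        rpm_line_ok "$l" || return 1
    done <<EOF
$1
EOF
    [ "$n" -gt 0 ]
}

# verify_signed_rpms KEYFILE FILE... -> imports the signing key, checks every
# package, prints the report, and returns 1 unless all of them pass.
verify_signed_rpms() {
    keyfile=$1
    shift
    rpm --import "$keyfile" || return 1
    out=$(rpm -K "$@" 2>&1 || true)         # the parser decides, not the exit code
    printf '%s\n' "$out"
    rpm_report_ok "$out"
}
```

Chain it in front of the installer so a failed or missing signature stops the install: verify_signed_rpms Symantec_DLP_RPM_Signing_Key.asc ./*.rpm && ./install.sh -t enforce.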
Next: Installing an Enforce Server on Linux

Installing an Enforce Server on Linux


The instructions that follow describe how to install an Enforce Server on a Linux computer.
These instructions assume that the EnforceServer.zip file and license file have been copied into the /opt/temp
directory on the Enforce Server computer.
1. Symantec recommends that you disable any antivirus, pop-up blocker, and registry protection software before you
begin the Symantec Data Loss Prevention installation process.
2. Log on as root to the Enforce Server system on which you intend to install Enforce.
3. Navigate to the directory where you copied the EnforceServer.zip file (/opt/temp/).
4. Unzip the file to the same directory (/opt/temp/).

5. Confirm file dependencies for RPM files by running the following command:
rpm -qpR *.rpm

You can also specify a file to confirm by running the following command:
rpm -qpR <rpm-file>

If the command indicates that dependencies are missing, you can use YUM repositories to install them. Use the
following command:
yum install repo

Replace repo with the repository package name.


6. Install the Enforce Server by running the following command:
./install.sh -t enforce

Parameters for install.sh


NOTE
If you use YUM to install, you cannot override the default relocatable roots where Symantec Data Loss
Prevention is installed.
7. Restart any antivirus, pop-up blocker, or other protection software that you disabled.
8. Start the Symantec Data Loss Prevention configuration process.
Configuring a new Enforce Server installation on Linux
Next: Configuring a new Enforce Server installation on Linux

Configuring a new Enforce Server installation on Linux


After you install the Enforce Server on Linux, you configure the installation by running the Enforce Server Configuration
Utility.

NOTE
If you are running the database in a RAC environment, confirm that the SCAN HOST IP for RAC is accessible
and the nodes associated with it are all up and running during the install process.
You can complete the installation silently or using a graphical user interface.
Configure silently

The following table lists the installation parameters you use during the Enforce Server silent installation.

Table 109: Enforce Server installation parameters

Command                       Description

jreDirectory                  Specifies where the JRE resides. See Installing the Java Runtime Environment on the
                              Enforce Server on Linux.
fipsOption                    Defines whether to disable (Disabled) or enable (Enabled) FIPS encryption.
serviceUserOption             Defines the service user by entering NewUser or ExistingUser. The default is NewUser.
serviceUserUsername           Defines a name for the account that is used to manage Symantec Data Loss Prevention
                              services. The default user name is “SymantecDLP.”
oracleHome                    Defines the Oracle Home Directory. For example, use /opt/oracle/product/19.3.0.0/db_1 to
                              define the home directory if you use the Oracle 19c database.
oracleHost                    Defines the IP address of the Oracle server computer.
                              If you are running the Oracle database in a RAC environment, use the Scan Host IP address
                              for the host, not the database IP address. Confirm that the SCAN HOST IP for RAC is
                              accessible and that all of the nodes associated with it are running during the
                              installation process.
oraclePort                    Defines the Oracle listener port (typically 1521).
oracleUsername                Defines the Symantec Data Loss Prevention database user name.
oraclePassword                Defines the Symantec Data Loss Prevention database password.
oracleServiceName             Defines the database service name (typically “protect”).
initializeDatabaseOption      Defines whether you create a new database (Initialize) or connect to an existing one
                              (Preserve). The default setting is Preserve.
                              Warning! If you install over an existing installation, entering Initialize overwrites the
                              existing Enforce schema and all data. This means that the existing Symantec Data Loss
                              Prevention database is destroyed when you run the installer.
                              Leave this item blank to perform a recovery operation.
                              Note: If your Oracle database is not the correct version, you are warned and offered the
                              choice of continuing or canceling the installation. You can continue and upgrade the
                              Oracle database later.
reinstallationResourceFile    Defines the location of the Reinstallation Resource File. See Creating the Enforce
                              Reinstallation Resources file.
externalStorageOption         Defines whether incident attachments are stored in the database (Database) or in
                              external storage (ExternalStorage).
externalStorageDirectory      Defines the path where you plan to store incident attachments.
enforceAdministratorPassword  Defines the Enforce Server administration console password. The Enforce Server
                              administration console password must be at least eight characters long.
additionalLocale              Defines an additional locale for use by individual users.

The following is an example of what the completed command might look like. The command you use differs based on your
implementation requirements. Using the following command as-is may cause the installation to fail.
./EnforceServerConfigurationUtility -silent
-jreDirectory=opt/AdoptOpenJRE/jdk8u322-b06-jre
-serviceUserOption=NewUser
-serviceUserUsername=protect
-oracleHome=/opt/oracle/product/19.3.0.0/db_1
-oracleHost=127.0.0.1
-oracleUsername=protect
-oraclePassword=password
-oraclePort=1521
-oracleServiceName=protect
-initializeDatabaseOption=Preserve
-reinstallationResourceFile=/opt/temp/EnforceReinstallationResources.zip
-fipsOption=Disabled
-externalStorageOption=Database
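The following script is an added example and is not part of the Symantec documentation: it checks a set of silent-configuration values against the rules in Table 109 (Initialize or Preserve, the eight-character console password minimum, an existing reinstallation resource file) before assembling the EnforceServerConfigurationUtility command line. The environment variable names and the mode argument (print or run) are this example's own; the install directory is the default path from the graphical procedure.

```shell
#!/bin/sh
# Added example, not Symantec's code. Settings are read from environment
# variables named here (JRE_DIRECTORY, INIT_DB_OPTION, ...); each maps to the
# Table 109 parameter shown in enforce_silent_run.

# Validate the settings. Returns 0 when every check passes; each failed check
# prints a reason to stderr and the function returns 1.
validate_enforce_silent_settings() {
    status=0
    # Unset means the default (Preserve); set but blank means a recovery run.
    case "${INIT_DB_OPTION-Preserve}" in
        Initialize)
            echo "note: Initialize overwrites any existing Enforce schema and data" >&2 ;;
        Preserve)
            # Reusing a database needs the resources file from the earlier install.
            if [ ! -f "${REINSTALL_RESOURCE_FILE:-}" ]; then
                echo "error: REINSTALL_RESOURCE_FILE must be an existing EnforceReinstallationResources.zip" >&2
                status=1
            fi ;;
        "") ;;
        *)
            echo "error: INIT_DB_OPTION must be Initialize, Preserve or blank" >&2
            status=1 ;;
    esac
    case "${FIPS_OPTION:-Disabled}" in
        Enabled|Disabled) ;;
        *) echo "error: FIPS_OPTION must be Enabled or Disabled" >&2; status=1 ;;
    esac
    case "${SERVICE_USER_OPTION:-NewUser}" in
        NewUser|ExistingUser) ;;
        *) echo "error: SERVICE_USER_OPTION must be NewUser or ExistingUser" >&2; status=1 ;;
    esac
    case "${EXTERNAL_STORAGE_OPTION:-Database}" in
        Database) ;;
        ExternalStorage)
            if [ -z "${EXTERNAL_STORAGE_DIRECTORY:-}" ]; then
                echo "error: ExternalStorage requires EXTERNAL_STORAGE_DIRECTORY" >&2
                status=1
            fi ;;
        *) echo "error: EXTERNAL_STORAGE_OPTION must be Database or ExternalStorage" >&2; status=1 ;;
    esac
    # Console password: at least eight characters (Table 109).
    if [ "${#ENFORCE_ADMIN_PASSWORD}" -lt 8 ]; then
        echo "error: ENFORCE_ADMIN_PASSWORD must be at least eight characters" >&2
        status=1
    fi
    # Listener port must be numeric (typically 1521).
    case "${ORACLE_PORT:-1521}" in
        *[!0-9]*) echo "error: ORACLE_PORT must be numeric" >&2; status=1 ;;
    esac
    if [ ! -d "${JRE_DIRECTORY:-}" ]; then
        echo "error: JRE_DIRECTORY is not a directory" >&2
        status=1
    fi
    return $status
}

# Assemble the Table 109 argument list and either print it (one argument per
# line) or validate and run the utility with it. The Oracle password is passed
# on the command line, as the documented example does, so it is visible in
# process listings while the utility runs.
enforce_silent_run() {   # usage: enforce_silent_run print|run
    set -- "$1" -silent \
        "-jreDirectory=${JRE_DIRECTORY:-}" \
        "-fipsOption=${FIPS_OPTION:-Disabled}" \
        "-serviceUserOption=${SERVICE_USER_OPTION:-NewUser}" \
        "-serviceUserUsername=${SERVICE_USER_USERNAME:-SymantecDLP}" \
        "-oracleHome=${ORACLE_HOME:-}" \
        "-oracleHost=${ORACLE_HOST:-}" \
        "-oraclePort=${ORACLE_PORT:-1521}" \
        "-oracleUsername=${ORACLE_USERNAME:-protect}" \
        "-oraclePassword=${ORACLE_PASSWORD:-}" \
        "-oracleServiceName=${ORACLE_SERVICE_NAME:-protect}" \
        "-initializeDatabaseOption=${INIT_DB_OPTION-Preserve}" \
        "-reinstallationResourceFile=${REINSTALL_RESOURCE_FILE:-}" \
        "-externalStorageOption=${EXTERNAL_STORAGE_OPTION:-Database}" \
        "-enforceAdministratorPassword=${ENFORCE_ADMIN_PASSWORD:-}"
    mode=$1
    shift
    if [ "$mode" = print ]; then
        printf '%s\n' "$@"
        return 0
    fi
    validate_enforce_silent_settings || return 1
    cd /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/install || return 1
    ./EnforceServerConfigurationUtility "$@"
}
```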
Configure using a graphical user interface

1. Navigate to the installation directory. The default directory is
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/install.
2. Run the Enforce Server Configuration Utility. Use the following command to launch the utility:
./EnforceServerConfigurationUtility

3. Enter the following information in the Enforce Server Configuration Utility:

License agreement       Review and accept the License Agreement by entering 1.
JRE directory           Enter the JRE directory. The recommended directory is opt/AdoptOpenJRE/[JRE version].
                        See Installing the Java Runtime Environment on the Enforce Server on Linux.
FIPS encryption         Select whether to disable or enable FIPS encryption. See About FIPS encryption.
Service user            Enter 1 to add a new user or enter 2 to use an existing user.
                        The default new user name is "SymantecDLP." If you create a new service user, enter the
                        user name when prompted.
                        Note: If you create a new service user, the user must be a member of a group and the service
                        user and the group names must match. If these conditions are not present, upgrades fail.
Oracle database connection
                        Specify the following Oracle database connection settings:
                        • Oracle Home Directory: For example, use /opt/oracle/product/19.3.0.0/db_1 to define the
                          home directory if you use the Oracle 19c database.
                        • Oracle Host: Specify the Oracle server host name or IP address. To install into a test
                          environment that has no DNS available, use the IP address of the Oracle database server.
                          Note: If you are running the Oracle database in a RAC environment, use the Scan Host IP
                          address for Oracle Host, not the database IP address.
                        • Port: Enter the Oracle listener port.
                        • Service name: Enter the database service name (typically “protect”).
                        • Oracle user name and password: Enter the user name and password.
                        • Database initialization: Select one of the following options:
                          – Initialize Database: Set the database to initialize by entering 1.
                            Warning! If you install over an existing installation, entering 1 overwrites the
                            existing Enforce schema and all data. This means that the existing Symantec Data Loss
                            Prevention database is destroyed when you run the installer.
                          – Preserve Database Data: Use an existing database by entering 2.
                            If you connect an existing Enforce Server database, identify the location of the
                            EnforceReinstallationResources.zip file from your previous installation. See Creating
                            the Enforce Reinstallation Resources file.
Enforce Server settings Specify the following Enforce Server settings.
                        • Enforce administrator password: If you chose an option to support password authentication
                          with forms-based logon, enter a password for the Enforce Server Administrator account. The
                          Enforce Server administration console password must be at least eight characters long.
                          If you chose to support certificate authentication, enter the Common Name (CN) value that
                          corresponds to the Enforce Server Administrator user. The Enforce Server assigns
                          administrator privileges to the user who logs on with a client certificate that contains
                          this CN value.
                        • Enable external storage: Select one of the following options:
                          – Database storage: This option stores data in the database.
                          – Enable External Storage: This option lets you store incident attachments externally.
                            Enter a path to the external storage directory.

NOTE
If any configuration steps fail, the Enforce Server Configuration Utility does not roll back the changes that
were made. You must roll back the changes before you re-attempt the installation.
Rolling back a failed Enforce Server installation
Setting the ownership and permission of Symantec Data Loss Prevention files may take several minutes. The
installation program may persist for a while during the startup of the services.
If you re-use a database that was created for an earlier Symantec Data Loss Prevention installation, the Symantec
Data Loss Prevention database user ("protect" user by default) may not have sufficient privileges to install the product.
In this case, you must manually add the necessary privileges using SQL*Plus.
NOTE
Symantec Data Loss Prevention requires the Oracle database to use the AL32UTF8 character set. If your
database is configured for a different character set, you are notified and the installation is canceled. Correct
the problem and re-run the installer.
4. Verify that the Enforce Server is properly configured.
Verifying an Enforce Server installation
5. Import a Symantec Data Loss Prevention solution pack immediately after installing the Enforce Server, and before
installing any detection servers.
Importing a Solution Pack
6. Create a backup of your system after completing the installation.
Backing up your system
Rolling back a failed Enforce Server installation

While installing the Enforce Server on Linux, if any configuration steps fail, the Enforce Server Configuration Utility does
not roll back the changes that were made.
1. Stop all the SymantecDLP services and uninstall the Enforce Server by running the following command:
rpm -e $(rpm -qa "symantec-dlp-16-0*")

2. Confirm that the following folders and their contents are removed from the Enforce Server:
• /opt/Symantec/DataLossPrevention
• /var/Symantec/DataLossPrevention
• /var/log/Symantec/DataLossPrevention
• /var/run/Symantec/DataLossPrevention
If the folders and their contents are not removed, delete them.
3. Re-install the Java Runtime Environment and the Enforce Server.
Parameters for install.sh

You can use the following parameters when using install.sh. If you do not change parameters, a default installation is
completed.

Table 110: Parameters for install.sh

Parameter  Default                                 Description

-t         N/A                                     This required parameter defines the installation type. Enter one of the
                                                   following, depending on what you plan to install:
                                                   • enforce
                                                   • detection
                                                   • singletier
                                                   • indexers
-i         /opt/Symantec/DataLossPrevention        Defines the path to the installation directory. You can indicate a path
                                                   where you want to relocate the installation type.
-d         /var/Symantec/DataLossPrevention        Defines the path to the data directory.
-l         /var/log/Symantec/DataLossPrevention    Defines the path to the logs directory.
-r         /var/run/Symantec/DataLossPrevention    Defines the path to the run directory.
-s         /var/spool/Symantec/DataLossPrevention  Defines the path to the spool directory.

Verifying an Enforce Server installation


After installing an Enforce Server, verify that it is operating correctly before importing a solution pack.
1. Confirm that Oracle Services automatically start upon system restart.
2. Confirm that all of the Symantec Data Loss Prevention Services are running under the user name that you specified
during installation.
NOTE
On Windows platforms, all services run under the user name (by default, “SymantecDLP”).
Symantec Data Loss Prevention includes the following services:
• SymantecDLPManagerService
• SymantecDLPIncidentPersisterService
• SymantecDLPNotifierService
• SymantecDLPDetectionServerControllerService

3. If the Symantec Data Loss Prevention services do not start, check the log files for possible issues (for example,
connectivity, password, or database access issues).
• For Windows, the Symantec Data Loss Prevention installation log is at c:\ProgramData\Symantec
\DataLossPrevention\EnforceServer\16.0.10000\logs.
You may also need to install the Update for Universal C Runtime in Windows. See https://support.microsoft.com/
en-us/kb/2999226.
• For Linux, the Symantec Data Loss Prevention operational logs are in /var/log/Symantec/
DataLossPrevention/EnforceServer/16.0.10000/logs.

4. Once you have verified the Enforce Server installation, you can log on to the Enforce Server to view the administration
console. After you log on, you accept the EULA, enter your company information, and add all of your licenses.
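The following check is an added example for steps 2 and 3 above and is not part of the Symantec documentation: it reads a user/command process listing, reports which user owns each of the four Enforce Server services, and fails when any service is missing or runs as a user other than the install-time service user. It assumes that the service name appears in the process command line (the listing below is constructed for illustration) and that the operational logs use the SEVERE level; adjust the pattern and log directory to your system.

```shell
#!/bin/sh
# Added example, not Symantec's code. Verifies that each Enforce Server service
# listed in step 2 runs under the service user chosen at install time.

DLP_SERVICES="SymantecDLPManagerService SymantecDLPIncidentPersisterService SymantecDLPNotifierService SymantecDLPDetectionServerControllerService"

# Constructed sample of a "user command" listing (what ps -eo user:20,args
# prints after its header). The last service deliberately runs as root, the
# failure mode this check is meant to catch.
SAMPLE_PS='root         /usr/lib/systemd/systemd --system
SymantecDLP  /opt/AdoptOpenJRE/jdk8u322-b06-jre/bin/java SymantecDLPManagerService
SymantecDLP  /opt/AdoptOpenJRE/jdk8u322-b06-jre/bin/java SymantecDLPIncidentPersisterService
SymantecDLP  /opt/AdoptOpenJRE/jdk8u322-b06-jre/bin/java SymantecDLPNotifierService
root         /opt/AdoptOpenJRE/jdk8u322-b06-jre/bin/java SymantecDLPDetectionServerControllerService'

# Read a listing on stdin and print "service owner" for each service, or
# "service MISSING" when no process mentions it. A grep for the service name
# would match itself, so pipe a real ps listing in rather than grep output.
dlp_service_owners() {
    listing=$(cat)
    for svc in $DLP_SERVICES; do
        owner=$(printf '%s\n' "$listing" | awk -v s="$svc" 'index($0, s) { print $1; exit }')
        echo "$svc ${owner:-MISSING}"
    done
}

# Return 0 only when every service runs as $1 (the install-time service user);
# otherwise name each offending service on stderr and return 1.
dlp_services_ok() {
    expected=$1
    dlp_service_owners | awk -v u="$expected" '
        $2 != u { bad = 1; print $1 " runs as " $2 " (expected " u ")" > "/dev/stderr" }
        END { exit bad }'
}

# Step 3: when a service is missing, show the most recent SEVERE lines from the
# operational logs (assumes the java.util.logging level names; path from step 3).
dlp_log_severe() {   # usage: dlp_log_severe [logdir]
    dir=${1:-/var/log/Symantec/DataLossPrevention/EnforceServer/16.0.10000/logs}
    [ -d "$dir" ] || { echo "no log directory: $dir" >&2; return 1; }
    grep -h 'SEVERE' "$dir"/*.log 2>/dev/null | tail -n 20
    return 0
}

# Stand-alone use on the Enforce Server (user:20 widens the USER column so the
# 11-character service user is not truncated):
#   ps -eo user:20,args | tail -n +2 | dlp_services_ok SymantecDLP || dlp_log_severe
```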

Installing a New License File


When you first purchase Symantec Data Loss Prevention, upgrade to a later version, or purchase more product modules,
you must install one or more Symantec Data Loss Prevention license files. License files have names in the format
name.slf.
You can also enter a license file for one module to start and, later on, enter license files for more modules.
1. Download the new license file.
2. Log in to the Enforce Server administration console.
3. Go to System > Settings > General and click Configure.
4. At the Edit General Settings screen, scroll down to the License section.
5. In the Install License field, browse for the new Symantec Data Loss Prevention license file you downloaded.
6. Click Save to agree to the terms and conditions of the end-user license agreement (EULA) for the software and to
install the license.

The Current License list displays the following information for each product license:
• Product – The individual Symantec Data Loss Prevention product name
• Count – The number of users licensed to use the product
• Status – The current state of the product
• Expiration – The expiration date of license for the product
A month before the license expires, warning messages appear on the System > Servers > Overview screen.
When you see a message about the expiration of your license, contact Symantec to purchase a new license key before
the current license expires.

Importing a solution pack


Learn about importing a solution pack.
About Symantec Data Loss Prevention solution packs
Importing a Solution Pack

About Symantec Data Loss Prevention solution packs


You import a solution pack to provide the initial Enforce Server configuration. Each solution pack includes policies, roles,
reports, protocols, and the incident statuses that support a particular industry or organization.
Solution packs have file names ending in .vsp (for example, Energy_v16.0.1.vsp).
Download Symantec_DLP_16.0.1_Solution_Packs.zip from Product Downloads at the Broadcom Support
Portal. Save the file to the same local system to which you downloaded the other Data Loss Prevention components.

Unzip the contents of Symantec_DLP_16.0.1_Solution_Packs.zip to a directory based on your
platform:
• Windows: DLPDownloadHome\DLP\16.0.1\Solution_Packs\
• Linux: DLPDownloadHome/DLP/16.0.1/Solution_Packs/
Symantec provides the solution packs listed in the following table.

Table 111: Symantec Data Loss Prevention solution packs

Name                                   File name

Energy & Utilities Solution Pack       Energy_v16.0.1.vsp
EU and UK Solution Pack                EU_UK_v16.0.1.vsp
Federal Solution Pack                  Federal_v16.0.1.vsp
Financial Services                     Financial_v16.0.1.vsp
Health Care Solution Pack              Health_Care_v16.0.1.vsp
High Tech Solution Pack                High_Tech_v16.0.1.vsp
Insurance Solution Pack                Insurance_v16.0.1.vsp
Manufacturing Solution Pack            Manufacturing_v16.0.1.vsp
Media & Entertainment Solution Pack    Media_Entertainment_v16.0.1.vsp
Pharmaceutical Solution Pack           Pharmaceutical_v16.0.1.vsp
Retail Solution Pack                   Retail_v16.0.1.vsp
Telecom Solution Pack                  Telecom_v16.0.1.vsp
General Solution Pack                  General_v16.0.1.vsp

See the solution pack documentation for a description of the contents of each solution pack.
Solution pack documentation can be found in one of the following directories (based on your platform):
• Windows: DLPDownloadHome\DLP\16.0.1\Docs\Solution_Packs\
• Linux: DLPDownloadHome/DLP/16.0.1/Docs/Solution_Packs
The directory was created when you unzipped either the entire software download file or the documentation ZIP file.
You must choose and import a solution pack immediately after installing the Enforce Server and before installing any
detection servers. You only import a single solution pack. You cannot change the imported solution pack at a later time.
Importing a solution pack

Importing a Solution Pack


You import a Symantec Data Loss Prevention solution pack on the Enforce Server computer. The following rules apply
when you import a solution pack:
• You must import the solution pack immediately after you install the Enforce Server and before you install any detection
server. (If you performed a single-tier installation, you must import the solution pack immediately after the installation is
complete.)
• Only import a solution pack that was created for the specific Enforce Server version you installed. Do not import a
solution pack that was released with a previous version of the Symantec Data Loss Prevention software.
For example, do not import a version 16.0 solution pack on a version 16.0.1 Enforce Server.
• Do not attempt to import more than one solution pack on the same Enforce Server, as the solution pack import fails.
• Do not import a solution pack on an Enforce Server that was modified after the initial installation; the solution pack
import fails.
• After you import a solution pack, you cannot change the installation to use a different solution pack later.
1. Decide which solution pack you want to use.
About Symantec Data Loss Prevention solution packs

NOTE
Use a version 16.0.1 solution pack; earlier versions are not supported.
2. Log on (or remote log-on) as Administrator (on Windows) or root (on Linux) to the Enforce Server computer.
3. Copy the solution pack file from the Solution_Packs folder to an easily accessible local directory.
The Solution_Packs folder location is based on your platform:
• Windows: DLPDownloadHome\DLP\16.0.10000\Solution_Packs\
• Linux: DLPDownloadHome/DLP/16.0.10000/Solution_Packs/
4. Import the solution pack. Use the steps that match your platform.
Import the solution pack on Windows by completing the following steps:
a) In Windows Services, stop the SymantecDLPManagerService service.
Stopping an Enforce Server on Windows
b) From the command-line prompt, change to the c:\Program Files\Symantec\DataLossPrevention
\EnforceServer\16.0.10000\protect\bin directory on the Enforce Server. This directory contains the
SolutionPackInstaller.exe application. For example:
cd C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\protect\bin
c) Import the solution pack by running SolutionPackInstaller.exe from the command line and specifying the
solution pack directory path and file name. The solution pack directory must not contain spaces.
For example, if you placed a copy of the Financial_v16.0.1.vsp solution pack in the \Program Files
\Symantec\DataLossPrevention directory of the Enforce Server, you enter:
SolutionPackInstaller.exe import c:\Program Files\Symantec\DataLossPrevention\Financial_v16.0.1.vsp
Import the solution pack on Linux by completing the following steps:
a) From the command-line prompt, change the directory to /opt/Symantec/DataLossPrevention/
EnforceServer/16.0.10000/Protect/bin. For example:
cd /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/bin
b) Stop the SymantecDLPManagerService service by entering the following command:
service SymantecDLPManagerService stop

See Stopping an Enforce Server on Linux.


c) Import the solution pack by running SolutionPackInstaller from the command line and specifying the
solution pack directory path and file name. The solution pack directory must not contain spaces.
For example, if you placed a copy of the Financial_v16.0.1.vsp solution pack in the /opt/Symantec/
DataLossPrevention directory of the Enforce Server, you enter:
./SolutionPackInstaller import /opt/Symantec/DataLossPrevention/Financial_v16.0.1.vsp

5. Check the solution pack installer messages to be sure that the installation succeeded without error.
6. Restart the SymantecDLPManagerService service.
7. After you have imported the solution pack, install or register a detection server based on the type of installation:
• On three-tier or two-tier installations, install one or more detection servers.
• On a single-tier installation, register a detection server.
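The following preflight check is an added example for the Linux import procedure above and is not part of the Symantec documentation: it rejects a solution pack whose file name does not carry the installed release's version, whose path contains a space, or which does not exist, and then prints (or, with DRY_RUN=0, runs) the stop, import and restart commands from steps 4 to 6. The release argument (for example 16.0.1), the DRY_RUN variable and the use of "service ... start" for the restart in step 6 are this example's assumptions.

```shell
#!/bin/sh
# Added example, not Symantec's code: preflight checks for importing a solution
# pack on a Linux Enforce Server, following the rules listed before step 1.

# Return 0 if $1 is a solution pack file acceptable for Enforce Server release
# $2 (for example 16.0.1); print the reason for any rejection to stderr.
check_solution_pack() {
    pack=$1
    release=$2
    case "$pack" in
        *' '*)
            # SolutionPackInstaller requires a path without spaces.
            echo "reject: path contains a space: $pack" >&2
            return 1 ;;
        *_v"$release".vsp)
            ;;   # file name matches the installed release, e.g. Financial_v16.0.1.vsp
        *.vsp)
            # A pack from another release (e.g. 16.0) fails on a 16.0.1 Enforce Server.
            echo "reject: $pack was not built for release $release" >&2
            return 1 ;;
        *)
            echo "reject: $pack is not a .vsp file" >&2
            return 1 ;;
    esac
    if [ ! -f "$pack" ]; then
        echo "reject: $pack does not exist" >&2
        return 1
    fi
    return 0
}

# Validate the pack, then print the import sequence (steps 4b, 4c and 6). With
# DRY_RUN=0 the commands are executed instead of only printed; the import runs
# only once, since a second pack on the same Enforce Server is not supported.
import_solution_pack() {   # usage: import_solution_pack /path/to/Pack_vX.vsp X
    pack=$1
    release=$2
    check_solution_pack "$pack" "$release" || return 1
    bindir=/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/bin
    printf '%s\n' \
        "cd $bindir" \
        "service SymantecDLPManagerService stop" \
        "./SolutionPackInstaller import $pack" \
        "service SymantecDLPManagerService start"
    [ "${DRY_RUN:-1}" = 1 ] && return 0
    cd "$bindir" || return 1
    service SymantecDLPManagerService stop || return 1
    ./SolutionPackInstaller import "$pack" || return 1
    service SymantecDLPManagerService start
}
```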
Related Links
Installing and registering detection servers on page 234

Installing and registering detection servers


Learn about installing detection servers.
Detection Servers
Network Discover Clusters
Preparing for a Detection Server Installation
Installing a detection server on Windows
Installing a Network Discover Cluster on Windows
Installing a detection server on Linux
Installing a Network Discover Cluster on Linux
Verifying a Detection Server or Node Installation
Registering a detection server

Detection Servers
Learn about the types of Symantec Data Loss Prevention detection servers you can register.
The Symantec Data Loss Prevention suite includes the types of detection servers that are described in the following table.
The Enforce Server manages all of these detection servers.
For information about registering cloud detectors, see Adding a cloud detector or the documentation that accompanies
your cloud detector.

Table 112: Detection Servers

Server Name               Description

Network Monitor           Network Monitor inspects the network communications for confidential data, accurately
                          detects policy violations, and precisely qualifies and quantifies the risk of data loss.
                          Data loss can include intellectual property or customer data.
Network Discover          Network Discover identifies unsecured confidential data that is exposed on open file
                          shares, web servers, Microsoft Exchange servers, and Microsoft SharePoint platforms.
                          Install a Network Discover cluster to perform high speed file system scanning with
                          Network Discover. See Network Discover Clusters.
                          The Network Protect product module adds protection functionality to the Network Discover
                          Server. Network Protect reduces your risk by removing exposed confidential data,
                          intellectual property, and classified information from open file shares on network
                          servers or desktop computers.
Network Prevent for Email Network Prevent for Email prevents data security violations by blocking the email
                          communications that contain confidential data. It can also conditionally route traffic
                          with confidential data to an encryption gateway for secure delivery and encryption-policy
                          enforcement.
                          Note: You can optionally deploy Network Prevent for Email in a hosted service provider
                          network, or in a network location that requires communication across a Wide Area Network
                          (WAN) to reach the Enforce Server. See About hosted Network Prevent deployments.
Network Prevent for Web   Network Prevent for Web prevents data security violations for data that is transmitted
                          by web communications and file-transfer protocols.
                          Note: You can optionally deploy Network Prevent for Web in a hosted service provider
                          network, or in a network location that requires communication across a Wide Area Network
                          (WAN) to reach the Enforce Server. See About hosted Network Prevent deployments.
Endpoint Prevent          Endpoint Prevent monitors the use of sensitive data on endpoint systems and detects
                          endpoint policy violations. Endpoint Prevent also identifies unsecured confidential data
                          that is exposed on endpoints.
Single Tier Monitor       The Single Tier Monitor enables the detection servers that you have licensed on the same
                          host as the Enforce Server. The single-tier server performs detection for the following
                          products (you must have a license for each): Network Monitor, Network Discover, Network
                          Prevent for Email, Network Prevent for Web, and Endpoint Prevent.

Related Links
Preparing for a Detection Server Installation on page 236

Network Discover Clusters


Perform high-speed file system scans with a Network Discover cluster. The cluster can scan at higher speeds than a
detection server by scanning the same target using multiple scanners simultaneously.
The Network Discover cluster (cluster) is a logical grouping of Network Discover detection servers that participate in a
scan. The Network Discover detection servers in a cluster can be classified as data nodes or worker nodes depending on
their function.

Data Node
The data node acts as an intermediary between the Monitor Controller and the worker nodes. The data node receives and
stores all policies, settings, and scan requests from the Monitor Controller. The data node then sends this information to
each of the worker nodes, and caches the information that is required for the cluster to function during the scan execution.
The data node also manages the scans and sends incidents, scan status, scan statistics, and worker node inventories to
the Monitor Controller.
NOTE
You must install only one data node server per cluster.

Worker Nodes
Worker nodes are Network Discover detection servers that do the scanning. A worker node does not communicate with
the Monitor Controller directly. However, the worker node does connect to the data node to receive policies, settings, and
scan requests.
Worker nodes crawl, download, and perform detection on the content roots or repositories that are specified in the target.
When a violation is detected, an incident is created. Worker nodes send all of the incidents and scan details to the data
node. The data node sends the incident details, and scan status and statistics to the Enforce Server.
For more information about cluster services, see About Symantec Data Loss Prevention services.

Related Links
Preparing for a Detection Server Installation on page 236

Preparing for a Detection Server Installation


Complete the following steps before installing a detection server:
1. Install the Enforce Server (or a single-tier Symantec Data Loss Prevention installation) and import a solution pack
before installing a detection server.
2. Complete the preinstallation steps on the detection server system.
Symantec Data Loss Prevention Preinstallation Steps
3. Verify that the system is ready for detection server installation.
Verifying that servers are ready for Symantec Data Loss Prevention installation
4. Confirm that you have access and permission to run the Symantec Data Loss Prevention installer software:
• Windows: DetectionServer.msi
• Linux: DetectionServer.zip
5. Confirm the following Windows platform-specific items:
• Installed Wireshark. Wireshark is available from http://www.wireshark.org. During the Wireshark installation process
on Windows platforms, do not install a version of Npcap lower than 0.995.
• Enabled the Client for Network File System (Client for NFS).
The Client for NFS is required for a Network Discover Server to run a scan against a target on a UNIX machine.
Refer to the following link that matches your detection server operating system:
https://docs.microsoft.com/en-us/windows-server/storage/nfs/deploy-nfs
6. Install Npcap.
For Windows, locate the npcap-1.10-oem.exe file at DLPDownloadHome\DLP\16.0.1\New_Installs
\x64\Third_Party directory, where DLPDownloadHome is the name of the directory in which you unzipped
the Symantec Data Loss Prevention software.
For Linux, run yum install libpcap to install pcap from repositories. If Npcap is not already on your system, go to
the following URL to obtain it: https://nmap.org/npcap
NOTE
The Npcap software is only required for the Network Monitor Server. However, Symantec recommends that
you install Npcap no matter which type of detection server you plan to install and configure.
7. Complete prerequisites before enabling Microsoft Rights Management (RMS) file detection.
See About Microsoft Rights Management file and email monitoring.
8. Symantec recommends that you disable any antivirus, pop-up locker, and registry-protection software before you
begin the detection server installation process.

Related Links
Installing a detection server on Windows on page 236
Installing a detection server on Linux on page 248

Installing a detection server on Windows


The following sections include steps to install a detection server on Windows:
• Install the Java Runtime Environment on a detection server on Windows
• Installing a detection server on Windows
• Preparing Your Environment for Microsoft Rights Management File Monitoring

Install the Java Runtime Environment on a detection server on Windows
You install the Java Runtime Environment (JRE) on the server computer before you install the detection server.
1. Log on (or remote logon) as Administrator to the Enforce Server system on which you intend to install Enforce.
2. Copy OpenJDK8U-jre_x64_windows_hotspot_<version>.zip from your DLPDownloadHome\DLP
\16.0.1\New_Installs\x64\Release directory to the computer where you plan to install the detection server.
For example, move the file to c:\temp.
3. Unzip the file to C:\Program Files\AdoptOpenJRE\<version>-jre.
Replace <version> with the JRE version.
See Installing a detection server on Windows.

Installing a detection server on Windows


Follow this procedure to install the detection server software on a server computer. You specify the type of detection
server during the server registration process that follows this installation process.
See Detection Servers.
The installation process automatically generates log information, which is saved to a file named MSI*.log (* is
replaced with random characters) in the %TEMP% folder. You can change the log file name and location by starting the
installation from the command line with the /L*v option. See the example below:
msiexec /i DetectionServer.msi /L*v c:\temp\detectionserver_install.log

You can complete the installation silently from the command line or from a graphical user interface.
Before you begin

Copy the DetectionServer.msi file into the c:\temp directory on the server computer.
Installing silently

Enter values with information specific to your installation for the following:

Table 113: Detection server installation parameters

Command                  Description

INSTALLATION_DIRECTORY   Specifies where the detection server is installed. The default location is
                         C:\Program Files\Symantec\DataLossPrevention.
DATA_DIRECTORY           Defines where Symantec Data Loss Prevention stores files that are updated while the Enforce
                         Server is running (for example, logs and licenses). The default location is
                         \ProgramData\Symantec\DataLossPrevention\DetectionServer\.
                         Note: If you do not use the default location, you must indicate a folder name for the data
                         directory. If you set the data directory to the drive root (for example c:\ or e:\) you
                         cannot successfully uninstall the program.
JRE_DIRECTORY            Specifies where the JRE resides. See Install the Java Runtime Environment on a detection
                         server on Windows.
FIPS_OPTION              Defines whether to disable (Disabled) or enable (Enabled) FIPS encryption.
                         The default is disabled.
SERVICE_USER_OPTION      Defines whether to create a new service user by entering NewUser or using an existing one by
                         entering ExistingUser.
                         The default is ExistingUser.
SERVICE_USER_USERNAME    Defines a name for the account that is used to manage Symantec Data Loss Prevention
                         services. The default user name is “SymantecDLP.”
SERVICE_USER_PASSWORD    Defines the password for the account that is used to manage Symantec Data Loss Prevention
                         services.
BIND_HOST                Defines the host name or IP address of the detection server.
BIND_PORT                Defines the port on which the detection server should accept connections from the Enforce
                         Server. If you cannot use the default port (8100), you can enter any port higher than port
                         1024, in the range of 1024–65535.

The following is an example of what the completed command might look like. The command you use differs based on your
implementation requirements. Using the following command as-is may cause the installation to fail.
msiexec /i DetectionServer.msi /qn /norestart
INSTALLATION_DIRECTORY="C:\Program Files\Symantec\DataLossPrevention"
DATA_DIRECTORY="C:\ProgramData\Symantec\DataLossPrevention\DetectionServer"
JRE_DIRECTORY="C:\Program Files\AdoptOpenJRE\jdk8u322-b06-jre"
FIPS_OPTION=Disabled
SERVICE_USER_OPTION=ExistingUser

Installing using a graphical user interface

1. Ensure that installation preparations are complete.


Preparing for a Detection Server Installation
2. Log on as Administrator to the computer on which you plan to install the detection server.
3. If you are installing a Network Monitor detection server, install Npcap on the server computer.
Complete the following steps to install Npcap:
a) Locate the Npcap file npcap-1.10-oem.exe at DLP_Home\Third_Party directory, where DLP_Home is the
name of the directory in which you unzipped the Symantec Data Loss Prevention software.
b) Double-click on the npcap-1.10-oem.exe and follow the on-screen installation instructions.
c) Install Npcap using WinPcap Compatible Mode.
4. Copy the detection server installer (DetectionServer.msi) from the Enforce Server to a local directory on the
detection server.
DetectionServer.msi is included in your software download (DLPDownloadHome) directory.
5. Click Start > Run > Browse to navigate to the folder where you copied the DetectionServer.msi file.
6. Double-click DetectionServer.msi to start the installation wizard.
The Welcome panel of the Installation Wizard appears.
NOTE
The installation process automatically generates log information, which is saved to a file named MSI*.log (* is
replaced with random characters) in the %TEMP% folder. You can change the log file name and location by
starting the installation from the command line with the /L*v option. See the example below:

msiexec /i DetectionServer.msi /L*v c:\temp\detectionserver_install.log

7. Click Next.
The End-User License Agreement panel displays.
8. After reviewing the license agreement, select I accept the terms in the License Agreement, and click Next.
9. In the Destination Folder panel, accept the default destination directory, or enter an alternate directory, and click
Next.
For example: c:\Program Files\Symantec\DataLossPrevention\
Symantec recommends that you use the default destination directory. However, you can click Change to navigate to a
different installation location instead.
NOTE
Directory names, IP addresses, and port numbers created or specified during the installation process must
be entered in standard 7-bit ASCII characters only. Extended (hi-ASCII) and double-byte characters are not
supported.
10. In the Data Directory panel, accept the default data directory, or enter an alternate directory, and click Next. The
default data directory is:
c:\ProgramData\Symantec\DataLossPrevention\
NOTE
If you do not use the default location, you must indicate a folder name for the data directory. If you set the
data directory to the drive root (for example c:\ or e:\) you cannot successfully uninstall the program.
11. In the JRE Directory panel, click Browse to locate the JRE, and click Next.
12. In the FIPS Cryptography Mode panel, select whether to disable or enable FIPS encryption.
About FIPS encryption
13. In the Service User panel, select one of the following options, then click Next.
• New Users: Select this option to create the Symantec Data Loss Prevention system account user name and
password and confirm the password. This account is used to manage Symantec Data Loss Prevention services.
The default user name is “SymantecDLP.” New service user accounts are local accounts.
NOTE
To use the RMS detection feature, you must enable it after installing the detection server.
Enabling Microsoft Rights Management file monitoring
The password you enter for the System Account must conform to the password policy of the server. For example,
the server may require all passwords to include special characters.
• Existing Users: Select this option to use an existing local or domain user account.
Enter a domain service user name and password if you plan to manage the detection server with a domain user. If
you want to use the RMS detection feature, ensure that the domain user that you enter has access to the RMS AD
system (and is a member of the selected AD RMS Super Users group) or the Azure RMS system.
Click Next.

14. (Optional) If you opted to create a new service user, enter the new account name and password. Confirm the
password, then click Next.
15. (Optional) If you opted to use an existing local or domain user account, enter the account name and password. The
user name for a domain user must be in DOMAIN\username format.
16. In the Detection Server Default Certificates panel, select one of the following options:
• Enable Default Certificates: Select if the detection server runs on a secure network or if it is only accessible by
trusted traffic. The default certificates ship with every Symantec Data Loss Prevention installation and are therefore
not unique to yours; they do not let the Enforce Server distinguish your detection server from any other that uses them.
• Disable Default Certificates: Select if you plan to generate unique, self-signed certificates for your organization's
installation. This is the appropriate choice for production deployments.
About the sslkeytool utility and server certificates
Click Next.
17. In the Server Bindings panel, enter the following settings:
• Host. Enter the host name or IP address of the detection server.
• Port. Accept the default port number (8100) on which the detection server should accept connections from the
Enforce Server. If you cannot use the default port, you can change it to any port higher than port 1024, in the range
of 1024–65535.
18. Click Install to begin the installation process.
The Installing panel appears, and displays a progress bar. After a successful installation, the Completed panel
appears. Click Finish.
19. Restart any antivirus, pop-up blocker, or other protection software that you disabled before starting the detection
server installation process.
20. Verify that the detection server is properly installed.
Verifying a Detection Server or Node Installation
21. Create a backup of your system after completing the installation.
Backing up your system

Preparing Your Environment for Microsoft Rights Management File Monitoring


You must complete prerequisites before enabling Microsoft Rights Management (RMS) file monitoring on Windows
servers. The following prerequisites apply to Azure RMS or Active Directory (AD) RMS.

Prepare the AD RMS Environment for RMS Monitoring

Complete the following steps to prepare your AD RMS environment for monitoring.
1. Confirm that the latest AD RMS client is installed.
2. Confirm that the AD RMS account has Read and Execute permissions to access ServerCertification.asmx.
For additional details, refer to the Microsoft Developer Network article: https://msdn.microsoft.com/en-us/library/
mt433203.aspx.
3. Confirm that the AD RMS superuser group and Service Group both have Read and Execute permissions.
4. Add each detection server to the AD RMS domain.
5. Complete the following to change the previous Symantec Data Loss Prevention version service user to a domain user
that has access to the AD RMS superuser group.
• Shut down all services on the detection server before updating the service user.
• Run the ChangeServiceUser.exe utility to change the service user. The utility is located at:
C:\Program Files\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\Protect\bin\ChangeServiceUser.exe
USAGE: ChangeServiceUser.exe [installation directory] [new service user username] [new service user password]

Parameters:
[new service user password] is optional. Omitting it keeps the password out of the command history and out of the
process command line.

For example (paths that contain spaces must be quoted):
"C:\Program Files\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\Protect\bin\ChangeServiceUser.exe" "C:\Program Files\Symantec\DataLossPrevention" [AD RMS domain name]\[super user username] [super user password]
After running the utility, the command prompt displays the change status, including the service user change status.
6. Start all services after updating the service user.
Prepare the Azure RMS Environment for RMS Monitoring

Complete the following steps to prepare your Azure RMS environment for RMS monitoring:
1. Confirm that the latest Azure RMS client is installed.
2. Create a local or domain user on each detection server that can access the Azure RMS.

After you install or upgrade the detection server, you enable the Microsoft Rights Management plug-in to complete the
process to monitor Microsoft Rights Management files.
See Enabling Microsoft Rights Management File Monitoring.
Enabling Microsoft Rights Management file monitoring

Symantec Data Loss Prevention can detect files that are encrypted using Microsoft Rights Management (RMS)
administered by Azure or Active Directory (AD).
Before you enable Microsoft Rights Management file monitoring, confirm that prerequisites for the RMS environment and
the detection server have been completed.

Enabling RMS detection for Azure-managed RMS
For Azure RMS, complete the following on each detection server to enable RMS file monitoring:
1. Locate the Enable-Plugin.ps1 script on the detection server at the following path:
C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction
2. Run the script by executing the following command:
powershell.exe -ExecutionPolicy RemoteSigned -File "C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction\Enable-Plugin.ps1"
3. Run the configuration utility ConfigurationCreator.exe to add the system user. Run the utility as the protect
user.
NOTE
Enter all credentials accurately to ensure that the feature is enabled.

C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction\MicrosoftRightsManagementPlugin\ConfigurationCreator.exe
Do you want to configure ADAL authentication [y/n]: n
Do you want to configure symmetric key authentication [y/n]: y
Enter your symmetric key (base-64): [user's Azure RMS symmetric key]
Enter your app principal ID: [user's Azure RMS app principal ID]
Enter your BPOS tenant ID: [user's Azure RMS BPOS tenant ID]
After running this utility, the following files are created in the MicrosoftRightsManagementPlugin directory under
\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction:
• rightsManagementConfiguration
• rightsManagementConfigurationProtection
These files are derived from the Azure RMS credentials you entered; keep the directory's permissions restricted to the
service user and administrators.
4. Restart each detection server to complete the process.
NOTE
You can confirm that Symantec Data Loss Prevention is monitoring RMS content by reviewing
the ContentExtractionHost_FileReader.log file (located at \ProgramData\Symantec
\DataLossPrevention\DetectionServer\16.0.10000\logs\debug). Error messages that display
for the MicrosoftRightsManagementPlugin.cpp item indicate that the plugin is not monitoring RMS
content.
Enabling RMS detection for AD-managed RMS
For AD RMS, complete the following on each detection server to enable RMS file monitoring:
1. Run the Enable-Plugin.ps1 script, which is located at \Program Files\Symantec\DataLossPrevention\Protect\bin on the
Enforce Server, using the following command:
powershell.exe -ExecutionPolicy RemoteSigned -File "C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction\MicrosoftRightsManagementPlugin\Enable-Plugin.ps1"

2. Restart each detection server to complete the process.
NOTE
You can confirm that Symantec Data Loss Prevention is monitoring RMS content by reviewing
the ContentExtractionHost_FileReader.log file (located at \ProgramData\Symantec
\DataLossPrevention\DetectionServer\16.0.10000\logs\debug). Error messages that display
for the MicrosoftRightsManagementPlugin.cpp item indicate that the plugin is not monitoring RMS
content.

Installing a Network Discover Cluster on Windows


Follow this procedure to install the Network Discover Cluster software on a Windows server computer.

Before you Begin


Complete the following prerequisites before starting the Network Discover Cluster installation:
• Copy the DetectionServer.msi file into the c:\temp directory on the server computer.
• Install the JRE where you plan to install the nodes. See Install the Java Runtime Environment on a detection server on
Windows.

Steps to Install a Network Discover Cluster on Windows


The following section lists steps that you complete to install clusters on Windows platforms.
Step 1: Secure the Communications Between Nodes

Create an authentication package using the DiscoverClusterKeyTool before installing worker and data nodes. The
authentication package enables encrypted communication between nodes.
1. Locate the DiscoverClusterKeyTool at C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\bin\DiscoverClusterKeyTool.exe.
2. Prepare to run the authentication package.
Enter values that are specific to your installation. See the following table for a list of parameters and descriptions.

Parameter                 Description
generate-package-type     The type of node for which the authentication package is generated (written as
                          -generate-package -type=<value> on the command line, as in the example that follows):
                          • WN for worker nodes.
                          • DN for a data node.
                          • All for both worker and data nodes.
enforce-url               (Optional) The Enforce Server host name or IP. If you do not enter a value, the tool assigns
                          the URL https://<localhost>/.
enforce-username          An Enforce Server username with administrator rights.
enforce-password          The password for the user specified in enforce-username.
keystore-password         (Optional) A password for the keystore. If you do not specify a password, the tool assigns a
                          randomly generated password.
truststore-password       (Optional) A password for the truststore. If you do not specify a password, the tool assigns
                          a randomly generated truststore password.
disable-ssl-verification  (Optional) Whether to disable SSL verification while connecting to the Enforce Server. This
                          parameter controls client-side SSL validation between the cluster and the Enforce Server
                          during the process to generate the authentication package. Values:
                          • true disables SSL verification at the client side.
                          • false (default) keeps SSL verification enabled at the client side.
output-dir                (Optional) The directory where the tool creates the authentication package ZIP. By default,
                          the tool creates the package in the current directory.

The following example command includes all options. It is shown on several lines for readability; enter it as a single
command line. Note that it sets disable-ssl-verification=true, which skips validation of the Enforce Server certificate
during package generation; keep the default (false) unless the Enforce Server certificate cannot be validated from this
host and the connection runs over a trusted network.

DiscoverClusterKeyTool
-generate-package
-type=All
-enforce-url=https://<localhost>/
-enforce-username=SymantecDLP
-enforce-password=<password>
-keystore-password=<password>
-truststore-password=<password>
-disable-ssl-verification=true
-output-dir="C:\Program Files\Symantec\DataLossPreventionDetectionServer\16.0.10000\Protect\keystore\discovercluster"

3. Run the command.


The tool creates files based on the package type you defined with generate-package-type. The following table lists
outputs based on the package type.
Package type File generated
WN dlp_discover_cluster_workernode_auth.zip
Use during the worker node installation.
DN dlp_discover_cluster_datanode_auth.zip
Use during the data node installation.
All dlp_discover_cluster_auth.zip
The file contains
dlp_discover_cluster_workernode_auth.zip
and dlp_discover_cluster_datanode_auth.zip in
it.
Extract the individual ZIP files for access during worker node
and data node installation.

Step 2: Install the JRE

See Install the Java Runtime Environment on a detection server on Windows.


Step 3: Install the Nodes

Complete the following procedure to install the node software on a server computer. You specify the node type during the
installation process.
Install a data node before installing worker nodes. Installing the data node first defines where worker nodes communicate
once they are installed.
See Detection Servers for details on nodes.
The installation process automatically generates log information that is saved to a file MSI*.log (* is replaced with
random characters) in the %TEMP% folder. You can change the log file name and location by starting the installation from the
command line with the /L*v option. See the example below:
msiexec /i DetectionServer.msi /L*v c:\temp\detectionserver_install.log

You can complete the installation silently from the command line or from a graphical user interface.
Install Nodes Silently
Enter values with information specific to your installation for the following parameters:

Table 114: Node installation parameters

Parameter                                      Description

INSTALLATION_DIRECTORY                         Specifies where the node is installed. The default location is
                                               C:\Program Files\Symantec\DataLossPrevention.
DATA_DIRECTORY                                 Defines where Symantec Data Loss Prevention stores files that are updated
                                               while the node is running (for example, logs and licenses). The default
                                               location is \ProgramData\Symantec\DataLossPrevention\DetectionServer\.
                                               Note: If you do not use the default location, you must indicate a folder
                                               name for the data directory. If you set the data directory to the drive
                                               root (for example, c:\ or e:\) you cannot successfully uninstall the program.
JRE_DIRECTORY                                  Specifies where the JRE resides.
                                               See Install the Java Runtime Environment on a detection server on Windows.
FIPS_OPTION                                    Defines whether to disable (Disabled) or enable (Enabled) FIPS encryption.
                                               The default is Disabled.
SERVICE_USER_OPTION                            Defines whether to create a new service user (NewUser) or use an existing
                                               one (ExistingUser). The default is ExistingUser.
SERVICE_USER_USERNAME                          Defines a name for the account that is used to manage Symantec Data Loss
                                               Prevention services. The default user name is "SymantecDLP."
SERVICE_USER_PASSWORD                          Defines the password for the account that is used to manage Symantec Data
                                               Loss Prevention services.
BIND_HOST                                      Defines the host name or IP address of the data node. If you are installing
                                               the data node, enter the IP of the server where you plan to install the
                                               data node.
BIND_PORT                                      Defines the port on which the data node should accept connections from the
                                               Enforce Server. If you cannot use the default port (8100), you can enter
                                               any port in the range 1024–65535.
DISCOVER_CLUSTER_ROLE_OPTION                   Defines the type of server that you are installing:
                                               • DN for data node
                                               • WN for worker node
DISCOVER_CLUSTER_IP                            Defines the data node IP address. If you are installing the data node,
                                               enter the internal IP address of the server where you plan to install the
                                               data node.
DISCOVER_CLUSTER_DISCOVERY_PORT_RANGE          Used with the cluster IP to discover data nodes in a cluster. This
                                               parameter is required for the data node installation. The default value
                                               is 47500..47520.
DISCOVER_CLUSTER_CLIENT_CONNECTION_PORT_RANGE  Defines the range of ports used for communication between worker and data
                                               nodes in a cluster. This parameter is required for the data node and
                                               worker node installation. The default value is 10800..10820.
DISCOVER_CLUSTER_AUTH_PACKAGE                  Defines the authentication package location. Target the file based on the
                                               node type that you are installing:
                                               • Worker node: dlp_discover_cluster_workernode_auth.zip
                                               • Data node: dlp_discover_cluster_datanode_auth.zip

The following examples list completed commands for worker nodes and data nodes. The commands that you use differ
based on your implementation requirements. Using the following commands as-is may cause the installation to fail.
SERVICE_USER_PASSWORD is passed on the command line; clear it from shell history and from any script file after the
installation completes.
• Data node example command:
msiexec /i "DetectionServer.msi" /qn /norestart /log "package_det_install.log"
JRE_DIRECTORY="C:\Program Files\AdoptOpenJDK\jre-8.0.262.10-hotspot"
FIPS_OPTION="Disabled"
SERVICE_USER_USERNAME="SymantecDLP"
SERVICE_USER_PASSWORD=<password>
DISCOVER_CLUSTER_ROLE_OPTION=DN
DISCOVER_CLUSTER_IP=0.0.0.0
INSTALLATION_DIRECTORY="C:\Program Files\Symantec\DataLossPrevention"
DISCOVER_CLUSTER_AUTH_PACKAGE="C:\temp\dlp_discover_cluster_datanode_auth.zip"
DISCOVER_CLUSTER_CLIENT_CONNECTION_PORT_RANGE=<StartPort>..<EndPort>
DISCOVER_CLUSTER_DISCOVERY_PORT_RANGE=<StartPort>..<EndPort>
• Worker node example command:
msiexec /i "DetectionServer.msi" /qn /norestart /log "package_det_install.log"
JRE_DIRECTORY="C:\Program Files\AdoptOpenJDK\jre-8.0.262.10-hotspot"
FIPS_OPTION="Disabled"
SERVICE_USER_USERNAME="SymantecDLP"
SERVICE_USER_PASSWORD=<password>
DISCOVER_CLUSTER_ROLE_OPTION=WN
DISCOVER_CLUSTER_IP=0.0.0.0
INSTALLATION_DIRECTORY="C:\Program Files\Symantec\DataLossPrevention"
DISCOVER_CLUSTER_AUTH_PACKAGE="C:\temp\dlp_discover_cluster_workernode_auth.zip"
DISCOVER_CLUSTER_CLIENT_CONNECTION_PORT_RANGE=<StartPort>..<EndPort>
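As an added example (not part of the Symantec documentation or of the installer), the following Python script applies the constraints stated in this section and in the detection server procedure above to a set of silent-install parameters before msiexec is run, and renders the command line with the service-user password redacted so it can be logged safely. The parameter names are those of DetectionServer.msi as documented here; the function names, the sample values and the check logic are this example's own assumptions, and it does not run msiexec itself.

```python
"""Pre-flight validation of DetectionServer.msi silent-install parameters.

Added example; not part of the Symantec Data Loss Prevention documentation or
installer. It checks the constraints the procedure states (7-bit ASCII only,
bind port in 1024-65535, data directory not a drive root, DOMAIN\\username for
domain service users, port ranges written as start..end, auth package matching
the node role) and renders the msiexec command line with the password redacted.
All sample parameter values are constructed for illustration.
"""
import ipaddress
import re

PORT_RANGE_RE = re.compile(r"^(\d{1,5})\.\.(\d{1,5})$")   # e.g. 47500..47520
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")             # C:  or  C:\
DOMAIN_USER_RE = re.compile(r"^[^\\\s]+\\[^\\\s]+$")      # DOMAIN\username

AUTH_PACKAGE_FOR_ROLE = {
    "DN": "dlp_discover_cluster_datanode_auth.zip",
    "WN": "dlp_discover_cluster_workernode_auth.zip",
}


def _port_ok(value):
    return value.isdigit() and 1024 <= int(value) <= 65535


def _port_range_error(name, value):
    m = PORT_RANGE_RE.match(value)
    if not m:
        return f"{name}: expected start..end, got {value!r}"
    start, end = int(m.group(1)), int(m.group(2))
    if not (1024 <= start <= end <= 65535):
        return f"{name}: {value} is not an ascending range within 1024-65535"
    return None


def validate(params):
    """Return a list of problems; an empty list means the parameters pass."""
    errors = []
    # Directory names, IP addresses and ports must be 7-bit ASCII.
    for key in ("INSTALLATION_DIRECTORY", "DATA_DIRECTORY", "JRE_DIRECTORY", "BIND_HOST"):
        if key in params and not params[key].isascii():
            errors.append(f"{key}: non-ASCII characters are not supported")
    if DRIVE_ROOT_RE.match(params.get("DATA_DIRECTORY", "")):
        errors.append("DATA_DIRECTORY: a drive root cannot be used (uninstall would fail)")
    if "BIND_PORT" in params and not _port_ok(params["BIND_PORT"]):
        errors.append("BIND_PORT: must be a port in the range 1024-65535")
    if params.get("FIPS_OPTION", "Disabled") not in ("Enabled", "Disabled"):
        errors.append("FIPS_OPTION: must be Enabled or Disabled")
    if params.get("SERVICE_USER_OPTION", "ExistingUser") not in ("NewUser", "ExistingUser"):
        errors.append("SERVICE_USER_OPTION: must be NewUser or ExistingUser")
    user = params.get("SERVICE_USER_USERNAME", "")
    if "\\" in user and not DOMAIN_USER_RE.match(user):
        errors.append("SERVICE_USER_USERNAME: domain users must be written as DOMAIN\\username")

    role = params.get("DISCOVER_CLUSTER_ROLE_OPTION")
    if role is None:
        return errors  # plain detection server: no cluster settings to check
    if role not in AUTH_PACKAGE_FOR_ROLE:
        errors.append("DISCOVER_CLUSTER_ROLE_OPTION: must be DN or WN")
        return errors
    # Client connection range is required for both roles, discovery range for DN.
    required = ["DISCOVER_CLUSTER_CLIENT_CONNECTION_PORT_RANGE"]
    if role == "DN":
        required.append("DISCOVER_CLUSTER_DISCOVERY_PORT_RANGE")
    for key in required:
        if key not in params:
            errors.append(f"{key}: required for role {role}")
    for key in ("DISCOVER_CLUSTER_CLIENT_CONNECTION_PORT_RANGE",
                "DISCOVER_CLUSTER_DISCOVERY_PORT_RANGE"):
        if key in params:
            err = _port_range_error(key, params[key])
            if err:
                errors.append(err)
    package = params.get("DISCOVER_CLUSTER_AUTH_PACKAGE", "")
    if not package.lower().endswith(AUTH_PACKAGE_FOR_ROLE[role]):
        errors.append(f"DISCOVER_CLUSTER_AUTH_PACKAGE: role {role} needs {AUTH_PACKAGE_FOR_ROLE[role]}")
    try:
        ipaddress.ip_address(params.get("DISCOVER_CLUSTER_IP", ""))
    except ValueError:
        errors.append("DISCOVER_CLUSTER_IP: not a valid IP address")
    return errors


def build_msiexec(params, log_path, redact=True):
    """Render the msiexec command line; redact=True masks the password for logging."""
    parts = ["msiexec", "/i", '"DetectionServer.msi"', "/qn", "/norestart", "/L*v", f'"{log_path}"']
    for key, value in params.items():
        if redact and key == "SERVICE_USER_PASSWORD":
            value = "***"
        parts.append(f'{key}="{value}"')
    return " ".join(parts)


def sample_data_node_params():
    """Constructed example values for a data node; not a recommendation."""
    return {
        "INSTALLATION_DIRECTORY": r"C:\Program Files\Symantec\DataLossPrevention",
        "DATA_DIRECTORY": r"C:\ProgramData\Symantec\DataLossPrevention\DetectionServer",
        "JRE_DIRECTORY": r"C:\Program Files\AdoptOpenJRE\jdk8u322-b06-jre",
        "FIPS_OPTION": "Disabled",
        "SERVICE_USER_OPTION": "NewUser",
        "SERVICE_USER_USERNAME": "SymantecDLP",
        "SERVICE_USER_PASSWORD": "example-only-Secret1!",
        "BIND_HOST": "10.0.0.5",
        "BIND_PORT": "8100",
        "DISCOVER_CLUSTER_ROLE_OPTION": "DN",
        "DISCOVER_CLUSTER_IP": "10.0.0.5",
        "DISCOVER_CLUSTER_DISCOVERY_PORT_RANGE": "47500..47520",
        "DISCOVER_CLUSTER_CLIENT_CONNECTION_PORT_RANGE": "10800..10820",
        "DISCOVER_CLUSTER_AUTH_PACKAGE": r"C:\temp\dlp_discover_cluster_datanode_auth.zip",
    }


if __name__ == "__main__":
    p = sample_data_node_params()
    problems = validate(p)
    print("\n".join(problems) or build_msiexec(p, r"C:\temp\detectionserver_install.log"))
```

Run it before the real install: an empty problem list means the values satisfy the documented constraints, and the rendered command line (with the password masked) is what to keep in the change record. The unredacted form is only for the actual invocation.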

Install Nodes Using a Graphical User Interface
1. Ensure that installation preparations are complete.
Preparing for a Detection Server Installation
2. Log on as Administrator to the computer on which you plan to install the node.
3. Copy the detection server installer (DetectionServer.msi) from the Enforce Server to a local directory on the
node.
DetectionServer.msi is included in your software download (DLPDownloadHome) directory.
4. Click Start > Run > Browse to navigate to the folder where you copied the DetectionServer.msi file.
5. Double-click DetectionServer.msi to start the installation wizard.
The Welcome panel of the Installation Wizard appears.
NOTE
The installation process automatically generates log information that is saved to a file MSI*.log (where * is
replaced with random characters) in the %TEMP% folder. You can change the log file name and location by starting the
installation from the command line with the /L*v option. See the example below:
msiexec /i DetectionServer.msi /L*v c:\temp\detectionserver_install.log

6. Click Next.
The End-User License Agreement panel displays.
7. After reviewing the license agreement, select I accept the terms in the License Agreement, and click Next.
8. In the Destination Folder panel, accept the default destination directory, or enter an alternate directory, and click
Next.
For example: c:\Program Files\Symantec\DataLossPrevention\
Symantec recommends that you use the default destination directory. However, you can click Change to navigate to a
different installation location instead.
NOTE
Directory names, IP addresses, and port numbers that are created or specified during the installation
process must be entered in standard 7-bit ASCII characters only. Extended (hi-ASCII) and double-byte
characters are not supported.
9. In the Data Directory panel, accept the default data directory, or enter an alternate directory, and click Next. The
default data directory is:
c:\ProgramData\Symantec\DataLossPrevention\
NOTE
If you do not use the default location, you must indicate a folder name for the data directory. If you set the
data directory to the drive root (for example, c:\ or e:\) you cannot successfully uninstall the program.
10. In the JRE Directory panel, click Browse to locate the JRE, and click Next.
11. In the FIPS Cryptography Mode panel, select whether to disable or enable FIPS encryption.
About FIPS encryption
12. In the Service User panel, create the system account user name and password and confirm the password.
This account is used to manage Symantec Data Loss Prevention services. The default user name is “SymantecDLP.”
New service user accounts are local accounts.

The password that you enter for the System Account must conform to the password policy of the server. For example,
the server may require all passwords to include special characters.
Click Next.
13. In the Server Bindings panel, enter the following settings:
• Host: Enter the host name or IP address of the data node.
• Port: Accept the default port number (8100) on which the data node should accept connections from the Enforce
Server. If you cannot use the default port, you can change it to any port higher than port 1024, in the range of
1024–65535.
Click Next.
14. In the Server Role panel, select the node type that you plan to install.
Install a data node before installing worker nodes. Installing the data node first defines where worker nodes
communicate once they are installed.
15. In the Network Discover Cluster Settings panel, enter the following settings:
• Cluster Discovery Port Range:
Enter the starting and ending ports to use for discovering data nodes in a cluster. This parameter is required for the
data node installation. The default values of the start port and end port are 47500 and 47520, respectively.
• Client Connection Port Range:
Enter the starting and ending ports used for communication between the worker and data nodes in a cluster. This
parameter is required for the data node and worker node installation. The default values of the start port and end
port are 10800 and 10820 respectively.
Click Next.
16. In the Network Discover Cluster Authentication Package panel, select the authentication package for the node type
you are installing:
• Worker node: dlp_discover_cluster_workernode_auth.zip
• Data node: dlp_discover_cluster_datanode_auth.zip
Click Next.
17. Click Install to begin the installation process.
The Installing panel appears, and displays a progress bar. After a successful installation, the Completed panel
appears. Click Finish.
18. Restart any antivirus, pop-up blocker, or other protection software that you disabled before starting the node
installation process.
19. Verify that the node is properly installed.
Verifying a Detection Server or Node Installation
20. Create a backup of your system after completing the installation.
Backing up your system

Installing a detection server on Linux


The following sections include steps to install a detection server on Linux:
• Installing the Java Runtime Environment on a Detection Server on Linux
• Installing a detection server on Linux
• Configuring a Detection Server

Installing the Java Runtime Environment on a Detection Server on Linux
You install the Java Runtime Environment (JRE) on the server computer before you install the detection server.
1. Log on as root to the computer on which you intend to install the detection server.
2. Copy OpenJDK8U-jre_x64_linux_hotspot_8u322-b06.tar.gz from your DLPDownloadHome/DLP/16.0.1/
New_Installs/Release directory to the computer where you plan to install the detection server.
3. Extract the archive contents (for example, to /opt/AdoptOpenJRE).
Installing a detection server on Linux


Complete the preinstallation steps. See Preparing for a Detection Server Installation.

Follow this procedure to install the detection server software on a server computer. You specify the type of detection
server during the server registration process that follows this installation process.
NOTE
The following instructions assume that the DetectionServer.zip file has been copied into the /opt/temp/
directory on the server computer.
1. Log on as root to the computer on which you intend to install the detection server.
2. Copy the detection server installer (DetectionServer.zip) from the Enforce Server to a local directory on the
detection server. The DetectionServer.zip file is included in your software download (DLPDownloadHome)
directory. It should have been copied to a local directory on the Enforce Server during the Enforce Server installation
process.
3. Navigate to the directory where you copied the DetectionServer.zip file (/opt/temp/).
4. Unzip the file contents (for example, unzip to /opt/temp).
5. Confirm file dependencies for the RPM files by running the following command in the directory where you unzipped
the installer:
rpm -qpR *.rpm

You can also check a single file by running the following command:
rpm -qpR <rpm-file>

where <rpm-file> is the file you want to check.

If the command lists dependencies that are not installed, install them from your YUM repositories with the following
command:
yum install <package>

Replace <package> with the name of the missing dependency package.


6. Install the detection server by running the following command:
./install.sh -t detection

Parameters for install.sh


NOTE
If you use YUM to install, you cannot override the default relocatable roots where Symantec Data Loss
Prevention is installed.

7. Start the Symantec Data Loss Prevention configuration process.
Configuring a Detection Server

Configuring a Detection Server


After you install a detection server, you configure it by running the Detection Server Configuration Utility.
You can run the utility silently or interactively from the command line. The following table lists the parameters
you use during configuration.

Table 115: Detection Server Installation Parameters

Command Description

jreDirectory Specifies where the JRE resides.


See Installing the Java Runtime Environment on a Detection
Server on Linux.
fipsOption Defines whether to disable (Disabled) or enable (Enabled)
FIPS encryption.
serviceUserOption Defines the service user by entering NewUser or
ExistingUser.
serviceUserUsername Defines a name for the account that is used to manage Symantec
Data Loss Prevention services. The default user name is
“SymantecDLP.”
detectionCommunicationDefaultCertificates Defines whether you use default certificates (Enabled) or
certificates you create (Disabled).
About the sslkeytool utility and server certificates
bindHost Defines the detection server network interface to use to
communicate with the Enforce Server. If there is only one
network interface, leave this field blank.
bindPort Defines the port number on which the detection server should
accept connections from the Enforce Server. The default port
number is 8100.
If you cannot use the default port, you can change it to any port
higher than port 1024, in the range of 1024–65535.

The following is an example of what the completed command might look like:
./DetectionServerConfigurationUtility -silent
-jreDirectory=/opt/AdoptOpenJRE/jdk8u322-b06-jre
-serviceUserOption=NewUser
-serviceUserUsername=SymantecDLP
-bindHost=[IP or host name]
-bindPort=8100
-fipsOption=Disabled
-detectionCommunicationDefaultCertificates=Enabled

NOTE
The command you use differs based on your implementation requirements. Using the preceding command as-is
may cause the configuration to fail.
1. Navigate to the installation directory. Go to the default directory at /opt/Symantec/DataLossPrevention/
DetectionServer/16.0.10000/Protect/install or to the path you used if you selected a non-default
installation.
2. Run the Detection Server Configuration Utility. Use the following command to launch the utility:
./DetectionServerConfigurationUtility

3. Enter the following information in the Detection Server Configuration Utility:

License agreement Review and accept the License Agreement by entering 1.


JRE directory Enter the JRE directory.
The recommended directory is /opt/AdoptOpenJRE/[JRE version].
FIPS encryption Select whether to disable or enable FIPS encryption.
About FIPS encryption
Service user Use 1 to add a new user or enter 2 to use an existing user.
The default new user name is "SymantecDLP." If you create a new service user, enter the user name
when prompted.
Note: If you create a new service user, the user must be a member of a group and the service user and
the group names must match. If these conditions are not present, upgrades fail.

Network port Accept the default port number (8100) on which the detection server should accept connections from the
Enforce Server. If you cannot use the default port, you can change it to any port higher than port 1024, in
the range of 1024–65535.
Network interface Enter the detection server network interface (bind address) to use to communicate with the Enforce
Server. If there is only one network interface, leave this field blank.

4. Verify that the detection server is properly installed.


Verifying a Detection Server or Node Installation
5. Create a backup of your system after completing the installation.
Backing up your system

Installing a Network Discover Cluster on Linux


Follow this procedure to install the Network Discover cluster software on a server computer.
You specify the type of cluster during the server registration process that follows this installation process.

Before you Begin


Complete the following prerequisites before starting the Network Discover cluster installation:
• Complete server preparation steps. See Preparing for a Detection Server Installation.
• Copy the DetectionServer.zip file into the /opt/temp/ directory on the server computer.

Steps to Install a Network Discover Cluster on Linux


The following section lists steps that you complete to install clusters on Linux platforms.

Step 1: Secure the Communications between Nodes

Create an authentication package using the DiscoverClusterKeyTool before installing worker and data nodes. The
authentication package enables encrypted communication between nodes and the Enforce Server.
1. Locate the DiscoverClusterKeyTool at /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/bin/DiscoverClusterKeyTool.
2. Prepare to run the authentication package.
Enter values that include information specific to your installation. See the following table for a list of parameters and
descriptions.

Table 116: DiscoverClusterKeyTool parameters

Parameter                 Description

generate-package-type     The type of node for which the authentication package is generated (written as
                          -generate-package -type=<value> on the command line, as in the example that follows):
                          • WN for worker nodes.
                          • DN for a data node.
                          • All for both worker and data nodes.
enforce-url               (Optional) The Enforce Server host name or IP. If you do not enter a value, the tool assigns
                          the URL https://<localhost>/.
enforce-username          An Enforce Server username with administrator rights.
enforce-password          The password for the user specified in enforce-username.
keystore-password         (Optional) A password for the keystore. If you do not specify a password, the tool assigns a
                          randomly generated password.
truststore-password       (Optional) A password for the truststore. If you do not specify a password, the tool assigns
                          a randomly generated truststore password.
disable-ssl-verification  (Optional) Whether to disable SSL verification while connecting to the Enforce Server. Values:
                          • true disables SSL verification at the client side.
                          • false (default) keeps SSL verification enabled at the client side.
output-dir                (Optional) The directory where the tool creates the authentication package ZIP. By default,
                          the tool creates the package in the current directory.

The following command is an example that includes all options:

DiscoverClusterKeyTool
-generate-package
-type=All
-enforce-url=https://<localhost>/
-enforce-username=SymantecDLP
-enforce-password=<password>
-keystore-password=<password>
-truststore-password=<password>
-disable-ssl-verification=true
-output-dir=/opt/Symantec/DataLossPrevention/DataLossPreventionDetectionServer/16.0.10000/Protect/keystore/discovercluster

3. Run the command.


The tool creates files based on the package type that you defined with generate-package-type. The following table lists the outputs for each package type.

Table 117: Authentication Package Outputs

WN
    File generated: dlp_discover_cluster_workernode_auth.zip
    Use during the worker node installation.
DN
    File generated: dlp_discover_cluster_datanode_auth.zip
    Use during the data node installation.
All
    File generated: dlp_discover_cluster_auth.zip
    The file contains dlp_discover_cluster_workernode_auth.zip and dlp_discover_cluster_datanode_auth.zip. Extract the individual ZIP files for access during worker node and data node installation.
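The handling of the three package types in Table 117 can be scripted so that the node-specific ZIP files are available before the node installation starts. The following Python script is an added example and is not part of the Symantec documentation or of DiscoverClusterKeyTool; the file names come from Table 117, while the internal layout of the inner ZIP files is unknown here, so the constructed sample package only carries a placeholder member in each inner archive.

```python
"""Sort out the authentication package produced by DiscoverClusterKeyTool.

Added example; not part of the Symantec documentation or the tool. It follows
Table 117: a WN or DN package is a single zip that is used directly, while the
All package (dlp_discover_cluster_auth.zip) is an outer zip holding both
node-specific zips, which must be extracted before the nodes are installed.
"""
import os
import tempfile
import zipfile

WORKER_PKG = "dlp_discover_cluster_workernode_auth.zip"
DATA_PKG = "dlp_discover_cluster_datanode_auth.zip"
ALL_PKG = "dlp_discover_cluster_auth.zip"
PACKAGE_TYPES = {WORKER_PKG: "WN", DATA_PKG: "DN", ALL_PKG: "All"}


def package_type(path):
    """Return WN, DN or All from the package file name, or None if unrecognised."""
    return PACKAGE_TYPES.get(os.path.basename(path))


def unpack_auth_package(package_path, dest_dir):
    """Return {role: path} for the node-specific packages usable after unpacking.

    Only the two expected member names are extracted from an All package, so
    any unexpected members in the outer archive are ignored rather than written
    to dest_dir.
    """
    kind = package_type(package_path)
    if kind is None:
        raise ValueError(f"{os.path.basename(package_path)} is not a known package name")
    if kind != "All":
        # WN and DN packages are used as-is during the node installation
        return {kind: os.path.abspath(package_path)}
    os.makedirs(dest_dir, exist_ok=True)
    found = {}
    with zipfile.ZipFile(package_path) as outer:
        members = set(outer.namelist())
        for member, role in ((WORKER_PKG, "WN"), (DATA_PKG, "DN")):
            if member not in members:
                raise ValueError(f"{ALL_PKG} does not contain {member}")
            found[role] = outer.extract(member, dest_dir)
            if not zipfile.is_zipfile(found[role]):
                raise ValueError(f"{member} inside {ALL_PKG} is not a zip archive")
    return found


def build_sample_all_package(dest_dir):
    """Constructed sample: write a fake All package with placeholder inner zips.

    The real inner layout is not documented on this page; the placeholder
    README.txt member only makes each inner file a valid zip archive.
    """
    os.makedirs(dest_dir, exist_ok=True)
    outer_path = os.path.join(dest_dir, ALL_PKG)
    with zipfile.ZipFile(outer_path, "w") as outer:
        for inner_name in (WORKER_PKG, DATA_PKG):
            inner_path = os.path.join(dest_dir, "tmp_" + inner_name)
            with zipfile.ZipFile(inner_path, "w") as inner:
                inner.writestr("README.txt", f"placeholder content for {inner_name}\n")
            outer.write(inner_path, arcname=inner_name)
            os.remove(inner_path)
    return outer_path


def demo_unpack():
    """Build the constructed sample in a temp directory and unpack it."""
    work = tempfile.mkdtemp(prefix="dlp_auth_")
    sample = build_sample_all_package(os.path.join(work, "generated"))
    return unpack_auth_package(sample, os.path.join(work, "extracted"))


if __name__ == "__main__":
    for role, path in demo_unpack().items():
        print(f"{role}: {path}")
```

Point unpack_auth_package at the real dlp_discover_cluster_auth.zip and at the directory where the node installer should find the node-specific files; the returned paths are the values to pass as discoverClusterAuthPackage in Step 4.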

Step 2: Install the JRE

See Installing the Java Runtime Environment on a Detection Server on Linux.


Step 3: Install Nodes

Complete the following procedure to install the node software on a server computer. You specify the node type during the
configuration process.
Install a data node before installing worker nodes. Installing the data node first defines where worker nodes communicate
once they are installed.
1. Complete the preinstallation steps.
See Preparing for a Detection Server Installation.
2. Log on as root to the computer on which you intend to install the detection server software.
3. Copy the detection server installer (DetectionServer.zip) from the Enforce Server to a local directory on the
detection server. The DetectionServer.zip file is included in your software download (DLPDownloadHome)
directory. It should have been copied to a local directory on the Enforce Server during the Enforce Server installation
process.
4. Navigate to the directory where you copied the DetectionServer.zip file (/opt/temp/).
5. Unzip the file contents (for example, unzip to /opt/temp).
6. Confirm file dependencies for RPM files by running the following command:
rpm -qpR *.rpm

You can also specify a file to confirm by running the following command:
rpm -qpR <rpm-file>

where <rpm-file> is the file that you want to confirm.

If the command indicates that dependencies are missing, you can use YUM repositories to install them. Use the
following command:
yum install repo

Replace repo with the repository package name.


7. Install the detection server by running the following command:
./install.sh -t detection

Parameters for install.sh


NOTE
If you use YUM to install, you cannot override the default relocatable roots where Symantec Data Loss
Prevention is installed.
8. Start the node configuration process.
Step 4: Configure the Node Software

After you install a detection server, you configure it by running the Detection Server Configuration Utility.
You can complete the installation silently or interactively from the command line. The following table lists the installation
parameters that you use during the installation.

Table 118: Network Discover cluster installation parameters

jreDirectory
    Specifies where the JRE resides. See Installing the Java Runtime Environment on a Detection Server on Linux.
fipsOption
    Defines whether to disable (Disabled) or enable (Enabled) FIPS encryption.
serviceUserOption
    Defines the service user by entering NewUser or ExistingUser.
serviceUserUsername
    Defines a name for the account that is used to manage Symantec Data Loss Prevention services. The default user name is “SymantecDLP.”
detectionCommunicationDefaultCertificates
    Defines whether you use default certificates (Enabled) or certificates you create (Disabled). See About the sslkeytool utility and server certificates.
bindHost
    Defines the detection server network interface to use to communicate with the Enforce Server. If there is only one network interface, leave this field blank.
bindPort
    Defines the port number on which the detection server should accept connections from the Enforce Server. The default port number is 8100. If you cannot use the default port, you can change it to any port higher than port 1024, in the range of 1024–65535.
discoverClusterRoleOption
    Defines the type of server that you are installing, which includes the following:
    • DN for data node
    • WN for worker node
    If a worker node is installed, the CAP_NET_BIND_SERVICE capability is set for Java processes during the installation. This capability is removed if the worker node is uninstalled.
discoverClusterIP
    Defines the data node IP. If you are installing the data node, enter the internal IP of the server where you plan to install the data node.
discoverClusterDiscoveryPortRange
    Used with the cluster IP to discover data nodes in a cluster. This parameter is required for the data node installation. The default value is 47500..47520.
discoverClusterClientConnectionPortRange
    Defines the range of ports used for communication between worker and data nodes in a cluster. This parameter is required for the data node and worker node installation. The default value is 10800..10820.
discoverClusterAuthPackage
    Defines the authentication package location. Target the file based on the node type that you are installing:
    • Worker node: dlp_discover_cluster_workernode_auth.zip
    • Data node: dlp_discover_cluster_datanode_auth.zip

The following examples list completed commands for worker nodes and data nodes. The commands that you use differ based on your implementation requirements. Using the following commands as-is may cause the installation to fail.
• Data node example command:
./DetectionServerConfigurationUtility -silent
-jreDirectory=/usr/lib/jvm/adoptopenjdk-8-hotspot-jre/
-serviceUserOption=SymantecDLP
-serviceUserUsername=protect
-bindHost=[IP or host name]
-bindPort=8100
-fipsOption=Disabled
-detectionCommunicationDefaultCertificates=Enabled
-discoverClusterRoleOption=DN
-discoverClusterIP=0.0.0.0
-discoverClusterAuthPackage=/opt/dlp_discover_cluster_datanode_auth.zip
-discoverClusterClientConnectionPortRange=<StartPort>..<EndPort>
-discoverClusterDiscoveryPortRange=<StartPort>..<EndPort>

• Worker node example command:
./DetectionServerConfigurationUtility -silent
-jreDirectory=/usr/lib/jvm/adoptopenjdk-8-hotspot-jre/
-serviceUserOption=ExistingUser
-serviceUserUsername=protect
-bindHost=[IP or host name]
-bindPort=8100
-fipsOption=Disabled
-detectionCommunicationDefaultCertificates=Enabled
-discoverClusterRoleOption=WN
-discoverClusterIP=0.0.0.0
-discoverClusterAuthPackage=/home/bishnu/Desktop/dlp_discover_cluster_workernode_auth.zip
-discoverClusterClientConnectionPortRange=<StartPort>..<EndPort>
1. Navigate to the installation directory. Go to the default directory at /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/install or to the path that you used if you selected a non-default installation.
2. Run the Detection Server Configuration Utility. Use the following command to launch the utility:
./DetectionServerConfigurationUtility

3. Enter the following information in the Detection Server Configuration Utility:

License agreement
    Review and accept the License Agreement by entering 1.
JRE directory
    Enter the JRE directory. The recommended directory is /opt/AdoptOpenJRE/[JRE version].
FIPS encryption
    Select whether to disable or enable FIPS encryption. See About FIPS encryption.
Service user
    Enter 1 to add a new user or enter 2 to use an existing user. The default new user name is "SymantecDLP." If you create a new service user, enter the user name when prompted.
    Note: If you create a new service user, the user must be a member of a group and the service user and the group names must match. If these conditions are not present, upgrades fail.
Network port
    Accept the default port number (8100) on which the detection server should accept connections from the Enforce Server. If you cannot use the default port, you can change it to any port higher than port 1024, in the range of 1024–65535.
Network interface
    Enter the detection server network interface (bind address) to use to communicate with the Enforce Server. If there is only one network interface, leave this field blank.
Node type
    Define the type of server that you are installing, which includes the following:
    • DN for data node
    • WN for worker node
Data node IP
    If you are installing the data node, enter the IP of the server where you plan to install the data node.
Network Discover cluster discovery port range
    Used with the cluster IP to discover data nodes in a cluster. This parameter is required for the data node installation. The default value is 47500..47520.
Network Discover cluster client connection port range
    Defines the range of ports used for communication between worker and data nodes in a cluster. This parameter is required for the data node and worker node installation. The default value is 10800..10820.
Cluster authentication package
    Define the authentication package location. Target the file based on the node type that you are installing:
    • Worker node: dlp_discover_cluster_workernode_auth.zip
    • Data node: dlp_discover_cluster_datanode_auth.zip

4. Verify that the node is properly installed.
See Verifying a Detection Server or Node Installation.
5. Create a backup of your system after completing the installation.
See Backing up your system.
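The constraints that Table 118 and the interactive prompts place on the node parameters (role DN or WN, a bind port in 1024–65535, port ranges written as start..end, the discovery range required for a data node, and an authentication package whose file name matches the node role) can be checked before the utility is run silently, when a mistake is cheaper than a failed installation. The following Python script is an added example and is not part of the Symantec documentation or of DetectionServerConfigurationUtility; the parameter names are those of Table 118, the checks are this editor's reading of the table, and the sample addresses are constructed. Run against the data node example command on this page, it reports the serviceUserOption value, which is neither NewUser nor ExistingUser, consistent with the note that the example commands may fail as-is.

```python
"""Pre-flight validation for Network Discover cluster node parameters.

Added example; not part of the Symantec documentation or the
DetectionServerConfigurationUtility. It encodes the constraints that Table 118
states for the silent installation parameters.
"""
import ipaddress
import os

ROLE_TO_PACKAGE = {
    "DN": "dlp_discover_cluster_datanode_auth.zip",
    "WN": "dlp_discover_cluster_workernode_auth.zip",
}
DEFAULT_DISCOVERY_RANGE = "47500..47520"
DEFAULT_CLIENT_RANGE = "10800..10820"


def parse_port_range(value):
    """Parse a 'start..end' range such as 47500..47520 into (start, end).

    Raises ValueError when the text is malformed or the bounds are not ports.
    """
    parts = value.split("..")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"port range must look like 47500..47520, got {value!r}")
    start, end = int(parts[0]), int(parts[1])
    if not 1 <= start <= end <= 65535:
        raise ValueError(f"port range {value!r} must satisfy 1 <= start <= end <= 65535")
    return start, end


def is_valid_port_range(value):
    """True when value parses as a port range."""
    try:
        parse_port_range(value)
        return True
    except ValueError:
        return False


def validate_node_config(params):
    """Return a list of problems; an empty list means the parameters are consistent."""
    problems = []
    role = params.get("discoverClusterRoleOption")
    if role not in ROLE_TO_PACKAGE:
        problems.append("discoverClusterRoleOption must be DN or WN")
    for name, allowed in (
        ("serviceUserOption", ("NewUser", "ExistingUser")),
        ("fipsOption", ("Enabled", "Disabled")),
        ("detectionCommunicationDefaultCertificates", ("Enabled", "Disabled")),
    ):
        if params.get(name) not in allowed:
            problems.append(f"{name} must be one of {', '.join(allowed)}")
    # bindPort defaults to 8100; any other value must lie in 1024-65535
    try:
        port = int(params.get("bindPort", "8100"))
        if not 1024 <= port <= 65535:
            problems.append(f"bindPort {port} is outside 1024-65535")
    except ValueError:
        problems.append("bindPort must be an integer")
    # the cluster IP must parse as an IP address
    try:
        ipaddress.ip_address(params.get("discoverClusterIP", ""))
    except ValueError:
        problems.append("discoverClusterIP must be an IP address")
    # client connection range is required for both roles, discovery range for DN only
    for name, required in (
        ("discoverClusterClientConnectionPortRange", True),
        ("discoverClusterDiscoveryPortRange", role == "DN"),
    ):
        value = params.get(name)
        if value is None:
            if required:
                problems.append(f"{name} is required")
            continue
        if not is_valid_port_range(value):
            problems.append(f"{name}: {value!r} is not a valid start..end port range")
    # the auth package file name must match the node role (Table 117)
    package = os.path.basename(params.get("discoverClusterAuthPackage", ""))
    if role in ROLE_TO_PACKAGE and package != ROLE_TO_PACKAGE[role]:
        problems.append(f"discoverClusterAuthPackage for a {role} node should be "
                        f"{ROLE_TO_PACKAGE[role]}, got {package!r}")
    return problems


def silent_command_line(params):
    """Render the parameters as the -silent command line shown on this page."""
    args = " ".join(f"-{key}={value}" for key, value in params.items())
    return f"./DetectionServerConfigurationUtility -silent {args}"


# Constructed sample modelled on the data node example command above;
# the addresses are made up and serviceUserOption uses a value from Table 118.
SAMPLE_DATA_NODE = {
    "jreDirectory": "/usr/lib/jvm/adoptopenjdk-8-hotspot-jre/",
    "serviceUserOption": "ExistingUser",
    "serviceUserUsername": "protect",
    "bindHost": "10.0.0.5",
    "bindPort": "8100",
    "fipsOption": "Disabled",
    "detectionCommunicationDefaultCertificates": "Enabled",
    "discoverClusterRoleOption": "DN",
    "discoverClusterIP": "10.0.0.5",
    "discoverClusterAuthPackage": "/opt/dlp_discover_cluster_datanode_auth.zip",
    "discoverClusterClientConnectionPortRange": DEFAULT_CLIENT_RANGE,
    "discoverClusterDiscoveryPortRange": DEFAULT_DISCOVERY_RANGE,
}

if __name__ == "__main__":
    for line in validate_node_config(SAMPLE_DATA_NODE) or ["parameters look consistent"]:
        print(line)
    print(silent_command_line(SAMPLE_DATA_NODE))
```

The checks are deliberately limited to what the table states; the utility itself remains the authority on whether a combination installs, so treat an empty problem list as "worth running", not as a guarantee.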

Verifying a Detection Server or Node Installation


After installing a server or node, verify that it is correctly installed before you register it.
See Installing a detection server.
1. Confirm that the services for your particular installation are running:
• Detection servers: SymantecDLPDetectionServerService
• Nodes:
– SymantecDLPDetectorService
– SymantecEnforceConnectorService
2. If the SymantecDLPDetectionServerService service does not start, check log files for possible issues (for example, connectivity, password, or database access issues).
Logs are located at the following locations, based on your platform:
• Windows: c:\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs
• Linux: /var/log/Symantec/DataLossPrevention/DetectionServer/16.0.10000/logs

Registering a detection server


Register a detection server to begin implementing a Symantec Data Loss Prevention feature.
Before registering a server, you must install and verify the server software.
• See Installing a detection server on Windows
• See Installing a detection server on Linux
• See Verifying a Detection Server or Node Installation
After the detection server is installed, use the Enforce Server administration console to register the detection server as the
type of detection server you want.
1. Log on to the Enforce Server as Administrator.
2. Go to System > Servers and Detectors > Overview.
The System Overview page displays.
3. Click Add Server, Software Server.
NOTE
For detailed information about adding a Cloud Detector, see Adding a cloud detector.
4. Select the type of detection server to add and click Next.
The following detection server options are available:
The following list gives each selection and the server that it registers:
• Network Monitor: Network Monitor Server
• Network Discover: Network Discover Server. If you want to install Network Protect, make sure you are licensed for Network Protect and select the Network Discover option. Network Protect provides additional protection features to Network Discover.
• Network Prevent for Email: Network Prevent for Email Server
• Network Prevent for Web: Network Prevent for Web Server
• Endpoint Prevent: Endpoint Prevent and Endpoint Discover
• Single Tier Monitor: Single-Tier Servers
• Network Discover Cluster: Network Discover cluster

Detection Servers
The Configure Server screen appears.
5. Enter the General information. This information defines how the server communicates with the Enforce Server.
Name
    Enter a unique name for the detection server.
Host
    Enter the detection server’s host name or IP address. For a single-tier installation, click the Same as Enforce check box to autofill the host information. For a Single Tier Monitor, the local host is pre-selected.
Port
    Enter the port number the detection server uses to communicate with the Enforce Server. If you chose the default port when you installed the detection server, then enter 8100. However, if you changed the default port, then enter the same port number here (it can be any port higher than 1024).

The additional configuration options displayed on the Configure Server page vary according to the type of server you
selected.
6. Specify the remaining configuration options as appropriate.
See Server configuration—basic for details on how to configure each type of server.
7. Click Save.
The Server Detail screen for that server appears.
8. If necessary, click Server Settings or other configuration tabs to specify additional configuration parameters.
9. If necessary, restart the server by clicking Recycle on the Server Detail screen. Or you can start the Symantec DLP
services manually on the server itself.
Symantec Data Loss Prevention Services
10. To verify that the server was registered, return to the System Overview page. Verify that the detection server appears
in the server list, and that the server status is Running.
11. To verify the type of certificates that the server uses, select System > Servers > Alerts. Examine the list of alerts to
determine the type certificates that Symantec Data Loss Prevention servers use:
• If servers use the built-in certificate, the Enforce Server shows a warning event with code 2709: Using built-in
certificate.
• If servers use unique, generated certificates, the Enforce Server shows an info event with code 2710: Using user
generated certificate.

Configuring certificates for secure server communications
Learn about configuring certificates.
About the sslkeytool utility and server certificates
About securing communications between the Enforce Server and the database
About securing communications between the Enforce Server and Amazon RDS for Oracle

About the sslkeytool utility and server certificates


Symantec Data Loss Prevention uses Secure Socket Layer/Transport Layer Security (SSL/TLS) to encrypt all data that is
transmitted between servers. Symantec Data Loss Prevention also uses the SSL/TLS protocol for mutual authentication
between servers. Servers implement authentication by the mandatory use of client and server-side certificates. By default,
connections between servers use a single, self-signed certificate that is embedded securely inside the Symantec Data
Loss Prevention software. All Symantec Data Loss Prevention installations at all customer sites use this same certificate.
Symantec recommends that you replace the default certificate with unique, self-signed certificates for your organization’s
installation. You store a certificate on the Enforce Server, and on each detection server that communicates with the
Enforce Server. These certificates are generated with the sslkeytool utility.
NOTE
If you install a Network Prevent detection server in a hosted environment, you must generate unique certificates
for your Symantec Data Loss Prevention servers. You cannot use the built-in certificate to communicate with a
hosted Network Prevent server.
Symantec recommends that you create dedicated certificates for communication with your Symantec Data Loss Prevention servers. When you configure the Enforce Server to use a generated certificate, all detection servers in your installation must also use generated certificates. You cannot use the generated certificate with some detection servers and the built-in certificate with other servers. Single-tier deployments do not support generated certificates. You must use the built-in certificate with single-tier deployments.

Related Links
About sslkeytool Command Line Options on page 259
Using sslkeytool to generate new Enforce Server and detection server certificates on page 261
Using sslkeytool to add new detection server certificates on page 262
About server security and SSL/TLS certificates on page 335

About sslkeytool Command Line Options


The sslkeytool is a command-line utility that generates a unique pair of SSL certificates (keystore files).
The sslkeytool utility is located in the directory based on your platform:
• Windows: c:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\bin
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/protect/bin
It must run under the Symantec Data Loss Prevention operating system user account which, by default, is “protect.” Also,
you must run the sslkeytool utility directly on the Enforce Server computer.
The following table lists the command forms and options that are available for the sslkeytool utility:

Table 119: sslKeyTool Command Forms and Options

sslKeyTool -genkey [-dir=<directory> -alias=<aliasFile>]
    You use this command form the first time you generate unique certificates for your Symantec Data Loss Prevention installation. This command generates two unique certificates (keystore files) by default: one for the Enforce Server and one for other detection servers. The optional -dir argument specifies the directory where the keystore files are placed.
    The optional -alias argument generates additional keystore files for each alias specified in the aliasFile. You can use the alias file to generate unique certificates for each detection server in your system (rather than using the same certificate on each detection server).
sslKeyTool -list=<file>
    This command lists the content of the specified keystore file.
sslKeyTool -alias=<aliasFile> -enforce=<enforceKeystoreFile> [-dir=<directory>]
    You use this command form to add new detection server certificates to an existing Symantec Data Loss Prevention installation. This command generates multiple certificate files for detection servers using the aliases you define in aliasFile. You must specify an existing Enforce Server keystore file to use when generating the new detection server keystore files. The optional -dir argument specifies the directory where the keystore files are placed.
    If you do not specify the -dir option, the Enforce Server keystore file must be in the current directory, and the monitor certificates will appear in the current directory. If you do specify the -dir argument, you must also place the Enforce Server keystore file in the specified directory.

The following table provides examples that demonstrate the usage of the sslkeytool command forms and options.

Table 120: sslKeyTool Examples

sslkeytool -genkey
    This command generates two files:
    • enforce.timestamp.sslKeyStore
    • monitor.timestamp.sslKeyStore
    Unless you specified a different directory with the -dir argument, these two keystore files are created in the bin directory where the sslkeytool utility resides.
sslkeytool -alias=Monitor.list.txt -enforce=enforce.date.sslkeystore
    Without the directory option -dir, the Enforce Server certificate must be in the current directory. The new detection server certificate(s) will be created in the current directory.
Windows: sslkeytool -alias=Monitor.list.txt -enforce=enforce.date.sslkeystore -dir=C:\TEMP
Linux: sslkeytool -alias=Monitor.list.txt -enforce=enforce.date.sslkeystore -dir=opt/temp
    With the directory option -dir=C:\TEMP for Windows or -dir=opt/temp for Linux, the Enforce Server certificate must be in the C:\TEMP or opt/temp directory, respectively. The new detection server certificate(s) will be created in the C:\TEMP or opt/temp directory.
    Note: Use the absolute path for the -dir option unless the path is relative to the current directory.

Related Links
About the sslkeytool utility and server certificates on page 259
Using sslkeytool to generate new Enforce Server and detection server certificates on page 261
Using sslkeytool to add new detection server certificates on page 262
About server security and SSL/TLS certificates on page 335

Using sslkeytool to generate new Enforce Server and detection server certificates
After installing Symantec Data Loss Prevention, use the -genkey argument with sslkeytool to generate new certificates for the Enforce Server and detection servers. Symantec recommends that you replace the default certificate used to secure communication between servers with unique, self-signed certificates. The -genkey argument automatically generates two certificate files. You store one certificate on the Enforce Server, and the second certificate on each detection server. The optional -alias argument lets you generate a unique certificate file for each detection server in your system. To use -alias, you must first create an alias file that lists the name of each alias to create.
NOTE
The steps that follow are for generating unique certificates for the Enforce Server and detection servers at the
same time. If you need to generate one or more detection server certificates after the Enforce Server certificate
is generated, the procedure is different. Using sslkeytool to add new detection server certificates
1. Log on to the Enforce Server computer using the "SymantecDLP" user account you created during Symantec Data
Loss Prevention installation.
2. From a command window, go to the directory where the sslkeytool utility is stored:
On Windows this directory is c:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\bin.
On Linux this directory is /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/protect/bin.
3. If you want to create a dedicated certificate file for each detection server, first create a text file to list the alias names
you want to create. Place each alias on a separate line. For example:
net_monitor01
protect01
endpoint01
smtp_prevent01
web_prevent01

NOTE
The -genkey argument automatically creates certificates for the "enforce" and "monitor" aliases. Do not add
these aliases to your custom alias file.
4. Run the sslkeytool utility with the -genkey argument and optional -dir argument to specify the output directory. If you
created a custom alias file, also specify the optional -alias argument, as in the following example:
• Windows:
sslkeytool -genkey -alias=.\aliases.txt -dir=.\generated_keys

• Linux:
sslkeytool -genkey -alias=./aliases.txt -dir=./generated_keys

This generates new certificates (keystore files) in the specified directory. Two files are automatically generated with the
-genkey argument:

• enforce.timestamp.sslKeyStore
• monitor.timestamp.sslKeyStore
The sslkeytool also generates individual files for any aliases that are defined in the alias file. For example:
• net_monitor01.timestamp.sslKeyStore
• protect01.timestamp.sslKeyStore
• endpoint01.timestamp.sslKeyStore
• smtp_prevent01.timestamp.sslKeyStore
• web_prevent01.timestamp.sslKeyStore
5. Copy the certificate file whose name begins with enforce to the following directory on the Enforce Server, based on
your platform:
• Windows: c:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\keystore
• Linux: /var/Symantec/DataLossPrevention/EnforceServer/16.0.10000/keystore
6. If you want to use the same certificate file with all detection servers, copy the certificate file whose name begins with monitor to the keystore directory of each detection server in your system.
Copy the file to the directory based on your platform:
• Windows: c:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\keystore
• Linux: /var/Symantec/DataLossPrevention/EnforceServer/16.0.10000/keystore
If you generated a unique certificate file for each detection server in your system, copy the appropriate certificate file to the keystore directory on each detection server computer.
7. Delete or secure any additional copies of the certificate files to prevent unauthorized access to the generated keys.
8. Restart the SymantecDLPDetectionServerControllerService service on the Enforce Server and the
SymantecDLPDetectionServerService service on the detection servers.

When you install a Symantec Data Loss Prevention server, the installation program creates a default keystore in the
keystore directory. When you copy a generated certificate file into this directory, the generated file overrides the default
certificate. If you later remove the certificate file from the keystore directory, Symantec Data Loss Prevention reverts to
the default keystore file embedded within the application. This behavior ensures that data traffic is always protected. Note,
however, that you cannot use the built-in certificate with certain servers and a generated certificate with other servers. All
servers in the Symantec Data Loss Prevention system must use either the built-in certificate or a custom certificate.
NOTE
If more than one keystore file is placed in the keystore directory, the server does not start.
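Two of the rules in this procedure are easy to get wrong by hand: the custom alias file must not list the "enforce" and "monitor" aliases that -genkey creates itself, and a keystore directory that ends up holding more than one keystore file stops the server from starting. The following Python script is an added example and is not part of the Symantec documentation or of the sslkeytool utility; it uses the <alias>.<timestamp>.sslKeyStore naming shown above, and the rule that an alias should not contain a dot or whitespace is this editor's assumption, made so that the alias can be read back from the generated file name.

```python
"""Pre-flight checks for sslkeytool alias files and server keystore directories.

Added example; not part of the Symantec documentation or the sslkeytool
utility. It encodes rules stated in this procedure: -genkey creates the
"enforce" and "monitor" aliases itself, generated files are named
<alias>.<timestamp>.sslKeyStore, and a server whose keystore directory holds
more than one keystore file does not start.
"""
import os
import re

RESERVED_ALIASES = {"enforce", "monitor"}
# <alias>.<timestamp>.sslKeyStore; the page spells the extension both
# sslKeyStore and sslkeyStore, so the match is case-insensitive.
KEYSTORE_NAME = re.compile(r"^(?P<alias>[^.\s]+)\.(?P<timestamp>.+)\.sslkeystore$", re.IGNORECASE)


def check_alias_lines(lines):
    """Return problems in alias file content (one alias per line); [] if clean."""
    problems = []
    seen = set()
    for number, raw in enumerate(lines, 1):
        alias = raw.strip()
        if not alias:
            problems.append(f"line {number}: empty line")
            continue
        if alias.lower() in RESERVED_ALIASES:
            problems.append(f"line {number}: '{alias}' is reserved; -genkey creates it automatically")
        if "." in alias or any(ch.isspace() for ch in alias):
            # assumption: keep aliases dot- and whitespace-free so the alias can be
            # recovered from <alias>.<timestamp>.sslKeyStore
            problems.append(f"line {number}: '{alias}' contains a dot or whitespace")
        if alias.lower() in seen:
            problems.append(f"line {number}: duplicate alias '{alias}'")
        seen.add(alias.lower())
    return problems


def keystore_alias(filename):
    """Return the alias prefix of a generated keystore file name, or None."""
    match = KEYSTORE_NAME.match(os.path.basename(filename))
    return match.group("alias") if match else None


def check_keystore_listing(filenames, expected_alias):
    """Validate a keystore directory listing for one server.

    expected_alias is "enforce" on the Enforce Server and "monitor" or the
    server's own alias on a detection server.
    """
    keystores = [name for name in filenames if keystore_alias(name)]
    if not keystores:
        return ["no generated keystore file (<alias>.<timestamp>.sslKeyStore) present; "
                "the server falls back to the built-in certificate"]
    if len(keystores) > 1:
        return [f"{len(keystores)} keystore files present ({', '.join(sorted(keystores))}); "
                "the server does not start"]
    alias = keystore_alias(keystores[0])
    if alias.lower() != expected_alias.lower():
        return [f"keystore '{keystores[0]}' is for alias '{alias}', expected '{expected_alias}'"]
    return []


def check_alias_file(path):
    """Read an alias file from disk and validate it."""
    with open(path, encoding="utf-8") as handle:
        return check_alias_lines(handle.read().splitlines())


def check_keystore_dir(path, expected_alias):
    """Validate the keystore directory at path for a server with expected_alias."""
    return check_keystore_listing(os.listdir(path), expected_alias)


if __name__ == "__main__":
    # constructed sample: the alias list from step 3 plus two mistakes
    sample_aliases = ["net_monitor01", "protect01", "enforce", "", "protect01"]
    for problem in check_alias_lines(sample_aliases):
        print("alias file:", problem)
    for problem in check_keystore_listing(
            ["enforce.old.sslKeyStore", "enforce.new.sslKeyStore"], "enforce"):
        print("keystore dir:", problem)
```

Run check_alias_file against the alias file before step 4, and check_keystore_dir against each server's keystore directory after step 6 and before the restart in step 8, when a leftover file from a previous generation is the usual cause of a server that will not start.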
Related Links
Using sslkeytool to add new detection server certificates on page 262
About sslkeytool Command Line Options on page 259
About the sslkeytool utility and server certificates on page 259
About server security and SSL/TLS certificates on page 335

Using sslkeytool to add new detection server certificates


Use sslkeytool with the -alias argument to generate new certificate files for an existing Symantec Data Loss Prevention
deployment. When you use this command form, you must provide the current Enforce Server keystore file, so that
sslkeytool can embed the Enforce Server certificate in the new detection server certificate files that you generate.

The following procedure generates one or more new detection server certificates.
To generate new detection server certificates
1. Log on to the Enforce Server computer using the "SymantecDLP" user account that you created during Symantec
Data Loss Prevention installation.
2. From a command window, go to the bin directory where the sslkeytool utility is stored.
• Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\protect\bin
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/protect/bin
3. Create a directory in which you will store the new detection server certificate files. For example:
mkdir new_certificates

4. Copy the Enforce Server certificate file to the new directory. Example commands based on platform are listed below:
• Windows command:
copy ..\keystore\enforce.Fri_Jun_12_11_24_20_PDT_2016.sslkeyStore .\new_certificates
• Linux command:
cp ../keystore/enforce.Fri_Jun_12_11_24_20_PDT_2016.sslkeyStore ./new_certificates

5. Create a text file that lists the new server alias names that you want to create. Place each alias on a separate line. For
example:
network02
smtp_prevent02

6. Run the sslkeytool utility with the -alias argument and -dir argument to specify the output directory. Also specify the
name of the Enforce Server certificate file that you copied into the certificate directory.
Example commands are listed below:
• Windows command:
sslkeytool -alias=.\aliases.txt -enforce=enforce.Fri_Jun_10_11_24_20_PDT_2016.sslkeyStore -dir=.\new_certificates
• Linux command:
sslkeytool -alias=./aliases.txt -enforce=enforce.Fri_Jun_10_11_24_20_PDT_2016.sslkeyStore -dir=./new_certificates

The command generates a new certificate file for each alias, and stores the new files in the specified directory. Each
certificate file also includes the Enforce Server certificate from the Enforce Server keystore that you specify.
7. Copy each new certificate file to the keystore directory on the appropriate detection server computer.
• Windows: c:\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\keystore
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/keystore
NOTE
After creating a new certificate for a detection server (monitor.date.sslkeystore), the Enforce Server certificate file (enforce.date.sslkeystore) is updated with the context of each new detection server. You need to copy and replace the updated Enforce Server certificate to the keystore directory and repeat the process for each new detection server certificate you generate.
8. Delete or secure any additional copies of the certificate files to prevent unauthorized access to the generated keys.
9. Restart the SymantecDLPDetectionServerService service on each detection server to use the new certificate file.

Verifying server certificate usage


Symantec Data Loss Prevention uses system events to indicate whether servers are using the built-in certificate or
user-generated certificates to secure communication. If servers use the default, built-in certificate, Symantec Data Loss
Prevention generates a warning event. If servers use generated certificates, Symantec Data Loss Prevention generates
an info event.
Symantec recommends that you use generated certificates, rather than the built-in certificate, for added security.
If you install Network Prevent to a hosted environment, you cannot use the built-in certificate and you must generate and
use unique certificates for the Enforce Server and detection servers.
To determine the type of certificates that Symantec Data Loss Prevention uses
1. Start the Enforce Server or restart the SymantecDLPDetectionServerControllerService service on the Enforce
Server computer.
2. Start each detection server or restart the SymantecDLPDetectionServerService service on each detection server
computer.
3. Log in to the Enforce Server administration console.
4. Select System > Servers > Alerts.
5. Check the list of alerts to determine the type certificates that Symantec Data Loss Prevention servers use:
• If servers use the built-in certificate, the Enforce Server shows a warning event with code 2709: Using built-in
certificate.
• If servers use unique, generated certificates, the Enforce Server shows an info event with code 2710: Using user
generated certificate.
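Because every server must use the same kind of certificate, the alert list is most useful when it is read across all servers at once: a mixture of 2709 and 2710 events, or a server that raised neither since its last restart, is the condition to look for. The following Python script is an added example and is not part of the Symantec documentation or product; the two event codes are the ones named above, while the alert record layout (a server name paired with an event code) and the sample alerts are constructed assumptions, as is the hosted-server list used to apply the Network Prevent rule from the paragraph above.

```python
"""Summarise certificate usage from Enforce Server alert events.

Added example; not part of the Symantec documentation or product. It relies on
the two event codes named on this page: 2709 (warning, using built-in
certificate) and 2710 (info, using user generated certificate). The alert
record layout is an assumption: each alert is a (server, event_code) pair
such as one might copy from the System > Servers > Alerts list.
"""
BUILT_IN_EVENT = 2709
GENERATED_EVENT = 2710


def certificate_usage(alerts, expected_servers, hosted_servers=()):
    """Return a summary of which certificate type each server reported.

    usage: server -> "built-in" or "generated" (the latest relevant event wins)
    missing: expected servers that raised neither event (restart them and re-check)
    mixed: True when built-in and generated coexist, which is not supported
    hosted_built_in: hosted Network Prevent servers still on the built-in certificate
    """
    usage = {}
    for server, code in alerts:
        if code == BUILT_IN_EVENT:
            usage[server] = "built-in"
        elif code == GENERATED_EVENT:
            usage[server] = "generated"
        # other event codes are unrelated to certificate usage and are ignored
    missing = sorted(s for s in expected_servers if s not in usage)
    hosted_built_in = sorted(s for s in hosted_servers if usage.get(s) == "built-in")
    return {
        "usage": usage,
        "missing": missing,
        "mixed": len(set(usage.values())) > 1,
        "hosted_built_in": hosted_built_in,
    }


def describe(report):
    """Turn the report into human-readable lines."""
    lines = [f"{server}: {kind}" for server, kind in sorted(report["usage"].items())]
    if report["missing"]:
        lines.append("no certificate event yet from: " + ", ".join(report["missing"]))
    if report["mixed"]:
        lines.append("built-in and generated certificates are mixed; all servers must use one kind")
    if report["hosted_built_in"]:
        lines.append("hosted servers on the built-in certificate: " + ", ".join(report["hosted_built_in"]))
    return lines


# Constructed sample: server names are made up and 4242 stands in for an
# unrelated event code so that the filter on 2709/2710 is exercised.
SAMPLE_ALERTS = [
    ("enforce", 2710),
    ("monitor01", 2710),
    ("monitor02", 2709),
    ("monitor02", 4242),
]
SAMPLE_SERVERS = ["enforce", "monitor01", "monitor02", "web_prevent01"]

if __name__ == "__main__":
    for line in describe(certificate_usage(SAMPLE_ALERTS, SAMPLE_SERVERS,
                                           hosted_servers=["web_prevent01", "monitor02"])):
        print(line)
```

Feed it the current alert list after the restarts in steps 1 and 2; a server listed under "missing" has not yet reported, so its certificate type is unknown rather than confirmed.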

About securing communications between the Enforce Server and the database
You can use Transport Layer Security (TLS) to encrypt all data that is transmitted between the Enforce Server and the
database server in a three-tier environment. You create unique, self-signed certificates that you store on the Enforce
Server.
Table 121: Steps to secure communications between the Enforce Server and the database describes the process to
secure communications between the Enforce Server and the database.

Table 121: Steps to secure communications between the Enforce Server and the database

Step 1: Generate the self-signed certificates using the orapki command-line utility that is provided with the Oracle database.
    More info: About orapki command line options; Using orapki to generate the server certificate on the Oracle database
Step 2: Configure the JDBC driver on the Enforce Server to use the TLS connection and port.
    More info: Configuring communication on the Enforce Server
Step 3: Configure the server certificate on the Enforce Server.
    More info: Configuring the Server Certificate on the Enforce Server
Step 4: Verify the database certificate usage on the Enforce Server.
    More info: Verifying the Enforce Server database certificate usage

About orapki command line options
You use the orapki command-line utility to create a wallet where certificates are stored. You then use the utility to generate
a unique pair of TLS self-signed certificates that are used to secure communication between the Enforce Server and the
Oracle database.
The orapki utility is in the bin folder of the Oracle home on the computer where the Oracle database is installed:
• Windows: %ORACLE_HOME%\bin
• Linux: $ORACLE_HOME/bin
You run the orapki utility on the computer where the Oracle database is located.
The following table lists the command forms and options that you use when generating a unique pair of TLS self-signed
certificates.

Table 122: Orapki utility examples

Create a wallet where certificates are stored (this command also creates the server_wallet directory):
Windows: orapki wallet create -wallet c:\oracle\wallet\server_wallet -auto_login -pwd password
Linux: orapki wallet create -wallet ./server_wallet -auto_login -pwd password

Add a self-signed certificate and a pair of private/public keys to the wallet:
Windows: orapki wallet add -wallet c:\oracle\wallet\server_wallet -dn "CN=oracleserver" -keysize 2048 -self_signed -validity 3650 -pwd password -sign_alg sha256
Linux: orapki wallet add -wallet /opt/oracle/wallet/server_wallet -dn "CN=oracleserver" -keysize 2048 -self_signed -validity 3650 -pwd password -sign_alg sha256

View the contents of the wallet to confirm that the self-signed certificate was created successfully:
Windows: orapki wallet display -wallet c:\oracle\wallet\server_wallet
Linux: orapki wallet display -wallet /opt/oracle/wallet/server_wallet

Export the self-signed certificate. In addition to exporting the certificate, the command creates the file cert.txt in a location based on your platform (Windows: c:\oracle\wallet\server_wallet; Linux: /opt/oracle/wallet/server_wallet):
Windows: orapki wallet export -wallet c:\oracle\wallet\server_wallet -dn "CN=oracleserver" -cert c:\oracle\wallet\server_wallet\cert.txt
Linux: orapki wallet export -wallet /opt/oracle/wallet/server_wallet -dn "CN=oracleserver" -cert /opt/oracle/wallet/server_wallet/cert.txt

Related Links
Using orapki to generate the server certificate on the Oracle database on page 265

Using orapki to generate the server certificate on the Oracle database


Complete the following to generate the server certificate on the Oracle database.
1. Prepare to generate the server certificates by completing the following steps, based on your platform:
• Windows:
a. Shut down all Oracle services if they are running in Windows Services.

b. View the services by going to Start > Control Panel > Administrative Tools > Computer Management,
expanding Services and Applications, and clicking Services.
• Linux:
a. Stop the Oracle database.
Stop the database by running the following command as a root user:
$ sh /etc/init.d/dbora stop
b. Log on as the Oracle User by running the following command:
su - oracle

2. Go to the oracle directory by running the following command (based on your platform):
• Windows: cd c:\oracle
• Linux: cd /opt/oracle
3. Create the wallet directory by running the following command:
mkdir wallet

cd wallet

4. Create a wallet on the Oracle server with auto login enabled by running the following command (based on your
platform):
• Windows: At the directory c:\oracle\wallet, run orapki wallet create -wallet .\server_wallet -auto_login -pwd walletpassword
• Linux: At the directory /opt/oracle/wallet, run orapki wallet create -wallet ./server_wallet -auto_login -pwd walletpassword

NOTE
Use a wallet password that adheres to the password policy. Passwords must have a minimum length of eight
characters and contain alphabetic characters combined with numbers or special characters.
On Oracle 12c systems, the Operation is successfully completed message displays when the command completes.
The following two files are created under the server_wallet directory (among similarly named .lck files):
• cwallet.sso
• ewallet.p12
5. Generate the self-signed certificate and add it to the wallet by running the following command (based on your
platform):
• Windows:
orapki wallet add -wallet c:\oracle\wallet\server_wallet -dn "CN=oracleserver" -keysize 2048 -self_signed -validity 3650 -pwd walletpassword -sign_alg sha256
• Linux:
orapki wallet add -wallet /opt/oracle/wallet/server_wallet -dn "CN=oracleserver" -keysize 2048 -self_signed -validity 3650 -pwd walletpassword -sign_alg sha256

Replace oracleserver with the name of the computer where Oracle is running.
6. View the wallet to confirm that the certificate was created successfully by running the following command (based on
your platform):
• Windows:
orapki wallet display -wallet c:\oracle\wallet\server_wallet
• Linux:
orapki wallet display -wallet /opt/oracle/wallet/server_wallet

When the certificate is created successfully, the command returns information in the following form:
Requested Certificates:
User Certificates:
Subject: CN=oracleserver
Trusted Certificates:
Subject: CN=oracleserver

7. Export the certificate by running the following command (based on your platform):
• Windows:
orapki wallet export -wallet c:\oracle\wallet\server_wallet -dn "CN=oracleserver" -cert c:\oracle\wallet\server_wallet\cert.txt
• Linux:
orapki wallet export -wallet /opt/oracle/wallet/server_wallet -dn "CN=oracleserver" -cert /opt/oracle/wallet/server_wallet/cert.txt

8. Confirm that cert.txt is created at the following location (based on your platform):
• Windows: c:\oracle\wallet\server_wallet
• Linux: /opt/oracle/wallet/server_wallet

Configuring communication on the Enforce Server


After you generate the server certificate on the Oracle database, you update the listener.ora file to point to the self-signed certificate.
1. Back up the listener.ora file before you update it.
The file location depends on your platform:
• Windows: %ORACLE_HOME%\network\admin
• Linux: $ORACLE_HOME/network/admin
2. Switch to the Oracle user by running the following command:
su - oracle

3. Stop the listener by running the following command:
lsnrctl stop
You can skip this step if the database is already stopped.
4. Open the listener.ora file.
5. Update the port number to 2484 and the protocol to TCPS on the Address line.
The Listener section should read as follows:
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST = [oracle host name])(PORT = 2484))
(ADDRESS = (PROTOCOL = IPC)(KEY = protect))
)
)

6. Add the following section after the LISTENER section:
NOTE
Confirm that the DIRECTORY value points to the server_wallet location.
• Windows:
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = c:\oracle\wallet\server_wallet)))
• Linux:
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /opt/oracle/wallet/server_wallet)))

7. Navigate to the admin directory (based on your platform):
• Windows: %ORACLE_HOME%\network\admin
• Linux: $ORACLE_HOME/network/admin
8. Open the sqlnet.ora file. Create a new sqlnet.ora file if it does not exist.
9. Replace the line SQLNET.AUTHENTICATION_SERVICES=(TNS) with the following (based on your platform):
• Windows:
SQLNET.AUTHENTICATION_SERVICES=(NONE)
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = c:\oracle\wallet\server_wallet)))
• Linux:
SQLNET.AUTHENTICATION_SERVICES=(NONE)
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /opt/oracle/wallet/server_wallet)))

10. Open the tnsnames.ora file.
11. Update the protocol to TCPS and the port to 2484. The updated content should match the following:
PROTECT =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST = [oracle host name])(PORT = 2484))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = protect)
)
)

LISTENER_PROTECT =
(ADDRESS = (PROTOCOL = TCPS)(HOST = [oracle host name])(PORT = 2484))

12. Start all Oracle services.
To view the services, go to Start > Control Panel > Administrative Tools > Computer Management, and then
expand Services and Applications and click Services.

13. Start the Oracle database by running the following command:
Linux: $ sh /etc/init.d/dbora start
14. Confirm that the Oracle listener is operating by running the following command:
lsnrctl status
The listener status displays in the command prompt. If the command prompt indicates that the listener is running but
no services are running on the database, run the following commands:
su - oracle (only required on Linux)
export ORACLE_SERVICE_NAME=protect
sqlplus /nolog
SQL> conn sys/<password> as sysdba
If Connected to an idle instance appears, run the following commands:
SQL> startup
SQL> exit
lsnrctl status

Configuring the Server Certificate on the Enforce Server


After you configure communication on the Enforce Server, you configure the JDBC driver and the server certificate. You
configure the JDBC driver to use the TLS connection and port, then you configure the server certificate.
1. Locate the jdbc.properties file at the location based on your platform:
• Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\protect
\config
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/protect/config
2. Modify the following communication port and connection information:
a) Update the jdbc.dbalias.oracle-thin line to use TCPS.
b) Change the port number to 2484.
The updated communication port and connection information should appear as follows:
jdbc.dbalias.oracle-thin=@(description=(address=(host=[oracle host name])
(protocol=tcps)(port=2484))(connect_data=(service_name=protect))
(SSL_SERVER_CERT_DN="CN=oracleserver"))

NOTE
If the server certificate on the Oracle database is signed by a public CA (instead of being self-signed), skip to
step 4.
3. Add the certificate to the cacerts file that is located on the Enforce Server by completing the following steps:
Replace <version> with the OpenJRE version running on your system.
a) Copy the cert.txt file to the security folder:
• Windows: C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security
• Linux: /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security

b) Change the directory by running the following command based on your platform:
• Windows: cd "C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security"
• Linux: cd /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security
c) Insert the certificate into the cacerts file by running the following command as an administrator (for Windows) or
as a root user (for Linux):
keytool -import -alias oracleservercert -keystore cacerts -file cert.txt
Enter the default password when you are prompted: changeit.
d) Confirm that the certificate was added by running the following command based on your platform:
• Windows: keytool -list -v -keystore "C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security\cacerts" -storepass changeit
• Linux: keytool -list -v -keystore /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security/cacerts -storepass changeit

4. Restart all Symantec Data Loss Prevention services.


Related Links
Using orapki to generate the server certificate on the Oracle database on page 265

Verifying the Enforce Server database certificate usage


To confirm that certificates are configured correctly and the Enforce Server is communicating with the database, log on to
the Enforce Server administration console. If you can log on, the Enforce Server and database are communicating over a
secure connection.
If you cannot log on, confirm the SSL Java application connection by checking the listener status on the database server.
In the listener status, the TCPS protocol and port 2484 should be in use. If the listener status does not show these
values, repeat the process to generate the self-signed certificates.
For full details on how to configure secure sockets layer authentication, see the following platform-specific documentation
from Oracle Corporation, available from the Oracle Documentation Library:
Oracle 12c SE2: https://docs.oracle.com/database/121/DBSEG/asossl.htm#DBSEG070
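The listener.ora, tnsnames.ora and jdbc.dbalias.oracle-thin settings configured above all use the same Oracle Net descriptor syntax, and the verification step checks the same properties in each of them: TCPS on port 2484, a WALLET_LOCATION that points at server_wallet, and the expected SSL_SERVER_CERT_DN. The following Python example, added here and not part of the Symantec or Oracle documentation, parses that syntax and reports every deviation from the documented setup; the host name, wallet path and DN in the sample inputs are constructed placeholders.

```python
import re

# Oracle Net tokens: parentheses, '=', double-quoted strings (a DN contains '=' and ',')
# and bare words; the '@' that prefixes the jdbc.properties alias value is dropped.
_TOKEN = re.compile(r'\(|\)|=|"[^"]*"|[^\s()="]+')


def tokenize(text):
    tokens = []
    for line in text.splitlines():
        line = line.split('#', 1)[0]  # '#' starts a comment in .ora files
        tokens.extend(t for t in _TOKEN.findall(line) if t != '@')
    return tokens


class _Parser:
    """KEY = value, where value is a bare word or a run of (KEY = value) groups;
    a key repeated inside one run (the two ADDRESS entries) becomes a list."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f'expected {expected!r}, found {tok!r} at token {self.i}')
        self.i += 1
        return tok

    def value(self):
        if self.peek() != '(':
            return self.take().strip('"')
        groups = {}
        while self.peek() == '(':
            self.take('(')
            first = self.take()
            if self.peek() != '=':  # bare value such as (NONE)
                groups.setdefault('_VALUES', []).append(first.strip('"'))
            else:
                self.take('=')
                key, val = first.upper(), self.value()
                if key in groups:
                    groups[key] = (groups[key] if isinstance(groups[key], list) else [groups[key]]) + [val]
                else:
                    groups[key] = val
            self.take(')')
        return groups

    def document(self):
        doc = {}
        while self.peek() is not None:
            key = self.take().upper()
            self.take('=')
            doc[key] = self.value()
        return doc


def parse_tns(text):
    """Parse listener.ora / tnsnames.ora / sqlnet.ora text or a jdbc.dbalias line into nested dicts."""
    return _Parser(tokenize(text)).document()


def find_all(node, key):
    """Every value stored under key anywhere in the parsed tree, lists flattened."""
    if isinstance(node, list):
        return [hit for item in node for hit in find_all(item, key)]
    if not isinstance(node, dict):
        return []
    return [hit for k, v in node.items()
            for hit in ((v if isinstance(v, list) else [v]) if k == key else find_all(v, key))]


def check_tls_config(doc, expected_port='2484', expected_dn=None):
    """List deviations from the documented TCPS/2484 setup; an empty list means it matches."""
    problems = []
    for addr in find_all(doc, 'ADDRESS'):
        if not isinstance(addr, dict):
            continue
        proto, port = str(addr.get('PROTOCOL', '')).upper(), str(addr.get('PORT', ''))
        if proto == 'IPC':
            continue  # the local IPC endpoint is not on the network path
        if proto != 'TCPS':
            problems.append(f"{addr.get('HOST')}: protocol {proto or '?'} is not TCPS")
        if port != expected_port:
            problems.append(f"{addr.get('HOST')}: port {port or '?'} is not {expected_port}")
    for wallet in find_all(doc, 'WALLET_LOCATION'):
        paths = [p.replace('\\', '/').rstrip('/') for p in find_all(wallet, 'DIRECTORY') if isinstance(p, str)]
        if not any(p.endswith('/server_wallet') for p in paths):
            problems.append(f'WALLET_LOCATION does not point at server_wallet: {paths}')
    if expected_dn is not None and find_all(doc, 'SSL_SERVER_CERT_DN') != [expected_dn]:
        problems.append(f'SSL_SERVER_CERT_DN is not {expected_dn!r}')
    return problems


# Constructed samples (not from the guide): host name and wallet path are placeholders.
LISTENER_ORA = """LISTENER =
  (DESCRIPTION_LIST = (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = oracledb.example.internal)(PORT = 2484))
    (ADDRESS = (PROTOCOL = IPC)(KEY = protect))))
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /opt/oracle/wallet/server_wallet)))"""
JDBC_ALIAS = ('jdbc.dbalias.oracle-thin=@(description=(address=(host=oracledb.example.internal)'
              '(protocol=tcps)(port=2484))(connect_data=(service_name=protect))'
              '(SSL_SERVER_CERT_DN="CN=oracledb.example.internal"))')
LEGACY_LISTENER = 'LISTENER = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = oracledb.example.internal)(PORT = 1521)))'
```

check_tls_config(parse_tns(text)) returns an empty list for the TCPS listener and JDBC alias and two findings (plain TCP, port 1521) for the legacy listener.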

Related Links
About securing communications between the Enforce Server and the database on page 264

About securing communications between the Enforce Server and Amazon RDS
for Oracle
You can use SSL/Transport Layer Security (TLS) to encrypt all data that is transmitted between the Enforce Server and
the Oracle database hosted with Amazon RDS in a three-tier environment.
These steps assume that you have already set up an AWS account that you can use to manage the Oracle database. See
Deploy Symantec Data Loss Prevention servers on Amazon Web Services.
The following table describes the process to secure communications between the Enforce Server and the database.

Table 123: Steps to secure communications between the Enforce Server and the Oracle database hosted with Amazon RDS

Step 1: Configure the AWS Oracle RDS SSL connector.
More info: Configuring Oracle RDS Option Group with SSL
Step 2: Configure the server certificate on the Enforce Server.
More info: Configuring the Server Certificate on the Enforce Server
Step 3: Configure the AWS Oracle RDS for Secure Sockets Layer (SSL) connection over JDBC.
More info: Setting up an SSL connection over JDBC
Step 4: Verify the AWS Oracle RDS certificate usage.
More info: Verifying the Enforce Server-Oracle RDS database certificate usage

Configuring Oracle RDS Option Group with SSL


You enable SSL encryption for an Oracle RDS database instance by adding the Oracle SSL option to the option group
associated with an Oracle DB instance. You specify the port you want to communicate over using SSL.
See Oracle Secure Sockets Layer in the AWS Oracle RDS documentation for steps to complete this process.

Configuring the Server Certificate on the Enforce Server


After you configure the AWS Oracle RDS Option Group with SSL, you configure the Enforce Server JDBC driver and the
server certificate. You import the AWS Oracle RDS certificate into the Enforce Server Java keystore. Last, you configure
the JDBC driver to use the Oracle RDS SSL/TLS connection and port.
NOTE
The following process assumes that the SSL Option is configured with TCP port 2484.
1. Locate the jdbc.properties file at the following location (based on your platform):
• Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\protect\config
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/protect/config
2. Modify the following communication port and connection information:
• Update the jdbc.dbalias.oracle-thin line to use TCPS.
• Change the port number to 2484.
The updated communication port and connection information should display as follows:
jdbc.dbalias.oracle-thin=@(description=(address=(host=[oracle host name])
(protocol=tcps)(port=2484))(connect_data=(service_name=protect))
(SSL_SERVER_CERT_DN="CN=oracleserver"))
The following is an example of what the completed communication port and connection information might look
like. The information you use differs based on your system. Using the following information as-is may cause the
configuration to fail.
NOTE
The example uses "protect" for the database SID and "2484" for the TLS port.
jdbc.dbalias.oracle-thin=@(description=(address=(host=oracle-rds-dns-name)(protocol=tcps)(port=2484))(connect_data=(service_name=protect)(SSL_SERVER_CERT_DN="C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS,CN=oracle-rds-dns-name")))
The certificate details provided above are valid for the rds-ca-2015-root and rds-ca-2019-root certificates, but you
replace the port number with the number used for the SSL port in the option group.
3. Add the certificate to the cacerts file that is located on the Enforce Server by completing the following steps:
Replace <version> with the OpenJRE version running on your system.
a) Copy the Oracle RDS certificate (rds-ca-2015-root.der or rds-ca-2019-root.der) file to the following
location (based on your platform):
• Windows: C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security
• Linux: /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security
b) Change the directory by running the following command (based on your platform):
• Windows: cd "C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security"
• Linux: cd /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security
c) Insert the certificate into the cacerts file by running the following command as an administrator (on Windows) or a
root user (on Linux):
keytool -import -alias oracleservercert -keystore cacerts -file rds-ca-2015-root.der
or
keytool -import -alias oracleservercert2019 -keystore cacerts -file rds-ca-2019-root.der
Enter the default password when you are prompted: changeit.
d) Confirm that the certificate was added by running the following command (based on your platform):
• Windows: keytool -list -v -keystore "C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security\cacerts" -storepass changeit
• Linux: keytool -list -v -keystore /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security/cacerts -storepass changeit

4. Restart all SymantecDLP services.


See Symantec Data Loss Prevention Services.

Setting up an SSL connection over JDBC


To set up an SSL connection over JDBC you download the Amazon RDS root CA certificate, convert the certificate format
to .der, then import the certificate into the keystore.
Refer to Setting up an SSL connection over JDBC in the AWS Oracle RDS documentation for steps to complete this
process.

Verifying the Enforce Server-Oracle RDS database certificate usage


To confirm that certificates are configured correctly and the Enforce Server is communicating with the Oracle RDS
database, log on to the Enforce Server administration console. If you can log on, the Enforce Server and database are
communicating over a secure connection.
If you cannot log on, verify the SSL Java application connection configured in jdbc.properties by checking the listener
status on the Oracle RDS instance. In the listener status, the TCPS protocol and port 2484 should be in use. If the listener
status does not show these values, repeat the process to configure the Oracle RDS option group with SSL.
For full details on how to configure SSL/TLS communication between Oracle RDS and the Enforce Server, see the
documentation for AWS Oracle RDS Option Group, available from the Amazon Relational Database Service User Guide:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.SSL.html

Installing the domain controller agent to identify users in incidents


Learn about installing the domain controller agent.
About the domain controller agent
Domain controller agent installation prerequisites
Installing the domain controller agent
Domain controller agent post-installation tasks
Troubleshooting the domain controller agent
Uninstalling the domain controller agent

About the domain controller agent


You can identify specific users in Symantec Data Loss Prevention Network Prevent for Web incidents by installing the
Symantec Data Loss Prevention domain controller agent. The domain controller agent enables you to resolve user
names from IPv4 addresses and associates the IP addresses in those incidents with user names in the User Risk Summary.
The domain controller agent queries Windows Events in the Microsoft Active Directory security event log of the domain
controller. Symantec Data Loss Prevention associates these Windows Events with user data in your database. See
Working with the User Risk Summary.
The domain controller agent runs only on Windows Server 2012 and later operating systems. For specific supported
version information, see Minimum System Requirements for Symantec Data Loss Prevention Servers. Symantec
recommends installing the domain controller agent on a dedicated server. The domain controller agent can connect to
multiple domain controllers.
The following User Identification configurations are not supported:
• One domain controller agent to multiple Enforce Servers
• Linux domain controllers
• Domain controller agents installed on endpoints

Domain controller agent installation prerequisites


Before you install the domain controller agent, take the following steps:
• Add the domain controller agent host server to the domain before installing the server.
• Install the domain controller agent host server using domain administrator credentials.
• Ensure that the domain controller agent host server can communicate with your Windows Active Directory domain
controller host and the Enforce Server host.
• Note the user name and password for logging on to the domain controller server.
• Note the domain controller fully qualified domain name (FQDN).
• Create a dedicated Enforce Server account that can authenticate into the console for the domain controller agent.
• Note the user name and password for logging on to the Enforce Server.
• Note the Enforce Server fully qualified domain name (FQDN).
• Note the TCP HTTPS port number you want to use to connect to the Enforce Server. By default, the domain controller
agent connects to port 443 on Windows systems. To connect the domain controller agent to an Enforce Server on the
Linux platform, use port 8443 or any other appropriate Linux port.
• Optional: If you want to use certificate authentication, note the path to your Enforce Server certificate and the path to
the CA root certificate.

Installing the domain controller agent
Complete the following steps to install the domain controller agent:
1. Copy the symc_dcagent.msi Windows Installer file to your domain controller agent host server.
The symc_dcagent.msi file is located at one of the following locations (based on your platform):
• Windows: DLPDownloadHome\DLP\16.0.1\Domain_Controller_Agent_Installer\
• Linux: DLPDownloadHome/DLP/16.0.1/Domain_Controller_Agent_Installer/
2. Run the symc_dcagent.msi Windows Installer file as an Administrator.
The Vontu Domain Controller Agent Setup Wizard appears.
3. Read the end-user license agreement and accept the terms.
4. Click Next.
The Destination Folder panel appears.
5. Enter the destination folder for the domain controller agent installation. By default, the domain controller agent
installation folder is C:\Program Files\Symantec\DataLossPrevention\DC Agent.
6. Click Next.
The Domain Controller Configuration panel appears.
7. Enter the fully qualified domain name (FQDN) of your domain controller.
8. Click Next.
The DC Agent Service Configuration panel appears.
9. Enter the log on (DOMAIN\USERNAME) and password for the Active Directory user that the domain controller agent
uses to query the domain controller.
10. Click Next.
The Symantec DLP Enforce Server Configuration panel appears.
11. Enter the following information:
• The Enforce Server host name
• The Enforce Server port
• The log on name for the domain controller agent Enforce Server account
• The password for the domain controller agent Enforce Server account
• Optional: If you choose to use certificate authentication, select Use a certificate to authenticate?, then enter the
path to the Enforce Server certificate and the CA root certificate, both located on your Enforce Server.
12. Click Next.
The DC Agent Communication Configuration panel appears.
13. Enter the following information:
• Communication Interval: This value specifies how often the domain controller agent connects to the domain
controller to collect events, in seconds. The default communication interval is 1 hour (3600 seconds).
• Lookback Time: This value specifies the time frame for which the domain controller agent collects events from the domain
controller, in seconds. The default lookback time is 12 hours (43200 seconds).

14. Click Next.
The Ready to Install Vontu Domain Controller Agent panel appears.
15. Click Next.
The Installing Vontu Domain Controller Agent panel appears and displays a progress bar.
16. Click Finish to complete the installation of the domain controller agent.

Domain controller agent post-installation tasks


To confirm the installation, check that the domain controller agent (DC Agent) service is running. If the service is not
running, see Troubleshooting the domain controller agent in this chapter.
After you have installed the domain controller agent, the following parameters can be set up on the System > Incident
Data > User Identification page in the Enforce Server administration console:
• Set the User data retention schedule in days
• Set the Domain controller warning in days
• Set the mapping Schedule
• View status of installed domain controllers
See About identifying users in web incidents for more information.
Excluding an IP address or IP range from event collection
You can add an optional list of IP addresses or IP ranges to be excluded from event collection. Symantec recommends
excluding the domain controller IP from event collection.

Exclude an IP address or IP range from event collection


1. Open the SymantecDLP\DC Agent\DCAgentConfig.properties file in a text editor.
2. Enter an IP address or IP range in CIDR notation for the EXCLUDED_EVENT_IPS parameter. For example:
EXCLUDED_EVENT_IPS=1.2.3.4, 5.6.7.0/24, 8.9.10.11, 12.0.0.0/8
3. Save and close the DCAgentConfig.properties file.
4. Restart the DC Agent service to apply your changes.

Updating configuration settings after installation


You can edit your domain controller agent settings in the SymantecDLP\DC Agent\DCAgentConfig.properties
file. After editing this file, restart the DC Agent service to apply your updated settings.
1. Open the SymantecDLP\DC Agent\DCAgentConfig.properties file in a text editor.
2. Edit the parameters for the configuration setting you want to change:
• DC_HOSTNAME: Specifies the domain controller host names in the format
DC_HOSTNAME=MACHINE1;MACHINE2;MACHINE3. Separate multiple host names with semicolons.
• DC_LOGIN_TIMEOUT: Specifies the span of time that a user login event from a domain controller lasts. For
example, if a login occurs at 1:00 and DC_LOGIN_TIMEOUT=90, the event forms a range from 1:00 to 2:30. Login
timeouts are matched to the DC_HOSTNAME property list by order. Any domain controllers with unspecified login
timeouts are assigned the default value of 90 minutes.
• EVENTS_BUFFER_SIZE: Specifies the number of events in the domain controller agent buffer. The default value
is 1024.
• ENFORCE_HOSTNAME: Specifies the name of the Enforce Server host.
• ENFORCE_PORT: Specifies the port number through which the domain controller agent connects to the Enforce
Server.
• SSL_CA_ROOT_CERTIFICATE: Specifies the file system path to the CA root certificate.
• SSL_HOST_CERTIFICATE: Specifies the file system path to the Enforce Server certificate.
• HTTP_CONNECT_TIMEOUT: Specifies the connection timeout value. The default timeout value is 300 seconds.
• HTTP_SESSION_TIMEOUT: Specifies the session timeout value. The default session timeout value is 0 (the
session never times out).
• COMMUNICATION_INTERVAL: Specifies how often the domain controller agent connects to the domain controller
to collect events, in seconds. The default communication interval is 1 hour (3600 seconds).
• HTTP_POST_MAX_EVENTS: Specifies the maximum number of events to collect and post in a single HTTP
request. The default value is 1024.
• LOG_CONFIGURATION_FILE=DCAgentLogging.properties: Place this log configuration file in the DC Agent
installation directory.
3. Save and close the DCAgentConfig.properties file.
4. Restart the DC Agent service to apply your configuration changes.
5. Log on to the domain controller agent host server as the Service Logon user.
6. In the Credential Manager (Control Panel > User Accounts > Credential Manager), edit the generic credential for
the Enforce Server.
7. Click Save.
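The EXCLUDED_EVENT_IPS list and the per-domain-controller DC_LOGIN_TIMEOUT described above determine which logon events the agent keeps and for how long each one can identify a user. The following Python example, added here and not the domain controller agent's own code, applies those documented semantics: events from excluded addresses are dropped, each kept event opens a window of the timeout matched by position to its domain controller (90 minutes by default), and an incident's IP address and time resolve to the user whose window covers them. The sample configuration is constructed; the semicolon separator for multiple DC_LOGIN_TIMEOUT values and the latest-logon tie-break for overlapping windows are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

DEFAULT_LOGIN_TIMEOUT_MINUTES = 90  # documented default for DC_LOGIN_TIMEOUT

# Constructed DCAgentConfig.properties excerpt (not from the guide). Assumption: several
# DC_LOGIN_TIMEOUT values are separated by semicolons like DC_HOSTNAME and matched by position.
SAMPLE_CONFIG = """# domain controllers queried by the agent
DC_HOSTNAME=DC01;DC02;DC03
DC_LOGIN_TIMEOUT=90;30
EXCLUDED_EVENT_IPS=10.0.0.5, 10.0.1.0/24, 192.168.0.0/16
COMMUNICATION_INTERVAL=3600
"""


def parse_properties(text):
    """Minimal Java-style .properties reader: KEY=value lines; '#' comments and blanks ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith('#'):
            key, _, value = line.partition('=')
            props[key.strip()] = value.strip()
    return props


def login_timeouts(props):
    """Timeout in minutes per domain controller; hosts without a value get the 90-minute default."""
    hosts = [h for h in props.get('DC_HOSTNAME', '').split(';') if h]
    values = [int(t) for t in props.get('DC_LOGIN_TIMEOUT', '').split(';') if t]
    return {host: values[i] if i < len(values) else DEFAULT_LOGIN_TIMEOUT_MINUTES
            for i, host in enumerate(hosts)}


def excluded_networks(props):
    """EXCLUDED_EVENT_IPS as ip_network objects; a bare address becomes a single-host network."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in props.get('EXCLUDED_EVENT_IPS', '').split(',') if item.strip()]


def is_excluded(ip, networks):
    address = ipaddress.ip_address(ip)
    return any(address in network for network in networks)


class UserResolver:
    """Maps (IP address, time) to a user from buffered logon events using the documented
    DC_LOGIN_TIMEOUT window and EXCLUDED_EVENT_IPS list. The tie-break (latest logon wins
    when windows overlap) is an assumption of this illustration, not documented behaviour."""

    def __init__(self, props):
        self.timeouts = login_timeouts(props)
        self.excluded = excluded_networks(props)
        self.windows = []  # (ip, window start, window end, user)

    def add_logon_event(self, dc_host, user, ip, logged_on_at):
        """Buffer a logon event collected from dc_host; returns False if the IP is excluded."""
        if is_excluded(ip, self.excluded):
            return False
        minutes = self.timeouts.get(dc_host, DEFAULT_LOGIN_TIMEOUT_MINUTES)
        self.windows.append((ip, logged_on_at, logged_on_at + timedelta(minutes=minutes), user))
        return True

    def resolve(self, ip, at):
        """User whose logon window covers (ip, at), or None when no window matches."""
        best = None
        for win_ip, start, end, user in self.windows:
            if win_ip == ip and start <= at <= end and (best is None or start > best[0]):
                best = (start, user)
        return best[1] if best else None


if __name__ == '__main__':
    resolver = UserResolver(parse_properties(SAMPLE_CONFIG))
    logon = datetime(2023, 9, 13, 1, 0)  # the guide's example: logon at 1:00, 90-minute window
    resolver.add_logon_event('DC01', r'CORP\alice', '10.0.2.15', logon)
    print(resolver.resolve('10.0.2.15', logon + timedelta(minutes=90)))  # still inside the window
    print(resolver.resolve('10.0.2.15', logon + timedelta(minutes=91)))  # window has expired
```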

Troubleshooting the domain controller agent


User Identification is disabled by default. Mapping is enabled only when you configure a mapping schedule at System >
Incident Data > User Identification. If you have trouble with the domain controller agent, check the following items.

Table 124: Troubleshooting the domain controller agent

Problem: There are no entries in the Domain Controllers list.
Solution: User identification is disabled by default. Go to System > Incident Data > User Identification and set a mapping schedule.

Problem: The domain controller agent service does not start.
Solution: Check the domain controller log on the System > Incident Data > User Identification page. If there are no entries on the list, verify that the files were installed correctly and that the domain controller agent log-on user account has permission to run the service. Start the service manually. If there are errors in the log, verify that the log-on user for the Enforce Server has the correct credentials and switch to TRACE to collect the trace log.

Problem: The IPU tables in the database have no events.
Solution: Check the Enforce Server logs and verify that the log-on user for the Enforce Server has the correct credentials. Verify the Windows vault entries for the service log-on user. If you use certificate authentication, verify the private key in your Enforce Server certificate store and the public key in the domain controller agent installation directory.

Uninstalling the domain controller agent
You can uninstall the domain controller agent from Windows (Control Panel > Programs > Programs and Features >
Uninstall a program), or by running the symc_dcagent.msi Windows Installer file again and selecting Remove.

Performing a single-tier installation


Learn about installing Symantec Data Loss Prevention in a single-tier environment.
Preparing for a single-tier installation
Install a single-tier system on Windows
Install a single-tier server on Linux
Verifying a single-tier installation
Policy authoring considerations
About migrating to a two-tier deployment
Registering the Single Tier Monitor

Preparing for a single-tier installation


Review and complete the following items before you perform a single-tier installation:
• Complete the preinstallation steps.
Symantec Data Loss Prevention Preinstallation Steps
• Verify that the system is ready for installation.
Verifying that servers are ready for Symantec Data Loss Prevention installation
• Install the Oracle software and Symantec Data Loss Prevention database before installing the single-tier server. For
single-tier Symantec Data Loss Prevention installations, the Oracle software is installed on the Enforce Server.
See Implementing the Database.
• Install the Java Runtime Environment (JRE).
Installing the Java Runtime Environment for a Single-tier Installation on Windows
• For Windows platforms, confirm that you have access and permission to run the Symantec Data Loss Prevention
installer software: SingleTierServer.msi.

Install a single-tier system on Windows


The following sections include steps to install a single-tier system on Windows:
• Installing the Java Runtime Environment for a Single-tier Installation on Windows
• Installing a single-tier server on Windows

Installing the Java Runtime Environment for a Single-tier Installation on Windows


You install the Java Runtime Environment (JRE) before you complete a single-tier installation.
1. Log on (or remote logon) as Administrator to the computer where you plan to install the single-tier system.
2. Copy OpenJDK8U-jre_x64_windows_hotspot_<version>.zip from your DLPDownloadHome\DLP\16.0.1\New_Installs\Release
directory to the computer where you plan to install the Enforce Server, where <version> represents the latest
supported version. For example, copy the file to c:\temp.

3. Unzip the file to C:\Program Files\AdoptOpenJRE\jdk<version>-jre.
Next: Installing a single-tier server on Windows

Installing a single-tier server on Windows


Symantec recommends that you disable any antivirus, pop-up blocker, and registry-protection software before you begin
the Symantec Data Loss Prevention installation process.
The following instructions assume that the SingleTierServer.msi file, license file, and solution pack file have been
copied into the c:\temp directory on the Enforce Server.
The installation process automatically writes log information to a file named MSI*.log (* is replaced with random
characters) in the %TEMP% folder. You can change the log file name and location by starting the installation from the
command line with the /L*v option. See the example below:
msiexec /i EnforceServer.msi /L*v c:\temp\enforce_install.log

After you complete the Single Tier installation, you can find the installation log file at c:\temp\.
You can complete the installation silently from the command line or from a graphical user interface.
Installing silently

Enter values with information specific to your installation for the following:

Table 125: Single-tier server installation parameters

Command Description

INSTALLATION_DIRECTORY
    Specifies where the Enforce Server is installed. The default location is C:\Program Files\Symantec\DataLossPrevention.
DATA_DIRECTORY
    Defines where Symantec Data Loss Prevention stores files that are updated while the Enforce Server is running (for
    example, logs and licenses). The default location is C:\ProgramData\Symantec\DataLossPrevention.
    Note: If you do not use the default location, you must indicate a folder name for the data directory. If you set the
    data directory to the drive root (for example c:\ or e:\) you cannot successfully uninstall the program.
JRE_DIRECTORY
    Specifies where the JRE resides.
    See Installing the Java Runtime Environment for a Single-tier Installation on Windows.
FIPS_OPTION
    Defines whether to disable (Disabled) or enable (Enabled) FIPS encryption. The default is disabled.
SERVICE_USER_OPTION
    Defines whether to create a new service user by entering NewUser or use an existing one by entering ExistingUser.
SERVICE_USER_USERNAME
    Defines a name for the account that is used to manage Symantec Data Loss Prevention services. The default user name
    is “SymantecDLP.”
SERVICE_USER_PASSWORD
    Defines the password for the account that is used to manage Symantec Data Loss Prevention services.
ORACLE_HOME
    Defines the Oracle Home Directory. For example, use c:\oracle\product\19.3.0.0\db_1 to define the home directory if
    you use the Oracle 19c database.

278
ORACLE_HOST
    Defines the IP address of the Oracle server computer.
    Note: If you are running the Oracle database in a RAC environment, use the Scan Host IP address for Oracle Host, not
    the database IP address.
ORACLE_PORT
    Defines the Oracle listener port (typically 1521).
ORACLE_USERNAME
    Defines the Symantec Data Loss Prevention database user name.
ORACLE_PASSWORD
    Defines the Symantec Data Loss Prevention database password.
ORACLE_SERVICE_NAME
    Defines the database service name (typically “protect”).
EXTERNAL_STORAGE_OPTION
    Defines whether incident attachments are stored in the database (Database) or in external storage (ExternalStorage).
EXTERNAL_STORAGE_DIRECTORY
    Defines the path where you plan to store incident attachments.
BIND_PORT
    Defines the port on which the server should accept connections from the Enforce Server. If you cannot use the default
    port (8100), you can enter any port higher than port 1024, in the range of 1024–65535.
ADDITIONAL_LOCALE
    Defines an additional locale for use by individual users.
ENFORCE_ADMINISTRATOR_PASSWORD
    Defines the Enforce Server administration console password.
REINSTALLATION_RESOURCE_FILE
    Defines the location of the Reinstallation Resource File.
INITIALIZE_DATABASE_OPTION
    Defines whether you create a new database (Initialize) or connect to an existing one (Preserve). The default is
    Preserve.

The following is an example of what the completed command might look like. The command you use differs based on your
implementation requirements. Using the following command as-is may cause the installation to fail. Each line ends with the
cmd.exe continuation character (^) so that the command can be entered on multiple lines.

msiexec /i SingleTierServer.msi /qn /norestart ^
INSTALLATION_DIRECTORY="C:\Program Files\Symantec\DataLossPrevention" ^
DATA_DIRECTORY="C:\ProgramData\Symantec\DataLossPrevention" ^
JRE_DIRECTORY="C:\Program Files\AdoptOpenJRE\jdk8u322-b06-jre" ^
FIPS_OPTION=Disabled ^
SERVICE_USER_OPTION=ExistingUser ^
SERVICE_USER_USERNAME=SymantecDLP ^
SERVICE_USER_PASSWORD=Password ^
ORACLE_HOME="C:\oracle\product\19.0.0.0\db_1" ^
ORACLE_HOST=[IP or host name] ^
ORACLE_USERNAME=protect ^
ORACLE_PASSWORD=Password ^
ORACLE_SERVICE_NAME=protect ^
EXTERNAL_STORAGE_OPTION=Database ^
UPDATE_USER_USERNAME=SymantecDLPUpdate ^
UPDATE_USER_PASSWORD=Password ^
ENFORCE_ADMINISTRATOR_PASSWORD=Password

279
Installing from a graphical user interface

1. Log on (or remote logon) as Administrator to the computer that is intended for the Symantec Data Loss Prevention
single-tier installation.
2. Install Npcap on the system before you install the single-tier system.
a) On the Internet, go to https://insecure.org
b) Locate the Npcap file npcap-1.10-oem.exe at the DLP_Home\Third_Party directory, where DLP_Home is the
name of the directory in which you unzipped the Symantec Data Loss Prevention software.
c) Double-click on the npcap-1.10-oem.exe and follow the on-screen installation instructions.
d) Install Npcap using WinPcap Compatible Mode.
3. Copy the Symantec Data Loss Prevention installer (SingleTierServer.msi) from DLPDownloadHome to a local
directory on the computer where you plan to install the single-tier system.
4. Click Start > Run > Browse to navigate to the folder where you copied the SingleTierServer.msi file.
5. Double-click SingleTierServer.msi to launch the installation wizard.
A welcome notice appears.
6. Click Next.
7. In the End-User License Agreement panel, select I accept the terms in the License Agreement, and click Next.
8. In the Destination Folder panel, accept the Symantec Data Loss Prevention default destination directory and click
Next.
Symantec recommends that you use the default destination directory. However, you can click Browse to navigate to a
different installation location instead.
Directory names, account names, passwords, IP addresses, and port numbers created or specified during the
installation process must be entered in standard 7-bit ASCII characters only. Extended (hi-ASCII) and double-byte
characters are not supported.
9. In the Data Directory panel, accept the default data directory, or enter an alternate directory, and click Next. The
default data directory is:
c:\ProgramData\Symantec\DataLossPrevention\
10. In the JRE Directory panel, click Browse and locate the JRE, and click Next.
11. In the FIPS Cryptography Mode panel, select whether to disable or enable FIPS encryption.
About FIPS encryption
12. In the Service User panel, select one of the following options, then click Next.
• New Users: Select this option to create the Symantec Data Loss Prevention system account user name and
password and confirm the password. This account is used to manage Symantec Data Loss Prevention services.
The default user name is “SymantecDLP.” New service user accounts are local accounts.
NOTE
To use the RMS detection feature, you must enable it after installing the detection server.
Enabling Microsoft Rights Management file monitoring
The password you enter for the System Account must conform to the password policy of the server. For example,
the server may require all passwords to include special characters.
• Existing Users: Select this option to use an existing local or domain user account.

280
Enter a domain service user name and password if you plan to manage the detection server with a domain user. If
you want to use the RMS detection feature, ensure that the domain user that you enter has access to the RMS AD
system (and is a member of the selected AD RMS Super Users group) or the Azure RMS system.
13. (Optional) If you opted to create a new service user, enter the new account name and password. Confirm the
password, then click Next.
14. (Optional) If you opted to use an existing local or domain user account, enter the account name and password. The
user name must be in DOMAIN\username format.
15. In the Oracle Database Server Information panel, enter the Oracle Database Server host name or IP address and
the Oracle Listener Port.
NOTE
If you are running the Oracle database in a RAC environment, use the scan host IP address for the host,
not the database IP address. Confirm that the scan host IP for RAC is accessible and that all of the nodes
associated with it are running during the installation process.
You also enter information in the following fields:

Service Name Enter the database service name (typically “protect”).


Username Enter the Symantec Data Loss Prevention database user name.
Password Enter the Symantec Data Loss Prevention database password.

Default values should already be present for these fields. Since this is a single-tier installation with the Oracle
database on this same system, 127.0.0.1 is the correct value for Oracle Database Server Information and 1521 is the
correct value for the Oracle Listener Port.
16. In the Initialize Database panel, select one of the following options:
• Select Initialize Database if you are performing a new Symantec Data Loss Prevention installation.
Select this option if you are reinstalling and want to overwrite the existing Enforce schema and all data. Note
that this action cannot be undone. If this check box is selected, the data in your existing Symantec Data Loss
Prevention database is destroyed when you begin the installation.
Click Next.
In the Enforce Administrator Password panel, enter and confirm a password you use to access the Enforce
Server administration console. The Enforce Server administration console password must be at least eight
characters long.
• Select Preserve Database Data if you want to connect to an existing database.
Selecting this option skips the database initialization process.
Click Next.
In the Enforce Reinstallation Resources panel, specify the unique Enforce Reinstallation Resources file for the
existing database that you want to use.
17. In the Enforce Administrator Password panel, enter and confirm a password you use to access the Enforce Server
administration console.
18. Click Next.
The Enable external storage for incident attachments panel appears.
19. Select one of the following incident storage locations on the Incident Storage Location panel:
• Database stores incidents in the Oracle database.
• External Storage stores your incident attachments externally.
About external storage for incident attachments

281
20. Click Next and enter the path or browse to your external storage directory (if you selected External Storage), or go to
step 21 if you selected Database.
21. In the Additional Locale panel, select an alternate locale, or accept the default of None, and click Next.
Locale controls the format of numbers and dates, and how lists and reports are alphabetically sorted. If you accept
the default choice of None, English is the locale for this Symantec Data Loss Prevention installation. If you choose an
alternate locale, that locale becomes the default for this installation, but individual users can select English as a locale
for their use.
See About locales for more information on locales.
22. In the Server Bindings panel, enter the following settings:
• Host. Enter the host name or IP address of the detection server.
• Port. Accept the default port number (8100) on which the detection server should accept connections from the
Enforce Server. If you cannot use the default port, you can change it to any port higher than port 1024, in the range
of 1024–65535.
23. Click Install to begin the installation process.
The Installing panel appears, and displays a progress bar. After a successful installation, the Completing panel
displays.
24. Verify the Symantec Data Loss Prevention single-tier installation.
Verifying a single-tier installation
25. You must import a Symantec Data Loss Prevention solution pack immediately after installing and verifying the single-
tier server, and before changing any single-tier server configurations.
About Symantec Data Loss Prevention solution packs
26. After importing a solution pack, register the detection server component of the single-tier installation.
Registering a detection server
Registering the Single Tier Monitor
27. Create the Enforce Reinstallation Resources file. This file contains the unique CryptoMasterKey.properties file
and keystore files for your Symantec Data Loss Prevention deployment.
Creating the Enforce Reinstallation Resources file
28. Create a backup of your system after completing the installation.
Backing up your system

Install a single-tier server on Linux


The following sections include steps to install a single-tier system on Linux:
• Installing the Java Runtime Environment for a single-tier installation
• Installing a single-tier server on Linux
• Configuring a new single-tier installation

282
Installing the Java Runtime Environment for a single-tier installation
You install the Java Runtime Environment (JRE) before you complete a single-tier installation.
1. Log on as root to the computer where you plan to install the single-tier system.
2. Copy OpenJDK8U-jre_x64_linux_hotspot_<version>.tar.gz from your DLPDownloadHome/DLP/16.0.1/
New_Installs/Release directory to the computer where you plan to install the Enforce Server.
Where <version> represents the latest supported version.
3. Extract the file contents (for example, extract to /opt/AdoptOpenJRE).
Next: Installing a Single-tier Server on Linux

Installing a single-tier server on Linux


Symantec recommends that you disable any antivirus, pop-up blocker, and registry-protection software before you begin
the Symantec Data Loss Prevention installation process.
NOTE
The following instructions assume that the SingleTierServer.zip file, license file, and solution pack file
have been copied into the /opt/temp directory on the Symantec Data Loss Prevention single-tier installation
server.
1. Log on as root to the computer that is intended for the Symantec Data Loss Prevention single-tier installation.
2. Copy the Symantec Data Loss Prevention single-tier installer (SingleTierServer.zip) from DLPDownloadHome
to a local directory on the single-tier computer (for example, /opt/temp/).
3. Unzip the file contents (for example, unzip to /opt/temp).
4. Confirm file dependencies for RPM files by running the following command:
rpm -qpR *.rpm

If the command indicates that dependencies are missing, you can use YUM repositories to install them. Use the
following command:
yum install repo

Replace repo with the repository package name.


5. Navigate to the installation directory. The default directory is /opt/Symantec/DataLossPrevention/
SingleTierServer/16.0.10000/Protect/install.
6. Start the Symantec Data Loss Prevention configuration process.
Next: Configuring a new single-tier installation

Configuring a new single-tier installation


After you install a single-tier system, you configure the installation by running the Single-Tier Configuration Utility.
NOTE
If you are running the database in a RAC environment, confirm that the scan host IP for RAC is accessible and
the nodes associated with it are all up and running during the install process.
You can complete the installation silently from the command line. Enter values with information specific to your installation
for the following:

283
Table 126: Single-tier installation parameters

Command Description

jreDirectory
    Specifies where the JRE resides.
    See Installing the Java Runtime Environment for a Single-tier Installation on Windows.
fipsOption
    Defines whether to disable (Disabled) or enable (Enabled) FIPS encryption.
serviceUserOption
    Defines the service user by entering NewUser or ExistingUser.
serviceUserUsername
    Defines a name for the account that is used to manage Symantec Data Loss Prevention services. The default user name
    is “SymantecDLP.”
oracleHome
    Defines the Oracle Home Directory. For example, use /opt/oracle/product/19.0.0.0/db_1 to define the home directory
    if you use the Oracle 19.0.0.0 database.
oracleHost
    Defines the IP address of the Oracle server computer.
    Note: If you are running the Oracle database in a RAC environment, use the scan host IP address for Oracle Host, not
    the database IP address.
oraclePort
    Defines the Oracle listener port (typically 1521).
oracleUsername
    Defines the Symantec Data Loss Prevention database user name.
oraclePassword
    Defines the Symantec Data Loss Prevention database password.
oracleServiceName
    Defines the database service name.
initializeDatabaseOption
    Defines whether you create a new database (Initialize) or connect to an existing one (Preserve). The default setting
    is Preserve.
    Warning! If you install over an existing installation, entering Initialize overwrites the existing Enforce schema and
    all data. This means that the existing Symantec Data Loss Prevention database is destroyed when you run the installer.
    Leave this item blank to perform a recovery operation.
    Note: If your Oracle database is not the correct version, you are warned and offered the choice of continuing or
    canceling the installation. You can continue and upgrade the Oracle database later.
reinstallationResourceFile
    Defines the location of the Reinstallation Resource File.
    See Creating the Enforce Reinstallation Resources file.
externalStorageOption
    Defines whether incident attachments are stored in the database (Database) or in external storage (ExternalStorage).
externalStorageDirectory
    Defines the path where you plan to store incident attachments.
enforceAdministratorPassword
    Defines the Enforce Server administration console password.

284
bindPort
    Defines the port number on which the detection server should accept connections from the Enforce Server. The default
    port number is 8100. If you cannot use the default port, you can change it to any port higher than port 1024, in the
    range of 1024–65535.
additionalLocale
    Defines an additional locale for use by individual users.

The following is an example of what the completed command might look like. The command you use differs based on your
implementation requirements. Using the following command as-is may cause the installation to fail. Each line ends with a
backslash so that the command can be entered on multiple lines.
./SingleTierConfigurationUtility -silent \
-jreDirectory=/opt/AdoptOpenJRE/jdk8u322-b10-jre \
-serviceUserOption=NewUser \
-serviceUserUsername=protect \
-oracleHome=/opt/oracle/product/19.3.0.0/db_1 \
-oracleHost=127.0.0.1 \
-oracleUsername=protect \
-oraclePassword=password \
-oraclePort=1521 \
-oracleServiceName=protect \
-initializeDatabaseOption=Preserve \
-reinstallationResourceFile=/opt/temp/EnforceReinstallationResources.zip \
-fipsOption=Disabled \
-externalStorageOption=Database
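The installation steps on this page state several constraints that a silent installation must respect, for the Windows
parameters of Table 125 and the Linux parameters of Table 126 alike: directory names, account names, passwords, addresses
and ports in 7-bit ASCII only; the bind port in the range 1024–65535; an administrator password of at least eight
characters; a data directory that is not a drive root; a domain service account in DOMAIN\username format; and a
reinstallation resources file whenever the database is preserved rather than initialized. The following POSIX shell
script is an added example that is not part of Symantec's documentation or installer. It encodes those checks as
functions and composes the argument list for the Linux utility; the function names, the composed argument layout and the
requirement that jreDirectory be an absolute path are assumptions, as are all sample values.

```shell
#!/bin/sh
# Added example (not Symantec's code): pre-flight checks for the silent
# single-tier installation parameters of Table 125 (Windows, msiexec) and
# Table 126 (Linux, SingleTierConfigurationUtility). Function names and the
# composed argument layout are hypothetical; the rules are the ones the
# installation steps state.

# 7-bit printable ASCII only: directory names, account names, passwords,
# addresses and ports may not contain extended or double-byte characters.
is_ascii() {
    [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d '\040-\176')" ]
}

# bindPort / BIND_PORT: default 8100, otherwise any port in 1024-65535.
is_valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Enforce administrator password: ASCII and at least eight characters.
is_valid_admin_password() {
    is_ascii "$1" && [ "${#1}" -ge 8 ]
}

# DATA_DIRECTORY must not be a drive root (c:\ or e:\), otherwise the
# product cannot be uninstalled later.
is_valid_data_directory() {
    [ -n "$1" ] || return 1
    case "$1" in
        [A-Za-z]:|[A-Za-z]:\\|[A-Za-z]:/) return 1 ;;
    esac
    is_ascii "$1"
}

# SERVICE_USER_OPTION=ExistingUser with a domain account: DOMAIN\username.
is_domain_user_format() {
    case "$1" in
        ?*\\?*) is_ascii "$1" ;;
        *) return 1 ;;
    esac
}

# initializeDatabaseOption=Preserve only works together with the
# EnforceReinstallationResources.zip of the previous installation.
is_valid_db_option() {
    case "$1" in
        Initialize) return 0 ;;
        Preserve)   [ -n "$2" ] ;;
        *)          return 1 ;;
    esac
}

# Prints the SingleTierConfigurationUtility argument list once every check
# passes; prints a reason to stderr and returns 1 on the first failure.
# Arguments: jre_dir port admin_password db_option resource_file
build_linux_silent_args() {
    jre=$1; port=$2; admin_pw=$3; dbopt=$4; resfile=$5
    case "$jre" in
        /*) ;;
        *) echo "jreDirectory must be an absolute path" >&2; return 1 ;;
    esac
    is_valid_port "$port" || { echo "bindPort outside 1024-65535" >&2; return 1; }
    is_valid_admin_password "$admin_pw" ||
        { echo "administrator password too short or not ASCII" >&2; return 1; }
    is_valid_db_option "$dbopt" "$resfile" ||
        { echo "Preserve requires a reinstallation resource file" >&2; return 1; }
    printf '%s -jreDirectory=%s -bindPort=%s -initializeDatabaseOption=%s' \
        -silent "$jre" "$port" "$dbopt"
    [ "$dbopt" = Preserve ] && printf ' -reinstallationResourceFile=%s' "$resfile"
    printf ' -enforceAdministratorPassword=%s\n' "$admin_pw"
}

# Demonstration with constructed values (not a real deployment):
#   sh preflight.sh demo
if [ "${1:-}" = "demo" ]; then
    build_linux_silent_args /opt/AdoptOpenJRE/jdk8u322-b10-jre 8100 'Str0ngPass!' \
        Preserve /opt/temp/EnforceReinstallationResources.zip
fi
```

Whatever composes the final command, the silent parameters, passwords included, are visible in the process list while
the utility runs and in the shell history afterwards; keep the script file readable only by root and clear the history
when the installation finishes.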

1. Navigate to /opt/Symantec/DataLossPrevention/SingleTierServer/16.0.10000/Protect/install.
2. Configure the installation by running the Single Tier Configuration Utility. Use the following command to launch the
utility:
./SingleTierConfigurationUtility

3. Enter the following information in the Single Tier Configuration Utility:

License agreement Review and accept the License Agreement by entering 1.


JRE directory Enter the JRE directory.
The recommended directory is /opt/AdoptOpenJRE/[JRE version]
Installing the Java Runtime Environment for a Single-tier Installation on Windows
FIPS encryption Select whether to disable or enable FIPS encryption.
About FIPS encryption
Service user Enter 1 to add a new user or enter 2 to use an existing user.
The default new user name is "SymantecDLP." If you create a new service user, enter the user
name when prompted.
Note: If you create a new service user, the user must be a member of a group and the service
user and the group names must match. If these conditions are not present, upgrades fail.

285
Oracle database connection Specify the following Oracle database connection settings:
• Oracle Home Directory: For example, use /opt/oracle/product/19.3.0.0/db_1 to define the
home directory if you use the Oracle 19c database.
• Oracle Host: Specify the Oracle server host name or IP address. To install into a test
environment that has no DNS available, use the IP address of the Oracle database server.
Note: If you are running the Oracle database in a RAC environment, use the Scan
Host IP address for Oracle Host, not the database IP address.
• Port: Enter the Oracle listener port.
• Service name: Enter the database service name (typically “protect”).
• Oracle user name and password: Enter the user name and password.
• Database initialization: Select one of the following options:
– Initialize Database: Set the database to initialize by entering 1.
Warning! If you install over an existing installation, entering 1 overwrites the existing
Enforce schema and all data. This means that the existing Symantec Data Loss
Prevention database is destroyed when you run the installer.
– Preserve Database Data: Use an existing database by entering 2.
If you connect an existing Enforce Server database, identify the location of the
EnforceReinstallationResources.zip file from your previous installation.
Creating the Enforce Reinstallation Resources file
Enforce Server settings Specify the following Enforce Server settings.
• Enforce administrator password: If you chose an option to support password authentication
with forms-based logon, enter a password for the Enforce Server Administrator account.
If you chose to support certificate authentication, enter the Common Name (CN) value
that corresponds to the Enforce Server Administrator user. The Enforce Server assigns
administrator privileges to the user who logs on with a client certificate that contains this CN
value.
• Enable external storage: Select one of the following options:
– Database storage
This option stores data in the database.
– Enable External Storage
This option lets you store incident attachments externally. Enter a path to the external
storage directory.
Network port Accept the default port number (8100) on which the detection server should accept connections
from the Enforce Server. If you cannot use the default port, you can change it to any port higher
than port 1024, in the range of 1024–65535.

NOTE
If any configuration steps fail, the Enforce Server Configuration Utility does not roll back the changes that
were made. You must roll back the changes before you re-attempt the installation.
Rolling back a failed Enforce Server installation
4. Verify the Symantec Data Loss Prevention single-tier installation.
Verifying a single-tier installation
5. You must import a Symantec Data Loss Prevention solution pack immediately after installing and verifying the single-
tier server, and before changing any single-tier server configurations.
Importing a Solution Pack

286
6. After importing a solution pack, register the detection server component of the single-tier installation.
7. Create a backup of your system after completing the installation.
Backing up your system
Related Links
Registering a detection server on page 257
Register a detection server to begin implementing a Symantec Data Loss Prevention feature.
Registering the Single Tier Monitor on page 288

Verifying a single-tier installation


After installing Symantec Data Loss Prevention on a single-tier system, verify that it is operating correctly before importing
a solution pack.
1. Confirm that all of the Symantec Data Loss Prevention Services are running under the System Account user name that
you specified during installation.
NOTE
On Windows platforms, all services run under the System Account user name.
Symantec Data Loss Prevention includes the following services:
• SymantecDLPManagerService
• SymantecDLPIncidentPersisterService
• SymantecDLPNotifierService
• SymantecDLPDetectionServerService
• SymantecDLPDetectionServerControllerService

2. If the Symantec Data Loss Prevention services do not start, check the log files for possible issues (for example,
connectivity, password, or database access issues).
• For Windows, the Symantec Data Loss Prevention installation log is at c:\ProgramData\Symantec
\DataLossPrevention\EnforceServer\16.0.10000\logs.
You may also need to install the Update for Universal C Runtime in Windows. See https://support.microsoft.com/
en-us/kb/2999226.
• For Linux, the Symantec Data Loss Prevention operational logs are in /var/log/Symantec/
DataLossPrevention/EnforceServer/16.0.10000/logs.

Once you have verified the Enforce Server installation, you can log on to the Enforce Server to view the administration
console.
See Logging On and Off the Enforce Server Administration Console for information about logging on to, and using, the
Enforce Server administration console.
You must import a Symantec Data Loss Prevention solution pack immediately after installing and verifying the single-tier
server, and before changing any single-tier server configurations.
Importing a Solution Pack
After importing a solution pack, register a detection server.
Registering a detection server
Registering the Single Tier Monitor

287
Policy authoring considerations
For Single Server deployments, all policies are grouped in the Default Policy Group. Therefore, all policies will apply
to every channel that you have configured. Take this into consideration when authoring your policies to avoid poor
performance on your Single Server deployment.
For more information about policy authoring and policy groups, see About Data Loss Prevention Policy Authoring.

About migrating to a two-tier deployment


As your Symantec Data Loss Prevention deployment grows, you may need to migrate your Single Server deployment to a
two-tier deployment. A two-tier deployment is one in which the Oracle database and Enforce Server remain on one server,
while you deploy individual detection servers for each detection type you have configured in your Single-tier Detection
Server. The migration process preserves all of your existing policies, incidents, incident history, and Discover targets.
Migrating to a two-tier deployment is irreversible. You cannot migrate back to a Single Server deployment from a two-tier
deployment.
To migrate to a two-tier deployment
1. Log on to the Enforce Server as Administrator.
2. Go to System > Servers > Overview.
The System Overview page appears.
3. Click Add Server.
The Add Server page appears.
4. Register and configure a new detection server for each detection type for which you have a license. Each server
requires its own dedicated hardware.
Registering a detection server
5. After you have registered and configured each detection server, remove the configuration from each tab on the
System > Servers Overview > Configure Server page for the corresponding channel or channels on your Single Tier
Monitor.
6. After you have deployed a new detection server for each of your detection server licenses, go to System > Servers >
Overview and remove the Single Tier Monitor.

Registering the Single Tier Monitor


After you have installed Symantec Data Loss Prevention in single-tier mode, you can register and configure the Single
Tier Monitor. To register the Single Tier Monitor, you add the server and configure its general settings. To configure the
Single Tier Monitor, you configure the channels for each detection server type for which you have a license.
1. Log on to the Enforce Server as Administrator.
2. Go to System > Servers > Overview.
The System Overview page appears.
3. Click Add Server.
The Add Server page appears.
4. Select Single Tier Monitor, then click Next.
The Configure Server screen appears.

288
5. Enter the General information. This information defines how the server communicates with the Enforce Server.
• In the Name field, enter a unique name for the detection server.
• The Host field is already set to the local host address. You cannot change this setting.
• In the Port field, enter the port number the detection server uses to communicate with the Enforce Server. By
default, the port is set to 8100. If you want to use a different port number, enter any port number greater than 1024
here.
6. Specify the remaining configuration options as appropriate.
See the Symantec Data Loss Prevention Help Center for details on how to configure the Single Tier Monitor.
7. After you have configured each detection channel, click Save.
The Server Detail screen appears.
8. If necessary, click Server Settings or other configuration tabs to specify additional configuration parameters.
9. If necessary, restart the server by clicking Recycle on the Server Detail screen. Or you can start the Symantec DLP
services manually on the server itself.
Symantec Data Loss Prevention Services
10. To verify that the server was registered, return to the System Overview page. Verify that the detection server appears
in the server list, and that the server status is Running.
11. To verify the type of certificates that the server uses, select System > Servers > Alerts. Examine the list of alerts
to determine the type of certificates that Symantec Data Loss Prevention servers use:
• If servers use the built-in certificate, the Enforce Server shows a warning event with code 2709: Using built-in
certificate.
• If servers use unique, generated certificates, the Enforce Server shows an info event with code 2710: Using user
generated certificate.

Installing Symantec DLP Agents


Learn about the steps that you complete to install DLP Agents.
The following overview applies to installing DLP Agents on supported Windows, Linux, and macOS endpoints.

Before you begin


Before you begin the Symantec DLP Agent installation process, confirm that you have installed and configured an
Endpoint Server.
See Adding a detection server.

Steps to Install Agents


Each of the following steps is explained in detail at the referenced sections:
1. Create the agent installation package.
A DLP administrator creates the agent installation package using the Enforce Server administration console.
See Secure Communications Between DLP Agents and Endpoint Servers.
2. Prepare endpoints for the installation.
Prepare endpoints for the installation by completing the following items:
• Update settings on security software.
• Consider how to best set up Endpoint Servers to manage the DLP Agents in your environment.
See About Endpoint Server redundancy.

289
3. Install agents.
The agent installation process differs based on the endpoint operating system.
• Windows
• macOS
• Linux
Related Links
Endpoint Tools on page 319
Work with Symantec DLP Agents using the tools that Symantec Data Loss Prevention provides.
About uninstallation passwords on page 329

About secure communications between DLP Agents and Endpoint Servers


Symantec Data Loss Prevention uses SSL certificates and public-key encryption to authenticate and secure
communications between DLP Agents and Endpoint Servers.
When you install or upgrade the Enforce Server, DLP sets up a root Certificate Authority (CA). DLP automatically
generates the public certificates and the keys that are required to authenticate and secure communications
between DLP Agents and Endpoint Servers. The certificates are signed by the Symantec Data Loss Prevention CA.
The public certificates and keys are securely stored in the Enforce Server database. The DLP Agent initiates connections
to one of the Endpoint Prevent Servers or load balancer servers and authenticates the server certificate.
When you deploy an Endpoint Prevent Server, the system generates the server public-private key pair that is signed by
the DLP root CA certificate. These files are versioned. When you generate the agent package, the system generates the
agent public-private key pair and the agent certificate, also signed by the DLP root CA.
You can view which CA version is in use at the System > Settings > General screen. The password for the DLP root CA
is randomly generated and used by the system. Changing the root CA password is reserved for internal use.

Support for custom certificates


You can use custom certificates to verify the identities of endpoints and Endpoint Prevent Servers. With custom
certificates, you can integrate DLP with your Enterprise PKI (Public Key Infrastructure). Endpoint Prevent Servers also can
check for revoked endpoint certificates.
On Windows and macOS endpoints, DLP Agent uses custom endpoint certificates that are provisioned in the operating
system certificate store. The DLP Agent does not support custom endpoint certificates on Linux endpoints.
The certificate management feature enables you to add your own keystores to Endpoint Prevent Servers. You can also
add your own truststores that endpoints and Endpoint Prevent Servers can use to verify each other's identity.
For instructions about configuring new and existing Endpoint Prevent Servers to use custom certificates, see Configuring
Endpoint Prevent Servers to Use Custom Certificates.
For instructions about migrating endpoints from the default DLP Agent certificate to a custom certificate, see Configuring
DLP Agents to Use Custom Certificates.
For information about the limitations of using custom certificates, see Limitations of DLP support for custom certificates.
Related Links
Generating agent installation packages on page 291
Generate the installation package for DLP Agents on the System > Agents > Agent Packaging screen.

Generating agent installation packages
Generate the installation package for DLP Agents on the System > Agents > Agent Packaging screen.
The packaging process creates a zip file that contains the installer of your choice. The zip file includes public certificate
and keys and installation scripts to install DLP Agents. You generate a single installation package for each endpoint
platform where you want to deploy.
For example, if you want to install DLP Agents on Windows 64-bit endpoints, you generate a single
AgentInstaller_Win64.zip package. If you specify more than one installer for packaging, such as the Windows 64-
bit agent installer and the Mac 64-bit agent installer, the system generates separate agent packages for each platform.
Before you start generating the agent installation packages, confirm that your system is ready to package by doing the
following:
• Confirm that the agent installers are copied to the Enforce Server local file system.
• Confirm that the Enforce Server has at least 3 GB of free space. The packaging process fails if the Enforce Server has
less than 3 GB of free space.
The following table provides instructions for generating agent installation packages. The instructions assume that you
have deployed an Endpoint Server.

Table 127: Generating the agent installation package

Step 1. Navigate to the Agent Packaging page.
Log on to the Enforce Server administration console as an administrator and navigate to the System > Agents > Agent Packaging page.

Step 2. Select one or more DLP Agent installation files.
Browse to the folder on the Enforce Server where you copied the agent installer files. The following installer files are available:
• Windows 64-bit: AgentInstall-x64_16_0_1.msi
• Windows 32-bit: AgentInstall-x86_16_0_1.msi
• Linux 64-bit (for Linux distributions, you package each operating system type separately):
– Red Hat Enterprise Linux: AgentInstall-x86_64_16_0_1.rpm
– Ubuntu: AgentInstall-x86_64_16_0_1.deb
• Mac 64-bit: AgentInstall_16_0_1.pkg

Step 3. Enter the server host name.
Typically you enter the common name (CN) of the Endpoint Server host, or you can enter the IP address of the server. Be consistent with the type of identifier you use (CN or IP). If you used the CN for the Endpoint Server when deploying it, use the same CN for the agent package. If you used an IP address to identify the Endpoint Server, use the same IP address for the agent package.
Alternatively, you can enter the CN or IP address of a load balancer server.
Note: The Enforce Server administration console does not accept IPv6 addresses as input. Instead of specifying an IPv6 address, enter the host name.
Note: To ensure that IPv6-only endpoints can communicate with an Endpoint Prevent Server, make sure that the Endpoint Prevent Server is running on a dual-stack host. If the Endpoint Prevent Server is running on an IPv4 host, you might need to configure NAT devices to translate the IP addresses of IPv6-only endpoints.

Step 4. Enter the port number for the server.
The default port is 10443. Typically you do not need to change the default port unless it is already in use or intended for use by another process on the server host.

Step 5. Add additional servers (optional).
Click the plus sign to add additional servers for failover. If you configure agents to connect to more than one Endpoint Prevent Server, you can specify a mix of servers that use the DLP Default KeyStore and servers that use custom keystores.
Note: Symantec Data Loss Prevention allots 2048 characters for Endpoint Server names. This allotment includes the characters that are used for the Endpoint Server name, port numbers, and semicolons to delimit each server.
The first server that is listed is the primary; additional servers are secondary and provide backup if the primary is down.
See About Endpoint Server redundancy.

Step 6. Enter the Endpoint tools password.
A password is required to use the Endpoint tools to administer DLP Agents. The Endpoint tools password is case-sensitive. The password is encrypted and stored in a file on the Enforce Server. You should store this password in a secure format of your own so that it can be retrieved if forgotten.
After installing agents, you can change the password on the Agent Password Management screen.
See About agent password management.

Step 7. Re-enter the Endpoint tools password.
The system validates that the passwords match and displays a message if they do not.

Step 8. Enter the target directory for the agent installation (Windows only).
The default installation directory for Windows 32- and 64-bit agents is %PROGRAMFILES%\Manufacturer\Endpoint Agent. Change the default path if you want to install the Windows agent to a different location on the endpoint host. You can only install the DLP Agent to an ASCII directory using English characters. Using non-English characters can prevent the DLP Agent from starting and from monitoring data in some scenarios.
Note: Include the drive letter if you plan to change the default directory. For example, use C:\Endpoint Agent. Not including a drive letter causes the agent installation to fail.
The target directory for the Mac agent is set by default.

Step 9. Enter the uninstall password (optional, Windows only).
The agent uninstall password is supported for Windows agents. The uninstall password is a tamper-proof mechanism that requires a password to uninstall the DLP Agent.
The password is encrypted and stored in a file on the Enforce Server. You should store this password in a secure format of your own so that it can be retrieved if forgotten.
For information on uninstalling Mac agents, see Removing a DLP Agent from a Mac Endpoint.
After installing agents, you can change the password on the Agent Password Management screen.
See About agent password management.

Step 10. Re-enter the uninstall password.
The system validates that the passwords match and displays a message if they do not.

Step 11. Select the truststore that contains the certificate that is used to validate the Endpoint Prevent Server certificate.
You can select either the default truststore that contains the self-signed certificate and key or a custom truststore that you added. If you configured the Endpoint Prevent Servers to use a custom certificate, select the truststore that contains the corresponding CA public certificate that can validate the custom Endpoint Prevent Server certificate.
Note: If you previously chose to use the DLP Default TrustStore while creating agent packages, you can switch to a custom truststore the next time you generate new packages for upgrading agents.

Step 12. Click Generate Installer Packages.
This action generates the agent installer package for each platform that you selected in step 2. The generation process may take a few minutes.

Step 13. Save the agent package zip file.
When the agent packaging process is complete, the system prompts you to download the agent installation package. Save the zip file to the local file system. After you save the file you can navigate away from the Agent Packaging screen to complete the process.
The zip file is named according to the agent installer you uploaded:
• AgentInstaller_Win64.zip
• AgentInstaller_Win32.zip
• AgentInstaller_Linux64.zip
• AgentInstaller_Mac64.zip
If you upload more than one agent installer, the package name is AgentInstallers.zip. In this case, the zip file contains separate zip files for each agent package for each platform you selected in step 2.

Step 14. Install DLP Agents using the agent package.
Once you have generated and downloaded the agent package, you use it to install all agents for that platform.
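The host-name, port, IPv6 and 2048-character rules from steps 3 to 5 above, as an added Python example (not part of the product or this guide): it parses a semicolon-delimited Endpoint Server list of the form host:port and reports what the console would reject. Defaulting an omitted port to 10443 and the warning about mixing CN and IP identifiers in one list are this example's own assumptions, not rules stated by the guide.

```python
"""Validate an Endpoint Server list before it goes into an agent package.

Added example, not Symantec code. Rules implemented: host name or IPv4 address plus
port, semicolon-delimited, no IPv6 literals (the console rejects them), at most 2048
characters in total, first entry is the primary. Defaulting an omitted port to 10443
and warning about mixed CN/IP identifiers are this example's own choices.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

DEFAULT_PORT = 10443        # default Endpoint Server port (Table 127, step 4)
MAX_SERVER_LIST_LEN = 2048  # characters allotted for names, ports and semicolons (step 5)

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass
class ServerEntry:
    host: str
    port: int
    kind: str       # "ip" or "hostname"
    primary: bool   # first server in the list; the rest are failover targets


@dataclass
class ValidationResult:
    ok: bool
    servers: List[ServerEntry] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def classify_host(host: str) -> str:
    """Return 'ip' for an IPv4 literal or 'hostname' for a valid DNS name; raise ValueError otherwise."""
    try:
        ipaddress.IPv4Address(host)
        return "ip"
    except ipaddress.AddressValueError:
        pass
    if host and len(host) <= 253 and all(_LABEL.match(label) for label in host.split(".")):
        return "hostname"
    raise ValueError(f"{host!r} is neither an IPv4 address nor a valid host name")


def validate_server_list(server_list: str) -> ValidationResult:
    """Parse 'host[:port];host[:port];...' and report everything the console would reject."""
    result = ValidationResult(ok=True)
    if len(server_list) > MAX_SERVER_LIST_LEN:
        result.errors.append(
            f"list is {len(server_list)} characters; only {MAX_SERVER_LIST_LEN} are allotted")
    entries = [e.strip() for e in server_list.split(";") if e.strip()]
    if not entries:
        result.errors.append("no Endpoint Server specified")
    for index, entry in enumerate(entries):
        if entry.count(":") > 1:
            # Several colons can only be an IPv6 literal, which the console does not accept.
            result.errors.append(f"{entry!r} is an IPv6 literal; enter the host name instead")
            continue
        host, sep, port_text = entry.partition(":")
        if not sep:
            port_text = str(DEFAULT_PORT)   # assumption: no port given means the default
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            result.errors.append(f"{entry!r}: port {port_text!r} is not in 1-65535")
            continue
        try:
            kind = classify_host(host)
        except ValueError as exc:
            result.errors.append(str(exc))
            continue
        result.servers.append(ServerEntry(host, int(port_text), kind, primary=index == 0))
    if len({s.kind for s in result.servers}) > 1:
        result.warnings.append("list mixes CN and IP identifiers; use the same type you used "
                               "when deploying each Endpoint Server")
    result.ok = not result.errors
    return result


if __name__ == "__main__":
    report = validate_server_list("epserver:8001;10.0.0.5:10443")
    for server in report.servers:
        print(("primary  " if server.primary else "failover ") + f"{server.host}:{server.port}")
    print(report.warnings, report.errors)
```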

Related Links
Secure Communications Between DLP Agents and Endpoint Servers on page 669
Symantec Data Loss Prevention uses SSL certificates and public-key encryption to authenticate and secure
communications between DLP Agents and Endpoint Servers.

Agent installation package contents


Generate the agent installation package for agents at the System > Agents > Agent Packaging screen.

Related Links
Generating agent installation packages on page 291
Generate the installation package for DLP Agents on the System > Agents > Agent Packaging screen.

Windows Agent Package Contents

The agent installation package for Windows agents contains the endpoint certificates, installation files, and the package
manifest.

macOS Agent Package Contents

The Mac agent package contains endpoint certificates, installation files, the package manifest, and a file to generate the
installation script for macOS.

Table 128: AgentInstaller_Mac64.zip installation package contents

AgentInstall_16_0_1.pkg: Mac DLP Agent installer
AgentInstall.plist: Mac DLP Agent installation properties configuration file
create_package: No longer used due to notarization and signing restrictions applied by macOS.
endpoint_cert.pem, endpoint_priv.pem, endpoint_truststore.pem: Agent certificate and encryption keys. See About secure communications between DLP Agents and Endpoint Servers.
addin_trustore.pem, addin_cert.pem, addin_priv.pem: Agent certificates required for Outlook monitoring.
install_agent.sh: Use to install the DLP Agent.
Install_Readme.rtf: Provides commands for packaging and installing the agent.

Linux Agent Package Contents

The Linux agent package contains endpoint certificates, installation files, the package manifest, and a file to generate the
installation script for Linux distributions.

Table 129: AgentInstaller_Linux64.zip or AgentInstaller_LinuxDeb64.zip installation package contents

AgentInstall.json: Linux DLP Agent installation properties configuration file
AgentInstall-x86_64_16_0_1.rpm (Red Hat Enterprise Linux) or AgentInstall-x86_64_16_0_1.deb (Ubuntu): Linux DLP Agent installer
endpoint_cert.pem, endpoint_priv.pem, endpoint_truststore.pem: Agent certificate and encryption keys. See About secure communications between DLP Agents and Endpoint Servers.
install_agent.sh: Use to install the DLP Agent.
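A pre-deployment check of a downloaded package against Tables 128 and 129, as an added Python example (not part of the product or this guide): it confirms that the zip holds exactly the files listed for its platform, that the endpoint certificate and truststore files contain PEM certificate blocks, and that endpoint_priv.pem contains one private-key block. The in-memory sample package is constructed placeholder data; the expected PEM block labels and which Linux zip carries the .rpm and which the .deb are assumptions, since the guide does not state them.

```python
"""Check a DLP agent installation package against the documented file lists.

Added example, not Symantec code. File names come from Tables 128 and 129 as printed;
which Linux zip carries the .rpm and which the .deb is an assumption.
"""
import base64
import io
import zipfile
from typing import Dict, List

COMMON_LINUX = ["AgentInstall.json", "endpoint_cert.pem", "endpoint_priv.pem",
                "endpoint_truststore.pem", "install_agent.sh"]

EXPECTED_FILES: Dict[str, List[str]] = {
    "AgentInstaller_Mac64.zip": [
        "AgentInstall_16_0_1.pkg", "AgentInstall.plist", "create_package",
        "endpoint_cert.pem", "endpoint_priv.pem", "endpoint_truststore.pem",
        "addin_trustore.pem", "addin_cert.pem", "addin_priv.pem",
        "install_agent.sh", "Install_Readme.rtf",
    ],
    "AgentInstaller_Linux64.zip": COMMON_LINUX + ["AgentInstall-x86_64_16_0_1.rpm"],
    "AgentInstaller_LinuxDeb64.zip": COMMON_LINUX + ["AgentInstall-x86_64_16_0_1.deb"],
}

# Assumed PEM block labels: the guide describes these files only as "agent certificate
# and encryption keys", so this is a sanity check, not a product requirement.
PEM_EXPECTATIONS = {
    "endpoint_cert.pem": "CERTIFICATE",
    "endpoint_truststore.pem": "CERTIFICATE",
    "endpoint_priv.pem": "PRIVATE KEY",   # also matches RSA/ENCRYPTED PRIVATE KEY
}


def pem_blocks(text: str) -> List[str]:
    """Return the labels of the PEM blocks in text; raise ValueError if framing or base64 is broken."""
    labels: List[str] = []
    current = None
    body: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            if current is not None:
                raise ValueError("BEGIN inside an open block")
            current, body = line[len("-----BEGIN "):-5], []
        elif line.startswith("-----END ") and line.endswith("-----"):
            if current != line[len("-----END "):-5] or not body:
                raise ValueError("END without matching BEGIN or empty block")
            base64.b64decode("".join(body), validate=True)  # binascii.Error is a ValueError
            labels.append(current)
            current = None
        elif current is not None and line:
            body.append(line)
    if current is not None:
        raise ValueError("unterminated PEM block")
    return labels


def check_package(zip_bytes: bytes, package_name: str) -> List[str]:
    """Return a list of problems; an empty list means the package matches the documented contents."""
    expected = EXPECTED_FILES.get(package_name)
    if expected is None:
        return [f"unknown package name {package_name!r}"]
    problems: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        problems += [f"missing: {n}" for n in sorted(set(expected) - names)]
        problems += [f"unexpected: {n}" for n in sorted(names - set(expected))]
        for fname, wanted in PEM_EXPECTATIONS.items():
            if fname not in names:
                continue
            try:
                labels = pem_blocks(zf.read(fname).decode("ascii"))
            except (ValueError, UnicodeDecodeError) as exc:
                problems.append(f"{fname}: not valid PEM ({exc})")
                continue
            if fname == "endpoint_priv.pem" and len(labels) != 1:
                problems.append(f"{fname}: expected exactly one private key, found {len(labels)}")
            elif not labels or not all(wanted in label for label in labels):
                problems.append(f"{fname}: expected {wanted} block(s), found {labels or 'none'}")
    return problems


def build_sample_package(package_name: str, omit=(), corrupt_key: bool = False) -> bytes:
    """Construct an in-memory zip with placeholder contents (constructed data, not real credentials)."""
    def pem(label: str) -> str:
        b64 = base64.b64encode(b"constructed placeholder, not a real credential").decode()
        return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname in EXPECTED_FILES[package_name]:
            if fname in omit:
                continue
            if fname == "endpoint_priv.pem":
                content = "not a pem file\n" if corrupt_key else pem("ENCRYPTED PRIVATE KEY")
            elif fname.endswith(".pem"):
                content = pem("CERTIFICATE")
            else:
                content = f"# placeholder for {fname}\n"
            zf.writestr(fname, content)
    return buf.getvalue()


if __name__ == "__main__":
    pkg = "AgentInstaller_Linux64.zip"
    print(check_package(build_sample_package(pkg), pkg))
    print(check_package(build_sample_package(pkg, omit=("endpoint_truststore.pem",)), pkg))
```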

Identify security applications running on endpoints


Before you install the Symantec DLP Agent, identify all security applications that run on your endpoints. Configure those
applications to allow the Symantec DLP Agents to function fully. Some applications generate alerts when they detect the
installation or initial launch of a Symantec DLP Agent. Such alerts reveal the presence of Symantec DLP Agents and they
sometimes let users block the Symantec DLP Agent entirely.

NOTE
See Third-party software requirements and recommendations for information about configuring third-party
software to work with the Symantec DLP Agent.
Check the following applications:
• Antivirus software
• Firewall software
Make sure that your antivirus software and firewall software recognize the Symantec DLP Agents as legitimate programs.

About Endpoint Server redundancy


You can configure the DLP Agent to connect to multiple Endpoint Servers. Endpoint Servers can be connected using a
load balancer. Multiple Endpoint Servers enable incidents and events to be sent to the Enforce Server in a timely way if an
Endpoint Server becomes unavailable. For example, assume that an Endpoint Server becomes unavailable because of
a network partition. The DLP Agent, after a specified amount of time, connects to another Endpoint Server to transmit the
incidents and events that it has stored. The Symantec DLP Agent makes a best effort to fail over to a different Endpoint
Server only when the current Endpoint Server is unavailable. If the original Endpoint Server is unavailable, the agent
attempts to connect to another Endpoint Server in the configured list. By default, the DLP Agent tries to reconnect to the
original Endpoint Server for 60 minutes before it connects to another Endpoint Server. In a load-balanced Endpoint Server
environment, the connection interval is managed by the load balancer.
When a DLP Agent connects to a new Endpoint Server, it downloads the policies from that Endpoint Server. It then
immediately begins to apply the new policies. To ensure consistent incident detection after a failover, maintain the same
policies on all Endpoint Servers to which the DLP Agent may connect.
For Endpoint Discover monitoring, if a failover occurs during a scan, the initial Endpoint Discover scan is aborted. The
DLP Agent downloads the Endpoint Discover scan configuration and policies from the failover Endpoint Server and
immediately runs a new scan. The new scan runs only if there is an active Endpoint Discover scan configured on the
failover Endpoint Server.
You must specify the list of Endpoint Servers when you install the DLP Agents. The procedure for adding a list of
Endpoint Servers appears under each method of installation. You can specify either IP addresses or host names with the
associated port numbers. If you specify a host name, the DLP Agent performs a DNS lookup to get a set of IP addresses.
It then connects to each IP address. Using host names and DNS lookup lets you make dynamic configuration changes
instead of relying on a static install-time list of stated IP addresses.
Related Links
Setting up and configuring Endpoint Discover
How to implement Endpoint Prevent

Installing the DLP Agent on Windows


You can install one DLP Agent at a time, or you can use systems management software (SMS) to install many DLP
Agents automatically. Symantec recommends that you install one DLP Agent using the manual method before you install
many DLP Agents using your SMS. Installing in this manner helps you troubleshoot potential issues and ensures that
installing using your SMS goes smoothly.

Before You Begin


Confirm the following prerequisites before you install the DLP Agent on Windows endpoints:

• If you plan to install agents on the endpoints that run Windows 10, use an elevated command prompt. See Use the
Elevated Command Prompt with Windows 10.
• If you plan to install DLP Agents running Windows 10, verify that Admin Security mode is set to Disabled on the
administrator account. This setting allows administrators to complete tasks such as running endpoint tools and
installing agents.
• Confirm that Windows operating systems meet minimum requirements. See Windows Operating System Requirements
for Endpoint Systems.
• Install Endpoint Servers. See Adding a detection server.
• Generate the agent installation package. See Secure Communications Between DLP Agents and Endpoint Servers.

Steps to Install the Agent on Windows Endpoints


The following list provides the steps that you complete to install agents on Windows endpoints:
1. Install agents manually.
Install a single agent to test the configuration or to create a test scenario.
See Install the DLP Agent for Windows Manually.
2. Install agents silently.
You install agents silently to install many agents at one time.
See Install the DLP Agent for Windows silently.
3. Confirm that the Windows agent is running.
See Confirming that the Windows agent is running.
4. Review the Windows agent installation package.
These components include drivers that prevent tampering and keep the agent running.
See What gets installed for DLP Agents installed on Windows endpoints.

Use the Elevated Command Prompt with Windows 10


If you install agents on the endpoints that run Windows 10, you must run the command prompt in Elevated Command
Prompt mode.
See Installing the DLP Agent on Windows for an installation overview.
1. Click the Start menu.
2. In the Search programs and files field, enter command prompt.
The Command Prompt program appears in the results list.
3. Hold the Shift key and right-click the Command Prompt entry in the results list. Select either Run as Administrator
or Run as different user.
4. If you selected Run as different user, enter the credentials for a user that has administrator privileges.
5. Display the Command Prompt.
• In Desktop mode, right-click on the Windows icon and select Command Prompt (Admin), then click the Start
menu.
• In Metro mode, enter cmd in the Search programs and files field.
6. Hold the Shift key and right-click Command Prompt in the results list.
7. Select Run as Administrator.
See Install the DLP Agent for Windows Manually.

Install the DLP Agent for Windows Manually
Install the DLP Agent for Windows manually prior to installing agents to your entire environment.
See Use the Elevated Command Prompt with Windows 10.
Table 130 provides instructions for installing the DLP Agent for Windows manually.
NOTE
These steps assume that you have generated the agent installation package. See Generating agent installation
packages.

Table 130: Instructions for installing the DLP Agent for Windows manually

Step 1. Run the DLP Agent installer batch file.
You run the install_agent.bat located in the agent installation package ZIP file.
Note: To troubleshoot the manual installation, you can remove the /q element from the install_agent.bat file. Removing the /q element launches the installation wizard, which can provide error information. You can also review the installation log file (installAgent.log located at C:\) for additional troubleshooting information.

Step 2. Confirm that the agent is running.
Once installed, the DLP Agent initiates a connection with the Endpoint Server. Confirm that the agent is running by going to Agent > Overview and locating the agent in the list.
See Confirming that the Windows agent is running.

Install the DLP Agent for Windows silently


You can use a silent installation process by using systems management software (SMS) to install DLP Agents to
endpoints.
See Install the DLP Agent for Windows Manually.
You must always install the agent installation package from a local directory. If you do not install from a local directory,
some functions of the DLP Agent are disabled.
These steps assume that you have generated the agent installation package. See Generating agent installation packages.
NOTE
Do not rename the InstallAgent.bat file for any reason. If you rename this file, your systems management
software cannot recognize the file and the installation fails.
1. Specify the InstallAgent.bat file in your systems management software package.
2. Specify the InstallAgent.bat installation properties. The installation properties in the InstallAgent.bat file are
based on entries and selections made during the agent installation packaging process. Symantec recommends that
you do not update the installation properties.
When you install the Symantec DLP Agent, your systems management software issues a command to the specified
endpoints. The following table summarizes important commands:

msiexec: The Windows command for executing MSI packages.
/i: Specifies the name of the package.
/q: Specifies a silent install. You can remove this command to install an agent using the wizard. You might install using this method if you want to test the installation package when preparing to run a silent installation.
ARPSYSTEMCOMPONENT: Optional properties to msiexec.
ENDPOINTSERVER: The Endpoint Server to which agents will connect. This value is defined during the agent installation packaging process.
SERVICENAME: The agent service name. The default value is EDPA.
INSTALLDIR: The location where the agent is installed on the endpoint: C:\Program Files\Manufacturer\Symantec DLP Agent\. This value is defined during the agent installation packaging process.
UNINSTALLPASSWORDKEY: The password the administrator uses when uninstalling agents. This value is defined during the agent installation packaging process.
WATCHDOGNAME: The watchdog service name: WDP.
TOOLS_KEY: The password associated with the agent tools. This value is defined during the agent installation packaging process.
ENDPOINT_CERTIFICATE: The endpoint self-signed certificate file name: endpoint_cert.pem. This file is created during the agent installation packaging process.
ENDPOINT_PRIVATEKEY: The endpoint private key file name: endpoint_priv.pem. This file is created during the agent installation packaging process.
ENDPOINT_TRUSTSTORE: The endpoint trust store file to trust the server certificate (server public key): endpoint_truststore.pem. This file is created during the agent installation packaging process.
ENDPOINT_PRIVATEKEY_PASSWORD: The password associated with the agent certificates. The password is located in the endpoint_priv.pem file, which is created during the agent installation packaging process.

The following is an example of what the completed command might look like. The trailing caret (^) continues the command on the next line; you can also enter it as a single line:

msiexec /i AgentInstall-x64_16_0_1.msi /q INSTALLDIR="C:\Program Files\Manufacturer\Symantec DLP Agent\" ^
  ARPSYSTEMCOMPONENT="1" ENDPOINTSERVER="epserver:8001" SERVICENAME="ENDPOINT" WATCHDOGNAME="WATCHDOG" ^
  UNINSTALLPASSWORDKEY="password" TOOLS_KEY="<tools key password>" ENDPOINT_CERTIFICATE="endpoint_cert.pem" ^
  ENDPOINT_PRIVATEKEY="endpoint_priv.pem" ENDPOINT_TRUSTSTORE="endpoint_truststore.pem" ^
  ENDPOINT_PRIVATEKEY_PASSWORD="<generated endpoint private key password>" VERIFY_SERVER_HOSTNAME="No" ^
  STARTSERVICE="Yes" ENABLEWATCHDOG="YES" LOGDETAILS="Yes" /log C:\installAgent.log

3. Specify any optional properties for the msiexec utility.

See Confirming that the Windows agent is running.


Related Links
Setting up and configuring Endpoint Discover on page 1886
How to implement Endpoint Prevent on page 1877

About agent installation properties

When you install the Symantec DLP Agent, your systems management software issues a command to the specified
endpoints. The following table summarizes important commands:

Table 131: Agent installation properties

/i: Specifies the name of the package.
/log: Use to log information during the installation. You define the name of the log file and the location where you want to save it.
/silent: Specifies a silent install. You can remove this command to install an agent using the wizard. You might install using this method if you want to test the installation package when preparing to run a silent installation.
/debuglog: Use to log errors that occur during the installation. You define the name of the log file and the location where you want to save it.
ARPSYSTEMCOMPONENT: Enter 1 to prevent the application from being displayed in the Add or Remove Programs list. Omit the ARPSYSTEMCOMPONENT parameter from the installation command to display the application in the Add or Remove Programs list.
ENDPOINTSERVER: The Endpoint Server to which agents connect. This value is defined during the agent installation packaging process.
SERVICENAME: The agent service name. The default value is EDPA.
INSTALLDIR: The location where the agent is installed on the endpoint: C:\Program Files\Manufacturer\Endpoint Agent\. This value is defined during the agent installation packaging process.
UNINSTALLPASSWORDKEY: The password the administrator uses when uninstalling agents. This value is defined during the agent installation packaging process.
WATCHDOGNAME: The watchdog service name: WDP.
TOOLS_KEY: The password associated with the agent tools. This value is defined during the agent installation packaging process.
ENDPOINT_CERTIFICATE: The endpoint self-signed certificate file name: endpoint_cert.pem. This file is created during the agent installation packaging process.
ENDPOINT_PRIVATEKEY: The endpoint private key file name: endpoint_priv.pem. This file is created during the agent installation packaging process.
ENDPOINT_TRUSTSTORE: The endpoint trust store file to trust the server certificate (server public key): endpoint_truststore.pem. This file is created during the agent installation packaging process.
ENDPOINT_PRIVATEKEY_PASSWORD: The password associated with the agent certificates. The password is located in the endpoint_priv.pem file, which is created during the agent installation packaging process.

Related Links
Installing DLP Agents for Windows silently

Confirming that the Windows agent is running
After you install the agents, the Symantec DLP Agent service automatically starts on each endpoint. Log on to the Enforce
Server and go to System > Agents > Overview. Verify that the newly installed or upgraded agents are registered (that
the services appear in the list).
The watchdog service is deployed with the DLP Agent on Windows endpoints. The watchdog is a service that ensures
that the DLP Agent is running and active. This relationship is reciprocal. If the DLP Agent does not receive regular
requests from the watchdog service, it automatically restarts the watchdog service. This reciprocal relationship ensures
that the DLP Agent is always running and active.
Users cannot stop the watchdog service on their workstations. Preventing users from stopping the watchdog service
allows the DLP Agent to remain active on the endpoint.

Related Links
How to implement Endpoint Prevent on page 1877
Setting up and configuring Endpoint Discover on page 1886

What gets installed for DLP Agents installed on Windows endpoints


The DLP Agent installation places a number of components on endpoints. Do not disable or modify any of these
components or the DLP Agent may not function correctly.

Table 132: Installed components

Driver (vfsmfd.sys): Detects any activity in the endpoint file system (including activity on Citrix XenApp and XenDesktop) and relays the information to the DLP Agent service. This driver is installed at <Windows_dir>\System64\drivers, for example c:\windows\System64\drivers. All other agent files are installed into the agent installation directory.
Driver (vnwcd.sys): Intercepts network traffic (HTTP, FTP, and IM protocols) on the endpoint. After the Symantec Data Loss Prevention Agent analyzes the content, the vnwcd.sys driver allows or blocks the data transfer over the network. This driver is installed at <Windows_dir>\System64\drivers, for example c:\windows\System64\drivers. All other agent files are installed into the agent installation directory.
Driver (vrtam.sys): Monitors process creation and destruction, and sends notifications to the DLP Agent. The driver monitors the applications that are configured as part of Application Monitoring; for example, CD/DVD applications. This driver is installed at <Windows_dir>\System64\drivers, for example c:\windows\System64\drivers. All other agent files are installed into the agent installation directory.
Symantec DLP Agent service: Receives all information from the driver and relays it to the Endpoint Server. During installation, the DLP Agent is listed under the task manager as edpa.exe. Users are prevented from stopping or deleting this service on their workstation.
Watchdog service: Automatically checks to see if the DLP Agent is running. If the DLP Agent has been stopped, the watchdog service restarts the DLP Agent. If the watchdog service has been stopped, the DLP Agent service restarts the watchdog service. Users are prevented from stopping or deleting this service.

The DLP Agent service creates the following files:


• Two log files (edpa.log and edpa_ext0.log), created in the installation directory.
• Each DLP Agent maintains an encrypted database at the endpoint called the DLP Agent store. The DLP Agent store
saves two-tier request metadata, incident information, and the original file that triggered the incident, if needed.
Depending on the detection methods used, the DLP Agent either analyzes the content locally or sends it to the
Endpoint Server for analysis. See About the DLP Agent store.
• A database named rrc.ead is installed to maintain and contain non-matching entries for rules results caching (RRC).
See About rules results caching (RRC).

Installing the DLP Agent for macOS


You can install one DLP Agent to a Mac endpoint at a time, or you can use deployment software to install
many DLP Agents automatically.
Symantec recommends that you install one DLP Agent using the manual method before you install many DLP Agents
using your SMS. Installing in this manner helps you troubleshoot potential issues and ensures that installing using
your SMS goes smoothly.

Understanding the DLP Agent Installation Process


The DLP Agent for macOS endpoints provides a set of features that are distinct from Windows agents. See DLP Agent
Version 16.0.1 Monitoring Support for more details.
Various roles in your organization complete tasks to prepare for and complete the installation process. See the following
table for a list and description of each role. These roles are identified in each subtask where they apply.

Table 133: Roles for installing the DLP Agent on macOS endpoints

DLP administrator: Generates the macOS agent installation package and provides it to the macOS endpoint administrator for deployment.
macOS endpoint administrator: Uses the installation package to create an agent deployment confirmation.
MDM administrator: Deploys agent mobileconfig to macOS endpoints.
Network administrator: Manages the firewall to enable web access for agents.
O365 administrator: Deploys the Outlook add-in manifest to enable Outlook monitoring for agents.

Before You Begin
Confirm the following prerequisites before you start the process to install DLP Agents on macOS endpoints:
• Meet minimum requirements for macOS operating systems. See macOS operating system requirements for endpoint
systems.
• Install Endpoint Servers. See Adding a detection server.
• Generate the agent installation package. See Generating agent installation packages.

Steps to Install the Agent on macOS Endpoints


Complete the following steps to install agents on macOS endpoints:
1. Complete macOS Endpoint Agent Installation Prerequisites
2. Install the DLP Agent for macOS
3. Confirm that the macOS agent is running

Complete macOS Endpoint Agent Installation Prerequisites


Complete macOS endpoint agent installation prerequisites listed in this section to ensure that agent monitoring features
are enabled after you install the agent. The MDM administrator in your organization completes these steps.
These steps assume you have packaged the agent installation files.
See Generating agent installation packages.
Understanding macOS Endpoint Agent Installation Prerequisites

You can use the mobile device management (MDM) software of your choosing to distribute profiles that enable monitoring
features on macOS endpoints. See Sample Jamf MDM configuration file for macOS endpoints for information on
configuration files.
NOTE
The steps to deploy MDM profiles use Jamf as an example. The steps differ if you use a different MDM tool.
Steps to Complete Installation Prerequisites

Complete the following steps to meet installation prerequisites on macOS endpoints.


NOTE
Download the agent installer package from the Broadcom Product Downloads Portal. The package contains a
ready-to-use MDM configuration file that you can use with a management application like Jamf to perform the
following deployment tasks. See Sample Jamf MDM configuration file for macOS endpoints for additional details.
1. Enable full-disk access.
You deploy MDM profiles to enable full-disk access to allow monitor support for agents. You deploy MDM profiles for
the following items:
• Enable Office Open XML content inspection on macOS endpoints (applies to macOS 11 endpoints)
• Allow full-disk access for the endpoint security host application (SEHA.app) on macOS endpoints
• Allow Full-disk Access for the DLP Agent on macOS Endpoints
NOTE
If you are installing agents manually, enable full-disk access for the Terminal app.
2. Configure the DLP Agent to start automatically on macOS 13 agents.
Configure the DLP Agent to Start Automatically
3. Enable browser extensions.

Deploy MDM profiles to enable browser extensions. The browsers that you choose are based on the monitor
requirements in your organization. You can enable extensions for the following browsers:
• Enable Monitoring in Google Chrome on macOS Endpoints
• Enable Monitoring in Mozilla Firefox on macOS endpoints
• Deploy the Symantec extension to monitor Edge
4. Enable print monitoring for Microsoft Office applications.
– Enable print monitoring for Microsoft Office applications on macOS endpoints
5. Enable MIP classification notifications and access to Microsoft Office applications.
You can deploy MDM profiles to enable the following features:
• Enable MIP classification notifications on macOS endpoints
• Enable DLP Agent access to Microsoft Office applications
Enable Office Open XML content inspection on macOS endpoints

The macOS endpoint security framework requires special configuration for enabling DLP Agents to inspect Office Open
XML content. You must create an MDM profile that grants the OOXMLHostApp process full disk access on macOS 10.14
and later.
For illustration purposes, the following instructions assume that you plan to use Jamf, an IT management application.
NOTE
When you download the agent installer package from the Broadcom Product Downloads portal, the package
contains a ready-to-use MDM configuration file that you can use with a management application like Jamf
to perform several deployment tasks simultaneously. See Sample Jamf MDM configuration file for macOS
endpoints.
1. In Jamf, select a configuration profile.
2. Navigate to Privacy Preferences Policy Control.
3. Under App Access, in the Identifier field, enter
/Library/Manufacturer/Endpoint Agent/OOXMLHostApp
4. In the Identifier Type menu, select Bundle ID.
5. In the Code Requirement field, enter the following:
identifier OOXMLHostApp and anchor apple generic and certificate
1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate
leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] =
Y2CCP3S9W7
NOTE
If you copy this information from the documentation, make sure that there are no extra line breaks when you
paste it in the Code Requirement field.
6. In the APP OR SERVICE table, add the following settings:

APP OR SERVICE ACCESS


SystemPolicyAllFiles Allow
SystemPolicyRemovableVolumes Allow
SystemPolicyNetworkVolumes Allow

7. Click Save.

NOTE
You can refer to the System > Agents > Overview page of the Enforce Server administration console to view
and troubleshoot any issues.
Allow full-disk access for the endpoint security host application (SEHA.app) on macOS endpoints

You must configure an MDM profile to allow full-disk access for the endpoint security host application (SEHA.app) on
macOS 11 endpoints.
For illustration purposes, the following instructions assume that you plan to use Jamf, an IT management application.
1. In Jamf, select a configuration profile.
2. Navigate to Privacy Preferences Policy Control.
3. Under App Access, in the Identifier field, type com.symantec.dlp.ext.host.application.
4. In the Identifier Type menu, select Bundle ID.
5. In the Code Requirement field, enter the following:
anchor apple generic and identifier "com.symantec.dlp.ext.host.application"
and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or
certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate
leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] =
Y2CCP3S9W7)
NOTE
If you copy this information from the documentation, make sure that there are no extra line breaks when you
paste it in the Code Requirement field.
6. In the APP OR SERVICE table, add the following settings:

APP OR SERVICE ACCESS


SystemPolicyAllFiles Allow
SystemPolicyRemovableVolumes Allow
SystemPolicyNetworkVolumes Allow

7. Click Save.

NOTE
You can refer to the System > Agents > Overview page of the Enforce Server administration console to view
and troubleshoot any issues.
Allow Full-disk Access for the DLP Agent on macOS Endpoints

You must configure an MDM profile to allow the full disk access for the DLP Agent on macOS endpoints.
For illustration purposes, the following instructions assume that you plan to use Jamf, an IT management application.
NOTE
When you download the agent installer package from the Broadcom Product Downloads portal, the package
contains a ready-to-use MDM configuration file that you can use with a management application like Jamf
to perform several deployment tasks simultaneously. See Sample Jamf MDM configuration file for macOS
endpoints.
1. In Jamf, select a configuration profile.
2. Navigate to Privacy Preferences Policy Control.
3. Under App Access, in the Identifier field, type /Library/Manufacturer/Endpoint Agent/edpa.
4. In the Identifier Type menu, select Path.
5. In the Code Requirement field, enter the following:
identifier edpa and anchor apple generic and certificate
1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate
leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] =
Y2CCP3S9W7
NOTE
If you copy this information from the documentation, make sure that there are no extra line breaks when you
paste it in the Code Requirement field.
6. In the APP OR SERVICE table, add the following settings:

APP OR SERVICE ACCESS


SystemPolicyAllFiles Allow
SystemPolicyRemovableVolumes Allow
SystemPolicyNetworkVolumes Allow

7. Click Save.

NOTE
You can refer to the System > Agents > Overview page of the Enforce Server administration console to view
and troubleshoot any issues.
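The three Privacy Preferences Policy Control procedures above (OOXMLHostApp, SEHA.app and edpa) differ only in the identifier, the identifier type and the code requirement; the three services set to Allow are the same each time. As an added example that is not part of this guide or of Symantec's own tooling, the following Python script builds one PPPC configuration profile covering all three entries and checks each code requirement before writing it, which catches the pasted line break that the NOTE in each procedure warns about. The payload keys follow Apple's Privacy Preferences Policy Control payload (com.apple.TCC.configuration-profile-policy); the payload identifiers and organization name are constructed placeholders.

```python
import plistlib
import uuid

# Code requirements from the three procedures above (OOXMLHostApp, SEHA.app, edpa),
# each kept as one logical string: a line break pasted into the Code Requirement
# field breaks the TCC rule, which is what the NOTE in each procedure warns about.
REQ_OOXML = (
    "identifier OOXMLHostApp and anchor apple generic and certificate "
    "1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate "
    "leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate "
    "leaf[subject.OU] = Y2CCP3S9W7"
)
REQ_SEHA = (
    'anchor apple generic and identifier "com.symantec.dlp.ext.host.application" '
    "and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or "
    "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate "
    "leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate "
    "leaf[subject.OU] = Y2CCP3S9W7)"
)
REQ_EDPA = (
    "identifier edpa and anchor apple generic and certificate "
    "1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate "
    "leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate "
    "leaf[subject.OU] = Y2CCP3S9W7"
)

# (identifier, identifier type, code requirement) as each procedure states them.
AGENT_ENTRIES = [
    ("/Library/Manufacturer/Endpoint Agent/OOXMLHostApp", "bundleID", REQ_OOXML),
    ("com.symantec.dlp.ext.host.application", "bundleID", REQ_SEHA),
    ("/Library/Manufacturer/Endpoint Agent/edpa", "path", REQ_EDPA),
]
# The three services every procedure sets to Allow.
SERVICES = ("SystemPolicyAllFiles", "SystemPolicyRemovableVolumes", "SystemPolicyNetworkVolumes")


def requirement_problems(requirement):
    """Return the reasons a code requirement would not work as a TCC rule (empty = usable)."""
    problems = []
    if "\n" in requirement or "\r" in requirement:
        problems.append("contains a line break")
    if "anchor apple generic" not in requirement:
        problems.append("not anchored to Apple's Developer ID certificate chain")
    if "subject.OU" not in requirement:
        problems.append("does not pin the signing Team ID (subject.OU)")
    return problems


def build_pppc_profile(entries, organization="Example Org"):
    """Return mobileconfig plist bytes granting each entry Allow on every service.
    Keys follow Apple's Privacy Preferences Policy Control payload
    (com.apple.TCC.configuration-profile-policy); the payload identifiers and the
    organization name are constructed placeholders."""
    services = {}
    for identifier, id_type, requirement in entries:
        problems = requirement_problems(requirement)
        if problems:
            raise ValueError(f"{identifier}: {', '.join(problems)}")
        for service in SERVICES:
            services.setdefault(service, []).append({
                "Identifier": identifier,
                "IdentifierType": id_type,
                "CodeRequirement": requirement,
                "Allowed": True,
            })
    payload = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.dlp-agent.pppc.payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "DLP Agent full disk access",
        "Services": services,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": "com.example.dlp-agent.pppc",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "DLP Agent full disk access",
        "PayloadOrganization": organization,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def allowed_identifiers(profile_bytes):
    """Parse a profile and return {service: [identifiers allowed]}: the view to
    audit what a profile actually grants before it is uploaded to the MDM."""
    granted = {}
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.TCC.configuration-profile-policy":
            continue
        for service, rules in payload.get("Services", {}).items():
            for rule in rules:
                if rule.get("Allowed"):
                    granted.setdefault(service, []).append(rule["Identifier"])
    return granted
```

Write the bytes returned by build_pppc_profile(AGENT_ENTRIES) to a .mobileconfig file and upload it through Jamf (or any MDM) instead of typing the three entries by hand; allowed_identifiers() can also be run on a profile exported from the MDM to confirm exactly which processes it grants full disk access to.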
Configure the DLP Agent to Start Automatically

Confirm that the DLP Agent can start automatically on macOS 13 endpoints.
On macOS 13, the DLP Agent does not start automatically if the EDPA process is disabled on the Login Items settings
menu. Ensure that the DLP Agent always runs by deploying an MDM configuration profile to prevent users from disabling
the EDPA process through the Login Items settings menu.
You can use a sample MDM configuration file with a management application like Jamf to manage the EDPA process. See
21108 to obtain the sample file.
See Jamf documentation on creating an MDM profile to manage login items. See the following URL for details:
https://docs.jamf.com/technical-articles/Uploading_a_Configuration_Profile_for_Managed_Login_Items.html
Enable Monitoring in Google Chrome on macOS Endpoints

The following instructions describe the process of creating an MDM configuration profile to deploy the new Google
Chrome extension for macOS endpoints using MDM settings. For illustration purposes, the instructions assume that you
plan to deploy the extension using Jamf, an IT management application.
Alternatively, you can install the extension manually using the Chrome Web Store. Make sure that the Chrome Web Store
URL is not blocked by your organization's network firewall.
See https://chrome.google.com/webstore/detail/symantec-extension/egaejpfbkjamgheoingidhokbfnidlpi.

Before you begin, make sure that you have completed the following steps:
• Allow full-disk access for the endpoint security host application (SEHA.app) on macOS endpoints
• Allow Full-disk Access for the DLP Agent on macOS Endpoints
NOTE
When you download the agent installer package from the Broadcom Product Downloads portal, the package
contains a ready-to-use MDM configuration file that you can use with a management application like Jamf
to perform several deployment tasks simultaneously. See Sample Jamf MDM configuration file for macOS
endpoints.
1. Create a browser policy (.plist file) which you can upload to Jamf.
For example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ExtensionSettings</key>
<dict>
<key>egaejpfbkjamgheoingidhokbfnidlpi</key>
<dict>
<key>installation_mode</key>
<string>force_installed</string>
<key>update_url</key>
<string>https://clients2.google.com/service/update2/crx</string>
</dict>
</dict>
</dict>
</plist>

2. In Jamf, select a configuration profile.
3. Navigate to Application & Custom Settings, and then click Add.
4. Under Creation Method, select Upload File (PLIST file).
5. In the Preference Domain field, type com.google.Chrome.
6. Click the Upload PLIST file button, and then browse to and select the .plist file that you created in Step 1.
7. Click Save.

NOTE
You can refer to the System > Agents > Overview page of the Enforce Server administration console to view
and troubleshoot any failed deployments.
Enable Monitoring in Mozilla Firefox on macOS endpoints

The following instructions describe the process of creating an MDM configuration profile to deploy the new Mozilla Firefox
extension as well as a signed certificate to enable Outlook Web Access monitoring in Firefox on macOS endpoints.
For illustration purposes, the instructions assume that you plan to deploy the extension using Jamf, an IT management
application. The browser extension is supported only on Mozilla Firefox 64.0 and later versions.
Complete the following prerequisites before you begin: Allow full-disk access for the endpoint security host
application (SEHA.app) on macOS endpoints and Allow Full-disk Access for the DLP Agent on macOS Endpoints.
NOTE
When you download the agent installer package from the Broadcom Product Downloads portal, the package
contains a ready-to-use MDM configuration file that you can use with a management application like Jamf
to perform several deployment tasks simultaneously. See Sample Jamf MDM configuration file for macOS
endpoints.
1. Create a browser policy (.plist file) which you can upload to Jamf. Mozilla provides a template that you can use to
define policies for the Firefox browser.
NOTE
For more information about Firefox policy templates, see https://github.com/mozilla/policy-templates/blob/
master/README.md.
To download the policy template, visit https://github.com/mozilla/policy-templates/blob/master/mac/
org.mozilla.firefox.plist.
You can either create a new .plist file based on Mozilla's policy template or modify the existing .plist file based
on your organization's requirements. For example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>EnterprisePoliciesEnabled</key>
<true/>
<key>Certificates</key>
<dict>
<key>ImportEnterpriseRoots</key>
<true/>
</dict>
<key>ExtensionSettings</key>
<dict>
<key>InformationProtection@symantec.com</key>
<dict>
<key>installation_mode</key>
<string>force_installed</string>
<key>install_url</key>
<string>file:////Library/Manufacturer/Endpoint Agent/dlp-firefox-addon.xpi</string>
</dict>
</dict>
</dict>
</plist>

2. In Jamf, select a configuration profile.
3. Navigate to Application & Custom Settings, and then click Add.
4. Under Creation Method, select Upload File (PLIST file).
5. In the Preference Domain field, type org.mozilla.firefox.
6. Click the Upload PLIST file button, and then browse to and select the .plist file that you created in Step 1.
7. Click Save.

NOTE
You can refer to the System > Agents > Overview page of the Enforce Server administration console to view
and troubleshoot any failed deployments.
Deploy the Symantec extension to monitor Edge

Before you enable monitoring for Microsoft Edge on macOS endpoints, review the list of supported Microsoft Edge
releases. For more information, see Applications Supported by Endpoint Prevent on macOS.
Before you begin, confirm that you have allowed full disk access for the agent and the
endpoint security host application (SEHA.app) on macOS endpoints. See Allow Full-disk
Access for the DLP Agent on macOS Endpoints and Allow full-disk access for the endpoint
security host application (SEHA.app) on macOS endpoints respectively.
Complete the following steps to create an MDM configuration profile to deploy the new Microsoft Edge extension
for macOS endpoints using MDM settings. For illustration purposes, the instructions assume that you plan to deploy the
extension using Jamf, an IT management application.
NOTE
Alternatively, you can navigate to the Symantec extension in the Edge Add-ins store and then click Get to
install the extension on a single endpoint. Make sure that the Edge Add-ins store URL is not blocked by your
organization's network firewall.
To view the Symantec extension in the Edge add-ins store, visit https://microsoftedge.microsoft.com/addons/
detail/ifcoeclffkpmgoodbmpmfmcpleljpkfl.
1. Create a browser policy (.plist file) which you can upload to Jamf.
For example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AllowJavaScriptfromAppleEvents</key>
<true/>
<key>InPrivateModeAvailability</key>
<integer>1</integer>
<key>ExtensionSettings</key>
<dict>
<key>ifcoeclffkpmgoodbmpmfmcpleljpkfl</key>
<dict>
<key>installation_mode</key>
<string>force_installed</string>
<key>update_url</key>
<string>https://edge.microsoft.com/extensionwebstorebase/v1/crx</string>
</dict>
</dict>
</dict>
</plist>

2. In Jamf, select a configuration profile.
3. Navigate to Application & Custom Settings, and then click Add.
4. Under Creation Method, select Upload File (PLIST file).
5. In the Preference Domain field, type com.microsoft.Edge.
6. Click the Upload PLIST file button, and then browse to and select the .plist file that you created in Step 1.
7. Click Save.
To verify that the extension has been deployed successfully, on a macOS endpoint, click the Microsoft Edge menu on
the macOS toolbar and then select Microsoft Edge Extensions. Make sure that the Symantec extension is displayed in
the list of installed extensions.
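The Chrome, Firefox and Edge profiles above each force-install the Symantec extension through ExtensionSettings, and the Firefox and Edge profiles carry extra keys that the extension depends on. As an added example that is not code from this guide or from Symantec, the following Python script compares a browser's managed-preferences plist with those documented settings and reports drift: an extension that is only normal_installed (a user can disable it), a Firefox policy without EnterprisePoliciesEnabled or ImportEnterpriseRoots, or an Edge policy whose InPrivateModeAvailability no longer matches the documented value. The sample policies are constructed from the three .plist files shown above; on an enrolled Mac the real input is /Library/Managed Preferences/<domain>.plist, where macOS stores MDM-delivered preferences.

```python
import plistlib

# Extension identifiers, preference domains and URLs as given in the Chrome,
# Firefox and Edge procedures above.
EXPECTED = {
    "com.google.Chrome": {
        "id": "egaejpfbkjamgheoingidhokbfnidlpi",
        "update_url": "https://clients2.google.com/service/update2/crx",
    },
    "org.mozilla.firefox": {
        "id": "InformationProtection@symantec.com",
        "install_url": "file:////Library/Manufacturer/Endpoint Agent/dlp-firefox-addon.xpi",
    },
    "com.microsoft.Edge": {
        "id": "ifcoeclffkpmgoodbmpmfmcpleljpkfl",
        "update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
    },
}


def audit_browser_policy(domain, plist_bytes):
    """Compare a managed-preferences plist for `domain` with the documented
    settings and return a list of findings (an empty list means it matches)."""
    findings = []
    policy = plistlib.loads(plist_bytes)
    want = EXPECTED[domain]
    ext = policy.get("ExtensionSettings", {}).get(want["id"])
    if ext is None:
        findings.append(f"{domain}: {want['id']} missing from ExtensionSettings")
    else:
        mode = ext.get("installation_mode")
        if mode != "force_installed":
            # Anything other than force_installed lets the user disable or remove the extension.
            findings.append(f"{domain}: installation_mode is {mode!r}, expected 'force_installed'")
        for key in ("update_url", "install_url"):
            if key in want and ext.get(key) != want[key]:
                findings.append(f"{domain}: {key} is {ext.get(key)!r}, expected {want[key]!r}")
    if domain == "org.mozilla.firefox":
        if policy.get("EnterprisePoliciesEnabled") is not True:
            findings.append(f"{domain}: EnterprisePoliciesEnabled is not true, so Firefox ignores the policy")
        if policy.get("Certificates", {}).get("ImportEnterpriseRoots") is not True:
            findings.append(f"{domain}: Certificates.ImportEnterpriseRoots is not true")
    if domain == "com.microsoft.Edge":
        value = policy.get("InPrivateModeAvailability")
        if value != 1:
            findings.append(f"{domain}: InPrivateModeAvailability is {value!r}, expected 1")
    return findings


def sample_policy(domain, drift=False):
    """Constructed plist bytes mirroring the documented profile for `domain`.
    With drift=True the extension is only normal_installed (a constructed drift case)."""
    want = EXPECTED[domain]
    ext = {"installation_mode": "normal_installed" if drift else "force_installed"}
    for key in ("update_url", "install_url"):
        if key in want:
            ext[key] = want[key]
    policy = {"ExtensionSettings": {want["id"]: ext}}
    if domain == "org.mozilla.firefox":
        policy["EnterprisePoliciesEnabled"] = True
        policy["Certificates"] = {"ImportEnterpriseRoots": True}
    if domain == "com.microsoft.Edge":
        policy["AllowJavaScriptfromAppleEvents"] = True
        policy["InPrivateModeAvailability"] = 1
    return plistlib.dumps(policy)


def audit_all(policies):
    """policies: {domain: plist bytes}, for example the contents of
    /Library/Managed Preferences/<domain>.plist for each of the three browsers.
    Returns every finding across all browsers."""
    findings = []
    for domain, data in policies.items():
        findings.extend(audit_browser_policy(domain, data))
    return findings
```

Running audit_all over the three managed-preferences files after the Jamf profiles have applied gives the same answer as the manual check in the Edge procedure (looking for the extension in the Extensions list), but in a form that can be scheduled or fed into an inventory report.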
Enable MIP classification notifications on macOS endpoints

On macOS endpoints, users are prompted once to permit the DLP Agent to display notifications about label suggestions
and label enforcement. To prevent MIP classification notifications from being blocked by users, you can create an MDM
configuration profile to bypass the prompt for permission.
For illustration purposes, the following instructions assume that you plan to use Jamf, an IT management application.
1. Create a custom JSON schema to specify macOS app notifications settings.
To view a sample schema, visit https://github.com/talkingmoose/jamf-manifests/blob/master/macOS%20Notifications
%20%28com.apple.notificationsettings%29.json.
2. In Jamf, select a configuration profile.
3. Navigate to Application & Custom Settings > External Applications , and then click Add.
4. In the Source menu, select Custom Schema.
5. In the Preference Domain box, type com.apple.notificationsettings.
6. In the Custom Schema box, enter the custom schema that you created.
7. Under Domain Preferences, do the following:
a) In the Bundle ID box, type com.symantec.dlp.CUI.
b) In the Allow Notifications from App menu, select true
c) In the Alert Type Style menu, select banners
d) In the Show In Notification Center menu, select true
e) In the Badges Enabled menu, select true
8. Click Save.
Enable DLP Agent access to Microsoft Office applications

After you enable MIP configuration for Microsoft Office applications in the agent configuration, endpoint users are
prompted to allow the DLP Agent ('CUI' application) to access Microsoft Word, Microsoft Excel, and Microsoft PowerPoint.
If users do not grant application access, the MIP classification functionality does not work.
You can create an MDM configuration profile to enable the DLP Agent to access Microsoft Office applications without
prompting users for permission. For illustration purposes, the following instructions assume that you plan to use Jamf, an
IT management application.

NOTE
When you copy and paste text into the Receiver Code Requirement box in Jamf, make sure that there are no
line breaks.
1. In Jamf, select a configuration profile.
2. Navigate to Privacy Preferences Policy Control.
3. Click Add.
4. Under App Access, do the following:
a) In the Identifier box, type com.microsoft.Word.
b) In the Receiver Identifier Type menu, select Bundle ID.
c) In the Receiver Code Requirement box, type identifier "com.microsoft.Word" and anchor
apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and
certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate
leaf[subject.OU] = UBF8T346G9.
5. Click Add.
6. Under App Access, do the following:
a) In the Identifier box, type com.microsoft.Excel.
b) In the Receiver Identifier Type menu, select Bundle ID.
c) In the Receiver Code Requirement box, type identifier "com.microsoft.Excel" and anchor
apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and
certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate
leaf[subject.OU] = UBF8T346G9.
7. Click Add.
8. Under App Access, do the following:
a) In the Identifier box, type com.microsoft.Powerpoint.
b) In the Receiver Identifier Type menu, select Bundle ID.
c) In the Receiver Code Requirement box, type identifier "com.microsoft.Powerpoint" and anchor
apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and
certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate
leaf[subject.OU] = UBF8T346G9.
9. Click Save.

Install the DLP Agent for macOS


DLP administrators install agents to macOS endpoints manually or using deployment software. Symantec recommends
that you install a subset of agents manually for testing purposes before deploying agents in your environment.
Before you begin the installation

These steps assume you have generated the agent installation package and completed
installation prerequisites. See Generating agent installation packages and Complete macOS
Endpoint Agent Installation Prerequisites.

Installing the DLP Agent for Mac manually

This section provides steps for installing the DLP Agent for Mac manually. If you do not plan to test the agent installation
package, you install Mac agents using MDM software.
1. Locate the agent installation package ZIP (AgentInstaller_Mac64.zip), and unzip it to the Mac endpoint.
Unzip the file to /tmp/MacInstaller.
NOTE
If you are running macOS 10.15.x or later, Symantec recommends that you unzip the file contents to the
/tmp/MacInstaller folder, because macOS prevents the installation from running from locations such as
Downloads and Documents.
2. Install the Mac Agent from the command line using the Terminal application.
Run the following command on the target endpoint:
$ sudo sh /tmp/MacInstaller/install_agent.sh

Replace /tmp/MacInstaller with the path where you unzipped the agent installation package.
NOTE
If you are installing the DLP Agent to endpoints that use the Apple M1 chip, you must enable full disk access
for the Terminal application. You can enable full disk access for the Terminal application in the Security &
Privacy area in System Settings, or set it using an MDM profile. See Allow Full-disk Access for the DLP Agent
on macOS Endpoints.
3. (Optional) Review information about the Mac agent installation.

Installing the DLP Agent for macOS Using Deployment Software

You can use mobile device management (MDM) software to install DLP Agents to endpoints silently. You must
always install the agent installation package from a local directory; if you do not, some functions of the DLP
Agent are disabled.

NOTE
The steps to install the agent using MDM profiles use Jamf as an example. The steps differ if you use a different
MDM tool.
1. Move the macOS endpoint agent installation package to a local machine.
2. Build a PKG file using the Jamf Composer tool by completing the following steps:
a) Define a location (for example, /Users/) that all endpoints that are targeted for the installation can access. When
you deploy the package, the MDM software pushes the package to the location you define. The following example
shows the location.
Figure 1: PKG file on local machine

b) Open Jamf Composer and drag the AgentInstaller_Mac64 folder to the Composer window.
c) Set executable permissions (mode: 755) for the folder-based settings listed in the following table:

Table 134: Executable permissions

User R W X

Owner Enabled Enabled Enabled
Group Enabled Disabled Enabled
Everyone Enabled Disabled Enabled

d) Select Apply to All Enclosed Items.
e) Click Build As PKG and select a location where you want to save the file.
3. Configure the Jamf policy by completing the following steps:
a) Log in to Jamf Pro web console.
b) Go to All Settings > Computer Management and click Packages.
c) Click New. The following screen appears.
Figure 2: New Package

d) Enter a name for the package in the Display Name field.


e) Click Choose File, select the PKG file that you created using Jamf Composer, and click Save.
After you save the package, it starts uploading to the cloud distribution point.
f) When the package is uploaded successfully, go to the Policies page.
g) Click New (in the Policies section) to create a deployment policy.
h) Complete the following settings on the New policy page:
• Enter a display name. For example, enter DLP agent.
• Set a trigger. For example, you can use recurrent check-in or based on the policy.
• Select Once per computer for the execution frequency.
i) Click Packages and click Configure. The package that you uploaded in step e displays.
j) Click Add and leave the remaining fields and selections default.
The following graphic provides an example of what you see in your Jamf web console.

Figure 3: Jamf Web Console Policies Example

k) Click Files and Processes.


l) Enter the following command in the Execute Command field:
installer -pkg "/Users/AgentInstaller_Mac64/AgentInstall_16_0_1-16.0.10000.1234.pkg" -target /
NOTE
The path and file name are examples. Replace these values with those you defined in step 3.
The following graphic provides an example of what you see in your Jamf web console.

Figure 4: Jamf Web Console Execute Command Example

m) Save the policy.


The policy is triggered based on settings that you have defined. When the policy triggers, the macOS agent is
installed.
4. Confirm the deployment by completing the following steps:
a) Go to the policy and click the Logs option.
b) Click the Details option where the deployment details are listed.

Confirm that the macOS agent is running


What gets installed for DLP Agents on macOS endpoints

When the DLP Agent is installed or upgraded on a macOS endpoint, a number of components are installed. Do not
disable or modify any of these components or the DLP Agent may not function correctly.

Table 135: Mac agent components

Component Description

Endpoint Agent daemon (EDPA) The installation process places the EDPA files in /Library/Manufacturer/Endpoint Agent. The com.symantec.manufacturer.agent.plist file, located in /Library/LaunchDaemons/, contains configuration settings for the Endpoint Agent daemon.
Encrypted database Each DLP Agent maintains an encrypted database at the endpoint. The database stores incident metadata, contents on the host file system, and, if needed, the original file that triggered the incident. The DLP Agent analyzes the content locally.
Log files The DLP Agent logs information on completed and failed processes.
Database (rrc.ead) This database maintains the non-matching entries for rules results caching (RRC). See About rules results caching (RRC).

Related Links
Setting up and configuring Endpoint Discover on page 1886
How to implement Endpoint Prevent on page 1877

Confirm that the macOS agent is running


Verify that the macOS agent is running by opening the Activity Monitor application and locating the CUI and EDPA
services. The CUI and EDPA services are deployed during the agent installation and begin running after the installation
completes. You can also confirm that the com.symantec.dlp.edpa service is running. This service displays pop-up
notifications on the Mac endpoint.
If you are running macOS 10.15 and later, the SEHA application must be running. If the SEHA is not running, the
Endpoint Security Client Down agent event is logged and the endpoint goes into a critical state. For the SEHA
application to run, you must configure disk access using MDM profiles. See Complete macOS Endpoint Agent Installation
Prerequisites.

Troubleshoot the macOS Agent Installation

Condition
The agent does not connect to the Endpoint Server.

Cause
There may be an issue with the agent starting up.

Remedy

1. Use the Console application to check the log messages. Review the Mac Agent installer logs at /var/log/install.log.
2. Rerun the installer with the -dumplog option to create detailed installation logs. For example, use the command
sudo installer -pkg /tmp/AgentInstall/AgentInstall_16_0_1.pkg -target / -dumplog.
Replace /tmp/MacInstaller with the path where you unzipped the agent installation package.

Installing the DLP Agent on Linux


As a DLP administrator, install agents to Linux endpoints manually.
Symantec recommends that you install a subset of agents manually for testing purposes before deploying agents in your
environment.
NOTE
The following steps apply to all supported Linux distributions.

Before You Begin the Installation
Confirm the following prerequisites before you start the process to install DLP Agents on Linux endpoints:
• Verify that you meet the minimum requirements for Linux operating systems. For more information, see Linux
Operating System Requirements for Endpoint Systems.
• Install the Endpoint Servers. For more information, see Adding a detection server.
• Generate the agent installation package. For more information, see Generating agent installation packages.
NOTE
Optionally, you can sign RPM installation files on any Linux machine before deploying the package to endpoints
in your organization. See Sign RPM Files for Linux Endpoints.

Steps to Install the Agent on Linux Endpoints


Complete the following steps to install agents on Linux endpoints:
1. Complete the Linux Endpoint Agent Installation Prerequisites
2. (Optional) Signing RPM Files for Server Components
3. Install the DLP Agent for Linux
4. Confirm That the Linux Agent is Running

Complete the Linux Endpoint Agent Installation Prerequisites


Ensure that the DLP Agent installation is successful on Linux endpoints by completing prerequisites.
NOTE
The Linux agent prerequisites also apply to installing agents to Ubuntu distributions.
Complete the following prerequisites before installing the Linux endpoint agent:
• Confirm that Red Hat Package Managers (RPM) are available on Linux endpoints. See Required Linux RPMs for more
details.
• Set permissions for executable files. Complete the following task to set permissions.
Set Permissions for Executable Files

The DLP Agent requires permissions to be set for executable files. If permissions are not applied, the agent installation
fails.
1. Use sudo credentials to log on to the computer where you plan to install the DLP Agent.
2. Enable repository access on the endpoint to ensure that required packages are installed during the agent installation.
Skip this step if the required packages are already installed on the endpoint.
3. Locate the agent installation package ZIP for one of the following supported distributions:
• Linux: AgentInstaller_Linux64.zip
• Ubuntu: AgentInstaller_LinuxDeb64.zip
This file is generated during the agent installation packaging process. See Agent installation package contents.
4. Unzip the file to the Linux endpoint at /opt/temp/LinuxInstaller.
5. Open a terminal and run one of the following commands for your distribution:
• Linux:
cd /opt/temp/LinuxInstaller
sudo chmod +x *.rpm
sudo chmod +x install_agent.sh

NOTE
You must run sudo chmod +x *.rpm only if changing permissions is required on the endpoint.
• Ubuntu:
cd /opt/temp/LinuxInstaller
sudo chmod +x *.deb
sudo chmod +x install_agent.sh

Sign RPM Files for Linux Endpoints



Before you install the latest DLP Agent version on a supported Linux distribution endpoint, Symantec recommends that
you use the RPM signing key to verify the signature of RPM files.
All RPM packages provided in the Symantec_DLP_16.0.1_Agent_Lin-IN.zip are signed with a GPG key. The
signature provides integrity protection and ensures that the packages are the same packages produced by Symantec and
were not altered in any way by a malicious third party.
NOTE
If you try to install and do not use the RPM signing key, a "NOKEY" warning message displays during the
installation.
1. Locate the Symantec_DLP_Linux_Signing_Key.asc file in the DLPDownloadHome directory. The
Symantec_DLP_Linux_Signing_Key.asc is packaged in the Symantec_DLP_16.0.1_Agent_Lin-IN.zip
file.
2. Copy the Symantec_DLP_Linux_Signing_Key.asc file to the computer where you plan to install the DLP Agent.
3. Use sudo credentials to log on to the computer where you plan to install the DLP Agent.
4. Import the key to the RPM key ring by running the following command:
rpm --import Symantec_DLP_RPM_Signing_Key.asc

5. Display the imported key by running the following command:


rpm -qi gpg-pubkey-b891399b-59c04bd7

6. Verify the signature of files before installing them by running the following command:
• Run the following command for Linux endpoints: rpm -K *.rpm
• Run the following commands for Ubuntu endpoints:
sudo gpg --import Symantec_DLP_DEB_Signing_Key.asc
sudo gpg --verify AgentInstall-x86_64_16.0.1.deb
sudo dpkg-sig --verify AgentInstall-x86_64_16.0.1.deb

Install the DLP Agent for Linux



DLP administrators install agents to Linux endpoints (including Ubuntu distributions) manually.

Before You Begin the Installation

These steps assume you have generated the agent installation package and completed installation prerequisites. See
Generating agent installation packages and Complete the Linux Endpoint Agent Installation Prerequisites.
Install the DLP Agent

Complete the following steps to install the DLP Agent for Linux distributions manually.
1. Open a terminal and go to /opt/temp/LinuxInstaller.
2. Install the Linux agent by running the following command on the target endpoint:
sudo ./install_agent.sh

You can locate the agent installation path at /opt/Manufacturer/EndpointAgent.


3. Review installation logs at /var/log/AgentInstall.log.
Confirm That the Linux Agent is Running


Confirm that the Linux agent installation process was successful.
These steps apply to supported Linux distributions.
Perform the following procedure to confirm that the Linux agent installation completed successfully:
1. Open a terminal and run the following command:
sudo systemctl status symantec-dlp-agent

2. Review the log to confirm that the agent is active.


The following example log shows an active agent.
[admin@hkrhel_79_final EndpointAgent]$ sudo systemctl status symantec-dlp-agent
● symantec-dlp-agent.service - Data Loss Prevention
Loaded: loaded (/usr/lib/systemd/system/symantec-dlp-agent.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2022-09-08 12:43:17 IST; 22h ago
Main PID: 23467 (edpa)
Tasks: 20
CGroup: /system.slice/symantec-dlp-agent.service
├─23467 /opt/Manufacturer/EndpointAgent/edpa
├─23505 /opt/Manufacturer/EndpointAgent/Verity/kvoop 23 26 0 23467_-1325164416
└─23507 /opt/Manufacturer/EndpointAgent/Verity/kvoop 23 28 0 23467_-1325164416

Sep 08 12:43:17 hkrhel_79_final systemd[1]: Started Data Loss Prevention.
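When this check has to be repeated across a fleet, the status output is better parsed than read. The following is an added example, not part of the Symantec agent package: it accepts systemctl status output in the form shown above and passes only when the unit is active (running), the main PID is edpa, and that PID is running the binary from /opt/Manufacturer/EndpointAgent rather than a same-named process started elsewhere. The exact wording of the status lines, the script name check_dlp_agent.sh and the function names are the example's own assumptions.

```sh
#!/bin/sh
# Added example (not part of the Symantec agent package): post-install health
# check for the Linux DLP Agent. It parses `systemctl status` output in the
# form shown on the page; the exact wording of those lines is an assumption.
AGENT_UNIT="symantec-dlp-agent"
AGENT_HOME="/opt/Manufacturer/EndpointAgent"

# agent_status_ok STATUS_TEXT
# Returns 0 only when all three hold:
#   1. the Active line reads "active (running)" (not activating, failed, dead)
#   2. the Main PID line names edpa, the agent's main binary
#   3. the CGroup tree shows that PID executing $AGENT_HOME/edpa, so a
#      process of the same name started from another path does not pass
agent_status_ok() {
    status=$1
    case "$status" in
        *"Active: active (running)"*) ;;
        *) return 1 ;;
    esac
    pid=$(printf '%s\n' "$status" |
          sed -n 's/^[[:space:]]*Main PID: \([0-9][0-9]*\) (edpa).*/\1/p')
    [ -n "$pid" ] || return 1
    case "$status" in
        *"$pid $AGENT_HOME/edpa"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_linux_agent
# Run on the endpoint after install_agent.sh. Also requires the binary to be
# present and executable at the documented install path. Returns 1 and
# prints the raw status when anything is off, pointing at the install log.
check_linux_agent() {
    [ -x "$AGENT_HOME/edpa" ] || { echo "missing $AGENT_HOME/edpa" >&2; return 1; }
    out=$(systemctl status "$AGENT_UNIT" --no-pager 2>&1) || true
    if agent_status_ok "$out"; then
        echo "$AGENT_UNIT: active, main process is $AGENT_HOME/edpa"
    else
        echo "$AGENT_UNIT: not healthy, review /var/log/AgentInstall.log" >&2
        printf '%s\n' "$out" >&2
        return 1
    fi
}

# Usage: sudo sh check_dlp_agent.sh --check
if [ "${1:-}" = "--check" ]; then
    check_linux_agent
fi
```

The third condition is the one worth keeping: `systemctl is-active` alone would report success for a unit that someone pointed at a different binary, while the CGroup tree ties the running PID to the documented install path.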

Endpoint Tools
Work with Symantec DLP Agents using the tools that Symantec Data Loss Prevention provides.
Move these tools to a secure directory. The Endpoint tools work with the keystore file that is found in the Agent Install
directory. The tools and the keystore file must be in the same folder to function properly.
NOTE
Before you copy Endpoint tools to the Agent Install directory on Mac and Linux endpoints, change the
permissions for each tool to be executable.

Each tool requires a password to operate. You enter the Endpoint tools password during the agent packaging process.
You can manage the Endpoint tools password using the Agent Password Management screen.
Generating agent installation packages
About agent password management
The following table lists some of the tasks that you can complete using endpoint tools.

Table 136: Endpoint tools task list

Task: Shutting Down the Agent and Watchdog Services on Endpoints
Tool: service_shutdown
Location: Symantec_DLP_16.0.1_Agent_Win-IN.zip (Windows agents), Symantec_DLP_16.0.1_Agent_Lin-IN.zip (Linux agents), Symantec_DLP_16.0.1_Agent_Mac-IN.zip (Mac agents)

Task: Inspecting the Database Files Accessed by the Agent
Tool: vontu_sqlite3
Location: Symantec_DLP_16.0.1_Agent_Win-IN.zip (Windows agents), Symantec_DLP_16.0.1_Agent_Lin-IN.zip (Linux agents), Symantec_DLP_16.0.1_Agent_Mac-IN.zip (Mac agents)

Task: Viewing Extended Log Files
Tool: logdump
Location: Symantec_DLP_16.0.1_Agent_Win-IN.zip (Windows agents), Symantec_DLP_16.0.1_Agent_Lin-IN.zip (Linux agents), Symantec_DLP_16.0.1_Agent_Mac-IN.zip (Mac agents)

Task: Using the Device ID Utilities
Tool: DeviceID.exe for Windows removable devices, in Symantec_DLP_16.0.1_Agent_Win-IN.zip (Windows agents); DeviceID for Mac removable devices, in Symantec_DLP_16.0.1_Agent_Mac-IN.zip (Mac agents)

Task: Generating Third-party Application Information Using the GetAppInfo Tool
Tool: GetAppInfo
Location: Symantec_DLP_16.0.1_Agent_Win-IN.zip (Windows agents)

Task: Starting Agents That Have Been Shutdown
Tool: start_agent
Location: Symantec_DLP_16.0.1_Agent_Lin-IN.zip (Linux agents), Symantec_DLP_16.0.1_Agent_Mac-IN.zip (Mac agents)

Task: Removing a DLP Agent from a Linux Endpoint
Tool: uninstall_agent
Location: Symantec_DLP_16.0.1_Agent_Lin-IN.zip

Related Links
Mac endpoint tools features on page 1846

Preparing to Use Endpoint Tools


Review the following sections before using the endpoint tools on endpoints.

Using Endpoint tools with Windows 10


To use Endpoint tools on a computer that runs Windows 10, you must run them from an elevated Command Prompt. The Endpoint tools do not run from a Command Prompt that was not elevated.
1. Display the Command Prompt. Choose one of the following methods:
• In Desktop mode, right-click the Windows icon and select Command Prompt (Admin). The prompt opens with administrator rights and you can skip the remaining steps.
• In Metro mode, enter cmd in the Search programs and files field.
2. Hold the Shift key and right-click Command Prompt in the results list.
3. Select Run as Administrator.

Using Endpoint Tools with macOS


To use Endpoint tools on an endpoint that runs macOS, change the permissions for each tool to be executable. Complete
this prerequisite step before you copy a tool to the agent installation folder. The DLP Agent prevents permissions changes
to files residing in the agent installation folder. If you do not change permissions, you cannot run the Endpoint tool on
endpoints.
1. Copy the Endpoint tool to the endpoint. For example, copy the tool to /Users/<user-name>/Downloads/Tools/.
2. Set executable definitions by issuing a sudo command from the Terminal application.
For example, issue the following command if you want to set executable permissions for the Service_Shutdown tool:
sudo chmod 755 service_shutdown
3. Copy the endpoint tool to the DLP Agent installation directory.
Repeat these steps for each Endpoint tool that you plan to run.
About Endpoint tools

Using Endpoint Tools with Linux


To use Endpoint tools on an endpoint that runs Linux, change the permissions for each tool to be executable. If you do not
change permissions, you cannot run the Endpoint tool on endpoints.
1. Copy the Endpoint tool to the DLP Agent installation directory. For example, copy the tool to /opt/Manufacturer/
EndpointAgent.
2. Set executable definitions by issuing a sudo command from the Terminal application.
For example, issue the following command if you want to set executable permissions for the vontu_sqlite3 tool:
sudo chmod +x vontu_sqlite3
3. Repeat these steps for each Endpoint tool that you plan to run.

Related Links
Endpoint Tools on page 319
Work with Symantec DLP Agents using the tools that Symantec Data Loss Prevention provides.

Shutting Down the Agent and Watchdog Services on Endpoints
Shut down the agent and watchdog service on endpoints (with administrator rights).
Shutting Down the DLP Agent and Watchdog Services on Windows Endpoints

Use the Service_Shutdown tool to shut down the DLP Agent and watchdog services on Windows endpoints. As a tamper-
proofing measure, it is not possible for a user to individually stop either the DLP Agent or watchdog service. This tool
enables users with administrator rights to stop both Symantec Data Loss Prevention services at the same time.
1. Go to the directory where you installed Symantec Data Loss Prevention.
2. Run the following command:
service_shutdown [-p=password]

where [-p=password] is the password you previously specified. If you do not enter a password, you are prompted to
input a password. The default password is VontuStop.
You must run the Service_Shutdown.exe tool from the same directory as the DLP Agent keystore file.
Shutting Down the DLP Agent Service on Mac Endpoints

Use the Service_Shutdown tool to shut down the DLP Agent service on Mac endpoints. As a tamper-proofing measure,
users cannot stop the DLP Agent service on Mac endpoints. However, an administrator with root access can use the
Service_Shutdown tool to stop the Symantec Data Loss Prevention service.
1. Set the Service_Shutdown tool permissions to be executable.
2. Copy the Service_Shutdown tool to the DLP Agent installation folder on the Mac endpoint.
3. Run the following command as the root user from the Terminal application:
sudo ./service_shutdown -p=<tools_password>

Shutting Down the DLP Agent Service on Linux Endpoints

Use the service_shutdown.sh tool to shut down the DLP Agent service on supported Linux distribution endpoints. An
administrator with root access can use the service_shutdown.sh tool to stop the Symantec Data Loss Prevention service.
1. Set the service_shutdown tool permissions to be executable.
2. Run the following command as a root user:
sudo ./service_shutdown.sh

Inspecting the Database Files Accessed by the Agent


Use the vontu_sqlite3 tool to inspect the database files that the DLP Agent uses.
The vontu_sqlite3 tool provides an SQL interface to query database files and to update database files. Without this
tool, you cannot view the contents of a database file because it is encrypted. Use this tool when you want to investigate or
make changes to the Symantec Data Loss Prevention files.
Running the vontu_sqlite3.exe Tool on Windows Endpoints

You must have administrator rights to use the tool on Windows endpoints.
1. Run the following script from the Symantec Data Loss Prevention Agent installation directory:
vontu_sqlite3 -db=database_file [-p=password]

where database_file is your database file and password is your specified tools password.
The Symantec Data Loss Prevention database files for Windows agents are located in the DLP Agent installation
directory and end in the *.ead extension. After you run the command, you are prompted for your password.
2. Enter the default password VontuStop unless you have already created a unique password.
You are provided with a shell to enter SQL statements to view or update the database.
Refer to http://www.sqlite.org/sqlite.html for complete documentation about what commands are available in this shell.
Running the vontu_sqlite3 Tool on Linux Endpoints

You must have sudo access to make changes to the agent database on supported Linux distribution endpoints.

1. Set the vontu_sqlite3 tool permissions to be executable.


2. Run the following script from the Symantec Data Loss Prevention Agent installation directory:
sudo ./vontu_sqlite3 -db=database_file [-p=password]

where database_file is your database file and password is your specified tools password.
The vontu_sqlite3 tool is located at /opt/Manufacturer/EndpointAgent.
Running the Vontu_sqlite3 Tool on Mac Endpoints

You must have root access to make changes to the agent database on Mac endpoints.
1. Set the vontu_sqlite3 tool permissions to be executable.
2. Run the following script from the Symantec Data Loss Prevention Agent installation directory:
sudo ./vontu_sqlite3 -db=database_file [-p=password]

where database_file is your database file and password is your specified tools password.
You run this command using the Terminal application. The vontu_sqlite3 tool is located at /Library/
Manufacturer/Endpoint Agent/.
3. Enter the default password VontuStop unless you have already created a unique password.
You are provided with a shell to enter SQL statements to view or update the database.
Refer to http://www.sqlite.org/sqlite.html for complete documentation about what commands are available in this shell.
Related Links
Endpoint Tools on page 319
Work with Symantec DLP Agents using the tools that Symantec Data Loss Prevention provides.

Viewing Extended Log Files


Use the Logdump tool to view the extended log files for DLP Agents.
You must have administrator privileges to use the Logdump tool. Extended log files are hidden for security reasons.
Generally, you only need to view log files with Symantec Data Loss Prevention support personnel. Without this tool, you
cannot view any DLP Agent log files.

Running the Logdump on Windows

You must have administrator rights to use the tool on Windows endpoints.
1. Run the following script from the Symantec Data Loss Prevention Agent installation directory:
logdump -log=log_file [-p=password]

where log_file is the log file you want to view and password is the specified tools password. All Symantec Data Loss
Prevention extended log files are present in the Symantec Data Loss Prevention Agent installation directory. The files
have names with the format edpa_extfile_number.log. After you run this command, you can see the de-obfuscated log.
NOTE
When using Windows PowerShell to run logdump.exe, quotes are required around the log file. For example,
run:
logdump "-log=log_file" [-p=password]
2. (Optional) Print the contents of another log from this view.
Running the Logdump on macOS

You must have root access to use the Logdump tool on Mac endpoints.
1. Set the logdump tool permissions to be executable.
2. Run the following script from the Symantec Data Loss Prevention Agent installation directory:
sudo ./logdump -log=log_file [-p=password]

where log_file is the log file you want to view and password is the specified tools password.
All Symantec Data Loss Prevention extended log files are present in the Symantec Data Loss Prevention Agent
installation directory. The files have names of the form edpa_extfile_number.log. After you run this command, you can
see the de-obfuscated log.
3. (Optional) Print the contents of another log from this view.
Running the logdump on Linux

You must have sudo access to use the logdump tool on supported Linux distribution endpoints.

1. Set the logdump tool permissions to be executable.


2. Run the following script from the Symantec Data Loss Prevention Agent installation directory (/opt/Manufacturer/EndpointAgent):
sudo ./logdump -log=log_file [-p=password]

where log_file is the log file you want to view and password is the specified tools password.
All Symantec Data Loss Prevention extended log files are present in the Symantec Data Loss Prevention Agent
installation directory. The files have names of the form edpa_extfile_number.log. After you run this command, you can
see the de-obfuscated log.

3. (Optional) Print the contents of another log from this view.
Printing the Contents of Another Log

1. From the command window, run:


logdump -log=log_file -p=password > deobfuscated_log_file_name

2. Enter the password again to print the log.


Related Links
Endpoint Tools on page 319
Work with Symantec DLP Agents using the tools that Symantec Data Loss Prevention provides.

Using the Device ID Utilities


Symantec Data Loss Prevention provides DeviceID.exe for Windows removable devices and DeviceID for Mac removable devices to assist you with configuring endpoint devices for detection.
The DeviceID utilities scan the computer for all connected devices and report the Device Instance ID string on Windows endpoints and regex information on Mac endpoints.
You typically use the DeviceID utilities to allow the copying of sensitive information to company-provided external devices like USB drives and SD cards.

Table 137: Windows Device ID utility example output

Volume: The volume or mount point that the DeviceID.exe tool found. For example:
Volume: E:\
Dev ID: The Device Instance ID for each device. For example:
USBSTOR\DISK&VEN_UFD&PROD_USB_FLASH_DRIVE&REV_1100\5F73HF00Y9DBOG0DXJ
Regex: The regular expression to detect that device instance. It is the Device Instance ID with each backslash escaped as \\. For example:
USBSTOR\\DISK&VEN_UFD&PROD_USB_FLASH_DRIVE&REV_1100\\5F73HF00Y9DBOG0DXJ

Table 138: Mac Device ID utility example output

Vendor: The vendor that the DeviceID tool found, as a regex that matches any device from that vendor. For example:
SanDisk&.*
Model: The model that the DeviceID tool found, as a regex that matches any device of that vendor and model. For example:
SanDisk&Cruzer Blade&.*
Serial: The serial number that the DeviceID tool found, as a regex that matches only that unit. For example:
SanDisk&Cruzer Blade&DER45TG5444

Using the Windows Device ID utility

Use the Device ID utility to extract Device Instance ID strings and to determine what devices the system can recognize for
detection. You must have administrator rights to use this tool.
About the Device ID utilities
To use the Device ID utility
1. Obtain the DeviceID.exe utility.
This utility is available with the Endpoint Server utilities package.
2. Copy the DeviceID.exe utility to a computer where you want to determine Device IDs.
3. Install the devices you want to examine onto the computer where you copied the DeviceID.exe utility.
For example, plug in one or more USB devices, connect a hard drive, and so forth.
4. Run the DeviceID.exe utility from the command line.
For example, if you copied the DeviceID.exe utility to the C:\temp directory, issue the following command:
C:\TEMP>DeviceID

To output the results to a file, issue the following command:


C:\TEMP>DeviceID > deviceids.txt

The file appears in the C:\temp directory and contains the output from the DeviceID process.
5. View the results of the DeviceID process.
The command prompt displays the results for each volume or mount point.
Windows Device ID utility example output
6. Use the DeviceID utility to evaluate the proposed regex string against a device that is currently connected.
Device ID regex evaluation
7. Use the regular expression patterns to configure endpoint devices for detection.

Table 139: Device ID regex evaluation

Command: DeviceID.exe [-m] [Volume] [Regex]
Example: DeviceID.exe -m E:\ "USBSTOR\\DISK&VEN_UFD&PROD_USB_FLASH_DRIVE&REV_1100\\.*"
Note: The regex string needs to be inside quotation marks.
Returns: Match! or Not match!

Using the Mac Device ID utility

Use the Mac Device ID utility to generate regex information. You use this feature to allow the copying of sensitive
information to company-provided external devices like USB drives and SD cards.
1. Obtain the DeviceID utility.
This utility is available with the Mac agent tools package.
About Endpoint tools

2. Copy the DeviceID utility to a computer where you want to determine Device IDs.
3. Install the devices you want to examine onto the computer where you copied the DeviceID utility.
For example, plug in one or more USB devices, connect a hard drive, and so on.
4. Run the DeviceID utility from the Terminal application.
For example, if you copied the DeviceID utility to the Downloads directory, issue the following command, where $HOME is your home directory:
$HOME/Downloads/DeviceID
The output results display information for each volume or mount point in the Terminal application dialog.
5. Review the DeviceID process results.
6. Use the regex information to configure endpoint devices for detection.

Table 140: Mac Device ID utility command and example output

Command: ./DeviceID > deviceids.txt
Example: The tool writes the following information to the deviceids.txt file, based on the attached thumb drive:
• Volume: /Volumes/FAT_USB/
• Type (BUS): USB
• Device ID Regex by Vendor: JetFlash&.*
• Device ID Regex by Model: JetFlash&Mass Storage Device&.*
• Device ID Regex by Serial No: JetFlash&Mass Storage Device&79HCSMJ0RYOHT2FE
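Both utilities emit the same kind of pattern: a Windows Device Instance ID with every backslash doubled (Table 137), optionally with the serial segment replaced by .* so that any unit of that make and model matches (Table 139), or a Vendor&Model&Serial triple cut back to the vendor or model tier (Tables 138 and 140). The following is an added example, not one of the Symantec utilities: POSIX shell functions that derive those patterns from a captured ID and evaluate a pattern against an ID the way DeviceID.exe -m does, printing Match! or Not match!. It assumes the agent matches a pattern against the whole ID string (anchored match), and the function names are the example's own.

```sh
#!/bin/sh
# Added example (not a Symantec tool): build and evaluate the device ID regex
# strings that the DeviceID utilities print, so a proposed pattern can be
# checked against a captured ID before it goes into a policy.
# Assumption: the agent matches the regex against the whole ID string, which
# is what `grep -Ex` does below.

# win_device_regex DEVICE_INSTANCE_ID [exact|vendor]
# Escapes every backslash in a Windows Device Instance ID (the "Dev ID" value)
# to produce the "Regex" value of Table 137. With scope "vendor" the text
# after the last backslash (the serial) is replaced by .* so the pattern
# covers every unit of that vendor/product/revision, as in Table 139.
win_device_regex() {
    if [ "${2:-exact}" = "vendor" ]; then
        printf '%s\n' "$1" | sed -e 's/\\[^\\]*$/\\/' -e 's/\\/\\\\/g' -e 's/$/.*/'
    else
        printf '%s\n' "$1" | sed 's/\\/\\\\/g'
    fi
}

# mac_device_regex VENDOR MODEL SERIAL vendor|model|serial
# Reproduces the three tiers the Mac DeviceID tool prints (Tables 138/140):
# vendor -> "Vendor&.*", model -> "Vendor&Model&.*", serial -> exact triple.
mac_device_regex() {
    case "$4" in
        vendor) printf '%s&.*\n' "$1" ;;
        model)  printf '%s&%s&.*\n' "$1" "$2" ;;
        serial) printf '%s&%s&%s\n' "$1" "$2" "$3" ;;
        *) echo "scope must be vendor, model or serial" >&2; return 2 ;;
    esac
}

# device_regex_match ID REGEX
# Anchored evaluation of REGEX against ID. Prints Match! or Not match! like
# DeviceID.exe -m and returns 0/1 so it can gate a script.
device_regex_match() {
    if printf '%s\n' "$1" | grep -Eqx -- "$2"; then
        echo "Match!"
        return 0
    else
        echo "Not match!"
        return 1
    fi
}
```

A vendor-scoped Windows pattern still pins VEN_, PROD_ and REV_, so a drive of the same model but a different firmware revision gets Not match!; regenerate the pattern from a captured ID rather than editing the REV_ segment by hand.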

Generating Third-party Application Information Using the GetAppInfo Tool


You can use the GetAppInfo.exe tool to generate application information. You use this tool when you add applications
and use the Application Monitoring feature. The Application Monitoring feature monitors data that users move to
applications.
Locate this application in the SymantecDLPWinAgentTools_16.0.1.zip in the DLP\Symantec_DLP_16_Win
\16.0.1_Win\Endpoint\x64 directory.
1. Launch GetAppInfo.exe.
2. Enter the path to the application or click Browse and navigate to it.
3. Click Get Info.
The tool displays the following application information:

• Comments
• InternalName
• CompanyName
• LegalCopyright
• ProductVersion
• FileDescription
• LegalTrademarks
• PrivateBuild
• FileVersion
• OriginalFilename
• SpecialBuild
• PublisherName
4. Retain the application information the tool displays. You use the application information when you add an application
on the Global Application Monitoring screen.

Adding a Windows application


About Application File Access monitoring

Starting Agents That Have Been Shutdown


Start agents that have been shutdown using the start_agent tool.
You can use the start_agent tool to start DLP Agents that run on Mac and Linux endpoints. You use the tool if the agents
have been shut down using the shutdown task on the Agent List screen.
Starting Agents on Mac Endpoints

Locate the start_agent tool in the /Library/Manufacturer/Endpoint Agent directory on the endpoint.
See Generating agent installation packages for more information.
NOTE
You must unzip the Mac agent tools package (Symantec_DLP_16.0.1_Agent_Mac-IN.zip) on a Mac endpoint. You cannot use the tool if the package is unzipped on a Windows endpoint.
1. Set the start_agent tool permissions to be executable.
2. From the Symantec Data Loss Prevention Agent installation directory, run the following command:
sudo ./start_agent

where the installation directory is the directory where you installed Symantec Data Loss Prevention.
3. Go to the Agent List screen and confirm that the agent is running.
Starting Agents on Linux

This tool is available in the /opt/Manufacturer/EndpointAgent directory on the endpoint.


See Generating agent installation packages for more information.
1. Set the start_agent tool permissions to be executable.
2. From the Symantec Data Loss Prevention Agent installation directory, run the following command:
sudo ./start_agent.sh

3. Go to the Agent List screen and confirm that the agent is running.
Related Links
Using the Agent List screen on page 1969
Endpoint Tools on page 319
Work with Symantec DLP Agents using the tools that Symantec Data Loss Prevention provides.

About uninstallation passwords


The uninstallation password prevents unauthorized users from removing the DLP Agent from an endpoint. If an
unauthorized user tries to remove the agent without the password, the agent cannot be removed.
You create or assign the password during agent installation or after installation using the Agent Password Management
screen in the Enforce Server administration console. When you want to remove an agent from an endpoint, the
uninstallation password parameter pop-up window requests the uninstallation password. If you remove agents from a
large number of endpoints using an agent management system, the password must be included in the uninstallation
command line.

Related Links
Generating agent installation packages on page 291
Generate the installation package for DLP Agents on the System > Agents > Agent Packaging screen.
About agent password management on page 330

Using uninstallation passwords


When you want to uninstall a DLP Agent that is password protected, you must enter the correct password before the
uninstallation continues. If you uninstall your agents manually, a pop-up window appears on the endpoint that requests the
password. You must enter the password in this window. If you use system management software, include the password
parameter in the command string.
NOTE
By default, the limit for how many times an administrator can enter the wrong password is 3. If the limit is
exceeded, the uninstallation process quits and the process must be restarted. You can adjust the default value
using the UninstallPassword.RETRY_LIMIT advanced agent setting.

If you want to uninstall a group of agents, specify the uninstallation password in the agent uninstallation command line.
Enter the following parameter in the uninstallation command line:
UNINSTALLPASSWORD="<password>"
where <password> is the password that you specified in the password generator.

An agent command line looks like the following example:


msiexec /uninstall <product code> /q UNINSTALLPASSWORD="<password>"
Related Links
Generating agent installation packages on page 291
Generate the installation package for DLP Agents on the System > Agents > Agent Packaging screen.
About agent password management on page 330
About uninstallation passwords on page 329

Upgrading agents and uninstallation passwords
When you upgrade agents, the uninstallation password that was previously applied is removed. To apply an uninstallation
password, you enter one during the agent packaging process. You can apply a new password using the Agent Password
Management screen.

Related Links
About agent password management on page 330
About uninstallation passwords on page 329

About agent password management


You use the Agent Password Management screen (System > Agents > Agent Passwords) to add or change the DLP
Agent uninstallation password and Endpoint tools password. The uninstallation password prevents unauthorized users
from removing the Symantec DLP Agent. The Endpoint tools password grants access to various agent management tools.
NOTE
Only administrators with the Server Administrator role can use the Agent Password Management screen.
When you create or change a password, the password is applied to the agents when they connect to the Endpoint Server.
Likewise, uninstall passwords or Endpoint tools passwords that are created during the agent packaging process are
retained until the agents connect to the Endpoint Server.
You can disable the uninstall password for select agents on the Agent List screen.
Using the Agent List screen
You can use the Agent Password Management screen to complete the following agent password-related tasks:
• Create a new uninstall or Endpoint tools password if one was not created during the agent packaging process.
Create a new agent uninstall or Endpoint tools password
• Change an existing uninstall password or Endpoint tools password.
Change an existing agent uninstall or Endpoint tools password
• Retain a password created during the agent packaging process. You can choose whether or not to publish an uninstall
password or Endpoint tools password to newly added agents by de-selecting the checkbox for each password.
Retain existing agent uninstall or Endpoint tools passwords
NOTE
The agent uninstall password is supported only on Windows endpoints.

Related Links
Generating agent installation packages on page 291
Generate the installation package for DLP Agents on the System > Agents > Agent Packaging screen.
Endpoint Tools on page 319
Work with Symantec DLP Agents using the tools that Symantec Data Loss Prevention provides.

Installing language packs


Learn about installing language packs.
About Symantec Data Loss Prevention language packs
About locales
Using a non-English language on the Enforce Server administration console

Using the Language Pack Utility

About Symantec Data Loss Prevention language packs


Language packs for Symantec Data Loss Prevention localize the product for a particular language on Windows-based
systems. After a language pack is added to Symantec Data Loss Prevention, administrators can specify it as the system-
wide default. If administrators make multiple language packs available for use, individual users can choose the language
they want to work in.
Using a non-English language on the Enforce Server administration console
Language packs provide the following:
• The locale of the selected language becomes available to administrators and end users in Enforce Server
Configuration screen.
• Enforce Server screens, menu items, commands, and messages appear in the language.
• The Symantec Data Loss Prevention online Help system may be displayed in the language.
Language packs for Symantec Data Loss Prevention are available from Product Downloads at the Broadcom Support
Portal.
CAUTION
When you install a new version of Symantec Data Loss Prevention, any language packs you have installed are
deleted. For a new, localized version of Symantec Data Loss Prevention, you must upgrade to a new version of
the language pack.

Related Links
About locales on page 331
About support for character sets, languages, and locales on page 101

About locales
Locales are installed as part of a language pack.
A locale provides the following:
• Displays dates and numbers in formats appropriate for that locale.
• Sorts lists and reports based on text columns, such as "policy name" or "file owner," alphabetically according to the
rules of the locale.
An administrator can also configure an additional locale for use by individual users. This additional locale need only be
supported by the required version of Java.
For a list of these locales, see https://www.oracle.com/technetwork/java/javase/java8locales-2095355.html.
You use the Language Pack Utility to specify a locale if one is not specified at product installation time.
Using a non-English language on the Enforce Server administration console
About support for character sets, languages, and locales

Using a non-English language on the Enforce Server administration console


The use of locales and languages is specified through the Enforce Server administration console by the following roles:
• Symantec Data Loss Prevention administrator. Specifies that one of the available languages be the default system-
wide language and sets the locale.
• Individual Symantec Data Loss Prevention user. Chooses which of the available locales to use.

NOTE
The addition of multiple language packs could slightly affect Enforce Server performance, depending on the
number of languages and customizations present. This occurs because an additional set of indexes has to be
built and maintained for each language.
WARNING
Do not modify the Oracle database NLS_LANGUAGE and NLS_TERRITORY settings.
About Symantec Data Loss Prevention language packs
About locales
A Symantec Data Loss Prevention administrator specifies which of the available languages is the default system-wide
language.
To choose the default language for all users
1. On the Enforce Server, go to System > Settings > General and click Configure.
The Edit General Settings screen is displayed.
2. Scroll to the Language section of the Edit General Settings screen, and click the button next to the language you
want to use as the system-wide default.
3. Click Save.

Individual Symantec Data Loss Prevention users can choose which of the available languages and locales they want to
use by updating their profiles.
Editing a user profile
Administrators can use the Language Pack Utility to update the available languages.
Using the Language Pack Utility
About support for character sets, languages, and locales
NOTE
If the Enforce Server runs on a Linux host, you must install language fonts on the host machine using the Linux
Package Manager application. Language font packages begin with fonts-<language_name>. For example,
fonts-japanese-0.20061016-4.el5.noarch

Using the Language Pack Utility


To make a specific locale available for Symantec Data Loss Prevention, you add language packs through the Language
Pack Utility.
You run the Language Pack Utility from the command line. Its executable, LanguagePackUtility.exe, resides in one
of the following directories based on your platform:
• Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\bin
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/bin
To use the Language Pack Utility, you must have Read, Write, and Execute permissions on the folders and subfolders
listed below (for your platform):
• Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000
If you are running the utility on Linux, you must be a root user.

To display help for the utility, such as the list of valid options and their flags, enter LanguagePackUtility without any
flags.
NOTE
Running the Language Pack Utility causes the SymantecDLPManagerService and
SymantecDLPIncidentPersisterService services to stop for as long as 20 seconds. Any users who are
logged on to the Enforce Server administration console are logged out automatically. When finished making its
updates, the utility restarts the services automatically, and users can log back on to the administration console.
Language packs for Symantec Data Loss Prevention can be obtained from Product Downloads at the Broadcom Support
Portal.

NOTE
Administrators can make available only one additional locale that is not backed by an installed Symantec Data
Loss Prevention language pack (see the -c flag below).
About support for character sets, languages, and locales

Add a language pack on Windows


1. Advise other users that anyone currently using the Enforce Server administration console must save their work and log
off.
2. Run the Language Pack Utility with the -a flag followed by the name of the ZIP file for that language pack. Enter:
LanguagePackUtility -a filename

Where filename is the fully qualified path and name of the language pack ZIP file.
For example, if the Japanese language pack ZIP file is stored in c:\temp, add it by entering:
LanguagePackUtility -a c:\temp\Symantec_DLP_16.0.1_Japanese.zip

To add multiple language packs during the same session, specify multiple fully qualified file names separated by
spaces, for example:
LanguagePackUtility -a c:\temp\Symantec_DLP_16.0.1_Japanese.zip c:\temp\Symantec_DLP_16.0.1_Chinese.zip

3. Log on to the Enforce Server administration console and confirm that the new language option is available on the Edit
General Settings screen. To do this, go to System > Settings > General > Configure > Edit General Settings.

Add a language pack on Linux


1. Advise other users that anyone currently using the Enforce Server administration console must save their work and log
off.
2. Open a terminal session to the Enforce Server host and switch to the DLP_system_account by running the following
command:
su - DLP_system_account
3. Run the following command:
DLP_home/Protect/bin/LanguagePackUtility -a <path to language pack zip file>

4. Log on to the Enforce Server administration console and confirm that the new language option is available on the Edit
General Settings screen. To do this, go to System > Settings > General > Configure > Edit General Settings.

Remove a language pack


1. Advise users that anyone currently using the Enforce Server administration console must save their work and log off.
2. Run the Language Pack Utility with the -r flag followed by the Java locale code of the language pack you want to
remove. Enter:
LanguagePackUtility -r locale

Where locale is a valid Java locale code corresponding to a Symantec Data Loss Prevention language pack.
For example, to remove the French language pack enter:
LanguagePackUtility -r fr_FR

To remove multiple language packs during the same session, specify multiple locale codes separated by
spaces.
3. Log on to the Enforce Server administration console and confirm that the language pack is no longer available on the
Edit General Settings screen. To do this, go to System > Settings > General > Configure > Edit General Settings.
Change the alternate locale


1. Advise users that anyone currently using the Enforce Server administration console must save their work and log off.
2. Run the Language Pack Utility using the -c flag followed by the Java locale code for the locale that you want to
change or add. Enter:
LanguagePackUtility -c locale

Where locale is a valid locale code that is recognized by Java, such as pt_PT for Portuguese.
For example, to change the locale to Brazilian Portuguese enter:
LanguagePackUtility -c pt_BR

3. Log on to the Enforce Server administration console and confirm that the new alternate locale is now available on the
Edit General Settings screen. To confirm the locale, go to System > Settings > General > Configure > Edit General
Settings.
If you specify a locale for which there is no language pack, "Translations not available" appears next to
the locale name. This means that formatting and sort order are appropriate for the locale, but the Enforce Server
administration console screens and online Help are not translated.
Related Links
About Symantec Data Loss Prevention language packs on page 331

Post-installation tasks
About post-installation tasks
Backing up your system after installation
About post-installation security configuration
About System Events and Syslog Servers
Enforce Servers and unused NICs
Performing initial setup tasks on the Enforce Server
About updating the JRE to the latest version

About FIPS encryption
Configuring Internet Explorer when using FIPS

About post-installation tasks


You must perform certain required tasks after a product installation or upgrade is complete. There are also some optional
post-installation tasks that you might want to perform.
Backing up your system after installation
About post-installation security configuration
About System Events and Syslog Servers
Enforce Servers and unused NICs (only applies to Windows platforms)
Performing initial setup tasks on the Enforce Server
NOTE
The Enforce Server administration console requires the use of cookies. Ensure that you have enabled cookies in
the web browser you use to access the Enforce Server administration console.

Backing up your system after installation


Symantec recommends that administrators perform backups of their entire system immediately after completing
the migration or installation processes.
See Maintaining the DLP System for information on backing up your system.

About post-installation security configuration


Symantec Data Loss Prevention secures communications between all Symantec Data Loss Prevention servers. This task
is accomplished by encrypting the transmitted data and requiring servers to authenticate with each other.
Symantec Data Loss Prevention also secures data communications and authenticates between the Endpoint Server and
Symantec DLP Agent.
Although the default installation is secure, Symantec recommends that you change your system's default security settings
to use unique certificates or keys.
About browser certificates
Symantec Data Loss Prevention Directory and File Exclusion from Antivirus Scans
Corporate firewall configuration

About server security and SSL/TLS certificates


Symantec Data Loss Prevention uses Transport Layer Security (TLS, historically called SSL) to encrypt all data that
is transmitted between servers and to authenticate the servers to each other. Authentication is mutual: every server
must present a certificate, and every server verifies the certificate that its peer presents.
The Enforce Server administration console web application enables users to view and manage incidents and policies
and to configure Symantec Data Loss Prevention. You access this interface with a web browser over HTTPS. During the
TLS handshake the browser verifies the Enforce Server's certificate, the two sides negotiate the cipher suite (key
exchange, encryption algorithm, key size, and integrity check), and they derive the session keys. All application data
that follows is encrypted with those symmetric session keys, which are never sent over the network in the clear.

In this documentation the term "certificate" is often used for the keystore file (protected by a keystore password)
that holds a server's private key together with its certificate; the terms "certificate" and "keystore file" are used
interchangeably. By default, all the connections between the Symantec Data Loss Prevention servers, and between the
Enforce Server and the browser, use a self-signed certificate that is embedded inside the Symantec Data Loss
Prevention software. By default, every Symantec Data Loss Prevention server at every customer installation uses this
same certificate. Because that default keystore, private key included, ships with every copy of the product, it provides
encryption but cannot prove that the peer at the other end of a connection is one of your own servers. Symantec therefore
provides the keytool and sslkeytool utilities so that you can replace it with certificates that are unique to your
installation:
• The keytool utility generates a new certificate to encrypt communication between your web browser and the Enforce
Server. This certificate is unique to your installation.
About browser certificates
Generating a unique browser certificate
• The sslkeytool utility generates new SSL server certificates to secure communications between your Enforce Server
and your detection servers. These certificates are unique to your installation. The new certificates replace the single
default certificate that comes with all Symantec Data Loss Prevention installations. You store one certificate on the
Enforce Server, and one certificate on each detection server in your installation.
NOTE
Symantec recommends that you create dedicated certificates for communication with your Symantec Data
Loss Prevention servers. When you configure the Enforce Server to use a generated certificate, all detection
servers in your installation must also use generated certificates. You cannot use generated certificates with
some detection servers and the built-in certificate with others.
NOTE
If you install a Network Prevent detection server in a hosted environment, you must generate unique
certificates for your Symantec Data Loss Prevention servers. You cannot use the built-in certificate to
communicate with a hosted Network Prevent server.
About the sslkeytool utility and server certificates
Using sslkeytool to generate new Enforce Server and detection server certificates
About post-installation tasks
You may also need to secure communications between Symantec Data Loss Prevention servers and other servers such
as those used by Active Directory or a Mail Transfer Agent (MTA).

About browser certificates

A web browser using a secure connection (HTTPS) requires the server to present an SSL/TLS certificate. The certificate
can be self-signed or signed by a certificate authority. It binds the Enforce Server's public key to the server's DNS
name, so the browser can authenticate the server and set up an encrypted session, and it lets browsers cache the
server's public key in certificate form. A certificate signed by a certificate authority that the browser already trusts
is verified automatically, so the browser does not issue a warning when you connect to the Enforce Server
administration console. With a self-signed certificate, the browser issues a warning and asks whether you want to
connect.
The default certificate installed with Symantec Data Loss Prevention is a standard, self-signed certificate. This certificate
is embedded securely inside the Symantec Data Loss Prevention software. By default, all Symantec Data Loss Prevention
installations at all customer sites use this same certificate. Symantec recommends that you replace the default certificate
with a new, unique certificate for your organization’s installation. The new certificate can be either self-signed or signed by
a certificate authority.
Generating a unique browser certificate
About server security and SSL/TLS certificates

Generating a unique browser certificate
By default, connections between the Enforce Server and the browser use a single, self-signed certificate. This certificate is
embedded securely inside the Symantec Data Loss Prevention software.
The keytool utility manages keys and certificates. This utility enables users to administer their own public and private key
pairs and associated certificates for use in self-authentication.
1. Collect the following information:
• Common Name: The fully qualified DNS name of the Enforce Server. This must be the actual host name that all
clients use to reach the server, with no scheme, path, or port.
For example, Server_name (the host name only), not https://Server_name.
• Organization Name: The name of your company or organization.
For example, Acme, Inc.
• Organizational unit : The name of your division, department, unit, etc. (Optional)
For example, Engineering
• City: The city, town, or area where you are located.
For example, San Francisco
• State: The name of your state, province, or region.
For example, California or CA
• Country: Your two-letter country code.
For example, US
• Expiration: The certificate expiration time in number of days.
For example: 90
2. Stop all the Symantec DLP services on the Enforce Server.
3. On the Enforce Server, go to the bin directory of the bundled JRE for your platform:
• Windows: C:\Program Files\AdoptOpenJRE\[JRE version]\bin
• Linux: /opt/AdoptOpenJRE/[JRE version]/bin
The keytool program is located in this directory.
4. Use keytool to create the self-signed certificate (keystore file). The same keystore can later be used to request a
certificate from a certificate authority.
From within the bin directory, run the following command with the information collected earlier. If the bin directory
is not on your PATH, run the program from the current directory as ./keytool (Linux) or .\keytool (Windows PowerShell):
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore .keystore -validity NNN -storepass protect -dname "CN=common_name, O=organization_name, OU=organization_unit, L=city, S=state, C=XX"

Where:

• The -alias parameter specifies the name of this certificate key. This name is used to identify this certificate when
you run other keytool commands. The value for the -alias parameter must be tomcat.
• The -keystore parameter specifies the name and location of the keystore file, which must be .keystore located
in this directory. This is specified by using -keystore .keystore
• The -keyalg parameter specifies the algorithm to be used to generate the key pair. In this case, the algorithm to
specify is RSA.
• The -keysize parameter specifies the size of the key pair in bits. Use 2048 or larger; 1024-bit RSA keys are below
the minimum that current browsers and certificate authorities accept.
• The -validity parameter specifies the number of days the certificate is good for. For example, -validity 365
specifies that the certificate is good for 365 days (or one year). The number of days you choose to specify for the
-validity parameter is up to you. If a certificate is used for longer than the number of days specified by -validity,
the browser reports it as expired when it accesses the Enforce Server administration console. The
best practice is to replace a certificate before it expires.
• The -storepass parameter specifies the password used to protect the integrity of the keystore.
Use a password other than "protect" ("protect" is the documented default and therefore known to anyone who reads this
guide) and enter it for the -storepass parameter. You must also update the following files to use the password:
– protect.properties located at ../Protect/config
Update the com.vontu.manager.tomcat.keystore.password line so that its value is your password.
– server.xml located at ../tomcat/conf
Update the keystorePass attribute so that its value is your password.
• The -dname parameter specifies the X.500 Distinguished Name to be associated with this alias. It is used as
the issuer and subject fields in a self-signed certificate. The attributes that follow make up the value of the -dname
parameter. If an attribute value contains a comma (for example, Acme, Inc.), escape it with a backslash (O=Acme\, Inc.)
so that keytool does not read the text after the comma as another attribute.
• The CN attribute specifies the fully qualified DNS name of the Enforce Server that you collected in step 1, not a
person's name. For example, CN=Server_name
• The O attribute specifies your organization's name. For example, O=Acme Inc.
• The OU attribute specifies your organization's unit or division name. For example, OU=Engineering Department
• The L attribute specifies your city. For example, L=San Francisco
• The S attribute specifies your state or province (keytool also accepts ST). For example, S=California
• The C attribute specifies the two-letter country code of your country. For example, C=US
• If you are asked for a key password, press Return to make the key password the same as the keystore
password.
An updated .keystore file is generated.
5. (Optional) Rename or move the existing .keystore file out of the conf directory (\Protect\tomcat\conf on Windows or
Protect/tomcat/conf on Linux) so that you can restore it if needed.
6. Copy the updated .keystore file into the conf directory for your platform:
• Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat\conf
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/tomcat/conf
7. Restart the Symantec DLP services on the Enforce Server.
Symantec Data Loss Prevention Services

As an alternative to using a self-signed certificate, you can use a certificate issued by an internal or external certificate
authority (CA). Consult your certificate authority for instructions on how to obtain a CA-signed certificate. Certificate
authorities provide a root certificate and a signed certificate. Import them into the same .keystore file that holds the
tomcat key pair, root certificate first, using the following commands:
keytool -import -alias root -keystore .keystore -trustcacerts -file root_certificate
keytool -import -alias tomcat -keystore .keystore -trustcacerts -file signed_certificate
If the CA signs with an intermediate certificate, import it under its own alias after the root and before the signed
certificate; keytool rejects the signed certificate if it cannot build the chain back to a trusted root. Then repeat
steps 5 through 7 to install the updated keystore.
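The self-signed procedure above and the CA import that follows it share a few pitfalls: a CN that is a URL rather than a host name, a 1024-bit key, the documented default keystore password, and a comma inside an organization name such as "Acme, Inc." that keytool would parse as a second attribute. The following pre-flight script is an added example, not Symantec code: it validates the values collected in step 1, escapes them for the -dname argument, and assembles the keytool command lines (including a -certreq call for obtaining a CA-signed certificate, which the page mentions but does not spell out) so they can be reviewed before anything touches the keystore. The host name enforce.example.com, the file names root.cer, intermediate.cer, enforce.cer and enforce.csr, and the sample password are assumptions for illustration.

```python
"""Pre-flight check for the Enforce Server browser-certificate keystore.

Validates the values collected in step 1, escapes them for keytool's -dname
argument, and assembles the keytool command lines so they can be reviewed
before anything touches the keystore. Nothing here runs keytool.
"""
import re
import shlex
from dataclasses import dataclass

# RFC 1123 host-name grammar, used to reject URLs and bad labels in the CN.
_HOSTNAME = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


@dataclass
class CertRequest:
    common_name: str        # fully qualified DNS name of the Enforce Server
    organization: str
    org_unit: str           # optional; "" omits the OU attribute
    city: str
    state: str
    country: str            # two-letter code, e.g. US
    validity_days: int
    key_size: int = 2048    # 1024-bit RSA is below today's minimum
    store_pass: str = "protect"


def validate(req: CertRequest) -> list[str]:
    """Return the problems found; an empty list means the request is sound."""
    problems = []
    cn = req.common_name
    if "://" in cn or "/" in cn:
        problems.append("CN must be the bare DNS name of the server, not a URL")
    elif not _HOSTNAME.match(cn):
        problems.append(f"CN {cn!r} is not a valid host name")
    elif "." not in cn:
        problems.append("CN should be fully qualified (host.domain.example)")
    if req.key_size < 2048:
        problems.append(f"RSA key size {req.key_size} is below the 2048-bit minimum")
    if req.validity_days < 1:
        problems.append("validity must be at least one day")
    if not (len(req.country) == 2 and req.country.isalpha()):
        problems.append("country must be a two-letter code such as US")
    if not req.organization.strip():
        problems.append("organization name is required")
    if req.store_pass == "protect":
        problems.append("keystore password is the documented default 'protect'; "
                        "use a unique one and update protect.properties and server.xml")
    return problems


def escape_dn_value(value: str) -> str:
    """Escape one attribute value per RFC 4514 so keytool parses the DN as intended.

    The page's sample organization 'Acme, Inc.' contains a comma; left
    unescaped, keytool would treat ' Inc.' as a second, malformed attribute.
    """
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if value.startswith(("#", " ")):   # leading '#' or space must be escaped
        out = "\\" + out
    if value.endswith(" "):            # so must a trailing space
        out = out[:-1] + "\\ "
    return out


def build_dname(req: CertRequest) -> str:
    attrs = [("CN", req.common_name), ("O", req.organization), ("OU", req.org_unit),
             ("L", req.city), ("ST", req.state), ("C", req.country)]
    return ", ".join(f"{k}={escape_dn_value(v)}" for k, v in attrs if v)


def build_keytool_commands(req: CertRequest, keystore: str = ".keystore") -> list[list[str]]:
    """argv lists for generating the key pair (step 4) and, optionally later,
    requesting a CA-signed certificate for that same key (-certreq)."""
    problems = validate(req)
    if problems:
        raise ValueError("; ".join(problems))
    genkeypair = ["keytool", "-genkeypair", "-alias", "tomcat", "-keyalg", "RSA",
                  "-keysize", str(req.key_size), "-keystore", keystore,
                  "-validity", str(req.validity_days), "-storepass", req.store_pass,
                  # equivalent to pressing Return at the key-password prompt in step 4
                  "-keypass", req.store_pass, "-dname", build_dname(req)]
    certreq = ["keytool", "-certreq", "-alias", "tomcat", "-keystore", keystore,
               "-storepass", req.store_pass, "-file", "enforce.csr"]
    return [genkeypair, certreq]


def build_ca_import_commands(keystore: str, root_file: str, signed_file: str,
                             intermediate_files: tuple[str, ...] = ()) -> list[list[str]]:
    """Import order matters: root, then any intermediates, then the signed reply."""
    cmds = [["keytool", "-import", "-alias", "root", "-keystore", keystore,
             "-trustcacerts", "-file", root_file]]
    for i, inter in enumerate(intermediate_files, 1):
        cmds.append(["keytool", "-import", "-alias", f"intermediate{i}", "-keystore",
                     keystore, "-trustcacerts", "-file", inter])
    cmds.append(["keytool", "-import", "-alias", "tomcat", "-keystore", keystore,
                 "-trustcacerts", "-file", signed_file])
    return cmds


if __name__ == "__main__":
    # Constructed sample values; enforce.example.com is an assumed host name.
    req = CertRequest("enforce.example.com", "Acme, Inc.", "Engineering",
                      "San Francisco", "California", "US", 365, store_pass="R3place-me")
    for argv in build_keytool_commands(req) + build_ca_import_commands(
            ".keystore", "root.cer", "enforce.cer", ("intermediate.cer",)):
        print(shlex.join(argv))   # POSIX quoting; quote by hand for cmd.exe
```

The -genkeypair subcommand is the current name for the -genkey shown in step 4 (recent JDKs accept both). Passing -keypass explicitly makes the command non-interactive; the page's "press Return" step achieves the same result.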
About server security and SSL/TLS certificates

About Symantec Data Loss Prevention and antivirus software


Symantec recommends installing antivirus software on your Symantec Data Loss Prevention servers. However, antivirus
software may interpret Symantec Data Loss Prevention activity as virus-like behavior. Therefore, certain files and
directories must be excluded from antivirus scans. These files and directories include the Symantec Data Loss Prevention
and Oracle directories on your servers. If you do not have antivirus software installed on your Symantec Data Loss
Prevention servers (not recommended), you can skip these antivirus-related post-installation tasks.
Symantec Data Loss Prevention Directory and File Exclusion from Antivirus Scans
Oracle directory and file exclusion from antivirus scans
About post-installation tasks

Symantec Data Loss Prevention Directory and File Exclusion from Antivirus Scans

Exclude directories from antivirus scanning to ensure that Symantec Data Loss Prevention functions as expected.
Consult your antivirus software documentation for information on how to exclude directories and files from antivirus scans.
About Symantec Data Loss Prevention and antivirus software

Paths to Exclude on the Enforce Server


Using your antivirus software, exclude the Enforce Server directories that are listed in the following table
from antivirus scanning. Exclude each directory together with its subdirectories.

Table 141: Paths to Exclude on the Enforce Server

Windows:
\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\logs
\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\scan
\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat
\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat\temp
\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat\work
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\incidents
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\index

Linux:
/var/log/Symantec/DataLossPrevention
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/scan
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/temp
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/tomcat
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/tomcat/temp
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/tomcat/work
/var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/incidents
/var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/index

Related Links
Oracle directory and file exclusion from antivirus scans on page 341

Paths to Exclude on Detection Servers


Using your antivirus software, exclude the detection server directories that are listed in the following table
from antivirus scanning. Exclude each directory together with its subdirectories.

Table 142: Paths to Exclude on the Detection Server

Windows:
\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\drop
\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\spool\ICAP
\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\spool\PacketCapture
\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\incidents
\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\index
\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs
\Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\temp

Linux:
/opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect
/opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/temp
/var/spool/Symantec/DataLossPrevention/DetectionServer/16.0.10000/drop
/var/spool/Symantec/DataLossPrevention/DetectionServer/16.0.10000/icap_spool
/var/spool/Symantec/DataLossPrevention/DetectionServer/16.0.10000/packet_spool
/var/Symantec/DataLossPrevention/DetectionServer/16.0.10000/incidents
/var/Symantec/DataLossPrevention/DetectionServer/16.0.10000/index

Paths to Exclude on Network Discover Clusters


Using your antivirus software, exclude the Network Discover cluster directories that are listed in the following table
from antivirus scanning. Exclude each directory together with its subdirectories.

Table 143: Paths to Exclude on Network Discover Clusters

Windows:
\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\IgniteStorage
\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\IgniteWork

Linux:
/opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/IgniteStorage
/opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/IgniteWork

Paths to Exclude for OCR Scanning

If you are using the Windows platform and using your antivirus software, remove the following OCR directory
from antivirus scanning, if applicable:
C:\SymantecDLPOCR\

Oracle directory and file exclusion from antivirus scans

When the Symantec Data Loss Prevention application accesses files and directories, it can appear to antivirus software
as if it were a virus. Therefore, you must exclude certain directories from antivirus scans on Symantec Data Loss
Prevention servers.
Using your antivirus software, exclude the following Oracle directories from antivirus scanning:
• Windows:
– C:\app\Administrator\oradata\protect
– C:\app\Administrator\product\<version>\dbhome_1
Where <version> is the Oracle software version you are running.
• Linux:
– /opt/oracle/oradata/protect
– /opt/oracle/product/<version>/db_1
Where <version> is the Oracle software version you are running.
Most of the Oracle files to be excluded are located in these directories, but additional files are located in other directories.
Use the Oracle Enterprise Manager (OEM) to check for additional files and exclude their directories from antivirus
scanning. Use OEM to view the location of the following database files:
• Data files, which have the file extension *.DBF
• Control files, which have the file extension *.CTL
• Online redo log files, which have the file extension *.LOG (for example, REDO01.LOG)
Exclude all the directories with these files from antivirus scanning.
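The exclusion tables above are only useful if the antivirus console actually contains every entry, and exports from such consoles tend to spell paths differently from the tables (drive-qualified, lower-case, trailing separator, or a parent directory that implicitly covers several listed subdirectories). The following audit script is an added example, not Symantec code: REQUIRED_WINDOWS and REQUIRED_LINUX reproduce Table 141 plus the OCR directory for the 16.0.10000 layout, and CONFIGURED_WINDOWS and CONFIGURED_LINUX are constructed samples standing in for an exported exclusion list. An exclusion is taken to cover a required directory when it names that directory or one of its ancestors, which is how recursive folder exclusions behave; if your product does not apply folder exclusions recursively, list each subdirectory explicitly.

```python
"""Audit an antivirus exclusion list against the Enforce Server paths in Table 141.

REQUIRED_* copy the page's table (16.0.10000 layout) plus the OCR directory;
CONFIGURED_* are constructed samples standing in for an AV console export.
"""
from pathlib import PureWindowsPath, PurePosixPath

_ENF_WIN = r"\Symantec\DataLossPrevention\EnforceServer\16.0.10000"
_COM_WIN = r"\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000"
REQUIRED_WINDOWS = [
    r"\ProgramData" + _ENF_WIN + r"\logs",
    r"\ProgramData" + _ENF_WIN + r"\scan",
    r"\Program Files" + _ENF_WIN + r"\Protect\tomcat",
    r"\Program Files" + _ENF_WIN + r"\Protect\tomcat\temp",
    r"\Program Files" + _ENF_WIN + r"\Protect\tomcat\work",
    r"\ProgramData" + _COM_WIN + r"\incidents",
    r"\ProgramData" + _COM_WIN + r"\index",
    "C:\\SymantecDLPOCR",
]
_ENF_LIN = "/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect"
_COM_LIN = "/var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000"
REQUIRED_LINUX = [
    "/var/log/Symantec/DataLossPrevention",
    _ENF_LIN + "/scan", _ENF_LIN + "/temp", _ENF_LIN + "/tomcat",
    _ENF_LIN + "/tomcat/temp", _ENF_LIN + "/tomcat/work",
    _COM_LIN + "/incidents", _COM_LIN + "/index",
]

# Constructed: a partially configured Windows host (drive-qualified, mixed case,
# trailing separator). The tomcat entry implicitly covers tomcat\temp and \work.
CONFIGURED_WINDOWS = [
    "C:\\ProgramData\\Symantec\\DataLossPrevention\\EnforceServer\\16.0.10000\\logs",
    "c:\\program files\\symantec\\datalossprevention\\enforceserver\\16.0.10000\\protect\\tomcat",
    "C:\\SymantecDLPOCR\\",
]
# Constructed: a Linux host whose administrator excluded three parent directories.
CONFIGURED_LINUX = [
    "/var/log/Symantec",
    "/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect",
    "/var/Symantec/DataLossPrevention",
]


def _parts(path: str, windows: bool) -> tuple[str, ...]:
    """Split into components, dropping the drive or root anchor so that
    '\\ProgramData\\x' and 'C:\\ProgramData\\x' compare equal; fold case on Windows
    (NTFS is case-insensitive, Linux file systems are not)."""
    p = PureWindowsPath(path) if windows else PurePosixPath(path)
    parts = p.parts[1:] if p.anchor else p.parts
    return tuple(s.lower() for s in parts) if windows else tuple(parts)


def covers(exclusion: str, required: str, windows: bool) -> bool:
    """True if `exclusion` is `required` itself or one of its ancestors."""
    e, r = _parts(exclusion, windows), _parts(required, windows)
    return len(e) <= len(r) and r[:len(e)] == e


def missing_exclusions(required, configured, windows: bool) -> list[str]:
    """Required directories that no configured exclusion covers, in table order."""
    return [r for r in required if not any(covers(c, r, windows) for c in configured)]


if __name__ == "__main__":
    for name, req, cfg, win in (("Windows", REQUIRED_WINDOWS, CONFIGURED_WINDOWS, True),
                                ("Linux", REQUIRED_LINUX, CONFIGURED_LINUX, False)):
        gaps = missing_exclusions(req, cfg, win)
        print(f"{name}: {len(gaps)} required path(s) not excluded")
        for g in gaps:
            print("  " + g)
```

Extending the check to Tables 142 and 143 is a matter of adding their rows to the REQUIRED_* lists; the comparison logic is the same.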
About Symantec Data Loss Prevention and antivirus software
Symantec Data Loss Prevention Directory and File Exclusion from Antivirus Scans
About post-installation tasks

Corporate firewall configuration


If the Enforce Server is installed inside your corporate LAN behind a firewall and your detection servers are installed in the
DMZ, your corporate firewall settings need to:
• Allow connections from the Enforce Server on the corporate network to the detection servers in the DMZ. Configure
your firewall to accept connections on the port you entered when installing the detection servers. By default, the
Enforce Server and the detection servers communicate over TCP port 8100. You can configure the servers to use any port
higher than 1024. Use the same port number for all your detection servers.
• Allow Windows Remote Desktop connections (TCP port 3389) to Windows detection servers if you need them for setup
purposes. Restrict this rule to administrative source addresses and remove it once setup is complete. Port 3389 is not
needed for Linux hosts.
Detection servers communicate with the Enforce Server over a single port number. Port 8100 is the default, but you can
configure Symantec Data Loss Prevention to use any port higher than 1024. Review your firewall settings and close any
ports that are not required for communication between the Enforce Server and the detection servers.

Windows security lockdown guidelines


You should complete a set of hardening procedures after you install or upgrade a Symantec Data Loss Prevention server.
Adapt these guidelines to suit your organization’s standards for secure communications and hardening procedures.
The following Windows services must be running:

• Alerter
• COM+ Event System
• DCOM Server Process Launcher
• Defwatch for Symantec (may not always be present)
• DNS Client
• Event log
• Interix Subsystem Startup (for UNIX Services for Windows for RAs)
• IPSEC Services
• Logical Disk Manager
• Network connections
• OracleOraDb11g_home1TNSListener
The service name is different if you use a non-default Oracle home directory.
• OracleServicePROTECT (on the Enforce Server only)
• Plug and play
• Protected Storage
• Remote procedure call (RPC)
• Removable Storage
• Security Accounts Manager
• Server (required only for Enforce if EDMs are used)
• Symantec AntiVirus
• System Event Notification
• Task Scheduler
• TCP/IP NetBIOS Helper Service
• Terminal Services
• User Name Mapping (for UNIX Services for Windows for RAs)
• SymantecDLPIncidentPersisterService (for Enforce Server only)
• SymantecDLPManagerService (for Enforce Server only)
• SymantecDLPDetectionServerService (for detection servers only)
• SymantecDLPNotifierService (for Enforce Server only)
• Windows Management (Instrumentation)
• Windows Management (Instrumentation Driver Extensions Workstation)
• Windows Time (required if no alternative Enforce/detection server system clock synchronization is implemented)
• Workstation (required for Alerter Service)
The following Windows services should be disabled:
• Dist. File System
• Dist. Link Tracking Client
• Dist. Link Tracking Server
• Dist. Transaction Coordinator
• Error Reporting Service
• Help & Support
• Messenger
• Print Spooler
• Remote Registry
• Wireless Config
Consult your Windows Server documentation for information on these services. Several names in these lists (for example
Alerter, Messenger, Removable Storage, and Terminal Services) date from earlier Windows Server releases and are absent
or renamed on current versions; ignore entries that do not exist on your host.

Windows Administrative security settings
The following tables provide recommended administrative settings available on a Microsoft Windows system for additional
security hardening.
Consult your Windows Server documentation for information on these settings.
The Local Policy settings are described in the following tables:

Table 144: Security settings > Account Policies > Account Lockout Policy

Policy | Recommended security setting
Account lockout duration | 0 (the account stays locked until an administrator unlocks it)
Account lockout threshold | 3 invalid logon attempts
Reset account lockout counter after | 15 minutes

Table 145: Security settings > Account Policies > Password Policy

Password policy | Recommended security setting
Enforce password history | 24 passwords remembered
Maximum password age | 60 days
Minimum password age | 2 days
Minimum password length | 10 characters
Password must meet complexity requirements | Enabled
Store passwords using reversible encryption | Disabled

Table 146: Security settings > Local Policies > Audit Policy

Local audit | Recommended security setting
Audit account logon events | Success, Failure
Audit account management | Success, Failure
Audit directory service access | Success, Failure
Audit logon events | Success, Failure
Audit object access | Success, Failure
Audit policy change | Success, Failure
Audit privilege use | Success, Failure
Audit process tracking | No auditing
Audit system events | Success, Failure

Table 147: Security settings > Local Policies > User rights assignment

User rights assignment | Recommended security setting (accounts granted the right; "(none)" means no accounts)
Access this computer from the network | Everyone, Administrators, Users, Power Users, Backup Operators
Act as part of the operating system | (none)
Add workstations to domain | (none)
Adjust memory quotas for a process | LOCAL SERVICE, NETWORK SERVICE, Administrators
Allow log on locally | Administrators, Users, Power Users, Backup Operators
Allow log on through Terminal Services | Administrators, Remote Desktop Users
Back up files and directories | Administrators, Backup Operators
Bypass traverse checking | Everyone, Administrators, Users, Power Users, Backup Operators
Change the system time | Administrators, Power Users
Create a page file | Administrators
Create a token object | (none)
Create global objects | Administrators, SERVICE
Create permanent shared objects | (none)
Debug programs | Administrators
Deny access to this computer from the network | (none)
Deny log on as a batch job | (none)
Deny log on as a service | (none)
Deny log on locally | (none)
Deny log on through Remote Desktop Services | (none)
Enable computer and user accounts to be trusted for delegation | (none)
Force shutdown from a remote system | Administrators
Generate security audits | LOCAL SERVICE, NETWORK SERVICE
Impersonate a client after authentication | Administrators, SERVICE
Increase scheduling priority | Administrators
Load and unload device drivers | Administrators
Lock pages in memory | (none)
Log on as a batch job | LOCAL SERVICE
Log on as a service | NETWORK SERVICE
Manage auditing and security log | Administrators
Modify firmware environment values | Administrators
Perform volume maintenance tasks | Administrators
Profile single process | Administrators, Power Users
Profile system performance | Administrators
Remove computer from docking station | Administrators, Power Users
Replace a process level token | LOCAL SERVICE, NETWORK SERVICE
Restore files and directories | Administrators, Backup Operators
Shut down the system | Administrators, Power Users, Backup Operators
Synchronize directory service data | (none)
Take ownership of files or other objects | Administrators

Table 148: Security settings > Local Policies > Security options

Security options | Recommended security setting
Accounts: Administrator account status | Enabled
Accounts: Guest account status | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Enabled
Accounts: Rename administrator account | protectdemo (a sample name; choose your own)
Accounts: Rename guest account | Guest
Audit: Audit the access of global system objects | Disabled
Audit: Audit the use of Backup and Restore privilege | Disabled
Audit: Shut down system immediately if unable to log security audits | Disabled
Devices: Allow undock without having to log on | Enabled
Devices: Allowed to format and eject removable media | Administrators
Devices: Prevent users from installing printer drivers | Enabled
Devices: Restrict CD-ROM access to locally logged-on user only | Enabled
Devices: Restrict floppy access to locally logged-on user only | Enabled
Devices: Unsigned driver installation behavior | Do not allow installation
Domain controller: Allow server operators to schedule tasks | Enabled
Domain controller: LDAP server signing requirements | Not Defined
Domain controller: Refuse machine account password changes | Not Defined
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled
Domain member: Disable machine account password changes | Disabled
Domain member: Maximum machine account password age | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Enabled
Interactive logon: Do not display last user name | Enabled
Interactive logon: Do not require CTRL+ALT+DEL | Disabled
Interactive logon: Message text for users attempting to log on | (not specified)
Interactive logon: Message title for users attempting to log on | Not Defined
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 10 logons
Interactive logon: Prompt user to change password before expiration | 14 days
Interactive logon: Require domain controller authentication to unlock workstation | Disabled
Interactive logon: Require smart card | Disabled
Interactive logon: Smart card removal behavior | Force Logoff
Microsoft network client: Digitally sign communications (always) | Enabled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled
Microsoft network server: Amount of idle time required before suspending session | 15 minutes
Microsoft network server: Digitally sign communications (always) | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled
Microsoft network server: Disconnect clients when logon hours expire | Enabled
Network access: Allow anonymous SID/Name translation | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Disabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Disabled
Network access: Let Everyone permissions apply to anonymous users | Disabled
Network access: Named Pipes that can be accessed anonymously | COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, TrkSvr
Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion
Network access: Remotely accessible registry paths and sub-paths | System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog

About post-installation tasks

About System Events and Syslog Servers


Symantec Data Loss Prevention enables you to send severe system events to a syslog server. Configuring a syslog
server in this manner can be helpful after installation to help identify problems with the initial deployment. To enable syslog
logging, you must modify the Manager.properties file in the config directory.
See Maintaining the DLP System.
NOTE
As an alternative to syslog logging, you can configure Symantec Data Loss Prevention to send email
notifications of severe system events.

Enforce Servers and unused NICs


If the Enforce Server has multiple NICs, disable the unused NICs if possible. If an unused NIC cannot be disabled, make
the following changes to the properties files. These changes enable the detection servers to talk to the Enforce Server
on the intended address.

On the Enforce Server, in \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\protect\config\model.properties:
model.notification.host=IP
model.notification.serverobject.host=IP

On the detection server, in \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\protect\config\model.properties:
model.notification.host=IP

and in \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\protect\bin\NotificationTrafficMonitor.lax:
lax.command.line.args=IP:37328

Where IP is the IP address that you want to bind on.
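As an added check that is not part of the Symantec procedure, the following Python script parses the two files named above and verifies that the three bind-address settings agree, that each is an IP literal rather than the wildcard address (which would defeat binding to one NIC), and that the .lax argument carries port 37328. The file contents embedded below are constructed samples; the script assumes both files are plain key=value properties files.

```python
"""Consistency check for the Enforce Server bind-address settings above.

Added example, not Symantec's code. Assumptions (not stated on the page):
the two files are plain Java key=value properties files, and the sample
contents below are constructed for the demonstration.
"""
import ipaddress
import re

NOTIFICATION_PORT = 37328  # port from the lax.command.line.args line in the procedure

# Constructed sample of protect/config/model.properties on the Enforce Server
MODEL_PROPERTIES_SAMPLE = """\
# model.properties (constructed sample)
model.notification.host=10.20.30.40
model.notification.serverobject.host=10.20.30.40
"""

# Constructed sample of protect/bin/NotificationTrafficMonitor.lax
LAX_SAMPLE = """\
# NotificationTrafficMonitor.lax (constructed sample)
lax.command.line.args=10.20.30.40:37328
"""


def parse_properties(text):
    """Parse a Java-style properties file into a dict; comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_bind_settings(model_text, lax_text):
    """Return a list of problems; an empty list means the three settings agree.

    Checks: every host value is present and is an IP address literal, none is the
    wildcard address, the .lax argument is IP:port with the expected port, and all
    three hosts name the same address.
    """
    problems = []
    model = parse_properties(model_text)
    lax = parse_properties(lax_text)

    hosts = {
        "model.notification.host": model.get("model.notification.host"),
        "model.notification.serverobject.host": model.get("model.notification.serverobject.host"),
    }

    args = lax.get("lax.command.line.args", "")
    match = re.fullmatch(r"(.+):(\d+)", args)
    if match:
        hosts["lax.command.line.args"] = match.group(1).strip("[]")  # allow [IPv6]:port
        if int(match.group(2)) != NOTIFICATION_PORT:
            problems.append("lax.command.line.args uses port %s, expected %d"
                            % (match.group(2), NOTIFICATION_PORT))
    else:
        problems.append("lax.command.line.args is not in IP:port form: %r" % args)
        hosts["lax.command.line.args"] = None

    for key, value in hosts.items():
        if not value:
            problems.append("%s is missing" % key)
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            problems.append("%s is not an IP address literal: %r" % (key, value))
            continue
        if addr.is_unspecified:
            problems.append("%s is the wildcard address; bind to the intended NIC instead" % key)

    distinct = {v for v in hosts.values() if v}
    if len(distinct) > 1:
        problems.append("bind addresses disagree: %s" % ", ".join(sorted(distinct)))
    return problems


if __name__ == "__main__":
    for problem in check_bind_settings(MODEL_PROPERTIES_SAMPLE, LAX_SAMPLE) or ["settings agree"]:
        print(problem)
```

Run it against the real files after editing them; any line it prints is a setting that would leave the notification channel on a different address than the one the detection servers expect.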

Performing initial setup tasks on the Enforce Server


Immediately after installing the Enforce Server, perform the following initial tasks to set up Symantec Data
Loss Prevention:
• Set up Symantec Data Loss Prevention
• Add SQL*Plus to the SymantecDLP user path

Set up Symantec Data Loss Prevention


1. If you have not already done so, back up the unique CryptoMasterKey.properties file for your installation
and store the file in a safe place. This file is required for Symantec Data Loss Prevention to encrypt and decrypt the
Enforce Server database.
WARNING
If the unique CryptoMasterKey.properties file becomes lost or corrupted, you must restore a copy
of the file in order for Symantec Data Loss Prevention to function. The Enforce Server database cannot be
decrypted without the corresponding CryptoMasterKey.properties file.
2. On single- and two-tier installations, add SQL*Plus to the SymantecDLP user's path to fetch database diagnostics
information for the Tablespaces Summary page.
To add SQL*Plus to the SymantecDLP user path
3. If you use password authentication, change the Administrator’s password to a unique password known only to you.
4. Add an email address for the Administrator user account so you can be notified of system events.
5. Add user accounts for all users who are authorized to use the system, and provide them with their log on information.
6. If you are responsible for adding policies, add one or more policies.
If not, notify the policy administrator(s) that data profiles have been added and they can proceed with policy addition.
Be sure that you have added user accounts with policy access for each policy administrator in your organization and
provided them with their logon information.
7. Configure any detection servers that you registered with the Enforce Server.
8. If you installed Network Discover, set up Discover targets.
9. Determine your organization’s incident management workflow and add incident attributes.
You can continue to add data profiles, policies, and reports, and modify your settings to suit your organization’s needs.

Add SQL*Plus to the SymantecDLP user path
1. On the Enforce Server host computer, log in as the SymantecDLP user.
su - protect

2. Open the .bash_profile file in a text editor.


3. Add the SQL*Plus directory to the path:
export ORACLE_HOME=/opt/oracle/product/<version>/db_1
export PATH=$ORACLE_HOME/bin:$PATH

Where <version> is the Oracle software version you are running.


4. Save and close the .bash_profile file.
5. Restart the Enforce Server host computer to apply your changes.

About FIPS encryption


Federal Information Processing Standard 140-2 (FIPS 140-2) is a US federal standard that defines security requirements
for cryptographic modules. Using FIPS encryption is not generally recommended for most customers because it adds
computational overhead.
Before you enable FIPS encryption, contact your Symantec representative.
Install Symantec Data Loss Prevention with FIPS encryption enabled only if your organization must comply with FIPS
regulations (typically US government agencies and departments). If you do not choose FIPS encryption, the installer
defaults to standard encryption. After you have installed Symantec Data Loss Prevention, you cannot switch to a different
encryption option except by reinstalling Symantec Data Loss Prevention. When a re-installation is required, old incidents
are not preserved.
See Installing an Enforce Server.
NOTE
You must install all Symantec Data Loss Prevention servers with the same encryption option; you cannot mix
encryption options. If the Endpoint Prevent Server is installed with FIPS enabled, no additional configuration is
required to enable FIPS encrypted communication with your DLP Agents.

Configuring Internet Explorer when using FIPS


If you have installed Federal Information Processing Standards (FIPS) support, you must enable TLS 1.0 protocol support
in Internet Explorer to access Symantec Data Loss Prevention with that browser.
NOTE
Firefox is already FIPS compatible. You do not need to perform the steps in this section to access Symantec
Data Loss Prevention with Firefox.
You must first enable TLS 1.0 protocol support in Internet Explorer, and then enable FIPS compliance in Windows. This
procedure must be done on all Windows computers in your organization that access the Symantec Data Loss Prevention
Enforce Server administration console.

To enable TLS 1.0 protocol support in Internet Explorer:
1. Go to Tools > Internet Options.
2. Go to the Advanced tab.
3. Scroll down to the Security settings.
4. Make sure that the Use TLS 1.0 check box is selected. The original procedure also lists Use SSL 2.0 and Use SSL 3.0; both protocols are deprecated (RFC 6176 and RFC 7568) and are not needed for the TLS 1.0 requirement described here. (TLS 1.0 is itself deprecated by RFC 8996; use the newest protocol version the Enforce Server accepts when one is available.)
5. Click Apply.
6. Click OK.
Internet Explorer on all computers that access the Enforce Server must be configured to use the TLS 1.0 protocol.
All Windows computers that access the Enforce Server administration console with an Internet Explorer browser
must be configured for FIPS compliance.
To enable FIPS compliance in Windows
7. Open the Windows Control Panel.
8. Double-click Administrative Tools.
9. Double-click Local Security Policy.
10. In the Local Security Settings, double-click Local Policies.
11. Double-click Security Options.
12. In the Policy pane on the right, double-click System cryptography: Use FIPS compliant algorithms for encryption,
hashing, and signing.
13. Choose the Enabled radio button and then click Apply.

Upgrading DLP
Upgrade the Enforce Server, detection servers, and DLP Agents.
Preparing to upgrade
Upgrading to a new release
Upgrading Symantec DLP Agents
Post-upgrade tasks
Symantec Data Loss Prevention upgrade troubleshooting and recovery

Preparing to upgrade
Learn about preparing to upgrade the Enforce Server and detection servers.
Preparing to Upgrade Symantec Data Loss Prevention
Symantec Data Loss Prevention Upgrade Phases
Minimum System Requirements for Upgrading to the Current Release
Requirement for Language Pack Upgrades
Preparing the Oracle Database for a Symantec Data Loss Prevention Upgrade
Enabling Network Detection Uptime Protection
Backward Compatibility for Agent Upgrades
Upgrade Requirements and Restrictions
Preparing your system for the upgrade
Deleting ICE components from the Enforce Server
Preparing Your Environment for Microsoft Rights Management File Monitoring

About Updates to the Symantec Data Loss Prevention Upgrade Content


The upgrade content is occasionally updated as new information becomes available.
About updates to the Symantec Data Loss Prevention Help Center provides the history of updates.

Preparing to Upgrade Symantec Data Loss Prevention


Prepare to upgrade Symantec Data Loss Prevention by reviewing new features, upgrading components to the minimum
version, and backing up your database.
Prepare to upgrade by completing the following steps:
1. Review the new features for Symantec Data Loss Prevention 16.0.1. See About What's New in Data Loss Prevention
16.0.1.
2. Upgrade components to at least version 15.8.
Symantec Data Loss Prevention does not support upgrades from earlier versions.
3. Back up your database before any upgrade. See Backing Up and Recovering on Windows or Backing up and
recovering on Linux.

Related Links
Symantec Data Loss Prevention Upgrade Phases on page 352
Complete the upgrade in the phases that are described in the following sections.
Upgrade Requirements and Restrictions on page 366

Symantec Data Loss Prevention Upgrade Phases


Complete the upgrade in the phases that are described in the following sections.

Phase 1: Review Important Information


Review important information about the new release before starting the upgrade, including:
• Known release issues
See Release Notes to learn about any known upgrade issues or issues with the current release of Symantec Data
Loss Prevention.
• Minimum system requirements
• Language pack requirements
• New and changed features

Phase 2: Prepare the System for Upgrading


Prepare the system for upgrading. This preparation includes the following items:
1. Prepare the Oracle database for upgrade.
Back up the Oracle database and detection server data. If the upgrade fails, you can use these backups to restore
your system.
2. Run the Update Readiness Tool. If you find issues, fix them before you migrate your data to version 16.0.1.
3. Create the Enforce Reinstallation Resources file.
4. Review agent backward compatibility constraints.
5. Review upgrade requirements and restrictions.
6. Prepare your system for the upgrade.

Phase 3: Remove ICE components from the Enforce Server


If you have not already done so, remove ICE components from the Enforce Server.

Phase 4: Download and Extract the Software


Download and extract the software.

Phase 5: Upgrade the Enforce Server


Upgrading the Enforce Server includes the following steps:
1. Install the Java Runtime Environment on one of the following platforms:
– Windows
– Linux
2. Install the version 16.0.1 Enforce Server on one of the following platforms:
– Windows
– Linux
3. Migrate the previous version to the version 16.0.1 Enforce Server on one of the following platforms:

– Windows
– Linux

Phase 6: Upgrade Detection Servers and Clusters


Upgrade detection servers, which includes the following steps:
1. Install the Java Runtime Environment on one of the following platforms:
– Windows
– Linux
2. Install the version 16.0.1 detection server or clusters on one of the following platforms:
– Windows: detection server or clusters
– Linux: detection server or clusters
3. Migrate the previous version to the version 16.0.1 detection server or clusters on one of the following platforms:
– Windows: detection server or clusters
– Linux: detection server or clusters

Phase 7: Back Up your System


Back up your system so that Symantec Data Loss Prevention can be restored if it fails after the upgrade.

Phase 8: Upgrade Symantec Data Loss Prevention Agents


Upgrade Symantec Data Loss Prevention agents.

Phase 9: Upgrade Scanners


Upgrade scanners to the latest version.

Phase 10: Complete Post-upgrade Tasks


Complete the required and optional post-upgrade tasks.

Minimum System Requirements for Upgrading to the Current Release


Ensure that your environment meets system requirements before upgrading to the current release.
If you are using a Linux platform, there are additional package dependencies. See Third-party software requirements and
recommendations for detailed information about these additional required packages.
The free disk space requirements for upgrading an existing Symantec Data Loss Prevention installation depend on the
server type:
• Enforce Server single-, two-, or three-tier installation: 50 GB (for small/medium enterprise) to 100 GB (for large/very
large enterprise) of free disk space on the volume where the server is installed.
• Detection server and Network Discover clusters: 750 MB of free disk space on the volume where the server is
installed.
NOTE
These numbers refer to the free disk space that is needed for the upgrade process, not the disk space that is
required for server operation. For server disk space, operating system, and other requirements, see Minimum
System Requirements for Symantec Data Loss Prevention Servers.

Related Links

Requirement for Language Pack Upgrades on page 354
Symantec Data Loss Prevention requires version-specific language packs.
Preparing to Upgrade Symantec Data Loss Prevention on page 351
Prepare to upgrade Symantec Data Loss Prevention by reviewing new features, upgrading components to the minimum
version, and backing up your database.

Requirement for Language Pack Upgrades


Symantec Data Loss Prevention requires version-specific language packs.
The upgrade process removes all older language packs and rolls the user interface back to the English-language default.
After the upgrade, you must download and add new versions of each language pack as needed.
See About Symantec Data Loss Prevention language packs for information about acquiring and adding updated language
packs.

Related Links
Preparing to Upgrade Symantec Data Loss Prevention on page 351
Prepare to upgrade Symantec Data Loss Prevention by reviewing new features, upgrading components to the minimum
version, and backing up your database.

Preparing the Oracle Database for a Symantec Data Loss Prevention Upgrade
The following Oracle-related preparations must be made before you upgrade the Symantec Data Loss Prevention
database schema for version 16.0.1:

Table 149: Preparing the Oracle database for upgrade

Step 1: Back up the Oracle database before you start the upgrade. You cannot recover from an unsuccessful upgrade
without a backup of your Oracle database. See Maintaining the DLP System.
Step 2: Run the Update Readiness Tool to confirm that the Oracle database is ready to upgrade to Symantec Data Loss
Prevention version 16.0.1. See Checking the database update readiness.
Step 3: Set ORACLE_HOME and PATH variables. See Setting ORACLE_HOME and PATH variables.
Step 4: Confirm that the database user has permissions to connect to the Enforce Server. See Confirming the Oracle
database user permissions.

Checking the database update readiness


You use the Update Readiness Tool to confirm that the Oracle database is ready to upgrade to the next Symantec Data
Loss Prevention version.
NOTE
You can run the Update Readiness Tool while Symantec Data Loss Prevention continues to run.
Symantec recommends that you prepare for the upgrade, including running the Update Readiness Tool, a few weeks
before you plan to complete the upgrade process. Preparing helps ensure that any issues that arise can be resolved
before the scheduled completion date.
The Update Readiness Tool tests the following items in the database schema:

• Oracle version
• Oracle patches
• Permissions
• Tablespaces
• Existing schema against standard schema
• Real Application Clusters
• Change Data Capture
• Virtual columns
• Partitioned tables
• Numeric overflow
• Temp Oracle space
• Policy size
Table 150: Using the Update Readiness Tool lists tasks you complete to run the tool.

Table 150: Using the Update Readiness Tool

Step 1: Prepare to run the Update Readiness Tool. See Preparing to Run the Update Readiness Tool.
Step 2: Create the Update Readiness Tool database account. See Creating the Update Readiness Tool database account.
Step 3: Run the tool. You can run the tool for the following scenarios:
• From the command line on the Enforce Server host computer. See Running the Update Readiness Tool at the Command Line.
• For Amazon RDS for Oracle. See the "Preparing the Amazon RDS for Oracle for upgrade" topic in the Symantec Data Loss
Prevention Help, and Preparing the Amazon RDS for Oracle for a Symantec Data Loss Prevention Upgrade.
Step 4: Review the update readiness results. See Reviewing Update Readiness Results.

Preparing to Run the Update Readiness Tool

Preparing the Update Readiness Tool includes downloading the tool and moving it to the Enforce Server.
1. Obtain the current version of the tool from Product Downloads at the Broadcom Support Portal.
The current version of the Update Readiness Tool includes important fixes and improvements, and should be the
version that you use before attempting any upgrade.
Symantec recommends that you download the tool to a directory based on your platform:
• Windows: DLPDownloadHome\DLP\16.0.1\
• Linux: DLPDownloadHome/DLP/16.0.1/
NOTE
Review the Readme file that is included with the tool for a list of Symantec Data Loss Prevention versions
the tool can test.

2. Confirm that sufficient disk space is available on the server where the database is running. This check matters if
you plan to analyze data (the --data option) during the Update Readiness Tool test.
See Estimate the database system hard drive space.
3. Log on as Administrator to the database server system.
4. Confirm the following prerequisites if you are running a three-tier deployment:
• You are running the same Oracle Client version as the Oracle Server version.
If the versions do not match, the Oracle Client cannot connect to the database, which causes the Update
Readiness Tool to fail.
• The Oracle Client is installed as Administrator.
If the Oracle Client is not installed as Administrator, reinstall it and select Administrator on the Select Installation
Type panel. Selecting Administrator enables the command-line clients, expdp and impdp.
5. Shut down all but one instance of the database on RAC nodes if you are upgrading on a system that uses Oracle
RAC.
6. Stop Oracle database jobs if your database has scheduled jobs.
See Stopping Oracle database jobs.
7. Check policy size to ensure past version agents receive policy updates.
See Checking Policy Size for DLP 15.x Agent Compatibility.
8. Unzip the Update_Readiness_Tool.zip file, and then copy the contents of the unzipped folder to the following
location (based on your platform):
• Windows: c:\Program Files\Symantec\DataLossPrevention\EnforceServer
\16.0.1.00000\Protect\Migrator\URT\
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.1.00000/Protect/Migrator/URT/
NOTE
The contents of the tool folder must reside directly in the URT folder as specified.
During the upgrade process, the Migration Utility runs the Update Readiness Tool from this location.
Related Links
Checking the database update readiness on page 354
Running the Update Readiness Tool at the Command Line on page 361

Estimate the database system hard drive space


If you plan to set the Update Readiness Tool to analyze the data residing in the database, plan for the tool to need two
times the drive space that the data occupies in the production database. The data space requirement excludes the LOB
data for incidents.
Run the following command to estimate the disk space required to complete the Update Readiness Tool test.
1. Run one of the following commands (based on your platform):
• Windows:
expdp protect/<DLP schema password>@protect NOLOGFILE=YES ESTIMATE_ONLY=YES schemas=protect exclude=TABLE:\"IN\(\'MESSAGELOB\',\'MESSAGECOMPONENTLOB\',\'CONDITIONVIOLATIONLOB\',\'AGENTEVENT\',\'SYSTEMEVENT\',\'SYSTEMEVENTPARAMETER\'\)\"
• Linux:
expdp protect/<DLP schema password>@protect NOLOGFILE=YES ESTIMATE_ONLY=YES schemas=protect exclude=TABLE:\"IN\(\'MESSAGELOB\',\'MESSAGECOMPONENTLOB\',\'CONDITIONVIOLATIONLOB\',\'AGENTEVENT\',\'SYSTEMEVENT\',\'SYSTEMEVENTPARAMETER\'\)\"

Where <DLP schema password> is the Symantec Data Loss Prevention schema password.
The command returns the estimated space required to export the schema, excluding the LOB and event tables named in the
exclude clause (the incident LOB data is not analyzed by the tool).
2. Confirm that the disk on the system where you plan to run the Update Readiness Tool has enough free space for the
data export (plan for twice the estimate, as noted above).
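The following Python snippet is an added example (not Symantec's tooling) that turns step 2 into a check: it reads the Total estimation line from expdp ESTIMATE_ONLY output, applies the two-times rule from the paragraph above, and compares the result with the free space on the target volume. The expdp output embedded in it is a constructed sample that mirrors the shape of a real run.

```python
"""Size check for the Update Readiness Tool data export described above.

Added example, not Symantec's code. The expdp output below is constructed to
mirror the shape of an ESTIMATE_ONLY run; the two-times rule comes from the text.
"""
import re
import shutil

UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}
SAFETY_FACTOR = 2  # the tool needs roughly twice the space the data occupies in production

# Constructed sample of expdp ESTIMATE_ONLY=YES output
SAMPLE_EXPDP_OUTPUT = """\
Starting "PROTECT"."SYS_EXPORT_SCHEMA_01":  protect/******** NOLOGFILE=YES ESTIMATE_ONLY=YES schemas=protect
Estimate in progress using BLOCKS method...
Processing object type SCHEMA_EXPORT/TABLE/TABLE_DATA
.  estimated "PROTECT"."INCIDENT"                         1.500 GB
.  estimated "PROTECT"."MESSAGE"                            512 MB
Total estimation using BLOCKS method: 2.000 GB
"""


def parse_estimate_bytes(output):
    """Extract the 'Total estimation' figure from expdp output and return it in bytes."""
    match = re.search(r"Total estimation using \w+ method:\s*([\d.]+)\s*(KB|MB|GB|TB)", output)
    if not match:
        raise ValueError("no 'Total estimation' line found in expdp output")
    return int(float(match.group(1)) * UNITS[match.group(2)])


def required_bytes(estimate_bytes, factor=SAFETY_FACTOR):
    """Space to plan for: the export estimate times the safety factor."""
    return estimate_bytes * factor


def check_free_space(path, estimate_bytes, factor=SAFETY_FACTOR):
    """Return (enough, free_bytes, needed_bytes) for the volume holding `path`."""
    free = shutil.disk_usage(path).free
    needed = required_bytes(estimate_bytes, factor)
    return free >= needed, free, needed


if __name__ == "__main__":
    est = parse_estimate_bytes(SAMPLE_EXPDP_OUTPUT)
    ok, free, needed = check_free_space(".", est)
    print("estimate %.2f GB, need %.2f GB, free %.2f GB -> %s"
          % (est / UNITS["GB"], needed / UNITS["GB"], free / UNITS["GB"],
             "OK" if ok else "INSUFFICIENT"))
```

Point `check_free_space` at the DATA_PUMP_DIR volume (or the custom data pump directory passed with --data_pump), since that is where the export lands, not necessarily the volume holding the URT itself.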
Stopping Oracle database jobs
If your database has scheduled jobs, you must unschedule them and clear the jobs queue before you run the Update
Readiness Tool and start the migration process. After the jobs are unscheduled and the jobs queue is clear, you can run
the Update Readiness Tool and continue your migration.

1. Log on to SQL*Plus using the Symantec Data Loss Prevention database user name and password.
2. Run the following PL/SQL block, which marks every job in the DLP schema's queue as broken (so the scheduler will not
start it) and then removes it:
BEGIN
  FOR rec IN (SELECT * FROM user_jobs) LOOP
    dbms_job.broken(rec.job, TRUE);   -- stop the scheduler from running the job
    dbms_job.remove(rec.job);         -- delete the job from the queue
  END LOOP;
END;
/

3. Verify that all jobs are unscheduled by running the following:


select count(*) from user_jobs;

Confirm that the count is zero. If the count is not zero, run the command to clear the queue again. If a job is running
when you attempt to clear the queue, the job continues to run until it completes and is not cleared. For long running
jobs, Symantec recommends that you wait for the job to complete instead of terminating the job.
4. Exit SQL*Plus.
Checking Policy Size for DLP 15.x Agent Compatibility
Check policy size using the URT to ensure that agents from earlier versions still receive policy updates.
Starting with version 16.0, Symantec Data Loss Prevention features a high-performance, memory-efficient policy
evaluation engine. You can now create complex policies with many compound exceptions without adversely impacting
memory or performance. For endpoint detection, you can create policies that use rules that target specific
components (such as body or attachment). The new engine helps reduce false positives, thereby increasing policy
accuracy and effectiveness.
Policies built for the new evaluation engine occupy more memory than policies created with DLP 15.x. A 16.0 or
later detection server prevents 15.x DLP Agents from running out of memory by checking policy size before sending
policies to 15.x DLP Agents. If the aggregate size of all policies targeted at an Endpoint Server exceeds a
threshold (the default threshold is 400 MB), policy updates are not sent to 15.x agents. A system event is generated on
the Enforce Server and detail is logged on the Endpoint Server.

NOTE
Symantec strongly recommends upgrading DLP Agents to version 16.0 to benefit from the new policy evaluation
engine.

Generate a List of Policies


Use the --quick parameter when running the latest version of the Update Readiness Tool (URT) to identify Endpoint
Servers that use policies larger than the 400 MB threshold.
Download the latest version of the Update Readiness Tool at the Symantec Enterprise Security Product Downloads site.
When you run the latest URT version using the --policy_size parameter, the URT creates a new log (for example,
policy_evaluation_16.0.1_.txt) that lists aggregated policy size, grouped by detection server, and information about
individual policies that exceed the threshold.
NOTE
Version 15.x agents do not receive policy updates if the policies targeted to an Endpoint Server exceed the policy size
threshold collectively, or if any individual policy targeted to an Endpoint Server exceeds the threshold.
Figure 5 (Output of the policy evaluation log in --quick mode) lists Endpoint Server 1 (EP01) and Endpoint Server 2
(EP02), which have policies whose aggregate size exceeds the policy size threshold. 15.x agents connected to these
servers will not receive policy updates. The log also lists policies that individually exceed the 400 MB threshold.
Figure 5: Output of the policy evaluation.log in --quick mode

Generate a Detailed List of Policy Information


Generate a detailed breakdown of policies using the --policy_size parameter (for example, UpdateReadinessTool
--policy_size).

Symantec recommends that you re-run the URT with the --policy_size parameter if the policy log (generated using the
--quick parameter) lists detection servers with policies that exceed the threshold and have 15.x agents connected to
them.
Do not use the --policy_size parameter with any other options. While the URT is generally run before the upgrade, it
can be invoked after upgrading with the --policy_size parameter on a version 16.0 or later Enforce Server to identify an
individual policy (or policies in a policy group) that exceed the threshold. By using --policy_size, all other URT checks
are disabled. Using the --policy_size parameter ensures the report only lists policy info.

Figure 6: Detailed breakdown of policy size when using --policy_size includes a detailed breakdown of all active policies
ordered by size and detection server. Use this log to identify which policies, individually or collectively, are not sent to 15.x
agents because they exceed the threshold.
Figure 6: Detailed breakdown of policy size when using --policy_size

If the aggregate size of all policies sent to the legacy agents exceeds the threshold, Symantec recommends that you
reduce the policy size by removing compound exceptions.
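To make the two conditions in the NOTE above concrete, here is an added Python model (not Symantec code and not the URT itself) of the decision the detection server makes: it groups policies by Endpoint Server, sums their sizes, flags policies that individually exceed the threshold, and reports which servers' 15.x agents would stop receiving updates. The server names, policy names and sizes are constructed; real serialized sizes are only available from the URT log.

```python
"""Model of the policy-size gate that a 16.0 detection server applies before
sending policies to 15.x agents, as described in the section above.

Added example, not Symantec's code. The threshold is the 400 MB default from the
text; the policy list and its sizes are constructed. This models the decision
rule only; it does not measure real policies.
"""
MB = 1024 * 1024
DEFAULT_THRESHOLD = 400 * MB

# Constructed sample: (Endpoint Server, policy name, serialized policy size in bytes)
SAMPLE_POLICIES = [
    ("EP01", "PCI-Card-Numbers", 150 * MB),
    ("EP01", "PHI-Records", 300 * MB),               # aggregate 450 MB on EP01
    ("EP02", "Source-Code-Fingerprints", 410 * MB),  # single policy over the limit
    ("EP03", "Keywords-Confidential", 50 * MB),
]


def evaluate_policy_sizes(entries, threshold=DEFAULT_THRESHOLD):
    """Group policies by Endpoint Server and decide whether 15.x agents get updates.

    Returns {server: {"aggregate": bytes, "policies": [(name, size), ...] largest first,
                      "oversized": [names over threshold], "blocks_15x": bool}}.
    15.x agents are blocked if the aggregate exceeds the threshold OR any single
    policy exceeds it, which are the two conditions in the NOTE above.
    """
    by_server = {}
    for server, name, size in entries:
        by_server.setdefault(server, []).append((name, size))
    report = {}
    for server, policies in by_server.items():
        policies.sort(key=lambda p: p[1], reverse=True)
        aggregate = sum(size for _, size in policies)
        oversized = [name for name, size in policies if size > threshold]
        report[server] = {
            "aggregate": aggregate,
            "policies": policies,
            "oversized": oversized,
            "blocks_15x": aggregate > threshold or bool(oversized),
        }
    return report


def format_report(report, threshold=DEFAULT_THRESHOLD):
    """Render the evaluation in the spirit of the URT policy evaluation log."""
    lines = ["Policy size threshold: %d MB" % (threshold // MB)]
    for server in sorted(report):
        info = report[server]
        status = "15.x agents will NOT receive policy updates" if info["blocks_15x"] else "OK"
        lines.append("%s: aggregate %d MB - %s" % (server, info["aggregate"] // MB, status))
        for name, size in info["policies"]:
            flag = "  (exceeds threshold)" if name in info["oversized"] else ""
            lines.append("    %-28s %5d MB%s" % (name, size // MB, flag))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(evaluate_policy_sizes(SAMPLE_POLICIES)))
```

In the sample, EP01 is blocked by aggregate size even though no single policy is oversized, and EP02 is blocked by one policy; the largest-first ordering shows which policies to simplify first when you remove compound exceptions.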
Finding Non-BMP Unicode Characters in Policies
Non-BMP Unicode characters (code points above U+FFFF, outside the Basic Multilingual Plane) are not supported in
policies that detect on text. Follow these steps to find and remove them using the URT.
1. Add the --nonbmp_validation parameter to the URT command before updating. For example:
UpdateReadinessTool --username <username> --password <password> --service_name <service_name> --readiness_username <readiness_username> --readiness_password <readiness_password> --target_version <target version> [--data_pump <DATA_PUMP_DIR>] [--data] [--quick] [--skip_export] [--skip_import] [--no_verbose] [--policy_size | --nonbmp_validation]
2. Run the URT to identify non-BMP characters in policies and data identifiers. Review the Non-BMP Validation
Report to determine which policies contain non-BMP characters.
3. Remove the non-BMP characters from policies and data identifiers. If non-BMP characters remain in policies, the
upgrade fails.
4. Rerun the Update Readiness Tool to confirm that all non-BMP characters have been removed from policies and data
identifiers.
For more information on how non-BMP characters are handled in Data Loss Prevention 16.0.1, see Handling Non-BMP
Unicode Characters in Data Loss Prevention 16.0.1.
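The URT's Non-BMP Validation Report is the authoritative check, but the scan it performs is simple to reproduce on exported policy text before you run the tool. The following Python script is an added example (not Symantec code and not the URT's own check) that locates every code point above U+FFFF in a set of constructed keyword lists and patterns, reports its position and Unicode name, and shows the cleaned string that would pass validation.

```python
"""Finder for non-BMP Unicode characters in policy text, as described above.

Added example, not Symantec's code and not the URT's own check. The policies
below are constructed; in a real environment the keyword lists and data
identifier patterns would be exported from the Enforce Server.
"""
import unicodedata

BMP_MAX = 0xFFFF  # the Basic Multilingual Plane ends at U+FFFF


def find_non_bmp(text):
    """Return [(index, char, 'U+XXXXX', unicode name)] for every code point above U+FFFF.

    Python str indexes code points, so each non-BMP character is one element here;
    in Java, which the Enforce Server runs on, the same character occupies two
    UTF-16 code units (a surrogate pair).
    """
    hits = []
    for index, ch in enumerate(text):
        if ord(ch) > BMP_MAX:
            hits.append((index, ch, "U+%04X" % ord(ch), unicodedata.name(ch, "UNASSIGNED")))
    return hits


def strip_non_bmp(text, replacement=""):
    """Return text with every non-BMP character replaced (default: removed)."""
    return "".join(ch if ord(ch) <= BMP_MAX else replacement for ch in text)


def scan_policies(policies):
    """Map policy name -> [(offending item, hits)] for policies containing non-BMP text."""
    report = {}
    for name, items in policies.items():
        offenders = [(item, find_non_bmp(item)) for item in items if find_non_bmp(item)]
        if offenders:
            report[name] = offenders
    return report


# Constructed sample: policy name -> keyword list or data identifier patterns
SAMPLE_POLICY_TEXT = {
    "Confidential-Keywords": ["internal only", "do not distribute", "top secret \U0001F512"],
    "Math-Notation": ["\U0001D538\U0001D539\u2102", r"\d{3}-\d{2}-\d{4}"],
    "Clean-Policy": ["ssn", "credit card"],
}

if __name__ == "__main__":
    for policy, offenders in scan_policies(SAMPLE_POLICY_TEXT).items():
        for item, hits in offenders:
            print(policy, repr(item), [(h[2], h[3]) for h in hits])
            print("  cleaned:", repr(strip_non_bmp(item)))
```

Note that U+2102 (DOUBLE-STRUCK CAPITAL C) in the Math-Notation sample survives the cleanup: it is inside the BMP and is allowed, while its neighbours U+1D538 and U+1D539 are not, so a scan keyed on "looks exotic" would get this wrong where a code-point test does not.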
Creating the Update Readiness Tool database account

Before you can run the Update Readiness Tool, you must create a database account.

1. Navigate to the folder where you extracted the Update Readiness Tool (for Windows \script and for Linux /
script ).
2. Start SQL*Plus:
sqlplus /nolog

3. Run the oracle_create_user.sql script:
@oracle_create_user.sql

4. At the Please enter the password for sys user prompt, enter the password for the SYS user.
5. At the Please enter Service Name prompt, enter a service name for the Oracle Service Name.
6. At the Please enter required username to be created prompt, enter a name for the new upgrade readiness
database account.
7. At the Please enter a password for the new username prompt, enter a password for the new upgrade readiness
database account.
Use the following guidelines to create an acceptable password:
• Passwords cannot contain more than 30 characters.
• Passwords cannot contain double quotation marks, commas, or backslashes.
• Avoid using the & character.
• Passwords are case-sensitive by default. You can change the case sensitivity through an Oracle configuration
setting.
• If your password uses special characters other than _, #, or $, or if your password begins with a number, you must
enclose the password in double quotes when you configure it.
Store the user name and password in a secure location for future use. You use this user name and password to run
the Update Readiness Tool.
8. As the database sysdba user, grant permission to the Symantec Data Loss Prevention schema user name for the
following database objects.
Run the following command if you are running the Oracle database in a non-RAC environment:
sqlplus sys/<password> as sysdba
GRANT READ,WRITE ON directory DATA_PUMP_DIR TO [schema user name];
GRANT SELECT ON dba_registry_history TO [schema user name];
GRANT SELECT ON dba_temp_free_space TO [schema user name];

9. Run the following command if you are running the Oracle database in a RAC environment:
sqlplus sys/<password>@<RAC node ip>:1521/protect as sysdba
GRANT READ,WRITE ON directory DATA_PUMP_DIR TO [schema user name];

10. Confirm that the password for the new upgrade readiness database account is compatible with the expdp and impdp
commands by running the following command:
expdp <oracle_username>/<password>@<oracle_service_name> dumpfile=sandbox.dmp schemas=<oracle_username>
content=metadata_only directory=<dpdir> logfile=exp_sandbox.log reuse_dumpfiles=y exclude=grant

If the command returns password errors, create a password that meets both Oracle password and EXPDP/IMPDP
password requirements (expdp/impdp are OS commands).

Table 151: Parameters for the expdp and impdp compatibility command

<oracle_username>: The Symantec Data Loss Prevention database user name.
<password>: The Symantec Data Loss Prevention database password.
<oracle_service_name>: The database service name (typically "protect").
<dpdir>: The DATA_PUMP_DIR location. You use this parameter if you have opted to use a custom data pump directory
location.
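As an added example (not Symantec code), the following Python function encodes the password guidelines from step 7 above so that a candidate can be checked before you type it at the prompt. The Oracle-side rules are exactly those listed there; the warning about shell and connect-string metacharacters is an assumption added here, since the page only says the password must also work with the expdp and impdp OS commands.

```python
"""Checker for the Update Readiness Tool account password rules listed in step 7.

Added example, not Symantec's code. The Oracle-side rules come from the page;
the CLI_RISKY warning is an assumption added here because the page only says the
password must also work with the expdp and impdp OS commands. Case sensitivity
(on by default) needs no check.
"""
MAX_LENGTH = 30
FORBIDDEN = set('",\\')          # double quote, comma, backslash are rejected outright
NO_QUOTE_SPECIALS = set("_#$")   # specials that do not force double-quoting in Oracle
# Characters that a shell or the user/password@service connect string would
# misinterpret on the command line (assumption, not from the page).
CLI_RISKY = set("/@ |;<>*?`'()!$")


def check_urt_password(password):
    """Return {"ok", "errors", "warnings", "needs_quoting"} for a candidate password."""
    errors, warnings = [], []

    if len(password) > MAX_LENGTH:
        errors.append("longer than %d characters (%d)" % (MAX_LENGTH, len(password)))

    forbidden = sorted(FORBIDDEN & set(password))
    if forbidden:
        errors.append("contains forbidden character(s): %s" % " ".join(forbidden))

    if "&" in password:
        warnings.append("contains &, which the guidelines say to avoid")

    # Must be enclosed in double quotes when configured if it starts with a digit
    # or uses any special character other than _ # $
    needs_quoting = password[:1].isdigit() or any(
        not (ch.isalnum() or ch in NO_QUOTE_SPECIALS) for ch in password)

    risky = sorted((CLI_RISKY & set(password)) - FORBIDDEN)
    if risky:
        warnings.append("contains %s; test it with expdp/impdp before relying on it"
                        % " ".join(risky))

    return {"ok": not errors, "errors": errors, "warnings": warnings,
            "needs_quoting": needs_quoting}


if __name__ == "__main__":
    for candidate in ("Urt_Read2023#", "9starts-with-digit", 'bad"quote,pass\\word'):
        print(repr(candidate), check_urt_password(candidate))
```

A result with `ok` true but `needs_quoting` true is still usable; it just has to be wrapped in double quotes wherever you configure it, and the step 10 expdp test is the final word on whether the OS command line accepts it.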

Related Links
Preparing to Run the Update Readiness Tool on page 355
Checking the database update readiness on page 354

Running the Update Readiness Tool at the Command Line

You can run the Update Readiness Tool from the command prompt on the database server host computer.
Disable all instances of the DLP database on all but one RAC node if you are upgrading on a system that uses Oracle
RAC. Also, run the tool on the active RAC node. Restore instances once the tool has completed running.
NOTE
The steps assume that you have logged on as the administrator user (for Windows) or as root (for Linux) to the
computer where you run the Update Readiness Tool.
1. Open a command prompt window.
2. Go to the URT directory:
• Windows: c:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.1.00000\Protect\Migrator\URT
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.1.00000/Protect/Migrator/URT
3. Run the Update Readiness Tool using the following command (shown on several lines for readability; enter it as one
command):

For Windows

"C:\Program Files\AdoptOpenJRE\<JRE version>\bin\java" UpdateReadinessTool
--username <schema user name>
--password <password>
--readiness_username <readiness_username>
--readiness_password <readiness_password>
--service_name <database service name>
--target_version <upgrade target>

For Linux

"/opt/AdoptOpenJRE/<JRE version>/bin/java" UpdateReadinessTool
--username <schema user name>
--password <password>
--readiness_username <readiness_username>
--readiness_password <readiness_password>
--service_name <database service name>
--target_version <upgrade target>

The <JRE version> represents the OpenJRE version running on your system.
Table 152: Update Readiness Tool Command Line Parameters identifies the command-line parameters:

Table 152: Update Readiness Tool Command Line Parameters

--username
    The Symantec Data Loss Prevention schema user name.
--password
    The Symantec Data Loss Prevention schema password.
--readiness_username
    The Update Readiness Tool database account user that you created. See Creating the Update Readiness Tool database account.
--readiness_password
    The password for the Update Readiness Tool database account user.
--service_name
    The database service name (SERVICE_NAME), typically "protect". If you are running the database on RAC, provide it as <RAC node ip>/protect.
--target_version
    The Symantec Data Loss Prevention version that you are upgrading to.
--data_pump
    (Optional) The Data Pump directory name. Use this parameter if you have opted to use a custom data pump directory location.
--data
    (Optional) Directs the Update Readiness Tool to test data. The tool copies the data to be tested and does not test data in production. LOB data that is associated with incidents is not included in the test.
    Note: Before you run this command, confirm that you have enough disk space to accommodate the data extracted from the database. See Estimate the database system hard drive space.
--skip_export
    (Optional) Prevents the Update Readiness Tool from exporting from the Symantec Data Loss Prevention schema during the Update Readiness Tool test. Use this parameter if you have already created an export DMP file, or if you plan to export data manually.
--skip_import
    (Optional) Prevents the Update Readiness Tool from importing data into the Update Readiness Tool schema during the Update Readiness Tool test. Use this parameter if you plan to import the data manually.
--no_verbose
    (Optional) Suppresses the extra logging details that otherwise appear in the command prompt results of the Update Readiness Tool test.
--quick
    (Optional) Runs the database object check and lists Endpoint Servers and their associated policies, but skips the update readiness test. See Checking Policy Size for DLP 15.x Agent Compatibility.
--policy_size
    (Optional) Returns a detailed list of policies, policy size, associated detection servers, and information about individual policies. When you use this parameter, all other URT checks are disabled. See Checking Policy Size for DLP 15.x Agent Compatibility.
--nonbmp_validation
    (Optional) Returns a list of policies that contain Non-BMP Unicode characters. When you use this parameter, the URT creates a separate log file for your review. See Finding Non-BMP Unicode Characters in Policies and Handling Non-BMP Unicode Characters in Data Loss Prevention 16.0.1.

Related Links
Preparing to Run the Update Readiness Tool on page 355
Reviewing Update Readiness Results on page 363

Reviewing Update Readiness Results

After the test completes, you can locate the results in a log file in the /output/output directory, which is located where you extracted the Update Readiness Tool (URT). If you do not include --quick when you run the tool, the test can take up to an hour to complete. You can check the status of the test by reviewing the log files in the /output/output directory.
NOTE
Symantec recommends that you contact Support prior to upgrading your system to review the URT results.

Table 153: Update Readiness results

Pass
    Items that display under this section are confirmed and ready for update.
Warning
    If not fixed, items that display under this section may prevent the database from upgrading properly.
Error
    These items prevent the upgrade from completing and must be fixed.

Related Links
Resolving the error "Data Foreign Key Constraint Validation for EndPointProtocolFilter" on page 363

Resolving the error "Data Foreign Key Constraint Validation for EndPointProtocolFilter"
When running the Update Readiness Tool before an upgrade from Symantec Data Loss Prevention 14.6 to the current
version, the tool returns results in its log file with the error below.
Start: Data Foreign Key Constraint Validation - [date and time]
Data violations are detected on your schema, please use the below query(s) to retrieve the invalid data.
SELECT DISTINCT protocolFilterId AS "PROTOCOLFILTERID" FROM ENDPOINTPROTOCOLFILTER
  WHERE protocolFilterId IS NULL OR protocolFilterId NOT IN (SELECT acv.protocolFilterId FROM
  AgentConfigurationVersion acv WHERE acv.protocolFilterId IS NOT NULL);
End : Data Foreign Key Constraint Validation - elapsed 0s - FAILED (1 violation)

Complete the following steps to resolve the error "Data Foreign Key Constraint Validation for EndPointProtocolFilter". The queries use unqualified table names, so run them connected as the owner of the DLP schema:
1. Run the following command to create a backup of the rows that will be deleted:
create table EndpointProtocolFilter_nomatch as
select * from EndpointProtocolFilter where protocolFilterId not in (select acv.protocolFilterId FROM
AgentConfigurationVersion acv where acv.protocolFilterId IS NOT NULL);
2. Run the following command to confirm the record count:
select count(*) from EndpointProtocolFilter where protocolFilterId not in (select acv.protocolFilterId
FROM AgentConfigurationVersion acv where acv.protocolFilterId IS NOT NULL);
3. Note the record count.
4. Run the following command to delete the data that causes the upgrade to fail:
DELETE FROM EndpointProtocolFilter WHERE protocolFilterId NOT IN (SELECT acv.protocolFilterId FROM
AgentConfigurationVersion acv WHERE acv.protocolFilterId IS NOT NULL);
5. Confirm that the number of records deleted matches the record count from step 3. If the counts do not match, do not commit; contact Symantec Support.
6. Run the following command to complete the delete operation:
commit;
7. Run the count query again and confirm that it now returns 0:
select count(*) from EndpointProtocolFilter where protocolFilterId not in (select acv.protocolFilterId
FROM AgentConfigurationVersion acv where acv.protocolFilterId IS NOT NULL);
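The steps above depend on an operator comparing the count from step 3 with the number of rows the DELETE reports before typing commit. The following PL/SQL block is an added example, not part of the Symantec documentation: it performs the same backup, count, delete and comparison as one unit and rolls the DELETE back automatically if the number of deleted rows differs from the count taken first. It assumes you are connected in SQL*Plus as the owner of the DLP schema (typically protect), that SET SERVEROUTPUT ON is in effect so the messages are displayed, and that the backup table EndpointProtocolFilter_nomatch does not already exist.

```sql
-- Added example, not from the Symantec documentation. Same cleanup as the numbered
-- steps, run as one PL/SQL block so a count mismatch rolls the DELETE back instead
-- of relying on the operator to notice it before committing.
-- Assumes: connected as the DLP schema owner, SET SERVEROUTPUT ON, and no existing
-- EndpointProtocolFilter_nomatch table.
DECLARE
  v_expected PLS_INTEGER;
  v_deleted  PLS_INTEGER;
BEGIN
  -- Step 1: keep a copy of the orphaned rows. CREATE TABLE ... AS SELECT is DDL,
  -- so inside PL/SQL it must go through EXECUTE IMMEDIATE; note that DDL commits
  -- on its own, which is harmless here because nothing has been deleted yet.
  EXECUTE IMMEDIATE q'[
    CREATE TABLE EndpointProtocolFilter_nomatch AS
    SELECT * FROM EndpointProtocolFilter
     WHERE protocolFilterId NOT IN (
           SELECT acv.protocolFilterId FROM AgentConfigurationVersion acv
            WHERE acv.protocolFilterId IS NOT NULL)]';

  -- Steps 2 and 3: record how many rows we expect to remove.
  SELECT COUNT(*) INTO v_expected
    FROM EndpointProtocolFilter
   WHERE protocolFilterId NOT IN (
         SELECT acv.protocolFilterId FROM AgentConfigurationVersion acv
          WHERE acv.protocolFilterId IS NOT NULL);

  -- Step 4: delete the orphaned rows and capture how many went.
  DELETE FROM EndpointProtocolFilter
   WHERE protocolFilterId NOT IN (
         SELECT acv.protocolFilterId FROM AgentConfigurationVersion acv
          WHERE acv.protocolFilterId IS NOT NULL);
  v_deleted := SQL%ROWCOUNT;

  -- Steps 5 and 6: commit only when the counts agree; otherwise undo and report.
  IF v_deleted = v_expected THEN
    COMMIT;
    DBMS_OUTPUT.PUT_LINE('Deleted ' || v_deleted ||
                         ' orphaned EndpointProtocolFilter row(s); committed.');
  ELSE
    ROLLBACK;
    RAISE_APPLICATION_ERROR(-20001,
      'Expected ' || v_expected || ' row(s) but DELETE removed ' || v_deleted ||
      '; rolled back. Contact Symantec Support.');
  END IF;
END;
/
```

One caveat is worth knowing before you rerun the URT. The validation query the tool prints also flags rows whose protocolFilterId IS NULL, but a NOT IN predicate never matches a NULL, so neither the documented DELETE nor this block removes such rows. If the URT still reports a violation after the cleanup, query for NULL protocolFilterId rows and raise them with Support rather than deleting them by hand.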

Related Links
Reviewing Update Readiness Results on page 363

Setting ORACLE_HOME and PATH variables


Verify that the ORACLE_HOME and PATH variables are set before you begin the upgrade process. If these variables are not set, the migration step of the Enforce Server upgrade cannot complete. The set and export commands below apply only to the command prompt or shell session in which you run them, so run the upgrade from that same session, or make the variables persistent for the account that performs the upgrade.
Set the ORACLE_HOME and PATH variable on Windows

1. Log on as a domain user.
2. In the command prompt, run the following command to set the ORACLE_HOME variable. Confirm your Oracle version and installation path before setting this variable. For example:
set ORACLE_HOME=c:\oracle\product\19.3.0.0\db_1
3. Run the following command to set the PATH variable:
set PATH=%ORACLE_HOME%\bin;%PATH%

Set the ORACLE_HOME and path variable on Linux

1. Log on as the root user.
2. In the terminal, run the following command to set the ORACLE_HOME variable. Confirm your Oracle version and installation path before setting this variable. For example:
export ORACLE_HOME=/opt/oracle/product/19.3.0.0/db_1
3. Run the following command to set the PATH variable:
export PATH=$ORACLE_HOME/bin:$PATH

Confirming the Oracle database user permissions

The Oracle database user (typically "protect") must hold the privileges granted below. The Enforce Server installation fails if the user lacks them.
1. Start SQL*Plus as SYSDBA. In the example below, protect is the SYS password, not the DLP user; substitute your own SYS password. A password given on the command line is visible to other users of the host in the process list, so on a shared database server prefer sqlplus / as sysdba (operating-system authentication) or omit the password and let SQL*Plus prompt for it.
sqlplus sys/protect as sysdba
2. Run the following commands:
GRANT read, write ON directory data_pump_dir TO protect;
GRANT SELECT ON dba_registry_history TO protect;
GRANT SELECT ON dba_temp_free_space TO protect;
GRANT SELECT ON v_$version TO protect;
GRANT EXECUTE ON dbms_lob TO protect;
3. If you are running Oracle 19c, run the following command:
GRANT create job TO protect;
4. Exit SQL*Plus:
exit
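To confirm that the grants took effect before you start the installer, the following query, an added example that is not part of the Symantec documentation, lists every privilege from the steps above that the DLP user still lacks; an empty result means all required grants are present. It assumes the DLP user is named PROTECT (Oracle stores grantee names in upper case) and is run from the same SYSDBA session. It checks direct grants only, which is what the GRANT statements above create; privileges inherited through roles appear in ROLE_TAB_PRIVS rather than in these views under the user.

```sql
-- Added example, not part of the Symantec documentation.
-- Lists the privileges from the GRANT statements above that the DLP user (assumed
-- to be PROTECT) does not yet hold directly. No rows returned means every required
-- grant is in place. Run as SYSDBA.
WITH required (obj, priv) AS (
  SELECT 'DATA_PUMP_DIR',        'READ'    FROM dual UNION ALL
  SELECT 'DATA_PUMP_DIR',        'WRITE'   FROM dual UNION ALL
  SELECT 'DBA_REGISTRY_HISTORY', 'SELECT'  FROM dual UNION ALL
  SELECT 'DBA_TEMP_FREE_SPACE',  'SELECT'  FROM dual UNION ALL
  SELECT 'V_$VERSION',           'SELECT'  FROM dual UNION ALL
  SELECT 'DBMS_LOB',             'EXECUTE' FROM dual
)
-- Object privileges: the directory, the dictionary views and the DBMS_LOB package.
-- Directory grants are recorded in DBA_TAB_PRIVS like table grants.
SELECT r.obj AS object_name, r.priv AS missing_privilege
  FROM required r
 WHERE NOT EXISTS (
       SELECT 1
         FROM dba_tab_privs p
        WHERE p.grantee    = 'PROTECT'
          AND p.table_name = r.obj
          AND p.privilege  = r.priv)
UNION ALL
-- System privilege required on Oracle 19c.
SELECT '(system privilege)', 'CREATE JOB'
  FROM dual
 WHERE NOT EXISTS (
       SELECT 1
         FROM dba_sys_privs s
        WHERE s.grantee   = 'PROTECT'
          AND s.privilege = 'CREATE JOB')
ORDER BY 1, 2;
```

Each row returned names one GRANT statement from the procedure above that still needs to be run for this user.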

Enabling Network Detection Uptime Protection
Enable network detection uptime protection on the previous version Network Monitor detection server so that it continues detecting sensitive data and reporting incidents to the version 16.0.1 Enforce Server.
Enabling network detection uptime protection allows the server to continue detecting sensitive content by reading the policy and configuration information from disk.
1. Define a non-routable IP address filter if Packet Capture protocols are enabled on the Network Monitor server but no filters are defined.
a) Go to System > Servers and Detectors > Overview.
b) Click the Network Monitor detection server.
c) Click Configure.
d) Click the Packet Capture tab and edit an enabled protocol filter.
e) Click Use Custom Settings and enter a non-routable IP address in the Use Custom Settings field.
For example, enter 10.10.10.1.
f) Save your changes and recycle the server.
For more information, see Server controls.
2. On the Network Monitor detection server, open the following file in a text editor:
• Windows: C:\Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\config\protect.properties
• Linux: /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/config/protect.properties
3. Update the following settings.
#Enable/disable Network Monitor Up-time Protection
com.vontu.cache.config.enabled = true
#Network Monitor Up-time Protection cache file location
com.vontu.cache.config.dir = ../configCache
#Network Monitor Up-time Protection timeout value in seconds
com.vontu.cache.config.timeout = 10*60000
NOTE
To allow sufficient time for the Enforce Server to send settings to the Network Monitor detection server, Symantec
recommends that you not enter a timeout setting lower than 3*60000.

4. Save your changes.


5. Restart the server on the Enforce Server administration console.
For more information, see Server controls.

Backward Compatibility for Agent Upgrades


As you upgrade Symantec Data Loss Prevention, you may have different components of the suite on different versions. During the upgrade process, the Enforce Server, Endpoint Servers, and DLP Agents may be running different versions.
The following table describes the scenarios where multi-version servers and agents are possible. The described scenarios
are only possible during the upgrade process. The scenarios assume that you have already upgraded your Enforce
Server to version 16.0.1. You cannot upgrade either your Endpoint Servers or your agents before upgrading your Enforce
Server.

The most stable configuration is for all Enforce Servers, Endpoint Servers, and agents to be on version 16.0.1. Ideally,
you are on one of the following backward-compatible scenarios for a limited time as you upgrade all servers and agents to
version 16.0.1.
Before you upgrade to 16.0.1, upgrade Symantec Data Loss Prevention components to at least version 15.8. Symantec
Data Loss Prevention does not support upgrades from version 15.5 or earlier.
NOTE
Symantec recommends that you install the latest maintenance pack and hotfix to ensure that agents include the
latest product defect fixes.

Table 154: Backward compatibility for agent upgrades

Enforce Server 16.0.1, Endpoint Server 16.0.1, Symantec DLP Agent 16.0.1
    All incidents are sent to the Enforce Server.
    Policy and configuration updates can be sent to the Endpoint Servers and agents.
Enforce Server 16.0.1, Endpoint Server 16.0.1, Symantec DLP Agent 16.0.1, 16.0, or 15.8
    All incidents are sent to the Enforce Server.
    Policy and configuration updates can be sent to the Endpoint Servers and DLP Agents.
    Note: Policies and configuration settings can be sent to agents. However, new policy rules that are introduced in a given release are not supported by earlier agents; in general, new policy rules are supported by the same agent version in which the rule is introduced.
Enforce Server 16.0.1, Endpoint Server 16.0.1, Symantec DLP Agent 15.8
    Agents and the Endpoint Server send incidents that are based on existing policies that were configured before the upgrade.
    Policies and configuration settings can be sent to agents. However, new policy rules that are introduced in a given release are not supported by earlier agents; in general, new policy rules are supported by the same agent version in which the rule is introduced.

Upgrade Requirements and Restrictions


The following section lists the requirements for performing an upgrade and known issues that can occur when you upgrade Symantec Data Loss Prevention.

Table 155: Upgrade requirements and restrictions

Stop all Network Discover scans before you upgrade the Enforce Server to version 16.0.1.
    You cannot restart Network Discover scans until at least one Network Discover detection server has been upgraded to version 16.0.1.
Do not modify the host name or IP address of a detection server to point to a different detection server after you complete the upgrade.
    Detection servers use the original configured IP address or host name to maintain and report server-level statistics.
Restart the SymantecDLPDetectionServerControllerService service.
    Restarting the service verifies the upgraded detection server versions in the Enforce Server administration console.
Upgrade all Network Discover clusters and detection servers to the latest version.
    After you upgrade the Enforce Server to version 16.0.1, any configuration changes that you make have no effect on detection servers that are not upgraded to 16.0.1.
Confirm that all scan statuses on the Discover Targets page are in a ready and healthy state and that incident replication is complete.
    See Managing Discover Scan Targets.
Run the Discover Cluster Admin Tool to reduce disk space and stop collecting performance statistics.
    Download the Network Discover Cluster Admin Tool package (Symantec_DLP_16.0.1_Discover_Cluster_Admin_Tool_606 from the Broadcom Support Portal.
    Use the following options:
    1. Run defragmentation commands. These commands help to reduce the disk space used by the cluster storage.
    2. Stop collecting performance statistics.
    For more details, see the Readme.txt file that is included with the package.
    Confirm that the Enforce Server, data node, and worker node servers are on.
Back up the Discover Cluster Authentication packages that are generated for the data node and worker node.
    Back up the following files:
    • Worker Node: dlp_discover_cluster_workernode_auth.zip
    • Data Node: dlp_discover_cluster_datanode_auth.zip
    You can back up both files by backing up dlp_discover_cluster_auth.zip.
Migrating a Network Discover cluster to a detection server where Network Discover scans are run is not supported. Likewise, migrating a detection server where Network Discover scans are run to a Network Discover cluster is not supported.
    Install Network Discover clusters on a separate server. Create a File System - High Speed Discovery target that uses a Network Discover cluster.

Related Links
Preparing to Upgrade Symantec Data Loss Prevention on page 351
Prepare to upgrade Symantec Data Loss Prevention by reviewing new features, upgrading components to the minimum
version, and backing up your database.

Preparing your system for the upgrade


Before upgrading to the current version of Symantec Data Loss Prevention, make sure that your system meets the
upgrade requirements. These requirements are described in the following topics:
• Upgrade Requirements and Restrictions
• Preparing the Oracle Database for a Symantec Data Loss Prevention Upgrade
• Checking the database update readiness
• Creating the Enforce Reinstallation Resources file
Make sure that you have also reviewed and acted on the information in the following topic:
Minimum System Requirements for Upgrading to the Current Release

Deleting ICT Components Before Upgrading
Starting with Symantec Data Loss Prevention version 16.0, support for Information Centric Tagging (ICT) is removed. If you implemented ICT in DLP 15.8, use the following steps to remove Content Matches ICT Classification rules and replace them with Content Matches Keyword rules.
1. Deploy 15.8 MP3 agents, which include support for detecting ICT tags by way of a Keyword policy.
2. Switch the "Content Matches ICT Classification" rules in policies to "Content Matches Keyword" rules.
NOTE
During the upgrade to DLP 16.0.1, the URT checks for ICT rules in existing policies. If any ICT rules are detected, the upgrade fails and does not proceed. The rules must be modified before the upgrade.
3. Remove ICT eDAR scans and their related history information.
4. Wait for one month to ensure that all agents receive the updated policies. Waiting also gives all "Content Matches ICT Classification" incidents time to synchronize to the Enforce database.
NOTE
Waiting a month after switching the rules is important before attempting to upgrade to 16.0.1. DLP 16.0.1 must not receive (by way of MVU functionality) .idc files that contain the old ICT rule references. If Enforce receives .idc files that contain old ICT rule references, those .idc files are marked as .idc.bad and the old ICT rule references are dropped.
5. If any ICT incidents are synchronized to Enforce after the upgrade, they are marked as .idc.bad and the ICT incidents are not persisted. Ensure that all detection servers are online so that all incidents are synchronized to Enforce before the upgrade.
6. Once you have completed these changes to ICT rules, rerun the URT. If you get a success message, you can proceed with the upgrade to DLP 16.0.1.

Deleting ICE components from the Enforce Server


Starting with Symantec Data Loss Prevention version 15.8, support for ICE is removed. As a result, you must remove ICE
components from the previous version Enforce Server before you upgrade.
NOTE
Before completing these steps, run the Update Readiness tool. In addition to testing the database schema,
the tool identifies ICE components that are installed on the previous version Enforce Server. See Checking the
database update readiness.
Remove the following ICE components:
1. ICE response rules from policies
Remove ICE response rules
2. ICE configuration settings
Remove ICE settings
3. ICE settings in the agent configuration
Disable ICE settings in the agent configuration

Remove ICE response rules
1. See the Response Rule section under Information Centric Encryption Data Validation in the Update Readiness
Tool log. The section lists response rules that should be deleted.
2. Log in to the Enforce Server administration console and go to the Manage > Policy > Response Rules screen.
3. Complete the following steps for each ICE response rule that is listed in the Response Rule section.
a) Open the response rule and note the policies where it is used.
b) Open the Policies screen, go to the Response Rule tab, and remove the ICE response rule.
c) Open the Response Rules screen and delete the ICE response rules.
4. Run the Update Readiness Tool again to confirm that no ICE response rules are listed in the output.
If the test still lists response rules, complete step 3 again to remove the ICE response rules.
Next: Remove ICE settings

Remove ICE settings


1. See the ICE Configuration Setting section under the Information Centric Encryption Data Validation section in the
Update Readiness Tool log. The section lists ICE settings that should be cleared.
2. Remove the settings by completing the following steps:
a) Go to the System > Settings > General screen.
b) Click Configure, go to the ICE Cloud Access Settings section, and clear the settings.
c) Click Save.
A message appears that confirms that the ICE settings were deleted. The message prompts you to disable ICE
from the Agent Configuration page.
3. Run the Update Readiness Tool again to confirm that no ICE configuration settings are listed in the output.
If the test lists ICE configuration settings, complete step 2 again to remove them.
Next: Disable ICE settings in the agent configuration

Disable ICE settings in the agent configuration


1. See the Agent Configuration Name section under the Information Centric Encryption Data Validation section in
the Update Readiness Tool log. The section lists agent configuration settings that should be disabled.
2. Disable the agent configuration settings by completing the following steps:
a) Go to the System > Agent > Agent Configuration screen.
b) Click an agent configuration where ICE settings are enabled.
c) Click the Settings tab, go to the Information Centric Encryption section, and clear the setting.
d) Click Save.

3. Run the Update Readiness Tool again to confirm that no agent configuration settings are listed in the output.
If the test lists agent configuration settings, complete step 2 for each agent configuration where ICE settings are
enabled.

Preparing Your Environment for Microsoft Rights Management File Monitoring


You must complete prerequisites before enabling Microsoft Rights Management (RMS) file monitoring on Windows
servers. The following prerequisites apply to Azure RMS or Active Directory (AD) RMS.

Prepare the AD RMS Environment for RMS Monitoring
Complete the following steps to prepare your AD RMS environment for monitoring.
1. Confirm that the latest AD RMS client is installed.
2. Confirm that the AD RMS account has Read and Execute permissions to access ServerCertification.asmx.
For additional details, refer to the Microsoft Developer Network article: https://msdn.microsoft.com/en-us/library/
mt433203.aspx.
3. Confirm that the AD RMS superuser group and Service Group both have Read and Execute permissions.
4. Add each detection server to the AD RMS domain.
5. Change the previous Symantec Data Loss Prevention version service user to a domain user that has access to the AD RMS superuser group:
• Shut down all services on the detection server before updating the service user.
• Run the ChangeServiceUser.exe utility to change the service user:
C:\Program Files\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\Protect\bin\ChangeServiceUser.exe
USAGE: ChangeServiceUser.exe [installation directory] [new service user username] [new service user password]
The [new service user password] parameter is optional. If you supply it on the command line, it is visible in the command history and to other processes on the host for the duration of the run.
For example (quote the installation directory because the path contains spaces):
"C:\Program Files\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\Protect\bin\ChangeServiceUser.exe" "C:\Program Files\Symantec\DataLossPrevention" [AD RMS domain name]\[super user username] [super user password]
After the utility runs, the command prompt displays the change status, including the service user change status.
6. Start all services after updating the service user.

Prepare the Azure RMS environment for RMS monitoring


Complete the following steps to prepare your Azure RMS environment for RMS monitoring:

Enabling Microsoft Rights Management File Monitoring

Enabling Microsoft Rights Management File Monitoring


Symantec Data Loss Prevention can detect files that are encrypted using Microsoft Rights Management (RMS)
administered by Azure or Active Directory (AD).
Before you enable Microsoft Rights Management file monitoring, confirm that prerequisites for the RMS environment and
the detection server have been completed.
See Preparing Your Environment for Microsoft Rights Management File Monitoring.
Enabling RMS detection for Azure-managed RMS

For Azure RMS, complete the following on each detection server to enable RMS file monitoring:
1. Locate the plugin Enable-Plugin.ps1 located on the detection server at the following path:

C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService
\16.0.10000\Plugins\Protect\plugins\contentextraction
2. Run the plugin by executing the following command:

powershell.exe -ExecutionPolicy RemoteSigned -File "C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction\Enable-Plugin.ps1"
3. Run the configuration utility ConfigurationCreator.exe to add the system user. Run the utility as the protect
user.
NOTE
Enter all credentials accurately to ensure that the feature is enabled.

C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService
\16.0.10000\Plugins\Protect\plugins\contentextraction\MicrosoftRightsManagementPlugin
\ConfigurationCreator.exe
Do you want to configure ADAL authentication [y/n]: n
Do you want to configure symmetric key authentication [y/n]: y
Enter your symmetric key (base-64): [user's Azure RMS symmetric key]
Enter your app principal ID: [user's Azure RMS app principal ID]
Enter your BPOS tenant ID: [user's Azure RMS BPOS tenant ID]
After you run the utility, the following files are created in the MicrosoftRightsManagementPlugin directory under \Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction:
• rightsManagementConfiguration
• rightsManagementConfigurationProtection
4. Restart each detection server to complete the process.
NOTE
You can confirm that Symantec Data Loss Prevention is monitoring RMS content by reviewing
the ContentExtractionHost_FileReader.log file (located at \ProgramData\Symantec
\DataLossPrevention\DetectionServer\16.0.10000\logs\debug). Error messages that display
for the MicrosoftRightsManagementPlugin.cpp item indicate that the plugin is not monitoring RMS
content.
Enabling RMS detection for AD-managed RMS

For AD RMS, complete the following on each detection server to enable RMS file monitoring:
1. Run the plugin Enable-Plugin.ps1 from the MicrosoftRightsManagementPlugin directory on the detection server:
powershell.exe -ExecutionPolicy RemoteSigned -File "C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction\MicrosoftRightsManagementPlugin\Enable-Plugin.ps1"

2. Restart each detection server to complete the process.
NOTE
You can confirm that Symantec Data Loss Prevention is monitoring RMS content by reviewing
the ContentExtractionHost_FileReader.log file (located at \ProgramData\Symantec
\DataLossPrevention\DetectionServer\16.0.10000\logs\debug). Error messages that display
for the MicrosoftRightsManagementPlugin.cpp item indicate that the plugin is not monitoring RMS
content.

Upgrading to a new release


Learn about upgrading the Enforce Server and detection servers on Windows or Linux.
Upgrading Symantec Data Loss Prevention
Downloading and extracting the upgrade software
Migrating on Windows
Migrating on Linux
Backing up your system
Verifying that the Enforce Server and the detection servers are running
Applying the updated configuration to Endpoint Prevent servers
Upgrading your scanners
Upgrading Endpoint Prevent group directory connections
Upgrading or installing Npcap for Network Monitor
Updating an appliance

Upgrading Symantec Data Loss Prevention


After preparing your system for the upgrade, you are ready to perform the upgrade itself. The following table describes
the high-level steps that are involved in upgrading Symantec Data Loss Prevention. Each step is described in more detail
elsewhere in this chapter, as indicated.
NOTE
If you are upgrading your system and you have deployed Exact Data Matching (EDM) profiles and policies,
there is a specific upgrade path that you must perform so that your profiles and policies update properly. See
Updating EDM indexes to the latest version.

Table 156: Upgrading Symantec Data Loss Prevention

1. Download and extract the upgrade software.
    See Downloading and extracting the upgrade software.
2. Confirm that your existing Enforce Server and detection servers are running.
    See Verifying that the Enforce Server and the detection servers are running.
3. Close all files and folders in your existing Enforce Server environment.
    Ensure that all folders and files in your Data Loss Prevention (for Windows) or DataLossPrevention (for Linux) directory are closed and unlocked. The upgrader requires access to all folders and files during the upgrade process.
4. Install the Java Runtime Environment on the Enforce Server.
    See Install the Java Runtime Environment on the Enforce Server on Windows or Install the Java Runtime Environment on the Enforce Server on Linux.
5. Install the version 16.0.1 Enforce Server.
    See Install an Enforce Server on Windows or Install an Enforce Server on Linux.
6. Migrate the previous version to the version 16.0.1 Enforce Server.
    See Migrate Data on the Enforce Server on Windows or Migrate Data on the Enforce Server on Linux.
7. Install the Java Runtime Environment on the detection server.
    See Install the Java Runtime Environment on a Detection Server on Windows or Install the Java Runtime Environment on a Detection Server on Linux.
8. Install the version 16.0.1 detection servers.
    See Install a Detection Server on Windows or Install a Detection Server on Linux.
9. Migrate the previous version to the version 16.0.1 detection servers.
    See Migrate Data on a Detection Server on Windows or Migrate Data on a Detection Server on Linux.
10. Perform a system backup.
    See Backing up your system.
11. (Optional) Apply the updated agent configuration to Endpoint Prevent detection servers.
    See Applying the updated configuration to Endpoint Prevent servers.
12. (Optional) Update Symantec DLP Agents.
    See About Symantec Data Loss Prevention Agent upgrades.
13. (Optional) Update any scanners.
    See Upgrading your scanners.
14. If you are running a Windows platform, upgrade WinPcap or install Npcap (Network Monitor deployments only).
    See Upgrading or installing Npcap for Network Monitor.

Downloading and extracting the upgrade software


1. Download the following ZIP files from Product Downloads at the Broadcom Support Portal:
• Windows: Symantec_DLP_16.0.1.00000.TBD_Platform_Win-IN.zip
• Linux: Symantec_DLP_16.0.1.00000.TBD_Platform_Lin-IN.zip
• Symantec_DLP_16.0.1_Agent_Win-IN.zip (for Windows Endpoint deployments only)
• Symantec_DLP_16.0.1_Agent_Mac-IN.zip (for macOS Endpoint deployments only)
• Symantec_DLP_16.0.1_Agent_Lin-IN.zip (for Linux Endpoint deployments only)
2. Copy the ZIP files to the computer from which you intend to perform the upgrade. That computer must have a reliable network connection to the Enforce Server.
The files within these ZIP files must be extracted into a directory on a system that is accessible to you. The root directory into which the ZIP files are extracted is referred to as the DLPDownloadHome directory.
3. Extract the contents of the file for your platform.
• Windows: Symantec_DLP_16.0.1.00000.TBD_Platform_Win-IN.zip
• Linux: Symantec_DLP_16.0.1.00000.TBD_Platform_Lin-IN.zip
4. Extract the contents of the Symantec_DLP_16.0.1_Agent_Win-IN.zip file.
5. Extract the contents of the Symantec_DLP_16.0.1_Agent_Mac-IN.zip file.
6. Extract the contents of the Symantec_DLP_16.0.1_Agent_Lin-IN.zip file.
7. Note where you saved the MSI and PKG files so you can quickly find them later.
Related Links
Symantec Data Loss Prevention Upgrade Phases on page 352
Complete the upgrade in the phases that are described in the following sections.

Migrating on Windows
The following sections include steps to migrate to a new version on Windows:
• Migrating the Previous Version to a New Enforce Server Installation on Windows
• Migrating a Previous Version Detection Server or Cluster to the Latest Version on Windows
• Migrating previous version data to a new single-tier installation on Windows

Migrating the Previous Version to a New Enforce Server Installation on Windows


Upgrading the Enforce Server includes installing the new version where the existing version is running and migrating data
to the new version.
NOTE
Before starting the migration process, ensure that the database is ready for the migration. See Preparing the
Oracle Database for a Symantec Data Loss Prevention Upgrade
NOTE
The migration process backs up services .conf files. You can locate these files at \Program Files
\Symantec\DataLossPrevention\EnforceServer\<source_version>\Protect\backups\ in a
folder that is formatted as service-yyyy-mm-dd-hh-mm-ss. (Replace <source_version> with the previous
version number.) You use the .conf files if you are recovering your previous version system. See Maintaining
the DLP System.

Table 157: Steps to migrate the previous version to a new Enforce Server installation

Step | Action | More info
1 | Install the Microsoft Visual C++ Redistributable for Visual Studio 2015, 2017, and 2019. After you complete the installation, restart the server. | Download the VC_redist.x64.exe file from The latest supported Visual C++ downloads.
2 | Install the Java Runtime Environment on the Enforce Server. | See Install the Java Runtime Environment on the Enforce Server on Windows.
3 | Install the version 16.0.1 Enforce Server. You install the Enforce Server on the same system where the previous version is running. | See Install an Enforce Server on Windows.
4 | Migrate the previous version to the version 16.0.1 Enforce Server. | See Migrate Data on the Enforce Server on Windows.
5 | Back up the upgraded system. | See Backing up your system.

The process to migrate does not move all plug-ins. See Migrating plug-ins.

Install the Java Runtime Environment on the Enforce Server on Windows

You install the Java Runtime Environment (JRE) on the Enforce Server before you install the Enforce Server.
1. Log on (or remote logon) as Administrator to the Enforce Server system on which you intend to install Enforce.
2. Copy OpenJDK8U-jre_x64_windows_hotspot_<version>.zip from your DLPDownloadHome\DLP
\16.0.1\New_Installs\x64\Release directory to the computer where you plan to install the Enforce Server
(for example, to c:\temp). <version> represents the latest supported version.
3. Unzip the file to C:\Program Files\AdoptOpenJRE\jdk<version>-jre.
Install an Enforce Server on Windows

The instructions that follow describe how to install an Enforce Server on a Windows computer in a two- or three-tier
environment. The steps to install the Enforce Server in a single-tier environment are different; see Installing a single-tier
server on Windows.
NOTE
If you are running the database in a RAC environment, confirm that the scan host IP for RAC is accessible and
the nodes associated with it are all up and running during the install process.
These instructions assume that the EnforceServer.msi file and license file have been copied into the c:\temp
directory on the Enforce Server computer.
NOTE
Enter directory names, account names, passwords, IP addresses, and port numbers that you create or specify
during the installation process using standard 7-bit ASCII characters only. Extended (hi-ASCII) and double-byte
characters are not supported.
The installation process automatically generates log information saved to a file MSI*.log (* is replaced with random
characters) in the %TEMP% folder. You can change log file name and location by starting the installation from the command
line by running the /L*v option. See the example below:
msiexec /i EnforceServer.msi /L*v c:\temp\enforce_install.log

You can complete the installation silently or using a graphical user interface.

Table 158: Enforce Server installation parameters for upgrading

Command | Description
INSTALLATION_DIRECTORY | Specifies where the Enforce Server is installed. The default location is C:\Program Files\Symantec\DataLossPrevention.
DATA_DIRECTORY | Defines where Symantec Data Loss Prevention stores files that are updated while the Enforce Server is running (for example, logs and licenses). The default location is c:\ProgramData\Symantec\DataLossPrevention\EnforceServer\. Note: If you do not use the default location, you must indicate a folder name for the data directory. If you set the data directory to the drive root (for example c:\ or e:\) you cannot successfully uninstall the program.
JRE_DIRECTORY | Specifies the path where the JRE resides. See Install the Java Runtime Environment on the Enforce Server on Windows.
FIPS_OPTION | Defines whether to disable (Disabled) or enable (Enabled) FIPS encryption. The default is disabled.
SERVICE_USER_USERNAME | Defines a name for the account that is used to manage Symantec Data Loss Prevention services. The default user name is “SymantecDLP.” The name you enter should match the user name you used when you installed Symantec Data Loss Prevention. If the user name does not match, add the new user name log on credentials to the DLP services after you complete the migration process.
SERVICE_USER_PASSWORD | Defines the password for the account that is used to manage Symantec Data Loss Prevention services.
ORACLE_HOME | Defines the Oracle Home Directory. For example, use c:\oracle\product\19.3.0.0\db_1 to define the home directory if you use the Oracle 19c database.
ORACLE_HOST | Defines the IP address of the Oracle server computer. If you are running the Oracle database in a RAC environment, use the scan host IP address for the host, not the database IP address. Confirm that the scan host IP for RAC is accessible and that all of the nodes associated with it are running during the installation process.
ORACLE_PORT | Defines the Oracle listener port (typically 1521).
ORACLE_USERNAME | Defines the Symantec Data Loss Prevention database user name.
ORACLE_PASSWORD | Defines the Symantec Data Loss Prevention database password.
ORACLE_SERVICE_NAME | Defines the database service name (typically “protect”).

The following is an example of what the completed command might look like. The command you use differs based on your
implementation requirements. Using the following command as-is may cause the installation to fail.

msiexec /i EnforceServer.msi /qn /norestart
INSTALLATION_DIRECTORY="C:\Program Files\Symantec\DataLossPrevention"
DATA_DIRECTORY="C:\ProgramData\Symantec\DataLossPrevention\EnforceServer"
JRE_DIRECTORY="C:\Program Files\AdoptOpenJRE\jdk8u322-b06-jre"
FIPS_OPTION=Disabled
SERVICE_USER_PASSWORD=<password>
ORACLE_HOST=[IP or host name]
ORACLE_PORT=1521
ORACLE_USERNAME=protect
ORACLE_PASSWORD=<password>
ORACLE_SERVICE_NAME=protect
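As an added example that is not part of the Symantec documentation, the following PowerShell script assembles the silent Enforce Server install from the Table 158 parameters and checks the constraints this section states (7-bit ASCII values only, data directory not at a drive root, JRE already unzipped) before invoking msiexec with verbose logging. The paths, the Oracle host, and the ConvertFrom-Secure helper are assumptions for illustration.

```powershell
# Added example, not Symantec's code. Builds and runs the silent Enforce Server
# install with the parameters documented in Table 158, after pre-flight checks.
# All paths and the Oracle host below are assumed values for illustration.
$params = [ordered]@{
    INSTALLATION_DIRECTORY = 'C:\Program Files\Symantec\DataLossPrevention'
    DATA_DIRECTORY         = 'C:\ProgramData\Symantec\DataLossPrevention\EnforceServer'
    JRE_DIRECTORY          = 'C:\Program Files\AdoptOpenJRE\jdk8u322-b06-jre'
    FIPS_OPTION            = 'Disabled'
    SERVICE_USER_USERNAME  = 'SymantecDLP'
    ORACLE_HOST            = '127.0.0.1'      # two-tier layout: Oracle on the same host
    ORACLE_PORT            = '1521'
    ORACLE_USERNAME        = 'protect'
    ORACLE_SERVICE_NAME    = 'protect'
}

# Helper (assumed, not from the guide): read a SecureString back as plain text
# only at the moment it is placed on the msiexec command line.
function ConvertFrom-Secure([securestring]$Secure) {
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try   { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}
$params['SERVICE_USER_PASSWORD'] = ConvertFrom-Secure (Read-Host -Prompt 'Service user password' -AsSecureString)
$params['ORACLE_PASSWORD']       = ConvertFrom-Secure (Read-Host -Prompt 'Oracle protect password' -AsSecureString)

# Check 1: the installer supports only standard 7-bit ASCII in names, paths,
# passwords, addresses and ports (see the NOTE above).
foreach ($kv in $params.GetEnumerator()) {
    if ($kv.Value -match '[^\x00-\x7F]') { throw "$($kv.Key) contains non-ASCII characters" }
}
# Check 2: a data directory at the drive root (c:\, e:\) cannot be uninstalled later.
if ($params['DATA_DIRECTORY'] -match '^[A-Za-z]:\\?$') { throw 'DATA_DIRECTORY must not be a drive root' }
# Check 3: the JRE must already be unzipped where JRE_DIRECTORY points.
if (-not (Test-Path -LiteralPath (Join-Path $params['JRE_DIRECTORY'] 'bin\java.exe'))) {
    throw "No JRE found under $($params['JRE_DIRECTORY']); install the JRE first"
}
# Check 4: the Oracle listener port must be numeric.
if ($params['ORACLE_PORT'] -notmatch '^\d{1,5}$') { throw 'ORACLE_PORT must be a port number' }

# Build the argument list: /qn for silent, /norestart, /L*v for a verbose log.
$log     = 'C:\temp\enforce_install.log'
$msiArgs = @('/i', 'C:\temp\EnforceServer.msi', '/qn', '/norestart', '/L*v', $log)
foreach ($kv in $params.GetEnumerator()) { $msiArgs += ('{0}="{1}"' -f $kv.Key, $kv.Value) }

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
# msiexec exits 0 on success and 3010 when the install succeeded but a restart is pending.
if ($proc.ExitCode -notin 0, 3010) {
    # Surface the final status line from the verbose log instead of the whole file.
    Select-String -Path $log -Pattern 'Installation success or error status' | Select-Object -Last 1
    throw "Enforce Server install failed with exit code $($proc.ExitCode); see $log"
}
```

Verbose MSI logs can record property values passed on the command line, so restrict access to the log file and remove it once the install has been verified.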

1. Symantec recommends that you disable any antivirus, pop-up blocker, and registry protection software before you
begin the Symantec Data Loss Prevention installation process.
2. Log on (or remote logon) as Administrator to the Enforce Server system where you intend to run the Migration Utility.
3. Go to the folder where you copied the EnforceServer.msi file (c:\temp).
4. Double-click EnforceServer.msi to start the installation wizard.
NOTE
The installation process automatically generates log information saved to a file MSI*.log (replace * with
random characters) in the %TEMP% folder. You can change log file name and location by starting the
installation from the command line by running the /L*v option.

msiexec /i EnforceServer.msi /L*v c:\temp\enforce_install.log

5. In the Welcome panel, click Next.


6. After you review the license agreement, select I accept the terms in the License Agreement, and click Next.
7. In the Destination Folder panel, accept the default destination directory, or enter an alternate directory, and click
Next. The default installation directory is:
c:\Program Files\Symantec\DataLossPrevention\

Symantec recommends that you use the default destination directory. References to the "installation directory" in
Symantec Data Loss Prevention documentation are to this default location.
8. In the Data Directory panel, accept the default data directory, or enter an alternate directory, and click Next. The
default data directory is:
c:\ProgramData\Symantec\DataLossPrevention\
NOTE
If you do not use the default location, you must indicate a folder name for the data directory (for example,
c:\enforcedata). If you set the data directory to the drive root (for example c:\ or e:\) you cannot
successfully uninstall the program.
9. In the JRE Directory panel, click Browse to locate the JRE, and click Next.
10. In the FIPS Cryptography Mode panel, select whether to disable or enable FIPS encryption.
11. In the Service User panel, select one of the following options.
• Existing Users: Select this option to use an existing local or domain user account.
Click Next.
12. In the Oracle Database panel, enter details about the Oracle database server. Specify one of the following options in
the Oracle Database Server field:

Host: Enter host information based on your Symantec Data Loss Prevention installation:
• Single- and two-tier installation (Enforce and Oracle servers on the same system): The Oracle Server
location is 127.0.0.1.
• Three-tier installation (Enforce Server and Oracle server on different systems): Specify the Oracle server
host name or IP address.
If you are running the Oracle database in a RAC environment, use the scan host IP address for the host,
not the database IP address. Confirm that the scan host IP for RAC is accessible and that all of the nodes
associated with it are running during the installation process.
Port: Enter the Oracle Listener Port, or accept the default.
Service Name: Enter the database service name (typically “protect”).
Username: Enter the Symantec Data Loss Prevention database user name.
Password: Enter the Symantec Data Loss Prevention database password.

If your Oracle database is not a supported version, you are warned and offered the choice of continuing or canceling
the installation. You can continue and upgrade the Oracle database later.
NOTE
Symantec Data Loss Prevention requires the Oracle database to use the AL32UTF8 character set. If your
database is configured for a different character set, you are notified and the installation is canceled. Correct
the problem and re-run the installer.

13. Click Next.
14. In the Additional Locale panel, select an alternate locale, or accept the default of None, and click Next.
Locale controls the format of numbers and dates, and how lists and reports are alphabetically sorted. If you accept
the default choice of None, English is the locale for this Symantec Data Loss Prevention installation. If you choose an
alternate locale, that locale becomes the default for this installation, but individual users can select English as a locale
for their use.
See About locales for more information on locales.
15. Click Install.
The installation process can take a few minutes. After a successful installation, a completion notice displays.
16. Restart any antivirus, pop-up blocker, or other protection software that you disabled before starting the Symantec Data
Loss Prevention installation process.
17. Run the Upgrade Readiness tool to confirm that the Oracle database is ready to be migrated to the new instance.

Next: Migrate Data on the Enforce Server on Windows


Migrate Data on the Enforce Server on Windows

After you install the version 16.0.1 Enforce Server, you use the Migration Utility to migrate data to the new instance. The
Migration Utility migrates Enforce Server data in two phases as listed in the following table:

Table 159: Enforce Server migration phases

Phase | Description
1 | Runs a report to confirm the status of the file system. The report lists information to confirm that the file system is ready for migration and identifies issues. The report lists saved customizations. Saved customizations include certificates, keystores, plugins, FlexResponse scripts, and configuration file settings. The first phase of the migration also moves data files, document profiles, property files, plugins, and keystores to the 16.0.1 instance.
2 | Performs pre-checks before DLP services are taken down during the migration. The second phase moves incidents, indexes, services, and the database.

Before you run the Migration Utility, run the Update Readiness Tool to confirm that the database is ready for migration.
See Checking the database update readiness.
You can migrate data silently or using interactive mode.
Migrate Silently
1. Log on (or remote logon) as Administrator to the Enforce Server system where you intend to run the Migration Utility.
2. Use the command prompt to navigate to the following directory:
C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\Migrator
3. Run the following command in an elevated command prompt:
MigrateEnforce.bat
-silent
-sourceVersion="<previous version>"
-jreDirectory="C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre"

Where <previous version> represents the previous, active version (for example, use -sourceVersion=16.0 to
migrate from Symantec Data Loss Prevention version 16.0).
A message indicates when the migration completes.
Migrate Using Interactive Mode
1. Log on (or remote logon) as Administrator to the Enforce Server system where you intend to run the Migration Utility.
2. Use the command prompt to navigate to the following directory:
C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\Migrator
3. Run the Migration Utility: migrateEnforce.bat.
4. Confirm that OpenJRE is installed at the listed location, then press Enter.
If no JRE displays, you must install it before proceeding.
See Install the Java Runtime Environment on the Enforce Server on Windows.
A list of the migration phases appears.
5. Enter Y and press Enter to start phase 1.
6. Select the active Symantec Data Loss Prevention version to migrate and press Enter.
After phase 1 completes, a message provides a path to where you can access the phase 1 report. The report
lists details about the data files, document profiles, property files, plugins, and keystores that were migrated. Resolve
any errors listed on this page before proceeding to phase 2.
NOTE
The previous version continues to run, including the services and the database, after phase 1
completes. You can exit the migration process and continue to phase 2 at a later time.
7. Press Enter to start phase 2.
A message indicates when the migration completes.
NOTE
If the upgrade fails because of DatabaseProcessCheck, see Stop all Symantec Data Loss Prevention
database sessions.
8. If migration fails, review the Enforce Server MigrationUtility.log located at C:\ProgramData\Symantec
\DataLossPrevention\EnforceServer\16.0.10000\logs\debug\ for more details.

Migrating a Previous Version Detection Server or Cluster to the Latest Version on Windows
Upgrade the detection server or cluster by installing the new version where the existing version is running and migrating
data to the new version.
The migration process backs up services .conf files. You can locate these files at \Program Files\Symantec
\DataLossPrevention\DetectionServer\<source_version>\Protect\backups\ in a folder formatted
as service-yyyy-mm-dd-hh-mm-ss. (Replace <source_version> with the previous version number.) You use the
.conf files if you are recovering your previous version system. See Backing Up and Recovering on Windows for more
information about recovering your system.

Table 160: Steps to Migrate the Previous Version to a New Detection Server or Cluster

Step | Action
1 | Install the Java Runtime Environment on the detection server or cluster. See Install the Java Runtime Environment on a Detection Server on Windows.
2 | Install the 16.0.1 detection server or clusters.
3 | Migrate the previous version to the version 16.0.1 detection servers or clusters.
4 | Back up the upgraded system.

Install the Java Runtime Environment on a Detection Server on Windows

You install the Java Runtime Environment (JRE) on the server computer before you install the detection server.
1. Log on (or remote logon) as Administrator to the server computer on which you intend to install the detection server.
2. Copy OpenJDK8U-jre_x64_windows_hotspot_<version>.zip from your DLPDownloadHome\DLP
\16.0.1\New_Installs\x64\Release directory to the computer where you plan to install the detection server
(for example, to c:\temp).
3. Unzip the file to C:\Program Files\AdoptOpenJRE\<version>-jre.
Replace <version> with the JRE version.
Install a Detection Server on Windows

Complete the following steps to install the detection server software on a server computer.
After you install the detection server, you migrate previous version data to complete the upgrade process.
NOTE
The following instructions assume that the DetectionServer.msi file has been copied into the c:\temp
directory on the server computer. See Downloading and extracting the upgrade software.
The installation process automatically generates log information saved to a file MSI*.log (* is replaced with random
characters) in the %TEMP% folder. You can change the log file name and location by starting the installation from the
command line with the /L*v option. See the example below:
msiexec /i DetectionServer.msi /L*v c:\temp\detectionserver_install.log

You can complete the installation silently from the command line. Enter values with information specific to your installation
for the following:

Table 161: Detection Server Installation Parameters for Upgrading

Command | Description
INSTALLATION_DIRECTORY | Specifies where the detection server is installed. The default location is C:\Program Files\Symantec\DataLossPrevention.
DATA_DIRECTORY | Defines where Symantec Data Loss Prevention stores files that are updated while the Enforce Server is running (for example, logs and licenses). The default location is \ProgramData\Symantec\DataLossPrevention\DetectionServer\. Note: If you do not use the default location, you must indicate a folder name for the data directory. If you set the data directory to the drive root (for example c:\ or e:\) you cannot successfully uninstall the program.
JRE_DIRECTORY | Specifies where the JRE resides. See Install the Java Runtime Environment on a Detection Server on Windows.
FIPS_OPTION | Defines whether to disable (Disabled) or enable (Enabled) FIPS encryption. The default is disabled.
SERVICE_USER_USERNAME | Defines a name for the account that is used to manage Symantec Data Loss Prevention services. The default user name is “SymantecDLP.” The name you enter should match the user name you used when you installed Symantec Data Loss Prevention. If the user name does not match, you must update DLP services to have access to the new user name after you complete the migration process.
SERVICE_USER_PASSWORD | Defines the password for the account that is used to manage Symantec Data Loss Prevention services.

The following text is an example of what the completed command might look like. The command you use differs based on
your implementation requirements. Using the following command as-is may cause the installation to fail.
msiexec /i DetectionServer.msi /qn /norestart
INSTALLATION_DIRECTORY="C:\Program Files\Symantec\DataLossPrevention"
DATA_DIRECTORY="C:\ProgramData\Symantec\DataLossPrevention\DetectionServer"
JRE_DIRECTORY="C:\Program Files\AdoptOpenJRE\jdk8u322-b06-jre"
FIPS_OPTION=Disabled
SERVICE_USER_OPTION=ExistingUser

1. Log on as Administrator to the computer on which you plan to install the detection server.
2. If you are installing a Network Monitor detection server, install Npcap on the server computer.
Complete the following steps to install Npcap:
a) Locate the Npcap file npcap-1.10-oem.exe at DLP_Home\Third_Party directory, where DLP_Home is the
name of the directory in which you unzipped the Symantec Data Loss Prevention software.
b) Double-click on the npcap-1.10-oem.exe and follow the on-screen installation instructions.
c) Install Npcap using WinPcap Compatible Mode.
3. Copy the detection server installer (DetectionServer.msi) from the Enforce Server to a local directory on the
detection server.
DetectionServer.msi is included in your software download (DLPDownloadHome) directory.

4. Click Start > Run > Browse to navigate to the folder where you copied the DetectionServer.msi file.
5. Double-click DetectionServer.msi to start the installation wizard.
The Welcome panel of the Installation Wizard appears.
NOTE
The installation process automatically generates log information saved to a file MSI*.log (replace * with
random characters) in the %TEMP% folder. You can change the log file name and location by starting the
installation from the command line with the /L*v option. See the example below:
msiexec /i DetectionServer.msi /L*v c:\temp\detectionserver_install.log

6. Click Next.
The End-User License Agreement panel displays.
7. After reviewing the license agreement, select I accept the terms in the License Agreement, and click Next.
8. In the Destination Folder panel, accept the default destination directory, or enter an alternate directory, and click
Next.
For example: c:\Program Files\Symantec\DataLossPrevention\
Symantec recommends that you use the default destination directory. However, you can click Change to navigate to a
different installation location instead.
NOTE
Directory names, IP addresses, and port numbers created or specified during the installation process must
be entered in standard 7-bit ASCII characters only. Extended (hi-ASCII) and double-byte characters are not
supported.
9. In the Data Directory panel, accept the default data directory, or enter an alternate directory, and click Next. The
default data directory is c:\ProgramData\Symantec\DataLossPrevention\.

NOTE
If you do not use the default location, you must indicate a folder name for the data directory. If you set the
data directory to the drive root (for example c:\ or e:\) you cannot successfully uninstall the program.
10. In the JRE Directory panel, click Browse to locate the JRE, and click Next.
11. In the FIPS Cryptography Mode panel, select whether to disable or enable FIPS encryption.
12. In the Service User panel select the existing local or domain user account.
13. In the Server Bindings panel, enter the following settings:
• Host. Enter the host name or IP address of the detection server.
• Port. Accept the default port number (8100) on which the detection server should accept connections from the
Enforce Server. If you cannot use the default port, you can change it to any port higher than port 1024, in the range
of 1024–65535.
14. Click Install to begin the installation process.
The Installing panel appears, and displays a progress bar. After a successful installation, the Completed panel
appears. Click Finish.
15. Restart any antivirus, pop-up blocker, or other protection software that you disabled before starting the detection
server installation process.

Migrate Data on a Detection Server on Windows

Use the Migration Utility to migrate data to the new version 16.0.1 detection server instance.
The Migration Utility migrates detection server data in two phases as listed in the following table:

Table 162: Detection Server Migration Phases

Phase | Description
1 | Runs a report to confirm the status of the file system. The first phase of the migration moves data files, document profiles, property files, plugins, and keystores to the 16.0.1 instance. Phase 1 completes by generating a report that lists saved customizations. Saved customizations include certificates, keystores, plugins, FlexResponse scripts, and configuration file settings. Previous version services continue to run.
2 | Performs pre-checks before DLP services are taken down during the migration. The second phase migrates services.

You can migrate data silently or using interactive mode.


Migrate Using Silent Mode
1. Use the command prompt to navigate to the following directory:
C:\Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect
\Migrator
2. Use the following command to complete the migration using Silent Mode:
MigrateDetectionServer.bat
-silent
-sourceVersion="<previous version>"
-jreDirectory="C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre"

where <previous version> represents the previous, active version (for example, use -sourceVersion=16.0 to
migrate from Symantec Data Loss Prevention version 16.0).
A message indicates when the migration completes.
Migrate Using Interactive Mode
1. Use the command prompt to navigate to the following directory:
C:\Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect
\Migrator
2. Run the Migration Utility: migrateDetection.bat.
3. Confirm that OpenJRE is installed at the listed location, then press Enter.
If no JRE displays, you must install it before proceeding.
See Install the Java Runtime Environment on a Detection Server on Windows.
4. Enter Y and press Enter to start phase 1.

5. Select the active Symantec Data Loss Prevention version to migrate and press Enter.
After phase 1 completes, a message provides a path to where you can access the phase 1 report. The report
lists details about the data files, document profiles, property files, plugins, and keystores that were migrated. Resolve
any errors listed on this page before proceeding to phase 2.

NOTE
The previous version continues to run, including the services and the database, after phase 1
completes. You can exit the migration process and continue to phase 2 at a later time.
6. Press Enter to start phase 2.
A message indicates when the migration completes.
7. If the migration fails, review the detection server migration logs in MigrationUtility.log located at C:
\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs\debug.

The process to migrate data does not move all plug-ins. See Migrating Plug-ins.
Install a Network Discover Cluster on Windows

Follow this procedure to install the Network Discover Cluster software on a Windows server computer.
Before You Begin
Complete the following prerequisites before starting the Network Discover Cluster installation:
• Copy the DetectionServer.msi file into the c:\temp directory on the server computer.
• Install the JRE where you plan to install the nodes. See Install the Java Runtime Environment on a Detection Server
on Windows.
Install the Nodes
Complete the following procedure to install the node software on a server computer. You specify the node type during the
installation process.
Install a data node before installing worker nodes. Installing the data node first defines where worker nodes communicate
once they are installed.
See Detection Servers for details on nodes.
The installation process automatically generates log information that is saved to a file MSI*.log (* is replaced with
random characters) in the %TEMP% folder. You can change the log file name and location by starting the installation from the
command line with the /L*v option. See the example below:
msiexec /i DetectionServer.msi /L*v c:\temp\detectionserver_install.log

You can complete the installation silently from the command line or from a graphical user interface.
Install Nodes Silently
You can opt to install nodes from the command line.
Enter values with information specific to your installation for the parameters listed in the following table:

Table 163: Node installation parameters for upgrading

Command | Description
INSTALLATION_DIRECTORY | Specifies where the node is installed. The default location is C:\Program Files\Symantec\DataLossPrevention.
DATA_DIRECTORY | Defines where Symantec Data Loss Prevention stores files that are updated while the Enforce Server is running (for example, logs and licenses). The default location is \ProgramData\Symantec\DataLossPrevention\DetectionServer\. Note: If you do not use the default location, you must indicate a folder name for the data directory. If you set the data directory to the drive root (for example, c:\ or e:\) you cannot successfully uninstall the program.
JRE_DIRECTORY | Specifies where the JRE resides. See Install the Java Runtime Environment on a Detection Server on Windows.
FIPS_OPTION | Defines whether to disable (Disabled) or enable (Enabled) FIPS encryption. The default is disabled.
SERVICE_USER_USERNAME | Defines a name for the account that is used to manage Symantec Data Loss Prevention services. The default username is “SymantecDLP.” The name that you enter should match the user name you used when you installed Symantec Data Loss Prevention. If the user name does not match, you must update DLP services to have access to the new user name after you complete the migration process.
SERVICE_USER_PASSWORD | Defines the password for the account that is used to manage Symantec Data Loss Prevention services.
DISCOVER_CLUSTER_ROLE_OPTION | Defines the type of server that you are installing, which includes the following values: DN for data node; WN for worker node.
DISCOVER_CLUSTER_IP | Defines the data node IP address. If you are installing the data node, enter the internal IP address of the server where you plan to install the data node.
DISCOVER_CLUSTER_DISCOVERY_PORT_RANGE | Used with the cluster IP to discover data nodes in a cluster. This parameter is required for the data node installation. The default value is 47500..47520.
DISCOVER_CLUSTER_CLIENT_CONNECTION_PORT_RANGE | Defines the range of ports used for communication between worker and data nodes in a cluster. This parameter is required for the data node and worker node installation. The default value is 10800..10820.
DISCOVER_CLUSTER_AUTH_PACKAGE | Defines the authentication package location. Target the file based on the node type that you are installing: worker node, dlp_discover_cluster_workernode_auth.zip; data node, dlp_discover_cluster_datanode_auth.zip.

The following examples list completed commands for worker nodes and data nodes. The commands that you use differ
based on your implementation requirements. Using the following commands as-is may cause the installation to fail.
• Data node example command:
msiexec /i "DetectionServer.msi" /qn /norestart /log "package_det_install.log"
JRE_DIRECTORY="C:\Program Files\AdoptOpenJDK\jre-8.0.262.10-hotspot"
FIPS_OPTION="Disabled"
SERVICE_USER_USERNAME="SymantecDLP"
SERVICE_USER_PASSWORD=<password>
DISCOVER_CLUSTER_ROLE_OPTION=DN
DISCOVER_CLUSTER_IP=0.0.0.0
INSTALLATION_DIRECTORY="C:\Program Files\Symantec\DataLossPrevention"
DISCOVER_CLUSTER_AUTH_PACKAGE="C:\temp\dlp_discover_cluster_datanode_auth.zip"
DISCOVER_CLUSTER_CLIENT_CONNECTION_PORT_RANGE=<StartPort>..<EndPort>
DISCOVER_CLUSTER_DISCOVERY_PORT_RANGE=<StartPort>..<EndPort>
• Worker node example command:
msiexec /i "DetectionServer.msi" /qn /norestart /log "package_det_install.log"
JRE_DIRECTORY="C:\Program Files\AdoptOpenJDK\jre-8.0.262.10-hotspot"
FIPS_OPTION="Disabled"
SERVICE_USER_USERNAME="SymantecDLP"
SERVICE_USER_PASSWORD=<password>
DISCOVER_CLUSTER_ROLE_OPTION=WN
DISCOVER_CLUSTER_IP=0.0.0.0
INSTALLATION_DIRECTORY="C:\Program Files\Symantec\DataLossPrevention"
DISCOVER_CLUSTER_AUTH_PACKAGE="C:\temp\dlp_discover_cluster_workernode_auth.zip"
DISCOVER_CLUSTER_CLIENT_CONNECTION_PORT_RANGE=<StartPort>..<EndPort>
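The following PowerShell function is an added example, not Symantec's code: it validates the node parameters from Table 163 before building the silent-install command, so that the auth package matches the node role, the start..end port ranges are well formed, and the discovery range is supplied only where a data node requires it. The data node address, auth package folder, and JRE path are assumptions.

```powershell
# Added example, not Symantec's code. Validates Network Discover cluster node
# parameters (Table 163) and builds the msiexec argument list for one node.
# Addresses, folders and the JRE path used below are assumed values.

function Test-PortRange {
    # The installer expects a range written as start..end (for example 47500..47520).
    param([string]$Range)
    if ($Range -notmatch '^(\d{1,5})\.\.(\d{1,5})$') { return $false }
    $start = [int]$Matches[1]
    $end   = [int]$Matches[2]
    return ($start -ge 1 -and $end -le 65535 -and $start -le $end)
}

function New-NodeInstallArgs {
    param(
        [Parameter(Mandatory)][ValidateSet('DN', 'WN')][string]$Role,
        [Parameter(Mandatory)][string]$DataNodeIp,        # internal address of the data node
        [Parameter(Mandatory)][string]$ClientPortRange,   # required for DN and WN
        [string]$DiscoveryPortRange,                      # required for DN only
        [Parameter(Mandatory)][string]$AuthPackageDir,    # folder holding the *_auth.zip files
        [Parameter(Mandatory)][string]$JreDirectory,
        [Parameter(Mandatory)][string]$ServiceUserPassword,
        [string]$LogPath = 'C:\temp\package_det_install.log'
    )
    # The auth package is role-specific; installing a worker with the data node
    # package (or vice versa) is an easy mistake in a silent install.
    $pkgName = if ($Role -eq 'DN') { 'dlp_discover_cluster_datanode_auth.zip' }
               else                { 'dlp_discover_cluster_workernode_auth.zip' }
    $pkgPath = Join-Path $AuthPackageDir $pkgName
    if (-not (Test-Path -LiteralPath $pkgPath)) { throw "Auth package for role $Role not found: $pkgPath" }

    if (-not (Test-PortRange $ClientPortRange)) {
        throw "DISCOVER_CLUSTER_CLIENT_CONNECTION_PORT_RANGE is not a valid start..end range: $ClientPortRange"
    }
    # Table 163 asks for the data node's internal address; require dotted IPv4 form.
    if ($DataNodeIp -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { throw "DISCOVER_CLUSTER_IP is not an IPv4 address: $DataNodeIp" }

    $props = [ordered]@{
        INSTALLATION_DIRECTORY                        = 'C:\Program Files\Symantec\DataLossPrevention'
        JRE_DIRECTORY                                 = $JreDirectory
        FIPS_OPTION                                   = 'Disabled'
        SERVICE_USER_USERNAME                         = 'SymantecDLP'
        SERVICE_USER_PASSWORD                         = $ServiceUserPassword
        DISCOVER_CLUSTER_ROLE_OPTION                  = $Role
        DISCOVER_CLUSTER_IP                           = $DataNodeIp
        DISCOVER_CLUSTER_AUTH_PACKAGE                 = $pkgPath
        DISCOVER_CLUSTER_CLIENT_CONNECTION_PORT_RANGE = $ClientPortRange
    }
    if ($Role -eq 'DN') {
        # The discovery range is required for the data node and is not used by workers.
        if (-not (Test-PortRange $DiscoveryPortRange)) {
            throw "DISCOVER_CLUSTER_DISCOVERY_PORT_RANGE is required for a data node: '$DiscoveryPortRange'"
        }
        $props['DISCOVER_CLUSTER_DISCOVERY_PORT_RANGE'] = $DiscoveryPortRange
    }
    # Installer limitation from this guide: all values must be 7-bit ASCII.
    foreach ($kv in $props.GetEnumerator()) {
        if ($kv.Value -match '[^\x00-\x7F]') { throw "$($kv.Key) contains non-ASCII characters" }
    }
    $msiArgs = @('/i', 'DetectionServer.msi', '/qn', '/norestart', '/L*v', $LogPath)
    foreach ($kv in $props.GetEnumerator()) { $msiArgs += ('{0}="{1}"' -f $kv.Key, $kv.Value) }
    return $msiArgs
}

# Run this on the data node first; worker hosts run the same script with -Role WN
# and without -DiscoveryPortRange, as the guide requires the data node to exist first.
$svcPwd   = Read-Host -Prompt 'Service user password'
$nodeArgs = New-NodeInstallArgs -Role DN -DataNodeIp '10.0.0.10' `
    -ClientPortRange '10800..10820' -DiscoveryPortRange '47500..47520' `
    -AuthPackageDir 'C:\temp' -JreDirectory 'C:\Program Files\AdoptOpenJRE\jdk8u322-b06-jre' `
    -ServiceUserPassword $svcPwd
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $nodeArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {
    throw "Node install failed with exit code $($proc.ExitCode); see C:\temp\package_det_install.log"
}
```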

Install Nodes Using a Graphical User Interface


You can opt to install nodes using a graphical user interface.
1. Log on as Administrator to the computer on which you plan to install the node.
2. Copy the detection server installer (DetectionServer.msi) from the Enforce Server to a local directory on the
node.
DetectionServer.msi is included in your software download (DLPDownloadHome) directory.
3. Click Start > Run > Browse to navigate to the folder where you copied the DetectionServer.msi file.
4. Double-click DetectionServer.msi to start the installation wizard.
The Welcome panel of the Installation Wizard appears.
NOTE
The installation process automatically generates log information that is saved to a file MSI*.log (replace *
with random characters) in the %TEMP% folder. You can change the log file name and location by starting the
installation from the command line with the /L*v option. See the example below:
msiexec /i DetectionServer.msi /L*v c:\temp\detectionserver_install.log

5. Click Next.
The End-User License Agreement panel displays.
6. After reviewing the license agreement, select I accept the terms in the License Agreement, and click Next.
7. In the Destination Folder panel, accept the default destination directory, or enter an alternate directory, and click
Next.
For example: c:\Program Files\Symantec\DataLossPrevention\
Symantec recommends that you use the default destination directory. However, you can click Change to navigate to a
different installation location instead.

NOTE
Directory names, IP addresses, and port numbers that are created or specified during the installation
process must be entered in standard 7-bit ASCII characters only. Extended (hi-ASCII) and double-byte
characters are not supported.
8. In the Data Directory panel, accept the default data directory, or enter an alternate directory, and click Next. The
default data directory is: c:\ProgramData\Symantec\DataLossPrevention\.
NOTE
If you do not use the default location, you must indicate a folder name for the data directory. If you set the
data directory to the drive root (for example, c:\ or e:\) you cannot successfully uninstall the program.
9. In the JRE Directory panel, click Browse to locate the JRE, and click Next.
10. In the FIPS Cryptography Mode panel, select whether to disable or enable FIPS encryption.
11. In the Service User panel select the existing local or domain user account.
12. In the Server Bindings panel, enter the following settings:
• Host: Enter the host name or IP address of the data node.
• Port: Accept the default port number (8100) on which the data node should accept connections from the Enforce
Server. If you cannot use the default port, you can change it to any port higher than port 1024, in the range of
1024–65535.
Click Next.
13. In the Server Role panel, select the node type you plan to install.
Install a data node before installing worker nodes. Installing the data node first defines where worker nodes
communicate once they are installed.
14. In the Network Discover Cluster Settings panel, enter the following settings:
• Cluster Discovery Port Range:
Enter the starting and ending ports to use for discovering data nodes in a cluster. This parameter is required for the
data node installation. The default values of the start port and end port are 47500 and 47520, respectively.
• Client Connection Port Range:
Enter the starting and ending ports used for communication between the worker and data nodes in a cluster. This
parameter is required for the data node and worker node installation. The default values of the start port and end
port are 10800 and 10820 respectively.
Click Next.
15. In the Network Discover Cluster Authentication Package panel, select the authentication package for the node type
you are installing:
• Worker node: dlp_discover_cluster_workernode_auth.zip
• Data node: dlp_discover_cluster_datanode_auth.zip
Click Next.
16. Click Install to begin the installation process.
The Installing panel appears, and displays a progress bar. After a successful installation, the Completed panel
appears. Click Finish.

17. Restart any antivirus, pop-up blocker, or other protection software that you disabled before starting the node
installation process.
Migrate Data on a Network Discover Cluster on Windows

Use the Migration Utility to migrate data to the new version 16.0.1 Network Discover Cluster instance.
After you install the version 16.0.1 Network Discover cluster, you use the Migration Utility to migrate data to the new
instance.
The Migration Utility migrates Network Discover cluster data in two phases as listed in the following table:

Table 164: Network Discover Cluster Migration Phases

Phase 1: Runs a report to confirm the status of the file system.
The first phase of the migration moves data files, document profiles, property files, plugins, and
keystores to the 16.0.1 instance. Phase 1 completes by generating a report that lists saved
customizations. Saved customizations include certificates, keystores, plugins, FlexResponse scripts, and
configuration file settings. Previous version services continue to run.

Phase 2: Performs pre-checks before DLP services are taken down during the migration.
The second phase migrates services.

You can migrate data silently or using interactive mode.


Migrate Using Silent Mode
1. Use the command prompt to navigate to the following directory:
C:\Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\Migrator
2. Use the following command to complete the migration using Silent Mode:
MigrateDetectionServer.bat
-silent
-sourceVersion="<previous version>"
-jreDirectory="C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre"

Where <previous version> represents the previous, active version (for example, use -sourceVersion=16.0 to
migrate from Symantec Data Loss Prevention version 16.0).
A message indicates when the migration completes.
Migrate Using Interactive Mode
1. Use the command prompt to navigate to the following directory:
C:\Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\Migrator
2. Run the Migration Utility: migrateDetection.bat.
3. Confirm that OpenJRE is installed at the listed location, then press Enter.
If no JRE displays, you must install it before proceeding.
See Install the Java Runtime Environment on a Detection Server on Windows.
4. Enter Y and press Enter to start phase 1.

5. Select the active Symantec Data Loss Prevention version to migrate and press Enter.
After phase 1 completes, a message provides a path to where you can access the phase 1 report. The report
lists details about the data files, document profiles, property files, plugins, and keystores that were migrated. Resolve
any errors listed on this page before proceeding to phase 2.
NOTE
The previous version continues to run, including the services and the database, after phase 1
completes. You can exit the migration process and continue to phase 2 at a later time.
6. Press Enter to start phase 2.
A message indicates when the migration completes.
7. If the migration fails, review the Network Discover cluster migration logs in MigrationUtility.log located at
C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs\debug.

The process to migrate data does not move all plug-ins. See Migrating Plug-ins.

Migrating previous version data to a new single-tier installation on Windows


After you install the version 16.0.1 single-tier system, you use the Migration Utility to migrate data to the new instance.
Before you run the Migration Utility, run the Update Readiness Tool to confirm that the database is ready for migration.
NOTE
Before starting the migration process, ensure that the database is ready for the migration. See Preparing the
Oracle Database for a Symantec Data Loss Prevention Upgrade.
NOTE
The migration process backs up .conf files. You can locate these files at
\Program Files\Symantec\DataLossPrevention\SingleTierServer\<source_version>\Protect\backups\ in a folder
formatted as service-yyyy-mm-dd-hh-mm-ss. (Replace <source_version> with the previous version
number.) You use the .conf files if you are recovering your previous version system. See Maintaining the
DLP System.

Table 165: Steps to migrate the previous version to a new single-tier installation

Step 1: Install the Microsoft Visual C++ Redistributable for Visual Studio 2015, 2017, and 2019.
Download the VC_redist.x64.exe file from The latest supported Visual C++ downloads. After you complete the
installation, restart the server.
Step 2: Install the Java Runtime Environment.
See Installing the Java Runtime Environment for a Single-tier Installation on Windows.
Step 3: Install the version 16.0.1 single-tier system.
See Installing a single-tier server on Windows.
Step 4: Migrate the previous version to the version 16.0.1 single-tier installation.
See Migrating data on a single-tier installation on Windows.
Step 5: Back up the upgraded system.
See Backing up your system.

Installing the Java Runtime Environment for a Single-tier Installation on Windows

You install the Java Runtime Environment (JRE) before you complete a single-tier installation.
1. Log on (or remote logon) as Administrator to the computer where you plan to install the single-tier system.
2. Copy OpenJDK8U-jre_x64_windows_hotspot_<version>.zip from your DLPDownloadHome\DLP\16.0.1\New_Installs\Release
directory to the computer where you plan to install the Enforce Server.
Where <version> represents the latest supported version.
For example, move the file to c:\temp.
3. Unzip the file to C:\Program Files\AdoptOpenJRE\jdk<version>-jre.
Next: Installing a single-tier server on Windows
Installing a single-tier server on Windows

Symantec recommends that you disable any antivirus, pop-up blocker, and registry-protection software before you begin
the Symantec Data Loss Prevention installation process.
NOTE
Create the Enforce Reinstallation Resources file before starting the installation process. This file contains the
unique CryptoMasterKey.properties file and keystore files for your Symantec Data Loss Prevention
deployment that you can use if you need to uninstall your deployment.
Creating the Enforce Reinstallation Resources file
The following instructions assume that the SingleTierServer.msi file, license file, and solution pack file have been
copied into the c:\temp directory on the Enforce Server.
The installation process automatically generates log information saved to a file MSI*.log (* is replaced with random
characters) in the %TEMP% folder. You can change the log file name and location by starting the installation from the command
line with the /L*v option. See the example below:
msiexec /i SingleTierServer.msi /L*v c:\temp\enforce_install.log

After you complete the Single Tier installation, you can find the installation log file at c:\temp\.
You can complete the installation silently from the command line. Enter values with information specific to your installation
for the following:

Table 166: Single-tier server installation parameters for upgrading

Parameter: Description

INSTALLATION_DIRECTORY: Specifies where the Enforce Server is installed. The default location is
C:\Program Files\Symantec\DataLossPrevention.
DATA_DIRECTORY: Defines where Symantec Data Loss Prevention stores files that are updated while the Enforce Server is
running (for example, logs and licenses). The default location is C:\ProgramData\Symantec\DataLossPrevention.
Note: If you do not use the default location, you must indicate a folder name for the data directory. If you set the data
directory to the drive root (for example c:\ or e:\) you cannot successfully uninstall the program.
JRE_DIRECTORY: Specifies where the JRE resides. See Installing the Java Runtime Environment for a Single-tier
Installation on Windows.
FIPS_OPTION: Defines whether to disable (Disabled) or enable (Enabled) FIPS encryption. The default is disabled.
SERVICE_USER_USERNAME: Defines a name for the account that is used to manage Symantec Data Loss Prevention services. The
default user name is “SymantecDLP.” Enter the user name you used in the previous Symantec Data Loss Prevention version.
Leave this parameter blank if you used the default user name in the previous Symantec Data Loss Prevention version. The
name you enter should match the user name you used when you installed Symantec Data Loss Prevention. If the user name
does not match, add the new user name log on credentials to the DLP services after you complete the migration process.
SERVICE_USER_PASSWORD: Defines the password for the account that is used to manage Symantec Data Loss Prevention
services.
ORACLE_HOME: Defines the Oracle Home Directory. For example, use c:\oracle\product\19.3.0.0\db_1 to define the home
directory if you use the Oracle 19c database.
ORACLE_HOST: Defines the IP address of the Oracle server computer.
Note: If you are running the Oracle database in a RAC environment, use the Scan Host IP address for Oracle Host, not the
database IP address.
ORACLE_PORT: Defines the Oracle listener port (typically 1521).
ORACLE_USERNAME: Defines the Symantec Data Loss Prevention database user name.
ORACLE_PASSWORD: Defines the Symantec Data Loss Prevention database password.
ORACLE_SERVICE_NAME: Defines the database service name (typically “protect”).
ADDITIONAL_LOCALE: Defines an additional locale for use by individual users.
ENFORCE_ADMINISTRATOR_PASSWORD: This parameter is required during the migration.

The following is an example of what the completed command might look like. The command you use differs based on your
implementation requirements. Using the following command as-is may cause the installation to fail.

msiexec /i SingleTierServer.msi /qn /norestart
INSTALLATION_DIRECTORY="C:\Program Files\Symantec\DataLossPrevention"
DATA_DIRECTORY="C:\ProgramData\Symantec\DataLossPrevention"
JRE_DIRECTORY="C:\Program Files\AdoptOpenJRE\jdk8u322-b06-jre"
FIPS_OPTION=Disabled
SERVICE_USER_USERNAME=SymantecDLP
SERVICE_USER_PASSWORD=Password
ORACLE_HOME="C:\oracle\product\19.3.0.0\db_1"
ORACLE_HOST=[IP or host name]
ORACLE_USERNAME=protect
ORACLE_PASSWORD=Password
ORACLE_SERVICE_NAME=protect

1. Log on (or remote logon) as Administrator to the computer that is intended for the Symantec Data Loss Prevention
single-tier installation.
2. Copy the Symantec Data Loss Prevention installer (SingleTierServer.msi) from DLPDownloadHome to a local
directory on the computer where you plan to install the single-tier system.
3. Click Start > Run > Browse to navigate to the folder where you copied the SingleTierServer.msi file.
4. Double-click SingleTierServer.msi to launch the installation wizard.
A welcome notice appears.
5. Click Next.
6. In the End-User License Agreement panel, select I accept the terms in the License Agreement, and click Next.
7. In the Destination Folder panel, accept the Symantec Data Loss Prevention default destination directory and click
Next.
Symantec recommends that you use the default destination directory. However, you can click Browse to navigate to a
different installation location instead.
Directory names, account names, passwords, IP addresses, and port numbers created or specified during the
installation process must be entered in standard 7-bit ASCII characters only. Extended (hi-ASCII) and double-byte
characters are not supported.
8. In the Data Directory panel, accept the default data directory, or enter an alternate directory, and click Next. The
default data directory is:
c:\ProgramData\Symantec\DataLossPrevention\
9. In the JRE Directory panel, click Browse and locate the JRE, and click Next.
10. In the FIPS Cryptography Mode panel, select whether to disable or enable FIPS encryption.
11. In the Service User panel, select an existing local or domain user account.
12. Click Next.
13. In the Update User panel, confirm the account name and password.
This account is used to manage updates sent to the detection server.
14. In the Oracle Database Server Information panel, enter the Oracle Database Server host name or IP address and
the Oracle Listener Port.
NOTE
If you are running the Oracle database in a RAC environment, use the scan host IP address for the host,
not the database IP address. Confirm that the scan host IP for RAC is accessible and that all of the nodes
associated with it are running during the installation process.
You also enter information in the following fields:

• Service Name: Enter the database service name (typically “protect”).
• Username: Enter the Symantec Data Loss Prevention database user name.
• Password: Enter the Symantec Data Loss Prevention database password.

Default values should already be present for these fields. Since this is a single-tier installation with the Oracle
database on this same system, 127.0.0.1 is the correct value for Oracle Database Server Information and 1521 is the
correct value for the Oracle Listener Port.

15. Click Next.

16. In the Additional Locale panel, select an alternate locale, or accept the default of None, and click Next.
Locale controls the format of numbers and dates, and how lists and reports are alphabetically sorted. If you accept
the default choice of None, English is the locale for this Symantec Data Loss Prevention installation. If you choose an
alternate locale, that locale becomes the default for this installation, but individual users can select English as a locale
for their use.
See the .
17. In the Server Bindings panel, enter the following settings:
• Host. Enter the host name or IP address of the detection server.
• Port. Accept the default port number (8100) on which the detection server should accept connections from the
Enforce Server. If you cannot use the default port, you can change it to any port higher than port 1024, in the range
of 1024–65535.
18. Click Install to begin the installation process.
The Installing panel appears, and displays a progress bar. After a successful installation, the Completing panel
displays.
19. If you have not done so already, run the Upgrade Readiness tool to confirm that the Oracle database is ready to be
migrated to the new instance. If you have already run the Upgrade Readiness tool, skip this step.
Migrating data on a single-tier installation on Windows

After you install the version 16.0.1 Enforce Server, you use the Migration Utility to migrate data to the new instance. The
Migration Utility migrates Enforce Server data in the following two phases:
1. Runs a report to confirm the status of the file system
The report lists information to confirm that the file system is ready for migration and identifies issues. The report lists
saved customizations. Saved customizations include certificates, keystores, plugins, FlexResponse scripts, and
configuration file settings.
The first phase moves data files, document profiles, property files, plugins, and keystores to the 16.0.1 instance.
2. Performs pre-checks before DLP services are taken down during the migration
The second phase moves incidents, indexes, services, and the database.
Before you start the migration, use the Upgrade Readiness tool to confirm that the Oracle database is ready for migration.
See Checking the database update readiness.
You can migrate data silently or using interactive mode.
• Migrate silently
• Migrate using interactive mode
Migrate silently
1. Log on (or remote logon) as Administrator to the Single Tier Server system where you intend to run the Migration
Utility.
2. Run the following command in an elevated command prompt:
MigrateSingleTierServer.bat
-silent
-sourceVersion="<previous version>"
-jreDirectory="C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre"

Where <previous version> represents the previous, active version (for example, use -sourceVersion=16.0 to migrate
from Symantec Data Loss Prevention version 16.0).

Migrate using interactive mode
1. Log on (or remote logon) as Administrator to the Single Tier Server system where you intend to run the Migration
Utility.
2. Use the command prompt to navigate to the following directory:
C:\Program Files\Symantec\DataLossPrevention\SingleTierServer\16.0.10000\Protect\Migrator
3. Run the Migration Utility: migrateSingleTierServer.bat.
4. Confirm that OpenJRE is installed at the listed location, then press Enter.
If no JRE displays, you must install it before proceeding.
See Installing the Java Runtime Environment for a Single-tier Installation on Windows.
A list of the migration phases appears.
5. Enter Y and press Enter to start phase 1.
6. Select the active Symantec Data Loss Prevention version to migrate and press Enter.
After phase 1 completes, a message provides a path to where you can access the phase 1 report. The report
lists details about the data files, document profiles, property files, plugins, and keystores that were migrated. Resolve
any errors listed on this page before proceeding to phase 2.
NOTE
The previous version continues to run, including the services and the database, after phase 1
completes. You can exit the migration process and continue to phase 2 at a later time.
7. Press Enter to start phase 2.
A message indicates when the migration completes.
NOTE
If the upgrade fails because of DatabaseProcessCheck, see Stop all Symantec Data Loss Prevention
database sessions.
8. If migration fails, review the Enforce Server migration logs in the MigrationUtility.log located at
C:\ProgramData\Symantec\DataLossPrevention\SingleTierServer\16.0.10000\logs\debug.

Migrating on Linux
The following sections include steps to migrate to a new version on Linux:
• Migrating the previous version to a new Enforce Server installation on Linux
• Migrating a Previous Version Detection Server or Cluster to the Latest Version on Linux
• Migrating Previous Version Data to a New Single-Tier Installation on Linux

Migrating the previous version to a new Enforce Server installation on Linux


Upgrading the Enforce Server includes installing the new version where the existing version is running and migrating data
to the new version.
NOTE
Before starting the migration process, ensure that the database is ready for the migration. See Preparing the
Oracle Database for a Symantec Data Loss Prevention Upgrade

NOTE
The migration process backs up the services' .conf files. You can locate these files at
/opt/Symantec/DataLossPrevention/EnforceServer/<source_version>/Protect/backups in a folder that is
formatted as service-yyyy-mm-dd-hh-mm-ss. (Replace <source_version> with the previous version
number.) You use the .conf files if you are recovering your previous version system. See .

Table 167: Steps to migrate the previous version to a new Enforce Server installation

Step 1: Install the Java Runtime Environment on the Enforce Server.
See Install the Java Runtime Environment on the Enforce Server on Linux.
Step 2: Sign RPM files.
See Sign RPM files.
Step 3: Install the version 16.0.1 Enforce Server. You install the Enforce Server on the same system where the previous
version is running.
See Install an Enforce Server on Linux.
Step 4: Migrate the previous version to the version 16.0.1 Enforce Server.
See Migrate Data on the Enforce Server on Linux.
Step 5: Back up the upgraded system.
See Backing up your system.

The process to migrate does not move all plug-ins. See Migrating plug-ins.
Install the Java Runtime Environment on the Enforce Server on Linux

You install the Java Runtime Environment (JRE) on the Enforce Server before you install the Enforce Server.
1. Log on as root to the Enforce Server system on which you intend to install Enforce.
2. Copy OpenJDK8U-jre_x64_linux_hotspot_<version>.tar.gz from your DLPDownloadHome/DLP/16.0.1/New_Installs/Release
directory to the computer where you plan to install the Enforce Server.
Where <version> represents the latest supported version.
3. Extract the file contents (for example, to /opt/AdoptOpenJRE).
Next: Sign RPM files
Sign RPM files

Before you install the latest Symantec Data Loss Prevention version on a Linux platform, Symantec recommends
that you use the RPM signing key to verify the signature of RPM files. All RPM packages provided in the
Symantec_DLP_16_0_1_Platform_Lin-IN_<platform_lin_version>.zip are signed with a GPG key. The
signature provides integrity protection and ensures that the packages are the same packages produced by Symantec and
were not altered in any way by a malicious third party.
NOTE
If you try to install and do not use the RPM signing key, a "NOKEY" warning message displays during the
installation.

Use the RPM signing key before you install the Enforce Server, detection server, or a single-tier system.
1. Locate the Symantec_DLP_RPM_Signing_Key.asc file in the DLPDownloadHome directory. The
Symantec_DLP_RPM_Signing_Key.asc is packaged in the
Symantec_DLP_16_0_1_Platform_Lin-IN_<platform_lin_version>.zip file.
2. Copy the Symantec_DLP_RPM_Signing_Key.asc file to the computer where you plan to install the server
component.
3. Log on as root to the computer where you plan to install the server component.
4. Import the key to the RPM key ring by running the following command:
rpm --import Symantec_DLP_RPM_Signing_Key.asc

5. Display the imported key by running the following command:
rpm -qi gpg-pubkey-b891399b-59c04bd7

6. Verify the signature of files before installing them by running the following command:
rpm -K *.rpm
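The NOKEY message described in the note above is only a warning, so the signature check has to gate the install rather than rely on the installer stopping. The following shell script is an added example, not part of the Symantec documentation: it wraps the rpm -qi and rpm -K steps above and also rejects a package that reports only digests OK (no signature at all), because rpm -K exits 0 for such a package. The key ID gpg-pubkey-b891399b-59c04bd7 is the one the procedure displays; the function names, the DLP_RPM_DIR variable and the sample rpm -K output lines are constructed.

```shell
#!/bin/sh
# Added example (not from the Symantec documentation): gate the DLP install on
# rpm signature checks. Key ID gpg-pubkey-b891399b-59c04bd7 is the one the
# procedure displays; all other names and the sample output lines are constructed.

# Returns 0 if the Symantec DLP signing key is in the RPM key ring (wraps step 5).
dlp_key_imported() {
  rpm -q gpg-pubkey-b891399b-59c04bd7 >/dev/null 2>&1
}

# Classify one line of `rpm -K` output. Prints one word:
#   signed   - digests and signature verified against an imported key
#   unsigned - digests OK but no signature was checked; rpm -K still exits 0
#              here, so grepping for "OK" would wave an unsigned package through
#   bad      - signature failed or key not imported (NOKEY / MISSING KEYS)
#   unknown  - line not recognised; the caller treats it as a failure
# Handles both the rpm >= 4.14 wording ("digests signatures OK") and the
# older wording ("rsa sha1 (md5) pgp md5 OK").
classify_checksig() {
  lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  lc=${lc#*.rpm: }   # drop the "<file>.rpm: " prefix so the file name cannot match
  case "$lc" in
    *"not ok"*|*nokey*|*"missing keys"*) echo bad ;;
    *signatures*ok*|*pgp*ok*|*gpg*ok*)  echo signed ;;
    *digests*ok*|*sha*ok*|*md5*ok*)     echo unsigned ;;
    *)                                  echo unknown ;;
  esac
}

# Run rpm -K over every .rpm in $1 (default: current directory). Prints one
# "<status>  <file>" line per package and returns 0 only if every package is
# signed by an imported key; unsigned packages are rejected as well, because a
# missing signature gives no integrity guarantee at all.
verify_rpm_dir() {
  dir=${1:-.}
  failed=0
  found=0
  for pkg in "$dir"/*.rpm; do
    [ -e "$pkg" ] || continue          # unmatched glob: nothing to check
    found=1
    status=$(classify_checksig "$(rpm -K "$pkg" 2>&1)")
    echo "$status  $pkg"
    [ "$status" = signed ] || failed=1
  done
  [ "$found" -eq 1 ] || { echo "no .rpm files found in $dir" >&2; return 1; }
  return "$failed"
}

# Entry point, run only when DLP_RPM_DIR (assumed name) is set, for example:
#   DLP_RPM_DIR=/opt/temp sh verify_dlp_rpms.sh && ./install.sh -t enforce
if [ -n "${DLP_RPM_DIR:-}" ]; then
  if ! dlp_key_imported; then
    echo "Symantec DLP signing key not in the RPM key ring;" \
         "run: rpm --import Symantec_DLP_RPM_Signing_Key.asc" >&2
    exit 2
  fi
  if ! verify_rpm_dir "$DLP_RPM_DIR"; then
    echo "refusing to install: unsigned or badly signed packages in $DLP_RPM_DIR" >&2
    exit 1
  fi
  echo "all packages in $DLP_RPM_DIR carry a valid Symantec signature"
fi
```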

Next: Install an Enforce Server on Linux


Install an Enforce Server on Linux

The instructions that follow describe how to install an Enforce Server on a Linux computer.
These instructions assume that the EnforceServer.zip file and license file have been copied into the /opt/temp
directory on the Enforce Server computer.
1. Symantec recommends that you disable any antivirus, pop-up blocker, and registry protection software before you
begin the Symantec Data Loss Prevention installation process.
2. Log on as root to the Enforce Server system on which you intend to install Enforce.
3. Navigate to the directory where you copied the EnforceServer.zip file (/opt/temp/).
4. Unzip the file to the same directory (/opt/temp/).
If you are prompted whether or not to replace install.sh, enter Y for yes. The install.sh file is identical for all
packages.
5. Confirm file dependencies for RPM files by running the following command:
rpm -qpR *.rpm

You can also specify a file to confirm by running the following command:
rpm -qpR .rpm-file

If the command indicates that dependencies are missing, you can use YUM repositories to install them. Use the
following command:
yum install repo

Replace repo with the repository package name.


6. Install the Enforce Server by running the following command:
./install.sh -t enforce

See Parameters for install.sh.

NOTE
If you use YUM to install, you cannot override the default relocatable roots where Symantec Data Loss
Prevention is installed.
7. Restart any antivirus, pop-up blocker, or other protection software that you disabled.
8. Run the Update Readiness Tool to confirm that the Oracle database is ready to be migrated to the new instance, if you
haven't run it already.
9. Start the migration process.
Next: Migrate Data on the Enforce Server on Linux
Migrate Data on the Enforce Server on Linux

After you install the version 16.0.1 Enforce Server, you use the Migration Utility to migrate data to the new instance. The
Migration Utility migrates Enforce Server data in the following two phases:
1. Runs a report to confirm the status of the file system
The report lists information to confirm that the file system is ready for migration and identifies issues. The report lists
saved customizations. Saved customizations include certificates, keystores, plugins, FlexResponse scripts, and
configuration file settings.
The first phase of the migration also moves data files, document profiles, property files, plugins, and keystores to the
16.0.1 instance.
2. Performs pre-checks before DLP services are taken down during the migration
The second phase of the migration moves incidents, indexes, services, and the database.
Before you start the migration, use the Upgrade Readiness tool to confirm that the Oracle database is ready for migration.
See Checking the database update readiness
You can migrate data silently or using interactive mode.
The process to migrate data does not move all plug-ins. See Migrating Plug-ins.
NOTE
Before you run the Migration Utility, you must switch to root user.
Migrate silently
1. Open the command prompt window.
2. Switch user to root: su - root.
3. Go to the following directory:
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/Migrator
4. Use the following command to complete the migration silently:
./migrateEnforce.sh
-silent
-sourceVersion="<previous version>"
-jreDirectory="/opt/AdoptOpenJRE/jdk8u322-b06-jre"

Where <previous version> is the version number of the previous, active installation. The path
/opt/AdoptOpenJRE/jdk8u322-b06-jre points to the current JRE location.
A message indicates when the migration completes.

Migrate using interactive mode
1. Open the command prompt window.
2. Switch user to root: su - root.
3. Go to the following directory:
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/Migrator
4. Run the Migration Utility by running the following command:
./migrateEnforce.sh

5. Confirm that OpenJRE is installed and that the directory is correct, then enter Y.
6. Press Enter.
If no JRE displays, you must install it before proceeding.
See Install the Java Runtime Environment on the Enforce Server on Linux.
A list of the migration phases appears.
7. Enter Y and press Enter to start phase 1.
After phase 1 completes, a message provides a path to where you can access the phase 1 report. The report lists
details about the data files, document profiles, property files, plugins, and keystores that were migrated. Resolve any
errors listed on this page before proceeding to phase 2.
8. Select the active Symantec Data Loss Prevention version to migrate and press Enter.
NOTE
The previous version continues to run, including the services and the database, after phase 1 completes.
You can exit the migration process and continue to phase 2 at a later time.
9. Enter Y and press Enter to start phase 2.
A message indicates when the migration completes.
NOTE
If the upgrade fails because of DatabaseProcessCheck, see Stop all Symantec Data Loss Prevention
database sessions.
10. If the migration fails, review the Enforce Server migration logs in MigrationUtility.log at /var/log/
Symantec/DataLossPrevention/EnforceServer/16.0.10000/debug/ for more details.

Migrating a Previous Version Detection Server or Cluster to the Latest Version on Linux
Upgrading the detection server or cluster includes installing the new version where the existing version is running and
migrating data to the new version.
All Network Discover servers and cluster nodes must be upgraded to the latest version. This requirement also applies to Windows.
NOTE
The migration process backs up services .conf files. You can locate these files at /opt/Symantec/
DataLossPrevention/DetectionServer/<source_version>/Protect/backups in a folder formatted
as service-yyyy-mm-dd-hh-mm-ss. (Replace <source_version> with the previous version number.)
You use the .conf files if you are recovering your previous version system. See Backing up and recovering on
Linux for more information about recovering your system.

Table 168: Steps to migrate the previous version to a new detection server or cluster

Step 1: Install the Java Runtime Environment on the detection server or cluster.
Step 2: Install the 16.0.1 detection server or cluster.
Step 3: Migrate the previous version to the version 16.0.1 detection server or cluster.
Step 4: Back up the upgraded system.

Install the Java Runtime Environment on a Detection Server on Linux

You install the Java Runtime Environment (JRE) on the server computer before you install the detection server.
1. Log on as root to the Enforce Server system on which you intend to install Enforce.
2. Copy OpenJDK8U-jre_x64_linux_hotspot_8u322-b06.tar.gz from your DLPDownloadHome/DLP/16.0.1/New_Installs/Release
directory to the computer where you plan to install the Enforce Server.
3. Extract the file contents (for example, to /opt/AdoptOpenJRE).
Next: Install a Detection Server on Linux
Install a Detection Server on Linux

Follow this procedure to install the detection server software on a server computer. You
specify the type of detection server during the server registration process that follows
this installation process. See Preparing to Upgrade Symantec Data Loss Prevention.
NOTE
The following instructions assume that the DetectionServer.zip file has been copied into the /opt/temp/
directory on the server computer.
1. Log on as root to the computer on which you intend to install the detection server.
2. Copy the detection server installer (DetectionServer.zip) from the Enforce Server to a local directory on the
detection server. The DetectionServer.zip file is included in your software download (DLPDownloadHome)
directory. It should have been copied to a local directory on the Enforce Server during the Enforce Server installation
process.
3. Navigate to the directory where you copied the DetectionServer.zip file (/opt/temp/).
4. Unzip the file contents (for example, unzip to /opt/temp).
5. Confirm file dependencies for RPM files by running the following command:
rpm -qpR *.rpm

You can also specify a file to confirm by running the following command:
rpm -qpR .rpm-file

where .rpm-file is the file you want to confirm.
If the command indicates that dependencies are missing, you can use YUM repositories to install them. Use the
following command:
yum install repo

Replace repo with the repository package name.
6. Install the detection server by running the following command:
./install.sh -t detection

See Parameters for install.sh.
NOTE
If you use YUM to install, you cannot override the default relocatable roots where Symantec Data Loss
Prevention is installed.
Migrate Data on a Detection Server on Linux

After you install the version 16.0.1 detection server, you use the Migration Utility to migrate data to the new instance.
The Migration Utility migrates detection server data in two phases as listed in the following table:

Table 169: Detection server migration phases

Phase 1: Runs a report to confirm the status of the file system.
The first phase of the migration moves data files, document profiles, property files, plugins, and keystores to the
16.0.1 instance. Phase 1 completes by generating a report that lists saved customizations. Saved customizations
include certificates, keystores, plugins, FlexResponse scripts, and configuration file settings. Previous version
services continue to run.
Phase 2: Performs pre-checks before DLP services are taken down during the migration.
The second phase of the migration moves services.

You can migrate data silently or using interactive mode.


NOTE
Before you run the Migration Utility, you must switch to root user.
Migrate Using Silent Mode
1. Open the command prompt window.
2. Switch user to root: su - root.
3. Go to the following directory:
/opt/Symantec/DataLossPrevention/DetectionServer/16.0.1.00000/Protect/Migrator
4. Use the following command to complete the migration using Silent Mode:
./migrateDetectionServer.sh
-silent
-sourceVersion="<previous version>"
-jreDirectory="/opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_202"

Where <previous version> represents the previous version number. The /opt/Symantec/DataLossPrevention/
ServerJRE/1.8.0_202 points to the current JRE location.
A message indicates when the migration completes.

Migrate Using Interactive Mode
1. Open the command prompt window.
2. Switch user to root: su - root.
3. Go to the following directory:
/opt/Symantec/DataLossPrevention/DetectionServer/16.0.1.00000/Protect/Migrator
4. Run the Migration Utility by running the following command:
./migrateDetectionServer.sh

5. Confirm the JRE directory that displays.
If no JRE displays, you must install it before proceeding. See Install the Java Runtime Environment on a Detection
Server on Linux.
6. Confirm that OpenJRE is installed and that the directory is correct, then enter Y and press Enter.
7. Enter Y and press Enter to start phase 1.
After phase 1 completes, a message provides a path to where you can access the phase 1 report. The report lists
details about the data files, document profiles, property files, plugins, and keystores that were migrated. Resolve any
errors listed on this page before proceeding to phase 2.
8. Select the active Symantec Data Loss Prevention version to migrate and press Enter.
9. Enter Y and press Enter to start phase 2.
A message indicates when the migration completes.
10. If the migration fails, review the detection server migration logs in MigrationUtility.log at /var/log/
Symantec/DataLossPrevention/DetectionServer/16.0.1.00000/debug/.

The process to migrate data does not move all plug-ins. See Migrating Plug-ins.
Install a Network Discover Cluster on Linux

Follow this procedure to install the Network Discover cluster software on a server computer.
You specify the type of cluster during the server registration process that follows this installation process.
Before you Begin
Complete the following prerequisites before starting the Network Discover cluster installation:
• Complete upgrade preparation steps. See Preparing to Upgrade Symantec Data Loss Prevention.
• Copy the DetectionServer.zip file into the /opt/temp/ directory on the server computer.
Steps to Install a Network Discover Cluster on Linux
The following section lists steps that you complete to install clusters on Linux platforms.

Step 1: Secure the Communications between Nodes
Create an authentication package using the DiscoverClusterKeyTool before installing worker and data nodes. The
authentication package enables encrypted communication between nodes and the Enforce Server.
1. Locate the DiscoverClusterKeyTool at /opt/Symantec/DataLossPrevention/
EnforceServer/16.0.1.00000/Protect/bin/DiscoverClusterKeyTool
2. Prepare to run the authentication package.
Enter values that include information specific to your installation. See the following table for a list of parameters and
descriptions.

Table 170: DiscoverClusterKeyTool parameters

generate-package-type: Defines the type of node for which the authentication is used, including the following:
• WN for worker nodes.
• DN for a data node.
• All for both worker and data nodes.
enforce-url: (Optional) Enter the Enforce Server host name or IP. If you do not enter a value, the tool assigns the
URL https://<localhost>/.
enforce-username: Enter an Enforce Server username with administrator rights.
enforce-password: Enter the password for the user specified in enforce-username.
keystore-password: (Optional) Enter a password for the keystore. If you do not specify a password, the tool assigns
a randomly generated password.
truststore-password: (Optional) Enter a password for the truststore. If you do not specify a password, the tool
assigns a randomly generated truststore password.
disable-ssl-verification: (Optional) Indicate whether to disable SSL verification while connecting to the Enforce
Server. You can enter one of the following values:
• true disables SSL verification at the client side
• false (default) keeps SSL verification enabled at the client side
output-dir: (Optional) Define the directory where the tool creates the authentication package zip. By default, the
tool creates the package in the current directory.

The following command is an example that includes all options.

DiscoverClusterKeyTool
-generate-package
-type=All
-enforce-url=https://<localhost>/
-enforce-username=SymantecDLP
-enforce-password=<password>
-keystore-password=<password>
-truststore-password=<password>
-disable-ssl-verification=true
-output-dir=/opt/Symantec/DataLossPrevention/DataLossPreventionDetectionServer/16.0.1.00000/Protect/keystore/discovercluste

3. Run the command.


The tool creates files based on the package type you defined with generate-package-type. The following table lists
outputs based on the package type.

Table 171: Authentication Package Outputs

WN: dlp_discover_cluster_workernode_auth.zip. Use during the worker node installation.
DN: dlp_discover_cluster_datanode_auth.zip. Use during the data node installation.
All: dlp_discover_cluster_auth.zip. The file contains dlp_discover_cluster_workernode_auth.zip and
dlp_discover_cluster_datanode_auth.zip. Extract the individual ZIP files for access during worker node and data
node installation.

Step 2: Install the JRE
See Install the Java Runtime Environment on a Detection Server on Linux.
Step 3: Install Nodes
Complete the following procedure to install the node software on a server computer. You specify the node type during the
configuration process.
Install a data node before installing worker nodes. Installing the data node first defines where worker nodes communicate
once they are installed.
1. Complete the preinstallation steps.
See Preparing for a Detection Server Installation.
2. Log on as root to the computer on which you intend to install the detection server software.
3. Copy the detection server installer (DetectionServer.zip) from the Enforce Server to a local directory on the
detection server. The DetectionServer.zip file is included in your software download (DLPDownloadHome)
directory. It should have been copied to a local directory on the Enforce Server during the Enforce Server installation
process.
4. Navigate to the directory where you copied the DetectionServer.zip file (/opt/temp/).
5. Unzip the file contents (for example, unzip to /opt/temp).
6. Confirm file dependencies for RPM files by running the following command:
rpm -qpR *.rpm

You can also specify a file to confirm by running the following command:
rpm -qpR .rpm-file

where .rpm-file is the file that you want to confirm.
If the command indicates that dependencies are missing, you can use YUM repositories to install them. Use the
following command:
yum install repo

Replace repo with the repository package name.
7. Install the detection server by running the following command:
./install.sh -t detection

See Parameters for install.sh.
NOTE
If you use YUM to install, you cannot override the default relocatable roots where Symantec Data Loss
Prevention is installed.
8. Start the node configuration process.
Step 4: Configure the Node Software
After you install a detection server, you configure it by running the Detection Server Configuration Utility.
You can complete the installation silently or interactively from the command line. The following table lists the installation
parameters that you use during the installation.

Table 172: Network Discover cluster installation parameters

jreDirectory: Specifies where the JRE resides. See Install the Java Runtime Environment on a Detection Server on
Linux.
fipsOption: Defines whether to disable (Disabled) or enable (Enabled) FIPS encryption.
serviceUserOption: Defines the service user by entering NewUser or ExistingUser.
serviceUserUsername: Defines a name for the account that is used to manage Symantec Data Loss Prevention
services. The default user name is "SymantecDLP."
detectionCommunicationDefaultCertificates: Defines whether you use default certificates (Enabled) or certificates
you create (Disabled). See About the sslkeytool utility and server certificates.
bindHost: Defines the detection server network interface to use to communicate with the Enforce Server. If there is
only one network interface, leave this field blank.
bindPort: Defines the port number on which the detection server should accept connections from the Enforce
Server. The default port number is 8100. If you cannot use the default port, you can change it to any port higher
than port 1024, in the range of 1024–65535.
discoverClusterRoleOption: Defines the type of server that you are installing, which includes the following:
• DN for data node
• WN for worker node
If a worker node is installed, the CAP_NET_BIND_SERVICE capability is set for java processes during the
installation. This capability is removed if the worker node is uninstalled.
discoverClusterIP: Defines the data node IP. If you are installing the data node, enter the internal IP of the server
where you plan to install the data node.
discoverClusterDiscoveryPortRange: Used with the cluster IP to discover data nodes in a cluster. This parameter is
required for the data node installation. The default value is 47500..47520.
discoverClusterClientConnectionPortRange: Defines the range of ports used for communication between worker
and data nodes in a cluster. This parameter is required for the data node and worker node installation. The default
value is 10800..10820.
discoverClusterAuthPackage: Defines the authentication package location. Target the file based on the node type
that you are installing:
• Worker node: dlp_discover_cluster_workernode_auth.zip
• Data node: dlp_discover_cluster_datanode_auth.zip

The following examples list completed commands for worker nodes and data nodes. The commands that you use differ
based on your implementation requirements. Using the following commands as-is may cause the installation to fail.
• Data node example command:
./DetectionServerConfigurationUtility -silent
-jreDirectory=/usr/lib/jvm/adoptopenjdk-8-hotspot-jre/
-serviceUserOption=SymantecDLP
-serviceUserUsername=protect
-bindHost=[IP or host name]
-bindPort=8100
-fipsOption=Disabled
-detectionCommunicationDefaultCertificates=Enabled
-discoverClusterRoleOption=DN
-discoverClusterIP=0.0.0.0
-discoverClusterAuthPackage=/opt/dlp_discover_cluster_datanode_auth.zip
-discoverClusterClientConnectionPortRange=<StartPort>..<EndPort>
-discoverClusterDiscoveryPortRange=<StartPort>..<EndPort>

• Worker node example command:
./DetectionServerConfigurationUtility -silent
-jreDirectory=/usr/lib/jvm/adoptopenjdk-8-hotspot-jre/
-serviceUserOption=ExistingUser
-serviceUserUsername=protect
-bindHost=[IP or host name]
-bindPort=8100
-fipsOption=Disabled
-detectionCommunicationDefaultCertificates=Enabled
-discoverClusterRoleOption=WN
-discoverClusterIP=0.0.0.0
-discoverClusterAuthPackage=/home/bishnu/Desktop/dlp_discover_cluster_workernode_auth.zip
-discoverClusterClientConnectionPortRange=<StartPort>..<EndPort>
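The guide warns that the example commands above may fail if used as-is. As an added example (not Symantec's code and not part of this guide), the following POSIX shell helper checks the cluster-specific parameters against the constraints stated in Table 172 before the Detection Server Configuration Utility is run: bindPort within 1024–65535, the start..end syntax of the two port ranges, an IPv4 address for a data node, and an authentication package whose file name matches the node role. The function names and the preflight wrapper are assumptions of this example; the utility performs its own checks independently of this script.

```shell
#!/bin/sh
# Added example, not Symantec's code: preflight checks for the silent
# DetectionServerConfigurationUtility parameters used for Network Discover
# cluster nodes. Every function name here is hypothetical.

# Return 0 if $1 is an integer in 1024..65535 (the documented bindPort range).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Return 0 if $1 is a port range written as start..end with start <= end,
# the form used by discoverClusterDiscoveryPortRange (default 47500..47520)
# and discoverClusterClientConnectionPortRange (default 10800..10820).
valid_port_range() {
    case "$1" in
        *..*) ;;
        *) return 1 ;;
    esac
    start=${1%%..*}
    end=${1##*..}
    valid_port "$start" && valid_port "$end" && [ "$start" -le "$end" ]
}

# Return 0 if $1 is a dotted-quad IPv4 address (syntax only).
valid_ipv4() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if the role/package pairing matches the documented file names:
# WN takes dlp_discover_cluster_workernode_auth.zip, DN takes
# dlp_discover_cluster_datanode_auth.zip.
auth_package_matches_role() {
    role=$1
    pkg=$(basename "$2")
    case "$role:$pkg" in
        WN:dlp_discover_cluster_workernode_auth.zip) return 0 ;;
        DN:dlp_discover_cluster_datanode_auth.zip) return 0 ;;
    esac
    return 1
}

# Validate one parameter set; prints each failure and returns the failure count.
# Arguments: role ip bindPort discoveryRange clientRange authPackage
preflight() {
    role=$1 ip=$2 port=$3 disc=$4 client=$5 pkg=$6
    errors=0
    case "$role" in
        WN|DN) ;;
        *) echo "discoverClusterRoleOption must be WN or DN"; errors=$((errors + 1)) ;;
    esac
    valid_port "$port" || { echo "bindPort must be in 1024..65535"; errors=$((errors + 1)); }
    valid_port_range "$client" || { echo "discoverClusterClientConnectionPortRange must be start..end"; errors=$((errors + 1)); }
    if [ "$role" = DN ]; then
        # The discovery range and the data node IP are documented as required for a data node.
        valid_ipv4 "$ip" || { echo "discoverClusterIP must be an IPv4 address for a data node"; errors=$((errors + 1)); }
        valid_port_range "$disc" || { echo "discoverClusterDiscoveryPortRange must be start..end for a data node"; errors=$((errors + 1)); }
    fi
    auth_package_matches_role "$role" "$pkg" || { echo "authentication package does not match role $role"; errors=$((errors + 1)); }
    return "$errors"
}

# Usage: preflight DN 10.0.0.5 8100 47500..47520 10800..10820 /opt/dlp_discover_cluster_datanode_auth.zip
# (10.0.0.5 is a constructed address.) A zero exit status means the parameters pass these checks.
```

Run the preflight with the values you intend to pass to the utility; a nonzero exit status with the printed reasons tells you which parameter to correct before the installation is attempted.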

1. Navigate to the installation directory. Go to the default directory at /opt/Symantec/DataLossPrevention/
DetectionServer/16.0.1.00000/Protect/install or to the path that you used if you selected a non-default
installation.
2. Run the Detection Server Configuration Utility. Use the following command to launch the utility:
./DetectionServerConfigurationUtility

3. Enter the following information in the Detection Server Configuration Utility:
License agreement: Review and accept the License Agreement by entering 1.
JRE directory: Enter the JRE directory. The recommended directory is /opt/AdoptOpenJRE/[JRE version].
FIPS encryption: Select whether to disable or enable FIPS encryption. See About FIPS encryption.
Service user: Enter 1 to add a new user or enter 2 to use an existing user. The default new user name is
"SymantecDLP." If you create a new service user, enter the user name when prompted.
Note: If you create a new service user, the user must be a member of a group and the service user and the group
names must match. If these conditions are not present, upgrades fail.
Network port: Accept the default port number (8100) on which the detection server should accept connections from
the Enforce Server. If you cannot use the default port, you can change it to any port higher than port 1024, in the
range of 1024–65535.
Network interface: Enter the detection server network interface (bind address) to use to communicate with the
Enforce Server. If there is only one network interface, leave this field blank.
Node type: Define the type of server that you are installing, which includes the following:
• DN for data node
• WN for worker node
Data node IP: If you are installing the data node, enter the IP of the server where you plan to install the data node.
Network Discover cluster discovery port range: Used with the cluster IP to discover data nodes in a cluster. This
parameter is required for the data node installation. The default value is 47500..47520.
Network Discover cluster client connection port range: Defines the range of ports used for communication
between worker and data nodes in a cluster. This parameter is required for the data node and worker node
installation. The default value is 10800..10820.
Cluster authentication package: Define the authentication package location. Target the file based on the node type
that you are installing:
• Worker node: dlp_discover_cluster_workernode_auth.zip
• Data node: dlp_discover_cluster_datanode_auth.zip

4. Verify that the node is properly installed. See Verifying a Detection Server or Node Installation.
5. Create a backup of your system after completing the installation. See Backing up your system.

Migrate Data on a Network Discover Cluster on Linux

After you install the version 16.0.1 Network Discover cluster, you use the Migration Utility to migrate data to the new
instance.
The Migration Utility migrates Network Discover cluster data in two phases as listed in the following table:

Table 173: Network Discover cluster migration phases

Phase 1: Runs a report to confirm the status of the file system.
The first phase of the migration moves data files, document profiles, property files, plugins, and keystores to the
16.0.1 instance. Phase 1 completes by generating a report that lists saved customizations. Saved customizations
include certificates, keystores, plugins, FlexResponse scripts, and configuration file settings. Previous version
services continue to run.
Phase 2: Performs pre-checks before DLP services are taken down during the migration.
The second phase of the migration moves services.

You can migrate data silently or using interactive mode.


NOTE
Before you run the Migration Utility, you must switch to root user.
Migrate using silent mode
1. Open the command prompt window.
2. Switch user to root: su - root.
3. Go to the following directory:
/opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/Migrator
4. Use the following command to complete the migration using Silent Mode:
./migrateDetectionServer.sh
-silent
-sourceVersion="<previous version>"
-jreDirectory="/opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_202"

Where <previous version> represents the previous version number. The /opt/Symantec/DataLossPrevention/
ServerJRE/1.8.0_202 points to the current JRE location.
A message indicates when the migration completes.
Migrate using interactive mode
1. Open the command prompt window.
2. Switch user to root: su - root.
3. Go to the following directory:
/opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/Migrator
4. Run the Migration Utility by running the following command:
./migrateDetectionServer.sh

5. Confirm the JRE directory that displays.
If no JRE displays, you must install it before proceeding. See Install the Java Runtime Environment on a Detection
Server on Linux.
6. Confirm that OpenJRE is installed and that the directory is correct, then enter Y and press Enter.
7. Enter Y and press Enter to start phase 1.
After phase 1 completes, a message provides a path to where you can access the phase 1 report. The report lists
details about the data files, document profiles, property files, plugins, and keystores that were migrated. Resolve any
errors listed on this page before proceeding to phase 2.
8. Select the active Symantec Data Loss Prevention version to migrate and press Enter.
9. Enter Y and press Enter to start phase 2.
A message indicates when the migration completes.
10. If the migration fails, review the Network Discover cluster migration logs in MigrationUtility.log at /var/log/
Symantec/DataLossPrevention/DetectionServer/16.0.10000/debug/.

The process to migrate data does not move all plug-ins. See Migrating Plug-ins.

Migrating Previous Version Data to a New Single-Tier Installation on Linux


After you install the version 16.0.1 single-tier system, you use the Migration Utility to migrate data to the new instance.
Before you run the Migration Utility, run the Update Readiness Tool to confirm that the database is ready for migration.
NOTE
Before starting the migration process, ensure that the database is ready for the migration. See Preparing the
Oracle Database for a Symantec Data Loss Prevention Upgrade.
NOTE
The migration process backs up .conf files. You can locate these files at /opt/Symantec/
DataLossPrevention/SingleTierServer/<source_version>/Protect/backups in a folder
formatted as service-yyyy-mm-dd-hh-mm-ss. (Replace <source_version> with the previous version
number.) You use the .conf files if you are recovering your previous version system. See Maintaining the
DLP System.

Table 174: Steps to migrate the previous version to a new single-tier installation

Step 1: Install the Java Runtime Environment. See Installing the Java Runtime Environment for a Single-tier
Installation.
Step 2: Sign RPM files. See Sign RPM files.
Step 3: Install the version 16.0.1 single-tier system. See Installing a Single-tier Server on Linux.
Step 4: Migrate the previous version to the version 16.0.1 single-tier installation. See Migrating Data on a
Single-tier Installation on Linux.
Step 5: Back up the upgraded system. See Backing up your system.

Installing the Java Runtime Environment for a Single-tier Installation

You install the Java Runtime Environment (JRE) before you complete a single-tier installation.
1. Log on as root to the computer where you plan to install the single-tier system.
2. Copy OpenJDK8U-jre_x64_linux_hotspot_<version>.tar.gz from your DLPDownloadHome/DLP/16.0.1/
New_Installs/Release directory to the computer where you plan to install the Enforce Server.
Where <version> represents the latest supported version.
3. Unzip the file contents (for example, unzip to /opt/AdoptOpenJRE).
Next: Installing a Single-tier Server on Linux
Installing a Single-tier Server on Linux

Symantec recommends that you disable any antivirus, pop-up blocker, and registry-protection software before you begin
the Symantec Data Loss Prevention installation process.
NOTE
The following instructions assume that the SingleTierServer.zip file, license file, and solution pack file
have been copied into the /opt/temp directory on the Symantec Data Loss Prevention single-tier installation
server.
1. Log on as root to the computer that is intended for the Symantec Data Loss Prevention single-tier installation.
2. Copy the Symantec Data Loss Prevention single-tier installer (SingleTierServer.zip) from DLPDownloadHome
to a local directory on the single-tier computer (for example, /opt/temp/).
3. Unzip the file contents (for example, unzip to /opt/temp).
If you are prompted whether or not to replace install.sh, enter Y for yes. The install.sh is identical for all
packages.
4. Confirm file dependencies for RPM files by running the following command:
rpm -qpR *.rpm

If the command indicates that dependencies are missing, you can use YUM repositories to install them. Use the
following command:
yum install repo

Replace repo with the repository package name.


5. Restart any antivirus, pop-up blocker, or other protection software that you disabled.
6. If you have not done so already, run the Update Readiness Tool to confirm that the Oracle database is ready to be
migrated to the new instance. If you have already run the Upgrade Readiness tool, skip this step.
7. Start the migration process.
Next: Migrating Data on a Single-tier Installation on Linux
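The dependency check in the detection server, cluster node and single-tier procedures is the same: run rpm -qpR on the installer RPMs and resolve anything missing with yum. rpm -qpR only lists what the packages require; it does not say which of those requirements the host lacks. As an added example (not Symantec's code and not part of this guide), the following POSIX shell helper takes that requirement list together with the capabilities the host provides and prints the requirements nothing satisfies, so the yum install step can be targeted. The function names are hypothetical, the two input files are assumptions of this example, and the constructed lists in the usage comment are not real package output.

```shell
#!/bin/sh
# Added example, not Symantec's code: compare the requirements that
# `rpm -qpR *.rpm` lists for the installer RPMs against the capabilities the
# host already provides, and print the ones nothing satisfies. On the target
# host the inputs would be produced with
#   rpm -qpR *.rpm      > requirements.txt
#   rpm -qa --provides  > provides.txt
# The two files are the only input, so the logic can also be exercised
# offline with constructed lists.

# Strip a version constraint ("openssl-libs >= 1.1.1" -> "openssl-libs").
# Only the capability name is compared; version constraints are left to rpm,
# which evaluates them at install time.
capability_name() {
    printf '%s\n' "$1" | sed 's/[[:space:]]*[<>=].*$//'
}

# Print each line of $1 (requirements) whose capability name does not appear
# in $2 (provided capabilities). rpmlib(...) requirements are skipped because
# the rpm binary itself satisfies them. Returns 1 if anything is missing.
missing_requirements() {
    req_file=$1 prov_file=$2
    names=$(mktemp)
    sed 's/[[:space:]]*[<>=].*$//' "$prov_file" | sort -u > "$names"
    missing=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$line" in "rpmlib("*) continue ;; esac
        if ! grep -Fxq -- "$(capability_name "$line")" "$names"; then
            printf '%s\n' "$line"
            missing=$((missing + 1))
        fi
    done < "$req_file"
    rm -f "$names"
    [ "$missing" -eq 0 ]
}

# Usage on a host: missing_requirements requirements.txt provides.txt
# Constructed illustration: with a requirements file containing
#   rpmlib(CompressedFileNames) <= 3.0.4-1
#   libc.so.6(GLIBC_2.14)(64bit)
#   example-missing-lib >= 2.0
# and a provides file containing only libc.so.6(GLIBC_2.14)(64bit), the
# function prints "example-missing-lib >= 2.0" and exits nonzero. Whatever is
# printed is what the documented yum install step still has to supply.
```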
Migrating Data on a Single-tier Installation on Linux

After you install the version 16.0.1 Enforce Server, you use the Migration Utility to migrate data to the new instance. The
Migration Utility migrates Enforce Server data in the following two phases:
1. Runs a report to confirm the status of the file system
The report lists information to confirm that the file system is ready for migration and identifies issues. The report lists
saved customizations. Saved customizations include certificates, keystores, plugins, FlexResponse scripts, and
configuration file settings.
The first phase of the migration also moves data files, document profiles, property files, plugins, and keystores to the
16.0.1 instance.
2. Performs pre-checks before DLP services are taken down during the migration
The second phase of the migration moves incidents, indexes, services, and the database.
Before you start the migration, use the Upgrade Readiness tool to confirm that the Oracle database is ready for migration.
See Checking the database update readiness.
You can migrate data silently or using interactive mode.
The process to migrate data does not move all plug-ins. See Migrating plug-ins.
NOTE
Before you run the Migration Utility, you must switch to root user.
Migrate silently
1. Open the command prompt window.
2. Switch to root user: su root.
3. Go to the following directory:
/opt/Symantec/DataLossPrevention/SingleTierServer/16.0.1.00000/Protect/Migrator
4. Run the following command as root to complete the migration using silent mode:
./migrateSingleTierServer.sh
-silent
-sourceVersion="<previous version>"
-jreDirectory="/opt/AdoptOpenJRE/jdk8u<version>-b10-jre"

Where <previous version> is the previous version number and /opt/AdoptOpenJRE/jdk8u<version>-b10-jre points to
the current JRE location.
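The silent migration commands for the detection server, the Network Discover cluster and the single-tier server all have the same shape: run the migration script from its Migrator directory as root with -silent, -sourceVersion and -jreDirectory. The following POSIX shell wrapper is an added example, not Symantec's code or part of this guide, that checks those preconditions before invoking the documented script (migrateDetectionServer.sh or migrateSingleTierServer.sh). The function names, the version-string check and the bin/java test are assumptions of this example, not requirements documented for the Migration Utility; the paths in the usage comment are the defaults this guide names.

```shell
#!/bin/sh
# Added example, not Symantec's code: preconditions for the documented
# silent migration, checked before the Migration Utility script is run.
# All function names here are hypothetical.

# Return 0 if $1 looks like a dotted numeric DLP version string (15.8, 16.0.1).
valid_source_version() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if $1 is a JRE directory, taken here to mean it contains bin/java.
valid_jre_dir() {
    [ -d "$1" ] && [ -x "$1/bin/java" ]
}

# Print the command line the documented silent mode expects, or print nothing
# and return 1 if a precondition fails. $1 is the script (for example
# ./migrateSingleTierServer.sh), $2 the previous version, $3 the JRE directory.
silent_migration_command() {
    script=$1 version=$2 jre=$3
    valid_source_version "$version" || { echo "bad -sourceVersion: '$version'" >&2; return 1; }
    valid_jre_dir "$jre" || { echo "no JRE at $jre (bin/java missing)" >&2; return 1; }
    printf '%s -silent -sourceVersion="%s" -jreDirectory="%s"\n' "$script" "$version" "$jre"
}

# Run the migration from its Migrator directory as root.
# $1 Migrator directory, $2 script name inside it, $3 previous version, $4 JRE dir.
run_silent_migration() {
    [ "$(id -u)" -eq 0 ] || { echo "switch to root first (su - root)" >&2; return 1; }
    [ -d "$1" ] || { echo "Migrator directory not found: $1" >&2; return 1; }
    [ -x "$1/$2" ] || { echo "migration script not found: $1/$2" >&2; return 1; }
    silent_migration_command "./$2" "$3" "$4" >/dev/null || return 1
    (cd "$1" && "./$2" -silent -sourceVersion="$3" -jreDirectory="$4")
}

# Usage (single-tier server, documented default paths; <previous version> and
# the JRE build directory are whatever applies on the host):
#   run_silent_migration \
#     /opt/Symantec/DataLossPrevention/SingleTierServer/16.0.1.00000/Protect/Migrator \
#     migrateSingleTierServer.sh "<previous version>" /opt/AdoptOpenJRE/jdk8u<version>-b10-jre
```

silent_migration_command prints the exact line that will be run, which is useful for recording the migration in a change ticket before it is executed; run_silent_migration performs the same checks and then runs the script, so a failed precondition never reaches the utility.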
Migrate using interactive mode
1. Open the command prompt window.
2. Switch to root user: su root.
3. Go to the following directory:
/opt/Symantec/DataLossPrevention/SingleTierServer/16.0.1.00000/Protect/Migrator
4. Run the Migration Utility using the following command:
./migrateSingleTierServer.sh

5. Confirm that OpenJRE is installed and that the directory is correct, then enter Y.
6. Press Enter.
If no JRE displays, you must install it before proceeding.
See Installing the Java Runtime Environment for a Single-tier Installation.
A list of the migration phases appears.
7. Enter Y and press Enter to start phase 1.
After phase 1 completes, a message provides a path to where you can access the phase 1 report. The report lists
details about the data files, document profiles, property files, plugins, and keystores that were migrated. Resolve any
errors listed on this page before proceeding to phase 2.
8. Select the active Symantec Data Loss Prevention version to migrate and press Enter.
NOTE
The previous version continues to run, including the services and the database, after phase 1 completes.
You can exit the migration process and continue to phase 2 at a later time.
9. Enter Y and press Enter to start phase 2.
A message indicates when the migration completes.
NOTE
If the upgrade fails because of DatabaseProcessCheck, see Stop all Symantec Data Loss Prevention
database sessions.
10. If the migration fails, review the Enforce Server migration logs in MigrationUtility.log at /var/log/
Symantec/DataLossPrevention/EnforceServer/16.0.1.00000/debug/ for more details.

Parameters for install.sh


You can use the following parameters when using install.sh. If you do not change parameters, a default installation is
completed.

Table 175: Parameters for install.sh

-t (default: N/A): This required parameter defines the installation type. Enter one of the following, depending on
what you plan to install:
• enforce
• detection
• singletier
• indexers
-i (default: /opt/Symantec/DataLossPrevention): Defines the path to the installation directory. You can indicate a
path where you want to relocate the installation type.
-d (default: /var/Symantec/DataLossPrevention): Defines the path to the data directory.
-l (default: /var/log/Symantec/DataLossPrevention): Defines the path to the logs directory.
-r (default: /var/run/Symantec/DataLossPrevention): Defines the path to the run directory.
-s (default: /var/spool/Symantec/DataLossPrevention): Defines the path to the spool directory.

Backing up your system


Symantec recommends that administrators perform backups of their entire system immediately after completing
the migration or installation processes.
See Maintaining the DLP System for information on backing up your system.

Verifying that the Enforce Server and the detection servers are running
Verify that the Enforce Server is running.
Check that all of the detection servers to be upgraded are running the appropriate Symantec Data Loss Prevention
version.
1. Log on to the Enforce Server.
2. Go to System > Servers and Detectors > Overview and check that the Symantec Data Loss Prevention servers are
running.
Related Links
Upgrading Symantec Data Loss Prevention on page 372

Applying the updated configuration to Endpoint Prevent servers


The upgrade process updates existing Endpoint Prevent agent configurations with new settings. After you complete the
upgrade, the Enforce Server administration console reports that existing Endpoint Servers use an outdated configuration.
Follow this procedure to apply the updated agent configuration to your Endpoint Servers.
1. Log on to the Enforce Server administration console using the Administrator account.
2. Select System > Agents > Agent Configuration.
3. Select Apply Configuration.
4. Select all available configurations, and then click Apply and Update.
5. Click Done.

Upgrading your scanners


If you have any version 15.x or earlier scanners, you should upgrade them to Symantec Data Loss Prevention
version 16.0.1 scanners. To upgrade a scanner, remove the older software and then install the Symantec Data Loss
Prevention 16.0.1 scanner.
For information on adding and removing scanners, see Managing Discover Scan Targets.

Related Links
Symantec Data Loss Prevention Upgrade Phases on page 352
Complete the upgrade in the phases that are described in the following sections.

Upgrading Endpoint Prevent group directory connections


Symantec Data Loss Prevention provides server-side group-based policies, which require an index for each group
directory connection that you use. If you have existing Endpoint Prevent group directories from a previous Symantec Data
Loss Prevention version, you must create indexes and configure the indexing schedule for those group directories before
associated group-based policies can be applied to detection servers.
See Creating connections to LDAP servers for information about creating group directory connections and see Scheduling
Directory Server Indexing for scheduling directory server indexing.

Upgrading or installing Npcap for Network Monitor


Npcap is required for the Network Monitor detection server on Windows platforms.

NOTE
Npcap is also recommended for any type of Windows-based detection server you deploy.
1. Download Npcap from https://nmap.org/npcap.
2. Run the npcap-<version>.exe file.
3. On the Installation Options screen select Install Npcap in WinPcap API-compatible Mode.
4. Click install.

Updating an appliance
You update appliance software using the Enforce Server administration console.
For steps to update an appliance, see Updating appliance software.

Upgrading Symantec DLP Agents


Learn about upgrading DLP Agents.
About Symantec Data Loss Prevention Agent upgrades
Secure Communications between DLP Agents and Endpoint Servers upgrade
Process to upgrade the DLP Agent on Windows
Process to upgrade the DLP Agent on Mac

About Symantec Data Loss Prevention Agent upgrades


You can upgrade DLP Agents from one version to another by using systems management software, or you can update
the agents manually. Manual upgrades are not recommended for large deployments. You can upgrade DLP Agents as a
group if you upgrade using systems management software. If you upgrade the agents manually, you must upgrade each
agent individually.
NOTE
Before you upgrade agents to 16.0.1, upgrade Symantec Data Loss Prevention components to 15.8 if you are
running an earlier version.
Symantec recommends installing antivirus software on your endpoints. However, antivirus software may interrupt the DLP
Agent upgrade if antivirus scans are being performed on agent installation directories. Therefore, pause antivirus scans on
agent installation directories during the upgrade process.
After you upgrade agents to the latest version, each agent must reconnect to the Endpoint Server before detection
resumes. After the agents reconnect to an Endpoint Server, the agents download the relevant policies.
The following table provides a general overview of the upgrade process:

Table 176: Upgrade process for Symantec DLP Agents

Step 1: Create the Symantec Data Loss Prevention Agent installation package.
You create the agent installation package using the Enforce Server administration console. This package contains a BAT file that you use to upgrade Windows agents and a PKG file that you use to upgrade the Mac agents.
See Secure Communications Between DLP Agents and Endpoint Servers.

Step 2: Bundle the Mac agent installation files if you plan to upgrade Mac agents.
See Process to upgrade the DLP Agent on Mac.

Step 3: Install the upgrade package on endpoints.
Choose one of the following upgrade methods:
• Upgrade the DLP Agent by using silent upgrades. See Upgrading the Windows agent silently and Upgrading DLP Agents on Mac endpoints silently.
• Upgrade the DLP Agent manually. See Upgrading the Windows agent manually and Upgrading the DLP Agent for Mac manually.
• Upgrade Linux agents. See Performing the DLP Agent Upgrade for Linux.

Secure Communications between DLP Agents and Endpoint Servers


Symantec Data Loss Prevention uses SSL certificates and public-key encryption to authenticate and secure
communications between DLP Agents and Endpoint Servers.
When you install or upgrade the Enforce Server, DLP sets up a root Certificate Authority (CA). DLP automatically
generates the public certificates and the keys that are required to authenticate and secure communications
between DLP Agents and Endpoint Servers. The certificates are signed by the Symantec Data Loss Prevention CA.
The public certificates and keys are securely stored in the Enforce Server database. The DLP Agent initiates connections
to one of the Endpoint Prevent Servers or load balancer servers and authenticates the server certificate.
When you deploy an Endpoint Prevent Server, the system generates the server public-private key pair that is signed by
the DLP root CA certificate. These files are versioned. When you generate the agent package, the system generates the
agent public-private key pair and the agent certificate, also signed by the DLP root CA.
You can view which CA version is in use at the System > Settings > General screen. The password for the DLP root CA
is randomly generated and used by the system. Changing the root CA password is reserved for internal use.

Support for custom certificates


You can use custom certificates to verify the identities of endpoints and Endpoint Prevent Servers. With custom
certificates, you can integrate DLP with your Enterprise PKI (Public Key Infrastructure). Endpoint Prevent Servers also can
check for revoked endpoint certificates.
On Windows and macOS endpoints, DLP Agent uses custom endpoint certificates that are provisioned in the operating
system certificate store. The DLP Agent does not support custom endpoint certificates on Linux endpoints.
The certificate management feature enables you to add your own keystores to Endpoint Prevent Servers. You can also
add your own truststores that endpoints and Endpoint Prevent Servers can use to verify each other's identity.
For instructions about configuring new and existing Endpoint Prevent Servers to use custom certificates, see Configuring
Endpoint Prevent Servers to Use Custom Certificates.

For instructions about migrating endpoints from the default DLP Agent certificate to a custom certificate, see Configuring
DLP Agents to Use Custom Certificates.
For information about the limitations of using custom certificates, see Limitations of DLP support for custom certificates.
Related Links
Generating agent installation packages on page 415
Agent installation package contents on page 417
Generate the agent installation package for agents at the System > Agents > Agent Packaging screen.

Generating agent installation packages


The packaging process creates a zip file that contains the installer of your choice. The zip file includes public certificate
and keys and installation scripts to install DLP Agents. You generate a single installation package for each endpoint
platform where you want to deploy.
For example, if you want to install DLP Agents on Windows 64-bit endpoints, you generate a single
AgentInstaller_Win64.zip package. If you specify more than one installer for packaging, such as the Windows 64-bit
agent installer and the Mac 64-bit agent installer, the system generates separate agent packages for each platform.
Before you start generating the agent installation packages confirm that your system is ready to package by doing the
following:
• Confirm that the agent installers are copied to the Enforce Server local file system.
• Confirm that the Enforce Server has at least 3 GB of free space. The packaging process fails if the Enforce Server has
less than 3 GB of free space.
The following table provides instructions for generating agent installation packages. The instructions assume that you
have deployed an Endpoint Server.

Table 177: Generating the agent installation package

Step 1: Navigate to the Agent Packaging page.
Log on to the Enforce Server administration console as an administrator and navigate to the System > Agents > Agent Packaging page.

Step 2: Select one or more DLP Agent installation files.
Browse to the folder on the Enforce Server where you copied the agent installer files. The following installer files are available:
• Windows 64-bit: AgentInstall-x64_16_0_1.msi
• Windows 32-bit: AgentInstall-x86_16_0_1.msi
• Linux 64-bit (for Linux distributions, you package each operating system type separately):
  – Red Hat Enterprise Linux: AgentInstall-x86_64_16_0_1.rpm
  – Ubuntu: AgentInstall-x86_64_16_0_1.deb
• Mac 64-bit: AgentInstall_16_0_1.pkg

Step 3: Enter the server host name.
Typically you enter the common name (CN) of the Endpoint Server host, or you can enter the IP address of the server. Be consistent with the type of identifier you use (CN or IP). If you used the CN for the Endpoint Server when deploying it, use the same CN for the agent package. If you used an IP address to identify the Endpoint Server, use the same IP address for the agent package.
Alternatively, you can enter the CN or IP address of a load balancer server.
Note: The Enforce Server administration console does not accept IPv6 addresses as input. Instead of specifying an IPv6 address, enter the host name.
Note: To ensure that IPv6-only endpoints can communicate with an Endpoint Prevent Server, make sure that the Endpoint Prevent Server is running on a dual-stack host. If the Endpoint Prevent Server is running on an IPv4 host, you might need to configure NAT devices to translate the IP addresses of IPv6-only endpoints.

Step 4: Enter the port number for the server.
The default port is 10443. Typically you do not need to change the default port unless it is already in use or intended for use by another process on the server host.

Step 5: Add additional servers (optional).
Click the plus sign to add additional servers for failover. If you configure agents to connect to more than one Endpoint Prevent Server, you can specify a mix of servers that use the DLP Default KeyStore and servers that use custom keystores.
Note: Symantec Data Loss Prevention allots 2048 characters for Endpoint Server names. This allotment includes the characters that are used for the Endpoint Server name, port numbers, and semicolons to delimit each server.
The first server that is listed is the primary; additional servers are secondary and provide backup if the primary is down. See About Endpoint Server redundancy.

Step 6: Enter the Endpoint tools password.
A password is required to use the Endpoint tools to administer DLP Agents. The Endpoint tools password is case-sensitive. The password is encrypted and stored in a file on the Enforce Server. You should store this password in a secure format of your own so that it can be retrieved if forgotten.
After installing agents, you can change the password on the Agent Password Management screen. See About agent password management.

Step 7: Re-enter the Endpoint tools password.
The system validates that the passwords match and displays a message if they do not.

Step 8: Enter the target directory for the agent installation (Windows only).
The default installation directory for Windows 32- and 64-bit agents is %PROGRAMFILES%\Manufacturer\Endpoint Agent. Change the default path if you want to install the Windows agent to a different location on the endpoint host. You can only install the DLP Agent to an ASCII directory using English characters. Using non-English characters can prevent the DLP Agent from starting and from monitoring data in some scenarios.
Note: Include the drive letter if you plan to change the default directory. For example, use C:\Endpoint Agent. Not including a drive letter causes the agent installation to fail.
The target directory for the Mac agent is set by default.

Step 9: Enter the uninstall password (optional, Windows only).
The agent uninstall password is supported for Windows agents. The uninstall password is a tamper-proof mechanism that requires a password to uninstall the DLP Agent. The password is encrypted and stored in a file on the Enforce Server. You should store this password in a secure format of your own so that it can be retrieved if forgotten.
For information on uninstalling Mac agents, see Removing a DLP Agent from a Mac Endpoint.
After installing agents, you can change the password on the Agent Password Management screen. See About agent password management.

Step 10: Re-enter the uninstall password.
The system validates that the passwords match and displays a message if they do not.

Step 11: Select the truststore that contains the certificate that is used to validate the Endpoint Prevent Server certificate.
You can select either the default truststore that contains the self-signed certificate and key or a custom truststore that you added. If you configured the Endpoint Prevent Servers to use a custom certificate, select the truststore that contains the corresponding CA public certificate that can validate the custom Endpoint Prevent Server certificate.
Note: If you previously chose to use the DLP Default TrustStore while creating agent packages, you can switch to a custom truststore the next time you generate new packages for upgrading agents.

Step 12: Click Generate Installer Packages.
This action generates the agent installer package for each platform that you selected in step 3. The generation process may take a few minutes.

Step 13: Save the agent package zip file.
When the agent packaging process is complete, the system prompts you to download the agent installation package. Save the zip file to the local file system. After you save the file you can navigate away from the Agent Packaging screen to complete the process.
The zip file is named according to the agent installer you uploaded:
• AgentInstaller_Win64.zip
• AgentInstaller_Win32.zip
• AgentInstaller_Linux64.zip
• AgentInstaller_Mac64.zip
If you upload more than one agent installer, the package name is AgentInstallers.zip. In this case, the zip file contains separate zip files for each agent package for each platform you selected in step 3.

Step 14: Install DLP Agents using the agent package.
Once you have generated and downloaded the agent package, you use it to install all agents for that platform.

Related Links
Agent installation package contents on page 417
Generate the agent installation package for agents at the System > Agents > Agent Packaging screen.

Agent installation package contents


Generate the agent installation package for agents at the System > Agents > Agent Packaging screen.
When you upgrade agents, you generate the agent installation package and then use the upgrade.bat file to upgrade Windows
endpoints and the install.sh file to upgrade macOS endpoints.

Windows Agent Package Contents

The agent installation package for Windows agents contains the endpoint certificates, installation files, and the package
manifest.

macOS Agent Package Contents

The Mac agent package contains endpoint certificates, installation files, the package manifest, and a file to generate the
installation script for macOS.

Table 179: AgentInstaller_Mac64.zip installation package contents

AgentInstall_16_0_1.pkg: Mac DLP Agent installer.
AgentInstall.plist: Mac DLP Agent installation properties configuration file.
create_package: No longer used due to notarization and signing restrictions applied by macOS.
endpoint_cert.pem, endpoint_priv.pem, endpoint_truststore.pem: Agent certificate and encryption keys. See About secure communications between DLP Agents and Endpoint Servers.
addin_trustore.pem, addin_cert.pem, addin_priv.pem: Agent certificates required for Outlook monitoring.
install_agent.sh: Use to install the DLP Agent.
Install_Readme.rtf: Provides commands for packaging and installing the agent.

Linux Agent Package Contents

The Linux agent package contains endpoint certificates, installation files, the package manifest, and a file to generate the
installation script for Linux distributions.

Table 180: AgentInstaller_Linux64.zip or AgentInstaller_LinuxDeb64.zip installation package contents

AgentInstall.json: Linux DLP Agent installation properties configuration file.
AgentInstall-x86_64_16_0_1.rpm (for Red Hat Enterprise Linux) or AgentInstall-x86_64_16_0_1.deb (for Ubuntu): Linux DLP Agent installer.
endpoint_cert.pem, endpoint_priv.pem, endpoint_truststore.pem: Agent certificate and encryption keys. See About secure communications between DLP Agents and Endpoint Servers.
install_agent.sh: Use to install the DLP Agent.

Working with endpoint certificates


Symantec Data Loss Prevention automatically generates the public certificates and the keys needed for authentication
and secure communications between DLP Agents and Endpoint Server. The public certificates and keys are securely
stored in the Enforce Server database.
When you install or upgrade the Enforce Server, the system generates the DLP root certificate authority (CA). This file
is versioned and the version is incremented if the file is regenerated. You can view which CA version is currently in use
at the System > Settings > General screen. The password for the DLP root CA is randomly generated and used by the
system. Changing the root CA password is reserved for internal use.
When you deploy an Endpoint Server, the system generates the server public-private key pair signed by the DLP root
CA certificate. These files are versioned. When you generate the agent package, the system generates the agent
public-private key pair and the agent certificate, also signed by the DLP root CA.

Related Links
Secure Communications between DLP Agents and Endpoint Servers upgrade on page 414
Symantec Data Loss Prevention uses SSL certificates and public-key encryption to authenticate and secure
communications between DLP Agents and Endpoint Servers.

Process to upgrade the DLP Agent on Windows


You can upgrade one DLP Agent on a Windows endpoint at a time, or you can use system management software (SMS)
to upgrade many DLP Agents automatically. Symantec recommends that you upgrade one DLP Agent using the manual
method before you upgrade many DLP Agents using your SMS. Upgrading in this manner helps you troubleshoot
potential issues and ensure that upgrading using your SMS goes smoothly.
Before you upgrade DLP Agents on Windows endpoints, confirm that you have completed prerequisite steps. See About
Symantec Data Loss Prevention Agent upgrades.

Table 181: Process to upgrade agents on Windows endpoints

Step 1: Prepare endpoints that have Safe Mode monitoring enabled.
See Upgrading previous version DLP Agents with Windows Safe Mode monitoring enabled.

Step 2: Upgrade the agent.
• Upgrade an agent manually. You can upgrade an agent manually when you want to test the configuration. See Upgrading the Windows agent manually.
• Upgrade the agents using your SMS. You upgrade agents using this method to upgrade many agents at one time. See Upgrading the Windows agent silently.

Upgrading previous version DLP Agents with Windows Safe Mode monitoring enabled
If you are upgrading DLP Agents with Safe Mode monitoring enabled, you must delete the registry entries for the TDI
drivers before you upgrade the agents.
Locate and delete the following TDI registry entries on each endpoint with Safe Mode monitoring enabled:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdifdvvvv.sys]

For the file tdifdvvvv.sys, replace vvvv with the DLP Agent version. For example, DLP Agent version 12.5.2 would
display as tdifd1252.sys.
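The following PowerShell script is an added example, not part of the Symantec documentation or product: it maps an agent version to the tdifdvvvv.sys key name as described above, lists every matching entry under the SafeBoot\Minimal key for any agent version, and removes them with a -WhatIf preview first. The function names are the example's own; run it from an elevated session on each affected endpoint.

```powershell
# Added example; not Symantec's code. Locates and removes the Safe Mode TDI
# driver entries the page describes, for any DLP Agent version.

$SafeBootMinimal = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'

function ConvertTo-DlpTdiDriverName {
    # Maps an agent version such as "12.5.2" to the key name pattern on this
    # page: the version digits replace "vvvv", giving tdifd1252.sys.
    param([Parameter(Mandatory)][string]$AgentVersion)
    $digits = $AgentVersion -replace '[^0-9]', ''
    if ($digits.Length -eq 0) { throw "No digits found in agent version '$AgentVersion'" }
    return "tdifd${digits}.sys"
}

function Get-DlpSafeBootTdiEntry {
    # Returns the SafeBoot\Minimal subkeys whose names match tdifd<digits>.sys.
    param([string]$SafeBootKey = $SafeBootMinimal)
    if (-not (Test-Path -LiteralPath $SafeBootKey)) { return @() }
    @(Get-ChildItem -LiteralPath $SafeBootKey |
        Where-Object { $_.PSChildName -match '^tdifd\d+\.sys$' })
}

function Remove-DlpSafeBootTdiEntry {
    # Deletes the matching keys. Use -WhatIf to see what would be removed
    # without changing the registry.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$SafeBootKey = $SafeBootMinimal)
    $removed = @()
    foreach ($key in Get-DlpSafeBootTdiEntry -SafeBootKey $SafeBootKey) {
        if ($PSCmdlet.ShouldProcess($key.PSPath, 'Remove Safe Mode TDI driver entry')) {
            Remove-Item -LiteralPath $key.PSPath -Recurse -Force
            $removed += $key.PSChildName
        }
    }
    return $removed
}

# Show the expected key name for the version currently installed (sample value).
$expected = ConvertTo-DlpTdiDriverName -AgentVersion '12.5.2'   # tdifd1252.sys
Write-Host "Expected TDI key name for this version: $expected"

# Preview, then remove, then confirm nothing is left before starting the upgrade.
Remove-DlpSafeBootTdiEntry -WhatIf
$deleted = @(Remove-DlpSafeBootTdiEntry)
Write-Host ("Removed {0} TDI entry(ies): {1}" -f $deleted.Count, ($deleted -join ', '))
if ((Get-DlpSafeBootTdiEntry).Count -ne 0) {
    Write-Warning 'TDI entries remain under SafeBoot\Minimal; resolve before upgrading.'
}
```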

Related Links
Process to upgrade the DLP Agent on Windows on page 419

Upgrading the Windows agent manually


You can upgrade DLP Agents manually on your endpoints by using the upgrade_agent.bat file. Under normal
circumstances, you upgrade DLP Agents manually when you troubleshoot or test DLP Agents in your implementation.
These steps assume that you have generated the agent installation package. See Generating agent installation packages.
1. Run the DLP Agent upgrade batch file.
You run the upgrade_agent.bat located in the agent installation package ZIP file. The user running the batch file
must have administrator rights.
2. Confirm that the agent is running.
Once installed, the DLP Agent initiates a connection with the Endpoint Server. Confirm that the agent is running by
going to Agent > Overview and locating the agent in the list.
Related Links
Process to upgrade the DLP Agent on Windows on page 419

Upgrading the Windows agent silently


You can upgrade DLP Agents silently using a systems management software (SMS) product. Symantec recommends that
you use the upgrade_agent.bat package to upgrade agents. You must upgrade agents from a local directory. If you do
not upgrade from a local directory, some functions of the DLP Agent are disabled.

NOTE
These steps assume that you have generated the agent installation package. See Generating agent installation
packages.
1. In your SMS package, specify the upgrade_agent.bat package.
NOTE
Do not rename the upgrade_agent.bat file for any reason. If you rename this file, your systems
management software cannot recognize the file and the installation fails.
2. Specify the upgrade_agent.bat installation properties.
When you install the Symantec DLP Agent, your systems management software issues a command to the specified
endpoints. The following is an example of what the command might look like:

msiexec /i InstallAgent.bat /q INSTALLDIR="C:\Program Files\Manufacturer\Symantec DLP Agent\" ARPSYSTEMCOMPONENT="1" ENDPOINTSERVER="epserver1:8001;epserver2:8001" SERVICENAME="ENDPOINT" WATCHDOGNAME="WATCHDOG" UNINSTALLPASSWORDKEY="password" TOOLS_KEY="<tools key password>" ENDPOINT_CERTIFICATE="endpoint_cert.pem" ENDPOINT_PRIVATEKEY="endpoint_priv.pem" ENDPOINT_TRUSTSTORE="endpoint_truststore.pem" ENDPOINT_PRIVATEKEY_PASSWORD="<endpoint private key password>" VERIFY_SERVER_HOSTNAME="No" STARTSERVICE="Yes" ENABLEWATCHDOG="YES" LOGDETAILS="Yes" /log C:\installAgent.log

The following list outlines each part of the command and what it does:

• msiexec: The Windows command for executing MSI packages.
• /i: Specifies the name of the package.
• /q: Specifies a silent install.
• ARPSYSTEMCOMPONENT: Optional property to msiexec.
• ENDPOINTSERVER, SERVICENAME, INSTALLDIR, UNINSTALLPASSWORDKEY, and WATCHDOGNAME: Properties for the agent installation package.
• TOOLS_KEY, ENDPOINT_CERTIFICATE, ENDPOINT_PRIVATEKEY, ENDPOINT_TRUSTSTORE, ENDPOINT_PRIVATEKEY_PASSWORD, and VERIFY_SERVER_HOSTNAME: Properties that reference the files and the passwords that are associated with the agent certificates.

3. Specify the msiexec properties.

For details on entering this information into your particular systems management software, see the software product
documentation.
After you upgrade the agents, the DLP Agent service automatically starts on each endpoint computer. Log on to the
Enforce Server and go to System > Agents > Overview, then locate the upgraded agent. Verify that the newly upgraded
agent is registered by confirming that the latest version displays in the list.
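As an added example (not Symantec's code), the PowerShell below assembles the silent-upgrade command line in the form shown above and checks the inputs against the constraints this page states before an SMS job runs it: the package must sit in a local directory and keep the upgrade_agent.bat name, INSTALLDIR must carry a drive letter and use ASCII characters only, and the ENDPOINTSERVER list must stay within the 2048-character allotment. The function names, the host:port pattern check, the trailing-backslash trimming and the sample values are the example's own assumptions.

```powershell
# Added example; not Symantec's code. Builds and validates the msiexec
# command line for a silent DLP Agent upgrade as described on this page.

function Test-DlpPackageDir {
    param([Parameter(Mandatory)][string]$PackageDir)
    # The page requires a local directory, so UNC paths are rejected here.
    if ($PackageDir -match '^\\\\') { throw "Package directory must be local, not UNC: $PackageDir" }
    # The batch file must keep its original name or the SMS cannot recognize it.
    foreach ($name in 'upgrade_agent.bat', 'endpoint_cert.pem', 'endpoint_priv.pem', 'endpoint_truststore.pem') {
        if (-not (Test-Path -LiteralPath (Join-Path $PackageDir $name))) {
            throw "Required file '$name' is missing from $PackageDir"
        }
    }
    return $true
}

function Test-DlpEndpointServerList {
    param([Parameter(Mandatory)][string]$ServerList)
    # Table 177, step 5: 2048 characters for the whole "host:port;host:port" string.
    if ($ServerList.Length -gt 2048) { throw 'ENDPOINTSERVER exceeds the 2048-character allotment' }
    foreach ($entry in ($ServerList -split ';')) {
        if ($entry -notmatch '^[^:;\s]+:\d{1,5}$') { throw "Malformed ENDPOINTSERVER entry '$entry' (expected host:port)" }
    }
    return $true
}

function Test-DlpInstallDir {
    param([Parameter(Mandatory)][string]$Path)
    # Table 177, step 8: include the drive letter and use ASCII characters only.
    if ($Path -notmatch '^[A-Za-z]:\\') { throw "INSTALLDIR must begin with a drive letter: $Path" }
    if ($Path -match '[^\x20-\x7E]') { throw "INSTALLDIR must contain only ASCII characters: $Path" }
    return $true
}

function New-DlpSilentUpgradeCommand {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$PackageDir,        # local folder with the unzipped agent package
        [Parameter(Mandatory)][string]$EndpointServers,   # e.g. "epserver1:8001;epserver2:8001"
        [Parameter(Mandatory)][string]$InstallDir,
        [Parameter(Mandatory)][string]$ToolsKey,
        [Parameter(Mandatory)][string]$PrivateKeyPassword,
        [string]$UninstallPasswordKey = '',
        [string]$LogPath = 'C:\installAgent.log',
        [switch]$VerifyServerHostname
    )
    Test-DlpPackageDir -PackageDir $PackageDir | Out-Null
    Test-DlpEndpointServerList -ServerList $EndpointServers | Out-Null
    Test-DlpInstallDir -Path $InstallDir | Out-Null

    # Property names and fixed values follow the example command on this page.
    $props = [ordered]@{
        INSTALLDIR                   = $InstallDir
        ARPSYSTEMCOMPONENT           = '1'
        ENDPOINTSERVER               = $EndpointServers
        SERVICENAME                  = 'ENDPOINT'
        WATCHDOGNAME                 = 'WATCHDOG'
        TOOLS_KEY                    = $ToolsKey
        ENDPOINT_CERTIFICATE         = 'endpoint_cert.pem'
        ENDPOINT_PRIVATEKEY          = 'endpoint_priv.pem'
        ENDPOINT_TRUSTSTORE          = 'endpoint_truststore.pem'
        ENDPOINT_PRIVATEKEY_PASSWORD = $PrivateKeyPassword
        VERIFY_SERVER_HOSTNAME       = $(if ($VerifyServerHostname) { 'Yes' } else { 'No' })
        STARTSERVICE                 = 'Yes'
        ENABLEWATCHDOG               = 'YES'
        LOGDETAILS                   = 'Yes'
    }
    if ($UninstallPasswordKey) { $props['UNINSTALLPASSWORDKEY'] = $UninstallPasswordKey }

    # Quote every value. A backslash directly before the closing quote is read as
    # an escape by the Windows command-line parser, so a trailing one is trimmed.
    $pairs = foreach ($k in $props.Keys) {
        '{0}="{1}"' -f $k, ([string]$props[$k]).TrimEnd('\')
    }
    $package = Join-Path $PackageDir 'upgrade_agent.bat'
    return ('msiexec /i "{0}" /q {1} /log "{2}"' -f $package, ($pairs -join ' '), $LogPath)
}

# Sample invocation with constructed values; the returned string is what the
# SMS job issues on each endpoint.
$cmd = New-DlpSilentUpgradeCommand -PackageDir 'C:\DLP\AgentInstaller_Win64' `
    -EndpointServers 'epserver1:8001;epserver2:8001' `
    -InstallDir 'C:\Program Files\Manufacturer\Symantec DLP Agent\' `
    -ToolsKey '<tools key password>' -PrivateKeyPassword '<endpoint private key password>' `
    -UninstallPasswordKey '<uninstall password>'
Write-Host $cmd
```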
Related Links
Process to upgrade the DLP Agent on Windows on page 419

Process to upgrade the DLP Agent on Mac


You can upgrade one DLP Agent on a Mac endpoint at a time, or you can use system management software (SMS) to
upgrade many DLP Agents automatically. Symantec recommends that you upgrade one DLP Agent using the manual
method before you upgrade many DLP Agents using your SMS. Upgrading in this manner helps you troubleshoot
potential issues and ensure that upgrading using your SMS goes smoothly.

Before you upgrade DLP Agents on Mac endpoints, confirm that you have completed the prerequisite steps. See About
Symantec Data Loss Prevention Agent upgrades.

Table 182: Process to upgrade agents on Mac endpoints

Step 1: Package the Mac agent installation files.
You compile the Mac agent installation files into one PKG file. You later use this file to manually upgrade an agent, or to insert in your SMS to upgrade many Mac endpoint agents simultaneously. You can also add endpoint tools to the package and add a custom package identifier.
See Packaging Mac agent upgrade files.

Step 2: Upgrade the agent.
• Upgrade an agent manually. You can upgrade an agent manually when you want to test the configuration. See Upgrading the DLP Agent for Mac manually.
• Upgrade the agents using your SMS. You upgrade agents using this method to upgrade many agents at one time. See Upgrading DLP Agents on Mac endpoints silently.

Step 3: Confirm that the Mac agent service is running.
See Confirming that the Mac agent is Running.

Step 4: (Optional) Review the upgraded Mac agent components.
These components include the drivers that prevent tampering and keep the agent running.
See What gets upgraded for DLP Agents on Mac endpoints.

Packaging Mac agent upgrade files


You use the create_package tool to bundle the Mac agent upgrade-related files into a single package. You place this
package in your SMS software to perform a silent upgrade. You also use the create_package tool to assign a package ID
and to bundle endpoint tools with the agent upgrade.
The following steps assume that you have generated the agent installation package and completed all prerequisites. See
Secure Communications between DLP Agents and Endpoint Servers upgrade .
1. Locate the AgentInstaller_Mac64.zip agent installation package. Unzip the contents of this file to a folder on a
Mac endpoint, for example, /tmp/MacInstaller.
NOTE
If you are running macOS 10.15.x and later, unzip the file contents to the /tmp/MacInstaller folder.
macOS 10.15.x and later prevents the create_package tool from running from default folder locations (for
example, Downloads, Documents, Applications, and so on).
2. Use the Terminal.app to bundle the Mac agent upgrade-related files by running the following commands:

• $ cd /tmp/MacInstaller: Defines the path where the Mac agent upgrade files reside.
• $ ./create_package: Calls the create_package tool.
• -i <com.company.xyz>: (Optional) Includes a custom package identifier. You can register the DLP Agent installer receipt data with a custom package identifier. Replace <com.company.xyz> with information specific to your deployment.
• -t ./Tools: (Optional) Calls the create_package tool to bundle the agent tools. See About optional maintenance tools.

The following is an example of what the completed command might look like:

$ cd /tmp/MacInstaller; ./create_package -i <com.company.xyz> -t ./Tools

After you execute the command, a message displays the package creation status.
A file that is named AgentInstall_WithCertificates.pkg is created in the location you indicated. Based on the
example, AgentInstall_WithCertificates.pkg is created at /tmp/MacInstaller.
3. (Optional) If you opted to register the DLP Agent with a custom package identifier, verify the custom package identity.
Execute the following command:
$ pkgutil --pkg-info <com.company.xyz>

Replace com.company.xyz with information specific to your deployment.


Related Links
Process to upgrade the DLP Agent on Mac on page 421

About optional maintenance tools

The maintenance tools can be found in the Symantec_DLP_16.0_Agent_Mac-IN.zip file.


The following table lists the available tools.

Table 183: Mac agent maintenance tools

Maintenance tools:
• vontu_sqlite3 lets you inspect the agent database.
• logdump creates agent log files.

Related Links
Packaging Mac agent upgrade files on page 422

Upgrading the DLP Agent for Mac manually


The following table provides steps for upgrading the DLP Agent for Mac manually.
Normally you perform a manual installation or upgrade when you want to test the agent installation package. If you do not
plan to test the agent installation package, you install Mac agents using an SMS.
NOTE
The following steps assume that you have generated the agent installation package and completed all
prerequisites. See Secure Communications between DLP Agents and Endpoint Servers upgrade .

Table 184: Instructions for upgrading the DLP Agent on a Mac endpoint

Step 1: Locate the agent installation package ZIP (AgentInstaller_Mac64.zip), and unzip it to the Mac endpoint.
Unzip the file to /tmp/MacInstaller. Symantec recommends that you unzip the file contents to the /tmp/MacInstaller folder if you are running macOS 10.15.x and later. macOS prevents the installation from running from locations such as Downloads and Documents.

Step 2: Upgrade the Mac Agent from the command line using the Terminal application.
Run the following command on the target endpoint:
$ sudo sh install_agent.sh
Replace /tmp/MacInstaller with the path where you unzipped the agent installation package.

Step 3: Verify the Mac agent upgrade.
To verify the Mac agent upgrade, open the Activity Monitor and search for the edpa process. It should be up and running. The Activity Monitor displays the processes run by the logged-on user, and edpa runs as root. Select View All Processes to view edpa if you are not logged on as the root user.
You can also confirm that the agent was installed to the default directory: /Library/Manufacturer/Endpoint Agent.

Step 4: (Optional) Troubleshoot the upgrade.
If you experience upgrade issues, use the Console application to check the log messages. Review the Mac Agent installer logs at /var/log/install.log.
In addition, you can rerun the installer with the -dumplog option to create detailed installation logs. For example, use the command sudo installer -pkg /tmp/AgentInstall/AgentInstall_15_8.pkg -target / -dumplog. Replace /tmp/MacInstaller with the path where you unzipped the agent installation package.

Step 5: (Optional) Review information about the Mac agent installation.
See What gets upgraded for DLP Agents on Mac endpoints.

Related Links
Process to upgrade the DLP Agent on Mac on page 421

Upgrading DLP Agents on Mac endpoints silently


You can use a silent installation process by using systems management software (SMS) to upgrade DLP Agents to
endpoints. You must always install the agent installation package from a local directory. If you do not install from a local
directory, some functions of the DLP Agent are disabled.
These steps assume that you have generated the agent installation package. See Generating agent installation packages.
1. Enable the SMS client on the Mac endpoints.
2. Obtain root user access to the Mac endpoints.
3. Specify the install_agent.sh file in your systems management software.
4. Specify a list or range of network addresses where you want to upgrade the DLP Agent.
5. Start the silent upgrade process.

NOTE
If messages indicate that the process failed, review the install.log file that is located in the /var/log
directory on each Mac endpoint.
Related Links
Setting up and configuring Endpoint Discover on page 1886
How to implement Endpoint Prevent on page 1877

Confirming that the Mac agent is Running


The CUI and EDPA services are deployed during the agent installation and begin running after the installation is complete.
You can also confirm that the com.symantec.dlp.edpa service is running. This service displays pop-up notifications on the
Mac endpoint.

If you are running macOS 10.15 and later, the SEHA application must be running. If the SEHA is not running, the
Endpoint Security Client Down agent event is logged and the endpoint goes into a critical state. For the SEHA
application to run, you must configure disk access using MDM profiles. See Complete macOS Endpoint Agent Installation
Prerequisites.

What gets upgraded for DLP Agents on Mac endpoints


When the DLP Agent is installed or upgraded on a macOS endpoint, a number of components are installed. Do not
disable or modify any of these components or the DLP Agent may not function correctly.

Table 185: Mac agent components

Endpoint Agent daemon (EDPA): The installation process places the EDPA files here: /Library/Manufacturer/Endpoint Agent. The com.symantec.manufacturer.agent.plist file contains configuration settings for the Endpoint Agent daemon. This file is located at /Library/LaunchDaemons/.
Encrypted database: Each DLP Agent maintains an encrypted database at the endpoint. The database stores incident metadata, content from the host file system, and the original file that triggered the incident, if needed. The DLP Agent analyzes the content locally.
Log files: The DLP Agent logs information on completed and failed processes.
Database (rrc.ead): This database maintains and contains non-matching entries for rules results caching (RRC). See About rules results caching (RRC).

Related Links
Setting up and configuring Endpoint Discover on page 1886
How to implement Endpoint Prevent on page 1877

Upgrading the DLP Agent on Linux


DLP administrators upgrade agents on Linux endpoints.

Before You Begin the Upgrade


Confirm the following prerequisites before you start the process to upgrade DLP Agents on Linux endpoints:
• Verify that you meet the minimum requirements for Linux Operating System Requirements for Endpoint Systems.
• Confirm that at least one Endpoint Server is installed.
• Generate the agent installation package.
NOTE
Optionally, you can sign RPM installation files on any Linux machine before deploying the package to endpoints
in your organization. See Signing RPM Files for Linux Endpoints.

Steps to Upgrade the Agent on Linux Endpoints
Complete the following steps to upgrade agents on Linux endpoints:
1. Completing the Linux Endpoint Agent Upgrade Prerequisites
2. (Optional) Signing RPM Files for Linux Endpoints
3. Performing the DLP Agent Upgrade for Linux
4. Confirm That the Linux Agent is Running

Completing the Linux Endpoint Agent Upgrade Prerequisites


Complete the following prerequisites before upgrading the Linux endpoint agent to ensure that the DLP Agent upgrade is
successful:
• Confirm that the required Red Hat Package Manager (RPM) packages are available on Linux endpoints.
• Set permissions for executable files. Complete the following task to set permissions.
Set Permissions for Executable Files

The DLP Agent requires permissions to be set for executable files. If permissions are not applied, the agent upgrade fails.
1. Use sudo credentials to log on to the computer where you plan to install the DLP Agent.
2. Enable repository access on the endpoint to ensure that required packages are installed during the agent upgrade.
Skip this step if the required packages are already installed on the endpoint.
3. Locate the agent installation package ZIP (AgentInstaller_Linux64.zip).
This file is generated during the agent installation packaging process. See Agent installation package contents.
4. Unzip the file to the Linux endpoint at /opt/temp/LinuxInstaller.

5. Open a terminal and run the following commands.


cd /opt/temp/LinuxInstaller
sudo chmod +x *.rpm
sudo chmod +x install_agent.sh

NOTE
You only need to run sudo chmod +x *.rpm if changing permissions is required on the endpoint.
Signing RPM Files for Linux Endpoints



Before you install the latest DLP Agent version on a supported Linux distribution endpoint, Symantec recommends that
you use the RPM signing key to verify the signature of RPM files.
All RPM packages provided in the Symantec_DLP_16.0.1_Agent_Lin-IN.zip are signed with a GPG key. The
signature provides integrity protection and ensures that the packages are the same packages produced by Symantec and
were not altered in any way by a malicious third-party.

NOTE
If you try to install and do not use the RPM signing key, a "NOKEY" warning message displays during the
installation.
1. Locate the Symantec_DLP_Linux_Signing_Key.asc file in the DLPDownloadHome directory. The
Symantec_DLP_Linux_Signing_Key.asc is packaged in the Symantec_DLP_16.0.1_Agent_Lin-IN.zip
file.
2. Copy the Symantec_DLP_Linux_Signing_Key.asc file to the computer where you plan to install the DLP Agent.
3. Use sudo credentials to log on to the computer where you plan to install the DLP Agent.
4. Import the key to the RPM key ring by running the following command:
sudo rpm --import Symantec_DLP_RPM_Signing_Key.asc

5. Display the imported key by running the following command:


rpm -qi gpg-pubkey-b891399b-59c04bd7

6. Verify the signature of files before installing them by running the following command:
• Run the following command for Linux endpoints: rpm -K *.rpm
• Run the following commands for Ubuntu endpoints:
sudo gpg --import Symantec_DLP_DEB_Signing_Key.asc
sudo gpg --verify AgentInstall-x86_64_16.0.1.deb
sudo dpkg-sig --verify AgentInstall-x86_64_16.0.1.deb
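As an added example (not Symantec's own tooling), the following POSIX shell script turns the RPM steps above into a single gate: it imports the signing key, confirms the key is present in the RPM key ring under the gpg-pubkey name shown in step 5, and refuses to continue unless every package in the installer directory reports a verified signature rather than a digest-only "OK". The function names and the two `rpm -K` output formats it recognises are assumptions made for the example; the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example: gate the DLP Agent RPM install on signature verification.
# The key ring entry and installer directory are the ones named in this
# section; function names and output-format handling are assumptions.

# Parse `rpm -K` output on stdin. A package is accepted only when its line
# reports a verified signature, e.g. (constructed samples)
#   AgentInstall-x86_64_16_0_1.rpm: digests signatures OK        (rpm 4.14+)
#   AgentInstall-x86_64_16_0_1.rpm: rsa sha1 (md5) pgp md5 OK    (older rpm)
# A digest-only "OK" means the package carries no signature, so it is
# rejected along with NOT OK / NOKEY / MISSING KEYS lines.
verify_rpm_sig_lines() {
    status=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$line" in
            *"NOT OK"*|*NOKEY*|*"MISSING KEYS"*)
                echo "REJECT: $line" >&2
                status=1 ;;
            *signatures*OK|*pgp*OK|*gpg*OK)
                echo "verified: $line" ;;
            *)
                echo "REJECT (no signature verified): $line" >&2
                status=1 ;;
        esac
    done
    return "$status"
}

# Import the signing key file given as $1 and confirm it landed in the RPM
# key ring, using the gpg-pubkey package name from step 5 of this section.
ensure_signing_key() {
    keyfile=$1
    sudo rpm --import "$keyfile" || return 1
    rpm -q gpg-pubkey-b891399b-59c04bd7 >/dev/null
}

# Verify every RPM in the installer directory; non-zero if any package fails.
verify_agent_rpms() {
    dir=${1:-/opt/temp/LinuxInstaller}
    rpm -K "$dir"/*.rpm | verify_rpm_sig_lines
}

# Only touch the system when invoked as:  sh verify_agent_rpms.sh --run KEY.asc [DIR]
# Sourcing the file (for example from a test) defines the functions only.
if [ "${1:-}" = "--run" ]; then
    ensure_signing_key "$2" &&
    verify_agent_rpms "${3:-/opt/temp/LinuxInstaller}" &&
    echo "all packages verified; safe to run install_agent.sh"
fi
```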

Performing the DLP Agent Upgrade for Linux



DLP administrators upgrade agents on Linux endpoints manually.

Before You Begin the Upgrade

These steps assume you have completed prerequisites and generated the agent installation package.
Upgrade the DLP Agent

Complete the following steps for upgrading the DLP Agent for Linux manually.
1. Open a terminal and go to /opt/temp/LinuxInstaller.
2. Upgrade the Linux agent by running the following command on the target endpoint:
sudo ./install_agent.sh

You can locate the agent installation path at /opt/Manufacturer/EndpointAgent.


3. Review installation logs at /var/log/AgentInstall.log.
4. Confirm that the Linux Agent was upgraded successfully by completing the following steps:
a) Open a terminal and run the following command:
rpm -q AgentInstall
b) Review the displayed information to confirm that the agent package name appears correctly.
The following example log shows an upgraded agent.
command :- sudo rpm -q AgentInstall
output = AgentInstall-16.0.10000.60239-1.x86_64

command :- sudo rpm -qip '/root/Downloads/AgentInstaller_Linux64/AgentInstall-x86_64_16_0_1.rpm'
output = Name : AgentInstall
Version : 16.0.10000.60239
Release : 1
Architecture: x86_64
Install Date: (not installed)
Group : Unspecified
Size : 567801693
License : Broadcom
Signature : RSA/SHA256, Monday 20 February 2023 04:43:01 AM CST, Key ID 0b2b5c54b891399b
Source RPM : AgentInstall-16.0.10000.60239-1.src.rpm
Build Date : Monday 20 February 2023 04:41:35 AM CST
Build Host : cb-rh65-xoxo

Confirm That the Linux Agent is Running



Confirm that the Linux agent is running after completing the upgrade.
Perform the following procedure to confirm that the Linux agent is running after completing the upgrade:
1. Open a terminal and run the following command:
sudo systemctl status symantec-dlp-agent

2. Review the log to confirm that the agent is active.


The following example log shows an active agent.
[admin@hkrhel_79_final EndpointAgent]$ sudo systemctl status symantec-dlp-agent
● symantec-dlp-agent.service - Data Loss Prevention
Loaded: loaded (/usr/lib/systemd/system/symantec-dlp-agent.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2022-09-08 12:43:17 IST; 22h ago
Main PID: 23467 (edpa)
Tasks: 20
CGroup: /system.slice/symantec-dlp-agent.service
├─23467 /opt/Manufacturer/EndpointAgent/edpa
├─23505 /opt/Manufacturer/EndpointAgent/Verity/kvoop 23 26 0 23467_-1325164416
└─23507 /opt/Manufacturer/EndpointAgent/Verity/kvoop 23 28 0 23467_-1325164416

Sep 08 12:43:17 hkrhel_79_final systemd[1]: Started Data Loss Prevention.

Post-upgrade tasks
Perform certain tasks after you finish upgrading Symantec Data Loss Prevention.
Performing post-upgrade tasks
Verifying Symantec Data Loss Prevention operations
Updating Connections to the Cloud Detection Service
Migrating Plug-ins
About securing communications between the Enforce Server and the database
About remote indexers

About updating the JRE to the latest version

Verifying Symantec Data Loss Prevention operations


Verify that Symantec Data Loss Prevention operates correctly by performing some checks.
1. Log on to the Enforce Server administration console as Administrator.
2. Log out of the Enforce Server administration console and then log on as a user other than Administrator.
3. Go to the System Overview screen and recycle the current version detection servers to verify that they are
connected.
4. Click on each heading in the Enforce Server navigation pane to view the data that was carried over from the previous
version.
5. Verify that any reports that you had saved from your previous version are still there.
6. Send test emails to trigger a few existing policies and then run a traffic report to confirm that the test messages
generated incidents.
7. Network Discover provides incremental scanning for certain target types. After you upgrade Symantec Data Loss
Prevention, verify that incremental scanning is configured for valid targets. See About Network Discover incremental
scans for information about configuring incremental scans.
8. If you have deployed any Lookup plug-ins, go to the System > Lookup Plugins screen and verify that the plug-in
appears in the list of plug-ins and is configured correctly.
9. Check the Events screen for any severe events.

Updating Connections to the Cloud Detection Service


Review the following tasks to update the cloud detector and CloudSOC Gatelets or Securlets configurations.
Complete these tasks after upgrading to Symantec Data Loss Prevention version 16.0.1. Review the following sections to
confirm whether your previous Symantec Data Loss Prevention version requires updates.

Syncing the Application Detection Configurations to Cloud Detectors


If the following scenarios are true in the previous Symantec Data Loss Prevention version, sync the configurations to
CloudSOC:
• A Cloud Detector was registered in the previous Symantec Data Loss Prevention release
• CloudSOC Gatelets or Securlets are configured in the previous Symantec Data Loss Prevention release
Syncing ensures that Symantec Data Loss Prevention gets the latest Application Detection configurations from
CloudSOC. Complete the following steps in the current Symantec Data Loss Prevention version.
1. Go to Manage > Application Detection > Configuration.
2. Click Sync to CloudSOC.

Adding a Cloud Detector and Configuring Gatelets or Securlets


Review the cloud detector, Gatelets, and Securlets configurations in the previous Symantec Data Loss Prevention
version.
If the previous Symantec Data Loss Prevention version does not include a Cloud Detector, add one and configure the
Gatelets or Securlets.

Complete the following steps in the current Symantec Data Loss Prevention version.
1. Add a cloud detector.
For more information, see Adding a cloud detector.
2. Complete the following steps to select the cloud detector in the Gatelet or Securlet configuration.
a) Navigate to the Manage > Application Detection > Configuration page.
b) Click the edit icon for the Cloud Connector that you want to modify.
The Edit Configuration page appears.
c) Select the cloud detector in the Rest Detectors area.
d) Save your changes.

Migrating Plug-ins
During the upgrade process, the Migration Utility moves plug-ins from the previous version system to the new system
location:
• Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.1.00000\Protect\plugins
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.1.00000/Protect/plugins
The following table lists the plugins that are migrated based on your platform.

Table 186: Migrated plugins

• Windows: FileShare\plugin_settings
  Linux: FileShare/plugin_settings
• Windows: MicrosoftRightsManagementPlugin\rightsManagementConfiguration
  Linux: MicrosoftRightsManagementPlugin/rightsManagementConfiguration
• Windows: MicrosoftRightsManagementPlugin\rightsManagementConfigurationProtection
  Linux: MicrosoftRightsManagementPlugin/rightsManagementConfigurationProtection
• Windows: contentextraction\MarkupTestPlugin
  Linux: contentextraction/MarkupTestPlugin

The Migration Utility does not move plug-ins in other locations, custom plug-ins, custom scripts, previous version log files,
or JAR files to the new version system location. You manually copy these files to the new location.
1. Locate the files you plan to move.
Most plug-ins and scripts are stored on the previous version system at one of the following locations:
• Windows: SymantecDLP\Protect\plugins
• Linux: /opt/SymantecDLP/Protect/plugins

2. Copy the files to the following locations on the new version system based on server and platform:
• Enforce Server
  Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.1.00000\Protect\plugins
  Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.1.00000/Protect/plugins
• Detection server
  Windows: \Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.1.00000\Protect\plugins
  Linux: /opt/Symantec/DataLossPrevention/DetectionServer/16.0.1.00000/Protect/plugins

About securing communications between the Enforce Server and the database
You can use Transport Layer Security (TLS) to encrypt all data that is transmitted between the Enforce Server and the
database server in a three-tier environment. You create unique, self-signed certificates that you store on the Enforce
Server.
You must upgrade Symantec Data Loss Prevention before you secure communications between the Enforce Server and
the database using TLS. The Symantec Data Loss Prevention upgrade cannot communicate over TLS.
Table 187: Steps to secure communications between the Enforce Server and the database describes the process to
secure communications between the Enforce Server and the database.

Table 187: Steps to secure communications between the Enforce Server and the database

Step 1: Generate the self-signed certificates using the orapki command-line utility that is provided with the Oracle database.
  More info: About orapki command line options; Using orapki to generate the server certificate on the Oracle database
Step 2: Configure the JDBC driver on the Enforce Server to use the TLS connection and port.
  More info: Configuring communication on the Enforce Server
Step 3: Configure the server certificate on the Enforce Server.
  More info: Configuring the Server Certificate on the Enforce Server
Step 4: Verify the database certificate usage on the Enforce Server.
  More info: Verifying the Enforce Server database certificate usage

About orapki command line options


You use the orapki command-line utility to create a wallet where certificates are stored. You then use the utility to generate
a unique pair of TLS self-signed certificates that are used to secure communication between the Enforce Server and the
Oracle database.
The orapki utility is located in the following folder on the computer where the Oracle database is installed:
• Windows: %ORACLE_HOME%\bin
• Linux: $ORACLE_HOME/bin
You run the orapki utility on the computer where the Oracle database is located.
The following table lists the command forms and options that you use when generating a unique pair of TLS self-signed
certificates.

Table 188: Orapki utility examples

Create a wallet where certificates are stored. This command also creates the server_wallet directory.
  Windows: orapki wallet create -wallet c:\oracle\wallet\server_wallet -auto_login -pwd password
  Linux: orapki wallet create -wallet ./server_wallet -auto_login -pwd password
Add a self-signed certificate and a pair of private/public keys to the wallet.
  Windows: orapki wallet add -wallet c:\oracle\wallet\server_wallet -dn "CN=oracleserver" -keysize 2048 -self_signed -validity 3650 -pwd password -sign_alg sha256
  Linux: orapki wallet add -wallet /opt/oracle/wallet/server_wallet -dn "CN=oracleserver" -keysize 2048 -self_signed -validity 3650 -pwd password -sign_alg sha256
View the contents of the wallet to confirm that the self-signed certificate was created successfully.
  Windows: orapki wallet display -wallet c:\oracle\wallet\server_wallet
  Linux: orapki wallet display -wallet /opt/oracle/wallet/server_wallet
Export the self-signed certificate. In addition to exporting the certificate, the command creates the file cert.txt in a location based on your platform (Windows: c:\oracle\wallet\server_wallet; Linux: /opt/oracle/wallet/server_wallet).
  Windows: orapki wallet export -wallet c:\oracle\wallet\server_wallet -dn "CN=oracleserver" -cert c:\oracle\wallet\server_wallet\cert.txt
  Linux: orapki wallet export -wallet /opt/oracle/wallet/server_wallet -dn "CN=oracleserver" -cert /opt/oracle/wallet/server_wallet/cert.txt

Related Links
Using orapki to generate the server certificate on the Oracle database on page 432

Using orapki to generate the server certificate on the Oracle database


Complete the following to generate the server certificate on the Oracle database.
1. Prepare to generate the server certificates by completing the following based on your platform:
• Windows:
a. Shut down all Oracle services if they are running in Windows Services.
b. View the services by going to Start > Control Panel > Administrative Tools > Computer Management,
expanding Services and Applications, and clicking Services.
• Linux:
a. Stop the Oracle database.
Stop the database by running the following command as a root user:
$ sh /etc/init.d/dbora stop
b. Log on as the Oracle User by running the following command:
su - oracle

2. Go to the oracle directory by running the following command (based on your platform):
• Windows: cd c:\oracle
• Linux: cd /opt/oracle

3. Create the wallet directory by running the following command:
mkdir wallet

cd wallet

4. Create a wallet on the Oracle server with auto login enabled by running the following command (based on your
platform):
• Windows: At the directory c:\oracle\wallet, run orapki wallet create -wallet .\server_wallet -auto_login -pwd walletpassword
• Linux: At the directory /opt/oracle/wallet, run orapki wallet create -wallet ./server_wallet -auto_login -pwd walletpassword

NOTE
Use a wallet password that adheres to the password policy. Passwords must have a minimum length of eight
characters and contain alphabetic characters combined with numbers or special characters.
On Oracle 12c systems, the Operation is successfully completed message displays when the command completes.
The following two files are created under the server_wallet directory (among similarly named .lck files):
• cwallet.sso
• ewallet.p12
5. Generate the self-signed certificate and add it to the wallet by running the following command (based on your
platform):
• Windows:
orapki wallet add -wallet c:\oracle\wallet\server_wallet -dn "CN=oracleserver" -keysize 2048 -self_signed -validity 3650 -pwd walletpassword -sign_alg sha256
• Linux:
orapki wallet add -wallet /opt/oracle/wallet/server_wallet -dn "CN=oracleserver" -keysize 2048 -self_signed -validity 3650 -pwd walletpassword -sign_alg sha256

Replace oracleserver with the name of the computer where Oracle is running.
6. View the wallet to confirm that the certificate was created successfully by running the following command (based on
your platform):
• Windows:
orapki wallet display -wallet c:\oracle\wallet\server_wallet
• Linux:
orapki wallet display -wallet /opt/oracle/wallet/server_wallet

When the certificate is created successfully, the command returns information in the following form:
Requested Certificates:
User Certificates:
Subject: CN=oracleserver
Trusted Certificates:
Subject: CN=oracleserver

7. Export the certificate by running the following command (based on your platform):
• Windows:
orapki wallet export -wallet c:\oracle\wallet\server_wallet -dn "CN=oracleserver" -cert c:\oracle\wallet\server_wallet\cert.txt
• Linux:
orapki wallet export -wallet /opt/oracle/wallet/server_wallet -dn "CN=oracleserver" -cert /opt/oracle/wallet/server_wallet/cert.txt

8. Confirm that cert.txt is created at the following location (based on your platform):
• Windows: c:\oracle\wallet\server_wallet
• Linux: /opt/oracle/wallet/server_wallet
Next: Configuring communication on the Enforce Server

Configuring communication on the Enforce Server


After you generate the server certificate on the Oracle database, you update the listener.ora file to point to the self-signed certificate.
1. Back up the listener.ora file before you update it.
The file is based on your platform:
• Windows: %ORACLE_HOME%\network\admin
• Linux: $ORACLE_HOME/network/admin
2. Switch to the Oracle user by running the following command:
su - oracle
3. Stop the listener by running the following command:
lsnrctl stop

You can skip this step if the database is already stopped.


4. Open the listener.ora file.
5. Update the port number to 2484 and the protocol to TCPS on the Address line.
The Listener section should read as follows:
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST = [oracle host name])(PORT = 2484))
(ADDRESS = (PROTOCOL = IPC)(KEY = protect))
)
)

6. Add the following section to follow the Listener section:


NOTE
Confirm that the directory points to the server_wallet location.
• Windows:
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = c:\oracle\wallet\server_wallet)))
• Linux:
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /opt/oracle/wallet/server_wallet)))

7. Navigate to the admin directory (based on your platform):
• Windows: %ORACLE_HOME%\network\admin
• Linux: $ORACLE_HOME/network/admin
8. Open the sqlnet.ora file. Create a new sqlnet.ora file if it does not exist.
9. Replace the line SQLNET.AUTHENTICATION_SERVICES=(TNS) with the following (based on your platform):
• Windows:
SQLNET.AUTHENTICATION_SERVICES=(NONE)
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = c:\oracle\wallet\server_wallet)))
• Linux:
SQLNET.AUTHENTICATION_SERVICES=(NONE)
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /opt/oracle/wallet/server_wallet)))

10. Open the tnsnames.ora file.


11. Update the protocol to TCPS and the port to 2484. The updated content should match the following:
PROTECT =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCPS)(HOST = [oracle host name])(PORT = 2484))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = protect)
)
)

LISTENER_PROTECT =
(ADDRESS = (PROTOCOL = TCPS)(HOST = [oracle host name])(PORT = 2484))

12. Start all Oracle services.


To view the services go to Start > Control Panel > Administrative Tools > Computer Management, and then
expand Services and Applications and click Services.
13. Start the Oracle database by running the following command:
Linux: $ sh /etc/init.d/dbora start
14. Confirm that the Oracle listener is operating by running the following command:
lsnrctl status

The listener status displays in the command prompt. If the command prompt indicates that the listener is running but
no services are running on the database, run the following commands:
su - oracle   (only required for Linux)
export ORACLE_SERVICE_NAME=protect
sqlplus /nolog
SQL> conn sys/<password> as sysdba

If Connected to an idle instance appears, run the following commands:
SQL> startup
SQL> exit
lsnrctl status
Next: Configuring the Server Certificate on the Enforce Server

Configuring the Server Certificate on the Enforce Server


After you configure communication on the Enforce Server, you configure the JDBC driver and the server certificate. You
configure the JDBC driver to use the TLS connection and port, then you configure the server certificate.
1. Locate the jdbc.properties file at the location based on your platform:
• Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\protect
\config
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/protect/config
2. Modify the following communication port and connection information:
a) Update the jdbc.dbalias.oracle-thin line to use TCPS.
b) Change the port number to 2484.
The updated communication port and connection information should appear as follows:
jdbc.dbalias.oracle-thin=@(description=(address=(host=[oracle host name])(protocol=tcps)(port=2484))(connect_data=(service_name=protect))(SSL_SERVER_CERT_DN="CN=oracleserver"))

NOTE
If the server certificate on the Oracle database is signed by a public CA (instead of being self-signed), skip to
step 4.
3. Add the certificate to the cacerts file that is located on the Enforce Server by completing the following steps:
Replace <version> with the OpenJRE version running on your system.
a) Copy the cert.txt file to the security folder:
• Windows: C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security
• Linux: /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security
b) Change the directory by running the following command based on your platform:
• Windows: cd C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security
• Linux: cd /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security
c) Insert the certificate into the cacerts file by running the following command as an administrator (for Windows) or
as a root user (for Linux).
keytool -import -alias oracleservercert -keystore cacerts -file cert.txt

Enter the default password when you are prompted: changeit.


d) Confirm that the certificate was added by running the following command based on your platform:
• Windows: keytool -list -v -keystore "C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security\cacerts" -storepass changeit
• Linux: keytool -list -v -keystore /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security/cacerts -storepass changeit

4. Restart all Symantec Data Loss Prevention services.
Next: Verifying the Enforce Server database certificate usage

Verifying the Enforce Server database certificate usage


To confirm that certificates are configured correctly and the Enforce Server is communicating with the database, log on to
the Enforce Server administration console. If you can log on, the Enforce Server and database are communicating over a
secure communication.
If you cannot log on, confirm the TLS connection from the Java application by checking the listener status on the
database server. The listener status should show the TCPS protocol and port 2484 in use. If the listener status does not
show these, repeat the process to generate the self-signed certificates.
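As an added example, not part of Symantec's documentation, the following POSIX shell function automates the listener check described above: fed the text of listener.ora or the output of lsnrctl status, it passes only when a TCPS endpoint on port 2484 is present and no plaintext TCP endpoint is still configured. The two sample listener sections are constructed for the example, and the exact lsnrctl status line format it matches on is an assumption.

```shell
#!/bin/sh
# Added example: confirm the Oracle listener offers only the TLS endpoint
# that the Enforce Server's jdbc.properties points at (TCPS on 2484).

# Read listener.ora text or `lsnrctl status` output on stdin. Succeeds only
# if at least one TCPS endpoint on port 2484 is listed and no plaintext TCP
# endpoint remains. IPC endpoints (local connections) are ignored.
check_listener_tls() {
    found_tcps=0
    plain_tcp=0
    while IFS= read -r line; do
        case "$line" in
            *"(PROTOCOL"*|*"(protocol"*) ;;
            *) continue ;;
        esac
        # Lower-case and strip blanks so "PROTOCOL = TCPS" (listener.ora)
        # and "PROTOCOL=tcps" (lsnrctl status) compare the same way.
        norm=$(printf '%s' "$line" | tr 'A-Z' 'a-z' | tr -d ' \t')
        case "$norm" in
            *"(protocol=tcps)"*"(port=2484)"*)
                found_tcps=1 ;;
            *"(protocol=tcp)"*)
                plain_tcp=1
                echo "plaintext endpoint still configured: $line" >&2 ;;
        esac
    done
    if [ "$found_tcps" -ne 1 ]; then
        echo "no TCPS endpoint on port 2484 found" >&2
        return 1
    fi
    [ "$plain_tcp" -eq 0 ]
}

# Constructed sample: the Listener section this section tells you to write.
HARDENED_LISTENER='LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = oracleserver)(PORT = 2484))
      (ADDRESS = (PROTOCOL = IPC)(KEY = protect))
    )
  )'

# Constructed sample: the default plaintext endpoint was left in place next
# to the new TLS one, so database traffic can still flow unencrypted.
MIXED_LISTENER='LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = oracleserver)(PORT = 2484))
      (ADDRESS = (PROTOCOL = TCP)(HOST = oracleserver)(PORT = 1521))
    )
  )'

# Named wrappers so each sample can be checked on its own.
check_hardened_sample() { printf '%s\n' "$HARDENED_LISTENER" | check_listener_tls; }
check_mixed_sample()    { printf '%s\n' "$MIXED_LISTENER" | check_listener_tls; }

# Live use on the database host, as the oracle user, after sourcing this file:
#   lsnrctl status | check_listener_tls
```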
For full details on how to configure secure sockets layer authentication, see the following platform-specific documentation
from Oracle Corporation, available from the Oracle Documentation Library:
Oracle 12c SE2: https://docs.oracle.com/database/121/DBSEG/asossl.htm#DBSEG070

Related Links
About securing communications between the Enforce Server and the database on page 431

About remote indexers


The process of installing an EMDI, IDM, or EDM remote indexer is similar to installing a detection server, except that you
use the Indexers.msi for Windows or Indexers.zip for Linux.
See About Installing Remote Indexers for detailed information on installing and using a remote indexer.

About updating the JRE to the latest version


You use the JREMigrationUtility to update the JRE on each server. Update the Enforce Server, detection server, indexers,
the server that hosts a single-tier environment, and so on. If there is an off-cycle update to the OpenJRE, you can upgrade
the JRE.

Steps to update the JRE


Prepare for updating the JRE by completing the steps outlined in the following table.

Table 189: Steps to update the JRE

Step 1: Download the latest version of the JREMigrationUtility.
  The utility is located in Symantec_DLP_16.0.1.00000.TBD_Platform_Win-IN.zip or Symantec_DLP_16.0.1.00000.TBD_Platform_Lin-IN.zip, available from Product Downloads at the Broadcom Support Portal.
Step 2: Back up the cacerts file.
  Perform this step on the Enforce Server and each detection server where you plan to update the JRE. See Backing up the cacerts file.
Step 3: Install the OpenJRE.
  See Installing the OpenJRE for steps to install.
  Note: The latest JRE improves LDAP security. However, the improved security may cause the SSL connection to Microsoft Active Directory to fail. If the SSL connection fails, add the following key to your SymantecDLPManager.conf file, then restart the Enforce Server:
  wrapper.java.additional.30=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
  This setting turns off hostname verification for the LDAP over SSL connection: the connection is still encrypted, but the Active Directory server's certificate is no longer checked against the configured host name.
Step 4: Update the JRE.
  Updating the JRE to the latest version on Windows
  Updating the JRE to the latest version on Linux
Step 5: Reinstate the CA certificates included in the cacerts file backup.
  Reinstate CA certificates

Backing up the cacerts file


Before you update the JRE, back up the cacerts file.
The JRE update process overwrites your existing cacerts file. Overwriting the file prevents Symantec Data Loss
Prevention from communicating with internal systems like Active Directory. The cacerts file contains CA
certificates, for example, the Oracle Wallet and Active Directory CA certificates.
1. Locate the cacerts file (based on your platform).
• Windows: C:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\lib\security\
• Linux: /opt/AdoptOpenJRE/jdk8u<version>-jre/lib/security
2. Back up the cacerts file to a secure location.
Installing the OpenJRE



Back up the cacerts file before installing a new OpenJRE version. See Backing up the cacerts file.
1. Complete the following steps for Endpoint Servers where you plan to install OpenJRE.
Applying this setting allows DLP Agents to connect to the Endpoint Server where the OpenJRE is installed.
a) Go to System > Servers and Detectors > Overview > Server/Detector Detail screen, and click Server Settings
for the Endpoint Server.
b) Locate the BoxMonitor.EndpointServerMemory setting and enter the following string:
Djdk.security.allowNonCaAnchor=true.
c) Save your changes.
d) Restart the Endpoint Server.
2. Obtain the latest supported version of OpenJRE from https://adoptopenjdk.net/.
See the Symantec Data Loss Prevention System Requirements and Compatibility Guide available at the Tech Docs
Portal.

3. Download the file (in ZIP or tar.gz format) and move it to the Enforce Server and the detection servers.
4. Unzip the file to the JRE directory on the server.
Symantec recommends that you use the following directory:
• Windows: C:\Program Files\AdoptOpenJRE\jdk8u<version>-jre
• Linux: /opt/AdoptOpenJRE/jdk8u<version>-jre
The unzipping process completes the installation.
Updating the JRE to the latest version on Windows



During the update process, all Symantec Data Loss Prevention services are shut down and restarted automatically.
You can upgrade the JRE using either of the following modes:
• Interactive mode
Update the JRE using interactive mode
• Silent mode
Update the JRE using silent mode

Update the JRE using interactive mode

1. Log on to the Windows system as Administrator.


2. Create a directory called C:\JREMigrationUtility.
3. Move the JREMigrationUtility.zip file to C:\JREMigrationUtility directory.
4. Unzip JREMigrationUtility.zip.
5. Open a command prompt and navigate to the C:\JREMigrationUtility\Migrator directory.
6. Execute the following command:
ServerJREMigrationUtility.exe

7. Enter the JRE location (for example, C:\Program Files\AdoptOpenJRE\jdk8u322-b06-jre).


8. Enter the number that corresponds with the Symantec Data Loss Prevention version where you want to upgrade the
JRE version.
9. Press Enter.
The migration process displays in the command line. You can find the migration log in the C:\JREMigrationUtility\Migrator folder.

After the migration process completes, you have the option to delete the previous version directory (at
C:\Program Files\AdoptOpenJRE\jdk8u<previous_version>-b10-jre), where previous version refers to the previous JRE
version. You can also safely leave the previous JRE version on the server.

Update the JRE using silent mode

1. Log on to the Windows system as Administrator.


2. Create a directory called C:\JREMigrationUtility.
3. Move the JREMigrationUtility.zip file to the c:\JREMigrationUtility directory.
4. Unzip JREMigrationUtility.zip.
5. Open a command prompt and navigate to the Migrator directory.
6. Execute the silent command.
The following is an example of what the command might look like:
c:\JREMigrationUtility\Migrator>ServerJREMigrationUtility.exe
-silent
-sourceVersion=16.0.10000
-jreDirectory="C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre"
The following table lists and describes the parameters.

Table 190: Silent mode parameters on Windows

-silent: Enables silent mode. Values: N/A
-sourceVersion: Identifies the Symantec Data Loss Prevention version for which you want to upgrade the JRE version. Values: 15.8.00000, 16.0.00000, or 16.0.10000
-jreDirectory: Points to where the JRE installation is located. Use this parameter when you are migrating a JRE that is not provided by Symantec. Values: for example, C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre.

After the migration process completes, you have the option to delete the previous version directory (at
C:\Program Files\AdoptOpenJRE\jdk8u<previous_version>-b10-jre), where previous version refers to the previous JRE
version. You can also safely leave the previous JRE version on the server.

Updating the JRE to the latest version on Linux


During the update process, all Symantec Data Loss Prevention services are shut down and restarted automatically.
You can update the JRE on Linux using either of the following methods:
• Interactive mode
Update the JRE using interactive mode
• Silent mode
Update the JRE using silent mode

Update the JRE using interactive mode

During the migration process, all Symantec Data Loss Prevention services are shut down and restarted automatically.
1. Log on as a root user.
2. Create a directory called /JREMigrationUtility.
3. Move the JREMigrationUtility.zip file to /JREMigrationUtility directory.
4. Unzip JREMigrationUtility.zip.
5. Open a command prompt and navigate to the /JREMigrationUtility/Migrator directory.
6. Execute the following command:
./ServerJREMigrationUtility -jreDirectory=<JRE directory>

Where <JRE directory> is the directory where the JRE is located (for example, /opt/AdoptOpenJRE/jdk8u<version>-b10-jre).
7. Choose the Symantec Data Loss Prevention version where you are upgrading the JRE. Enter the number
corresponding with the version.
8. Press Enter.
The migration process displays in the command line. You can find the migration log (MigrationUtility.log) in the
/JREMigrationUtility/Migrator folder.

After the migration process completes, you have the option to delete the previous version directory (at /opt/
AdoptOpenJRE/jdk8u<previous_version>-b10-jre), where previous version refers to the previous JRE version.
You can also safely leave the previous JRE version on the server.
Update the JRE using silent mode

1. Log on as a root user.


2. Create a directory called /JREMigrationUtility.
3. Move the JREMigrationUtility.zip file to the /JREMigrationUtility directory.
4. Unzip JREMigrationUtility.zip.
5. Open a command prompt and navigate to the /JREMigrationUtility/Migrator directory.
6. Execute the silent command.
The following is an example of what the command might look like:
./ServerJREMigrationUtility -silent -sourceVersion=16.0.10000 -jreDirectory=/opt/AdoptOpenJRE/jdk8u<version>-b10-jre

The following table lists and describes the parameters.

Table 191: Silent mode parameters on Linux

-silent
  Description: Enables silent mode.
  Values: N/A

-sourceVersion
  Description: Identifies the Symantec Data Loss Prevention version for which you want to upgrade the JRE version.
  Values: 15.8.00000, 16.0.00000, or 16.0.10000

-jreDirectory
  Description: Points to where the JRE installation is located.
  Values: For example, /opt/AdoptOpenJRE/jdk8u<version>-b10-jre.

After the migration process completes, you have the option to delete the previous version directory (at /opt/
AdoptOpenJRE/jdk8u<previous_version>-b10-jre), where previous version refers to the previous JRE version.
You can also safely leave the previous JRE version on the server.
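Because the migration shuts down every Symantec Data Loss Prevention service before it touches the JRE, a wrong -jreDirectory value is expensive to discover late. The following shell script is an added example, not part of the Symantec utility: it checks that the directory you are about to pass in silent mode is a complete JRE root before it runs the migrator. It assumes the Linux paths given above and that a usable JRE has an executable bin/java and the lib/security/cacerts trust store this guide refers to.

```shell
#!/bin/sh
# Added example (not Symantec's code): pre-flight check for the -jreDirectory
# value, then run ServerJREMigrationUtility in silent mode.
# Assumptions: Linux layout from the guide (/JREMigrationUtility/Migrator),
# a complete JRE root has an executable bin/java and lib/security/cacerts.

# Return 0 if "$1" looks like a complete JRE root, 1 otherwise (reason on stderr).
check_jre_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    [ -x "$dir/bin/java" ] || { echo "missing executable bin/java in $dir" >&2; return 1; }
    [ -f "$dir/lib/security/cacerts" ] || { echo "missing lib/security/cacerts in $dir" >&2; return 1; }
    return 0
}

# Run the utility silently once the check passes.
# $1: source DLP version (15.8.00000, 16.0.00000, or 16.0.10000); $2: JRE root.
migrate_jre_silently() {
    version="$1"; jre="$2"
    check_jre_dir "$jre" || return 1
    # Record which JRE build is being installed before services go down.
    "$jre/bin/java" -version 2>&1 | head -n 1
    cd /JREMigrationUtility/Migrator || return 1
    ./ServerJREMigrationUtility -silent -sourceVersion="$version" -jreDirectory="$jre"
    rc=$?
    echo "migrator exit status: $rc (see MigrationUtility.log in $(pwd))"
    return $rc
}
```

Run it as root with, for example, `migrate_jre_silently 16.0.10000 /opt/AdoptOpenJRE/jdk8u<version>-b10-jre`; the check refuses a directory that is not a full JRE, so the services are never stopped for a path that could not have worked.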

Reinstate CA certificates
You reinstate the cacerts file to ensure that various components can communicate with Symantec Data Loss
Prevention.
These steps assume you have updated the JRE.
1. Export any custom certificates from the cacerts backup you created (see Backing up the cacerts file).
The cacerts file may include expired or obsolete certificates. Select only the certificates that you previously
imported into the cacerts file. Re-importing those certificates ensures that the new cacerts file includes the
certificates required for communicating with Symantec Data Loss Prevention components.
2. Import the certificates to the new cacerts file.
Locate the cacerts file at one of the following locations:
• Windows: C:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\lib\security\
• Linux: /opt/AdoptOpenJRE/jdk8u<version>-jre/lib/security
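Picking out "the certificates you previously imported" by hand is error-prone on a busy trust store, and copying the whole old cacerts over the new one would silently carry expired anchors forward. The following shell script is an added example and not Symantec's own procedure: it lists both keystores with keytool, treats an alias that exists only in the backup as a custom import, and copies just those entries into the new JRE's cacerts. It assumes the JRE default store password changeit (override with CACERTS_PASS) and the Linux cacerts path given above.

```shell
#!/bin/sh
# Added example (not Symantec's code): carry custom trust anchors from the
# backed-up cacerts into the new JRE's cacerts, nothing else.
# Assumptions: keytool is on PATH, both stores use the default password
# "changeit" unless CACERTS_PASS is set, and an alias present only in the
# backup is one you imported yourself.
export LC_ALL=C   # stable sort order for comm(1)

# Read "keytool -list" output on stdin and print the alias names, one per line.
# Entry lines look like "<alias>, <date>, trustedCertEntry," so the alias is
# the text before the first ", ".
aliases_from_listing() {
    awk -F', ' '/trustedCertEntry|PrivateKeyEntry/ { print $1 }' | sort -u
}

# Print aliases that appear in the backup listing ($1) but not in the new
# listing ($2); both arguments are files holding "keytool -list" output.
custom_aliases() {
    b=$(mktemp); n=$(mktemp)
    aliases_from_listing < "$1" > "$b"
    aliases_from_listing < "$2" > "$n"
    comm -23 "$b" "$n"
    rm -f "$b" "$n"
}

# Export each custom alias from the backup store ($1) and import it into the
# new store ($2, e.g. /opt/AdoptOpenJRE/jdk8u<version>-jre/lib/security/cacerts).
migrate_custom_certs() {
    backup="$1"; new="$2"; pass="${CACERTS_PASS:-changeit}"
    tmp=$(mktemp -d) || return 1
    keytool -list -keystore "$backup" -storepass "$pass" > "$tmp/backup.txt" || return 1
    keytool -list -keystore "$new" -storepass "$pass" > "$tmp/new.txt" || return 1
    custom_aliases "$tmp/backup.txt" "$tmp/new.txt" > "$tmp/aliases"
    while IFS= read -r alias; do
        keytool -exportcert -rfc -alias "$alias" -keystore "$backup" -storepass "$pass" \
            -file "$tmp/$alias.pem" || return 1
        keytool -importcert -noprompt -alias "$alias" -keystore "$new" -storepass "$pass" \
            -file "$tmp/$alias.pem" || return 1
        echo "imported $alias"
    done < "$tmp/aliases"
    rm -rf "$tmp"
}
```

Review the output of `custom_aliases` before calling `migrate_custom_certs`: anything listed there is about to become a trust anchor for the Enforce Server, so an alias you do not recognise should be investigated rather than imported.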

Reverting a JRE version to a previous release


You can revert the JRE to a previous version. The following steps use [previous_version] to refer to the previous JRE
version.
NOTE
The process to revert the JRE temporarily shuts down then restarts services.

Related Links
Reverting the JRE on Windows on page 443
Reverting the JRE on Linux on page 443

Reverting the JRE on Windows

1. Confirm that the Symantec Data Loss Prevention system is running.


2. Confirm that the JRE version you plan to revert to is installed on the Symantec Data Loss Prevention system.
3. Run the following command to point the ServerJREMigrationUtility to the previous JRE:
C:\JREMigrationUtility\Migrator>ServerJREMigrationUtility.exe -jreDirectory="<JRE directory>"

Replace <JRE directory> with the directory where the previous JRE is located.
4. Choose the Symantec Data Loss Prevention version where you are upgrading the JRE. Enter the number
corresponding with the version.

You can uninstall the unused JRE version, but you are not required to do so.
Reverting the JRE on Linux

1. Confirm that the Symantec Data Loss Prevention system is running.


2. Confirm that the JRE version you plan to revert to is installed on the Symantec Data Loss Prevention system.
3. Run the following command to point the ServerJREMigrationUtility to the previous JRE:
./ServerJREMigrationUtility -jreDirectory="<JRE directory>"

Replace <JRE directory> with the directory where the previous JRE is located.

You can uninstall the unused JRE version, but you are not required to do so.

Symantec Data Loss Prevention upgrade troubleshooting and recovery
Get information on troubleshooting issues and recovering data.
About troubleshooting Symantec Data Loss Prevention upgrade problems
Stop all Symantec Data Loss Prevention database sessions
Troubleshooting Enforce Server services
Rolling back to the previous Symantec Data Loss Prevention release
Creating the Enforce Reinstallation Resources file

About troubleshooting Symantec Data Loss Prevention upgrade problems


If you experience problems with completing a successful product upgrade, see these topics:
• Troubleshooting Enforce Server services
• Rolling back to the previous Symantec Data Loss Prevention release

Stop all Symantec Data Loss Prevention database sessions
The upgrade process fails if database sessions remain active during the migration. Confirm that the database's
DatabaseProcessCheck action has stopped before you start the Enforce Server migration.
1. Reboot the previous version Enforce Server.
2. Access the server where the database is running.
3. Start SQL*Plus:
sqlplus /nolog

4. Log on as the SYS user:


SQL> connect sys/<password>@protect as sysdba

Where <password> represents the SYS password.


5. Run the following query to identify processes running in the database:
SELECT module, action, client_identifier, machine FROM v$session
WHERE (
UPPER(module) LIKE 'VONTU%' OR
UPPER(client_identifier) LIKE 'VONTU%' OR
UPPER(module) = 'SYMANTEC DLP: INCIDENT DELETOR' OR
UPPER(module) = 'DATAUSER_MERGE' OR
UPPER(module) = 'DATA INSIGHT DATA REFRESH'
) AND
module <> 'Vontu Refresh CBO Stats' AND
UPPER(module) NOT LIKE '%SCHEMA UPGRADER%';

6. Confirm that the machine referenced does not have DLP services running. If services are running, stop them.
7. Rerun the query in step 5 to confirm that sessions are no longer running. If sessions are still running in the database,
continue to the next step. If no sessions are running, rerun phase 2 of the Enforce Server migration process.
See Migrate Data on the Enforce Server on Windows.
See Migrating data on a single-tier installation on Windows.
See Migrate Data on the Enforce Server on Linux.
See Migrating Data on a Single-tier Installation on Linux.
8. Run the following SQL command to stop orphaned sessions:
SET SERVEROUTPUT ON;

DECLARE
CURSOR inactive_process IS
SELECT 'ALTER SYSTEM KILL SESSION ' || '''' || sid || ',' ||
serial# || ''''
AS kill_stmt, module, sid, serial#
FROM v$session
WHERE (
UPPER(module) LIKE 'VONTU%' OR
UPPER(client_identifier) LIKE 'VONTU%' OR
UPPER(module) = 'SYMANTEC DLP: INCIDENT DELETOR' OR
UPPER(module) = 'DATAUSER_MERGE' OR

UPPER(module) = 'DATA INSIGHT DATA REFRESH'
) AND
module <> 'Vontu Refresh CBO Stats' AND
UPPER(module) NOT LIKE '%SCHEMA UPGRADER%';
BEGIN
FOR x IN inactive_process LOOP
DBMS_OUTPUT.put_line(x.kill_stmt);
EXECUTE IMMEDIATE x.kill_stmt;
END LOOP;
END;
/

9. Rerun phase 2 of the Enforce Server migration process.


See Migrate Data on the Enforce Server on Windows.
See Migrating data on a single-tier installation on Windows.
See Migrate Data on the Enforce Server on Linux.
See Migrating Data on a Single-tier Installation on Linux.

Troubleshooting Enforce Server services


If the Symantec Data Loss Prevention services do not start after you upgrade your system, check the log files for possible
issues (for example, connectivity, password, or database access issues).

Table 192: Log file details

Log information: Symantec Data Loss Prevention installation logs
Log location: /var/log/Symantec/DataLossPrevention/EnforceServer/16.0.1.00000/debug

Log information: Symantec Data Loss Prevention operational logs
Log location:
• Windows: C:\ProgramData\Symantec\DataLossPrevention\<EnforceServer> or <DetectionServer>\16.0.1.00000\logs
• Linux: /var/log/Symantec/DataLossPrevention/<Enforce Server> or <Detection Server>/16.0.1.00000/directory

Log information: Oracle logs
Log location: The following logs are located on the Oracle server computer:
• Windows: %ORACLE_BASE%\diag\rdbms\protect\protect\trace\alert_protect.log
• Linux: $ORACLE_BASE/diag/rdbms/protect/protect/trace/alert_protect.log

You may also need to install the Update for Universal C Runtime in Windows. See https://support.microsoft.com/en-us/kb/2999226.

Rolling back to the previous Symantec Data Loss Prevention release


If you experience problems with the new version of Symantec Data Loss Prevention, you can roll back to the previous
release.
To roll back to a previous release, you must have the following available:

• The Symantec Data Loss Prevention license file for your deployment.
• If your deployment uses Symantec Management Console, the host name or IP address of the Symantec Management
Console server to use for managing Symantec Data Loss Prevention Endpoint Agents.
• A backup of the Symantec Data Loss Prevention Oracle database. For more information, see Maintaining the
DLP System.
• The location of the Oracle Base and Home directories.
• The Administrator credentials for your Symantec Data Loss Prevention deployment.
• The credentials for connecting to the Oracle database.
• The type of authentication that is used in your Symantec Data Loss Prevention deployment.
• The host name or IP address and port number that the Enforce Server uses to communicate with the Oracle database.

Related Links
Reverting the Enforce Server to a Previous Release on page 446
Reverting Detection Servers and Network Discover Clusters to the Previous Release on page 447
Use the following steps to complete a detection server or Network Discover cluster rollback after you complete the
Enforce Server rollback.

Reverting the Enforce Server to a Previous Release


If the upgrade procedure fails for any reason, you can restore the previous versions of Symantec Data Loss Prevention.
The procedure that is described in this section applies to any type of Symantec Data Loss Prevention installation (single-
tier, two-tier, and three-tier).
NOTE
This procedure assumes that you have not uninstalled the previous Symantec Data Loss Prevention version
Enforce Server and detection servers.
1. Stop all Symantec Data Loss Prevention services that are running on the version 16.0.1 Enforce Server.
See Symantec Data Loss Prevention Services.
2. Disable all Symantec Data Loss Prevention services that are running on the version 16.0.1 Enforce Server.
3. Stop all the Oracle services.
4. Restore Symantec Data Loss Prevention services.
Symantec Data Loss Prevention services are backed up during the migration process. You must move the service files
to the previous release Services folder.
a) Locate the backed up services at the location based on your platform:
• Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\vv.u\Protect\backup\service-<date>-<time>
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/vv.u/Protect/backup/service-<date>-<time>
Replace vv.u with the previous version and <date>-<time> with the date and time the migration process completed.
b) Copy the following services:
• SymantecDLPNotifier.conf
• SymantecDLPManager.conf
• SymantecDLPIncidentPersister.conf
• SymantecDLPDetectionServerController.conf

c) Paste the services to a location based on your platform:
• Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\Services
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/Services
5. Restore the Symantec Data Loss Prevention Oracle database from the latest backup.
Consult the Oracle documentation for more information.
For Linux platforms, the restored database files must be owned by the oracle user. If they are not, set the owner
on the /opt/oracle/oradata/protect directory (this is the default directory for an Oracle installation; your
deployment may use a different directory) by running the following command as the root user:
chown -R oracle:oinstall protect

6. Restart all the Oracle services.


Consult the Oracle documentation for more information.
7. Enable the services on the previous Symantec Data Loss Prevention version.
For Windows platforms, confirm that the Startup type is set to automatic for each service.
8. Start services on the previous Symantec Data Loss Prevention version.
Related Links
Reverting Detection Servers and Network Discover Clusters to the Previous Release on page 447
Use the following steps to complete a detection server or Network Discover cluster rollback after you complete the
Enforce Server rollback.
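Step 4 of the Enforce Server rollback copies four service files out of a timestamped backup directory, and the same pattern recurs for the detection server rollback with its single SymantecDLPDetectionServer.conf. The following shell script is an added example and not Symantec's own tooling: it selects the newest service-<date>-<time> backup directory, refuses to copy anything if one of the expected files is missing, and only then restores the set into the previous release's Services directory. It assumes the Linux paths given above; the exact <date>-<time> format is not stated in this guide, so the script only assumes that the directory names sort chronologically.

```shell
#!/bin/sh
# Added example (not Symantec's code): restore backed-up service .conf files
# from the newest service-<date>-<time> directory into the Services folder.
# Assumptions: Linux paths from the guide; backup directory names sort in
# chronological order (service-YYYYMMDD-HHMMSS is a labelled guess).

# Print the newest service-* backup directory under the Protect/backup dir "$1".
latest_service_backup() {
    ls -d "$1"/service-* 2>/dev/null | sort | tail -n 1
}

# Copy the named conf files from backup dir "$1" into Services dir "$2".
# Returns 1 before copying anything if any file is missing from the backup,
# so a partial restore cannot leave the Services folder half old, half new.
restore_service_confs() {
    src="$1"; dst="$2"; shift 2
    for f in "$@"; do
        [ -f "$src/$f" ] || { echo "missing $f in $src" >&2; return 1; }
    done
    for f in "$@"; do
        cp -p "$src/$f" "$dst/$f" || return 1
    done
    return 0
}

# Enforce Server rollback: "$1" is the previous version (vv.u, e.g. 16.0.00000).
enforce_rollback_restore() {
    base="/opt/Symantec/DataLossPrevention/EnforceServer"
    bk=$(latest_service_backup "$base/$1/Protect/backup")
    [ -n "$bk" ] || { echo "no service backup under $base/$1/Protect/backup" >&2; return 1; }
    restore_service_confs "$bk" "$base/Services" \
        SymantecDLPNotifier.conf SymantecDLPManager.conf \
        SymantecDLPIncidentPersister.conf SymantecDLPDetectionServerController.conf
}

# Detection server rollback uses the same helpers with one file:
detection_rollback_restore() {
    base="/opt/Symantec/DataLossPrevention/DetectionServer"
    bk=$(latest_service_backup "$base/$1/Protect/backup")
    [ -n "$bk" ] || { echo "no service backup under $base/$1/Protect/backup" >&2; return 1; }
    restore_service_confs "$bk" "$base/Services" SymantecDLPDetectionServer.conf
}
```

Run the restore only after the services are stopped and disabled, as steps 1 to 3 require; `cp -p` keeps the original ownership and mode so the service account can still read the files after they are moved back.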

Reverting Detection Servers and Network Discover Clusters to the Previous Release
Use the following steps to complete a detection server or Network Discover cluster rollback after you complete the
Enforce Server rollback.
These steps apply to detection servers and worker and data nodes that comprise a Network Discover cluster.
NOTE
If you roll back the detection server first, the detection server displays an Unknown status on the System >
Servers and Detectors > Overview > Server / Detector Detail screen.
1. Stop all Symantec Data Loss Prevention services that are running on the detection server host.

2. Restore Symantec Data Loss Prevention services.


Symantec Data Loss Prevention services are backed up during the migration process. You must move the service files
to the previous release Services folder.
• Locate the backed up services at the following location (based on your platform):
– Windows: \Program Files\Symantec\DataLossPrevention\DetectionServer\vv.u\Protect\backup\service-<date>-<time>
– Linux: /opt/Symantec/DataLossPrevention/DetectionServer/vv.u/Protect/backup/service-<date>-<time>
Replace vv.u with the previous version and <date>-<time> with the date and time the migration process completed.
• Copy the SymantecDLPDetectionServer.conf services.
• Paste the service to the following location (based on your platform):
– Windows: \Program Files\Symantec\DataLossPrevention\DetectionServer\Services
– Linux: /opt/Symantec/DataLossPrevention/DetectionServer/Services

3. Enable the services on the previous Symantec Data Loss Prevention version.
For Windows platforms, confirm that the Startup type is set to automatic for each service.
4. Start services on the previous Symantec Data Loss Prevention version.
Start services based on the server type you are reverting:
• Detection server: Symantec DLP Detection Server
• Network Discover cluster data node:
– Symantec DLP Detector
– Symantec DLP Enforce Connector
• Network Discover cluster worker node: Symantec DLP Detector
5. Complete the following steps if you are restoring a cluster:
a) Open DiscoverCluster.properties, which is located at the following path (based on your platform):
• Windows: \Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\config
• Linux: /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/config
b) Replace the paths for the variables listed in the table that matches your platform.

Table 193: Windows Variables

discover.cluster.ignite.work.dir
  From: C:/ProgramData/Symantec/DataLossPrevention/DetectionServer/[vv.uu]/IgniteWork
  To: C:/ProgramData/Symantec/DataLossPrevention/DetectionServer/IgniteWork

discover.cluster.ignite.storage.dir
  From: C:/ProgramData/Symantec/DataLossPrevention/DetectionServer/[vv.uu]/IgniteStorage
  To: C:/ProgramData/Symantec/DataLossPrevention/DetectionServer/IgniteStorage

Table 194: Linux Variables

discover.cluster.ignite.work.dir
  From: /var/Symantec/DataLossPrevention/DetectionServer/[vv.uu]/IgniteWork
  To: /var/Symantec/DataLossPrevention/DetectionServer/IgniteWork

discover.cluster.ignite.storage.dir
  From: /var/Symantec/DataLossPrevention/DetectionServer/[vv.uu]/IgniteStorage
  To: /var/Symantec/DataLossPrevention/DetectionServer/IgniteStorage

Where [vv.uu] is the previous Symantec Data Loss Prevention version.
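Editing the two Ignite paths by hand on every node of a cluster invites a typo that leaves one node pointing at an empty directory. The following shell script is an added example and not Symantec's tooling: it performs exactly the From/To substitution the tables describe, keeps a .bak copy of the file, and reports how many lines changed. It assumes DiscoverCluster.properties holds plain key=value lines with forward slashes (as the From and To values show), so the same substitution works for the Windows and the Linux variants.

```shell
#!/bin/sh
# Added example (not Symantec's code): rewrite the versioned Ignite paths in
# DiscoverCluster.properties back to the unversioned paths from the tables.
# Assumption: plain key=value lines using forward slashes, as the guide shows.

# Print file "$1" with "/DetectionServer/<version>/IgniteWork" and
# "/DetectionServer/<version>/IgniteStorage" rewritten to the unversioned
# paths; "$2" is the previous version to strip ([vv.uu], e.g. 16.0.00000).
rewrite_ignite_paths() {
    sed -e "s#/DetectionServer/$2/IgniteWork#/DetectionServer/IgniteWork#" \
        -e "s#/DetectionServer/$2/IgniteStorage#/DetectionServer/IgniteStorage#" "$1"
}

# Rewrite "$1" in place after saving "$1.bak"; report the number of changed lines.
fix_discover_cluster_properties() {
    file="$1"; version="$2"
    cp -p "$file" "$file.bak" || return 1
    rewrite_ignite_paths "$file.bak" "$version" > "$file" || return 1
    changed=$(diff "$file.bak" "$file" | grep -c '^>' || true)
    echo "rewrote $changed line(s) in $file (original kept as $file.bak)"
}
```

A result of "rewrote 0 line(s)" means the file did not contain the versioned paths for the version you passed; check the value of [vv.uu] before assuming the node is already correct.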

Creating the Enforce Reinstallation Resources file
Before you uninstall Symantec Data Loss Prevention, create an EnforceReinstallationResources.zip file
using the Reinstallation Resources Utility. This file includes files such as the CryptoMasterKey.properties file and
keystore files, which are required to connect Symantec Data Loss Prevention to an existing DLP database.
Each Symantec Data Loss Prevention installation encrypts its database using a unique
CryptoMasterKey.properties file. An exact copy of this file is required if you intend to reuse the existing Symantec
Data Loss Prevention database. If the CryptoMasterKey.properties file becomes lost or corrupted and you do not
have a backup, contact Symantec Technical Support to recover the file.
Complete the following procedure to create the EnforceReinstallationResources.zip file required by the
Symantec Data Loss Prevention 16.0.1 installer.

Creating the Enforce Reinstallation Resources file on Windows


Complete the following procedure to create the Enforce Reinstallation Resources file on Windows.
1. Switch to the \EnforceServer\16.0.10000\Protect\bin directory by running the following command:
cd C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\bin

2. Generate an Enforce Reinstallation Resources file by running the following command:


"C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\bin\ReinstallationResourcesUtility.exe" export "C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect" "C:\EnforceReinstallationResources.zip"
3. Identify this new EnforceReinstallationResources.zip when reinstalling Symantec Data Loss Prevention from
your backup version.
If you reinstall using Silent Mode, you include the following parameters (in addition to other required parameters):
REINSTALLATION_RESOURCE_FILE="c:\EnforceReinstallationResources.zip"

If you choose to run the EnforceServer.msi file to complete the installation, on the Initialize Database panel
select Preserve Database Data and specify the EnforceReinstallationResources.zip file.

Creating the Enforce Reinstallation Resources file on Linux


Complete the following procedure to create the Enforce Reinstallation Resources file on Linux.
1. Locate the ReinstallationResourcesUtility at /opt/Symantec/DataLossPrevention/
EnforceServer/16.0.10000/Protect/bin.
2. Generate an Enforce Reinstallation Resources file by running the following command:
./ReinstallationResourcesUtility export /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/ /opt/EnforceReinstallationResources.zip

3. Identify this new EnforceReinstallationResources.zip when reinstalling Symantec Data Loss Prevention from
your backup version.
Include the following parameters (in addition to other required parameters):
reinstallationResourceFile="/opt/EnforceReinstallationResources.zip"
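The archive created above is the only thing standing between you and a Technical Support call if CryptoMasterKey.properties is lost, so it is worth confirming its contents and recording a checksum before the uninstall begins. The following shell script is an added example and not part of the Symantec utility: it parses an `unzip -l` listing of the archive, succeeds only if CryptoMasterKey.properties and at least one keystore entry are present, and writes a SHA-256 checksum next to the archive. It assumes unzip and sha256sum are installed, and it recognises keystore entries by the substring "keystore" in their names, which is a guess at the archive layout rather than something this guide states.

```shell
#!/bin/sh
# Added example (not Symantec's code): verify the exported
# EnforceReinstallationResources.zip and record its checksum.
# Assumptions: unzip and sha256sum are available; keystore entries contain
# the substring "keystore" in their archive path (a guess at the layout).

# Read an "unzip -l" listing on stdin. Succeed only if it names
# CryptoMasterKey.properties and at least one keystore entry.
zip_listing_ok() {
    listing=$(cat)
    echo "$listing" | grep -q 'CryptoMasterKey\.properties$' \
        || { echo "CryptoMasterKey.properties missing from archive" >&2; return 1; }
    echo "$listing" | grep -qi 'keystore' \
        || { echo "no keystore entry found in archive" >&2; return 1; }
    return 0
}

# Verify archive "$1" and write "$1.sha256" for later integrity checks.
verify_reinstall_zip() {
    zip="$1"
    [ -f "$zip" ] || { echo "no such archive: $zip" >&2; return 1; }
    unzip -l "$zip" | zip_listing_ok || return 1
    sha256sum "$zip" > "$zip.sha256" || return 1
    echo "verified $zip; checksum written to $zip.sha256"
}
```

Keep the .sha256 file with the offline copy of the archive and check it with `sha256sum -c` before passing the archive to the installer, so a corrupted or substituted archive is caught before the database is reconnected.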

Maintaining the DLP System
Learn about maintaining the Symantec Data Loss Prevention system.
Performing system maintenance
Understanding Underlying System Resources
System Event Reports and Alerts
Using Diagnostic Tools
Working with the DLP database
Backing Up and Recovering on Windows
Backing up and recovering on Linux
Log files
Uninstalling Data Loss Prevention components
About High Availability and Disaster Recovery for Symantec Data Loss Prevention

About the System Maintenance Schedule


Perform system maintenance regularly to keep the Symantec Data Loss Prevention system working properly.
Set up a regular schedule for the maintenance that operates after installation, upgrades, or other key events. You can also
set up regular backup times to create restore points of your system. System maintenance also includes the diagnostic
tools that troubleshoot issues as they arise.
Develop a schedule for the following system maintenance tasks:
• Respond to system events as they occur.
• Back up your system
• Use diagnostic tools
Back up your system at the following time:
• After installation
• Before upgrades
• After custom configuration changes
• After the encrypted key is generated
• Before you change network topology or system configuration by adding new detection servers
• On a regular basis, such as weekly or bi-weekly; or, if your company already has internal backup policies, follow them
as a general proactive maintenance procedure
About Backup and Recovery on Windows
About backup and recovery on Linux
Use Diagnostic Tools at the following times:
• After installation but before initial setup and configuration changes
• After new detection servers are added
• Before calling Symantec Support to help troubleshoot issues
• Periodically to monitor system health

Diagnostic Tools

Understanding Underlying System Resources


Learn about Symantec Data Loss Prevention system resources.
Having an understanding of system resources allows you to make informed decisions about maintaining your Symantec
Data Loss Prevention system.
This section includes the following topics:
Enforce Server Directory Structure
Detection Server and Network Discover Cluster Directory Structure
Incident Attachment External Storage Directory
Symantec Data Loss Prevention Services
Using Log Files
DLP Agent Logs
Symantec Data Loss Prevention System Statistics
Monitoring the Incident Count
Incident Hiding

Enforce Server Directory Structure


Learn about the Enforce Server directory structure.
The Symantec Data Loss Prevention installer creates these directories on the Enforce Server during the installation
process. Never modify the directory structure.
About the detection server directory structure

Table 195: Enforce Server directory structures

Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect
Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect
Description: Core product (includes manager.ver).

Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/agentupdates
Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\agentupdates
Description: Files that are used to update Endpoint Agents.

Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/bin
Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\bin
Description: The executable files that reside in this directory are described in

Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config
Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config
Description: The files with extensions of .properties and .conf store server configurations.

Linux: /var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/datafiles
Windows: \ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\datafiles
Description: Exact Data: database profiles to be indexed.

Linux: /var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/documentprofiles
Windows: \ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\documentprofiles
Description: Index Document: document archives uploaded for indexes and whitelists.

Linux: /var/Symantec/DataLossPrevention/EnforceServer/16.0.10000/EULA
Windows: \ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\EULA
Description: End User License Agreement.

Linux: /var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/incidents
Windows: \ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\incidents
Description: Incidents that are stored on the Enforce Server before they are written to the database.

Linux: /var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/index
Windows: \ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\index
Description: Profile indices for protected content (EDM, IDM, DGM, Form Recognition); .rdx file extension.

Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/install
Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\install
Description: SQL used in table creation.

Linux:
• /var/Symantec/DataLossPrevention/EnforceServer/16.0.10000/keystore
• /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/keystore
Windows:
• \ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\keystore
• \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\keystore
Description: Keystore files for TLS (Transport Layer Security) encryption of communication between Symantec Data Loss Prevention servers and agents.

Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/languages
Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\languages
Description: Language pack files.

Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/lib
Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\lib
Description: .jar files with libraries used by Enforce Server processes. Used by the Notifier and Incident Persister, for example.

Linux: /var/Symantec/DataLossPrevention/EnforceServer/16.0.10000/license
Windows: \ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\license
Description: Symantec Data Loss Prevention license files.

Linux: /var/log/Symantec/DataLossPrevention/EnforceServer/16.0.10000/
Windows: \ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\logs
Description: Enforce Server log files.

Linux: /opt/Symantec/DataLossPrevention/ContentExtractionService/16.0.10000/Plugins/Protect/plugins/
Windows: \Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins
Description: Custom code, data, and configuration changes, usually added with the help of Symantec Support.

Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/Pstdepositfolder
Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\Pstdepositfolder
Description: A temporary directory that is used when the application processes Personal Storage Table (.pst) files.

Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/Pstlocalcopy
Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\Pstlocalcopy
Description: A temporary directory that is used when the application processes Personal Storage Table (.pst) files.

Linux: /var/Symantec/DataLossPrevention/EnforceServer/16.0.10000/scan
Windows: \ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\scan
Description: Catalog and incremental index files for Discover.

Linux: /var/Symantec/DataLossPrevention/EnforceServer/16.0.10000/sharelists
Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\sharelists
Description: Discover target share lists.

Linux: /var/Symantec/DataLossPrevention/EnforceServer/16.0.10000/temp
Windows: \ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\temp
Description: Temporary, Enforce-generated files are stored here. How long a file is kept depends on the type of file.

Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/tomcat
Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat
Description: Contains the code that runs the Enforce Web server. You must have the assistance of Symantec Support if you want to make changes.

Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/tools
Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tools
Description: Contains various SQL scripts and Server FlexResponse examples.

Detection Server and Network Discover Cluster Directory Structure


Learn about the detection server and Network Discover cluster directory structures.

Detection Server
The following table describes the detection server directory structure.

Table 196: Detection Server Directory Structures

Linux: /var/spool/Symantec/DataLossPrevention/DetectionServer/16.0.10000/drop/SMTP
Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\drop\SMTP
Description: Used to induct email traffic with an SMTP copy rule and test with MIME email files (.eml).

Linux: /var/spool/Symantec/DataLossPrevention/DetectionServer/16.0.10000/drop/endpoint
Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\drop\endpoint
Description: Temporary storage directory for data from the endpoint agents.

Linux: /var/spool/Symantec/DataLossPrevention/DetectionServer/16.0.10000/drop/endpointlogs
Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\drop\endpointlogs
Description: Temporary storage directory for log files from the endpoint agents.

Linux: /var/spool/Symantec/DataLossPrevention/DetectionServer/16.0.10000/drop/PacketCapture/
Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\drop\PacketCapture
Description: Temporary storage for reassembled network streams.

Linux:
• /var/spool/Symantec/DataLossPrevention/DetectionServer/16.0.10000/packet_spool
• /var/spool/Symantec/DataLossPrevention/DetectionServer/16.0.10000/icap_spool
Windows:
• \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\spool\PacketCapture
• \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\spool\ICAP
Description: Spool location for traffic capture.

Linux: /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect
Windows: \Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect
Description: Core product (includes monitor.ver).

Linux: /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/agentupdates
Windows: \Program Files\Symantec\DataLossPrevention\DetectionServer\Protect\agentupdates
Description: Directory for product upgrades.

Linux: /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/bin
Windows: \Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\bin
Description: .exe files for the Network Monitor Server. These files are described in the Symantec Data Loss Prevention Help Center.

Linux: /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/config
Windows: \Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\config
Description: The files with extensions of .properties and .conf store configurations for the detection server.

Linux: /var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/incidents
Windows: \ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\incidents
Description: Incidents that are stored on the detection server (monitors) before they are sent to the Enforce Server.

Linux: /var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/index
Windows: \ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\index
Description: Profile indices for protected content (EDM, EMDI, IDM, DGM, Form Recognition); .rdx file extension.

Linux: /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/install
Windows: \Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\install

Linux:
• /var/Symantec/DataLossPrevention/DetectionServer/16.0.10000/keystore
• /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/keystore
Windows:
• \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\keystore
• \Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\keystore
Description: Keystore files for TLS (Transport Layer Security) encryption of communication between Symantec Data Loss Prevention servers.

Linux: /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/lib
Windows: \Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\lib

Linux: /var/log/Symantec/DataLossPrevention/DetectionServer/16.0.10000/logs
Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs
Description: Detection server log files.

Linux: /opt/Symantec/DataLossPrevention/ContentExtractionService/16.0.10000/Plugins/Protect/plugins
Windows: \Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins
Description: Custom code, data, or configuration changes, usually added with the help of Symantec Support.

Linux: /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/Pstdepositfolder
Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Pstdepositfolder
Description: A temporary folder that the application uses when it processes Personal Storage Table (.pst) files.

Linux: /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/Pstlocalcopy
Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Pstlocalcopy
Description: A temporary folder that the application uses when it processes Personal Storage Table (.pst) files.

Linux: /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/temp
Windows: \Program Files\Symantec\DataLossPrevention\DetectionServer\Protect\temp
Description: A temporary folder for general application use.

Network Discover Cluster


The following table describes the Network Discover cluster directory structure.

Table 197: Network Discover Cluster Directory Structures

Linux directory structure: /var/data/Symantec/DataLossPrevention/DetectionServer/IgniteStorage
Windows directory structure: \ProgramData\Symantec\DataLossPrevention\DetectionServer\IgniteStorage
Description: Data storage for scans, incremental indexes, scan data and so on.

Linux directory structure: /var/data/Symantec/DataLossPrevention/DetectionServer/IgniteWork
Windows directory structure: \ProgramData\Symantec\DataLossPrevention\DetectionServer\IgniteWork
Description: Data storage for scans, incremental indexes, scan data and so on.

Incident Attachment External Storage Directory


Learn about the incident attachment external storage directory structure.
You can store incident attachments such as email messages or documents on a file system rather than in the Symantec
Data Loss Prevention database. Storing incident attachments externally saves a great deal of space in your database,
providing you with a more cost-effective storage solution.
You can store incident attachments either in a directory on the Enforce Server host computer, or on a stand-alone
computer. You can use any file system you choose. Symantec recommends that you work with your data storage
administrator to set up an appropriate directory for incident attachment storage.
To set up an external storage directory, Symantec recommends these best practices:

Table 198: External storage best practices

Scenario: If you store your incident attachments on the Enforce Server host computer
Best practices: Do not place your storage directory under the /SymantecDLP folder.

Scenario: If you store incident attachments on a computer other than your Enforce Server host computer
Best practices:
• Ensure that both the external storage server and the Enforce Server are in the same domain.
• Create a "protect" user with the same password as your Enforce Server "protect" user to use with your external storage directory.
• If you are using a Linux system for external storage, change the owner of the external storage directory to the external storage "protect" user.
• If you are using a Microsoft Windows system for external storage, share the directory with Read/Write permissions with the external storage "protect" user.

After you have set up your storage location you can enable external storage for incident attachments in the Installation
Wizard. All incident attachments will be stored in the external storage directory. Incident attachments in the external
storage directory cannot be migrated back to the database. All incident attachments stored in the external storage
directory are encrypted and can only be accessed from the Enforce Server administration console.
The incident deletion process deletes incident attachments in your external storage directory after it deletes the
associated incident data from your database. You do not need to take any special action to delete incidents from the
external storage directory.

Configuring the Incident Attachment External Storage Directory after Installation or Upgrade
If you did not configure the incident attachment external storage directory during the installation or upgrade process, you
can enable or update external storage settings in the Protect.properties configuration file. You can also disable
external storage of incident attachments in this file.
1. On the Enforce Server host, open the following file in a text editor:
Microsoft Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer
\16.0.10000\Protect\config\Protect.properties
Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config/
Protect.properties
2. Enable incident attachment external storage:
com.symantec.dlp.incident.blob.externalize=true

3. Specify the path to the external storage directory:


com.symantec.dlp.incident.blob.externalization.dir=<PATH TO DIRECTORY>

4. Save the file.


5. Restart the SymantecDLPManagerService and SymantecDLPIncidentPersisterService services.

Disable External Storage for Incident Attachments


If you choose to disable incident attachment external storage, be sure to preserve the setting that specifies the path to the
external storage directory to ensure that the Enforce Server retains access to the incident attachments.
1. On the Enforce Server host, open the following file in a text editor:
Microsoft Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer
\16.0.10000\Protect\config\Protect.properties
Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config/
Protect.properties
2. Disable incident attachment external storage:
com.symantec.dlp.incident.blob.externalize=false

Do not change or delete the parameter specifying the path to the external storage directory.
3. Save the file.
4. Restart the SymantecDLPManagerService and SymantecDLPIncidentPersisterService services.

Symantec Data Loss Prevention Services


Stop or start Symantec Data Loss Prevention services to perform administrative tasks.
The Symantec Data Loss Prevention services for the Enforce Server are described in the following table:

Table 199: Symantec Data Loss Prevention Enforce Server services

Service Name: Description

Symantec DLP Manager: Provides the centralized reporting and management services for Symantec Data Loss Prevention.
Symantec DLP Detection Server Controller: Controls the detection servers.
Symantec DLP Notifier: Manages communications between other DLP services and prevents transactional conflicts between the services and the database.
Symantec DLP Incident Persister: Writes the incidents to the database.
Symantec DLP Enforce Connector: This service is hosted and runs on the data node of a Network Discover Cluster. The data node communicates with the Monitor Controller through the Enforce Connector Service.
See Network Discover Cluster.
Symantec DLP Detection Server: This service is hosted and runs on the data node and worker nodes of a Network Discover Cluster. The data node communicates with worker nodes through the Detector Connector Service. This service also helps with the entire scanning activity.
When this service is hosted on the data node, you must ensure that it is never shut down abruptly by aborting its process.

Increase the Max Memory


If you have more than 50 policies, 50 detection servers, or 50,000 agents, increase the Max Memory for the Symantec DLP Manager service from 2048 to 4096. Adjust Max Memory to ensure Symantec Data Loss Prevention performance.
You adjust the Max Memory setting in the SymantecDLPManager.conf file.
1. Open the SymantecDLPManager.conf file in a text editor.
You can find this configuration file in one of the following locations:
• Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\Services
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/Services
2. Change the value of the wrapper.java.maxmemory parameter to 4096.
wrapper.java.maxmemory = 4096

3. Save and close the file.

Starting and Stopping Services on Windows


Stop or start Symantec Data Loss Prevention services on Windows servers to perform administrative tasks.
The procedures for starting and stopping services vary according to installation configurations and between Enforce and
detection servers.
• Starting an Enforce Server on Windows
• Stopping an Enforce Server on Windows
• Starting a Detection Server on Windows
• Stopping a Detection Server on Windows
• Starting Services on Single-tier Windows Installations
• Stopping Services on Single-tier Windows Installations

Starting an Enforce Server on Windows

Use the following procedure to start the Symantec Data Loss Prevention services on a Windows Enforce Server.
To start the Symantec Data Loss Prevention services on a Windows Enforce Server
1. On the computer that hosts the Enforce Server, navigate to Start > All Programs > Administrative Tools > Services
to open the Windows Services menu.
2. Start the Symantec Data Loss Prevention services in the following order:
• SymantecDLPNotifierService
• SymantecDLPManagerService
• SymantecDLPIncidentPersisterService
• SymantecDLPDetectionServerControllerService

NOTE
Start the SymantecDLPNotifierService service first before starting other services.
Related Links
Stopping an Enforce Server on Windows on page 459

Stopping an Enforce Server on Windows

Use the following procedure to stop the Symantec Data Loss Prevention services on a Windows Enforce Server.
To stop the Symantec Data Loss Prevention services on a Windows Enforce Server
1. On the computer that hosts the Enforce Server, navigate to Start > All Programs > Administrative Tools > Services
to open the Windows Services menu.
2. From the Services menu, stop all running Symantec Data Loss Prevention services in the following order:
• SymantecDLPDetectionServerControllerService
• SymantecDLPIncidentPersisterService
• SymantecDLPManagerService
• SymantecDLPNotifierService

Related Links
Starting an Enforce Server on Windows on page 459

Starting a Detection Server on Windows

Use the following procedure to start the Symantec Data Loss Prevention services on a detection server.
1. On the computer that hosts the detection server, navigate to Start > All Programs > Administrative Tools >
Services to open the Windows Services menu.
2. Start the SymantecDLPDetectionServerService service.
Related Links
Stopping a Detection Server on Windows on page 460

Stopping a Detection Server on Windows

Use the following procedure to stop the Symantec Data Loss Prevention service on a Windows detection server.
1. On the computer that hosts the detection server, navigate to Start > All Programs > Administrative Tools >
Services to open the Windows Services menu.
2. Stop the SymantecDLPDetectionServerService service.
Related Links
Starting a Detection Server on Windows on page 459

Starting a Network Discover Cluster on Windows

Use the following procedure to start the Network Discover cluster services on a Windows server.

1. On the computer that hosts the detection server, navigate to Start > All Programs > Administrative Tools >
Services to open the Windows Services menu.
2. Start the following services:
• SymantecDLPDetectorService
• SymantecEnforceConnectorService
Related Links
Stopping a Network Discover Cluster on Windows on page 460

Stopping a Network Discover Cluster on Windows

Use the following procedure to stop the Network Discover cluster service on a Windows server.

1. On the computer that hosts the Network Discover cluster, navigate to Start > All Programs > Administrative Tools >
Services to open the Windows Services menu.
2. Stop the following services:
• SymantecDLPDetectorService
• SymantecEnforceConnectorService
Related Links
Starting a Detection Server on Windows on page 459

Starting Services on Single-tier Windows Installations

Use the following procedure to start the Symantec Data Loss Prevention services on a single-tier installation on Windows.
1. On the computer that hosts the Symantec Data Loss Prevention server applications, navigate to Start > All Programs
> Administrative Tools > Services to open the Windows Services menu.
2. Start the Symantec Data Loss Prevention services in the following order:
• SymantecDLPNotifierService
• SymantecDLPManagerService
• SymantecDLPIncidentPersisterService
• SymantecDLPDetectionServerControllerService
• SymantecDLPDetectionServerService

NOTE
Start the SymantecDLPNotifierService service before starting other services.
Related Links
Stopping Services on Single-tier Windows Installations on page 461

Stopping Services on Single-tier Windows Installations

Use the following procedure to stop the Symantec Data Loss Prevention services on a single-tier installation on Windows.
1. On the computer that hosts the Symantec Data Loss Prevention server applications, navigate to Start > All Programs
> Administrative Tools > Services to open the Windows Services menu.
2. From the Services menu, stop all running Symantec Data Loss Prevention services in the following order:
• SymantecDLPDetectionServerService
• SymantecDLPDetectionServerControllerService
• SymantecDLPIncidentPersisterService
• SymantecDLPManagerService
• SymantecDLPNotifierService

Related Links
Starting Services on Single-tier Windows Installations on page 460

Starting and Stopping Services on Linux


Stop or start Symantec Data Loss Prevention services to perform administrative tasks.
The procedures for starting and stopping services vary according to installation configurations and between the Enforce
Server and detection servers.
• Starting an Enforce Server on Linux
• Stopping an Enforce Server on Linux
• Starting a Detection Server on Linux
• Stopping a Detection Server on Linux
• Starting services on single-tier Linux installations
• Stopping Services on Single-tier Linux Installations

Starting an Enforce Server on Linux

Use the following procedure to start the Symantec Data Loss Prevention services on a Linux Enforce Server.
1. On the computer that hosts the Enforce Server, log on as root.
2. Start the Symantec DLP Notifier service by running the following command:
service SymantecDLPNotifierService start

3. Start the remaining Symantec Data Loss Prevention services by running the following commands:
service SymantecDLPManagerService start
service SymantecDLPIncidentPersisterService start
service SymantecDLPDetectionServerControllerService start

Related Links
Stopping an Enforce Server on Linux on page 462

Stopping an Enforce Server on Linux

Use the following procedure to stop the Symantec Data Loss Prevention services on a Linux Enforce Server.
1. On the computer that hosts the Enforce Server, log on as root.
2. Stop all running Symantec Data Loss Prevention services by running the following commands:
service SymantecDLPDetectionServerControllerService stop
service SymantecDLPIncidentPersisterService stop
service SymantecDLPManagerService stop
service SymantecDLPNotifierService stop

Related Links
Starting an Enforce Server on Linux on page 461

Starting a Detection Server on Linux

Use the following procedure to start the Symantec Data Loss Prevention service on a Linux detection server.
1. On the computer that hosts the detection server, log on as root.
2. Start the Symantec Data Loss Prevention service by running the following command:
service SymantecDLPDetectionServerService start

Related Links
Stopping a Detection Server on Linux on page 462

Stopping a Detection Server on Linux

Use the following procedure to stop the Symantec Data Loss Prevention service on a Linux detection server.
1. On the computer that hosts the detection server, log on as root.
2. Stop the Symantec Data Loss Prevention service by running the following command:
service SymantecDLPDetectionServerService stop

Related Links
Starting a Detection Server on Linux on page 462

Starting a Network Discover Cluster Server on Linux

Use the following procedure to start the Network Discover cluster service on a Linux server.

1. On the computer that hosts the Network Discover cluster server, log on as root.
2. Start the Network Discover cluster services by running the following commands:
service SymantecDLPDetectorService start
service SymantecEnforceConnectorService start

Related Links
Stopping a Network Discover Cluster Server on Linux on page 463
Stopping a Network Discover Cluster Server on Linux

Use the following procedure to stop the Symantec Data Loss Prevention service on a Linux Network Discover
cluster server.

1. On the computer that hosts the Network Discover cluster server, log on as root.
2. Stop the Network Discover cluster services by running the following commands:
service SymantecDLPDetectorService stop
service SymantecEnforceConnectorService stop

Related Links
Starting a Network Discover Cluster Server on Linux on page 462

Starting services on single-tier Linux installations

Use the following procedure to start the Symantec Data Loss Prevention services on a single-tier installation on Linux.
1. On the computer that hosts the Symantec Data Loss Prevention server applications, log on as root.
2. Start the Symantec DLP Notifier service by running the following command:
service SymantecDLPNotifierService start

3. Start the remaining Symantec Data Loss Prevention services by running the following commands:
service SymantecDLPManagerService start
service SymantecDLPIncidentPersisterService start
service SymantecDLPDetectionServerControllerService start
service SymantecDLPDetectionServerService start

Related Links
Stopping Services on Single-tier Linux Installations on page 463

Stopping Services on Single-tier Linux Installations

Use the following procedure to stop the Symantec Data Loss Prevention services on a single-tier installation on Linux.
1. On the computer that hosts the Symantec Data Loss Prevention servers, log on as root.
2. Stop all running Symantec Data Loss Prevention services by running the following commands:
service SymantecDLPDetectionServerService stop
service SymantecDLPDetectionServerControllerService stop
service SymantecDLPIncidentPersisterService stop
service SymantecDLPManagerService stop
service SymantecDLPNotifierService stop

Related Links
Starting services on single-tier Linux installations on page 463

Using Log Files


Symantec Data Loss Prevention provides many log files that can be used to interpret how the system is running.

Related Links
Log files on page 518

DLP Agent Logs
DLP Agent logs contain service and operational data for every DLP Agent. Each DLP Agent has multiple components
that are logged. The amount of information that is logged can be configured by setting the log level for each DLP Agent
component. After the log level for a DLP Agent component has been configured, the log can be collected and sent
to Symantec Support. Symantec Support can use the log to troubleshoot a problem or to improve performance for a
Symantec Data Loss Prevention Endpoint installation.
See Setting the log levels for an Endpoint Agent.

Symantec Data Loss Prevention System Statistics


Symantec Data Loss Prevention provides summary statistics for the Enforce Server and each detection server. To view
the general system statistics, go to the System > Servers and Detectors > Overview screen.
To view statistics for an individual server, click on the server's name. For individual servers, the following statistics are
displayed:
• The Avg. CPU item is a snapshot of the CPU utilization at the time it was measured. CPU utilization is measured
periodically.
• The Physical Memory item is the amount of physical memory available to the CPU at a given time. The physical
memory usage for the Enforce Server is fairly constant.
– On Linux, (MemTotal - MemFree)/MemTotal from the /proc/meminfo file
– On Windows, total and available physical memory from the Windows function GlobalMemoryStatusEx
• The Disk Usage item is defined as follows:
– On Windows, the total number of free bytes divided by the total number of available bytes
– On Linux, the disk usage of the root partition

Symantec recommends using standard system tools to determine the system state. Do not rely solely on the system
statistics that are provided on the Server/Detector Detail page.
Diagnostic Tools

Monitoring the Incident Count


When Symantec Data Loss Prevention identifies new policy violations, it creates and stores incidents in the Oracle
database that is used by the Enforce Server. Over time, the number of incidents that are stored in the database grows and
can affect the performance of incident reports. To alert administrators when the number of incidents has grown too large,
Symantec Data Loss Prevention runs the Incident Counter process daily and generates a system event when the number
of incidents exceeds a configurable threshold. The number of incidents does not include archived incidents.
The Incident Counter generates system event code 2316 when the number of incidents exceeds the threshold. You can
see this event in the Enforce Server administration console, on the Servers > Events page. The summary text for this
event is:
Over <num> incidents currently contained in the database.

You can also define a system alert that sends an email when the event occurs.

By default, the Incident Counter is enabled and the threshold is set to 1,000,000 incidents. The Incident Counter runs
daily at 2:05 A.M. Using the configuration parameters described in Incident counter parameters, you can configure the
threshold, specify when the Incident Counter runs, and you can enable or disable the Incident Counter.
1. On the Enforce Server host, open the following file in a text editor:
Microsoft Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer
\16.0.10000\Protect\config\Manager.properties
Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config/
Manager.properties
2. Set the parameters that are described in the following table to configure the Incident Counter.

Property: com.vontu.manager.system.IncidentCounter.enabled
Description: Set to True to enable the Incident Counter task.
Default value: True.

Property: com.vontu.manager.system.IncidentCounter.max_incident_count
Description: The number of incidents that trigger the system event.
Default value: 1000000.
Note: Reporting performance often deteriorates when the number of incidents exceeds 1,000,000. However, reporting performance also depends on a variety of other factors. If performance has already deteriorated before the number of incidents exceeds the threshold, lower the threshold.

Property: com.vontu.manager.system.statistics.IncidentCounter.delay
Description: (Optional) The number of milliseconds after the SymantecDLPManagerService service starts before the Incident Counter task runs.
By default, this parameter is omitted. This parameter is intended for testing purposes only unless you have other reasons to change when the Incident Counter task runs.
If this parameter is omitted, the Incident Counter runs daily at 2:05 A.M.

Property: com.vontu.manager.system.statistics.IncidentCounter.period
Description: (Optional) The number of milliseconds the Incident Counter waits between each invocation of the task.
By default, this parameter is omitted. This parameter is intended for testing purposes only unless you have other reasons to change when the Incident Counter task runs.

If you need to use either of the two optional parameters, you must add them.
3. Save the file.
4. Restart the SymantecDLPManagerService service.
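The two property-file edits described above (enabling or disabling incident attachment external storage in Protect.properties, and setting the Incident Counter parameters in Manager.properties) as a script, added here as an example that is not Symantec's own tooling. It edits plain key=value lines, appends keys the file lacks, and refuses to touch the externalization directory when external storage is disabled; the sample file contents, key values and the /var/dlp/attachments path are constructed.

```python
"""Edit Symantec DLP .properties settings the way the procedures above describe.

Added example, not Symantec code. Works on the plain key=value lines used in
Protect.properties and Manager.properties; comments and unrelated keys are kept
as they are, and keys that are absent are appended (the two optional Incident
Counter keys are not present by default and must be added).
"""
import re

# Keys named in the procedures above.
EXTERNALIZE_KEY = "com.symantec.dlp.incident.blob.externalize"
EXTERNALIZE_DIR_KEY = "com.symantec.dlp.incident.blob.externalization.dir"
COUNTER_ENABLED_KEY = "com.vontu.manager.system.IncidentCounter.enabled"
COUNTER_MAX_KEY = "com.vontu.manager.system.IncidentCounter.max_incident_count"
COUNTER_DELAY_KEY = "com.vontu.manager.system.statistics.IncidentCounter.delay"
COUNTER_PERIOD_KEY = "com.vontu.manager.system.statistics.IncidentCounter.period"

# A 'key=value' or 'key: value' line; lines starting with # or ! are comments.
_KEY_LINE = re.compile(r"^\s*([^#!=:\s][^=:]*?)\s*[=:]\s*(.*)$")


def parse_properties(text):
    """Return {key: value} for the assignment lines in a properties file."""
    props = {}
    for line in text.splitlines():
        m = _KEY_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def set_properties(text, updates):
    """Rewrite existing keys in place and append the ones that are missing."""
    pending = dict(updates)
    out = []
    for line in text.splitlines():
        m = _KEY_LINE.match(line)
        if m and m.group(1) in pending:
            out.append(f"{m.group(1)}={pending.pop(m.group(1))}")
        else:
            out.append(line)
    out.extend(f"{key}={value}" for key, value in pending.items())
    return "\n".join(out) + "\n"


def configure_external_storage(text, enabled, directory=None):
    """Enable or disable incident attachment external storage in Protect.properties.

    Disabling leaves the directory parameter exactly as it was: the Enforce
    Server still needs it to reach attachments that are already stored there.
    On Windows hosts, check how backslashes must be written in this file
    (Java-style .properties loaders treat a backslash as an escape character).
    """
    if enabled:
        if not directory:
            raise ValueError("an external storage directory is required to enable it")
        return set_properties(text, {EXTERNALIZE_KEY: "true",
                                     EXTERNALIZE_DIR_KEY: directory})
    if directory is not None:
        raise ValueError("do not change the externalization directory when disabling")
    before = parse_properties(text).get(EXTERNALIZE_DIR_KEY)
    updated = set_properties(text, {EXTERNALIZE_KEY: "false"})
    if parse_properties(updated).get(EXTERNALIZE_DIR_KEY) != before:
        raise RuntimeError("externalization directory was altered")  # must never happen
    return updated


def configure_incident_counter(text, enabled=True, max_incident_count=1_000_000,
                               delay_ms=None, period_ms=None):
    """Set the Incident Counter parameters in Manager.properties.

    delay_ms and period_ms are the optional testing parameters; they are only
    written when given, so the default 2:05 A.M. daily schedule stays in place.
    """
    if int(max_incident_count) <= 0:
        raise ValueError("max_incident_count must be a positive integer")
    updates = {COUNTER_ENABLED_KEY: "true" if enabled else "false",
               COUNTER_MAX_KEY: str(int(max_incident_count))}
    if delay_ms is not None:
        updates[COUNTER_DELAY_KEY] = str(int(delay_ms))
    if period_ms is not None:
        updates[COUNTER_PERIOD_KEY] = str(int(period_ms))
    return set_properties(text, updates)


# Constructed sample file contents; real files hold many more keys.
SAMPLE_PROTECT = "# constructed sample\n" + EXTERNALIZE_KEY + "=false\nsome.other.key=1\n"
SAMPLE_MANAGER = ("# constructed sample\n" + COUNTER_ENABLED_KEY + "=true\n"
                  + COUNTER_MAX_KEY + "=1000000\n")

if __name__ == "__main__":
    enabled = configure_external_storage(SAMPLE_PROTECT, True, "/var/dlp/attachments")
    print(enabled)
    print(configure_external_storage(enabled, False))
    print(configure_incident_counter(SAMPLE_MANAGER, max_incident_count=500_000,
                                     delay_ms=60_000))
```

After writing the file, the services named in the procedures still have to be restarted for the change to take effect.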

Incident Hiding
Incident hiding lets you flag specified incidents as "hidden." Because these hidden incidents are excluded from normal
incident reporting, you can improve the reporting performance of your Symantec Data Loss Prevention deployment by
hiding any incidents that are no longer relevant. The hidden incidents remain in the database; they are not moved to
another table, database, or other type of offline storage.
You can set filters on incident reports in the Enforce Server administration console to display only hidden incidents or to
display both hidden and non-hidden incidents. Using these reports, you can flag one or more incidents as hidden by using
the Hide/Unhide options that are available when you select one or more incidents and click the Incident Actions button.
Review the following table for a description of available options.

Table 200: Incident Hiding options

Option Description

Hide Incidents Flags the selected incidents as hidden.
Unhide Incidents Restores the selected incidents to the unhidden state.
Do Not Hide Prevents the selected incidents from being hidden.
Allow Hiding Allows the selected incidents to be hidden.

The hidden state of an incident displays in the incident snapshot screen in the Enforce Server administration console. The
History tab of the incident snapshot includes an entry for each time the Do Not Hide or Allow Hiding flags are set for the
incident.
Filtering Incident Lists and Reports using the Filter By controls
Access to hiding functionality is controlled by roles. You can set the following user privileges on a role to control access,
as described in the following table.

Table 201: User privileges options

Option Description

Hide Incidents Grants permission for a user to hide incidents.
Unhide Incidents Grants permission for a user to show hidden incidents.
Remediate Incidents Grants permission for a user to set the Do Not Hide or Allow Hiding flags.

Hiding incidents
Unhiding hidden incidents
Preventing incidents from being hidden

System Event Reports and Alerts


Learn about Symantec Data Loss Prevention system events and alerts.
This section includes the following topics:
System Events
System Alerts

System Events
Review system events to
System events related to your Symantec Data Loss Prevention installation are monitored, reported, and logged. System
events include notifications from Cloud Operations for cloud services.
System event reports are viewed from the Enforce Server administration console:
• The five most recent system events of severity Warning or Severe are listed on the Overview screen (System >
Servers and Detectors > Overview).
About the Overview screen
• Reports on all system events of any severity can be viewed by going to System > Servers and Detectors > Events.

System Events Reports
• Recent system events for a particular detection server or cloud service are listed on the Server/Detector Detail screen
for that server or detector.
Server/Detector Detail screen
See for information on the Server Detail screen.
• Click on any event in an event list to go to the Event Details screen for that event. The Event Details screen provides
additional information about the event.
Server and Detectors Event Detail
There are three ways that system events can be brought to your attention:
• System event reports displayed on the administration console
• System alert email messages
System Alerts
• Syslog functionality
Enabling a Syslog Server
Some system events require a response.
About System Event Responses
To narrow the focus of system event management you can:
• Use the filters in the various system event notification methods.
System Events Reports
• Configure the system event thresholds for individual servers.
Configuring Event Thresholds and Triggers

System Events Reports


To view all system events, go to the system events report screen (System > Servers and Detectors > Events). This
screen lists events, one event per line. The list contains those events that match the selected data range, and any other
filter options that are listed in the Applied Filters bar. For each event, the following information is displayed:

Table 202: System events descriptions

Events Description

Type The type (severity) of the event. Type may be any one of those listed in the "System event types" table.
Time The date and time of the event.
Server The name of the server on which the event occurred.
Host The IP address or host name of the server on which the event occurred.
Code A number that identifies the kind of event.
See System event codes and messages for information on event code numbers.
Summary A brief description of the event. Click on the summary for more detail about the event.

Table 203: System event types

Event Description

System information
Warning
Severe

You can select from several report handling options.


Click any event in the list to go to the Event Details screen for that event. The Event Details screen provides additional
information about the event.
Server and Detectors event detail
Since the list of events can be long, filters are available to help you select only the events that you are interested in. By
default, only the Date filter is enabled and it is initially set to All Dates. The Date filter selects events by the dates the
events occurred.
Filter the List of System Events by Date of Occurrence

1. Go to the Filter section of the events report screen and select one of the date range options.
2. Click Apply.
3. Select Custom from the date list to specify beginning and end dates.
Apply Additional Advanced Filters

In addition to filtering by date range, you can also apply advanced filters. Advanced filters are cumulative with the current
date filter. This means that events are only listed if they match the advanced filter and also fall within the current date
range. Multiple advanced filters can be applied. If multiple filters are applied, events are only listed if they match all the
filters and the date range.
1. Click on Advanced Filters and Summarization.
2. Click on Add Filter.
3. Choose the filter you want to use from the left-most drop-down list. Available filters are listed in System events
advanced filter options.
4. Choose the filter-operator from the middle drop-down list.
NOTE
You can use the Cloud Operations filter value to view events from Cloud Operations for your detectors.
For each advanced filter you can specify a filter-operator Is Any Of or Is None Of.
5. Enter the filter value, or values, in the right-hand text box, or click a value in the list to select it.
• To select multiple values from a list, hold down the Control key and click each one.
• To select a range of values from a list, click the first one, then hold down the Shift key and click the last value in the
range you want.

6. (Optional) Specify additional advanced filters if needed.
7. When you have finished specifying a filter or set of filters, click Apply.
Click the red X to delete an advanced filter.

The Applied Filters bar lists the filters that are used to produce the list of events that is displayed. Note that multiple
filters are cumulative. For an event to appear on the list it must pass all the applied filters.
The following advanced filters are available:

Table 204: System events advanced filter options

Filter Description

Event Code Filter events by the code numbers that identify each kind of event.
You can filter by a single code number or multiple code numbers
separated by commas (2121, 1202, 1204). Filtering by code
number ranges, or greater than, or less than operators is not
supported.
Event type Filter events by event severity type (Info, Warning, or Severe).
Server Filter events by the server on which the event occurred.
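The filter semantics described above (a date range plus cumulative advanced filters on Event Code, Event type and Server, each with an Is Any Of or Is None Of operator, and an Event Code value that accepts only a comma-separated list) applied to a handful of constructed system events. This is an added example, not Enforce Server code; the events, hosts and summaries are constructed, and event code 2316 is the Incident Counter threshold event from earlier on this page.

```python
"""Apply the Events report filters described above to constructed system events.

Added example, not Enforce Server code. All filters are cumulative: an event
is listed only if it falls in the date range and passes every advanced filter.
"""
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class SystemEvent:
    type: str        # Info, Warning or Severe
    time: datetime
    server: str
    host: str
    code: int
    summary: str


def parse_event_codes(spec):
    """Parse '2121, 1202, 1204' into a set of codes.

    Ranges and greater-than / less-than operators are not supported by the
    Event Code filter, so anything that is not a plain number is rejected.
    """
    codes = set()
    for part in spec.split(","):
        part = part.strip()
        if not part.isdigit():
            raise ValueError(f"unsupported Event Code filter value: {part!r}")
        codes.add(int(part))
    return codes


@dataclass(frozen=True)
class AdvancedFilter:
    field: str       # "code", "type" or "server"
    is_any_of: bool  # True = Is Any Of, False = Is None Of
    values: frozenset

    def matches(self, event):
        hit = getattr(event, self.field) in self.values
        return hit if self.is_any_of else not hit


def filter_events(events, start=None, end=None, filters=()):
    """Events whose date lies in [start, end] (None = open) and pass every filter."""
    kept = []
    for ev in events:
        day = ev.time.date()
        if start is not None and day < start:
            continue
        if end is not None and day > end:
            continue
        if all(f.matches(ev) for f in filters):
            kept.append(ev)
    return kept


# Constructed events (hosts and summaries are placeholders, not real output).
EVENTS = [
    SystemEvent("Severe", datetime(2023, 9, 1, 2, 5), "Enforce", "enforce.example", 2316,
                "Over 1000000 incidents currently contained in the database."),
    SystemEvent("Info", datetime(2023, 9, 1, 8, 0), "Enforce", "enforce.example", 1202,
                "constructed summary"),
    SystemEvent("Warning", datetime(2023, 9, 3, 12, 30), "Monitor-1", "monitor1.example", 2121,
                "constructed summary"),
    SystemEvent("Info", datetime(2023, 9, 5, 9, 15), "Cloud Operations", "cloud.example", 1204,
                "constructed summary"),
]

if __name__ == "__main__":
    # Warning or Severe events from 2 September on, excluding Cloud Operations.
    needs_attention = filter_events(
        EVENTS, start=date(2023, 9, 2),
        filters=[AdvancedFilter("type", True, frozenset({"Warning", "Severe"})),
                 AdvancedFilter("server", False, frozenset({"Cloud Operations"}))])
    for ev in needs_attention:
        print(ev.time, ev.type, ev.server, ev.code, ev.summary)
```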

NOTE
A small subset of the parameters that trigger system events have thresholds that can be configured. These
parameters should only be adjusted with advice from Symantec Support. Before changing these settings, you
should have a thorough understanding of the implications that are involved. The default values are appropriate
for most installations.
Related Links
Configuring event thresholds and triggers on page 469

Server and Detectors Event Detail


To view the Server and Detectors Event Detail screen, go to System > Servers and Detectors > Events and click one of the listed events.
The Server and Detectors Event Detail screen displays all of the information available for the selected event. The information on this screen is not editable.
The Server and Detectors Event Detail screen is divided into two sections, General and Message.
System events reports

Table 205: Event detail — General

Type: The event is one of the following types:
• Info: Information about the system.
• Warning: A problem that is not severe enough to generate an error.
• Severe: An error that requires immediate attention.
Time: The date and time of the event.
Server or Detector: The name of the server or detector.
Host: The host name or IP address of the server.

Table 206: Event detail — Message

Code: A number that identifies the kind of event. See System event codes and messages.
Summary: A brief description of the event.
Detail: Detailed information about the event.

About system events


System events reports
About system alerts

Working with Saved System Reports


Save system reports to make them available later.
The System Reports screen lists system and agent-related reports that have previously been saved. To display the
System Reports screen, click System > System Reports. Use this screen to work with saved system reports.
The System Reports screen is divided into two sections:
• System Event - Saved Reports lists saved system reports.
• Agent Management - Saved Reports lists saved agent reports.
For each saved report you can perform the following operations:
• Share the report. Click share to allow other Symantec Data Loss Prevention users who have the same role as you to
share the report. Sharing a report cannot be undone; after a report is shared it cannot be made private. After a report is
shared, all users with whom it is shared can view, edit, or delete the report.
Saving custom incident reports
• Change the report name or description. Click the pencil icon to the right of the report name to edit it.
• Change the report scheduling. Click the calendar icon to the right of the report name to edit the delivery schedule of
the report and to whom it is sent.
Saving custom incident reports
Delivery Schedule Options for Incident and System Reports
• Delete the report. Click the red X to the right of the report name to delete the report.
To save a new system report:
1. Go to one of the following screens:
• System Events (System > Events)
• Agents Overview (System > Agents > Overview)
• Agents Events (System > Agents > Events)
About the Enforce Server administration console
2. Select the filters and summaries for your custom report.
About custom reports and dashboards
3. Select Report > Save As.
4. Enter the saved report information.
Saving custom incident reports
5. Click Save.

Configuring Event Thresholds and Triggers

The default event threshold values are appropriate for most installations. A small subset of the parameters that trigger
system events have thresholds that can be configured. These parameters are configured for each detection server or
detector separately. These parameters should only be adjusted with advice from Symantec Support. Before changing
these settings, you should have a thorough understanding of the implications.
1. Go to the Overview screen (System > Servers and Detectors > Overview).
2. Click on the name of a detection server or detector to display that server's Server/Detector Detail screen.
3. Click Server/Detector Settings.
The Advanced Server/Detector Settings screen for that server is displayed.
4. Change the configurable parameters, as needed.

Table 207: Configurable parameters that trigger events

BoxMonitor.DiskUsageError (event: Low disk space)
The percentage of filled disk space that triggers a Severe system event. For example, if a detection server is installed on the C drive and the disk space error value is 90, the detection server creates a Severe system event when C drive usage is 90% or greater. The default is 90.

BoxMonitor.DiskUsageWarning (event: Low disk space)
The percentage of filled disk space that triggers a Warning system event. For example, if the detection server is installed on the C drive and the disk space warning value is 80, the detection server generates a Warning system event when C drive usage is 80% or greater. The default is 80.

BoxMonitor.MaxRestartCount (event: Process name restarts excessively)
The number of times that a system process can be restarted in one hour before a Severe system event is generated. The default is 3.

IncidentDetection.MessageWaitSevere (event: Long message wait time)
The number of minutes that messages must wait to be processed before a Severe system event is sent about message wait times. The default is 240.

IncidentDetection.MessageWaitWarning (event: Long message wait time)
The number of minutes that messages must wait to be processed before a Warning system event is sent about message wait times. The default is 60.

IncidentWriter.BacklogInfo (event: N incidents in queue)
The number of incidents that can be queued before an Info system event is generated. A backlog of this kind usually indicates that incidents are not processed, or are not processed correctly, because the system has slowed down or stopped. The default is 1000.

IncidentWriter.BacklogWarning (event: N incidents in queue)
The number of incidents that can be queued before a Warning system event is generated. A backlog of this kind usually indicates that incidents are not processed, or are not processed correctly, because the system has slowed down or stopped. The default is 3000.

IncidentWriter.BacklogSevere (event: N incidents in queue)
The number of incidents that can be queued before a Severe system event is generated. A backlog of this kind usually indicates that incidents are not processed, or are not processed correctly, because the system has slowed down or stopped. The default is 10000.
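The following is an added example, not Symantec DLP code, that shows how the thresholds in the table above turn measurements into system events and why the Warning value must stay below the Severe value. The parameter names and defaults are the documented ones; the function names, the inclusive comparison for wait times and backlogs, and the "exceeds MaxRestartCount" rule for restarts are assumptions made for the example.

```python
# Added example (not Symantec DLP code): how the configurable thresholds on the
# Advanced Server/Detector Settings screen map to system events. Parameter
# names and defaults are the documented ones; comparison rules are stated in
# the comments, with assumptions marked.

DEFAULTS = {
    "BoxMonitor.DiskUsageWarning": 80,            # percent of disk filled
    "BoxMonitor.DiskUsageError": 90,              # percent of disk filled
    "BoxMonitor.MaxRestartCount": 3,              # process restarts per hour
    "IncidentDetection.MessageWaitWarning": 60,   # minutes
    "IncidentDetection.MessageWaitSevere": 240,   # minutes
    "IncidentWriter.BacklogInfo": 1000,           # queued incidents
    "IncidentWriter.BacklogWarning": 3000,
    "IncidentWriter.BacklogSevere": 10000,
}

# (lower-severity key, higher-severity key) pairs whose values must stay ordered.
ORDERED_PAIRS = [
    ("BoxMonitor.DiskUsageWarning", "BoxMonitor.DiskUsageError"),
    ("IncidentDetection.MessageWaitWarning", "IncidentDetection.MessageWaitSevere"),
    ("IncidentWriter.BacklogInfo", "IncidentWriter.BacklogWarning"),
    ("IncidentWriter.BacklogWarning", "IncidentWriter.BacklogSevere"),
]


def effective(overrides=None):
    """Documented defaults with a server's overrides applied on top."""
    settings = dict(DEFAULTS)
    settings.update(overrides or {})
    return settings


def _grade(value, levels):
    """levels: (severity, threshold) from most to least severe. The page
    documents the disk thresholds as inclusive ('90% or greater'); the same
    inclusive rule is assumed here for wait times and backlogs."""
    for severity, threshold in levels:
        if value >= threshold:
            return severity
    return None


def disk_event(percent_used, overrides=None):
    """'Low disk space': Severe at DiskUsageError, Warning at DiskUsageWarning."""
    s = effective(overrides)
    return _grade(percent_used, [("Severe", s["BoxMonitor.DiskUsageError"]),
                                 ("Warning", s["BoxMonitor.DiskUsageWarning"])])


def message_wait_event(minutes_waiting, overrides=None):
    """'Long message wait time': Severe at MessageWaitSevere, Warning at MessageWaitWarning."""
    s = effective(overrides)
    return _grade(minutes_waiting, [("Severe", s["IncidentDetection.MessageWaitSevere"]),
                                    ("Warning", s["IncidentDetection.MessageWaitWarning"])])


def backlog_event(queued_incidents, overrides=None):
    """'N incidents in queue': Severe, Warning or Info depending on queue depth."""
    s = effective(overrides)
    return _grade(queued_incidents, [("Severe", s["IncidentWriter.BacklogSevere"]),
                                     ("Warning", s["IncidentWriter.BacklogWarning"]),
                                     ("Info", s["IncidentWriter.BacklogInfo"])])


def restart_event(restarts_last_hour, overrides=None):
    """'process_name restarts excessively': the page says a process 'can be
    restarted N times in one hour before' the Severe event, so the event is
    assumed to fire once restarts exceed MaxRestartCount."""
    s = effective(overrides)
    return "Severe" if restarts_last_hour > s["BoxMonitor.MaxRestartCount"] else None


def misordered(overrides):
    """Return the (lower, higher) key pairs an override set would invert, e.g.
    a Warning threshold at or above its Severe threshold. Worth checking before
    editing the settings, since such a set makes the lower event unreachable."""
    s = effective(overrides)
    return [(low, high) for low, high in ORDERED_PAIRS if s[low] >= s[high]]
```

Run `misordered()` on a proposed override set before applying it: a Warning threshold that is raised above its Severe threshold never fires, so the early signal the Warning event is meant to give is silently lost.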

System Events

About System Event Responses

There are three ways that system events can be brought to your attention:
• System event reports displayed on the administration console
• System alert email messages
System Alerts
• Syslog functionality
Enabling a Syslog Server
In most cases, the system event summary and detail information should provide enough information to direct investigation
and remediation steps. The following table provides some general guidelines for responding to system events.

Table 208: System event responses

Low disk space
If this event is reported on a detection server, recycle the Symantec Data Loss Prevention services on the detection server. The detection server may have lost its connection to the Enforce Server; it then queues its incidents locally and fills up the disk.
If this event is reported on an Enforce Server, check the status of the Oracle and the Symantec DLP Incident Persister services. Low disk space may result if incidents do not transfer properly from the file system to the database. This event may also indicate a need to add disk space.

Tablespace is almost full
Add data files to the database. When the hard disk is at 80% of capacity, obtain a bigger disk instead of adding data files.

Licensing and versioning
Contact Symantec Support.

Monitor not responding
Restart the Symantec DLP Detection Server service. If the event persists, check the network connections. Make sure the computer that hosts the detection server is turned on by connecting to it with terminal services or another remote desktop connection method. If necessary, contact Symantec Support.
Symantec Data Loss Prevention Services

Alert or scheduled report sending failed
Go to System > Settings > General and ensure that the settings in the Reports and Alerts and SMTP sections are configured correctly. Check network connectivity between the Enforce Server and the SMTP server. Contact Symantec Support.

Auto key ignition failed
Contact Symantec Support.

Cryptographic keys are inconsistent
Contact Symantec Support.

Long message wait time
Increase detection server capacity by adding more CPUs or replacing the computer with a more powerful one.
Decrease the load on the detection server. You can decrease the load by applying the traffic filters that have been configured to detect fewer incidents. You can also re-route portions of the traffic to other detection servers.
Increase the threshold wait times only if all of the following are true:
• This message is issued during peak hours.
• The message wait time drops to zero before the next peak.
• The business is willing to accept such delays in message processing.

process_name restarts excessively
Check the process by going to System > Servers > Overview. To see individual processes on this screen, Process Control must be enabled under System > Settings > General > Configure.

N incidents in queue
Investigate the reason for the incidents filling up the queue. The most likely reasons are as follows:
• Connection problems. Response: Make sure the communication link between the Endpoint Server and the detection server is stable.
• Insufficient connection bandwidth for the number of generated incidents (typical for WAN connections). Response: Consider changing policies (by configuring the filters) so that they generate fewer incidents.

Enabling a Syslog Server


Syslog servers allow system administrators to filter and route the system event notifications on a more granular level.
System administrators who use syslog regularly for monitoring their systems may prefer to use syslog instead of alerts.
Syslog may be preferred if the volume of alerts seems unwieldy for email.

Syslog functionality is an on or off option. If syslog is turned on, all Severe events are sent to the syslog server.
1. Go to the \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect
\config directory on Windows or the /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/
Protect/config directory on Linux.
2. Open the Manager.properties file.
3. Uncomment the #systemevent.syslog.protocol = line by removing the # symbol from the beginning of the line, and enter udp, tcp, or tls. Only tls encrypts the events between the Enforce Server and the syslog server; udp and tcp send them in cleartext, so use tls whenever the events cross a network you do not fully trust.
4. Uncomment the #systemevent.syslog.host= line by removing the # symbol from the beginning of the line, and enter
the hostname or IP address of the syslog server.
5. Uncomment the #systemevent.syslog.port= line by removing the # symbol from the beginning of the line. Enter the
port number that should accept connections from the Enforce Server server. The default is 514.
NOTE
If you are using TCP or TLS communication, ensure that the port you enter correctly corresponds to the port
that is configured on the syslog server.
6. Uncomment the #systemevent.syslog.format= [{0}] {1} - {2} line by removing the # symbol from the
beginning of the line. Then define the system event message format to be sent to the syslog server:
If the line is uncommented without any changes, the notification messages are sent in the format: [server name]
summary - details. The format variables are:
• {0} - the name of the server on which the event occurred
• {1} - the event summary
• {2} - the event detail
For example, the following configuration specifies that Severe system event notifications are sent to a syslog host
named server1 which uses port 600.
systemevent.syslog.protocol = TCP
systemevent.syslog.host=server1
systemevent.syslog.port=600
systemevent.syslog.format= [{0}] {1} - {2}

Using this example, a low disk space event notification from an Enforce Server on a host named server1 looks like the following (the brackets around the server name come from the [{0}] in the format string):
[server1] Low disk space - Hard disk space for incident data storage server is low. Disk usage is over 82%.
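The following is an added example, not Symantec DLP code, that reads the four systemevent.syslog.* keys from a Manager.properties fragment, validates them the way the procedure above requires (protocol limited to udp, tcp or tls; host set; port in range, default 514), and renders an event with the configured format string. The properties text is constructed for the example; only the key names and the default format come from the procedure. It also makes explicit the point that a still-commented key yields no setting, which is the usual reason a freshly edited file sends nothing.

```python
# Added example (not Symantec DLP code): read the systemevent.syslog.* keys
# from a Manager.properties fragment, validate them, and render a system event
# with the configured format string. The properties text below is constructed
# for this example; only the key names and the default format come from the
# documented procedure.
import re

SAMPLE_PROPERTIES = """\
# Manager.properties fragment (constructed for this example)
#systemevent.syslog.protocol =
systemevent.syslog.protocol = TCP
systemevent.syslog.host=server1
systemevent.syslog.port=600
systemevent.syslog.format= [{0}] {1} - {2}
"""

DEFAULT_FORMAT = "[{0}] {1} - {2}"   # {0} server, {1} summary, {2} detail


def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' or 'key = value'; lines
    starting with '#' or '!' are comments. A key that is still commented out
    (the '#systemevent.syslog.host=' form the procedure tells you to
    uncomment) therefore yields no setting at all."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def syslog_settings(props):
    """Return (protocol, host, port, fmt) or raise ValueError naming the bad key."""
    protocol = props.get("systemevent.syslog.protocol", "").lower()
    if protocol not in ("udp", "tcp", "tls"):
        raise ValueError("systemevent.syslog.protocol must be udp, tcp or tls")
    host = props.get("systemevent.syslog.host", "")
    if not host:
        raise ValueError("systemevent.syslog.host is not set")
    port_text = props.get("systemevent.syslog.port", "514")   # documented default
    if not re.fullmatch(r"\d{1,5}", port_text) or not 1 <= int(port_text) <= 65535:
        raise ValueError("systemevent.syslog.port must be 1-65535")
    fmt = props.get("systemevent.syslog.format", DEFAULT_FORMAT)
    return protocol, host, int(port_text), fmt


def settings_error(text):
    """The validation message for a properties text, or None if it is valid."""
    try:
        syslog_settings(parse_properties(text))
    except ValueError as exc:
        return str(exc)
    return None


def render_event(fmt, server, summary, detail):
    """Fill {0}, {1}, {2} with server name, event summary and event detail.
    Python's positional str.format resolves plain numbered placeholders the
    same way the documented format string is described."""
    return fmt.format(server, summary, detail)


def is_encrypted(protocol):
    """Only tls protects events in transit; udp and tcp are cleartext."""
    return protocol.lower() == "tls"
```

Before pointing the Enforce Server at a production syslog collector, run `settings_error()` over the edited file and check `is_encrypted()` on the chosen protocol: event details can name hosts, paths and disk layout, which is worth keeping off the wire in cleartext.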

System Events

System Alerts
Configure system alerts to notify Symantec Data Loss Prevention administrators about a wide variety of system
conditions.
System alerts are email messages that are sent to designated addresses when a particular system event occurs. You
define what alerts (if any) that you want to use for your installation. Alerts are specified and edited on the Configure Alert
screen, which is reached by System > Servers and Detectors > Alerts > Add Alert.
Alerts can be specified based on event severity, server name, or event code, or a combination of those factors. Alerts can
be sent for any system event.

The email that is generated by the alert has a subject line that begins with Symantec Data Loss Prevention System
Alert followed by a short event summary. The body of the email contains the same information that is displayed by the
Event Detail screen to provide complete information about the event.
Configuring the Enforce Server to send email alerts
Configuring system alerts
Server and Detectors event detail

Configuring the Enforce Server to Send Email Alerts

To send out email alerts regarding specified system events, the Enforce Server has to be configured to support the
sending of alerts and reports. This section describes how to specify the report format and how to configure Symantec
Data Loss Prevention to communicate with an SMTP server.
After completing the configuration described here, you can schedule the sending of specific reports and can create
specific system alerts.
1. Go to System > Settings > General and click Configure.
The Edit General Settings screen is displayed.
2. In the Reports and Alerts section, select one of the following distribution methods:
• Send reports as links, logon is required to view. Symantec Data Loss Prevention sends email messages with
links to reports. You must log on to the Enforce Server to view the reports.
NOTE
If the Send reports as links option is set, reports with incident data cannot be distributed.
• Send report data with emails. Symantec Data Loss Prevention sends email messages and attaches the report
data.
3. Enter the Enforce Server domain name or IP address in the Fully Qualified Manager Name field.
If you send reports as links, Symantec Data Loss Prevention uses the domain name as the basis of the URL in the
report email.
Do not specify a port number unless you have modified the Enforce Server to run on a port other than the default of
443.
4. If you want alert recipients to see any correlated incidents, check the Correlations Enabled box.
When correlations are enabled, users see them on the Incident Snapshot screen.

5. In the SMTP section, identify the SMTP server to use for sending out alerts and reports.
Enter the relevant information in the fields as described in the following table:

Server: The fully qualified hostname or IP address of the SMTP server that Symantec Data Loss Prevention uses to deliver system events and scheduled reports. If the SMTP server does not accept connections on the default TCP port 25, append the port number to the hostname or IP address, separated by a colon. For example, smtp.domain.com:587 specifies the fully qualified hostname smtp.domain.com and port 587.
System email: The email address for the alert sender. Symantec Data Loss Prevention specifies this email address as the sender of all outgoing email messages. Your IT department may require the system email to be a valid email address on your SMTP server.
User ID: A valid user name for accessing the server, for example DOMAIN\bsmith.
Password: The password for the User ID. Anonymous SMTP servers are supported; if you use one, leave the User ID and Password fields blank.

6. Click Save.

About system alerts


Configuring system alerts
About system events

Configuring System Alerts


You can configure Symantec Data Loss Prevention to send an email alert whenever it detects a specified system event.
Alerts can be specified based on event severity, server name, or event code, or a combination of those factors. Alerts can
be sent for any system event.
System Alerts
Note that the Enforce Server must first be configured to send alerts and reports.
Configuring the Enforce Server to Send Email Alerts
Alerts are specified and edited on the Configure Alert screen, which is reached by System > Servers > Alerts and then
choosing Add Alert to create a new alert, or clicking on the name of an existing alert to modify it.
There are three kinds of conditions that you can specify to trigger an alert:
• Event type - the severity of the event.
• Server - the server associated with the event.
• Event code - a code number that identifies a particular kind of event.
For each kind of condition, you can choose one of two operators:
• Is any of.
• Is none of.
For each kind of condition, you can specify appropriate parameters:
• Event type. You can select one, or a combination of, Information, Warning, Severe. Click on an event type to specify
it. To specify multiple types, hold down the Control key while clicking on event types. You can specify one, two, or all
three types.
• Server. You can select one or more servers from the list of available servers. Click on the name of the server to specify
it. To specify multiple servers, hold down the Control key while clicking on server names. You can specify as many
different servers as necessary.
• Event code. Enter the code number. To enter multiple code numbers, separate them with commas or use the Return
key to enter each code on a separate line.
System event codes and messages
By combining multiple conditions, you can define alerts that cover a wide variety of system conditions.
NOTE
If you define more than one condition, the conditions are treated as if they were connected by the Boolean
"AND" operator. This means that the Enforce Server only sends the alert if all conditions are met. For example,
if you define an event type condition and a server condition, the Enforce Server only sends the alert if the
specified event occurs on the designated server.
1. Go to the Alerts screen (System > Servers and Detectors > Alerts).
2. Click the Add Alert tab to create a new alert, or click on the name of an alert to modify it.
The Configure Alert screen is displayed.
3. Fill in (or modify) the name of the alert. The alert name is displayed in the subject line of the email alert message.
4. Fill in (or modify) a description of the alert.
5. Click Add Condition to specify a condition that will trigger the alert.
Each time you click Add Condition you can add another condition. If you specify multiple conditions, every one of the
conditions must be met to trigger the alert.
Click on the red X next to a condition to remove it from an existing alert.
6. Enter the email address that the alert is to be sent to. Separate multiple addresses by commas.
7. Limit the maximum number of times this alert can be sent in one hour by entering a number in the Max Per Hour box.
If no number is entered in this box, there is no limit on the number of times this alert can be sent out. The
recommended practice is to limit alerts to one or two per hour, and to substitute a larger number later if necessary. If
you specify a large number, or no number at all, recipient mailboxes may be overloaded with continual alerts.
8. Click Save to finish.
The Alerts list is displayed.
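The following is an added example, not Symantec DLP code, of the matching rules described above and in the system events filter: each condition uses Is any of or Is none of over the event type, server or event code; several conditions on one alert are ANDed; and Max Per Hour caps how many times the alert is sent. The event dictionaries, alert names, recipients and the sliding one-hour window are constructed assumptions for the example; the page only says "maximum number of times this alert can be sent in one hour".

```python
# Added example (not Symantec DLP code): evaluate system events against alert
# definitions the way the Configure Alert screen describes them. Event
# dictionaries and alert definitions are constructed for this example.
import re
from collections import deque

IS_ANY_OF, IS_NONE_OF = "is any of", "is none of"


def parse_codes(text):
    """Event codes are entered comma-separated or one per line."""
    return {int(tok) for tok in re.split(r"[,\n]", text) if tok.strip()}


class Alert:
    def __init__(self, name, conditions, recipients, max_per_hour=None):
        # conditions: list of (field, operator, values); field is "type",
        # "server" or "code". max_per_hour=None means unlimited, which the
        # page warns can flood recipient mailboxes.
        self.name = name
        self.conditions = conditions
        self.recipients = recipients
        self.max_per_hour = max_per_hour
        self._sent_at = deque()     # send times (seconds) within the last hour

    def matches(self, event):
        """All conditions must hold (Boolean AND); no conditions matches everything."""
        for field, operator, values in self.conditions:
            hit = event[field] in values
            if operator == IS_ANY_OF and not hit:
                return False
            if operator == IS_NONE_OF and hit:
                return False
        return True

    def should_send(self, event, now):
        """True if the event matches and the per-hour cap is not used up.
        Suppressed events are not counted, so delivery resumes once the
        oldest sent alert is an hour old (sliding window: an assumption)."""
        if not self.matches(event):
            return False
        while self._sent_at and now - self._sent_at[0] >= 3600:
            self._sent_at.popleft()
        if self.max_per_hour is not None and len(self._sent_at) >= self.max_per_hour:
            return False
        self._sent_at.append(now)
        return True


def dispatch(alerts, events):
    """Run (timestamp, event) pairs through every alert and return
    [(alert name, recipients, event)] for the alerts that would be emailed."""
    out = []
    for now, event in events:
        for alert in alerts:
            if alert.should_send(event, now):
                out.append((alert.name, alert.recipients, event))
    return out
```

The third `should_send` call in a burst is refused once Max Per Hour is 2, which is the behaviour you want from a noisy detection server that restarts in a loop; the matching events still appear in the system events report, so nothing is lost, only the email volume is bounded.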

Using Diagnostic Tools


Use diagnostic tools to monitor system health and troubleshoot problems with the underlying system.
This section includes the following topics:
Diagnostic Tools
System Information Review

Diagnostic Tools
Symantec Data Loss Prevention provides diagnostic tools for monitoring system health and troubleshooting problems with the underlying system. They are available on dashboard pages of the Enforce Server administration console and from log files.
The following tools are included:
• Diagnostic information about the system and about Symantec Data Loss Prevention is displayed on-screen in the dashboard pages of the Enforce Server administration console.
System Information Review
• A utility for bundling system log files is installed with Symantec Data Loss Prevention.
Log Collection Utility

System Information Review


Various on-screen pages of the Symantec Data Loss Prevention software provide sources of information relevant to
system maintenance.
The on-screen system administration pages provide access to features that are helpful in performing system
maintenance.
These pages are referenced in many other sections of this guide in specific system maintenance tasks. Become familiar
with their general contents for ease of use when you perform system maintenance.
Diagnostic Tools

Table 209: System Administration pages

System > Servers and Detectors > Overview: Displays a list of the system servers as well as recent error-level and warning-level system events. The overview provides functionality for adding servers, upgrading, and accessing the Server/Detector Detail pages.
System > Servers and Detectors > Overview > Server/Detector Detail: Displays the detailed information about the server, provides functionality to stop, start, and recycle services, configure the server, and access the Server/Detector Settings page.
System > Servers and Detectors > Overview > Server/Detector Detail > Server Settings: Enables system administrators to modify Advanced Server settings.
System > Servers and Detectors > Events: Provides a system events report.
System > Servers and Detectors > Events > Server/Detector Event Detail: Provides additional details for the individual events listed in the system events report.
System > Servers and Detectors > Alerts: Enables system administrators to enable alerts for system events.

Log Collection Utility


System and environment information is collected in the log files. The Log Collection Utility bundles the log files into a
compressed file that can be emailed to Symantec Support when issues arise.
The Log Collection Utility collects all of the log files, including those related to system maintenance.

Working with the DLP database
This section includes the following topics:
Working with Symantec Data Loss Prevention database diagnostic tools
Viewing Tablespaces and Data File Allocations
Adjusting warning thresholds for tablespace usage in large databases
Generating a Database Report
Viewing Table Details
Recovering from Symantec Data Loss Prevention database connectivity issues

Working with Symantec Data Loss Prevention database diagnostic tools


The Enforce Server administration console lets you view diagnostic information about the tablespaces and tables in your
database to help you better manage your database resources. You can see how full your tablespaces and tables are, and
whether or not the files in the tables are automatically extendable to accommodate more data. This information can help
you manage your database by understanding where you may want to enable the Oracle Autoextend feature on data files,
or otherwise manage your database resources. You can also generate a detailed database report to share with Symantec
Technical Support for help with troubleshooting database issues.
You can view the allocation of tablespaces, including the size, memory usage, extendability, status, and number of files in
each tablespace. You can also view the name, size, and Autoextend setting for each file in a tablespace. In addition, you
can view table-level allocations for incident data tables, other tables, indexes, and large object (LOB) tables.
You can generate a full database report in HTML format to share with Symantec Technical Support at any time by clicking
Get full report. The data in the report can help Symantec Technical Support troubleshoot issues in your database.
Generating a database report

Viewing Tablespaces and Data File Allocations


View tablespaces and data file allocations to confirm information about the database.
You can view tablespaces and data file allocations on the Database Tablespaces Summary page (System > Database
> Tablespaces Summary).
The following table lists details about the Database Tablespaces Summary page.

Table 210: Database tablespaces summary

Name: The name of the tablespace.
Size: The size of the tablespace in megabytes.
Used (%): The percentage of the tablespace currently in use. This percentage is calculated from the Used (MB) and Size values. It does not take the Extendable To (MB) value into account.
Used (MB): The amount of the tablespace currently in use, in megabytes.
Extendable To (MB): The size to which the tablespace can be extended. This value is based on the Autoextend settings of the files within the tablespace.
Status: The current status of the tablespace, according to the percentage of the tablespace currently in use and the warning thresholds. With the default warning threshold settings, the status is:
• OK: The tablespace is under 80% full, or the tablespace can be automatically extended.
• Warning: The tablespace is between 80% and 90% full. If you see a warning on a tablespace, consider enabling Autoextend on the data files in the tablespace or extending the maximum value for data file auto-extensibility.
• Severe: The tablespace is more than 90% full. If you see a severe warning on a tablespace, enable Autoextend on the data files in the tablespace, extend the maximum value for data file auto-extensibility, or determine whether you can purge some of the data in the tablespace.
Number of Files: The number of data files in the tablespace.

Select a tablespace from the list to view details about the files it contains. The tablespace file view displays the following information:
• Name: The name of the file.
• Size: The size of the file, in megabytes.
• Auto Extendable: Specifies whether the file is automatically extendable, based on the Autoextend setting of the file in the Oracle database.
• Extendable To (MB): The maximum size to which the file can be automatically extended, in megabytes.
• Path: The path to the file.

Adjusting warning thresholds for tablespace usage in large databases


If your database contains a very large amount of data (1 terabyte or more), you may want to adjust the warning thresholds
for tablespace usage. For such large databases, Symantec recommends adjusting the Warning threshold to 85% full, and
the Severe threshold to 95% full. You may want to set these thresholds even higher for larger databases. You can specify
these values in the Manager.properties file.
To adjust the tablespace usage warning thresholds
1. Open the Manager.properties file in a text editor.
2. Set the Warning and Severe thresholds to the following values:
com.vontu.manager.tablespaceThreshold.warning=85
com.vontu.manager.tablespaceThreshold.severe=95

3. Save the changes to the Manager.properties file and close it.
4. Restart the Symantec DLP Manager service to apply your changes.
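The following is an added example, not Symantec DLP code, that derives the Database Tablespaces Summary fields (Size, Used (%), Extendable To, Status, Number of Files) from a tablespace's data files, with the Warning and Severe thresholds passed in so the same code shows the default 80/90 status and the 85/95 values recommended above for large databases. The data files are constructed; the rule that a file already at its Autoextend maximum no longer counts as extendable is an assumption made for the example.

```python
# Added example (not Symantec DLP code): derive the Database Tablespaces
# Summary fields from a tablespace's data files, using the default 80/90
# thresholds or the 85/95 values the page recommends for databases of 1 TB
# or more. Data files below are constructed for this example.
from dataclasses import dataclass, field


@dataclass
class DataFile:
    name: str
    size_mb: float
    autoextend: bool
    max_mb: float = 0.0      # Extendable To (MB); only meaningful with autoextend


@dataclass
class Tablespace:
    name: str
    used_mb: float
    files: list = field(default_factory=list)

    @property
    def size_mb(self):
        return sum(f.size_mb for f in self.files)

    @property
    def extendable_to_mb(self):
        """Sum of each file's ceiling: its Autoextend maximum, or its current
        size if it cannot grow."""
        return sum(f.max_mb if f.autoextend else f.size_mb for f in self.files)

    @property
    def can_extend(self):
        """Assumption: a file whose size already equals its maximum no longer
        counts as extendable, even though Autoextend is on."""
        return any(f.autoextend and f.max_mb > f.size_mb for f in self.files)


def used_percent(ts):
    """Used (%) = Used (MB) / Size; Extendable To is deliberately ignored."""
    return 0.0 if ts.size_mb == 0 else 100.0 * ts.used_mb / ts.size_mb


def status(ts, warning=80, severe=90):
    """OK below the Warning threshold or when the tablespace can still grow;
    Warning from the Warning threshold up to the Severe one; Severe at or
    above the Severe threshold. warning/severe correspond to
    com.vontu.manager.tablespaceThreshold.warning / .severe."""
    if ts.can_extend:
        return "OK"
    pct = used_percent(ts)
    if pct >= severe:
        return "Severe"
    if pct >= warning:
        return "Warning"
    return "OK"


def summary_row(ts, warning=80, severe=90):
    """One row of the Tablespaces Summary table as a dict."""
    return {
        "Name": ts.name,
        "Size": ts.size_mb,
        "Used (%)": round(used_percent(ts), 1),
        "Used (MB)": ts.used_mb,
        "Extendable To (MB)": ts.extendable_to_mb,
        "Status": status(ts, warning, severe),
        "Number of Files": len(ts.files),
    }
```

Two things worth noticing when you raise the thresholds: a tablespace at 90% that reports Severe under the defaults reports only Warning at 85/95, so the later alert must still leave enough headroom for the incident write rate; and an Autoextend file that has already reached its maximum gives OK status nowhere, which is why the Severe guidance above mentions extending the maximum, not just enabling Autoextend.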

Generating a Database Report


Generate a database report to review database details and to troubleshoot database issues.
You can generate a full database report in HTML format at any time by clicking Get full report on the Database
Tablespaces Summary page. The database report includes the following information:
• Detailed database information
• Incident data distribution
• Message data distribution
• Policy group information
• Policy information
• Endpoint agent information
• Detection server (monitor) information
Symantec Support may request this report to help troubleshoot database issues.
1. Navigate to System > Database > Tablespaces Summary.
2. Click Get full report.
3. The report takes several minutes to generate. Refresh your screen after several minutes to view the link to the report.
4. To open or save the report, click the link above the Tablespaces Allocation table. The link includes the timestamp of
the report for your convenience.
5. In the Open File dialog box, choose whether to open the file or save it.
6. To view the report, open it in a web browser or text editor.
7. To update the report, click Update full report.

Viewing Table Details


You can view table-level allocations on the Database Table Details page (System > Database > Table Details). Viewing
table-level allocations can be useful after a large data purge to see the de-allocation of space within your database
segments. You can refresh the information displayed on this page by clicking Update table data at any time.
The Database Table Details page displays your table-level allocations on one of four tabs. The following table lists the tabs and their fields.

Table 211: Database table details description

Incident Tables
This tab lists all the incident data tables in the Symantec Data Loss Prevention database schema.
• Table Name: The name of the table.
• In Tablespace: The name of the tablespace that contains the table.
• Size (MB): The size of the table, in megabytes.
• % Full: The percentage of the table currently in use.

Other Tables
This tab lists all other tables in the schema.
• Table Name: The name of the table.
• In Tablespace: The name of the tablespace that contains the table.
• Size (MB): The size of the table, in megabytes.
• % Full: The percentage of the table currently in use.

Indices
This tab lists all of the indexes in the schema.
• Index Name: The name of the index.
• Table Name: The name of the table that contains the index.
• In Tablespace: The name of the tablespace that contains the index.
• Size (MB): The size of the index, in megabytes.
• % Full: The percentage of the index currently in use.

LOB Segments
This tab lists all of the large object (LOB) tables in the schema.
• Table Name: The name of the table.
• Column Name: The name of the table column containing the LOB data.
• In Tablespace: The name of the tablespace that contains the table.
• LOB Segment Size (MB): The size of the LOB segment, in megabytes.
• LOB Index Size (MB): The size of the LOB index, in megabytes.
• % Full: The percentage of the table currently in use.

NOTE
The percentage used value for each table displays the percentage of the table currently in use as reported by
the Oracle database in dark blue. It also includes an additional estimated percentage used range in light blue.
Symantec Data Loss Prevention calculates this range based on tablespace utilization.

Recovering from Symantec Data Loss Prevention database connectivity issues


If the connection between Symantec Data Loss Prevention and the database is lost for any reason, you must restart all Symantec DLP services on the Enforce Server after the connection is restored.

Backing Up and Recovering on Windows


Review the following information to identify the important items to back up on Windows.

This section includes the following topics:
About Backup and Recovery on Windows
About periodic system backups on Windows
About partial backups on Windows
Preparing the backup location on Windows
Performing a cold backup of the Oracle database on Windows
Backing up the server configuration files on Windows
Backing up files stored on the file system on Windows
Oracle hot backups on Windows platforms
About Windows System Recovery

About Backup and Recovery on Windows


Perform system backups in case the Symantec Data Loss Prevention system crashes and needs to be restored.
The system that should be backed up includes the Enforce Server, the detection servers, the database, and the incident
attachment external storage directory, if present. These backup procedures can be used for single-tier, two-tier, and three-
tier installations.
The cold backup procedures for the Oracle database are for non-database administrators who have no standard backup
methods for databases.
Symantec recommends that administrators perform backups of their entire system. Administrators should follow all of the
backup instructions that are in this section in the order in which they are presented.
Administrators who would prefer to back up only part of their system must determine which subsets of the system backup
instructions to follow.
Symantec recommends that your data storage administrator perform all backups of your incident attachment external
storage directories.
About periodic system backups on Windows
About partial backups on Windows

About periodic system backups on Windows


Perform system backups regularly. The frequency of system backups should be determined based on the size of the
system and the internal company policies.
Large databases may take longer to back up. Database backups should be performed at least weekly.
Server configuration and file system backups should be performed after configuration changes are made on the Enforce
Server or detection servers. Backups should also be made when you generate encrypted keys.
Symantec recommends that administrators perform backups of their entire system. Administrators should follow all of the
backup instructions that are in this section in the order in which they are presented.
Complete system backups should be performed at the following times:
• After installation
• Before any system upgrades
• Any time the system changes, such as when a Symantec Data Loss Prevention server is added to or removed from
the system configuration


About scheduling a system backup on Windows


When scheduling system backups, keep in mind the following concepts:
• Administrators of single-tier installations should note that the system is offline during backups while the files are
copied.
During backups, Symantec Data Loss Prevention does not scan or find incidents. Reports are inaccessible during
backups. For these reasons, backups should be scheduled during times when the system is typically not very active.
Such times may be on weekends when users are unlikely to use the system and when incidents are less likely to be
generated.
For a description of single-tier installations, see Performing a single-tier installation.
• The backup methods that are described in this section do not accommodate point-in-time recovery. If the last system
backup was two days ago and the system crashes, the information from those two days is lost. The system cannot be
restored to times other than the time of the last backup.
• Before performing a backup, use regular company or system notifications to let users know that the system is offline
and unavailable during the system backup.

Related Links
About periodic system backups on Windows on page 483

About partial backups on Windows


Administrators who want to perform partial system backups can use either of the following subsets of the instructions.
• To back up a database only:
• Preparing the backup location on Windows
• Performing a cold backup of the Oracle database on Windows
• To back up an Enforce Server or detection server only:
• Preparing the backup location on Windows
• Backing up the server configuration files on Windows
• Backing up files stored on the file system on Windows

Preparing the backup location on Windows


Preparing the backup location involves determining the size of the backup and identifying a suitable backup location.
Symantec Data Loss Prevention provides a Recovery Information Worksheet to help record the locations of the backup
directories. The procedures in this section include instructions for when to record information in the worksheet. These
instructions are for performing backups on hard drives. After you perform the backup on a hard drive, the data should be
archived to tape.
Recovery Information Worksheet for Windows
Preparing the backup location consists of the following steps:

Table 212: Preparation of the backup location

Step 1: Determine the size of the backup sections.
        See Determining the Size of the Backup on Windows.
Step 2: Calculate the total size of the backup.
        See Calculating the total size of the backup on Windows.
Step 3: Identify a backup location.
        See Identifying a backup location on Windows.
Step 4: Create the backup directories.
        See Creating Backup Directories on Windows.

Recovery Information Worksheet for Windows


About partial backups on Windows

Determining the Size of the Backup on Windows


The size of a full backup is the sum of the following items:
• The size of the database
• The size of the file system files to be backed up
• The size of the server configuration files to be backed up
However, file system and server configuration files do not need to be backed up as often as the database. The size of the
backup varies depending on what is backed up. Only follow the sizing procedures in this section that are relevant to the
backup being performed.
Preparing the backup location on Windows
Determine the Size of the Database

1. Log on to the computer that hosts the database as a user with administrative privileges.
2. Navigate to Windows > Start > All Programs > Oracle - OraDb<ver>_home1 > Application Development > SQL Plus to open Oracle SQL*Plus.
3. In the logon dialog box, in the User Name field, enter:
/nolog
4. Click OK.
5. At the SQL> command prompt, to connect as the sysdba user, enter:
connect sys/password as sysdba
where password is the SYS password.


6. After receiving the Connected message, run the following SQL query by copying or entering it at the command prompt:
SELECT ROUND(SUM(bytes)/1024/1024/1024, 4) GB
FROM (
SELECT SUM(bytes) bytes
FROM dba_data_files
UNION ALL
SELECT SUM(bytes) bytes
FROM dba_temp_files
UNION ALL
SELECT SUM(bytes) bytes
FROM v$log
);

7. Note the size of the database.


8. To exit Oracle SQL*Plus, enter:
exit

Determine the Size of the File System Files

1. On the computer that hosts the server on which customizations were added or changes were made, select the \Program Files\Symantec\DataLossPrevention\<server>\16.0.10000 directory, where <server> represents either EnforceServer or DetectionServer.
2. Right-click the directory. Select Properties.
3. On the General tab, note the Size.
4. Repeat steps 1–3 for the \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs directory.
5. Repeat steps 1–4 for any other computers that host Symantec Data Loss Prevention server applications.
6. Calculate the total size of the directories and record this number.
Calculating the total size of the backup on Windows
Determine the Size of the Server Configuration Files

1. On the computer that hosts the server on which configuration changes were made, select the \Program Files\Symantec\DataLossPrevention\<server>\16.0.10000\Protect\config directory, where <server> represents either EnforceServer or DetectionServer.
2. Right-click the directory and select Properties.
3. On the General tab, note the Size.
4. Repeat steps 1–3 for any other computers that host Symantec Data Loss Prevention server applications.
5. Calculate the total size of the configuration directories on all servers and record this number.
Calculating the total size of the backup on Windows
Calculating the total size of the backup on Windows

Use the sizes from the individual procedures to sum the total size of the backup.
1. Enter the size of the database here: _______
2. Enter the size of the file system files here: _______
3. Enter the size of the server configuration files here: _______
4. Add the size of the database to the size of the configuration files and file system files for a total size here: _______

Preparing the backup location on Windows

Identifying a backup location on Windows


The backup location should be on a computer other than the ones that host the database, the Enforce Server, or the
detection servers. The backup location must have enough available space for the backup files.

To identify a backup location
1. Make sure that the backup location is accessible from the computers that host the servers and databases that need to
be backed up.
2. Verify that the amount of available disk space in a potential backup location is greater than the size of the backup.
To determine the amount of free space, right-click the drive in Windows Explorer, select Properties, and check Free space on the General tab.
Make sure that this number is greater than the total size of the backup that you calculated, not just the size of the database.
Determining the Size of the Backup on Windows
3. After you identify a computer with enough disk space, note down its fully qualified domain name. Enter this information
on the Recovery Information Worksheet.
To determine the name of a computer, navigate to My Computer > Properties > Computer Name.
Recovery Information Worksheet for Windows
Preparing the backup location on Windows

Creating Backup Directories on Windows


Create the following directories, preferably on an external storage device or on a system separate from the computer that
hosts the Oracle database.
1. Create a directory in which to store the backup files:
\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files
Remember that this directory should be created on a computer other than the one that hosts the database, the Enforce Server, or the detection servers.
2. Create the following subdirectories in which to store the backup files:
\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\File_System
\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Server_Configuration_Files
\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Database
\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Recovery_Aid
\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Services
3. Complete the Recovery Information Worksheet with the Drive you used in the previous step.
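The four preparation steps in Table 212 (sizing the directories, totalling the backup, checking the backup location and creating the backup directories) can be run as one script from an administrative workstation. The PowerShell below is an added example; it is not part of the Symantec documentation or product. The host names enforce01, detect01 and backup01, the drive letter D and the database size of 12.5 GB are assumptions; it reads the server directories through the administrative C$ shares and queries free space on the backup host over WinRM, both of which must be reachable. The database size still comes from the SQL*Plus query in Determine the Size of the Database.

```powershell
# Added example, not from the Symantec documentation. Run from an administrative workstation.
$Version     = '16.0.10000'
$DlpHosts    = @('enforce01', 'detect01')   # assumed: one Enforce Server, one detection server
$BackupHost  = 'backup01'                    # assumed: a host that runs none of the DLP tiers
$BackupDrive = 'D'                           # assumed drive letter on $BackupHost
$DatabaseGB  = 12.5                          # assumed: value returned by the SQL*Plus size query

function Get-DirectorySizeGB {
    # Sums the Length of every file below $Path; returns 0 if the path does not exist.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 0 }
    $sum = (Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
    if (-not $sum) { $sum = 0 }
    return [math]::Round($sum / 1GB, 4)
}

# Steps 1-2: size the install directories and the logs on every server. The Protect\config
# directory lives inside the install directory, so it is already included in that total.
$fileSystemGB = 0
foreach ($h in $DlpHosts) {
    foreach ($role in 'EnforceServer', 'DetectionServer') {
        $install = "\\$h\C$\Program Files\Symantec\DataLossPrevention\$role\$Version"
        $logs    = "\\$h\C$\ProgramData\Symantec\DataLossPrevention\$role\$Version\logs"
        foreach ($p in $install, $logs) {
            $gb = Get-DirectorySizeGB -Path $p
            if ($gb -gt 0) { "{0,10:N4} GB  {1}" -f $gb, $p; $fileSystemGB += $gb }
        }
    }
}
$totalGB = $DatabaseGB + $fileSystemGB
"Total backup size: {0:N4} GB (database {1} GB, file system {2} GB)" -f $totalGB, $DatabaseGB, $fileSystemGB

# Step 3: the backup location must have more free space than the total backup size.
$disk   = Get-CimInstance -ClassName Win32_LogicalDisk -ComputerName $BackupHost -Filter "DeviceID='${BackupDrive}:'"
$freeGB = [math]::Round($disk.FreeSpace / 1GB, 4)
if ($freeGB -le $totalGB) {
    throw "Only $freeGB GB free on $BackupHost ${BackupDrive}:, but the backup needs more than $totalGB GB"
}
"Free space on $BackupHost ${BackupDrive}: $freeGB GB (sufficient)"

# Step 4: create the backup directory tree on the backup host.
$backupRoot = "\\$BackupHost\$BackupDrive`$\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files"
foreach ($sub in 'File_System', 'Server_Configuration_Files', 'Database', 'Recovery_Aid', 'Services') {
    New-Item -ItemType Directory -Path (Join-Path $backupRoot $sub) -Force | Out-Null
}

# Record the values the Recovery Information Worksheet asks for.
$worksheet = @(
    "Backup host (FQDN): $([System.Net.Dns]::GetHostEntry($BackupHost).HostName)",
    "Backup drive:       ${BackupDrive}:",
    "Backup directory:   ${BackupDrive}:\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files",
    "Total backup size:  $totalGB GB"
)
$worksheet | Set-Content -Path (Join-Path $backupRoot 'Recovery_Information_Worksheet.txt')
$worksheet
```

The free-space check compares against the whole backup, not only the database, because the file system and configuration copies land on the same drive. The worksheet file is written next to the backup so the recovery host name and drive letter survive the loss of the original servers.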
Recovery Information Worksheet for Windows
Preparing the backup location on Windows

Performing a cold backup of the Oracle database on Windows


Cold backups are recommended primarily for non-database administrator users.
You perform a cold backup by:
• Stopping the Symantec Data Loss Prevention system
• Shutting down the Oracle database
• Copying important files to a safe backup location
If your company has its own database administration team and backup policies, you may not need to perform cold
backups.
Be aware that Symantec only provides support for the cold backup procedures that are described here.


Table 213: Steps to perform a cold backup of the Oracle database

Step 1: Create recovery aid files.
        See Creating Recovery Aid Files on Windows.
Step 2: Collect a list of directories that should be backed up.
        See Collecting a List of Files to be Backed up.
Step 3: Shut down all of the Symantec Data Loss Prevention and Oracle services.
        See Shutting Down the Symantec Data Loss Prevention System on Windows.
Step 4: Copy the database files to the backup location.
        See Copying the database files to the backup location on Windows.
Step 5: Optional: back up the incident attachment external storage directory.
        If you are using an external storage directory for incident attachments, work with your storage system administrator to back up that directory.
Step 6: Restart the Oracle and Symantec Data Loss Prevention services.
        See Restarting the system on Windows.

Creating Recovery Aid Files on Windows


You should create recovery aid files for use in recovery procedures. A trace file of the control file and a copy of the
init.ora file are very helpful for database recoveries.
The trace file of the control file contains the names and locations of all of the data files. This trace includes any additional
data files that have been added to the database. It also contains the redo logs and the commands that can be used to re-
create the database structure.
The init.ora file contains the initialization parameters for Oracle, including the names and locations of the database
control files.
NOTE
The following steps assume you created the backup directory C:\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Recovery_Aid. If you did not, do so now.
Creating Backup Directories on Windows
To generate a trace file of the control file:
1. At the command prompt, enter sqlplus /nolog.
NOTE
The Oracle SQL*Plus application is case sensitive.
2. At the SQL> command prompt, to connect as the sysdba user, enter
connect sys/password@protect as sysdba

where the password is the SYS password.


3. After receiving the Connected message, at the SQL> command prompt, enter:
alter database backup controlfile to trace as 'C:\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Recovery_Aid\controlfile.trc';

Success is indicated by the message "Database altered."
This command writes a trace script containing the CREATE CONTROLFILE statements needed to re-create the control file, and outputs it to the \Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Recovery_Aid directory that you created previously.
Creating Backup Directories on Windows
NOTE
The normal destination of a trace file is the user_dump directory. Assuming you followed the installation
steps in the Symantec Data Loss Prevention Oracle Installation and Upgrade Guide, this directory is
\oracle\diag\rdbms\protect\trace. If you installed Oracle differently, issue SQL*Plus command
show parameter user_dump_dest; to display the user_dump directory.
4. Issue the following command to back up the init.ora file:
create pfile='C:\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Recovery_Aid\init.ora' from spfile;
Exit SQL*Plus:
exit;
5. Navigate to the C:\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Recovery_Aid directory. You should see the controlfile.trc and init.ora files in this directory.
6. Rename the file controlfile.trc so that it can be easily identified, for example:
controlfilebackupMMDDYY.trc

Collecting a List of Files to be Backed up


You can create a list of files that need to be backed up. These lists are used in a later step.
1. Open SQL*Plus using the following command:
sqlplus sys/<password> as sysdba

2. Enter the following SQL commands to create lists of files that must be backed up:
SELECT file_name FROM dba_data_files
UNION
SELECT file_name FROM dba_temp_files
UNION
SELECT name FROM v$controlfile
UNION
SELECT member FROM v$logfile;

3. Save the list of files returned by the query, to use in the following procedures, as C:\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Recovery_Aid\oracle_datafile_directories.txt.
4. Exit SQL*Plus:
exit;
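The two SQL*Plus procedures above, Creating Recovery Aid Files on Windows and Collecting a List of Files to be Backed up, can be run as one non-interactive session. The PowerShell below is an added example and is not part of the Symantec documentation; it assumes it runs on the database host, the net service name protect, the local Recovery_Aid directory from the NOTE above, and a backup host named backup01. It reads the SYS password with Read-Host and sends it to SQL*Plus on standard input rather than on the command line, because `sqlplus sys/<password> as sysdba` exposes the password to anyone who can list processes. ALTER DATABASE BACKUP CONTROLFILE TO TRACE and CREATE PFILE are executed by the Oracle server process, so the output directory must be writable by the Oracle service account; the files are therefore written locally first and then copied to the backup host.

```powershell
# Added example, not from the Symantec documentation. Run on the database host.
$LocalAid  = 'C:\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Recovery_Aid'
$BackupAid = '\\backup01\D$\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Recovery_Aid'  # assumed
$Stamp     = Get-Date -Format 'MMddyy'
$TraceFile = Join-Path $LocalAid "controlfilebackup$Stamp.trc"
$PfileOut  = Join-Path $LocalAid 'init.ora'
$FileList  = Join-Path $LocalAid 'oracle_datafile_directories.txt'

New-Item -ItemType Directory -Path $LocalAid -Force | Out-Null

# Read the SYS password without echo; it reaches SQL*Plus on stdin, never on argv.
$secure = Read-Host -Prompt 'SYS password' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# v`$ stops PowerShell from expanding $controlfile and $logfile inside the here-string.
$sql = @"
WHENEVER SQLERROR EXIT SQL.SQLCODE
CONNECT sys/$plain@protect AS SYSDBA
ALTER DATABASE BACKUP CONTROLFILE TO TRACE AS '$TraceFile';
CREATE PFILE='$PfileOut' FROM SPFILE;
SET HEADING OFF FEEDBACK OFF PAGESIZE 0 LINESIZE 512 TRIMSPOOL ON
SPOOL "$FileList"
SELECT file_name FROM dba_data_files
UNION
SELECT file_name FROM dba_temp_files
UNION
SELECT name FROM v`$controlfile
UNION
SELECT member FROM v`$logfile;
SPOOL OFF
EXIT
"@
$plain = $null

$output = $sql | & sqlplus.exe -S /nolog 2>&1
$sql = $null
if ($LASTEXITCODE -ne 0) { throw "SQL*Plus failed (exit $LASTEXITCODE):`n$output" }

# Check that every artifact exists and that the file list is usable before relying on it.
foreach ($f in $TraceFile, $PfileOut, $FileList) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Expected recovery aid file missing: $f" }
}
$files = @(Get-Content -LiteralPath $FileList | Where-Object { $_.Trim() })
if ($files.Count -eq 0) { throw "No database files were listed in $FileList" }
if (Select-String -Path $FileList -Pattern 'ORA-\d+' -Quiet) { throw "Oracle error text found in $FileList" }

New-Item -ItemType Directory -Path $BackupAid -Force | Out-Null
Copy-Item -LiteralPath $TraceFile, $PfileOut, $FileList -Destination $BackupAid -Force
"Recovery aid files written to $BackupAid ($($files.Count) database files listed)"
```

WHENEVER SQLERROR EXIT SQL.SQLCODE makes a failed CONNECT or a failed ALTER DATABASE abort the session with a non-zero exit code, so a half-written set of recovery aid files is never copied to the backup host.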

Creating a Copy of the spfile on Windows


After you generate a trace file of the control file, you must create a copy of the spfile.

1. In Oracle SQL*Plus, at the SQL> command prompt, enter:
create pfile='C:\Temp\inittemp.ora' from spfile;

2. To exit Oracle SQL*Plus, enter:
exit

3. Navigate to the C:\Temp directory and verify that the inittemp.ora file was created.
4. In Windows, copy the inittemp.ora file from the C:\Temp directory to the \Recovery_Aid subdirectory that you
created earlier on the backup computer.
Creating Backup Directories on Windows

Performing a cold backup of the Oracle database on Windows

Shutting Down the Symantec Data Loss Prevention System on Windows


Shut down the Symantec Data Loss Prevention system during the cold back up process.
1. On the computer that hosts the Enforce Server, navigate to Start > All Programs > Administrative Tools > Services
to open the Windows Services menu.
2. Open the Services menu and stop all running Symantec Data Loss Prevention services in the following order:
• SymantecDLPDetectionServerService (on the computers that also host a detection server)
• SymantecDLPDetectionServerControllerService (on the computers that also host the Enforce Server)
• SymantecDLPIncidentPersisterService (on the computers that also host the Enforce Server)
• SymantecDLPManagerService (on the computers that also host the Enforce Server)
• SymantecDLPNotifierService (on the computers that also host the Enforce Server)

3. On the computer that hosts the database, stop the OracleServiceDATABASENAME service, where DATABASENAME is the Global Database Name and SERVICE_NAME selected during installation.
See Installing an Enforce Server.
Related Links
Performing a cold backup of the Oracle database on Windows on page 487

Copying the database files to the backup location on Windows


The database files that should be backed up are the data files, temp files, control files and redo log files returned by the query in Collecting a List of Files to be Backed up (by default these reside under %ORACLE_BASE%\oradata\protect) and the database password file.
1. Make sure that the Oracle services are stopped.
If the Oracle services are not stopped, the backup files may be corrupt and unusable.
Shutting Down the Symantec Data Loss Prevention System on Windows
2. On the computer that hosts the database, copy the files from the list that you collected in the procedure Collecting a List of Files to be Backed up into the C:\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Database directory of the computer that hosts the backup files. The restore procedure copies the contents of this directory back to %ORACLE_BASE%\oradata\protect.
3. Copy the database directory (%ORACLE_BASE%\oradata\protect, for example C:\oracle\oradata\protect) into the C:\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Protect directory of the computer that hosts the backup files.
NOTE
If you are performing this backup as part of a complete backup of a Symantec Data Loss Prevention deployment, the file path and the name of the computer that hosts the backup files should have been recorded in the Recovery Information Worksheet for reference. Otherwise, create a backup location on a computer that is accessible from the Oracle host.
Recovery Information Worksheet for Windows
4. On the computer that hosts the database, select the %ORACLE_HOME%\database\PWDprotect.ora file and copy it into the C:\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Database directory of the computer that hosts the backup files.

Performing a cold backup of the Oracle database on Windows

Restarting the system on Windows

1. On the computer that hosts the database, navigate to Start > All Programs > Administrative Tools > Services to
open the Windows Services menu.
2. From the Services menu, start all of the Oracle services:
• OracleServiceDATABASENAME
where DATABASENAME is the Global Database Name and SERVICE_NAME selected during installation.
See Installing an Enforce Server.
3. On the computer that hosts the Enforce Server, start the SymantecDLPNotifierService service before starting other Symantec Data Loss Prevention services.
4. Start the remaining Symantec Data Loss Prevention services, which might include the following, in the order listed:
• SymantecDLPManagerService (on the computer that also hosts the Enforce Server)
• SymantecDLPIncidentPersisterService (on the computer that also hosts the Enforce Server)
• SymantecDLPDetectionServerControllerService (on the computer that also hosts the Enforce Server)
• SymantecDLPDetectionServerService (on the computers that also host a detection server)
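Steps 3, 4 and 6 of Table 213 (shutting the services down in the documented order, copying the database files while Oracle is stopped, and restarting with SymantecDLPNotifierService first) can be run as one script from an administrative workstation. The PowerShell below is an added example and is not part of the Symantec documentation; the host names enforce01, detect01, oradb01 and backup01, the service name OracleServicePROTECT, the ORACLE_HOME path and WinRM access to every host are assumptions. It reads the file list produced in Collecting a List of Files to be Backed up and refuses to proceed unless each service has actually reached the Stopped state, since copying data files from a running instance produces unusable backups. The same stop and start order applies when you restart the services after a lost database connection.

```powershell
# Added example, not from the Symantec documentation. Run from an administrative workstation.
$Enforce       = 'enforce01'                                # assumed
$Detectors     = @('detect01')                              # assumed; list every detection server
$DbHost        = 'oradb01'                                  # assumed
$OracleService = 'OracleServicePROTECT'                     # assumed: OracleServiceDATABASENAME as shown in services.msc
$OracleHome    = 'C:\oracle\product\19.0.0\dbhome_1'        # assumed ORACLE_HOME on $DbHost
$BackupRoot    = '\\backup01\D$\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files'  # assumed
$FileList      = Join-Path $BackupRoot 'Recovery_Aid\oracle_datafile_directories.txt'

function Set-RemoteService {
    # Stops or starts one service on one host and blocks until it really reaches that state.
    param([string]$ComputerName, [string]$Name, [ValidateSet('Stopped', 'Running')][string]$State)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Name, $State -ScriptBlock {
        param($Name, $State)
        $svc = Get-Service -Name $Name -ErrorAction Stop
        if ($State -eq 'Stopped') { Stop-Service -Name $Name -Force } else { Start-Service -Name $Name }
        $svc.WaitForStatus($State, [TimeSpan]::FromMinutes(5))   # throws on timeout
        $svc.Refresh()
        "{0,-12} {1,-45} {2}" -f $env:COMPUTERNAME, $Name, $svc.Status
    }
}

function ConvertTo-AdminSharePath {
    # C:\oracle\oradata\protect\system01.dbf on the database host -> \\oradb01\C$\oracle\oradata\protect\system01.dbf
    param([string]$LocalPath)
    if ($LocalPath -notmatch '^([A-Za-z]):\\(.*)$') { throw "Not a local Windows path: $LocalPath" }
    return "\\$DbHost\$($Matches[1])`$\$($Matches[2])"
}

# Step 3: stop the DLP services in the documented order, then the Oracle service.
foreach ($d in $Detectors) { Set-RemoteService $d 'SymantecDLPDetectionServerService' Stopped }
foreach ($s in 'SymantecDLPDetectionServerControllerService', 'SymantecDLPIncidentPersisterService',
               'SymantecDLPManagerService', 'SymantecDLPNotifierService') {
    Set-RemoteService $Enforce $s Stopped
}
Set-RemoteService $DbHost $OracleService Stopped

try {
    # Step 4: with Oracle down, copy every listed file plus the password file into \Database.
    $dest  = Join-Path $BackupRoot 'Database'
    $files = @(Get-Content -LiteralPath $FileList | Where-Object { $_.Trim() })
    $files += Join-Path $OracleHome 'database\PWDprotect.ora'
    $seen  = @{}
    foreach ($f in $files) {
        $name = Split-Path -Leaf $f
        if ($seen.ContainsKey($name)) {
            throw "Two source files share the name $name ($($seen[$name]) and $f); the flat \Database layout cannot hold both"
        }
        $seen[$name] = $f
        $src = Get-Item -LiteralPath (ConvertTo-AdminSharePath $f)
        Copy-Item -LiteralPath $src.FullName -Destination $dest -Force
        $copy = Get-Item -LiteralPath (Join-Path $dest $name)
        if ($copy.Length -ne $src.Length) { throw "Size mismatch after copying $f" }
    }
    "Copied $($files.Count) database files to $dest"
}
finally {
    # Step 6: Oracle first, then SymantecDLPNotifierService, then the rest, detection servers last.
    Set-RemoteService $DbHost $OracleService Running
    foreach ($s in 'SymantecDLPNotifierService', 'SymantecDLPManagerService',
                   'SymantecDLPIncidentPersisterService', 'SymantecDLPDetectionServerControllerService') {
        Set-RemoteService $Enforce $s Running
    }
    foreach ($d in $Detectors) { Set-RemoteService $d 'SymantecDLPDetectionServerService' Running }
}
```

The copy runs inside try/finally so that a failed copy still restarts Oracle and the DLP services; the name-collision check exists because the documented \Database directory is flat while Oracle permits redo log members with identical file names in different directories.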

Performing a cold backup of the Oracle database on Windows

Backing up the server configuration files on Windows


Server configuration files should be backed up any time configuration changes are made on the Enforce Server or detection servers. These changes can be made on the System > Servers and Detectors > Overview > server_name > Server/Detector Details page. To make these changes, you can also edit any of the .properties files that reside in the \Program Files\Symantec\DataLossPrevention\<Enforce Server or Detection Server>\16.0.10000\Protect\config directory.
1. On the computer that hosts the Enforce Server or detection server on which configuration changes were made, select the \Program Files\Symantec\DataLossPrevention\<Enforce Server or Detection Server>\16.0.10000\Protect\config directory. Copy it to the \Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Server_Configuration_Files directory on the computer that hosts the backup files. The drive and the name of the computer that hosts the backup files were recorded in the Recovery Information Worksheet for reference.
Recovery Information Worksheet for Windows
2. Rename the directory that was copied in the previous step to indicate which server it came from, such as
config_ServerName.

This renamed directory is especially important for multi-tier installations, where configuration directories reside on
multiple servers.


Backing up files stored on the file system on Windows


Some files that are stored on the file system for the Enforce Server and detection servers should be backed up whenever
they are changed. These files include:
• Custom configuration changes
Backing up custom configuration changes on Windows
• System logs
Backing up system logs on Windows
• Keystore file
Backing up keystore files on Windows
• Services
Backing up services on Windows

Backing up custom configuration changes on Windows


The \plugins directory may contain custom code, data, or configuration changes. This directory should be backed up
any time you make changes to its default settings. It should also be backed up when custom code is added.
Custom code is usually added with the help of Symantec Support.
To back up customized changes stored in the \plugins directory
1. On the computer that hosts the Enforce Server, select the \Program Files\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins directory. Copy it into the \Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\File_System directory on the computer that hosts the backup files. The drive and the name of the computer that hosts the backup files were recorded in the Recovery Information Worksheet for reference.
Recovery Information Worksheet for Windows
2. Rename the directory that was copied in the previous step to indicate which server it came from, such as
plugins_ServerName.

Backing up files stored on the file system on Windows

Backing up system logs on Windows


You should back up server log files any time configuration changes are made on the Enforce Server or detection servers.
1. On the computer that hosts the server on which configuration changes were made, select the \ProgramData\Symantec\DataLossPrevention\<Enforce Server or Detection Server>\16.0.10000\logs directory. Copy it into the \Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\File_System directory of the computer that hosts the backup files.
The drive and the name of the computer that hosts the backup files were recorded in the Recovery Information Worksheet for reference.
Recovery Information Worksheet for Windows
2. Rename the directory that was copied in the previous step to indicate which server it came from, such as
logs_ServerName.

This renamed directory is especially important for multi-tier installations, where configuration directories reside on
multiple servers.


Backing up keystore files on Windows


If the administrators in your organization generate their own Tomcat server certificate, back up the keystore files
containing the certificate.
Back up the Tomcat keystore file

1. Copy the \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat\conf\.keystore file from the computer that hosts the Enforce Server for which the certificate was generated.
2. Copy this file to the \Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\File_System\ directory on the computer that hosts the backup files.
The file path and the name of the computer that hosts the backup files was recorded in the Recovery Information
Worksheet for reference.
Backing up files stored on the file system on Windows
Recovery Information Worksheet for Windows
Back up the keystore directory

1. Copy the \keystore directory from the Enforce Server and the detection servers.
NOTE
The \keystore folder is located at both the Program Files and ProgramData locations depending
on the features and products running in your environment. Copy the contents at both locations to create a
complete backup.
Locate the \keystore directory at the following paths:
• Enforce Server:
– \ProgramData\DataLossPrevention\EnforceServer\16.0.10000\keystore
– \Program Files\DataLossPrevention\EnforceServer\16.0.10000\Protect\keystore
• Detection servers:
– \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\keystore
– \Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\keystore
2. Copy these directories to the \Program Files\Symantec\DataLossPrevention
\SymantecDLP_Backup_Files\File_System directory on the computer that hosts the backup files.
The file path and the name of the computer that hosts the backup files was recorded in the Recovery Information
Worksheet for reference.
Related Links
Backing up files stored on the file system on Windows on page 492
About Windows System Recovery on page 494
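The four file-system procedures above (server configuration files, the \plugins directory, system logs and the keystores, including the Tomcat .keystore file) all follow the same pattern: copy a directory from each server into the backup tree and suffix the copy with the server name. The PowerShell below is an added example and is not part of the Symantec documentation; it assumes servers named enforce01 and detect01, a backup share on backup01, reachable C$ administrative shares, and that both Program Files and ProgramData trees use the Symantec\DataLossPrevention layout (the Enforce Server keystore paths printed above omit the Symantec directory, so adjust the paths if yours do). Because the keystores contain private keys, the script also strips inherited permissions from the keystore copies so that only Administrators and SYSTEM can read them.

```powershell
# Added example, not from the Symantec documentation. Run from an administrative workstation.
$Version    = '16.0.10000'
$BackupRoot = '\\backup01\D$\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files'  # assumed
$Servers    = @(                                                                                    # assumed
    @{ Name = 'enforce01'; Role = 'EnforceServer' },
    @{ Name = 'detect01';  Role = 'DetectionServer' }
)

function Copy-Tree {
    # Mirrors a directory with robocopy. Exit codes below 8 are success; 8 and above mean failures.
    param([string]$Source, [string]$Destination)
    if (-not (Test-Path -LiteralPath $Source)) { Write-Warning "Skipping missing directory $Source"; return $false }
    & robocopy.exe $Source $Destination /E /COPY:DAT /DCOPY:T /R:2 /W:5 /NP /NFL /NDL | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed (exit $LASTEXITCODE): $Source -> $Destination" }
    return $true
}

function Protect-Directory {
    # Keystores hold private keys: drop inherited permissions, leave only Administrators and SYSTEM.
    param([string]$Path)
    & icacls.exe $Path /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed (exit $LASTEXITCODE) on $Path" }
}

foreach ($s in $Servers) {
    $h = $s.Name; $role = $s.Role
    $pf = "\\$h\C$\Program Files\Symantec\DataLossPrevention\$role\$Version"   # assumed layout
    $pd = "\\$h\C$\ProgramData\Symantec\DataLossPrevention\$role\$Version"     # assumed layout

    # Server configuration files -> Server_Configuration_Files\config_<server>
    $null = Copy-Tree "$pf\Protect\config" (Join-Path $BackupRoot "Server_Configuration_Files\config_$h")
    # System logs -> File_System\logs_<server>
    $null = Copy-Tree "$pd\logs" (Join-Path $BackupRoot "File_System\logs_$h")

    # Keystore directories from both locations -> File_System\keystore_<server>\{ProgramFiles,ProgramData}
    $ks = Join-Path $BackupRoot "File_System\keystore_$h"
    $a = Copy-Tree "$pf\Protect\keystore" (Join-Path $ks 'ProgramFiles')
    $b = Copy-Tree "$pd\keystore" (Join-Path $ks 'ProgramData')
    $gotKeys = $a -or $b

    if ($role -eq 'EnforceServer') {
        # The \plugins directory and the Tomcat keystore exist only on the Enforce Server.
        $plugins = "\\$h\C$\Program Files\DataLossPrevention\ContentExtractionService\$Version\Plugins\Protect\plugins"
        $null = Copy-Tree $plugins (Join-Path $BackupRoot "File_System\plugins_$h")
        $tomcat = "$pf\Protect\tomcat\conf\.keystore"
        if (Test-Path -LiteralPath $tomcat) {
            New-Item -ItemType Directory -Path $ks -Force | Out-Null
            Copy-Item -LiteralPath $tomcat -Destination (Join-Path $ks 'tomcat.keystore') -Force
            $gotKeys = $true
        }
    }
    if ($gotKeys) { Protect-Directory $ks }
}
"File system and configuration backup completed under $BackupRoot"
```

Copying directly into config_<server>, logs_<server> and keystore_<server> replaces the manual rename step and keeps the copies from different servers apart in multi-tier installations, which is the failure the procedures above warn about.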

Backing up the Network Discover incremental scan index on Windows


Incremental scanning is a way to let you resume a scan from where you left off. Some Network Discover targets have an
option for incremental scanning.

The incremental scan index keeps track of which items have already been scanned. This index is automatically created
and updated during incremental scans.
The incremental scan index is in the directory C:\Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\scan\incremental_index.
1. Pause or stop any incremental scans that are in progress or scheduled to run.
2. Stop the SymantecDLPDetectionServerControllerService service.
3. Copy the incremental scan index directory to a backup location.
4. If you need to restore the incremental scan index, copy the files back into this directory.
Make sure all the Network Discover targets have the same target identifiers as when the incremental scan index was
backed up.

Backing up services on Windows


Services are backed up during the migration process at \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\backup\service-<date>-<time>.
Copy this directory to \Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\File_System\services.

Oracle hot backups on Windows platforms


If you are an experienced Oracle database administrator accustomed to managing enterprise-level Oracle installations, you may choose to perform hot backups. If you do, you must also run the database in ARCHIVELOG mode and back up the archived redo logs, because a hot backup can only be recovered together with them. However, keep in mind that Symantec Data Loss Prevention does not support hot backup procedures and Symantec Support may not be able to provide assistance.
Performing a cold backup of the Oracle database on Windows

About Windows System Recovery


Symantec Data Loss Prevention contains recovery options should your database or system ever experience a failure.
The process for Windows system recovery is described in the following table. For additional guidance, contact Symantec
Support for help with recovery. If installation and system maintenance recommendations were not followed before the
system failure, contact Symantec Support. Before contacting Symantec Support, make sure that the backup files are
available for use in a recovery installation.

Table 214: Windows system recovery components

Component: Windows recovery information worksheet
Description: Recovery Information Worksheet for Windows
Component: Windows recovery process
Description: About recovering your system on Windows platforms

Recovery Information Worksheet for Windows


Use the recovery information worksheet to record important information about your system.
Assuming you followed the recommended backup instructions, the backup files are located on an alternate computer
in directory \Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files and its
subdirectories, each of which is listed in Table 215: Recovery Information Worksheet.
Performing a cold backup of the Oracle database on Windows

1. Print this page containing the Recovery Information Worksheet.
2. In the first row of the "Customer names and locations" column, write in the computer name of the host where you have
set up the backup directory.
3. In the subsequent rows in the "Customer names and locations" column, in the space provided preceding the backup
directory, write in the volume drive letter where the backup directory is located.
For example, if the drive is "D" you would enter:
_D_:\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files
4. Store this worksheet in a secure location because it contains sensitive data.

Table 215: Recovery Information Worksheet

Backup file information: Name of the computer that hosts backup files
Example names and locations: machine_name
Customer names and locations: ______________________________

Backup file information: Directory containing backup files
Example names and locations: \Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files
Customer names and locations: ___:\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files

Backup file information: Subdirectory containing file system backup files
Example names and locations: \Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\File_System
Customer names and locations: ___:\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\File_System

Backup file information: Subdirectory containing Enforce and detection server configuration backup files
Example names and locations: \Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Server_Configuration_Files
Customer names and locations: ___:\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Server_Configuration_Files

Backup file information: Subdirectory containing database backup files
Example names and locations: \Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Database
Customer names and locations: ___:\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Database

Backup file information: Subdirectory containing Database Recovery Aid files
Example names and locations: \Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Recovery_Aid
Customer names and locations: ___:\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Recovery_Aid

About recovering your system on Windows platforms


The recovery process re-creates the part of the system that failed.
After a successful recovery, you should copy the backup files to their previous location in the system.
NOTE
System recovery procedures do not vary according to installation tier. These instructions are appropriate for
single-tier, two-tier, and three-tier installations.
If you did not follow the backup procedures as documented in this guide, these recovery steps are not appropriate.

The following table describes the steps necessary to recover Windows.

Table 216: Windows recovery

Step 1: Recover the database.
        See About recovering the database on Windows.
Step 2: Recover the Enforce Server.
        See Recovering the Enforce Server on Windows.
Step 3: Recover the detection server.
        See Recovering a detection server on Windows.

About recovering the database on Windows

Based on the type of database failure you experienced, choose the appropriate database recovery procedure:
• If the previous database can no longer be used, create a new database.
• If the database malfunctioned due to a system failure or user error, restore the previously existing database. For
example, if an important file was accidentally deleted, you can restore the database to a point in time when the
important file still existed.
Restoring an Existing Database on Windows
Creating a New Database on Windows
About recovering your system on Windows platforms

Restoring an Existing Database on Windows

Use the following steps to restore a database backup to a Windows server.


About recovering the database on Windows
1. Make sure that the database environment is healthy. Check the existing database, the database server that hosts the
existing database, and the computer that hosts the database server.
2. On the computer that hosts the Enforce Server, navigate to Start > All Programs > Administrative Tools > Services.
This navigation opens the Windows Services menu.
3. From the Windows Services menu, stop all Symantec Data Loss Prevention services in the following order:
• SymantecDLPDetectionServerService (on the computer or computers hosting a detection server)
• SymantecDLPDetectionServerControllerService (on the computer hosting the Enforce Server)
• SymantecDLPIncidentPersisterService (on the computer hosting the Enforce Server)
• SymantecDLPManagerService (on the computer hosting the Enforce Server)
• SymantecDLPNotifierService (on the computer hosting the Enforce Server)

4. On the computer that hosts the database, stop all of the Oracle services.
5. Copy the contents of the \Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Database directory to the %ORACLE_BASE%\oradata\protect directory (for example, C:\oracle\oradata\protect) on the computer that hosts the new database. The information about the computers and directories is located on the Recovery Information Worksheet.
Recovery Information Worksheet for Windows

6. To open Oracle SQL*Plus, navigate to Windows > Start > All Programs > Oracle - OraDb<ver>_home1 >
Application Development > SQL Plus. This navigation assumes the default locations from the Oracle installation
process.
7. At the SQL> command prompt, to connect as the sysdba user, enter:
connect sys/password as sysdba

where the password is the SYS password.


See Installing an Enforce Server.
8. At the SQL> prompt, enter:
startup

Related Links
About recovering your system on Windows platforms on page 495

Creating a New Database on Windows

Create a new database, then copy the contents of the backup database to the new database.
About recovering the database on Windows
1. If you have not co-located the database and the database server, make sure that each is in a healthy state.
2. See the instructions for installing an Oracle database.
This step assumes that the drive structure of the new database is the same as the drive structure of the old database.
Perform the following tasks in the order presented:
• Copy the contents of the \SymantecDLP_Backup_Files\Database directory to the \oracle\product\19.3.0.0\oradata\protect directory on the computer that hosts the new database. The information about the computers and directories is located on the Recovery Information Worksheet.
Recovery Information Worksheet for Windows
• To open Oracle SQL*Plus, navigate to Windows > Start > All Programs > Oracle - OraDb<ver>_home1 >
Application Development > SQL Plus. This navigation assumes the default locations from the Oracle installation
process.
• At the SQL> command prompt, to connect as the sysdba user, enter
connect sys/password@protect as sysdba
Where password is the password created for single- and two-tier installations.
• At the SQL> prompt, enter
startup

3. If the drive structure of the new database is different from the drive of the old database, perform the following tasks in
the order presented:
• Edit the inittemp.ora file in the \SymantecDLP_Backup_Files\Recovery_Aid directory to reflect the drive
structure of the new database. The information about this computer is in the Recovery Information Worksheet.
Recovery Information Worksheet for Windows
The following parameters might need to be modified to accommodate differences in directory structure:
*.background_dump_dest
*.control_files
*.core_dump_dest
*.user_dump_dest
• Rename the edited inittemp.ora file to initprotect.ora.
• Copy the initprotect.ora file to the %ORACLE_HOME%\database directory on the computer that hosts the new database.
• Copy the contents of the \SymantecDLP_Backup_Files\Database directory to the \oracle\product\19.3.0.0\oradata\protect directory on the computer that hosts the new database. The information about this computer is in the Recovery Information Worksheet.
Recovery Information Worksheet for Windows
• On the computer that hosts the new database, open Oracle SQL*Plus. Navigate to Windows > Start > All
Programs > Oracle - OraDb19g_home1 > Application Development > SQL Plus.
This navigation assumes that the default locations were accepted during the Oracle installation process. See the instructions for installing an Oracle database for additional details.
• At the SQL> command prompt, to connect as the sysdba user, enter:
connect sys/password@protect as sysdba
Where password is the password created for single- and two-tier installations.
• At the SQL> prompt, enter:
create spfile from pfile='%ORACLE_HOME%\database\initprotect.ora';
• To shut down, enter:
shutdown
• To start, enter:
startup

About recovering your system on Windows platforms


Recovering the Enforce Server on Windows

1. Make sure that the Enforce Server application and the computer hosting it are in a healthy state.
2. Make sure that the Oracle database is intact and running correctly.
About recovering the database on Windows
3. Reinstall the Enforce Server.
See Installing an Enforce Server.

4. When you get to the Final Confirmation window in the installation procedure, make sure that the Initialize Enforce
Data box is not checked.
5. Continue with the installation procedure as described in Installing an Enforce Server on Windows.
6. Restore the server files listed in the following table.

Description                 Copy from                                                                                   Copy to
Server configuration files  \SymantecDLP_Backup_Files\Server_Configuration_Files\config                                 \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config on the computer that hosts the new Enforce Server
Customized changes          \SymantecDLP_Backup_Files\File_System\plugins                                               \Program Files\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins directory on the computer that hosts the new Enforce Server
Tomcat keystore file        \SymantecDLP_Backup_Files\File_System\.keystore                                             \Program Files\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat\conf\ directory on the computer that hosts the new Enforce Server
Keystore directories        Program Files and ProgramData locations at \SymantecDLP_Backup_Files\File_System\keystore   \Program Files\DataLossPrevention\EnforceServer\16.0.10000\Protect\keystore and \ProgramData\DataLossPrevention\EnforceServer\16.0.10000\keystore directories on the computer that hosts the new Enforce Server

Related Links
Recovery Information Worksheet for Windows on page 494
Use the recovery information worksheet to record important information about your system.
About recovering your system on Windows platforms on page 495

Recovering a detection server on Windows

1. Make sure the server to host the recovered detection server application and the computer that hosts the server are in
a healthy state.
2. Follow the instructions in Installing a detection server on Windows to create a detection server.
3. Restore the server files.

Description                 Copy from                                                                                   Copy to
Server configuration files  \SymantecDLP_Backup_Files\Server_Configuration_Files\config                                 \Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\config on the computer that hosts the new detection server
Customized changes          \SymantecDLP_Backup_Files\File_System\plugins                                               \Program Files\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins directory on the computer that hosts the new detection server
Keystore directories        Program Files and ProgramData locations at \SymantecDLP_Backup_Files\File_System\keystore   \Program Files\DataLossPrevention\DetectionServer\16.0.10000\Protect\keystore and \ProgramData\DataLossPrevention\DetectionServer\16.0.10000\keystore directories on the computer that hosts the new detection server

Recovery Information Worksheet for Windows


About recovering your system on Windows platforms

Backing up and recovering on Linux


Review the following information to identify important items to back up on a Linux server.
This section includes the following topics:
About backup and recovery on Linux
About periodic system backups on Linux
About partial backups on Linux
Preparing the backup location on Linux
Performing a Cold Backup of the Oracle Database on Linux
Backing up the server configuration files on Linux
Backing up Files Stored on the File System on Linux
Oracle hot backups on Linux platforms
Recovering Your System on Linux

About backup and recovery on Linux
Perform system backups in case the Symantec Data Loss Prevention system crashes and needs to be restored. The
system that should be backed up includes the Enforce Server, the detection servers, the database, and the incident
attachment external storage directory, if present. These backup procedures can be used for single-tier, two-tier, and three-tier installations.
The cold backup procedures for the Oracle database are for non-database administrators who have no standard backup
methods for databases.
Symantec recommends that administrators perform backups of their entire system. Administrators should follow all of the
backup instructions that are in this section in the order in which they are presented.
Administrators who would prefer to back up only part of their system must determine which subsets of the system backup
instructions to follow.
Symantec recommends that your storage system administrator perform all backups of your incident attachment external
storage directories.
About periodic system backups on Linux
About partial backups on Linux

About periodic system backups on Linux


Perform system backups regularly. The frequency of system backups should be determined based on the size of the
system and the internal company policies.
Large databases may take longer to back up. Database backups should be performed at least weekly.
Server configuration and file system backups should be performed after configuration changes are made on the Enforce
Server or detection server. You should also perform backups when you generate encrypted keys.
Symantec recommends that administrators perform backups of their entire system. Administrators should follow all of the
backup instructions that are in this section in the order in which they are presented.
Complete system backups should be performed at the following times:
• After installation
• Before any system upgrades
• Any time the system changes, such as when a Symantec Data Loss Prevention server is added to or removed from
the system configuration
Keep in mind schedule considerations when performing your backups.
About Scheduling a System Backup on Linux
About partial backups on Linux
About backup and recovery on Linux

About Scheduling a System Backup on Linux


When scheduling system backups, keep in mind the following concepts:
• For single-tier installations, the system is offline during backups while the files are copied.
During backups, Symantec Data Loss Prevention does not scan or find incidents. Reports are also inaccessible during
backups. For these reasons, backups should be scheduled during times when the system is typically not very active.

Such times may be on weekends when users are unlikely to use the system and when incidents are less likely to be
generated.
• The backup methods that are described in this section do not accommodate point-in-time recovery. If the last system
backup was two days ago and the system crashes, the information from those two days is lost. The system cannot be
restored to times other than the time of the last backup.
• Before performing a backup, use regular company or system notifications to let users know that the system is offline
and unavailable during the system backup.

Related Links
About periodic system backups on Linux on page 501

About partial backups on Linux


Administrators who want to perform partial system backups can use either of the following subsets of the instructions:
• To back up a database only:
• Preparing the backup location on Linux
• Performing a Cold Backup of the Oracle Database on Linux
• To back up an Enforce Server or detection server only:
• Preparing the backup location on Linux
• Backing up the server configuration files on Linux
• Backing up Files Stored on the File System on Linux

Preparing the backup location on Linux


Preparing the backup location involves determining the size of the backup and identifying a suitable backup location.
Symantec Data Loss Prevention provides a convenient Recovery Information Worksheet to help record the locations of
the backup directories. The procedures in this section include instructions for when to record information in the worksheet.
These instructions are for performing backups on hard drives. After you perform the backup on a hard drive, the data
should be archived to tape.
Recovery Information Worksheet for Linux
Preparing the backup location consists of the following steps:

Table 217: Preparing the backup location

Step Action Description

1 Determine the size of the backup sections. Determining the Size of the Backup on Linux
2 Calculate the total size of the backup. Calculating the total size of the backup on Linux
3 Identify the backup location. Identifying a backup location on Linux
4 Create the backup directories. Creating backup directories on Linux

Determining the Size of the Backup on Linux


The size of a full backup is the sum of the following items:
• The size of the database
• The size of the file system files to be backed up
• The size of the server configuration files to be backed up

However, file system and server configuration files do not need to be backed up as often as the database. The size of the
backup varies depending on what is backed up. Only follow the sizing procedures in this section that are relevant to the
backup being performed.
Preparing the backup location on Linux
Determine the Size of the Database

1. Log on to the computer that hosts the Oracle database as the oracle user.
2. To open Oracle SQL*Plus, enter:
sqlplus /nolog

3. At the SQL> command prompt, to connect as the sysdba user, enter:
connect sys/password as sysdba

where the password is the SYS password.


4. After receiving the Connected message, run the following SQL query by copying or entering it into the command
prompt:

SELECT ROUND(SUM(bytes)/1024/1024/1024, 4) GB
FROM (
SELECT SUM(bytes) bytes
FROM dba_data_files
UNION ALL
SELECT SUM(bytes) bytes
FROM dba_temp_files
UNION ALL
SELECT SUM(bytes) bytes
FROM v$log
);

5. Note the size of the database.


Calculating the total size of the backup on Linux
6. To exit Oracle SQL*Plus, enter:
exit

Determine the Size of the File System File

1. On the computer that hosts the server on which customizations were added or changes were made, log on as root.
2. Change to the /opt/Symantec/DataLossPrevention/ContentExtractionService/16.0.10000/Plugins/Protect/plugins directory.
3. Use the disk usage command to determine the sizes of the directory trees and their contents. The output is displayed
in kilobytes, megabytes, and gigabytes.
du -h

4. Note the size.
5. Repeat steps 2 through 4 for the /var/log/Symantec/DataLossPrevention/<Enforce Server or Detection Server>/16.0.10000/ directory.
6. Repeat steps 1 through 5 for any other computers that host Symantec Data Loss Prevention servers.
7. Calculate the total size of the directories and record this number.
Calculating the total size of the backup on Linux
Determine the Size of the Server Configuration Files

1. On the computer that hosts the server on which configuration changes were made, log on as root.
2. Change to the /opt/Symantec/DataLossPrevention/<Enforce Server or Detection Server>/16.0.10000/Protect/config directory.
3. Use the disk usage command to determine the sizes of the directory trees and their contents:
du -h

The output is displayed in kilobytes, megabytes, and gigabytes.


4. Note the total size of the directory.
5. Repeat steps 1 through 4 for any other computers that host Symantec Data Loss Prevention servers.
6. Calculate the total size of the configuration directories on all servers and record this number.
Calculating the total size of the backup on Linux
Calculating the total size of the backup on Linux

Use the sizes from the individual procedures to sum the total size of the backup.
1. Enter the size of the database here: _______
2. Enter the size of the file system files, here: _______
3. Enter the size of the server configuration files here: _______
4. Add the size of the database to the size of the configuration files and file system files for a total size here: _______

Preparing the backup location on Linux

Identifying a backup location on Linux


The backup location should be on a computer other than the ones that host the database, the Enforce Server, or the
detection servers. The backup location must have enough available space for the backup files.
1. Make sure that the backup location is accessible from the computers that host the servers and databases that need to
be backed up.
2. Verify that the amount of available disk space in a potential backup location is greater than the size of the backup:
To determine the amount of space available on the hard disk, while logged on as root, enter:
df

Make sure that this number is greater than the size of the database.
Determining the Size of the Backup on Linux

3. After you identify a computer that has enough disk space, note down its fully qualified domain name. Enter this
information on the Recovery Information Worksheet.
Recovery Information Worksheet for Linux
4. To determine the name of a computer, enter:
hostname -f
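The sizing arithmetic and the df check of the preceding steps, as an added example that is not part of the Symantec guide: a POSIX shell script that sums the du output of the directories the guide names, adds the database size printed by the guide's SQL query (in GB), and compares the total with the free space on the backup location. The 10% safety margin, the helper names and the constructed du sample are this example's own.

```shell
#!/bin/sh
# Added example, not from the Symantec guide. Automates the arithmetic of
# "Determining the Size of the Backup on Linux", "Calculating the total size
# of the backup on Linux" and the df check of "Identifying a backup location
# on Linux". Assumptions: POSIX du -sk / df -Pk output, a 10% safety margin
# chosen here (the guide only asks for "greater than").

# Directories the guide measures (16.0.10000 Enforce Server layout).
DEFAULT_DIRS="/opt/Symantec/DataLossPrevention/ContentExtractionService/16.0.10000/Plugins/Protect/plugins \
/var/log/Symantec/DataLossPrevention/EnforceServer/16.0.10000 \
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config"

# Constructed sample of `du -sk` output (kB, path) for the offline demo below.
SAMPLE_DU="2048 /opt/Symantec/DataLossPrevention/ContentExtractionService/16.0.10000/Plugins/Protect/plugins
1024 /var/log/Symantec/DataLossPrevention/EnforceServer/16.0.10000
512 /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config"

# Sum the first (kilobyte) column of du -sk lines read from stdin.
sum_du_kb() {
    awk '{ total += $1 } END { printf "%d\n", total + 0 }'
}

# Convert the GB figure printed by the guide's SQL query (e.g. 12.3456) to kB.
gb_to_kb() {
    awk -v gb="$1" 'BEGIN { printf "%d\n", gb * 1024 * 1024 }'
}

# fits_with_margin REQUIRED_KB AVAILABLE_KB [MARGIN_PCT]: 0 if the space suffices.
# Integer arithmetic, so no floating-point rounding at the boundary.
fits_with_margin() {
    awk -v r="$1" -v a="$2" -v m="${3:-10}" 'BEGIN { exit !(a * 100 >= r * (100 + m)) }'
}

# Free kB on the filesystem holding PATH (POSIX df output, column 4 of line 2).
available_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# du -sk every directory given that exists on this host, summed.
measure_dirs_kb() {
    for d in "$@"; do
        [ -d "$d" ] && du -sk "$d"
    done | sum_du_kb
}

# Offline demo on the constructed sample: a 2 GB database plus 3584 kB of files.
demo_sizing() {
    files_kb=$(printf '%s\n' "$SAMPLE_DU" | sum_du_kb)
    echo $(( $(gb_to_kb 2) + files_kb ))
}

# main DB_GB BACKUP_DIR [DIR ...]: print the totals and the verdict.
main() {
    db_gb=$1; backup_dir=$2; shift 2
    [ $# -gt 0 ] || set -- $DEFAULT_DIRS
    need_kb=$(( $(gb_to_kb "$db_gb") + $(measure_dirs_kb "$@") ))
    have_kb=$(available_kb "$backup_dir")
    echo "required: ${need_kb} kB   available on ${backup_dir}: ${have_kb} kB"
    if fits_with_margin "$need_kb" "$have_kb" 10; then
        echo "OK: the backup location has enough space (10% margin)"
    else
        echo "NOT ENOUGH SPACE on $backup_dir" >&2
        return 1
    fi
}

if [ $# -lt 2 ]; then
    echo "usage: $0 <database_size_gb> <backup_dir> [dir ...]" >&2
else
    main "$@"
fi
```

Run it on the backup host with the GB value from the SQL query and the mount point identified in step 3; pass the directories measured on other servers explicitly when the file system files live on more than one computer.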

Preparing the backup location on Linux

Creating backup directories on Linux


1. Create a directory in which to store the backup files:
mkdir /opt/Symantec/DataLossPrevention_Backup_Files

This directory is usually under /opt if the backup computer has a Linux operating system. It can be created in any
directory.
Remember that this directory should be created on a computer other than the one that hosts the database, the Enforce
Server, or the detection servers.
2. Create the following subdirectories in which to store the backup files:
mkdir /opt/Symantec/DataLossPrevention_Backup_Files/File_System
mkdir /opt/Symantec/DataLossPrevention_Backup_Files/Server_Configuration_Files
mkdir /opt/Symantec/DataLossPrevention_Backup_Files/Database
mkdir /opt/Symantec/DataLossPrevention_Backup_Files/Recovery_Aid
mkdir /opt/Symantec/DataLossPrevention_Backup_Files/Recovery_Aid/Services

3. Complete the Recovery Information Worksheet, making use of the /opt/Symantec/DataLossPrevention_Backup_Files directory as described in the previous two steps.
Recovery Information Worksheet for Linux
4. To grant permissions to these directories to the Oracle user, enter:
chmod 777 /opt/Symantec/DataLossPrevention_Backup_Files/ -R
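An added example, not the guide's own step: the same directory layout created with ownership restricted to the account that writes the backups instead of the recursive chmod 777 above. A world-writable tree lets any local account alter or replace the datafiles, password file and keystores it will hold, and a recovery would then trust whatever was planted there. The owner and group names, the helper functions and the permission mode are this example's assumptions; the guide only says "the Oracle user".

```shell
#!/bin/sh
# Added example, not the Symantec guide's procedure. Creates the backup tree of
# "Creating backup directories on Linux" but gives it to one owner with no
# access for others, rather than chmod 777 -R. Assumptions: the writing account
# is "oracle" (adjust to your Oracle software owner) and its primary group is
# the group other DBAs should read through.

BACKUP_SUBDIRS="File_System Server_Configuration_Files Database Recovery_Aid Recovery_Aid/Services"

# create_backup_tree BASE OWNER [GROUP]: make BASE and the guide's subdirectories,
# owned by OWNER:GROUP; rwx for the owner, read/traverse for the group, nothing for others.
create_backup_tree() {
    base=$1; owner=$2; group=${3:-$(id -gn "$owner")}
    mkdir -p "$base"
    for sub in $BACKUP_SUBDIRS; do
        mkdir -p "$base/$sub"
    done
    chown -R "$owner:$group" "$base"
    chmod -R u=rwx,g=rx,o= "$base"
}

# List entries under BASE that any user could write to; empty output means clean.
world_writable_entries() {
    find "$1" -perm -o+w
}

# Number of directories created under BASE (the guide's layout has five).
count_backup_subdirs() {
    find "$1" -mindepth 1 -type d | wc -l | tr -d ' '
}

if [ $# -lt 2 ]; then
    echo "usage: $0 <backup_base_dir> <owner> [group]" >&2
else
    create_backup_tree "$1" "$2" "${3:-}"
    leaks=$(world_writable_entries "$1")
    if [ -n "$leaks" ]; then
        echo "world-writable entries remain:" >&2; echo "$leaks" >&2; exit 1
    fi
    echo "created $(count_backup_subdirs "$1") directories under $1 for $2"
fi
```

Typical use on the backup host, as root: `sh create_backup_tree.sh /opt/Symantec/DataLossPrevention_Backup_Files oracle`. The copy steps later in this section run as the oracle user and need only write access for that account; the group read access covers a DBA verifying the copies.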

Preparing the backup location on Linux

Performing a Cold Backup of the Oracle Database on Linux


Cold backups are recommended primarily for non-database administrator users. You perform a cold backup by
• Stopping the Symantec Data Loss Prevention system
• Shutting down the Oracle database
• Copying important files to a safe backup location
If your company has its own database administration team, you may not need to perform cold backups. Also, you may not
need to perform a cold backup if your company already has its own database backup policies and procedures.
The cold backup procedures that are included in this guide are the only backup procedures that Symantec supports.
Oracle hot backups on Linux platforms

Table 218: Steps to perform a cold backup of the Oracle database

Step  Action                                                                   Description
1     Create recovery aid files.                                               Creating Recovery Aid Files on Linux
2     Collect a list of directories that should be backed up.                 Collecting a list of files to be backed up
3     Shut down all of the Symantec Data Loss Prevention and Oracle services.  Shutting Down the Symantec Data Loss Prevention System on Linux
4     Copy the database files to the backup location.                         Copying the Database Files to the Backup Location on Linux
5     Optional: back up the incident attachment external storage directory.   If you are using an external storage directory for incident attachments, work with your storage system administrator to back up that directory.
6     Restart the Oracle and Symantec Data Loss Prevention services.          Restarting the System on Linux

Creating Recovery Aid Files on Linux


You should create recovery aid files for use in recovery procedures. A trace file of the control file and a copy of the
init.ora file are very helpful for database recovery.
The trace file of the control file contains the names and locations of all of the data files. This trace includes any additional
data files that have been added to the database. It also contains the redo logs and the commands that can be used to re-
create the database structure.
The init.ora file contains the initialization parameters for Oracle, including the names and locations of the database
control files.
To create a trace file of the control file:
1. Log on to the computer that hosts the Oracle database as the oracle user.
2. To open Oracle SQL*Plus, enter:
sqlplus /nolog

3. At the SQL> command prompt, to connect as the sysdba user, enter:
connect sys/password as sysdba

where the password is the SYS password.


4. After receiving the Connected message, at the SQL> command prompt, enter:
alter session set tracefile_identifier = 'controlfile';

5. Run the following command:


alter database backup controlfile to trace;

6. If you have not already done so, create the recovery aid directory on the computer that hosts the Oracle database:
/opt/oracle/Recovery_Aid
7. To find the directory in which the trace file was created, in the next line, enter:
show parameter user_dump;

8. Enter the following command:


create pfile='/opt/oracle/Recovery_Aid/init.ora' from spfile;

9. To exit Oracle SQL*Plus, enter:
exit

10. Change to the directory reported in step 7. Copy the trace file from the Recovery_Aid subdirectory on the computer that
hosts the Oracle database to the /Recovery_Aid subdirectory on the backup computer that you created earlier.
Other trace files are located in the user_dump directory. Be sure to copy the file with the most recent date and
timestamp.
To check the date and the timestamps of the files in the directory, enter:
ls -l *controlfile.trc

11. Rename the file so that it can be easily identified, for example:
controlfilebackupMMDDYY.trc.

Related Links
Collecting a list of files to be backed up on page 507
Performing a Cold Backup of the Oracle Database on Linux on page 505

Collecting a list of files to be backed up


You can create a list of files that need to be backed up. These lists are used in a later step.
1. Open SQL*Plus using the following command:
sqlplus sys/<password> as sysdba

2. Enter following SQL commands to create lists of files that must be backed up:
SELECT file_name FROM dba_data_files
UNION
SELECT file_name FROM dba_temp_files
UNION
SELECT name FROM v$controlfile
UNION
SELECT member FROM v$logfile;

3. Save the list of files returned by the query: /opt/Symantec/DataLossPrevention_Backup_Files/Recovery_Aid/oracle_datafile_directories.txt.
4. Exit SQL*Plus:
exit;

Creating a Copy of the spfile on Linux


After you create a trace file of the control file, you must create a copy of the spfile.
Creating Recovery Aid Files on Linux
1. Log on to the computer that hosts the Enforce Server as the oracle user.
2. To open Oracle SQL*Plus, enter:
sqlplus /nolog

3. At the SQL> command prompt, to connect as the sysdba user, enter:
connect sys/password as sysdba

where the password is the SYS password.

4. After receiving the Connected message, at the SQL> command prompt, enter:
create pfile='/tmp/inittemp.ora' from spfile;

5. To exit Oracle SQL*Plus, enter:


exit

6. Change to the /tmp directory and verify that the inittemp.ora file was created.
7. Copy the inittemp.ora file to the /Recovery_Aid subdirectory on the backup computer that you created earlier.
Creating backup directories on Linux

Performing a Cold Backup of the Oracle Database on Linux

Shutting Down the Symantec Data Loss Prevention System on Linux


Shut down the Symantec Data Loss Prevention system during the cold backup process.
1. On the computer that hosts the Enforce Server, log on as root.
2. Go to the /opt/Symantec/DataLossPrevention/<Enforce Server or Detection Server>/16.0.10000/Protect/bin directory.
3. Stop all running Symantec Data Loss Prevention services in the following order:
• ./SymantecDLPDetectionServerService.sh stop (on the computers that also host a detection server)
• ./SymantecDLPDetectionServerControllerService.sh stop (on the computers that also host the Enforce
Server)
• ./SymantecDLPIncidentPersisterService.sh stop (on the computers that also host the Enforce Server)
• ./SymantecDLPManagerService.sh stop (on the computers that also host the Enforce Server)
• ./SymantecDLPNotifierService.sh stop (on the computers that also host the Enforce Server)
Services can be started by going to the /etc directory and running the following command:
./init.d/SymantecDLPServiceName start

Services can be stopped by changing to the /etc directory and running the following command:
./init.d/SymantecDLPServiceName stop

4. On the computer that hosts the database, log on as the oracle user.
5. To open Oracle SQL*Plus, enter:
sqlplus /nolog

6. At the SQL> command prompt, to connect as the sysdba user, enter:
connect sys/password as sysdba

where the password is the SYS password.


See the Symantec Data Loss Prevention Installation Guide.
7. After receiving the Connected message, at the SQL> command prompt, to stop all of the Oracle services, enter:
shutdown immediate

Performing a Cold Backup of the Oracle Database on Linux

Copying the Database Files to the Backup Location on Linux
Back up database files in the /Recovery_Aid directory and the database password file.

1. Make sure that the Oracle services are stopped.


If the Oracle services are not stopped, the backup files will be corrupt and unusable.
Shutting Down the Symantec Data Loss Prevention System on Linux
2. On the computer that hosts the database, copy the directories (and their contents) using the list of directories that you collected previously (see Collecting a list of files to be backed up) to the /opt/DataLossPrevention_Backup_Files/Database directory of the computer or storage device that hosts the backup files.
NOTE
If you are performing this backup as part of a complete backup of a Symantec Data Loss Prevention
deployment, the file path and the name of the computer that hosts the backup files should have been
recorded in the Recovery Information Worksheet for reference. Otherwise, create a backup location on a
computer that is accessible from the Oracle host.
Recovery Information Worksheet for Linux
3. Copy the /Recovery_Aid/ subdirectory from the computer that hosts the database to the backup computer.
If you have not yet created this directory, create the following directory on a computer or storage device other than the
computer that hosts the Oracle database:
/opt/Symantec/DataLossPrevention_Backup_Files/Recovery_Aid
Set permissions for this directory for the Oracle user by running the following command:
chmod 777 /opt/Symantec/DataLossPrevention_Backup_Files/ -R

4. On the computer that hosts the database, copy the $ORACLE_HOME/dbs/orapwprotect file into the /opt/DataLossPrevention_Backup_Files/Database directory of the computer or storage device that hosts the backup files.
The file path and the name of the computer or storage device that hosts the backup files should have been recorded in
the Recovery Information Worksheet for reference.

Performing a Cold Backup of the Oracle Database on Linux

Restarting the System on Linux


Restart the system after you have copied database files to the backup location.
1. On the computer that hosts the database, log on as the oracle user.
2. To open Oracle SQL*Plus, enter:
sqlplus /nolog

3. At the SQL> command prompt, to connect as the sysdba user, enter:
connect sys/password as sysdba

where the password is the SYS password.


4. After you receive the Connected message, at the SQL> command prompt, start all of the Oracle services. To start all of
the Oracle services, enter the following command:
startup

5. On the computer that hosts the Enforce Server, log on as root.
6. Change directory to /opt/Symantec/DataLossPrevention/<Enforce Server or Detection Server>/16.0.10000/Protect/bin.
7. Before starting other Symantec Data Loss Prevention services, start the SymantecDLPNotifierService service.
./SymantecDLPNotifierService.sh start

8. Start the remaining Symantec Data Loss Prevention services in the following order:
• ./SymantecDLPManagerService.sh start (on the computers that also host the Enforce Server)
• ./SymantecDLPIncidentPersisterService.sh start (on the computers that also host the Enforce Server)
• ./SymantecDLPDetectionServerControllerService.sh start (on the computers that also host the Enforce
Server)
• ./SymantecDLPDetectionServerService.sh start (on the computers that also host a detection server)
Services can be started by changing to the /etc directory and running the following command:
./init.d/SymantecDLPServiceName start
Services can be stopped by changing to the /etc directory and running the following command:
./init.d/SymantecDLPServiceName stop
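The copy step of the cold backup (Table 218, step 4), driven by the file list collected in "Collecting a list of files to be backed up", as an added example that is not from the guide: it refuses to run while an Oracle instance is up (the guide warns that files copied from a running database are unusable), copies each listed file under the Database backup directory with its absolute path preserved so the recovery steps can put it back where it was, copies the orapwprotect password file owner-only, and writes and checks a SHA-256 manifest so a restore can verify the copies before starting the database on them. The manifest file name, the pgrep pattern and the constructed test files are this example's own.

```shell
#!/bin/sh
# Added example; not part of the Symantec guide. Copies the Oracle files named
# in oracle_datafile_directories.txt into the Database backup directory and
# records their SHA-256 hashes. Assumptions: GNU coreutils (sha256sum), pgrep,
# and the standard Oracle background process name prefix "ora_pmon_".

MANIFEST_NAME=MANIFEST.sha256

# 0 if an Oracle instance (its PMON process) is running on this host.
oracle_is_running() {
    pgrep -f 'ora_pmon_' >/dev/null 2>&1
}

# copy_listed_files LIST DEST: copy each file named in LIST to DEST<absolute path>.
# Blank lines and the header/footer that saved SQL*Plus output carries are skipped.
copy_listed_files() {
    list=$1; dest=$2
    while IFS= read -r line; do
        f=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $f in ''|FILE_NAME|---*|*'rows selected'*) continue ;; esac
        [ -f "$f" ] || { echo "listed file missing: $f" >&2; return 1; }
        mkdir -p "$dest$(dirname "$f")"
        cp -p "$f" "$dest$f"
    done < "$list"
}

# write_manifest DEST: hash every file under DEST, paths relative to DEST.
write_manifest() {
    (cd "$1" && find . -type f ! -name "$MANIFEST_NAME" -exec sha256sum {} + | LC_ALL=C sort -k2) > "$1/$MANIFEST_NAME"
}

# verify_manifest DEST: 0 only if every manifest entry still matches its file.
verify_manifest() {
    (cd "$1" && sha256sum -c --quiet "$MANIFEST_NAME") >/dev/null 2>&1
}

# Number of files recorded in DEST's manifest.
manifest_entries() {
    awk 'END { print NR }' "$1/$MANIFEST_NAME"
}

# cold_backup LIST DEST: the guard, the copy, the password file and the manifest.
cold_backup() {
    list=$1; dest=$2
    if oracle_is_running; then
        echo "an Oracle instance is still running; run 'shutdown immediate' first" >&2
        return 1
    fi
    copy_listed_files "$list" "$dest" || return 1
    if [ -n "${ORACLE_HOME:-}" ] && [ -f "$ORACLE_HOME/dbs/orapwprotect" ]; then
        cp -p "$ORACLE_HOME/dbs/orapwprotect" "$dest/orapwprotect"
        chmod 600 "$dest/orapwprotect"    # password file: owner read/write only
    fi
    write_manifest "$dest"
    verify_manifest "$dest" && echo "backup verified: $(manifest_entries "$dest") files under $dest"
}

if [ $# -ne 2 ]; then
    echo "usage: $0 <oracle_datafile_directories.txt> <Database backup directory>" >&2
else
    cold_backup "$1" "$2"
fi
```

Run it as the oracle user after `shutdown immediate`, with the list saved in step 3 of "Collecting a list of files to be backed up" and the Database directory recorded on the worksheet. Keep MANIFEST.sha256 with the backup and run `verify_manifest` on the copy again before a recovery, so that a corrupted or altered datafile is caught before Oracle is started on it.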

Performing a Cold Backup of the Oracle Database on Linux

Backing up the server configuration files on Linux


Server configuration files should be backed up any time configuration changes are made on the Enforce Server or detection servers. These changes can be made on the System > Servers and Detectors > Overview > server_name > Server/Detector Details page. To make these changes, you can also edit any of the files with a .properties extension that reside in the /opt/Symantec/DataLossPrevention/<Enforce Server or Detection Server>/16.0.10000/Protect/config directory.
1. On the computer that hosts the Enforce Server or detection server on which configuration changes were made, copy the /opt/Symantec/DataLossPrevention/<Enforce Server or Detection Server>/16.0.10000/Protect/config directory. Copy it to the /opt/Symantec/DataLossPrevention_Backup_Files/Server_Configuration_Files directory on the computer that hosts the backup files. The file path and the name of the computer that hosts the backup files was recorded in the Recovery Information Worksheet for reference.
Recovery Information Worksheet for Linux
2. Rename the directory that was copied in the previous step to indicate which server it came from, such as
config_ServerName.

This renamed directory is especially important for multi-tier installations, where configuration directories reside on
multiple servers.

Performing a Cold Backup of the Oracle Database on Linux

Backing up Files Stored on the File System on Linux


Some files that are stored on the file system for the Enforce Server and detection servers should be backed up whenever
they are changed. These files include:
• Custom configuration changes
Backing up custom configuration changes on Linux
• System logs

Backing up system logs on Linux
• Keystore files
Backing up keystore files on Linux
• Services
Backing up services on Linux

Backing up custom configuration changes on Linux


The plugins directory may contain custom code, data, or configuration changes. You should back up this directory any
time you make changes to the default settings in this directory. You should also back it up when you add custom code.
Custom code is usually added with the help of Symantec Support.
1. On the computer that hosts the Enforce Server, copy the
/opt/Symantec/DataLossPrevention/ContentExtractionService/16.0.10000/Plugins/Protect/plugins directory. Copy it into the
/opt/DataLossPrevention_Backup_Files/File_System directory on the computer that hosts the backup files.
The file path and the name of the computer that hosts the backup files were recorded in the Recovery Information
Worksheet for reference.
Recovery Information Worksheet for Linux
2. Rename the directory that was copied in the previous step to indicate which server it came from, such as
plugins_ServerName.

Backing up Files Stored on the File System on Linux

Backing up System Logs on Linux


You should back up server log files any time configuration changes are made on the Enforce Server or detection servers.
1. On the computer that hosts the server on which configuration changes were made, copy the
/var/log/Symantec/DataLossPrevention/EnforceServer/16.0.10000/ directory. Copy it into the
/opt/DataLossPrevention_Backup_Files/File_System directory of the computer that hosts the backup files.
The file path and the name of the computer that hosts the backup files were recorded in the Recovery Information
Worksheet for reference.
Recovery Information Worksheet for Linux
2. Rename the directory that was copied in the previous step to indicate which server it came from, such as
logs_ServerName.

This renamed directory is especially important for multi-tier installations with log directories on multiple servers.

Backing up Files Stored on the File System on Linux

Backing up Keystore Files on Linux
If the administrators in your organization generate their own Tomcat server certificate, back up the keystore file containing
the certificate.
1. Copy the /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/tomcat/conf/.keystore file from the
computer that hosts the Enforce Server for which the certificate was generated.
2. Copy this file to the /opt/DataLossPrevention_Backup_Files/File_System directory on the computer that
hosts the backup files.
The file path and the name of the computer that hosts the backup files were recorded in the Recovery Information
Worksheet for reference.
Recovery Information Worksheet for Linux

Backing up Files Stored on the File System on Linux


Back up the keystore directory

1. Copy the /keystore directory from the Enforce Server and the detection servers.
NOTE
The /keystore folder is located at both the /var/ and /opt/ locations depending on the features and
products running in your environment. Copy the contents at both locations to create a complete backup.
The /keystore directory is at the following paths:
• Enforce Server:
– /var/Symantec/DataLossPrevention/EnforceServer/16.0.10000/keystore
– /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/keystore
• Detection servers:
– /var/Symantec/DataLossPrevention/DetectionServer/16.0.10000/keystore
– /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/keystore
2. Copy these directories to the /opt/DataLossPrevention_Backup_Files/File_System directory on the
computer that hosts the backup files.
The file path and the name of the computer that hosts the backup files were recorded in the Recovery Information
Worksheet for reference.
Recovery Information Worksheet for Linux

Backing up the Network Discover Incremental Scan Index on Linux


Incremental scanning is a way to let you resume a scan from where you left off. Some Network Discover targets have an
option for incremental scanning.
The incremental scan index keeps track of which items have already been scanned. This index is automatically created
and updated during incremental scans.

The incremental scan index is in the directory /var/Symantec/DataLossPrevention/DetectionServer/16.0.10000/scan/incremental_index.
1. Pause or stop any incremental scans that are in progress or scheduled to run.
2. Stop the SymantecDLPDetectionServerControllerService service.
3. Copy the incremental scan index directory to a backup location.
4. If you need to restore the incremental scan index, copy the files back into this directory.
Make sure all the Network Discover targets have the same target identifiers as when the incremental scan index was
backed up.

Backing up Services on Linux


Services are backed up during the migration process at
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/backup/service-<date>-<time>.
Copy this directory to /opt/Symantec/DataLossPrevention_Backup_Files/File_System/services.
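The copy-and-rename steps in the sections above (server configuration directory, plugins directory, log directory, Tomcat keystore file and the two keystore directory locations) are the same operation repeated for different paths. The script below is an added example, not part of the Symantec documentation or product: it performs those steps for one host and writes a SHA-256 manifest beside each copy so the backup can be verified before it is relied on during recovery. It assumes the backup root (BACKUP_ROOT, defaulting to /opt/Symantec/DataLossPrevention_Backup_Files from the Recovery Information Worksheet) is a locally mounted directory that is moved to the backup host afterwards, the 16.0.10000 install paths from this guide, and that sha256sum is available; the function names and the keystore_var/keystore_opt labels are the example's own.

```shell
#!/bin/sh
# Added example, not Symantec's code: back up the DLP 16.0.10000 file-system
# artifacts of one host into the backup layout from the Recovery Information
# Worksheet, one renamed directory per server, plus a SHA-256 manifest.
set -eu

BACKUP_ROOT="${BACKUP_ROOT:-/opt/Symantec/DataLossPrevention_Backup_Files}"  # assumed location
DLP_VERSION="16.0.10000"

# backup_dir SRC DEST_PARENT LABEL SERVER_NAME
# Copies directory SRC to DEST_PARENT/LABEL_SERVER_NAME, preserving ownership,
# modes and timestamps, and writes DEST_PARENT/LABEL_SERVER_NAME.sha256 with
# the hash of every file in the copy.
backup_dir() {
    src=$1; dest_parent=$2; label=$3; server=$4
    [ -d "$src" ] || { echo "backup_dir: $src is not a directory" >&2; return 1; }
    [ -n "$label" ] && [ -n "$server" ] || { echo "backup_dir: label and server name required" >&2; return 1; }
    mkdir -p "$dest_parent"
    dest_parent=$(cd "$dest_parent" && pwd)      # absolute, for the manifest step
    dest="$dest_parent/${label}_${server}"
    rm -rf "$dest"                                # a re-run replaces the previous copy
    cp -a "$src" "$dest"
    # Manifest paths are relative to the copy, so it still verifies after the
    # backup tree has been moved to the backup host.
    (cd "$dest" && find . -type f -exec sha256sum {} + | sort) > "$dest.sha256"
    echo "backed up $src -> $dest"
}

# verify_backup DEST_PARENT LABEL SERVER_NAME
# Recomputes every hash in the manifest; fails on a changed or missing file.
verify_backup() {
    dest_parent=$(cd "$1" && pwd)
    dest="$dest_parent/${2}_${3}"
    [ -f "$dest.sha256" ] || { echo "verify_backup: no manifest for $dest" >&2; return 1; }
    (cd "$dest" && sha256sum -c "$dest.sha256" >/dev/null)
}

# backup_host ROLE SERVER_NAME   (ROLE is EnforceServer or DetectionServer)
# Runs the copy-and-rename steps of this section for one host.
backup_host() {
    role=$1; server=$2
    opt_base="/opt/Symantec/DataLossPrevention/$role/$DLP_VERSION"
    var_base="/var/Symantec/DataLossPrevention/$role/$DLP_VERSION"
    backup_dir "$opt_base/Protect/config" "$BACKUP_ROOT/Server_Configuration_Files" config "$server"
    backup_dir "/var/log/Symantec/DataLossPrevention/$role/$DLP_VERSION" "$BACKUP_ROOT/File_System" logs "$server"
    # The keystore directory may exist at either or both locations.
    for ks in "$var_base/keystore" "$opt_base/Protect/keystore"; do
        case $ks in /var/*) tag=keystore_var ;; *) tag=keystore_opt ;; esac
        if [ -d "$ks" ]; then
            backup_dir "$ks" "$BACKUP_ROOT/File_System" "$tag" "$server"
        else
            echo "note: $ks not present on this host, skipped" >&2
        fi
    done
    if [ "$role" = EnforceServer ]; then
        backup_dir "/opt/Symantec/DataLossPrevention/ContentExtractionService/$DLP_VERSION/Plugins/Protect/plugins" \
            "$BACKUP_ROOT/File_System" plugins "$server"
        tomcat_ks="$opt_base/Protect/tomcat/conf/.keystore"   # only if a custom certificate was generated
        if [ -f "$tomcat_ks" ]; then
            cp -p "$tomcat_ks" "$BACKUP_ROOT/File_System/.keystore_$server"
        fi
    fi
}

# Usage (as root on the DLP host; the file name is hypothetical):
#   sh dlp_fs_backup.sh EnforceServer enforce01
if [ "$#" -ge 2 ]; then backup_host "$1" "$2"; fi
```

Run verify_backup on the backup host after the transfer, and again before a restore: a keystore or plugins directory that fails verification should not be copied back onto a rebuilt server.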

Oracle hot backups on Linux platforms


If you are an experienced Oracle database administrator accustomed to managing enterprise-level Oracle installations,
you may choose to perform hot backups. If you perform a hot backup, you should run the Oracle database in archive log
mode. However, keep in mind that Symantec does not support hot backup procedures and may not be able to provide
assistance.
Performing a Cold Backup of the Oracle Database on Linux

Recovering Your System on Linux


The recovery process re-creates the part of the system that failed.
After a successful recovery, you should copy the backup files to their previous location in the system.
NOTE
System recovery procedures do not vary according to installation tier. These instructions are appropriate for
single-tier, two-tier, and three-tier installations.
If you did not follow the backup procedures as documented in this guide, these recovery steps are not appropriate.
The following table describes the steps necessary to perform a Linux system recovery:

Table 219: Performing a Linux system recovery

Step  Action                         Description
1     Recover the database.          About recovering the database on Linux
2     Recover the Enforce Server.    Recovering the Enforce Server on Linux
3     Recover the detection server.  Recovering a Detection Server on Linux

Recovery Information Worksheet for Linux


Use the recovery information worksheet to record important information about your system.
If you followed the recommended backup instructions, the backup files are on another computer in the directories you
noted in the Recovery Information Worksheet. Most users choose to create these files under /opt, but the person
who created the recovery files may use another directory. Store this worksheet in a secure location because it contains
sensitive data.
Performing a Cold Backup of the Oracle Database on Linux

Table 220: Recovery Information Worksheet

Each entry gives the backup file information, an example name or location, and a blank for the customer's own name or location.

Name of computer that hosts backup files
    Example: machine_name
    Customer: ____

Directory containing backup files
    Example: opt/Symantec/DataLossPrevention_Backup_Files
    Customer: ____/DataLossPrevention_Backup_Files

Subdirectory containing file system backup files
    Example: opt/Symantec/DataLossPrevention_Backup_Files/File_System
    Customer: ____/DataLossPrevention_Backup_Files/File_System

Subdirectory containing enforce and detection server configuration backup files
    Example: opt/Symantec/DataLossPrevention_Backup_Files/Server_Configuration_Files
    Customer: ____/DataLossPrevention_Backup_Files/Server_Configuration_Files

Subdirectory containing database backup files
    Example: opt/Symantec/DataLossPrevention_Backup_Files/Database
    Customer: ____/DataLossPrevention_Backup_Files/Database

Subdirectory containing database recovery aid files
    Example: opt/Symantec/DataLossPrevention_Backup_Files/Recovery_Aid
    Customer: ____/DataLossPrevention_Backup_Files/Recovery_Aid

About recovering the database on Linux


Based on the type of database failure you experienced, choose the appropriate database recovery procedure:
• If the previous database can no longer be used, create a new database.
• If the database malfunctioned due to a system failure or user error, restore the previously existing database. For
example, if an important file was accidentally deleted, you can restore the database to a point in time when the
important file still existed.
Restoring an Existing Database on Linux
Creating a New Database on Linux
Recovering Your System on Linux

Restoring an Existing Database on Linux
Use the following steps to restore a database backup to a Linux server.
1. Make sure that the database environment is healthy. Check the existing database, the database server that hosts the
existing database, and the computer that hosts the database server.
2. On the computer that hosts the Enforce Server, log on as root.
3. Change directory to /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/bin.
4. Stop all running Symantec Data Loss Prevention services in the following order:
• ./SymantecDLPDetectionServerService.sh stop (on the computers that also host a detection server)
• ./SymantecDLPDetectionServerControllerService.sh stop (on the computers that also host the Enforce Server)
• ./SymantecDLPIncidentPersisterService.sh stop (on the computers that also host the Enforce Server)
• ./SymantecDLPManagerService.sh stop (on the computers that also host the Enforce Server)
• ./SymantecDLPNotifierService.sh stop (on the computers that also host the Enforce Server)
Services can be stopped by changing to the /etc directory and running the following command:
./init.d/SymantecDLPServiceName stop
Services can be started by changing to the /etc directory and running the following command:
./init.d/SymantecDLPServiceName start
5. On the computer that hosts the database, log on as the oracle user.
To open Oracle SQL*Plus, enter:
sqlplus /nolog
At the SQL> command prompt, to connect as the sysdba user, enter:
connect sys/password@protect as sysdba
where password is the password created for single-tier and two-tier installations.
6. After receiving the "Connected" message, at the SQL> command prompt, stop all of the Oracle services by entering:
shutdown immediate
7. To exit Oracle SQL*Plus, enter:
exit
8. Copy the contents of the /DataLossPrevention_Backup_Files/Database directory to the opt/oracle/oradata/protect
directory on the computer that hosts the new database. The file path and the name of the computer that hosts the backup
files should have been recorded in the Recovery Information Worksheet for reference.
Recovery Information Worksheet for Linux
9. To open Oracle SQL*Plus, enter:
sqlplus /nolog
10. At the SQL> command prompt, to connect as the sysdba user, enter:
connect sys/password as sysdba
where password is the SYS password.
11. At the SQL> prompt, enter:
startup

Recovering Your System on Linux
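Steps 4 through 11 above are an ordered sequence in which the service-stop order matters (the detection server service before the Enforce Server services, and the Notifier last). The script below is an added example, not part of the Symantec documentation or product: it encodes that order and the database steps for a single-tier host that runs the Enforce Server and the Oracle database, with a dry-run mode that prints each action so the sequence can be reviewed before anything is stopped. It assumes the 16.0.10000 paths from this guide, a backup directory BACKUP_DB, an ORACLE_SID of protect (taken from the guide's @protect connect string), and, as a deliberate departure from the guide's connect sys/password step, OS authentication (sqlplus / as sysdba from the oracle account) so no password is placed in the script; the function names and the enforce/detection/both role values are the example's own.

```shell
#!/bin/sh
# Added example, not Symantec's code: the service-stop order and database
# steps of "Restoring an Existing Database on Linux" for a host that runs the
# Enforce Server and the Oracle database, with a dry-run mode that prints
# each action so the sequence can be reviewed before anything is stopped.
set -eu

DLP_VERSION="16.0.10000"
BIN_DIR="/opt/Symantec/DataLossPrevention/EnforceServer/$DLP_VERSION/Protect/bin"
BACKUP_DB="${BACKUP_DB:-/opt/Symantec/DataLossPrevention_Backup_Files/Database}"  # assumed location
ORADATA="${ORADATA:-/opt/oracle/oradata/protect}"
ORACLE_SID="${ORACLE_SID:-protect}"   # assumed from the guide's @protect connect string
DRY_RUN="${DRY_RUN:-0}"               # DRY_RUN=1 prints each action instead of running it

# run CMD... : execute CMD, or with DRY_RUN=1 print it and do nothing.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "DRY-RUN: $*"; else "$@"; fi
}

# services_to_stop HOST_ROLE
# Prints the service scripts to stop in the order the guide gives: the
# detection server service first, then the Enforce Server services.
# HOST_ROLE is enforce, detection, or both (a single-tier host).
services_to_stop() {
    case $1 in
        detection|both) echo SymantecDLPDetectionServerService.sh ;;
    esac
    case $1 in
        enforce|both)
            echo SymantecDLPDetectionServerControllerService.sh
            echo SymantecDLPIncidentPersisterService.sh
            echo SymantecDLPManagerService.sh
            echo SymantecDLPNotifierService.sh ;;
    esac
}

stop_services() {
    for svc in $(services_to_stop "$1"); do
        run "$BIN_DIR/$svc" stop
    done
}

# sqlplus_sysdba STATEMENT... : run the statements as SYSDBA from the oracle
# OS account using OS authentication ("/ as sysdba") instead of the guide's
# "connect sys/password"; assumes the oracle user is in the dba group and
# has ORACLE_HOME set in its login profile.
sqlplus_sysdba() {
    if [ "$DRY_RUN" = 1 ]; then echo "DRY-RUN: sqlplus / as sysdba: $*"; return 0; fi
    printf '%s\n' "$@" exit | su - oracle -c "ORACLE_SID=$ORACLE_SID sqlplus -S / as sysdba"
}

# restore_existing_database HOST_ROLE
# Checks the backup before touching anything, then stops services in order,
# shuts the database down, copies the backed-up datafiles back, and starts it.
restore_existing_database() {
    if [ ! -d "$BACKUP_DB" ] || [ -z "$(ls -A "$BACKUP_DB")" ]; then
        echo "restore: no database backup files in $BACKUP_DB, nothing stopped" >&2
        return 1
    fi
    stop_services "$1"
    sqlplus_sysdba "shutdown immediate"
    run cp -a "$BACKUP_DB/." "$ORADATA/"
    sqlplus_sysdba "startup"
}

# Usage (as root; the file name is hypothetical):
#   DRY_RUN=1 sh dlp_db_restore.sh both    # review the printed sequence
#   sh dlp_db_restore.sh both              # then run it for real
if [ "$#" -ge 1 ]; then restore_existing_database "$1"; fi
```

The empty-backup check runs before any service is stopped so that a mistyped BACKUP_DB does not leave the Enforce Server down with nothing to restore.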

Creating a New Database on Linux


1. Make sure that the database environment is healthy. Check the existing database, the database server that hosts the
existing database, and the computer that hosts the database server.
2. Follow the instructions in the Symantec Data Loss Prevention Installation Guide to install an Oracle database.
3. This step assumes that the drive structure of the new database is the same as the drive structure of the old database.
Perform the following tasks in the order that is presented:
• Copy the contents of the /DataLossPrevention_Backup_Files/Database directory to the opt/oracle/oradata/protect
directory on the computer that hosts the new database. The information about the computers and directories is located
on the Recovery Information Worksheet.
Recovery Information Worksheet for Linux
• To open Oracle SQL*Plus, enter:
sqlplus /nolog
• At the SQL> command prompt, to connect as the sysdba user, enter:
connect sys/password as sysdba
where password is the SYS password.
• At the SQL> prompt, enter:
startup

The following step assumes that the drive structure of the new database is different from the drive structure of the old
database.
4. Perform the following tasks in the order presented:
• Edit the inittemp.ora file in the /DataLossPrevention_Backup_Files/Recovery_Aid directory to reflect the drive
structure of the new database. The information about this computer is in the Recovery Information Worksheet.
Recovery Information Worksheet for Linux
The following parameters might need to be modified to accommodate differences in directory structure:
*.background_dump_dest
*.control_files
*.core_dump_dest
*.user_dump_dest
• Rename the edited inittemp.ora file to initprotect.ora.
• Copy the edited initprotect.ora file to the $ORACLE_HOME/dbs directory on the computer that hosts the new
database.
• Copy the contents of the /DataLossPrevention_Backup_Files/Database directory to the opt/oracle/oradata/protect
directory on the computer that hosts the new database. The information about this computer is in the Recovery
Information Worksheet.
Recovery Information Worksheet for Linux
• To open Oracle SQL*Plus, enter:
sqlplus /nolog
• At the SQL> command prompt, to connect as the sysdba user, enter:
connect sys/password@protect as sysdba
where password is the password created for single- and two-tier installations.
• At the SQL> prompt, enter:
create spfile from pfile='$ORACLE_HOME/dbs/initprotect.ora';
• To shut down, enter:
shutdown
• To start, enter:
startup

Recovering Your System on Linux

Recovering the Enforce Server on Linux


Recover the Enforce Server by confirming that your environment and database are healthy and then installing a new
Enforce Server instance.
1. Make sure that the Enforce Server application and the computer hosting it are in a healthy state.
2. Make sure that the Oracle database is intact and running correctly.
About recovering the database on Linux
3. Reinstall the Enforce Server.
See Installing on Linux.
4. When you get to the Final Confirmation window in the installation procedure, make sure that the Initialize Enforce
Data box is not checked.
5. Continue with the installation procedure as described in Installing on Linux.
6. Restore the server files listed in the following table.

Server configuration files
    Copy from: /DataLossPrevention_Backup_Files/Server_Configuration_Files/config
    Copy to: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config on the computer that hosts the new Enforce Server

Customized changes
    Copy from: /DataLossPrevention_Backup_Files/File_System/plugins
    Copy to: /opt/Symantec/DataLossPrevention/ContentExtractionService/16.0.10000/Plugins/Protect/plugins on the computer that hosts the new Enforce Server

Tomcat keystore file
    Copy from: /DataLossPrevention_Backup_Files/File_System/.keystore
    Copy to: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/tomcat/conf on the computer that hosts the new Enforce Server

Keystore directories
    Copy from: the /var/ and /opt/ locations at /DataLossPrevention_Backup_Files/File_System/keystore
    Copy to: the /var/Symantec/DataLossPrevention/EnforceServer/16.0.10000/keystore and /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/keystore directories on the computer that hosts the new Enforce Server

Related Links
Recovery Information Worksheet for Linux on page 513
Use the recovery information worksheet to record important information about your system.
Recovering Your System on Linux on page 513

Recovering a Detection Server on Linux
Recover a detection server by confirming that the server host is healthy and then installing a new detection server
instance.
1. Make sure the server to host the recovered detection server application and the computer that hosts the server are in
a healthy state.
2. Reinstall the detection server.
See Installing a detection server on Linux.
3. Restore the server files listed in the following table.

Server configuration files
    Copy from: /DataLossPrevention_Backup_Files/Server_Configuration_Files/config
    Copy to: /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/config on the computer that hosts the new detection server

Customized changes
    Copy from: /DataLossPrevention_Backup_Files/File_System/plugins
    Copy to: the /opt/Symantec/DataLossPrevention/ContentExtractionService/16.0.10000/Plugins/Protect/plugins directory on the computer that hosts the new detection server

Keystore directories
    Copy from: the /var/ and /opt/ locations at /DataLossPrevention_Backup_Files/File_System/keystore
    Copy to: the /var/Symantec/DataLossPrevention/EnforceServer/16.0.10000/keystore and /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/keystore directories on the computer that hosts the new detection server

Related Links
Recovery Information Worksheet for Linux on page 513
Use the recovery information worksheet to record important information about your system.
Recovering Your System on Linux on page 513

Log files
Symantec Data Loss Prevention provides a number of different log files that record information about the behavior of the
software. Log files fall into these categories:
• Operational log files record detailed information about the tasks the software performs and any errors that occur while
the software performs those tasks. You can use the contents of operational log files to verify that the software functions
as you expect it to. You can also use these files to troubleshoot any problems in the way the software integrates with
other components of your system.
For example, you can use operational log files to verify that a Network Prevent for Email Server communicates with a
specific MTA on your network.
Operational Log Files
• Debug log files record fine-grained technical details about the individual processes or software components that
comprise Symantec Data Loss Prevention. The contents of debug log files are not intended for use in diagnosing
system configuration errors or in verifying expected software functionality. You do not need to examine debug log files
to administer or maintain a Symantec Data Loss Prevention installation. However, Symantec Support may ask you to
provide debug log files for further analysis when you report a problem. Some debug log files are not created by default.
Symantec Support can explain how to configure the software to create the file if necessary.
Debug Log Files
• Installation log files record information about the Symantec Data Loss Prevention installation tasks that are performed
on a particular computer. You can use these log files to verify an installation or troubleshoot installation errors.
Installation log files reside in the following locations:
– installdir\SymantecDLP\.install4j\installation.log stores the installation log for Symantec Data
Loss Prevention.
– installdir\oracle_home\admin\protect\ stores the installation log for Oracle.
Operational Log Files
The Enforce Server and the detection servers store operational log files in the
c:\ProgramData\Symantec\DataLossPrevention\<EnforceServer or DetectionServer>logs\ directory on Windows installations and
in the /var/log/Symantec/DataLossPrevention/<EnforceServer or DetectionServer>/16.0.10000/ directory on Linux
installations. A number at the end of the log file name indicates the count (shown as 0 in Operational log files).
The following table, Operational log files, lists and describes the Symantec Data Loss Prevention operational log files.

Table 221: Operational log files

Each entry gives the log file name, the server that writes it (in parentheses), and a description.

agentmanagement_webservices_access_0.log (Enforce Server)
    Logs successful and failed attempts to access the Agent Management API web service.

agentmanagement_webservices_soap_0.log (Enforce Server)
    Logs the entire SOAP request and response for most requests to the Agent Management API web service.

boxmonitor_operational_0.log (All detection servers)
    The BoxMonitor process oversees the detection server processes that pertain to that particular server type. For
    example, the processes that run on Network Monitor are file reader and packet capture. The BoxMonitor log file is
    typically very small, and it shows how the application processes are running.

detection_operational_0.log (All detection servers)
    The detection operation log file provides details about the detection server configuration and whether it is
    operating correctly.

detection_operational_trace_0.log (All detection servers)
    The detection trace log file provides details about each message that the detection server processes. The log file
    includes information such as:
    • The policies that were applied to the message
    • The policy rules that were matched in the message
    • The number of incidents the message generated

machinelearning_training_operational_0.log (Enforce Server)
    This log records information about the tasks, logs, and configuration files called on startup of the VML training
    process.

manager_operational_0.log (Enforce Server)
    Logs information about the Symantec Data Loss Prevention manager process, which implements the Enforce Server
    administration console user interface.

monitorcontroller_operational_0.log (Enforce Server)
    Records a detailed log of the connections between the Enforce Server and all detection servers. It provides details
    about the information that is exchanged between these servers, including whether policies have been pushed to the
    detection servers or not.

SmtpPrevent_operational0.log (SMTP Prevent detection servers)
    This operational log file pertains to SMTP Prevent only. It is the primary log for tracking the health and activity of
    a Network Prevent for Email system. Examine this file for information about the communication between the MTAs and
    the detection server.

WebPrevent_Access0.log (Network Prevent for Web detection servers)
    This access log file contains information about the requests that are processed by Network Prevent for Web
    detection servers. It is similar to web access logs for a proxy server.

WebPrevent_Operational0.log (Network Prevent for Web detection servers)
    This operational log file reports on the operating condition of Network Prevent for Web, such as whether the system
    is up or down and connection management.

Network Prevent for Web operational log files and event codes
Network Prevent for Web access log files and fields
Network Prevent for Email log levels
Network Prevent for Email operational log codes
Network Prevent for Email originated responses and codes

Debug Log Files


The Enforce Server and the detection servers store debug log files in the
c:\ProgramData\Symantec\DataLossPrevention\<Enforce Server or Detection Server>\16.0.10000\logs\ directory on
Windows installations and in the /var/log/Symantec/DataLossPrevention/<Enforce Server or Detection Server>/16.0.10000/
directory on Linux installations. A number at the end of the log file name indicates the count (shown as 0 in debug
log files).
The following table lists and describes the Symantec Data Loss Prevention debug log files.

Table 222: Debug log files

Each entry gives the log file name, the server that writes it (in parentheses), and a description.

Aggregator0.log (Endpoint detection servers)
    This file describes communications between the detection server and the agents. Look at this log to troubleshoot
    the following problems:
    • Connection to the agents
    • To find out why incidents do not appear when they should
    • If unexpected agent events occur

BoxMonitor0.log (All detection servers)
    This file is typically very small, and it shows how the application processes are running. The BoxMonitor process
    oversees the detection server processes that pertain to that particular server type. For example, the processes
    that run on Network Monitor are file reader and packet capture.

ContentExtractionAPI_FileReader.log (Detection Server)
    Logs the behavior of the Content Extraction API file reader that sends requests to the plug-in host. The default
    logging level is "info", which is configurable using log4cxx_config_filereader.xml in a location based on your
    platform:
    • Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs
    • Linux: /var/log/Symantec/DataLossPrevention/DetectionServer/16.0.10000/logs

ContentExtractionAPI_Manager.log (Enforce Server)
    Logs the behavior of the Content Extraction API manager that sends requests to the plug-in host. The default
    logging level is "info", which is configurable using log4cxx_config_manager.xml in a location based on your
    platform:
    • Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs
    • Linux: /var/log/Symantec/DataLossPrevention/DetectionServer/16.0.10000/logs

ContentExtractionHost_FileReader.log (Detection Server)
    Logs the behavior of the Content Extraction File Reader hosts and plug-ins. The default logging level is "info",
    which is configurable using log4cxx_config_filereader.xml in a location based on your platform:
    • Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs
    • Linux: /var/log/Symantec/DataLossPrevention/DetectionServer/16.0.10000/logs

ContentExtractionHost_Manager.log (Enforce Server)
    Logs the behavior of the Content Extraction Manager hosts and plug-ins. The default logging level is "info", which
    is configurable using log4cxx_config_manager.xml in a location based on your platform:
    • Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs
    • Linux: /var/log/Symantec/DataLossPrevention/DetectionServer/16.0.10000/logs

DiscoverNative.log.0 (Discover detection servers)
    This log file is located in \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs\debug.
    It contains the log statements that the Network Discover native code emits; currently it contains the information
    that is related to .pst scanning. This log file applies only to the Network Discover servers that run on Windows
    platforms. You can configure this log in the
    c:\Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\config\DiscoverNativeLogging.properties
    file.

FileReader0.log (All detection servers)
    This log file pertains to the file reader process and contains application-specific logging, which may be helpful in
    resolving issues in detection and incident creation. One symptom that shows up is content extractor timeouts.

SymantecDLPDetector.log, SymantecDLPDetector0.log, SymantecDLPEnforceConnector.log, SymantecDLPEnforceConnector0.log
(All Network Discover clusters)
    These log files list file reader process and application-specific details.

flash_client_0.log (Enforce Server)
    Logs messages from the Adobe Flex client that is used for folder risk reports by Network Discover.

flash_server_remoting_0.log (Enforce Server)
    Contains log messages from BlazeDS, an open-source component that responds to remote procedure calls from an Adobe
    Flex client. This log indicates whether the Enforce Server has received messages from the Flash client. At
    permissive log levels (FINE, FINER, FINEST), the BlazeDS logs contain the content of the client requests to the
    server and the content of the server responses to the client.

IncidentPersister0.log (Enforce Server)
    This log file pertains to the Incident Persister process. This process reads incidents from the incidents folder on
    the Enforce Server, and writes them to the database. Look at this log if the incident queue on the Enforce Server
    (manager) grows too large. This situation can also be observed by checking the incidents folder on the Enforce
    Server to see if incidents have backed up.

Indexer0.log (Enforce Server, or the computer where the external indexer is running)
    This log file contains information when an EDM profile or IDM profile is indexed. It also includes the information
    that is collected when the external indexer is used. If indexing fails, then this log should be consulted.

jdbc.log (Enforce Server)
    This log file is a trace of JDBC calls to the database. By default, writing to this log is turned off.

machinelearning_native_filereader.log (Detection Server)
    This log file records the runtime category classification (positive and negative) and associated confidence levels
    for each message that is detected by a VML profile. The default logging level is "info", which is configurable
    using \log4cxx_config_filereader.xml in a location based on your platform:
    • Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs
    • Linux: /var/log/Symantec/DataLossPrevention/DetectionServer/16.0.10000/logs

machinelearning_training_0_0.log (Enforce Server)
    This log file records the design-time base accuracy percentages for the k-fold evaluations for all VML profiles.

machinelearning_training_native_manager.log (Enforce Server)
    This log file records the total number of features that are modeled at design-time for each VML profile training
    run. The default logging level is "info", which is configurable using log4cxx_config_manager.xml in a location
    based on your platform:
    • Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs
    • Linux: /var/log/Symantec/DataLossPrevention/DetectionServer/16.0.10000/logs

MonitorController0.log (Enforce Server)
    This log file is a detailed log of the connections between the Enforce Server and the detection servers. It gives
    details around the information that is exchanged between these servers, including whether policies have been
    pushed to the detection servers or not.

PacketCapture.log (Network Monitor)
    This log file pertains to the packet capture process that reassembles packets into messages and writes to the
    drop_pcap directory. Look at this log if there is a problem with dropped packets or traffic is lower than expected.
    PacketCapture is not a Java process, so it does not follow the same logging rules as the other Symantec Data Loss
    Prevention system processes.

PacketCapture0.log (Network Monitor)
    This log file describes issues with PacketCapture communications.

RequestProcessor0.log (SMTP Prevent detection servers)
    This log file pertains to SMTP Prevent only. The log file is primarily for use in cases where
    SmtpPrevent_operational0.log is not sufficient.

ScanDetail-target-0.log (Discover detection servers)
    Where target is the name of the scan target. All white spaces in the target's name are replaced with hyphens. This
    log file pertains to Discover server scanning. It is a file-by-file record of what happened in the scan. If the scan
    of the file is successful, it reads success, and then the path, size, time, owner, and ACL information of the file
    scanned. If it failed, a warning appears followed by the file name.

tomcat\localhost.date.log (Enforce Server)
    These Tomcat log files contain information for any action that involves the user interface. The logs include the
    user interface errors from the red error message box, password failures when logging on, and Oracle errors (ORA-#).

SymantecDLPIncidentPersister.log (Enforce Server)
    This log file contains minimal information: stdout and stderr only (fatal events).

SymantecDLPManager.log (Enforce Server)
    This log file contains minimal information: stdout and stderr only (fatal events).

SymantecDLPMonitor.log (All detection servers)
    This log file contains minimal information: stdout and stderr only (fatal events).

SymantecDLPMonitorController.log (Enforce Server)
    This log file contains minimal information: stdout and stderr only (fatal events).

SymantecDLPNotifier.log (Enforce Server)
    This log file pertains to the Notifier service and its communications with the Enforce Server and the
    MonitorController service. Look at this file to see if the MonitorController service registered a policy change.

SymantecDLPUpdate.log (Enforce Server)
    This log file is populated when you update Symantec Data Loss Prevention.

Network Prevent for Web protocol debug log files


Network Prevent for Email Log Levels

Log collection and configuration screen


Use the System > Servers and Detectors > Logs screen to collect log files or to configure logging behavior for any Symantec Data Loss Prevention server. The Logs screen contains two tabs that provide the following features:
• Collection: Use this tab to collect log files and configuration files from one or more Symantec Data Loss Prevention servers. See Collecting server logs and configuration files.
• Configuration: Use this tab to configure basic logging behavior for a Symantec Data Loss Prevention server, or to apply a custom log configuration file to a server. See Configuring server logging behavior.

Configuring Server Logging Behavior
Use the Configuration tab of the System > Servers and Detectors > Logs screen to change logging configuration
parameters for any server in the Symantec Data Loss Prevention deployment. The Select a Diagnostic Log Setting
menu provides preconfigured settings for Enforce Server and detection server logging parameters. You can select an
available preconfigured setting to define common log levels or to enable logging for common server features. The Select
a Diagnostic Log Setting menu also provides a default setting that returns logging configuration parameters to the
default settings used at installation time.
Preconfigured log settings for the Enforce Server describes the preconfigured log settings available for the Enforce
Server.
Optionally, you can upload a custom log configuration file that you have created or modified using a text editor. (Use the
Collection tab to download a log configuration file that you want to customize.) You can upload only those configuration
files that modify logging properties (file names that end with Logging.properties). When you upload a new log
configuration file to a server, the server first backs up the existing configuration file of the same name. The new file is then
copied into the configuration file directory and its properties are applied immediately.
You do not need to restart the server process for the changes to take effect, unless you are directed to do so.
As of the current software release, only changes to the PacketCaptureNativeLogging.properties and
DiscoverNativeLogging.properties files require you to restart the server process.
See Server controls.
Make sure that the configuration file that you upload contains valid property definitions that are applicable to the type
of server you want to configure. If you make a mistake when uploading a log configuration file, use the preconfigured
Restore Defaults setting to revert the log configuration to its original installed state.
The Enforce Server administration console performs only minimal validation of the log configuration files that you upload.
It ensures that:
• Configuration file names correspond to actual logging configuration file names.
• Root level logging is enabled in the configuration file. This configuration ensures that some basic logging functionality
is always available for a server.
• Properties in the file that define logging levels contain only valid values (such as INFO, FINE, or WARNING).
If the server detects a problem with any of these items, it displays an error message and cancels the file upload.
If the Enforce Server successfully uploads a log configuration file change to a detection server, the administration console
reports that the configuration change was submitted. If the detection server then encounters any problems when it tries to
apply the configuration change, it logs a system event warning to indicate the problem.
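The three checks described above can be repeated locally before an upload, so a mistyped level name or a file that is not a logging configuration file is caught before the console rejects it or, worse, before a detection server logs a system event warning. The following Python script is an added example and is not part of Symantec Data Loss Prevention. It assumes the files follow java.util.logging conventions (a root ".level" key and the JUL level names; the guide itself names only INFO, FINE, and WARNING), and the property text it checks is constructed.

```python
"""Pre-upload check for a Symantec DLP *Logging.properties file.

Added example, not part of the product. It repeats the three checks the guide says the
Enforce Server administration console performs (file name, root level present, valid level
values). Assumption: the files follow java.util.logging conventions, so the root level is the
".level" key and the level names are the JUL ones. Sample property text below is constructed.
"""
import re
from pathlib import PurePath

# java.util.logging level names (assumption; the guide itself names INFO, FINE and WARNING)
VALID_LEVELS = {"OFF", "SEVERE", "WARNING", "INFO", "CONFIG", "FINE", "FINER", "FINEST", "ALL"}
KEY_VALUE_RE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text: str) -> dict:
    """Minimal .properties reader: key=value or key:value, '#'/'!' comments, backslash continuation."""
    props = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            logical += line[:-1]          # continued on the next line
            continue
        logical += line
        m = KEY_VALUE_RE.match(logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
        logical = ""
    return props


def validate_logging_properties(filename: str, text: str) -> list:
    """Return the problems the console would reject the upload for; an empty list means it passes."""
    problems = []
    if not PurePath(filename).name.endswith("Logging.properties"):
        problems.append(f"{filename}: not a logging configuration file name")
    props = parse_properties(text)
    if ".level" not in props:
        problems.append("root logging level (.level) is not set")
    for key, value in props.items():
        if (key == "level" or key.endswith(".level")) and value.upper() not in VALID_LEVELS:
            problems.append(f"{key}: invalid level '{value}'")
    return problems


# Constructed samples: one that passes and one with a mistyped level and no root level.
GOOD_PROPERTIES = """\
# constructed FileReaderLogging.properties fragment
.level = INFO
com.vontu.mta.rp.level = FINE
com.vontu.mta.log.SmtpOperationalLogHandler.limit = 5000000
com.vontu.mta.log.SmtpOperationalLogHandler.count = 5
"""
BAD_PROPERTIES = """\
com.vontu.mta.rp.level = VERBOSE
"""

if __name__ == "__main__":
    for name, text in (("FileReaderLogging.properties", GOOD_PROPERTIES),
                       ("FileReaderLogging.properties", BAD_PROPERTIES)):
        print(name, validate_logging_properties(name, text) or "OK")
```

Run it against a file downloaded from the Collection tab before you upload the edited copy; if it reports a problem, fix the file rather than relying on Restore Defaults afterwards.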

Table 223: Preconfigured log settings for the Enforce Server

Select a Diagnostic Log Setting value | Description

Restore Defaults
  Restores log file parameters to their default values.
Custom Attribute Lookup Logging
  Logs diagnostic information each time the Enforce Server uses a lookup plug-in to populate custom attributes for an incident. Lookup plug-ins populate custom attribute data using LDAP, CSV files, or other data repositories. The diagnostic information is recorded in the IncidentPersister_0.log file and the Tomcat log file. The Tomcat log file is located at the following locations:
  • Windows: c:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\logs\tomcat\localhost.date.log
  • Linux: /var/log/Symantec/DataLossPrevention/EnforceServer/16.0.10000/logs/tomcat/localhost.date.log

Table 224: Preconfigured log settings for detection servers

Select a Diagnostic Log Setting value | Detection server uses | Description

Restore Defaults | All detection servers
  Restores log file parameters to their default values.
Discover Trace Logging | Network Discover Servers
  Enables informational logging for Network Discover scans. These log messages are stored in FileReader0.log.
Detection Trace Logging | All detection servers
  Logs information about each message that the detection server processes. This includes information such as:
  • The policies that were applied to the message
  • The policy rules that were matched in the message
  • The number of incidents that the message generated.
  When you enable Detection Trace Logging, the resulting messages are stored in the detection_operational_trace_0.log file.
  Note: Trace logging can produce a large amount of data, and the data is stored in clear text format. Use trace logging only when you need to debug a specific problem.
Packet Capture Debug Logging | Network Monitor Servers
  Enables basic debug logging for packet capture with Network Monitor. This setting logs information in the PacketCapture.log file.
  While this type of logging can produce a large amount of data, the Packet Capture Debug Logging setting limits the log file size to 50 MB and the maximum number of log files to 10.
  If you apply this log configuration setting to a server, you must restart the server process to enable the change.
Email Prevent Logging | Network Prevent for Email servers
  Enables full message logging for Network Prevent for Email servers. This setting logs the complete message content and includes execution and error tracing information. Logged information is stored in the RequestProcessor0.log file.
  Note: Trace logging can produce a large amount of data, and the data is stored in clear text format. Use trace logging only when you need to debug a specific problem.
  See Network Prevent for Email operational log codes and Network Prevent for Email originated responses and codes.
ICAP Prevent Message Processing Logging | Network Prevent for Web servers
  Enables operational and access logging for Network Prevent for Web. This setting logs information in the FileReader0.log file.
  See Network Prevent for Web operational log files and event codes and Network Prevent for Web access log files and fields.

Table 225: Preconfigured log settings for the Network Discover Cluster

Select a Diagnostic Log Setting value | Description

Restore Defaults
  Restores log file parameters to their default values.
  When you select Restore Defaults, the zip files containing the default configuration logs (detection_trace.zip and discover_trace.zip) are copied from the Enforce Server (C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<product_version>\Protect\config\logpreconfig) and unzipped on the data node and all the worker nodes at the following location:
  C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\<product_version>\LoggingConfigurationOverwrite
Detection Trace Logging
  Enables informational logging for Network Discover scans. These log messages are stored in FileReader0.log.
  When you select Detection Trace Logging, the zip file containing the debug logs for the detection service is copied to the data node and all the worker nodes at the following location:
  C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\<product_version>\LoggingConfigurationOverwrite
  The following properties are used to enable trace logging:
  • com.symantec.dlp.clouddetectionserver.logging.Uni in UDSDetectorLogging.properties.
  • UDSEnforceConnectorLogging.properties for the enforce connector process in the data node.

Change the Log Configuration for a Symantec Data Loss Prevention Server
Follow this procedure to change the log configuration for a Symantec Data Loss Prevention server.
1. Click the Configuration tab if it is not already selected.
2. If you want to configure logging properties for a detection server, select the server name from the Select a Detection
Server menu.
3. If you want to apply preconfigured log settings to a server, select the configuration name from the Select a Diagnostic
Configuration menu next to the server you want to configure.
See Preconfigured log settings for the Enforce Server and Preconfigured log settings for detection servers for a
description of the diagnostic configurations.
4. To customize the log configuration, do one of the following:
• To use a customized log configuration file, click Choose File next to the server you want to configure. Then select the logging configuration file to use from the File Upload dialog, and click Open. You can upload only logging configuration files, not configuration files that affect other server features.
• For the Network Discover Cluster, you can customize the following files and upload them by clicking Choose file in the Log Configuration File section. The customized files are then downloaded to the data node and worker nodes, and logs are collected for the data node and worker nodes according to the customization:
– UDSDetectorLogging.properties
– UDSEnforceConnectorLogging.properties
NOTE
For the customization of the UDSEnforceConnectorLogging.properties file to take effect, restart the Enforce Connector Service.
NOTE
If the Choose File button is unavailable because of a previous menu selection, click Clear Form.
5. Click Configure Logs to apply the preconfigured setting or custom log configuration file to the selected server.
6. Check for any system event warnings that indicate a problem in applying configuration changes on a server.

NOTE
The following debug log files are configured manually outside of the logging framework available through the Enforce Server administration console: ContentExtractionAPI_FileReader.log, ContentExtractionAPI_Manager.log, ContentExtractionHost_FileReader.log, ContentExtractionHost_Manager.log, machinelearning_native_filereader.log, and machinelearning_training_native_manager.log. Refer to the entry for each of these log files in the debug log file list for configuration details. See Debug log files.

Collecting Server Logs and Configuration Files


Use the Collection tab of the System > Servers and Detectors > Logs screen to collect log files and configuration files
from one or more Symantec Data Loss Prevention servers. You can collect files from a single detection server or from
all detection servers, the Enforce Server computer and Network Discover Cluster. You can limit the collected files to only
those files that were last updated in a specified range of dates.
Following are the details for log collection for all the Detection Servers (except Network Discover Cluster) and Network
Discover Cluster:

Table 226: Details of log collection

Location/Targets | Description

All Detection Servers, except Network Discover Cluster
  The Enforce Server administration console stores all log and configuration files that you collect in a single ZIP file on the Enforce Server computer. If you retrieve files from multiple Symantec Data Loss Prevention servers, each server's files are stored in a separate subdirectory of the ZIP file.
Network Discover Cluster
  For Network Discover Cluster log collection, when you select the Operational Logs, Debug and Trace Logs, or Configuration Files checkbox, the File Path and Credentials fields are displayed. Enter the file share path and credentials for a file share folder where you want to upload the cluster log files. You must have read and write permissions for this file share folder. The cluster logs are uploaded to this file share and are not stored on the Enforce Server. The data node and all the worker nodes in the cluster upload their logs to this file share.

Checkboxes on the Collection tab enable you to collect different types of files from the selected servers. File types for
collection describes each type of file.

Table 227: File types for collection

File type | Description

Operational Logs
  Operational log files record detailed information about the tasks the software performs and any errors that occur while the software performs those tasks. You can use the contents of operational log files to verify that the software functions as you expect it to. You can also use these files to troubleshoot any problems in the way the software integrates with other components of your system.
  For example, you can use operational log files to verify that a Network Prevent for Email Server communicates with a specific MTA on your network.
Debug and Trace Logs
  Debug log files record fine-grained technical details about the individual processes or software components that comprise Symantec Data Loss Prevention. The contents of debug log files are not intended for use in diagnosing system configuration errors or in verifying expected software functionality. You do not need to examine debug log files to administer or maintain a Symantec Data Loss Prevention installation. However, Symantec Support may ask you to provide debug log files for further analysis when you report a problem. Some debug log files are not created by default. Symantec Support can explain how to configure the software to create the file if necessary.
Configuration Files
  Use the Configuration Files option to retrieve both logging configuration files and server feature configuration files.
  Logging configuration files define the overall level of logging detail that is recorded in server log files. Logging configuration files also determine whether specific features or subsystem events are recorded to log files.
  You can modify many common logging configuration properties by using the presets that are available on the Configuration tab.
  If you want to update a logging configuration file by hand, use the Configuration Files checkbox to download the configuration files for a server. You can modify individual logging properties using a text editor and then use the Configuration tab to upload the modified file to the server. See Configuring server logging behavior.
  The Configuration Files option retrieves the active logging configuration files and also any backup log configuration files that were created when you used the Configuration tab. This option also retrieves server feature configuration files. Server feature configuration files affect many different aspects of server behavior, such as the location of a syslog server or the communication settings of the server. You can collect these configuration files to help diagnose problems or verify server settings. However, you cannot use the Configuration tab to change server feature configuration files. You can only use the tab to change logging configuration files.
Agent Logs
  Use the Agent Logs option to collect DLP agent service and operational log files from an Endpoint Prevent detection server. This option is available only for Endpoint Prevent servers. To collect the DLP Agent logs, you must have already pulled the log files from individual agents to the Endpoint Prevent detection server using a Pull Logs action. Use the Agent List screen to select individual agents and pull selected log files to the Endpoint Prevent detection server. Then use the Agent Logs option on this page to collect the log files.
  When the logs are pulled from the endpoint, they are stored on the Endpoint Server in an unencrypted format. After you collect the logs from the Endpoint Server, the logs are deleted from the Endpoint Server and are stored only on the Enforce Server. You can only collect logs from one endpoint at a time.

Operational, debug, trace log files are stored in the server_identifier/logs subdirectory of the ZIP file.
server_identifier identifies the server that generated the log files, and it corresponds to one of the following values:

• If you collect log files from the Enforce Server, Symantec Data Loss Prevention replaces server_identifier with the
string Enforce. Note that Symantec Data Loss Prevention does not use the localized name of the Enforce Server.
• If a detection server’s name includes only ASCII characters, Symantec Data Loss Prevention uses the detection server
name for the server_identifier value.
• If a detection server’s name contains non-ASCII characters, Symantec Data Loss Prevention uses the string
DetectionServer-ID-id_number for the server_identifier value. id_number is a unique identification number for
the detection server.
If you collect agent service log files or operational log files from an Endpoint Prevent server, the files are placed in the
server_identifier/agentlogs subdirectory. Each agent log file uses the individual agent name as the log file prefix.
Follow this procedure to collect log files and log configuration files from Symantec Data Loss Prevention servers.
To collect log files from one or more servers
1. Click the Collection tab if it is not already selected.
2. Use the Date Range menu to select a range of dates for the files you want to collect. Note that the collection process
does not truncate downloaded log files in any way. The date range limits collected files to those files that were last
updated in the specified range.
3. To collect log files from the Enforce Server, select one or more of the checkboxes next to the Enforce Server entry to
indicate the type of files you want to collect.
4. To collect log files from one or all detection servers, use the Select a Detection Server menu to select either the
name of a detection server or the Collect Logs from All Detection Servers option. Then select one or more of the
checkboxes next to the menu to indicate the type of files you want to collect.
5. Click Collect Logs to begin the log collection process.
• For the Enforce Server log collection, the administration console adds a new entry for the log collection process in
the Previous Log Collections list at the bottom of the screen. If you are retrieving many log files, you may need to
refresh the screen periodically to determine when the log collection process has completed.
• For Network Discover Cluster log collection, when the logs are successfully collected, a success message is added to the Previous Log Collections list at the bottom of the screen. Navigate to the file share folder where the cluster logs were uploaded. The file share folder has a subfolder for each data node (DN) and worker node (WN) that contains the logs for that node.
A system event is generated if Network Discover Cluster log collection fails.
The default timeout interval for the log collection command is 30 minutes.
NOTE
You can run only one log collection process at a time.
6. To cancel an active log collection process, click Cancel next to the log collection entry. You may need to cancel log
collection if one or more servers are offline and the collection process cannot complete.
When you cancel the Enforce Server log collection, the ZIP file contains only those files that were successfully
collected.
7. To download the Enforce Server collected logs to your local computer, click Download next to the log collection entry.
The Download option is not available for Network Discover Cluster log collection.
8. For the Enforce Server collected logs, to remove ZIP files stored on the Enforce Server, click Delete next to a log
collection entry.
The Delete option is not available for Network Discover Cluster log collection.

About log event codes
Operational log file messages are formatted to closely match industry standards for the various protocols involved.
These log messages contain event codes that describe the specific task that the software was trying to perform when the
message was recorded. Log messages are generally formatted as:
Timestamp [Log Level] (Event Code) Event description [event parameters]

• Network Prevent for Web operational log files and event codes
• Network Prevent for Email operational log codes
• Network Prevent for Email originated responses and codes

Network Prevent for Web Operational Log Files and Event Codes
Network Prevent for Web log file names use the format WebPrevent_OperationalX.log (where X is a number). The number of files that are stored and their sizes can be specified by changing the values in the FileReaderLogging.properties file. This file is in the c:\Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\config (Windows) or /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/config (Linux) directory. By default, the values are:
• com.vontu.icap.log.IcapOperationalLogHandler.limit = 5000000
• com.vontu.icap.log.IcapOperationalLogHandler.count = 5
Status codes for Network Prevent for Web operational logs lists the Network Prevent for Web-defined operational logging
codes by category. The italicized part of the text contains event parameters.

Table 228: Status codes for Network Prevent for Web operational logs

Code | Text and Description

Operational Events
1100  Starting Network Prevent for Web
1101  Shutting down Network Prevent for Web

Connectivity Events
1200  Listening for incoming connections at icap_bind_address:icap_bind_port
      Where:
      • icap_bind_address is the Network Prevent for Web bind address to which the server listens. This address is specified with the Icap.BindAddress Advanced Setting.
      • icap_bind_port is the port at which the server listens. This port is set in the Server > Configure page.
1201  Connection (id=conn_id) opened from host(icap_client_ip:icap_client_port)
      Where:
      • conn_id is the connection ID that is allocated to this connection. This ID can be helpful in doing correlations between multiple logs.
      • icap_client_ip and icap_client_port are the proxy's IP address and port from which the connect operation to Network Prevent for Web was performed.
1202  Connection (id=conn_id) closed (close_reason)
      Where:
      • conn_id is the connection ID that is allocated to the connect operation.
      • close_reason provides the reason for closing the connection.
1203  Connection states: REQMOD=N, RESPMOD=N, OPTIONS=N, OTHERS=N
      Where N indicates the number of connections in each state when the message was logged. This message provides the system state in terms of connection management. It is logged whenever a connection is opened or closed.

Connectivity Errors
5200  Failed to create listener at icap_bind_address:icap_bind_port
      Where:
      • icap_bind_address is the Network Prevent for Web bind address to which the server listens. This address can be specified with the Icap.BindAddress Advanced Setting.
      • icap_bind_port is the port at which the server listens. This port is set on the Server > Configure page.
5201  Connection was rejected from unauthorized host (host_ip:port)
      Where host_ip and port are the proxy system IP address and port from which a connect attempt to Network Prevent for Web was performed. If the host is not listed in the Icap.AllowHosts Advanced setting, it is unable to form a connection.

Network Prevent for Web Access Log Files and Fields


Network Prevent for Web log file names use the format of WebPrevent_AccessX.log (where X is a
number). The number of files that are stored and their sizes can be specified by changing the values in the
FileReaderLogging.properties file. By default, the values are:
• com.vontu.icap.log.IcapAccessLogHandler.limit = 5000000
• com.vontu.icap.log.IcapAccessLogHandler.count = 5
A Network Prevent for Web access log is similar to a proxy server’s web access log. The “start” log message format is:
# Web Prevent starting: start_time

Where start_time format is date:time, for example: 13/Aug/2018:03:11:22:015-0700.


The description message format is:
# host_ip "auth_user" time_stamp "request_line" icap_status_code request_size "referer" "user_agent" processing_time(ms) conn_id client_ip client_port action_code icap_method_code traffic_source_code

Network Prevent for Web access log fields lists the fields. The values of fields that are enclosed in quotes in this example
are quoted in an actual message. If field values cannot be determined, the message displays - or "" as a default value.

Table 229: Network Prevent for Web access log fields

Field | Explanation

host_ip  IP address of the host that made the request.
auth_user  Authorized user for this request.
time_stamp  Time that Network Prevent for Web receives the request.
request_line  Line that represents the request.
icap_status_code  ICAP response code that Network Prevent for Web sends for this request.
request_size  Request size in bytes.
referer  Header value from the request that contains the URI from which this request came.
user_agent  User agent that is associated with the request.
processing_time (milliseconds)  Request processing time in milliseconds. This value is the total of the receiving, content inspection, and sending times.
conn_id  Connection ID associated with the request.
client_ip  IP of the ICAP client (proxy).
client_port  Port of the ICAP client (proxy).
action_code  An integer representing the action that Network Prevent for Web takes. The action code is one of the following:
  • 0 = UNKNOWN
  • 1 = ALLOW
  • 2 = BLOCK
  • 3 = REDACT
  • 4 = ERROR
  • 5 = ALLOW_WITHOUT_INSPECTION
  • 6 = OPTIONS_RESPONSE
  • 7 = REDIRECT
icap_method_code  An integer representing the ICAP method that is associated with this request. The ICAP method code is one of the following:
  • -1 = ILLEGAL
  • 0 = OPTIONS
  • 1 = REQMOD
  • 2 = RESPMOD
  • 3 = LOG
traffic_source_code  An integer that represents the source of the network traffic. The traffic source code is one of the following:
  • 1 = WEB
  • 2 = UNKNOWN
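Because the access log is positional, with quoted fields that may contain spaces and "-" or "" standing in for unknown values, a tokenizer that respects the quotes is needed before the numeric codes above can be turned into the ALLOW/BLOCK and REQMOD/RESPMOD names a reviewer actually wants to see. The script below is an added example and is not part of Symantec Data Loss Prevention; the field order follows the description message format in this section, and the log lines it parses are constructed (addresses, user names and URLs are made up).

```python
"""Parse WebPrevent_AccessX.log lines into typed records and decode the numeric codes.

Added example, not part of Symantec DLP: the field order follows the description message
format in this guide; the sample lines are constructed (addresses, users and URLs are made up).
"""
import re
from collections import Counter

FIELDS = [
    "host_ip", "auth_user", "time_stamp", "request_line", "icap_status_code",
    "request_size", "referer", "user_agent", "processing_time_ms", "conn_id",
    "client_ip", "client_port", "action_code", "icap_method_code", "traffic_source_code",
]
INT_FIELDS = {"icap_status_code", "request_size", "processing_time_ms", "conn_id",
              "client_port", "action_code", "icap_method_code", "traffic_source_code"}

# Code tables from the access log field list in this guide.
ACTIONS = {0: "UNKNOWN", 1: "ALLOW", 2: "BLOCK", 3: "REDACT", 4: "ERROR",
           5: "ALLOW_WITHOUT_INSPECTION", 6: "OPTIONS_RESPONSE", 7: "REDIRECT"}
ICAP_METHODS = {-1: "ILLEGAL", 0: "OPTIONS", 1: "REQMOD", 2: "RESPMOD", 3: "LOG"}
TRAFFIC_SOURCES = {1: "WEB", 2: "UNKNOWN"}

TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # quoted fields may contain spaces (request line, user agent)


def parse_access_line(line: str):
    """Return a dict for one access record, or None for '#' header/start lines and blanks."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = [t[1:-1] if t.startswith('"') else t for t in TOKEN_RE.findall(line)]
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}: {line}")
    rec = dict(zip(FIELDS, tokens))
    for name in INT_FIELDS:
        rec[name] = None if rec[name] in ("-", "") else int(rec[name])   # '-' / "" mean unknown
    rec["action"] = ACTIONS.get(rec["action_code"], "UNKNOWN")
    rec["icap_method"] = ICAP_METHODS.get(rec["icap_method_code"], "ILLEGAL")
    rec["traffic_source"] = TRAFFIC_SOURCES.get(rec["traffic_source_code"], "UNKNOWN")
    return rec


def action_counts(log_text: str) -> dict:
    """How many requests ended in each action (ALLOW, BLOCK, ...)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec:
            counts[rec["action"]] += 1
    return dict(counts)


def blocked_requests(log_text: str) -> list:
    """(client_ip, auth_user, request_line) for every request Network Prevent for Web blocked."""
    return [(r["client_ip"], r["auth_user"], r["request_line"])
            for r in map(parse_access_line, log_text.splitlines())
            if r and r["action"] == "BLOCK"]


# Constructed sample: a start line, the header line, then three records
# (a blocked upload, an allowed GET, and an OPTIONS exchange with unknown fields).
SAMPLE_ACCESS_LOG = """\
# Web Prevent starting: 13/Aug/2018:03:11:22:015-0700
# host_ip "auth_user" time_stamp "request_line" icap_status_code request_size "referer" "user_agent" processing_time(ms) conn_id client_ip client_port action_code icap_method_code traffic_source_code
10.1.2.3 "jdoe" 13/Aug/2018:03:12:01:221-0700 "POST http://share.example.test/upload HTTP/1.1" 200 48213 "http://share.example.test/" "Mozilla/5.0 (Windows NT 10.0)" 37 42 10.0.0.2 51234 2 1 1
10.1.2.4 "-" 13/Aug/2018:03:12:05:004-0700 "GET http://news.example.test/ HTTP/1.1" 204 512 "" "curl/8.1" 3 43 10.0.0.2 51235 1 1 1
- "" 13/Aug/2018:03:12:06:118-0700 "OPTIONS icap://dlp.example.test/reqmod ICAP/1.0" 200 - "" "" 1 44 10.0.0.2 51236 6 0 2
"""

if __name__ == "__main__":
    print(action_counts(SAMPLE_ACCESS_LOG))
    for entry in blocked_requests(SAMPLE_ACCESS_LOG):
        print("blocked:", entry)
```

The integer conversion treats both "-" and an empty quoted string as unknown, as the section says either may appear, so a record from an OPTIONS exchange with no request size does not abort the parse of the whole file.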

Network Prevent for Web protocol debug log files


To enable ICAP trace logging, set the Icap.EnableTrace advanced setting to true and use the Icap.TraceFolder
advanced setting to specify a directory to receive the traces. Symantec Data Loss Prevention service must be restarted
for this change to take effect.
Trace files that are placed in the specified directory have file names in the format: timestamp-conn_id. The first line of a
trace file provides information about the connecting host IP and port along with a timestamp. File data that is read from the
socket is displayed in the format <<timestamp number_of_bytes_read. Data that is written to the socket is displayed in the
format >>timestamp number_of_bytes_written. The last line should note that the connection has been closed.
NOTE
Trace logging produces a large amount of data and therefore requires a large amount of free disk storage
space. Trace logging should be used only for debugging an issue because the data that is written in the file is in
clear text.
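A trace file is mostly useful for two questions: how much data crossed the socket in each direction, and whether the connection was closed cleanly (the section above says the last line should say so; a trace that stops short usually means the process died or the file was still being written). The script below is an added example and is not part of Symantec Data Loss Prevention. The guide only states the shape of the file (a timestamp-conn_id name, a header line, "<<timestamp bytes" for reads, ">>timestamp bytes" for writes, and a closing line), so the sample trace is constructed and the use of numeric millisecond timestamps is an assumption.

```python
"""Summarize an ICAP trace file written by Network Prevent for Web (Icap.EnableTrace).

Added example, not part of Symantec DLP. The guide states only the shape of the file
(timestamp-conn_id name, a header line, '<<timestamp bytes' for reads, '>>timestamp bytes'
for writes, a closing line), so the sample below is constructed and the numeric
millisecond timestamps are an assumption.
"""
import re

IO_RE = re.compile(r"^(<<|>>)(\S+)\s+(\d+)\s*$")   # direction, timestamp, byte count


def parse_trace_name(name: str):
    """Split a trace file name of the form timestamp-conn_id into its two parts."""
    ts, _, conn = name.rpartition("-")
    if not ts or not conn.isdigit():
        raise ValueError(f"not a trace file name: {name}")
    return ts, int(conn)


def summarize_trace(text: str) -> dict:
    """Bytes read from and written to the proxy socket, plus whether the trace was closed cleanly."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    stats = {"header": lines[0] if lines else "", "reads": 0, "read_bytes": 0,
             "writes": 0, "written_bytes": 0, "closed": False}
    for line in lines[1:]:
        m = IO_RE.match(line)
        if not m:
            continue                      # header, closing line, or anything else
        direction, _ts, count = m.groups()
        if direction == "<<":
            stats["reads"] += 1
            stats["read_bytes"] += int(count)
        else:
            stats["writes"] += 1
            stats["written_bytes"] += int(count)
    # The guide says the last line should note that the connection has been closed.
    stats["closed"] = bool(lines) and "closed" in lines[-1].lower()
    return stats


# Constructed trace for a single proxy connection (file name would be 1534155082015-42).
SAMPLE_TRACE = """\
1534155082015 connection from 10.0.0.2:51234
<<1534155082016 412
>>1534155082020 96
<<1534155082031 48213
>>1534155082070 187
1534155082071 connection closed
"""

if __name__ == "__main__":
    print(parse_trace_name("1534155082015-42"))
    print(summarize_trace(SAMPLE_TRACE))
```

Pair the conn_id from the file name with the (id=conn_id) values in the operational log to line a trace up with the connection open and close events for the same proxy session.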
Network Prevent for Email Log Levels
Network Prevent for Email log file names use the format of EmailPrevent_OperationalX.log (where X is a
number). The number of files that are stored and their sizes can be specified by changing the values in the
FileReaderLogging.properties file. By default, the values are:
• com.vontu.mta.log.SmtpOperationalLogHandler.limit = 5000000
• com.vontu.mta.log.SmtpOperationalLogHandler.count = 5
At various log levels, components in the com.vontu.mta.rp package output varying levels of detail. The com.vontu.mta.rp.level setting specifies log levels in the RequestProcessorLogging.properties file, which is stored in the FileReaderLogging.properties file. This file is in the c:\Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\config (Windows) or /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/config (Linux) directory. For example, com.vontu.mta.rp.level = FINE specifies the FINE level of detail.
Network Prevent for Email log levels describes the Network Prevent for Email log levels.

Table 230: Network Prevent for Email log levels

Level Guidelines

INFO General events: connect and disconnect notices, information on the messages that are processed per connection.
FINE Some additional execution tracing information.
FINER Envelope command streams, message headers, detection results.
FINEST Complete message content, deepest execution tracing, and error tracing.

Network Prevent for Email operational log codes


Status codes for Network Prevent for Email operational log lists the defined Network Prevent for Email operational
logging codes by category.

Table 231: Status codes for Network Prevent for Email operational log

Code | Description

Core Events
1100  Starting Network Prevent for Email
1101  Shutting down Network Prevent for Email
1102  Reconnecting to FileReader (tid=id)
      Where id is the thread identifier. The RequestProcessor attempts to re-establish its connection with the FileReader for detection.
1103  Reconnected to the FileReader successfully (tid=id)
      The RequestProcessor was able to re-establish its connection to the FileReader.

Core Errors
5100  Could not connect to the FileReader (tid=id timeout=.3s)
      An attempt to re-connect to the FileReader failed.
5101  FileReader connection lost (tid=id)
      The RequestProcessor connection to the FileReader was lost.

Connectivity Events
1200  Listening for incoming connections (local=hostname)
      Where hostname is an IP address or fully qualified domain name.
1201  Connection accepted (tid=id cid=N local=hostname:port remote=hostname:port)
      Where N is the connection identifier.
1202  Peer disconnected (tid=id cid=N local=hostname:port remote=hostname:port)
1203  Forward connection established (tid=id cid=N local=hostname:port remote=hostname:port)
1204  Forward connection closed (tid=id cid=N local=hostname:port remote=hostname:port)
1205  Service connection closed (tid=id cid=N local=hostname:port remote=hostname:port messages=1 time=0.14s)

Connectivity Errors
5200  Connection is rejected from the unauthorized host (tid=id local=hostname:port remote=hostname:port)
5201  Local connection error (tid=id cid=N local=hostname:port remote=hostname:port reason=Explanation)
5202  Sender connection error (tid=id cid=N local=hostname:port remote=hostname:port reason=Explanation)
5203  Forwarding connection error (tid=id cid=N local=hostname:port remote=hostname:port reason=Explanation)
5204  Peer disconnected unexpectedly (tid=id cid=N local=hostname:port remote=hostname:port reason=Explanation)
5205  Could not create listener (address=local=hostname:port reason=Explanation)
5206  Authorized MTAs contains invalid hosts: hostname, hostname, ...
5207  MTA restrictions are active, but no MTAs are authorized to communicate with this host
5208  TLS handshake failed (reason=Explanation tid=id cid=N local=hostname remote=hostname)
5209  TLS handshake completed (tid=id cid=N local=hostname remote=hostname)
5210  All forward hosts unavailable (tid=id cid=N reason=Explanation)
5211  DNS lookup failure (tid=id cid=N NextHop=hostname reason=Explanation)
5303  Failed to encrypt incoming message (tid=id cid=N local=hostname remote=hostname)
5304  Failed to decrypt outgoing message (tid=id cid=N local=hostname remote=hostname)

Message Events
1300  Message complete (cid=N message_id=3 dlp_id=message_identifier size=number sender=email_address recipient_count=N disposition=response estatus=statuscode rtime=N dtime=N mtime=N)
      Where:
      • recipient_count is the total number of addressees in the To, CC, and BCC fields.
      • response is the Network Prevent for Email response, which can be one of: PASS, BLOCK, BLOCK_AND_REDIRECT, REDIRECT, MODIFY, or ERROR.
      • estatus is an Enhanced Status code. See Network Prevent for Email originated responses and codes.
      • rtime is the time in seconds for Network Prevent for Email to fully receive the message from the sending MTA.
      • dtime is the time in seconds for Network Prevent for Email to perform detection on the message.
      • mtime is the total time in seconds for Network Prevent for Email to process the message.

Message Errors
5300  Error while processing message (cid=N message_id=header_ID dlp_id=message_identifier size=0 sender=email_address recipient_count=N disposition=response estatus=statuscode rtime=N dtime=N mtime=N reason=Explanation)
      Where header_ID is an RFC 822 Message-Id header if one exists.
5301  Sender rejected during re-submit
5302  Recipient rejected during re-submit

About log files

Network Prevent for Email Originated Responses and Codes

Network Prevent for Email originates the following responses. Other protocol responses are expected as Network Prevent
for Email relays command stream responses from the forwarding MTA to the sending MTA. The table of Network Prevent for
Email originated responses shows the responses that occur in situations where Network Prevent must override the receiving
MTA. It also shows the situations where Network Prevent generates a specific response to an event that is not relayed
from downstream.
“Enhanced Status” is the RFC 1893 Enhanced Status Code associated with the response.

Table 232: Network Prevent for Email originated responses

Each entry lists the SMTP reply code, the Enhanced Status, the response text, and a description.

250  2.0.0  Ok: Carry on.
    Success code that Network Prevent for Email uses.

221  2.0.0  Service closing.
    The normal connection termination code that Network Prevent for Email generates if a QUIT request is received
    when no forward MTA connection is active.

451  4.3.0  Error: Processing error.
    This “general, transient” error response is issued when a (potentially) recoverable error condition arises. This
    error response is issued when a more specific error response is not available. Forward connections are sometimes
    closed, and their unexpected termination is occasionally a cause of a code 451, status 4.3.0. However, sending
    connections should remain open when such a condition arises unless the sending MTA chooses to terminate.

421  4.3.0  Fatal: Processing error. Closing connection.
    This “general, terminal” error response is issued when a fatal, unrecoverable error condition arises. This error
    results in the immediate termination of any sender or receiver connections.

421  4.4.1  Fatal: Forwarding agent unavailable.
    An attempt to connect to the forward MTA was refused or otherwise failed to establish properly.

421  4.4.2  Fatal: Connection lost to forwarding agent.
    Closing connection. The forwarded MTA connection is lost in a state where further conversation with the sending
    MTA is not possible. The loss usually occurs in the middle of message header or body buffering. The connection is
    terminated immediately.

451  4.4.2  Error: Connection lost to forwarding agent.
    The forward MTA connection was lost in a state that may be recoverable if the connection can be re-established.
    The sending MTA connection is maintained unless it chooses to terminate.

421  4.4.7  Error: Request timeout exceeded.
    The last command issued did not receive a response within the time window that is defined in
    RequestProcessor.DefaultCommandTimeout. (The time window may be from RequestProcessor.DotCommandTimeout if the
    command issued was the “.”.) The connection is closed immediately.

421  4.4.7  Error: Connection timeout exceeded.
    The connection was idle (no commands actively awaiting response) in excess of the time window that is defined in
    RequestProcessor.DefaultCommandTimeout.

501  5.5.2  Fatal: Invalid transmission request.
    A fatal violation of the SMTP protocol (or the constraints that are placed on it) occurred. The violation is not
    expected to change on a resubmitted message attempt. This message is only issued in response to a single command
    or data line that exceeds the boundaries that are defined in RequestProcess.MaxLineSize.

502  5.5.1  Error: Unrecognized command.
    Defined but not currently used.

550  5.7.1  User Supplied.
    This combination of code and status indicates that a Blocking response rule has been engaged. The text that is
    returned is supplied as part of the response rule definition.
Note that a 4xx code and a 4.x.x enhanced status indicate a temporary error. In such cases the MTA can resubmit the
message to the Network Prevent for Email Server. A 5xx code and a 5.x.x enhanced status indicate a permanent error. In
such cases the MTA should treat the message as undeliverable.
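The 1300 and 5300 record formats under Message Events and Message Errors, together with the temporary/permanent rule in the note above, are enough to write a small log check. The following Python is an added example and is not code from this guide or from Symantec; the log lines it parses are constructed to follow the documented field layout, and the field order, the parenthesised record shape, and the 30-second detection threshold are assumptions made here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records in the shape documented under "Message Events" and
# "Message Errors". Values are made up; these are not real Network Prevent for Email
# log lines, and real records may carry a timestamp prefix that is omitted here.
SAMPLE_LOG = """\
1300 Message complete (cid=17 message_id=<a1@example.test> dlp_id=m-1001 size=52311 sender=alice@example.test recipient_count=3 disposition=PASS estatus=2.0.0 rtime=1 dtime=2 mtime=3)
1300 Message complete (cid=18 message_id=<b2@example.test> dlp_id=m-1002 size=981244 sender=bob@example.test recipient_count=1 disposition=BLOCK estatus=5.7.1 rtime=2 dtime=41 mtime=44)
5300 Error while processing message (cid=19 message_id=<c3@example.test> dlp_id=m-1003 size=0 sender=carol@example.test recipient_count=2 disposition=ERROR estatus=4.3.0 rtime=1 dtime=0 mtime=1 reason=Forward MTA connection lost)
5210 All forward hosts unavailable (tid=7 cid=20 reason=connection refused)
"""

# "<code> <text> (<key=value ...>)"; the field list is optional so that records such
# as "5301 Sender rejected during re-submit" still parse.
EVENT_RE = re.compile(r"^(?P<code>\d{4}) (?P<text>[^(]+?)(?: \((?P<fields>.*?)\)?)?\s*$")
# A value runs until the next " key=" or the end of the list, so "reason=" may
# contain spaces (it is documented as free-text Explanation).
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Event:
    code: int
    text: str
    fields: Dict[str, str]


def parse_line(line: str) -> Optional[Event]:
    """Parse one record, or return None for lines that are not in the documented shape."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("fields") or ""
    fields = {k: v.strip() for k, v in FIELD_RE.findall(raw)}
    return Event(int(m.group("code")), m.group("text").strip(), fields)


def status_class(estatus: str) -> str:
    """Classify an RFC 1893 enhanced status code as the note above does:
    2.x.x success, 4.x.x temporary (MTA may resubmit), 5.x.x permanent (undeliverable)."""
    head = estatus.split(".", 1)[0]
    return {"2": "success", "4": "temporary", "5": "permanent"}.get(head, "unknown")


def summarize(log_text: str, slow_detection_s: int = 30) -> Dict[str, object]:
    """Count dispositions of completed messages, flag messages whose detection time
    (dtime) exceeded slow_detection_s, collect 5300 errors with their status class,
    and record any other event codes seen (connection-level events such as 5210)."""
    dispositions: Dict[str, int] = {}
    slow: List[str] = []
    errors: List[str] = []
    other: List[int] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.code == 1300:
            d = ev.fields.get("disposition", "?")
            dispositions[d] = dispositions.get(d, 0) + 1
            if int(ev.fields.get("dtime", "0")) > slow_detection_s:
                slow.append(ev.fields.get("dlp_id", "?"))
        elif ev.code == 5300:
            cls = status_class(ev.fields.get("estatus", ""))
            errors.append(f"{ev.fields.get('dlp_id', '?')}: {ev.fields.get('reason', '')} ({cls})")
        else:
            other.append(ev.code)
    return {"dispositions": dispositions, "slow": slow, "errors": errors, "other": other}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The dtime threshold is the kind of figure you would tune from your own mtime/dtime history; a sustained rise in dtime on 1300 records is usually the first visible sign that detection is falling behind before 4.4.7 timeouts start to appear.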
About log files

Uninstalling Data Loss Prevention components


You can create an Enforce Reinstallation Resources file and uninstall Data Loss Prevention server components.
This section includes the following topics:
Uninstalling a server
Creating the Enforce Reinstallation Resources file
Uninstalling a server from a Windows system
Uninstalling a Server from a Linux system
About Symantec DLP Agent removal

Uninstalling a server
You can uninstall Symantec Data Loss Prevention components (Enforce Server or detection server) from servers.
Uninstalling removes all Symantec Data Loss Prevention data, including the following:
• Incremental scan index that is used with Network Discover. If you want to preserve the incremental scan index,
back it up before you uninstall Symantec Data Loss Prevention. See the Symantec Data Loss Prevention System
Maintenance Guide for information about backing up the incremental scan index.
• Enforce Schema and keystore files encrypted in the CryptoMasterKey.properties file. Symantec recommends
that you create a backup of this data before you uninstall a Symantec Data Loss Prevention server component. You
can use the backup for disaster recovery and to reinstall Symantec Data Loss Prevention.
Run the Reinstallation Resources Utility to create a backup.
Creating the Enforce Reinstallation Resources file
• Keystore files that are used for encrypting communication to DLP Agents. These keystore files are not backed
up by the Reinstallation Resources Utility. Symantec recommends that you create a backup of this data before
you uninstall a Symantec Data Loss Prevention server component. You back up these keystore files for disaster
recovery for connecting DLP Agents to a recovered system.
Backing up keystore files on Windows
Backing up Keystore Files on Linux
See the Symantec Data Loss Prevention System Maintenance Guide for details on backing up your system and
uninstalling servers.

Creating the Enforce Reinstallation Resources file
Before you uninstall Symantec Data Loss Prevention, create an EnforceReinstallationResources.zip file
using the Reinstallation Resources Utility. This file includes files such as the CryptoMasterKey.properties file and
keystore files, which are required to connect Symantec Data Loss Prevention to an existing DLP database.
Each Symantec Data Loss Prevention installation encrypts its database using a unique
CryptoMasterKey.properties file. An exact copy of this file is required if you intend to reuse the existing Symantec
Data Loss Prevention database. If the CryptoMasterKey.properties file becomes lost or corrupted and you do not
have a backup, contact Symantec Technical Support to recover the file.
Complete the following procedure to create the EnforceReinstallationResources.zip file required by the
Symantec Data Loss Prevention 16.0.1 installer.

Creating the Enforce Reinstallation Resources file on Windows


Complete the following procedure to create the Enforce Reinstallation Resources file on Windows.
1. Switch to the \EnforceServer\16.0.10000\Protect\bin directory by running the following command:
cd C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\bin

2. Generate an Enforce Reinstallation Resources file by running the following command. The Protect directory and the
output file path are two separate arguments:

"C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\bin\ReinstallationResourcesUtility.exe" export "C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect" C:\EnforceReinstallationResources.zip
3. Identify this new EnforceReinstallationResources.zip when reinstalling Symantec Data Loss Prevention from
your backup version.
If you reinstall using Silent Mode, you include the following parameters (in addition to other required parameters):
REINSTALLATION_RESOURCE_FILE="c:\EnforceReinstallationResources.zip"

If you choose to run the EnforceServer.msi file to complete the installation, on the Initialize Database panel
select Preserve Database Data and specify the EnforceReinstallationResources.zip file.

Creating the Enforce Reinstallation Resources file on Linux


Complete the following procedure to create the Enforce Reinstallation Resources file on Linux.
1. Locate the ReinstallationResourcesUtility at /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/bin.
2. Generate an Enforce Reinstallation Resources file by running the following command. The Protect directory and the
output file path are two separate arguments:
./ReinstallationResourcesUtility export /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/ /opt/EnforceReinstallationResources.zip

3. Identify this new EnforceReinstallationResources.zip when reinstalling Symantec Data Loss Prevention from
your backup version.
Include the following parameters (in addition to other required parameters):
reinstallationResourceFile="/opt/EnforceReinstallationResources.zip"
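Before uninstalling, it is worth confirming that the exported archive really holds the CryptoMasterKey.properties file, since the text above gives no recovery path other than Technical Support if it is lost. The following Python check is an added example, not part of this guide or of the Reinstallation Resources Utility; the archive it builds is a constructed stand-in with made-up entry names, and because the path under which the real utility stores the file is not known here, entries are matched on file name only.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import List, Tuple

# The one file the guide says must be an exact copy to reuse the existing database.
REQUIRED = {"CryptoMasterKey.properties"}


def check_reinstallation_resources(zip_bytes: bytes) -> Tuple[bool, List[str]]:
    """Return (ok, report). ok is True only when the bytes are a valid, CRC-clean zip,
    every REQUIRED name is present (matched on basename, so a stored directory prefix
    does not matter) and none of the required entries is zero bytes long."""
    report: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return False, ["not a valid zip archive"]
    with zf:
        if zf.testzip() is not None:
            return False, ["archive is corrupt (CRC mismatch)"]
        found = {PurePosixPath(i.filename).name: i for i in zf.infolist() if not i.is_dir()}
        ok = True
        for name in sorted(REQUIRED):
            info = found.get(name)
            if info is None:
                ok = False
                report.append(f"MISSING: {name}")
            elif info.file_size == 0:
                ok = False
                report.append(f"EMPTY: {name}")
            else:
                report.append(f"ok: {info.filename} ({info.file_size} bytes)")
        extras = sorted(n for n in found if n not in REQUIRED)
        report.append(f"other entries: {len(extras)}")
    return ok, report


def build_sample_archive(include_key: bool = True, empty_key: bool = False) -> bytes:
    """Constructed stand-in for an export. Entry paths and the keystore name are
    made up for the example; the real utility's layout is not reproduced here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if include_key:
            body = "" if empty_key else "# constructed placeholder, not a real key\nkey=PLACEHOLDER\n"
            zf.writestr("config/CryptoMasterKey.properties", body)
        zf.writestr("keystore/placeholder.keystore", b"\x00placeholder keystore bytes")
    return buf.getvalue()


if __name__ == "__main__":
    # Point this at the real export, e.g. open("/opt/EnforceReinstallationResources.zip", "rb").read()
    ok, lines = check_reinstallation_resources(build_sample_archive())
    print("BACKUP OK" if ok else "BACKUP INCOMPLETE")
    for line in lines:
        print(" ", line)
```

Run the check against the real EnforceReinstallationResources.zip and copy the archive off the host before the uninstall starts, because the uninstaller removes the directory tree the export was taken from.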

Uninstalling a server from a Windows system


The uninstallation process deletes all files and directories created by the installer. Complete the following backup tasks
before uninstalling a server or a node:

• Ensure that you have backed up all keystore files.
See Backing up keystore files on Windows.
• Run the Reinstallation Resources Utility to create a backup of the CryptoMasterKey.properties file and Enforce
Server keystore files.
See Creating the Enforce Reinstallation Resources file.
• Shut down services to ensure that all Symantec Data Loss Prevention components are removed.
See Starting and Stopping Services on Windows.
NOTE
If you are uninstalling Network Discover clusters, uninstall worker nodes before uninstalling data nodes.

Uninstalling Using a Graphical User Interface


1. Open the Add or Remove Programs control from the Windows Control Panel, select the Symantec Data Loss
Prevention entry, and then click Change/Remove.
The Symantec Data Loss Prevention Uninstall panel appears.
2. Click Next to uninstall Symantec Data Loss Prevention.
3. Click Finish to complete the uninstall process.
NOTE
The uninstall process automatically generates log information saved to a file MSI*.log (* is replaced with
random characters) in the %TEMP% folder.

Uninstalling Silently
You can also use the following commands to uninstall Symantec Data Loss Prevention in Silent Mode:
• Run the following command to uninstall the Enforce Server:
C:\msiexec /x EnforceServer.msi /qn /L*v c:\uninstall.log
• Run the following command to uninstall a detection server or node:
C:\msiexec /x DetectionServer.msi /qn /L*v c:\uninstall.log

Uninstalling a Server from a Linux system


The uninstallation process deletes all files and directories that are created by the installer. Complete the following backup
tasks before uninstalling a server or a node:
• See Backing up Keystore Files on Linux.
• Run the Reinstallation Resources Utility to create a backup of the CryptoMasterKey.properties file and Enforce
Server keystore files.
See Creating the Enforce Reinstallation Resources file.
NOTE
If you are uninstalling Network Discover clusters, uninstall worker nodes before uninstalling data nodes.
1. Go to the command line.
2. Choose an uninstallation command:
• Run the following uninstallation command to remove all servers, nodes, and components for version 16.0.1:
rpm -e $(rpm -qa "symantec-dlp-16-0-1*")
NOTE
You can replace 16-0-1 with any DLP version you plan to uninstall. For example, enter 16-0 to
uninstall version 16.0.

Running this command leaves dependencies on the server. You can remove
symantec-dlp-keyview-12-5-12.5.0.0-19012.x86_64 if you are running version 16.0; version 16.0 uses a
different KeyView version. KeyView 12.5 is required for version 15.8, so leave this dependency if you are running a
15.8 system on the server.
Do not remove the following required dependencies if you are running a version of Symantec Data Loss
Prevention on the server:
• symantec-dlp-enforce-server-system-dependencies-1.0.0-1.el7.x86_64
• symantec-dlp-enforce-server-services-1.0.0-1.el7.x86_64
• Run the following uninstallation command to remove all servers, nodes, and components for all versions that exist
on the server:
rpm -e $(rpm -qa "symantec-dlp-*")
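The note above gives rules for which leftover packages may be erased after the versioned rpm -e command. The following Python encodes those rules against a package list of the kind rpm -qa "symantec-dlp-*" prints; it is an added example, not from this guide, and apart from the package names quoted in the note the versioned package names it uses are constructed, as is the assumption that versioned packages are named symantec-dlp-<major>-<minor>[-<patch>]-<component>.

```python
import re
from typing import Dict, List, Set

# Constructed output of `rpm -qa "symantec-dlp-*"` on a host where 15.8 is still
# installed after the 16.0.1 packages were removed. The keyview and dependency package
# names are the ones quoted in the note; the 15-8 package name is made up.
SAMPLE_RPM_QA = """\
symantec-dlp-15-8-enforce-server-15.8.0.0-1.x86_64
symantec-dlp-keyview-12-5-12.5.0.0-19012.x86_64
symantec-dlp-enforce-server-system-dependencies-1.0.0-1.el7.x86_64
symantec-dlp-enforce-server-services-1.0.0-1.el7.x86_64
"""

# Assumed naming of versioned packages: symantec-dlp-<major>-<minor>[-<patch>]-...
VERSIONED_RE = re.compile(r"^symantec-dlp-(\d+-\d+(?:-\d+)?)-")
# Required while any DLP version remains on the server (from the note above).
SHARED_DEPS = ("symantec-dlp-enforce-server-system-dependencies-",
               "symantec-dlp-enforce-server-services-")
# Required by 15.8 only; 16.0 uses a different KeyView version (from the note above).
KEYVIEW_12_5 = "symantec-dlp-keyview-12-5-"


def installed_dlp_versions(packages: List[str]) -> Set[str]:
    """Versions still present, e.g. {"15.8", "16.0.1"}, derived from versioned package names."""
    versions: Set[str] = set()
    for p in packages:
        m = VERSIONED_RE.match(p)
        if m:
            versions.add(m.group(1).replace("-", "."))
    return versions


def classify_leftovers(packages: List[str]) -> Dict[str, List[str]]:
    """Split remaining symantec-dlp-* packages into "remove" and "keep".
    Shared dependency packages stay while any DLP version is installed; KeyView 12.5
    stays only while a 15.8 install remains; anything unrecognised is kept rather than guessed at."""
    versions = installed_dlp_versions(packages)
    result: Dict[str, List[str]] = {"remove": [], "keep": []}
    for p in packages:
        if VERSIONED_RE.match(p):
            result["keep"].append(p)  # belongs to an installed version, not a leftover
        elif p.startswith(SHARED_DEPS):
            (result["keep"] if versions else result["remove"]).append(p)
        elif p.startswith(KEYVIEW_12_5):
            needed = any(v.startswith("15.8") for v in versions)
            (result["keep"] if needed else result["remove"]).append(p)
        else:
            result["keep"].append(p)
    return result


def parse_rpm_qa(text: str) -> List[str]:
    return [line.strip() for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    plan = classify_leftovers(parse_rpm_qa(SAMPLE_RPM_QA))
    print("remove:", plan["remove"])
    print("keep:  ", plan["keep"])
```

On a real host, feed the function the actual output of rpm -qa "symantec-dlp-*" and review the "remove" list before passing it to rpm -e; the point of the check is to avoid erasing the dependency packages while another DLP version still depends on them.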

About Symantec DLP Agent removal


You may need to uninstall the Symantec DLP Agent from your endpoints. You can uninstall Symantec DLP Agents in the
following ways:

Table 233: Removing the Symantec DLP Agent

Removing a DLP Agent from a Windows endpoint
Removing DLP Agents from Windows Endpoints Using System Management Software
Removing DLP Agents from Mac endpoints Using System Management Software
Removing a DLP Agent from a Mac Endpoint
Removing a DLP Agent from a Linux Endpoint

Removing a DLP Agent from a Windows endpoint


You can uninstall Symantec DLP Agents manually. Manual uninstallation is only possible if you configured the Symantec
DLP Agent to appear in the endpoint Add or Remove Programs list during deployment.
Process to install the DLP Agent on Windows
To uninstall the agent manually
1. Go to Start > Control Panel and double-click Add or Remove Programs.
2. Select Agent Install.
3. Click Remove.

About Symantec DLP Agent removal

Removing DLP Agents from Windows Endpoints Using System Management Software
Follow this procedure if you hid the Symantec Data Loss Prevention service from the Add or Remove Programs list (ARP)
during installation.
Because the Symantec DLP Agent does not appear in the ARP, you cannot use the ARP list for the uninstallation process.
You must use the MSI command to remove the Symantec DLP Agent. Only use the MSI command uninstallation if you
have hidden the Symantec DLP Agent from the ARP during installation.
To remove the agent with the MSI command

1. Open the command prompt window.
2. Enter the following command:
msiexec /x AgentInstall_16_0_1.msi

You can add several different options to this command.
3. Click OK.
The Symantec DLP Agent uninstalls.
To remove the agent manually if the agent does not appear in the ARP
4. Open the command prompt window.
5. Enter the following command, where {guid} is the product code. You can locate the GUID in the Windows registry or
in the uninstall_agent.bat file.
You can add several other options to this command:
msiexec /x {guid}

6. Enter any optional commands at the end of the command:
msiexec /x AgentInstall_16_0_1.msi

7. Click OK.
You can add options to the uninstall command such as SilentMode or Logname. SilentMode allows the Symantec
DLP Agent to uninstall without displaying a user interface on the desktop. The uninstallation takes place in the
background of the workstation and is not visible to the user. Logname lets you set any log file you want. However, this
option is only available if you have the original installer present. If you do not have the original installer, you must use
the product code.
The code for a silent install is:
/QN:silentmode

The code for Logname is:
/Lv _logname

msiexec.exe has several other options. For further options, see your MSI guide.

About Symantec DLP Agent removal

Removing DLP Agents from Mac endpoints Using System Management Software
Use the following steps to remove DLP Agents from Mac endpoints using your system management software (SMS).
1. Locate the uninstall_agent command and copy it to a temporary location on the endpoint.
This tool is located in the Symantec_DLP_16.0.1_Agent_Mac-IN.zip file.
2. Add the uninstall command to your SMS.
sudo /tmp/uninstall_agent -prompt=n
rm -f /tmp/uninstall_agent
Replace /tmp with the location where the uninstall_agent command is located.

3. Identify agents to be uninstalled and run the uninstallation.

Removing a DLP Agent from a Mac Endpoint


You can uninstall the Mac DLP Agent by running the uninstaller tool from the default agent installation location:
/Library/Manufacturer/Endpoint Agent.
1. Locate the uninstall_agent command and copy it to a temporary location on the endpoint.
This tool is located in the Symantec_DLP_16.0.1_Agent_Mac-IN.zip file.
Open the Terminal app.
2. Run this command:

$ sudo ./uninstall_agent
NOTE
You can review uninstall logs on the Terminal application by running this command: sudo ./uninstall_agent
-prompt=no -log=console. By default, logs are saved to the uninstall_agent.log file.

Removing a DLP Agent from a Linux Endpoint


Uninstall the DLP Agent from Linux and Ubuntu distributions by running the uninstaller tool from the default agent
installation location: /opt/Manufacturer/EndpointAgent.
Run the uninstall tool as sudo.
1. Locate the uninstall_agent command and copy it to a temporary location on the endpoint.
This tool is located in the Symantec_DLP_16.0.1_Agent_Lin-IN.zip file.
2. Make the tool executable and run it as sudo:
sudo chmod +x ./uninstall_agent.sh
sudo ./uninstall_agent.sh

The uninstall tool removes files and folders that are associated with the agent.
3. Review uninstallation logs at /var/log/AgentUninstall.log.

About High Availability and Disaster Recovery for Symantec Data Loss
Prevention
Use this content to optimize your Symantec Data Loss Prevention implementation high availability (HA) and disaster
recovery (DR) plan and policies.
These high availability and disaster recovery considerations and recommended best practices for Symantec Data Loss
Prevention (DLP) components are provided so that your organization can assess successful implementations. Your
assessment can help you to tune and optimize your DLP implementation for HA and DR.
NOTE
This document does not provide a comprehensive high availability and disaster recovery plan.
Every DLP deployment is unique to the security and compliance needs of an organization. These recommendations may
not exactly meet with the HA and DR requirements of your organization. The HA/DR plan that you use for DLP should fit
with the IT plan your organization uses.

Testing and Qualification Disclaimer
Not all products and configurations that are mentioned in this document have been tested or fully qualified by Symantec.
The document also references third-party tools, products, and configurations that are not tested or officially certified
by Symantec. Before you implement an HA and DR plan, see DLP System Requirements.

Governance Considerations
Organizations strive to meet multiple regulations in the current regulatory environment. When considering a high
availability (HA) and disaster recovery (DR) solution for Symantec Data Loss Prevention, consider the following items:
• What type of data is captured
• Where is data stored
• How long is data retained at each point along the communication path
First, an understanding of the architecture and data communication flow can help you to decide on the most effective
approach.
Second, it is important to consider HA/DR solutions from an information and data governance and response perspective.
Answer the following questions to form a basis for how your organization determines a need for HA and DR for
Symantec Data Loss Prevention:
• What is the acceptable period of time between a data event and the notification? The acceptable period may be based
on the data governance standards of your organization (for example, breach and investigations and policies and
processes).
• How much time can be allowed to pass between incident creation to notification within the Enforce Server
administration console?

Related Links
General Considerations for DLP Data Flow and Incident Data Storage on page 544
Familiarize yourself with the DLP data flow and incident storage and how each relates to different DLP components.
Best-Practice Considerations for Optimizing Symantec Data Loss Prevention for High Availability and Disaster
Recovery on page 545
Meet governance and regulatory requirements by configuring your DLP environment to meet your business needs while
balancing server resources.
Regulatory Requirements Affecting High Availability and Disaster Recovery on page 545
Cybersecurity Control Frameworks on page 545
Review cybersecurity control framework requirements for disaster recovery, contingencies, continuity, planning, alternate
storage, and processing capabilities.
Control Categories on page 546
Review the cybersecurity control frameworks that may be implicated in regulatory requirements and cybersecurity control
frameworks.

General Considerations for DLP Data Flow and Incident Data Storage
Familiarize yourself with the DLP data flow and incident storage and how each relates to different DLP components.
For DLP Agents, the Symantec Data Loss Prevention data flow stores incident data on the endpoint where
the DLP Agent is installed. The data is saved until the agent connects to the Endpoint Server. You can configure the
agents to store incidents for a predetermined period or based on the available disk space.
All detection servers store the incident and log data locally until they connect to the Enforce Server. You can configure the
detection servers to store incidents for a predetermined period or based on the available disk space.

If your organization has a Recovery Time Objective (RTO) for the Enforce Server and the Oracle database of up to
8 hours, then you must configure your agents and servers to accommodate incident data up to 24 hours. This period
provides substantial flexibility for the RTO. This approach ensures that you do not lose any incident data and alleviates
the need for advanced HA/DR programs, software, and hardware expenditures. However, you may not have access to
incident data until the Enforce Server and Oracle server connections are reestablished. Symantec recommends that you
review these scenarios with your risk, legal, and compliance teams to determine an appropriate recovery objective for
Symantec Data Loss Prevention.

Best-Practice Considerations for Optimizing Symantec Data Loss Prevention for High
Availability and Disaster Recovery
Meet governance and regulatory requirements by configuring your DLP environment to meet your business needs while
balancing server resources.
When apportioning server size and resources, consider the size of the local disk. If the Enforce Server or database goes
down, each server and DLP Agent stores all incidents locally until the Enforce Server and DLP services come back online.

Regulatory Requirements Affecting High Availability and Disaster Recovery


Take regulatory requirements and audits into account when creating your HA/DR plan.
The following regulatory mandates require specific high-availability practices:
• Sarbanes-Oxley Act (SOX)
• Federal Information Security Management Act of 2002 (FISMA)
• Health Insurance Portability and Accountability Act (HIPAA)
• General Data Protection Regulation (GDPR)
These regulatory mandates require a disaster recovery or contingency plan and alternative processing and storage sites.
Each specifically identifies information data protection.

Cybersecurity Control Frameworks


Review cybersecurity control framework requirements for disaster recovery, contingencies, continuity, planning, alternate
storage, and processing capabilities.
The following cybersecurity control frameworks require specific planning:
• CSA Cloud Controls Matrix
• CMS Information Security ARS
• Control Objectives for Information and Related Technology (COBIT)
• COSO
• FEDRAMP
• NIST CyberSecurity Framework
• NIST 800-30
• NIST 800-53r4
• NERC - CIP
NOTE
SOX, COBIT, CSA, and NIST 800-53r4 specifically address software availability.

Control Categories
Review the cybersecurity control frameworks that may be implicated in regulatory requirements and cybersecurity control
frameworks.
Review the following list of control categories:
• Contingency Planning
– Alternate Processing Site
• Alternate Information Processing Site
• Alternate Information Processing Site Agreements
• Technology Services Continuity Recovery Site Identification
– Alternate Storage Site
• Alternate Information Storage Site
• Alternate Information Storage Site Agreements
• Business Continuity Plan Offsite Documentation Storage
• Continuity Plan Off-Site Storage
• Technology Continuity Off-Site Materials Backup Storage Selection
• Technology Recovery Hardware Location
• Contingency Plan
• Contingency Plan Testing and Exercises
• Contingency Planning Policy and Procedures
• Contingency Training
• Information System Recovery and Reconstitution
– Data Restoration Procedures
– Data Restoration Testing
– IT Resource Recovery Prioritization
– Standby System Component Role Assumption
– System Restoration Asset Protection
– System Restoration Procedures
– System Transaction Recovery Mechanisms

Architectural Considerations
Review the following HA/DR considerations as they relate to your system architecture.
Enterprise customers most commonly deploy Symantec Data Loss Prevention to a three-tier environment. A three-tiered
environment is represented by components that are listed in the following table.

Table 234: Three-tier environment components

Component: Oracle database
Description: Symantec Data Loss Prevention supports Enterprise Edition. Symantec recommends that customers use this
edition if they have a strong Oracle presence. In general, Enterprise Edition provides options that are more robust for HA
and DR.
Symantec Data Loss Prevention also supports Standard Edition. Symantec recommends that customers use this edition if
they rely on Oracle less frequently. This edition is common if the database has been licensed directly from Symantec as
part of the overall DLP license acquisition.
More information: See Oracle Architectural Considerations.

Component: Enforce Server administration console
Description: The Enforce Server serves as the primary user interface for Symantec Data Loss Prevention and is the method
for writing and deploying policy, as well as aggregating and storing incidents in the database. Only one Enforce Server
administration console can be active in a deployed Symantec Data Loss Prevention instance, which is the most important
consideration for HA and DR purposes.
More information: See Enforce Server Architectural Considerations.

Component: Detection servers
Description: Most detection servers are responsible for analyzing content and generating incidents. This type of detection
server includes the following:
• Network Monitor
• Network Prevent for Web
• Network Prevent for Email
• Network Discover
• Network Discover clusters
The Endpoint Prevent server, which provides server support for Endpoint Prevent and Endpoint Discover, typically acts as a
relay, sending policies down to DLP Agents and retrieving incidents generated from agents.
You can use cloud servers to replace on-premises detection servers. Symantec offers several services for cloud-based
detection and integrations.
More information: See Detection Server Architectural Considerations. See Cloud Architectural Considerations.

Each tier represents different functionality as part of the whole Symantec Data Loss Prevention system. Because of the
multiple tiers, HA and DR considerations should be evaluated independently for each tier rather than treating the entire
system as a homogenous whole.

Oracle Architectural Considerations


Review the Oracle database architecture to best tailor your HA/DR plan.
When the Oracle database is not available, the following occurs:
• Users do not have access to the Enforce Server administration console
• Enforce Server response rules are not triggered (for example, email notifications).
• New policies and policy changes are not deployed
• Incidents are not written to the database
• DLP APIs are not available

NOTE
Incident detection and blocking that uses response rules that the detection server applies should continue on
detection servers and agents.
Loss of the Oracle database is significant for the system, but does not stop DLP from running. Detection servers and
agents use the cached version of the last used policy set to trigger incidents (and execute block rules, if configured).
Lack of access to the Enforce Server administration console is typically the biggest impact from an Oracle outage.
Configuring HA and DR for the Oracle database generally depends on the edition of Oracle that you use:
• Enterprise Edition
Multiple options exist for near real-time high availability (for example, Oracle RAC) and site recovery (for example,
Data Guard). These options can typically be highly automated to achieve mostly transparent fail over with minimal user
intervention.
• Standard Edition
The options for backup and recovery are manual and can often be automated through custom scripting. Cold or warm
backups using Oracle Recovery Manager (RMAN) provide the pathway to availability and recovery.

Questions to Ask When Planning for the Oracle HA and DR


Consider the following questions when planning for HA and DR:
Question: How long can an outage be tolerated?
Detail: Identifying enterprise availability and recovery tiers for the Oracle database can help drive the architectural
requirements or operational strategies that are required to restore service. Smaller tolerances require more automated
solutions and dedicated standby recovery target hardware. Larger tolerances allow systems to be rebuilt and restored in a
more manual fashion, sacrificing recovery speed for lower infrastructure costs.

Question: What amount of data loss (for example, incidents and policies) can be tolerated?
Detail: Enterprise Edition features like Data Guard can help preserve data in near real-time versus manual or scheduled
cold backups or RMAN backups.

Question: Is there a possibility to invest in alternate site standby hardware?
Detail: Regardless of the choice of Enterprise or Standard Edition, standby alternate recovery target platforms are an
option. Consider whether you can invest in warm/cold alternate site hardware, or have other available options (on-demand
hardware-rush services, on-demand cloud hosts, etc.).

Enforce Server Architectural Considerations


Review these issues that occur when the Enforce Server is not available and understand methods to minimize downtime.
When the Enforce Server is not available, the following occurs:
• Users lose access to the Enforce Server administration console
• Enforce Server-level response rules are not triggered (for example, email notifications)
• New policy or policy changes cannot be deployed
• Incidents are not written to the database
• Integrations with Data Insight, ICA, and other products that depend on APIs that connect to the Enforce Server will not
function.
Incident detection and blocking proceeds normally for detection servers and DLP Agents. Incidents are stored locally
on detection servers and endpoints until the Enforce Server is available. If the Enforce Server is down for an extended
period, there is a potential for new incidents to not be recorded. New incidents are not recorded if the detection server or
endpoint does not have sufficient disk space available.
The Enforce Server presents a unique challenge among the tiered components; only one Enforce Server can be active
in a Symantec Data Loss Prevention deployment. You can create a secondary Enforce Server; however, ensure that the
DLP Services on secondary or standby Enforce Server are stopped. Because of this limitation, most strategies regarding
Enforce Server availability and disaster recovery are centered on creation of an active-passive architecture where a
second Enforce Server is located in an alternate site (or same site, if availability is a chief concern) with services stopped.
While most configuration data is kept in the Oracle database, a key set of files must be automatically or manually synced
to the secondary/recovery Enforce Server to ensure operational continuity. See Configure the Enforce Server for High
Availability and Disaster Recovery for additional information on what files are necessary. Failover to the secondary server
does not have to be manual. You can use custom scripts that are triggered by monitoring software to automate the failover
process.
Backup and recovery options for an Enforce Server are not limited to physical hardware. Many excellent solutions exist for
server virtualization (for example, VMware vMotion), which provides protection against host failure, and for server mirroring
or replication (using either snapshots or automated replication). When considering these solutions, keep in mind the
requirement that only one Enforce Server can be active.

Questions to Ask When Planning for the Enforce Server HA and DR


Consider the following questions when planning for the Enforce Server HA and DR:

Table 235: Planning questions for the Enforce Server HA and DR

Question: How long can an outage be tolerated?
Details: Identifying enterprise availability and recovery tiers for the Enforce Server helps drive the architectural requirements or operational strategies that are required to restore the service. Smaller tolerances require more automated solutions and dedicated standby recovery target hardware. Larger tolerances allow systems to be rebuilt and restored in a more manual fashion, sacrificing recovery speed for lower infrastructure costs.

Question: Is the Enforce Server virtualized?
Details: Virtualization presents many advantages over physical hardware for HA and DR of the Enforce Server.

Question: Is there a possibility to invest in alternate site standby hardware?
Details: Many customers have a passive standby Enforce Server in an alternate site, but an agile organization may be able to quickly install the Enforce Server software on a new server and copy the necessary configuration files to it. This method trades infrastructure costs for a delay in the recovery time. Understanding your organization's Recovery Point Objective (RPO) is important to determine the need for dedicated recovery targets.

Detection Server Architectural Considerations


Review issues that occur when detection servers are not available and understand methods to minimize downtime.
If a detection server goes down, the effects vary based on the server type. Review the following table for details.

Table 236: Detection server outage summary

Detection server type: Network Monitor, Network Prevent for Web, Network Prevent for Email
Outage description: Detection and incident logging stops.

Detection server type: Network Discover
Outage description: Active or scheduled scans stop and no incidents are logged.

Detection server type: Endpoint Prevent/Endpoint Discover
Outage description: Detection on agents continues as usual (including blocking and popup notifications). Incidents are stored locally on the endpoint until the Endpoint Server is available. If the Endpoint Server is down for an extended period, new incidents may not be recorded. New incidents are not recorded if the endpoint does not have sufficient disk space available. These incidents are not visible in the Enforce Server until the Endpoint Servers are restored.

Loss of detection servers has a significant impact on the Symantec Data Loss Prevention solution. Depending on the
type of detection server, traffic inspection can fail. Fortunately, most detection servers are horizontally scalable. Strong
availability is achieved by using load-balancing solutions that are coupled with N+1 or N+2 server deployments. As loss
of each type of detection server has different impacts on operations, different considerations can be given to each for HA/
DR.

Network Prevent for Email and Network Prevent for Web

Companies often use Network Prevent for Email and Network Prevent for Web detection servers as a primary line of
defense for data loss prevention, especially due to their ability to block content. For high availability purposes, deploying
these servers in an N+1 or N+2 allotment provides an excellent guard against single-server failure when accompanied by
load-balancing technologies.
The critical nature of these two detection server types means that customers often have active or warm standby
infrastructure at an alternate site for disaster recovery purposes.

Endpoint Prevent and Endpoint Discover

Endpoint Servers do not directly inspect most traffic and merely serve as a relay for policies and incidents
to DLP Agents. Because these servers only relay data, the temporary loss of one or more Endpoint Servers is acceptable.
NOTE
However, Endpoint Servers detect data when two-tier detection is used with EDM and IDM profiles.
Consider implementing one of the following architectural scenarios for Endpoint Prevent and Endpoint Discover servers:
• Load-balance Endpoint Servers in an N+1 configuration. This configuration improves availability for agents because
one URL/virtual IP address can be used to represent all Endpoint Servers
• Locate Endpoint Servers in a DMZ or public-facing private cloud instance. This configuration provides availability to
agents even when they are not connected to the corporate network

Failover Considerations for Agents


Plan the agent failover to account for agent connection requirements. When generating the agent installation package,
you can designate secondary servers to provide backup if the primary is down.
Agents cannot easily fail over to an environment consisting of a different database. If you use a failover site that includes a
separate Enforce Server and separate database, review the following agent communication considerations:

• Change the endpoint keystore password on the Enforce Server.
• Apply the same password on the backup Enforce Server.
• Restart Endpoint Servers to ensure that the keystore password is applied.
• Create an agent installation package using the new endpoint keystore password. The backup Enforce Server can then
communicate to agents using certificates that use the same keystore password.
NOTE
The above failover plan has not been tested with third-party certificates.

Network Monitor

Network Monitor uses a SPAN or TAP connection, and therefore needs special consideration for high availability and
disaster recovery.
Consider implementing the following architectural scenarios for Network Monitor servers:
• If you virtualize servers, dedicate a host to the virtual machine so that it can take full advantage of the physical network
cards in the host.
• If you use physical hardware, deploy in an N+1 configuration where “load balancing” is performed by way of traffic
steering on advanced edge network appliances. Customers typically have a standby/active infrastructure that is
deployed in an alternate site location. The infrastructure is not merely for failover purposes. It also monitors traffic in
the alternate site.

Network Discover

Owing to the nature of planned, scheduled scans, Network Discover is often the lowest priority in a high availability
and disaster recovery plan. Most customers rebuild a new Network Discover server upon failure of an existing server,
rather than keeping dedicated failover hardware. Incidents from Network Discover are often not generated in real time,
but over the course of days, weeks, months, or even years. The recovery point objective is usually measured in a longer
time frame that allows for a more casual plan to rebuild the servers.

Cloud Architectural Considerations


Symantec offers several services for cloud-based detection and integrations (for example, cloud email, and WSS for cloud
web protection). These services already provide built-in availability and disaster recovery. See Configure the Symantec
Data Loss Prevention Cloud Service for Disaster Recovery.
Private clouds also provide an option for failover/high availability as an alternative site location for some components of
on-premises DLP infrastructure. Symantec customers have placed the Oracle database, Enforce Server, and Endpoint
Servers in private cloud instances, both as primary servers and recovery targets.
When setting up an Enforce Server as a recovery target, confirm that it uses the same universally unique identifier (UUID)
as the production server. Cloud services use the UUID to identify the Enforce Server.
The UUID is stored in the database.

Related Links
Performing a cold backup of the Oracle database on Windows on page 487
Performing a Cold Backup of the Oracle Database on Linux on page 505
Configure the Symantec Data Loss Prevention Cloud Service for Disaster Recovery on page 561

Best Practices

Go to the following sections to learn how to optimize these components in your Symantec Data Loss Prevention
environment for high availability and disaster recovery:
• Configure Oracle 19c Enterprise Edition for High Availability and Disaster Recovery
• Configure Oracle 19c Standard Edition for High Availability and Disaster Recovery
• Configure the Enforce Server for High Availability and Disaster Recovery
• Configure Detection Servers for High Availability and Disaster Recovery
• Configure Information Centric Analytics for High Availability and Disaster Recovery

Configure Oracle 19c Enterprise Edition for High Availability and Disaster Recovery

Apply the recommendations and best practices to optimize the Oracle Enterprise Edition database for high availability and
disaster recovery.

Table 237: Best practices for Oracle 19c Enterprise Edition

Best practice: Use Oracle Real Application Clusters (RAC).
Description: RAC enables you to run a single Oracle Database across multiple servers. This maximizes availability and enables horizontal scalability, while accessing shared storage. If one node of the cluster fails, other nodes enable continued function of the database.

Best practice: Use Oracle Data Guard.
Description: Oracle Data Guard can replicate each database record and save them to a secondary database or cluster. If a catastrophic database or database server failure occurs, Data Guard minimizes data loss. See the Oracle Data Guard documentation for details on the Data Guard architecture and implementation: https://docs.oracle.com/en/database/oracle/oracle-database/19/sbydb/index.html

Best practice: Use ARCHIVELOG mode for backups.
Description: To use Data Guard, you must run the database in ARCHIVELOG mode. This setting enables the use of a flashback database. A flashback database allows for reverting the database to a moment in time before the failure occurred. The flashback database feature can take a large amount of disk space. See the following Oracle resources for backup scenarios:
• Use flashback for RMAN backups. https://docs.oracle.com/en/database/oracle/oracle-database/19/bradv/rman-performing-flashback-dbpitr.html
• Use RMAN for hot and incremental backups. https://docs.oracle.com/en/database/oracle/oracle-database/19/bradv/index.html

Best practice: Verify the failover, backup, and restore procedure.
Description: Symantec recommends that you verify the failover, backup, and restore procedure at least once a year. Testing failover at this frequency ensures that you can resolve problems before failover issues occur.

Best practice: Create and maintain a testing environment.
Description: Create a testing environment that is a full copy of the production environment. You use this environment to test all major Enforce Server changes without impacting the production environment. The complete DR processes should be documented and tested quarterly at most, and yearly at a minimum. Make sure that each member of the team can perform the entire process.

Best practice: Synchronize the Oracle wallet certificates.
Description: Update the connection wallet and connection strings in the jdbc.properties and tnsnames.ora files as needed. Synchronizing ensures that communication between the primary and secondary nodes remains operational.

Architecture for Oracle 19c Enterprise Edition HA/DR

The following diagram provides an example of an Oracle 19c Enterprise Edition implementation that is optimized for HA/
DR.
Figure 7: Oracle HA/DR Configuration

Configure Oracle 19c Standard Edition for High Availability and Disaster Recovery
Apply the recommendations listed in the following table to optimize the Oracle Standard Edition database for high
availability and disaster recovery.

Table 238: Best practices for Oracle 19c Standard Edition

Best practice: Use Oracle Fail Safe (for Windows servers).
Description: Oracle Fail Safe provides failover services. See the Oracle documentation for feature and setup information: https://docs.oracle.com/cd/E27731_01/doc.41/e24699/intro.htm#OFSCN109

Best practice: Use RMAN for backups.
Description: You can use RMAN for hot and incremental backups. See the Oracle documentation for feature and setup information: https://docs.oracle.com/en/database/oracle/oracle-database/19/bradv/index.html

Best practice: Verify the failover, backup, and restore procedure.
Description: Symantec recommends that you verify the failover, backup, and restore procedure at least once per year. Testing failover at this frequency ensures that you can resolve problems before failover issues occur.

Best practice: Create and maintain a testing environment.
Description: Review the following recommendations before creating the testing environment:
• Create a testing environment that is a full copy of the production environment. You use this environment to test all major Enforce Server changes without impacting the production environment.
• Document the complete DR processes. Test quarterly at most and yearly at a minimum. Make sure that each member of the team can perform the entire process.
• If the Enforce Server is connected to a cloud service, ensure that the production environment UUID is different from the backup environment UUID. Using different IDs ensures that DLP Cloud points to the production environment. See Configure the Symantec Data Loss Prevention Cloud Service for Disaster Recovery.
• Ensure that the Enforce Server in the test environment does not attempt to connect to the production detection servers. You can do this by changing the IP addresses or host names of the connected detection servers so that the test Enforce Server cannot connect to them.

Best practice: Synchronize the Oracle wallet certificates.
Description: Synchronize the Oracle wallet for use with the TLS wrapper for the JDBC connection. Synchronizing ensures that communication between the primary and secondary nodes remains operational.

Configure the Enforce Server for High Availability and Disaster Recovery
Apply the recommendations listed in the following table to optimize the Symantec Data Loss Prevention Enforce Server
for high availability and disaster recovery.
See the following best practices for configuring the Enforce Server for HA/DR:
• Prevent Database Corruption During Failover Events
• Use a DNS Alias for the Enforce Server
• Use an Active/Passive Strategy
• Use Server Virtualization for the Enforce Server
• Create a Password Update Plan
• Back up Licenses
• Back up Configuration Files
• Back up the Tomcat Certificates
• Back up the AD Integration
• Back up Plug-ins
• Back up Indexed Content
• Back up the Derby DB
• Back up LOB Externalization
• Test Failover and Validation
• Run the Update Readiness Tool
• Back up the CA Root Certificate
• Configure the Symantec Data Loss Prevention Cloud Service for Disaster Recovery

Prevent Database Corruption During Failover Events

During failover, you can switch the database connection from the primary Enforce Server to the secondary Enforce Server.

NOTE
Do not run Enforce Server instances simultaneously. Connecting both Enforce Server instances to the
database can corrupt the database.
Prevent database corruption by completing the following procedure:
1. Stop all DLP services on the primary Enforce Server.
NOTE
Set the startup type to Disabled to ensure that the services on the primary Enforce Server cannot start.
2. On the secondary Enforce Server, update the jdbc.properties file to point to the Oracle database previously used
by the primary Enforce Server.
3. Start all DLP services on the secondary Enforce Server.
NOTE
You can set the startup type to Automatic to start the services automatically if the Enforce Server is
rebooted.

Use a DNS Alias for the Enforce Server

Use a DNS alias for the Enforce Server name. Using an alias speeds recovery because you are not required to change
the Enforce Server DNS name. You only change the alias pointer.

Use an Active/Passive Strategy

When designing an HA configuration, the biggest problem is downtime. You can minimize downtime by having a warm
standby/passive server ready for action. If a disaster or a failover event occurs, a warm standby/passive server minimizes
the downtime.
You can clone the Enforce Server (with all services stopped and disabled) for use in the warm standby/passive instance.
Keep the services stopped and disabled until the server activates.

Use Server Virtualization for the Enforce Server

You can use virtual machines for primary and secondary instances of the Enforce Server with a full clone of the primary.
Whether you use dedicated or non-dedicated resources for the Enforce Server and detection server depends on several
factors. Consider the following items when choosing resource allocation:
• Number of CPUs
• Amount of dedicated RAM
• Resource reservations for CPU cycles and RAM
The virtualization overhead and guest operating system overhead can lead to a performance degradation in throughput
for large datasets compared to a system running on physical hardware. Use your own test results as a basis for sizing
deployments to virtual machines. For HA purposes, choose a server virtualization environment that is configured to
prevent over-subscription on host machines. Over-subscription is detrimental to DLP performance.
You can clone the Enforce Server using virtualization tools. Sync the DLP installation files hourly with rsync (or a similar
application) between the primary and the secondary. Clone the secondary Enforce Server only when the primary DLP
services are not running.

Create a Password Update Plan

Set up a sync that matches the cadence of the password rotation. Create scheduled tasks that sync the
EnforceReinstallationResources.zip file, all the Java keystore (*.jks) files in the JRE and Tomcat paths, and the
custom command and control certificates.
You can confirm the cryptographic key rotation by reviewing log entries. For example, the log file
manager_operational_X.log may contain entries like the following:
(MANAGER.2) The Manager is now running
26/Apr/21:16:05:14:259-0400 [INFO] (MANAGER.805) Checking if cryptographic keys require rotation
26/Apr/21:16:05:14:312-0400 [INFO] (MANAGER.806) The System cryptographic keystore has been rotated. Next rotation will occur in 30 days
26/Apr/21:16:05:14:325-0400 [INFO] (MANAGER.807) The External cryptographic keystore has been rotated. Next rotation will occur in 30 days
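The rotation messages above can be parsed to confirm that both keystores rotated together and to derive how often the keystore sync to the standby Enforce Server must run. This is an added example, not Symantec code; the line layout "<timestamp> [LEVEL] (CODE) message" and the timestamp format dd/Mon/yy:HH:MM:SS:mmm<tz> are assumed from the excerpt, and the sample lines are constructed.

```python
"""Detect keystore rotation events in Enforce Server manager_operational logs
and derive the sync cadence for the standby server's keystores.
Added example, not Symantec code; log layout assumed from the excerpt above."""
import re
from datetime import datetime, timedelta

# Constructed sample lines in the excerpt's layout (not captured from a real server).
SAMPLE_LOG = """\
26/Apr/21:16:05:14:259-0400 [INFO] (MANAGER.805) Checking if cryptographic keys require rotation
26/Apr/21:16:05:14:312-0400 [INFO] (MANAGER.806) The System cryptographic keystore has been rotated. Next rotation will occur in 30 days
26/Apr/21:16:05:14:325-0400 [INFO] (MANAGER.807) The External cryptographic keystore has been rotated. Next rotation will occur in 30 days
27/Apr/21:02:00:00:001-0400 [INFO] (MANAGER.805) Checking if cryptographic keys require rotation
"""

# Constructed sample where only one keystore rotated: syncing from this state
# without noticing would leave the standby with a mismatched keystore pair.
SAMPLE_LOG_PARTIAL = """\
26/Apr/21:16:05:14:312-0400 [INFO] (MANAGER.806) The System cryptographic keystore has been rotated. Next rotation will occur in 30 days
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/[A-Za-z]{3}/\d{2}:\d{2}:\d{2}:\d{2}:\d{3}[+-]\d{4}) "
    r"\[(?P<level>[A-Z]+)\] \((?P<code>MANAGER\.\d+)\) (?P<msg>.*)$"
)
ROTATED_RE = re.compile(
    r"The (?P<store>System|External) cryptographic keystore has been rotated\. "
    r"Next rotation will occur in (?P<days>\d+) days"
)


def parse_timestamp(ts):
    """Convert '26/Apr/21:16:05:14:259-0400' into a timezone-aware datetime."""
    date_part, millis_tz = ts.rsplit(":", 1)        # '26/Apr/21:16:05:14', '259-0400'
    millis, tz = millis_tz[:3], millis_tz[3:]
    return datetime.strptime(f"{date_part}.{millis}{tz}", "%d/%b/%y:%H:%M:%S.%f%z")


def rotation_events(log_text):
    """Return [(store, rotated_at, next_due)] for every rotation message found."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r = ROTATED_RE.search(m.group("msg"))
        if not r:
            continue
        rotated_at = parse_timestamp(m.group("ts"))
        next_due = rotated_at + timedelta(days=int(r.group("days")))
        events.append((r.group("store"), rotated_at, next_due))
    return events


def rotation_cadence_days(log_text):
    """Shortest announced rotation period: the keystore sync job must run at
    least this often so the standby never holds a stale keystore."""
    events = rotation_events(log_text)
    return min((e[2] - e[1]).days for e in events) if events else None


def next_sync_deadline(log_text):
    """Earliest date by which the standby must have received fresh keystores."""
    events = rotation_events(log_text)
    return min(e[2] for e in events) if events else None


def keystores_in_step(log_text, tolerance_seconds=60):
    """True when the System and External keystores were both rotated within
    `tolerance_seconds` of each other; False flags a partial rotation."""
    latest = {}
    for store, rotated_at, _ in rotation_events(log_text):
        if store not in latest or rotated_at > latest[store]:
            latest[store] = rotated_at
    if set(latest) != {"System", "External"}:
        return False
    delta = abs((latest["System"] - latest["External"]).total_seconds())
    return delta <= tolerance_seconds


if __name__ == "__main__":
    for store, at, due in rotation_events(SAMPLE_LOG):
        print(f"{store:8} rotated {at.isoformat()} next due {due.date()}")
    print("sync at least every", rotation_cadence_days(SAMPLE_LOG), "days;",
          "keystores in step:", keystores_in_step(SAMPLE_LOG))
```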

Consider the scenarios listed in the following table when managing DLP passwords:

Table 239: DLP password scenarios

If: You change the Endpoint and Network Discover communications password. A new .jks file is created (for example, certificate_authority_v#.jks, where # signifies the number of times the password has been changed).
Do: Sync the Endpoint and Network Discover communications password and all other keystore files at the following location (depending on your platform):
• Windows: C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\vv.u\keystore\
• Linux: /var/Symantec/DataLossPrevention/EnforceServer/vv.u/keystore/

If: You update the database password (when you run the DBPasswordChanger.exe utility). The DatabasePassword.properties file is updated.
Do: Sync the DatabasePassword.properties file that is located in the config folder, based on the server and platform:
• Windows:
– Enforce Server: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\vv.u\Protect\config\
– Detection server: C:\Program Files\Symantec\DataLossPrevention\DetectionServer\vv.u\Protect\config\
• Linux:
– Enforce Server: /opt/Symantec/DataLossPrevention/EnforceServer/vv.u/Protect/config/
– Detection server: /opt/Symantec/DataLossPrevention/DetectionServer/vv.u/Protect/config/

If: Your organization uses an internal Certificate Authority.
Do: Sync the cacerts file from the ServerJRE, or reinstall the root CA certificate for your organization. The file is at one of the following locations, depending on your platform and JRE type:
• Windows:
– OpenJRE: C:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\lib\<version>
– Symantec-provided JRE: C:\Program Files\Symantec\DataLossPrevention\ServerJRE\<version>\lib\security
• Linux:
– OpenJRE: /opt/AdoptOpenJRE/jdk8u<version>-jre/lib/security/
– Symantec-provided JRE: /opt/Symantec/DataLossPrevention/ServerJRE/<version>/lib/security/

Back up Licenses

Back up each of the license files (*.slf). The file is at one of the following locations, depending on your platform:
• Windows: C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\<DLP Version>\Protect
\license\
• Linux: /var/Symantec/DataLossPrevention/EnforceServer/<DLP Version>/Protect/license/

Back up Configuration Files

Back up all configuration files to the secondary server to ensure that any edits are also active. Configuration files include
settings for OCR servers, DB connections, and all other Enforce Server-specific configurations that may have been
adjusted in your environment.
Configuration files are at one of the following locations, depending on your platform:
• Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<DLP Version>
\Protect\config\
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/<DLP Version>/Protect/config/

Back up the Tomcat Certificates

Back up the Tomcat certificate. The certificate is located at one of the following locations, depending on your platform:
• Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<DLP Version>
\Protect\Tomcat\conf\server.xml
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/<DLP Version>/Protect/Tomcat/conf/
server.xml
If you do not back up the files, you can reinstall the Tomcat certificate for the Enforce Server. The following table lists the
file locations.

Table 240: Tomcat certificate locations on the Enforce Server

Platform: Windows
Path: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<DLP Version>\Protect\Tomcat\conf\
Files: .keystore, truststore.jks
Note: The .keystore files may be hidden depending on OS settings. See the documentation for your OS to show hidden files.

Platform: Linux
Path: /opt/Symantec/DataLossPrevention/EnforceServer/<DLP Version>/Protect/Tomcat/conf/
Files: .keystore, truststore.jks

Back up the AD Integration

Back up the AD files (used for AD Realms and AD login to the Enforce Server) at the following locations, depending on
your platform:
• Windows:
– C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<DLP Version>\Protect
\Tomcat\webapps\ProtectManager\WEB-INF\SpringSecurityContext.xml
– C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<DLP Version>\Protect
\config\krb5.ini
• Linux:
– /opt/Symantec/DataLossPrevention/EnforceServer/<DLP Version>/Protect/Tomcat/webapps/
ProtectManager/WEB-INF/SpringSecurityContext.xml
– /opt/Symantec/DataLossPrevention/EnforceServer/<DLP Version>/Protect/config/krb5.conf

Back up Plug-ins

Back up any plug-ins that have been updated or added since the installation.
NOTE
Also back up LDAP Lookup plug-ins and scripts wherever the scripts are located.
Back up all the files at the following locations, depending on your platform:
• Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<DLP Version>
\Protect\plugins\
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/<DLP Version>/Protect/plugins/

Back up Indexed Content

Back up or re-index all indexed content (*.rdx). This content is at one of the following locations, depending on your
platform:
• Windows: C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\<DLP Version>
\index\
• Linux: /var/Symantec/DataLossPrevention/ServerPlatformCommon/<DLP Version>/index/

Back up the Derby DB

Derby databases save incremental scan data that is generated after Discover scanning. Back up these databases to
prevent duplicate incidents from being logged in the event that the database is corrupted.
Shut down the Symantec DLP Manager service before backing up the Derby databases.
NOTE
If you do not shut down the service, you risk corrupting the database, which renders it useless.
The database is at one of the following locations, depending on your platform:
• Windows: C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\<DLP Version>\Protect
\scan\catalog\
• Linux: /var/Symantec/DataLossPrevention/EnforceServer/<DLP Version>/scan/catalog
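The backup sections above (licenses, configuration files, Tomcat certificates, AD integration, plug-ins, indexed content, Derby DB) can be driven from one manifest. The following is an added example, not Symantec code: it uses the paths listed above with <DLP Version> supplied by the caller, adds an assumed `root` prefix so it can be exercised against a constructed lab tree, and refuses to copy the Derby DB unless the caller confirms the Symantec DLP Manager service is stopped.

```python
"""Collect the Enforce Server files the sections above say to back up into one
backup tree and report what was missing. Added example, not Symantec code."""
import shutil
import tempfile
from pathlib import Path


def backup_manifest(platform, dlp_version):
    """Map a label to the path this guide gives for it on 'linux' or 'windows'."""
    v = dlp_version
    if platform == "linux":
        opt = f"/opt/Symantec/DataLossPrevention/EnforceServer/{v}/Protect"
        var = "/var/Symantec/DataLossPrevention"
        return {
            "licenses": f"{var}/EnforceServer/{v}/Protect/license",
            "config": f"{opt}/config",
            "tomcat_conf": f"{opt}/Tomcat/conf",   # server.xml, .keystore, truststore.jks
            "ad_spring": f"{opt}/Tomcat/webapps/ProtectManager/WEB-INF/SpringSecurityContext.xml",
            "ad_krb5": f"{opt}/config/krb5.conf",
            "plugins": f"{opt}/plugins",
            "index": f"{var}/ServerPlatformCommon/{v}/index",
            "derby": f"{var}/EnforceServer/{v}/scan/catalog",
        }
    if platform == "windows":
        pf = rf"C:\Program Files\Symantec\DataLossPrevention\EnforceServer\{v}\Protect"
        pd = r"C:\ProgramData\Symantec\DataLossPrevention"
        return {
            "licenses": rf"{pd}\EnforceServer\{v}\Protect\license",
            "config": rf"{pf}\config",
            "tomcat_conf": rf"{pf}\Tomcat\conf",
            "ad_spring": rf"{pf}\Tomcat\webapps\ProtectManager\WEB-INF\SpringSecurityContext.xml",
            "ad_krb5": rf"{pf}\config\krb5.ini",
            "plugins": rf"{pf}\plugins",
            "index": rf"{pd}\ServerPlatformCommon\{v}\index",
            "derby": rf"{pd}\EnforceServer\{v}\Protect\scan\catalog",
        }
    raise ValueError(f"unknown platform: {platform}")


def run_backup(manifest, dest_root, root="", derby_service_stopped=False):
    """Copy each manifest entry to <dest_root>/<label>; return (copied, missing, skipped).
    `root` (assumed lab prefix) lets a constructed tree stand in for the real
    filesystem. The Derby DB is skipped unless the caller confirms the Symantec
    DLP Manager service is stopped, since a live copy risks a corrupt database.
    Hidden files such as Tomcat's .keystore are copied: copytree does not filter dotfiles."""
    copied, missing, skipped = [], [], []
    for label, path in manifest.items():
        if label == "derby" and not derby_service_stopped:
            skipped.append(label)
            continue
        src = Path(root + path) if root else Path(path)
        if not src.exists():
            missing.append(label)
            continue
        dst = Path(dest_root) / label
        if src.is_dir():
            shutil.copytree(src, dst, dirs_exist_ok=True)
        else:
            dst.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst / src.name)
        copied.append(label)
    return copied, missing, skipped


def demo(version="16.0.1"):
    """Build a constructed Linux-style lab tree, back it up, and report the
    outcome plus whether the hidden .keystore made it across."""
    lab = tempfile.mkdtemp(prefix="dlp-lab-")
    m = backup_manifest("linux", version)
    Path(lab + m["licenses"]).mkdir(parents=True)
    (Path(lab + m["licenses"]) / "enforce.slf").write_text("constructed license\n")
    Path(lab + m["tomcat_conf"]).mkdir(parents=True)
    (Path(lab + m["tomcat_conf"]) / ".keystore").write_bytes(b"constructed keystore")
    (Path(lab + m["tomcat_conf"]) / "server.xml").write_text("<Server/>\n")
    Path(lab + m["ad_krb5"]).parent.mkdir(parents=True, exist_ok=True)  # also creates config/
    Path(lab + m["ad_krb5"]).write_text("[libdefaults]\n")
    dest = Path(lab) / "backup"
    copied, missing, skipped = run_backup(m, dest, root=lab)
    hidden_ok = (dest / "tomcat_conf" / ".keystore").is_file()
    return sorted(copied), sorted(missing), skipped, hidden_ok


if __name__ == "__main__":
    print(demo())
```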

Back up LOB Externalization

If you use LOB externalization, consider backing it up. Ensure that both primary and secondary write to the same external
storage. If writing to the same external storage is not possible, disable LOB externalization.
NOTE
If you disable LOB externalization, the Oracle database is used for storage.
Keep in mind that this process is time consuming and difficult, especially if your environment has a large data
set. Symantec recommends that you implement an incremental backup strategy to cut down on overhead. Consider
using RAID 5, 6, or 10 to store the backup.
Several strategies exist for keeping a secondary LOB externalization backup. For example, use a high
availability NAS with a built-in redundancy, run a scheduled rsync, maintain a Windows file system HA, use a block level
mirrored storage replication, and so on.

Test Failover and Validation

Document the entire failover process and ensure that it can be followed by any member of your infrastructure team.
Complete the items listed in the following table when testing failover and validation.

Table 241: Failover and validation checklist

Item to complete: Change the jdbc.properties file to point to the new Enforce Server DB.
Description: Point to the new Enforce Server, which means adjusting the host, port, and service_name to point to the new database instance.
Note: You also adjust the host, port, and service_name values on the server.
Note: For Windows, update the registry key: HKEY_LOCAL_MACHINE > Software > Symantec > Data Loss Prevention > Enforce Server > vv.u > Installation.
Note: For Linux, update the values at /etc/Symantec/DataLossPrevention/EnforceServer/<DLP Version>/Installation/

Item to complete: Disable DLP services on the primary server. Errors occur if services start up during the failover test.
Description: Prior to performing the failover test, note the oldest and newest incidents. After failover, confirm that the oldest and newest incidents are present.

Item to complete: Disable LOB externalization in the Protect.properties file to test new incidents coming in.
Description: Confirm that you can see all tabs and that no data is garbled. Also confirm that the highlighted data is present. Once you have validated the incident highlights, you can trigger the LOB Migration, which moves the incident LOB details to the External Storage location.
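Step 2 of the failover procedure in Prevent Database Corruption During Failover Events and the first checklist item above both come down to rewriting the host, port, and service_name in jdbc.properties. The following added example (not Symantec code) does that: it locates the Oracle thin URL by its value, so it does not rely on a property key name, and refuses to produce the standby's file unless the caller confirms the primary's services are stopped. Assumptions: the URL is of the form jdbc:oracle:thin:@//host:port/service_name, the sample files are constructed, and "jdbc.url" is a placeholder key. The registry (Windows) and Installation directory (Linux) values the checklist also mentions are outside this script.

```python
"""Repoint a standby Enforce Server's jdbc.properties at the Oracle database the
primary was using. Added example, not Symantec code."""
import re

# EZConnect-style Oracle thin URL; `rest` keeps any trailing "?param=..." intact.
ORACLE_THIN_RE = re.compile(
    r"^jdbc:oracle:thin:@//(?P<host>[^:/\s]+):(?P<port>\d+)/(?P<service>[^\s?]+)(?P<rest>.*)$"
)

# Constructed samples; "jdbc.url" is a placeholder key, not the real property name.
PRIMARY_PROPS = """\
# constructed primary Enforce Server jdbc.properties
jdbc.url=jdbc:oracle:thin:@//dlp-db-prod.example.com:1521/PROTECT
jdbc.user=protect
pool.max=30
"""
SECONDARY_PROPS = """\
# constructed standby Enforce Server jdbc.properties (still pointing at a lab DB)
jdbc.url=jdbc:oracle:thin:@//dlp-db-lab.example.com:1521/PROTECTLAB
jdbc.user=protect
pool.max=30
"""


def _split_prop(line):
    """Return (key, value) for a key=value line, else None for comments/blanks."""
    s = line.strip()
    if not s or s.startswith(("#", "!")) or "=" not in s:
        return None
    key, value = line.split("=", 1)      # first '=' only: the URL itself contains ':'
    return key, value.strip()


def parse_db_target(properties_text):
    """Return (host, port, service_name) from the first Oracle thin URL found."""
    for line in properties_text.splitlines():
        kv = _split_prop(line)
        if kv:
            m = ORACLE_THIN_RE.match(kv[1])
            if m:
                return m.group("host"), int(m.group("port")), m.group("service")
    raise ValueError("no jdbc:oracle:thin:@//host:port/service URL found")


def retarget(properties_text, host, port, service_name):
    """Rewrite every Oracle thin URL to the given target; comments, credentials
    and pool settings are preserved unchanged. Returns (new_text, urls_rewritten)."""
    out, changed = [], 0
    for line in properties_text.splitlines(keepends=True):
        kv = _split_prop(line)
        if kv:
            m = ORACLE_THIN_RE.match(kv[1])
            if m:
                eol = line[len(line.rstrip("\r\n")):]   # keep the file's line ending
                url = f"jdbc:oracle:thin:@//{host}:{port}/{service_name}{m.group('rest')}"
                line = f"{kv[0]}={url}{eol}"
                changed += 1
        out.append(line)
    if changed == 0:
        raise ValueError("properties text has no Oracle thin URL to rewrite")
    return "".join(out), changed


def failover_secondary(primary_props, secondary_props, primary_services_stopped):
    """Produce the standby's jdbc.properties pointing at the primary's database.
    Refuses unless the caller confirms the primary's DLP services are stopped
    and disabled: two Enforce Servers on one database can corrupt it."""
    if not primary_services_stopped:
        raise RuntimeError("stop and disable DLP services on the primary first")
    host, port, service = parse_db_target(primary_props)
    new_text, _ = retarget(secondary_props, host, port, service)
    return new_text


if __name__ == "__main__":
    print(failover_secondary(PRIMARY_PROPS, SECONDARY_PROPS, primary_services_stopped=True))
```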

Run the Update Readiness Tool

During the upgrade preparation period, you can run the Update Readiness Tool (URT) to analyze data and table structure
in the database. The process lists the potential database issues that you address before migrating.
The URT identifies data that is no longer compatible with the new schema. Analyzing data helps identify potential
problems before the migration process is started. If you find problems with the database, you can fix them while keeping
the previous version of the Enforce Server up and running.
Issues that are related to LOB data (for example, scan failures or deprecated features that are remaining in LOB data)
cause the migration to fail. During this time, the Enforce Server is not up and running.

Related Links
Checking the database update readiness on page 354

Back up the CA Root Certificate

If your company uses an internal Certificate Authority (for example, you use your own CA server and your own
certificates), Symantec recommends that you back up the CA root certificate as part of your disaster recovery plan.
Complete the following steps to back up the CA root certificate:
1. Open a command prompt.
2. Change the directory to where the CA root certificate file is located.
3. Run the following command to export the certificate in .crt format.
keytool -exportcert -keystore CARoot.jks -alias [exampledomain].com -file CA.crt
4. Import the .crt file into the cacerts file by completing the following steps.
1. Run one of the following commands based on your server platform:
– Windows:
cd "C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security"
keytool -importcert -alias [exampledomain].com -keystore cacerts -file \path\to\CA.crt
– Linux:
cd /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security/
keytool -importcert -alias [exampledomain].com -keystore cacerts -file /path/to/CA.crt
2. Enter the cacerts password: changeit.
5. Locate the Intermediate.crt file, root CA, and SSL cert files.
6. Import the certificates into the cacerts by completing the following steps:
1. Run one of the following commands based on your server platform:
• Windows:
keytool -importcert -alias SSL -keystore cacerts -file \path\to\SSL.crt
• Linux:
keytool -importcert -alias SSL -keystore cacerts -file /path/to/SSL.crt
2. Enter the password for cacerts: changeit.
7. Restart the SymantecDLPManagerService.

Configure the Symantec Data Loss Prevention Cloud Service for Disaster Recovery

The following table lists recommendations for configuring the Symantec Data Loss Prevention cloud service for high
availability and disaster recovery.

Table 242: Best practices for configuring Symantec Data Loss Prevention cloud service

Best practice: Clone the Enforce Server.
More information: See Use Server Virtualization for the Enforce Server.

Best practice: Record the Enforce Server UUID (also identified as the EnforceID and UUID).
More information: The UUID is a randomly generated GUID. You restore the UUID from the previous system to restore a new system. If the UUID does not match, then you must re-enroll each of the CDS bundles that you have. See article 258252 for additional information.

Best practice: Synchronize and back up the cryptography certificates in enforce_keystore.jks.
More information: The file is located at one of the following locations, depending on your platform:
• Windows: C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\<DLP Version>\keystore\
• Linux: /var/Symantec/DataLossPrevention/EnforceServer/<DLP Version>/keystore/
This file contains one or more cloud certificates for communication with one or more Cloud Detection Services (CDS). If you do not have the .jks file, then you can obtain another enrollment bundle from the Cloud Management Portal (CMP). Use the bundle to reconnect to the CDS. If you have more than one CDS, they are all reconnected after applying the first bundle.

Configure Detection Servers for High Availability and Disaster Recovery


Review the following list of recommendations for configuring the detection servers to optimize for high availability and
disaster recovery.

• Configure Detection Servers
• Use Server Virtualization for Detection Servers
• Configure Network Prevent for Email

Configure Detection Servers

Backing up Network Discover servers is not necessary. Reinstall the servers using the same DNS alias/name as the
previous server to re-use the Derby DB (used for scan tracking). Upon reinstallation, the Enforce Server pushes the Derby
DB to new servers.

Use Server Virtualization for Detection Servers

As a best practice, configure the server virtualization to prevent over subscription. If over subscription occurs for host
machines, DLP performance is degraded.
Whether you use dedicated or non-dedicated resources for the detection servers depends on several factors. Consider
the following items when choosing resource allocation:
• Number of CPUs
• Amount of dedicated RAM
• Resource reservations for CPU cycles and RAM
The following table lists recommendations and best practices for configuring a virtualized detection server environment:

Table 243: Recommendations for configuring server virtualization for detection servers

Recommendation: Clone virtual machines with DLP up and running.
More information: Use the virtualization tools that are provided by your virtualization hosting solution.

Recommendation: Clone the secondary detection server when the primary DLP services are not running.
More information: To restore detection servers, you are not required to use a cloned version. You can install fresh detection servers without losing data.

Recommendation: Use active and passive groups.
More information: The number of groups depends on the organizational priority. The priority is based on how many passive servers the environment requires.

Configure Network Prevent for Email

The following table lists recommendations for configuring Network Prevent for Email for high availability and
disaster recovery.

Table 244: Recommendations for configuring Network Prevent for Email

Recommendation: Use DNS MX records for the mail flow.
More information: Mail flow high availability should be configured with DNS MX records. If the detection servers are down, this setting ensures that mail is delivered by going to the next hop in the MX record.

Recommendation: Use a load balancer.
More information: In email flow, a load balancer can be configured with a many-to-many configuration. The number of upstream MTA connections, detection server connections, and downstream MTA connections must be the same in each location. If they do not match, mail queuing or performance issues may occur. The load balancer can be inline between the upstream MTA and the detection servers. You can also use load balancers between the detection servers and downstream MTAs.

Recommendation: Run Network Prevent for Email in the cloud.
More information: Running Network Prevent for Email in the cloud can provide a more reliable platform. The cloud can also provide an improved email flow for Network Prevent for Email monitoring. Use the DLP Cloud Detection Service.

Recommendation: Validate the TLS certificates.
More information: Rotate the certificates at least once per year, if not more often. TLS issues are a common problem with the email flow.

Recommendation: Deploy for spike traffic.
More information: Calculate the mail flow at 1.2x the normal flow so that spikes can be absorbed in the current deployment.

Recommendation: Account for Symantec Mail Gateway files and synchronizations.
More information: Confirm the files that are in use for quarantine. If you have a non-CA issued certificate, then sync the Protect\plugins\EmailQuarantineConnect\keystore.jks file to all Network Prevent for Email servers.

Architecture for Network Prevent for Email with a Load Balancer


The following diagram provides an example of Network Prevent for Email with a load balancer implementation that is
optimized for HA/DR.

Figure 8: Network Prevent for Email with a load balancer

Configure Network Prevent for Web

In the web flow, there can be a many-to-many configuration between the proxy and the detection server. See Architecture
for Network Prevent for Web with a Load Balancer.
The load balancer can be configured to distribute the outbound HTTP requests to the configured proxy and detection server.

Architecture for Network Prevent for Web with a Load Balancer


The following diagram provides an example of Network Prevent for Web with a load balancer implementation that is
optimized for HA/DR.

Figure 9: Network Prevent for Web with a load balancer

Configure Endpoint Servers

The following table lists recommendations for configuring Endpoint Servers for high availability and disaster recovery.

Table 245: Recommendations for configuring Endpoint Servers

Recommendation: Use DNS aliases for each endpoint server.
More information: You can easily build a new Endpoint Server by using the same DNS alias. The process to recreate all the packages with new DNS names takes much longer.

Recommendation: Use a load balancer.
More information: Endpoint servers can be placed behind a load balancer for agent communication. The load balancer apportions communication between DLP Agents and endpoint servers equally. In general, apply the following capabilities and settings to ensure that load balancers work best with Symantec Data Loss Prevention:
• 1 Gbps throughput
• Source IP persistence. Set the persistence time to be greater than the agent polling period.
• 24-hour SSL session timeout period
See Architecture for Endpoint Servers with a Load Balancer.

Recommendation: Use DNS aliases for each endpoint server.
More information: New agent packages are generated with the load balancer DNS name in the Endpoint Server Host field. The agents contact the load balancer, which passes the connection request to the Endpoint Server to perform the SSL handshake for the agent. Once connected, the load balancer continues the normal communication protocol.

Recommendation: Back up the Endpoint Server certificates.
More information: The certificates are at C:\Program Files\Symantec\DataLossPrevention\DetectionServer\<DLP version>\Protect\keystore.

Recommendation: Deploy an Endpoint Server in the DMZ.
More information: For organizations that need agent awareness without the need for users to log in through a VPN, deploy an Endpoint Server in the DMZ. This configuration allows agents to check in when they are connected to the Internet.
See Architecture for Endpoint Servers in the DMZ.

Architecture for Endpoint Servers with a Load Balancer


The following diagram shows an example of Endpoint Servers that use a load balancer implementation that is optimized
for HA/DR.

Figure 10: Endpoint Load Balancer setup

Architecture for Endpoint Servers in the DMZ


The following diagram shows an example of Endpoint Servers that reside in the DMZ, optimized for HA/DR.

Figure 11: Endpoint Servers in the DMZ Setup

Configure Network Discover Clusters for High Availability and Disaster Recovery
Prepare your Network Discover clusters for disaster recovery scenarios and for high availability by backing up the data
node after the initial installation and performing a periodic backup of the data node.
Use the initial backup to define the detector ID. You use the detector ID to connect a new Network Discover Cluster.

Create a Backup of the Data Node After Installation

Create a backup of the data node after installation to ensure transient information is available in the event you must install
a new Network Discover Cluster.
Target the following locations for backup, based on the platform:

Table 246: Transient information backup locations

Platform: Windows
Location: C:\Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\config\DetectionServerSettings.properties

Platform: Linux
Location: /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/config/DetectionServerSettings.properties

Back up the Data Node

Create a periodic backup of the following storage locations on the data node. You use this backup in case that you must
recover a cluster.
Target the following locations for backup, based on the platform:

Table 247: Data node backup locations

Platform: Windows
Location:
• C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\IgniteStorage
• C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\IgniteWork

Platform: Linux
Location:
• /var/data/Symantec/DataLossPrevention/DetectionServer/IgniteStorage
• /var/data/Symantec/DataLossPrevention/DetectionServer/IgniteWork

Setting up a New Network Discover Cluster

If a data node is irrecoverable or has been hit by a disaster, it is considered a catastrophic failure for any on-going scans.
In this case, the scan information that is maintained in the local database is not accessible and the cluster health displays
as Critical on the Discover Cluster Details screen.
If the server goes down, complete the following reinstallation steps:
1. Install a new Network Discover cluster. Ensure that the cluster uses the following configurations:
– The same IP/Network and hardware configuration that was used for the previous cluster.
– The authentication package located on the Enforce Server.
See Network Discover Clusters.
2. Reinstate the default storage directory by completing the following steps:
a. Stop the Symantec DLP Enforce Connector Service and Symantec DLP Detector Server Service on the data node.
See Stopping a Detection Server on Windows or Stopping a Detection Server on Linux.
b. Overwrite the default storage directory with the data node backup.
See "Back up the Data Node" above.

c. Start the Symantec DLP Enforce Connector Service and the Symantec DLP Detector Server Service on the data
node.
See Starting a Detection Server on Windows or Starting a Detection Server on Linux
3. Replace the detector ID in the new cluster with the previous one. Use the detector ID from the backup that you created in
"Create a Backup of the Data Node After Installation."
4. Review the Network Discover cluster on the System > Servers and Detectors > Overview screen. If scans are
running, stop and then restart them.
NOTE
Statistics may be inconsistent between the scans that were running before the failure and the scans that were started after
the recovery. Symantec recommends that the DLP Administrator starts fresh scans on the newly installed
Network Discover cluster.
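The backup and recovery steps above are described as manual operations. The following POSIX shell script is an added example and is not part of the Symantec guide: it packages the Linux side of the procedure by archiving DetectionServerSettings.properties (Table 246) and the IgniteStorage and IgniteWork directories (Table 247), writing a SHA-256 sidecar, and restoring the storage directories only while that checksum still matches, so a truncated or tampered archive is never written over the data node. DLP_PROTECT_DIR, DLP_DATA_DIR and the function names are this example's own; the two variables default to the guide's Linux paths. The page does not name the Linux service units for the Enforce Connector and Detector Server services, so the script does not stop or start them; run the restore between steps 2a and 2c.

```shell
#!/bin/sh
# Added example, not part of the Symantec guide: back up and restore the
# Network Discover data node locations listed above for Linux.
# DLP_PROTECT_DIR and DLP_DATA_DIR default to the guide's Linux paths and
# can be overridden to exercise the functions against a scratch tree.
# Stop the Enforce Connector and Detector Server services before a restore
# and start them afterwards (steps 2a and 2c); this script does not do that.

DLP_PROTECT_DIR="${DLP_PROTECT_DIR:-/opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect}"
DLP_DATA_DIR="${DLP_DATA_DIR:-/var/data/Symantec/DataLossPrevention/DetectionServer}"

# dlp_backup_data_node DEST_DIR
# Creates DEST_DIR/datanode-<UTC stamp>.tar holding
# config/DetectionServerSettings.properties (Table 246) and the
# IgniteStorage and IgniteWork directories (Table 247), plus a SHA-256
# sidecar so a later restore can refuse a damaged archive. Prints the path.
dlp_backup_data_node() {
  dest="$1"
  mkdir -p "$dest"
  archive="$dest/datanode-$(date -u +%Y%m%dT%H%M%SZ).tar"
  tar -cf "$archive" -C "$DLP_PROTECT_DIR" config/DetectionServerSettings.properties
  tar -rf "$archive" -C "$DLP_DATA_DIR" IgniteStorage IgniteWork
  ( cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
  printf '%s\n' "$archive"
}

# dlp_verify_backup ARCHIVE: returns 0 only if the sidecar checksum matches.
dlp_verify_backup() {
  ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# dlp_restore_storage ARCHIVE
# Step 2b: overwrite IgniteStorage and IgniteWork under DLP_DATA_DIR with
# the copies in ARCHIVE. Refuses to touch the node if the checksum fails.
dlp_restore_storage() {
  archive="$1"
  [ -d "$DLP_DATA_DIR" ] || { echo "no data directory: $DLP_DATA_DIR" >&2; return 1; }
  dlp_verify_backup "$archive" || { echo "checksum mismatch, restore refused: $archive" >&2; return 1; }
  rm -rf "$DLP_DATA_DIR/IgniteStorage" "$DLP_DATA_DIR/IgniteWork"
  tar -xf "$archive" -C "$DLP_DATA_DIR" IgniteStorage IgniteWork
}

# dlp_extract_settings ARCHIVE DEST_DIR
# Step 3 needs the detector ID recorded in the initial backup. This pulls
# only DetectionServerSettings.properties out of ARCHIVE into DEST_DIR so
# the administrator can read it without overwriting the live file. Prints the path.
dlp_extract_settings() {
  mkdir -p "$2"
  tar -xf "$1" -C "$2" config/DetectionServerSettings.properties
  printf '%s\n' "$2/config/DetectionServerSettings.properties"
}
```

Run dlp_backup_data_node once immediately after installation and keep that archive apart from the periodic ones, because it is the copy that holds the detector ID the reinstallation step needs; schedule the same function for the periodic data node backup. dlp_verify_backup on its own is a cheap integrity check to run from the retention job, so a damaged archive is noticed before a recovery depends on it.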

Configure Information Centric Analytics for High Availability and Disaster Recovery
The following table lists architecture details and recommendations for configuring Information Centric Analytics (ICA) to
optimize for high availability and disaster recovery.

Table 248: List of architecture details and best practices for configuring ICA

See the following:
• About ICA Architecture
• Configuring the ICA Database for High Availability (tier 2)
• Configuring the ICA MS SQL Analysis Services (tier 2 or 3)
• Extra ICA High Availability Considerations
• Architecture for ICA High Availability and Disaster Recovery

About ICA Architecture

ICA is typically deployed in a two- or three-server environment. The main components of a deployment include a
Web Server (Microsoft IIS), Database Server (SQL Enterprise), and an Analysis Server (SQL Analysis Services).
Because ICA is implemented with industry standard technologies, setting up HA/DR is straightforward.

Figure 12: Endpoint Load Balancer Setup

On the web server component, an IIS website hosts two applications, all built into a single directory folder. Two
approaches can be taken for resiliency on the web tier: simple load balancing or a Windows Failover Cluster (WFC). See
the following table for more details.

Table 249: ICA architecture methods

Method: Load balancing
More information: Load balancing ensures cut-over if there is failure, but users may lose session data. However, generally, losing session data is acceptable in ICA. If you deploy load balancing, replicate the file system and IIS configuration to an extra server and configure the Network Load Balancing (NLB) feature. You can find documentation at the following location:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831698(v=ws.11)

Method: WFC
More information: Follow the standard documentation that is provided by Microsoft. The application files are shared between the failover cluster servers. See the following information on configuring failover clusters and IIS:
• Failover Cluster Deployment Guide: https://docs.microsoft.com/en-us/windows-server/failover-clustering/create-failover-cluster
• Configuring IIS in a Windows Server failover cluster: https://docs.microsoft.com/en-us/troubleshoot/iis/configure-w3svc-wsfc

Configuring the ICA Database for High Availability (tier 2)

The database tier has two main components: the SQL Data Warehouse and the ICA Database Utilities. There may also
be other data warehouses present if you are using API base integrations like CloudSOC, EDR, Email Security.Cloud, or
Vulnerability Scanners. For those cases, configure HA/DR, and at minimum create standard database backups.
For the main Data Warehouse, you can use SQL Server Always On Availability Groups. The configuration is built on top of
the WFC configuration that is mentioned in the Web Server section.
See the documentation at https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/getting-
started-with-always-on-availability-groups-sql-server?view=sql-server-ver15.
Deploy the database utilities to a clustered file server. This configuration provides access to the integration binaries
if SQL fails over.
See the documentation at https://docs.microsoft.com/en-us/windows-server/failover-clustering/deploy-two-node-clustered-
file-server.

Configuring the ICA MS SQL Analysis Services (tier 2 or 3)

For the MS SQL Analysis Services (MSSAS) component, you synchronize a single 'cube' with the ICA data warehouse. The
MSSAS component may be combined with the SQL Server, or it may be a standalone server for scalability.
The synchronization can be managed in a few different ways, depending on your objective: an NLB can be used to
manage the failover of redundant MSSAS instances, or WSFC can be used, or both. With ICA, only a single MSSAS
server is used.
See the Microsoft documentation at https://docs.microsoft.com/en-us/analysis-services/instances/high-availability-and-
scalability-in-analysis-services?view=asallproducts-allversions.

Extra ICA High Availability Considerations

ICA is fully dependent on external integrations. If those controls or applications go down, ICA is no longer up to date. With
many of the database-to-database integrations, you can place a network load balancer (NLB) between integrations if HA/
DR is configured correctly.
Alternatively, you can configure ICA to integrate with both instances of another application. If ICA goes down, you can
manually turn off the old integration and turn on the new integration. Usually ICA back loads data from another data
source after it comes back up. ICA back loads data because it tracks a watermark on each integration. As long as the
data source is not purged, ICA catches up automatically, though there may be a one-time spike in the length of processing
time.

Architecture for ICA High Availability and Disaster Recovery

The following diagram provides an example of an ICA high availability and disaster recovery implementation that is
optimized for HA/DR.

Figure 13: ICA high availability and disaster recovery

Managing the Enforce Server
Use the Enforce Server administration console.
Managing Enforce Server services and settings
Managing roles and users
Connecting to group directories
Credential Store
Managing System Events and Messages
Managing the Symantec Data Loss Prevention database
Adding a new product module
Applying a server Maintenance Pack

Managing Enforce Server services and settings


This section includes the following topics:
Symantec Data Loss Prevention Services
Starting and Stopping Services on Windows
Starting and Stopping Services on Linux
Working with General Settings
About protocol filtering
About Enforce Server screen load performance
About the Endpoint and Network Discover communications settings

Symantec Data Loss Prevention Services


Stop or start Symantec Data Loss Prevention services to perform administrative tasks.
The Symantec Data Loss Prevention services for the Enforce Server are described in the following table:

Table 250: Symantec Data Loss Prevention Enforce Server services

Service Name: Symantec DLP Manager
Description: Provides the centralized reporting and management services for Symantec Data Loss Prevention.

Service Name: Symantec DLP Detection Server Controller
Description: Controls the detection servers.

Service Name: Symantec DLP Notifier
Description: Manages communications between other DLP services and prevents transactional conflicts between the services and the database.

Service Name: Symantec DLP Incident Persister
Description: Writes the incidents to the database.

Service Name: Symantec DLP Enforce Connector
Description: This service is hosted and runs on the data node of a Network Discover Cluster. The data node communicates with the Monitor Controller through the Enforce Connector Service.
See Network Discover Cluster.

Service Name: Symantec DLP Detection Server
Description: This service is hosted and runs on the data node and worker nodes of a Network Discover Cluster. The data node communicates with worker nodes through the Detector Connector Service. This service also helps with the entire scanning activity.
When this service is hosted on the data node, ensure that it is never shut down abruptly by aborting its process.

Increase the Max Memory


If you have more than 50 policies, 50 detection servers, or 50,000 agents, increase the Max Memory for this service from
2048 to 4096. Adjust Max Memory to ensure Symantec Data Loss Prevention performance.
You adjust the Max Memory setting in the SymantecDLPManager.conf file.
1. Open the SymantecDLPManager.conf file in a text editor.
You can find this configuration file in one of the following locations:
• Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\Services
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/Services
2. Change the value of the wrapper.java.maxmemory parameter to 4096.
wrapper.java.maxmemory = 4096

3. Save and close the file.
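As an added example that is not part of the Symantec guide, the following POSIX shell functions perform step 2 on Linux without a hand edit: a dated copy of SymantecDLPManager.conf is kept, an existing wrapper.java.maxmemory line is rewritten in place (whatever spacing it uses) or appended if the key is absent, the file's permissions are preserved, and the value is read back so the change can be verified before the Manager service is restarted. The function names and the FILE argument are this example's own; the guide's Linux path appears only in the usage comment.

```shell
#!/bin/sh
# Added example, not from the Symantec guide: set wrapper.java.maxmemory in
# SymantecDLPManager.conf idempotently and verifiably.
# Usage on the Enforce Server (path from the guide):
#   dlp_set_max_memory /opt/Symantec/DataLossPrevention/EnforceServer/Services/SymantecDLPManager.conf 4096

# dlp_get_max_memory FILE
# Prints the current wrapper.java.maxmemory value (last occurrence wins,
# which is how the wrapper treats repeated keys); prints nothing if absent.
dlp_get_max_memory() {
  sed -nE 's/^[[:space:]]*wrapper\.java\.maxmemory[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p' "$1" | tail -n 1
}

# dlp_set_max_memory FILE MB
# Validates MB, keeps a timestamped backup, rewrites the existing key or
# appends it, then prints the value read back from the file.
dlp_set_max_memory() {
  conf="$1"; mb="$2"
  case "$mb" in ''|*[!0-9]*) echo "max memory must be a whole number of MB" >&2; return 1;; esac
  [ -f "$conf" ] || { echo "missing config file: $conf" >&2; return 1; }
  cp -p "$conf" "$conf.bak.$(date -u +%Y%m%dT%H%M%SZ)"
  if grep -Eq '^[[:space:]]*wrapper\.java\.maxmemory[[:space:]]*=' "$conf"; then
    # Keep the original key and spacing, replace only the number and
    # anything that trailed it.
    sed -E "s/^([[:space:]]*wrapper\.java\.maxmemory[[:space:]]*=[[:space:]]*)[0-9]+.*/\1$mb/" "$conf" > "$conf.new"
    # cat-over rather than mv so owner and mode of the live file survive.
    cat "$conf.new" > "$conf" && rm -f "$conf.new"
  else
    printf 'wrapper.java.maxmemory = %s\n' "$mb" >> "$conf"
  fi
  dlp_get_max_memory "$conf"
}
```

The read-back matters: the wrapper only applies the setting at the next start of the Symantec DLP Manager service, so comparing the printed value with the one you intended is the only check available before that restart.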

Starting and Stopping Services on Windows


Stop or start Symantec Data Loss Prevention services on Windows servers to perform administrative tasks.
The procedures for starting and stopping services vary according to installation configurations and between Enforce and
detection servers.
• Starting an Enforce Server on Windows
• Stopping an Enforce Server on Windows
• Starting a Detection Server on Windows
• Stopping a Detection Server on Windows
• Starting Services on Single-tier Windows Installations
• Stopping Services on Single-tier Windows Installations

Starting an Enforce Server on Windows


Use the following procedure to start the Symantec Data Loss Prevention services on a Windows Enforce Server.
To start the Symantec Data Loss Prevention services on a Windows Enforce Server

1. On the computer that hosts the Enforce Server, navigate to Start > All Programs > Administrative Tools > Services
to open the Windows Services menu.
2. Start the Symantec Data Loss Prevention services in the following order:
• SymantecDLPNotifierService
• SymantecDLPManagerService
• SymantecDLPIncidentPersisterService
• SymantecDLPDetectionServerControllerService

NOTE
Start the SymantecDLPNotifierService service first before starting other services.
Related Links
Stopping an Enforce Server on Windows on page 459

Stopping an Enforce Server on Windows


Use the following procedure to stop the Symantec Data Loss Prevention services on a Windows Enforce Server.
To stop the Symantec Data Loss Prevention services on a Windows Enforce Server
1. On the computer that hosts the Enforce Server, navigate to Start > All Programs > Administrative Tools > Services
to open the Windows Services menu.
2. From the Services menu, stop all running Symantec Data Loss Prevention services in the following order:
• SymantecDLPDetectionServerControllerService
• SymantecDLPIncidentPersisterService
• SymantecDLPManagerService
• SymantecDLPNotifierService

Related Links
Starting an Enforce Server on Windows on page 459

Starting a Detection Server on Windows


Use the following procedure to start the Symantec Data Loss Prevention services on a detection server.
1. On the computer that hosts the detection server, navigate to Start > All Programs > Administrative Tools >
Services to open the Windows Services menu.
2. Start the SymantecDLPDetectionServerService service.
Related Links
Stopping a Detection Server on Windows on page 460

Stopping a Detection Server on Windows


Use the following procedure to stop the Symantec Data Loss Prevention service on a Windows detection server.
1. On the computer that hosts the detection server, navigate to Start > All Programs > Administrative Tools >
Services to open the Windows Services menu.
2. Stop the SymantecDLPDetectionServerService service.
Related Links
Starting a Detection Server on Windows on page 459

Starting Services on Single-tier Windows Installations
Use the following procedure to start the Symantec Data Loss Prevention services on a single-tier installation on Windows.
1. On the computer that hosts the Symantec Data Loss Prevention server applications, navigate to Start > All Programs
> Administrative Tools > Services to open the Windows Services menu.
2. Start the Symantec Data Loss Prevention services in the following order:
• SymantecDLPNotifierService
• SymantecDLPManagerService
• SymantecDLPIncidentPersisterService
• SymantecDLPDetectionServerControllerService
• SymantecDLPDetectionServerService
NOTE
Start the SymantecDLPNotifierService service before starting other services.
Related Links
Stopping Services on Single-tier Windows Installations on page 461

Stopping Services on Single-tier Windows Installations


Use the following procedure to stop the Symantec Data Loss Prevention services on a single-tier installation on Windows.
1. On the computer that hosts the Symantec Data Loss Prevention server applications, navigate to Start > All Programs
> Administrative Tools > Services to open the Windows Services menu.
2. From the Services menu, stop all running Symantec Data Loss Prevention services in the following order:
• SymantecDLPDetectionServerService
• SymantecDLPDetectionServerControllerService
• SymantecDLPIncidentPersisterService
• SymantecDLPManagerService
• SymantecDLPNotifierService

Related Links
Starting Services on Single-tier Windows Installations on page 460

Starting and Stopping Services on Linux


Stop or start Symantec Data Loss Prevention services to perform administrative tasks.
The procedures for starting and stopping services vary according to installation configurations and between the Enforce
Server and detection servers.
• Starting an Enforce Server on Linux
• Stopping an Enforce Server on Linux
• Starting a Detection Server on Linux
• Stopping a Detection Server on Linux
• Starting services on single-tier Linux installations
• Stopping Services on Single-tier Linux Installations

Starting an Enforce Server on Linux
Use the following procedure to start the Symantec Data Loss Prevention services on a Linux Enforce Server.
1. On the computer that hosts the Enforce Server, log on as root.
2. Start the Symantec DLP Notifier service by running the following command:
service SymantecDLPNotifierService start

3. Start the remaining Symantec Data Loss Prevention services, by running the following commands:
service SymantecDLPManagerService start
service SymantecDLPIncidentPersisterService start
service SymantecDLPDetectionServerControllerService start

Related Links
Stopping an Enforce Server on Linux on page 462

Stopping an Enforce Server on Linux


Use the following procedure to stop the Symantec Data Loss Prevention services on a Linux Enforce Server.
1. On the computer that hosts the Enforce Server, log on as root.
2. Stop all running Symantec Data Loss Prevention services by running the following commands:
service SymantecDLPDetectionServerControllerService stop
service SymantecDLPIncidentPersisterService stop
service SymantecDLPManagerService stop
service SymantecDLPNotifierService stop

Related Links
Starting an Enforce Server on Linux on page 461

Starting a Detection Server on Linux


Use the following procedure to start the Symantec Data Loss Prevention service on a Linux detection server.
1. On the computer that hosts the detection server, log on as root.
2. Start the Symantec Data Loss Prevention service by running the following command:
service SymantecDLPDetectionServerService start

Related Links
Stopping a Detection Server on Linux on page 462

Stopping a Detection Server on Linux


Use the following procedure to stop the Symantec Data Loss Prevention service on a Linux detection server.
1. On the computer that hosts the detection server, log on as root.
2. Stop the Symantec Data Loss Prevention service by running the following command:
service SymantecDLPDetectionServerService stop

Related Links
Starting a Detection Server on Linux on page 462

Starting services on single-tier Linux installations
Use the following procedure to start the Symantec Data Loss Prevention services on a single-tier installation on Linux.
1. On the computer that hosts the Symantec Data Loss Prevention server applications, log on as root.
2. Start the Symantec DLP Notifier service by running the following command:
service SymantecDLPNotifierService start

3. Start the remaining Symantec Data Loss Prevention services by running the following commands:
service SymantecDLPManagerService start
service SymantecDLPIncidentPersisterService start
service SymantecDLPDetectionServerControllerService start
service SymantecDLPDetectionServerService start

Related Links
Stopping Services on Single-tier Linux Installations on page 463

Stopping Services on Single-tier Linux Installations


Use the following procedure to stop the Symantec Data Loss Prevention services on a single-tier installation on Linux.
1. On the computer that hosts the Symantec Data Loss Prevention servers, log on as root.
2. Stop all running Symantec Data Loss Prevention services by running the following commands:
service SymantecDLPDetectionServerService stop
service SymantecDLPDetectionServerControllerService stop
service SymantecDLPIncidentPersisterService stop
service SymantecDLPManagerService stop
service SymantecDLPNotifierService stop

Related Links
Starting services on single-tier Linux installations on page 463
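The four Linux procedures above differ only in direction and in whether SymantecDLPDetectionServerService is included. The following shell functions, an added example and not Symantec's own tooling, encode that ordering so it cannot be typed wrong under pressure: start goes Notifier first and stops at the first failure, so no dependent service is brought up without the Notifier; stop runs the same list in reverse, keeps going past a service that will not stop, and reports a non-zero status if any did. DLP_SERVICE_CMD, dlp_reverse_list and the two entry points are this example's own names; the service names are exactly those used in the procedures.

```shell
#!/bin/sh
# Added example, not from the Symantec guide: start and stop the Linux
# Enforce Server services in the order the procedures above require.
# DLP_SERVICE_CMD defaults to "service" (as in the guide) and is a parameter
# so the ordering can be exercised without a DLP installation.

DLP_SERVICE_CMD="${DLP_SERVICE_CMD:-service}"

# Start order from the guide. The Notifier must come up before anything else.
DLP_ENFORCE_SERVICES="SymantecDLPNotifierService SymantecDLPManagerService SymantecDLPIncidentPersisterService SymantecDLPDetectionServerControllerService"

# dlp_service_list [single-tier]
# Prints the ordered list; single-tier installations add the detection
# server service last.
dlp_service_list() {
  if [ "${1:-}" = "single-tier" ]; then
    printf '%s\n' "$DLP_ENFORCE_SERVICES SymantecDLPDetectionServerService"
  else
    printf '%s\n' "$DLP_ENFORCE_SERVICES"
  fi
}

# dlp_reverse_list "a b c" -> "c b a"
dlp_reverse_list() {
  out=""
  for s in $1; do out="$s${out:+ $out}"; done
  printf '%s\n' "$out"
}

# dlp_start_services [single-tier]
# Starts in order and aborts at the first failure, so the remaining services
# are never started ahead of a Notifier that did not come up.
dlp_start_services() {
  for svc in $(dlp_service_list "${1:-}"); do
    "$DLP_SERVICE_CMD" "$svc" start || {
      echo "failed to start $svc; not starting the remaining services" >&2
      return 1
    }
  done
}

# dlp_stop_services [single-tier]
# Stops in reverse order (Notifier last). Continues past a failure so one
# wedged service does not leave the others running, but reports it.
dlp_stop_services() {
  rc=0
  for svc in $(dlp_reverse_list "$(dlp_service_list "${1:-}")"); do
    "$DLP_SERVICE_CMD" "$svc" stop || { echo "failed to stop $svc" >&2; rc=1; }
  done
  return $rc
}
```

On an Enforce-only server call dlp_start_services and dlp_stop_services with no argument; on a single-tier installation pass single-tier to both. A non-zero return from either is the cue to check the service state before proceeding with the administrative task.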

Working with General Settings


The System > Settings > General screen lets you view and configure general system settings. You can configure
the distribution of reports and alerts by email, update your Symantec Data Loss Prevention license key, and configure
advanced authentication features such as strong passwords and Active Directory authentication.
When you first navigate to the General settings screen, it appears in view mode. To modify a setting, click
Configure.
Select the appropriate link in General Settings for help with configuring a particular general setting.

Table 251: General Settings

Setting: Configure Reports and Alerts & SMTP settings.
More information: Configuring the Enforce Server to send email alerts

Setting: Identify the SMTP Server to use for sending out alerts and reports.
More information: Configuring the Enforce Server to send email alerts

Setting: Install a new License file.
More information: Installing a new license file

Setting: View Process Control status.
More information: Enabling Advanced Process Control

Setting: Configure the Agent Connection Status.
More information: Configuring the agent connection status

Setting: Configure DLP User Authentication.
More information: About authenticating users

Setting: Configure Credential Management.
More information: Configuring endpoint credentials

Setting: View the System Default Language.
More information: The Symantec Data Loss Prevention administrator specifies the default language for the system.

Setting: Change the Endpoint and Network Discover Communications Keystore Password.
More information: About the Endpoint and Network Discover communications settings

Setting: Install a Cloud Certificate.
More information: Installing certificates for cloud detectors

Setting: Configure Enforce to Cloud Proxy Settings.
More information: Configuring the Enforce Server to use a proxy to connect to cloud services

Setting: Configure End User Remediation Portal Settings.
More information: Configuring End User Remediation Portal Settings

Setting: Configure Email Quarantine Settings.
More information: Configuring the Enforce Server to sync with Email Security.cloud Email Quarantine

Setting: Configure General Detection Settings.
More information: Set the policy size limit for legacy agents.

About protocol filtering


Symantec Data Loss Prevention provides filtering capabilities at multiple levels to ensure optimal system performance.
For example, an email marketing server can generate a large number of email messages that are not relevant to you.
Filter those email messages from detection. Use the Configure Protocol page to achieve the desired functional and
performance goals.
Configure a protocol
Protocol configuration examples

Traffic screen (Traffic report)


The Traffic report (System > Servers > Traffic) screen provides statistical data about network traffic for each server.
You can display statistics by protocol for Network Monitor Server and Network Prevent by clicking on the server's graph.
Traffic screen (Traffic detail)
The Traffic report screen displays information about the volume of data and the number of messages and files that were
processed during a specified time period. The default time period is the last 30 days. You can select a different time period
from the View drop-down list (near top right).
Information in the report is divided into the columns that are described in the following table.

Table 252: Traffic report screen columns

Column: Server
Description: The name of the server that is associated with the statistics. For Network Monitor Servers and Network Prevent Servers, click the server name to see a Traffic Detail screen that shows traffic by protocol.

Column: Cumulative Statistics
Description: A breakdown of data statistics for the selected time period. Data fields vary depending on detection server type. The possible fields are:
• Data: The quantity of data that is processed during the selected time period.
• Files: The number of files that a Discover Server scanned.
• Messages: The number of message components (email message components, Web post components, and so on) that were processed.
• Incidents: The number of incidents Symantec Data Loss Prevention has captured.
• Encrypted Attachments: The number of encrypted attachments. Symantec Data Loss Prevention cannot analyze encrypted attachments.
• Unprocessable Files or Unprocessable Components: An item is reported as Unprocessable if the file cannot be opened for unknown reasons. Files that do not contain text or that cannot be opened for a known reason (such as graphics or password-protected files) are not labeled Unprocessable.
The following events can cause Unprocessable files and components:
– A corrupted network stream
– A long timeout or short timeout occurs when Symantec Data Loss Prevention waits to receive extracted content (ContentExtraction.LongTimeout or ContentExtraction.ShortTimeout)
– An extraction size that is larger than the limit that is specified in FileReader.MaxFileSize
– A file that is larger than the size limit that is set in ContentExtraction.MaxContentSize (30MB default).
Note: "Components" include the individual items that comprise an archive or compressed file.
• Discarded Packets: The number of packets Symantec Data Loss Prevention copied (for analysis) but then discarded before they were analyzed.

Column: Messages or Files/Incidents Over Time
Description: A graph representing the data processed. Graphs show the following types of information:
• Messages: The number of messages (files, email message components, Web post components, and so on) that were processed.
• Incidents: The number of incidents Symantec Data Loss Prevention has captured.
• Data: The amount of data processed (in gigabytes).
• Discards: The number of packets Symantec Data Loss Prevention copied (for analysis) but then discarded before they were analyzed.

Traffic screen (Traffic detail)


The Traffic detail screen provides traffic data by protocol for an individual Network Monitor Server, Network Prevent for
Email Server, or Network Prevent for Web Server.
For each protocol, the Traffic detail screen displays:
• Amount of data in bytes
• Number of messages
• Number of incidents
• Number of encrypted attachments
• Number of Unprocessable Components
The Traffic detail screen includes an Errors row that shows the number of copied packets that Symantec Data Loss
Prevention discarded. A Network Monitor Server copies packets moving across your network and then analyzes those

copies. Symantec Data Loss Prevention is sometimes forced to discard packet copies before it can analyze them. For
example, packets may be discarded when there is a large spike in traffic.
Discarded packets are traffic that was never inspected, so a sustained run of discards is a detection gap as well as a
performance symptom. If you see a spike in discarded packets, go to the View drop-down list (near top right) and select
the shortest time period in which the spike is still visible. For example, if a spike in discarded packets occurred today,
set the View time period to Today.
If a spike in discarded packets coincides with a spike in protocol traffic, the server may not be able to process all of
the traffic at once. Use IP filters to exclude some of the traffic over the relevant protocol(s). To set up IP filters, select
System > Settings > Protocols and view the associated online Help. You can also use a traffic sniffer to capture and
analyze traffic to determine what to filter out.
Symantec Data Loss Prevention may also discard packets when there is not enough memory in the system to hold them
until the stream can be reconstructed. Such discards may result from bad network conditions or malfunctioning servers
that leave many connections open over a period of time.
Traffic screen (Traffic report)

Protocols screen
The Protocols screen displays the list of protocols that you can monitor with Symantec Data Loss Prevention. Each
protocol lists the following information:

Column Description

Icon An icon designates each protocol.


Name The protocol name.
Recognition The method that is used to recognize the protocol. Symantec Data
Loss Prevention uses signature-based protocol recognition on
system-configured protocols (such as SMTP and HTTP). It uses
port-based protocol recognition on user-configured TCP protocols.
Low Ports Monitored Ports numbered less than 1024 that you have configured
Symantec Data Loss Prevention to monitor. Cumulatively, ports
you specify for any protocols serve as a positive filter. The
ports tell Symantec Data Loss Prevention to monitor traffic of
all protocol types on each of the specified ports. For example,
if you specify port 25 for the SMTP entry, Symantec Data Loss
Prevention monitors that port for traffic of all listed protocol types.
Note that Symantec Data Loss Prevention does not monitor
ports lower than 1024 if you do not specify them for at least one
protocol. By default, Symantec Data Loss Prevention monitors all
traffic on ports equal to or greater than 1024.
Processing Order Click Up or Down to change the protocol's position in the list.
The order in which the protocols appear on this screen is the order in
which Symantec Data Loss Prevention attempts to recognize them, so
place narrowly defined protocols above generic ones.

Click anywhere in a protocol’s row to view or edit its settings. Add, edit, or delete a protocol using the controls:

Control Action

Add Protocol Click Add Protocol to add a new protocol.


Click this icon next to a protocol to display the Edit Protocol
screen and modify its definition.


Click this icon next to a protocol to delete that protocol from the
Symantec Data Loss Prevention system. A dialog box confirms
the deletion.

Configure a protocol
Configure Server - Edit Protocol Filtering

Configure a protocol
Use this screen to configure a new protocol or to modify the options for a system-configured protocol. Symantec Data
Loss Prevention handles protocols differently, depending on whether they are system-configured (preconfigured in
the Symantec Data Loss Prevention system) or user-configured. Symantec Data Loss Prevention recognizes system-
configured protocols (such as SMTP and HTTP) based on protocol signature. It recognizes user-configured TCP protocols
(such as Telnet) based on the port over which the traffic travels.
Many application protocols are supported under both IPv4 and IPv6 including:
• SMTP
• HTTP
• FTP
• Telnet
• VLAN
• Custom
The following protocols are supported under IPv4, but not supported under IPv6:
• NNTP
• GRE
• IM:MSN
• IM:Yahoo
• IM:AOL
When you specify an IPv6 address in the Symantec Data Loss Prevention user interface, enter it in fully normalized form
unless otherwise noted. In a fully normalized IPv6 address, leading zeros are trimmed and runs of zero fields are
compressed with a double colon. An address that you enter in normalized form is generally displayed in that form.
The preferred input format for IPv6 addresses is either fully compressed or trimmed, in most cases. The following
examples are accepted as input for IPv6 addresses in Symantec Data Loss Prevention, depending on the usage:
• Long - 128 bits commonly portrayed as eight 4-digit hexadecimal fields, for example:
1000:0200:0003:0000:0000:0000:0000:abcd
• Fully compressed (also called "double colon") - internal zero fields are replaced with a double colon, for example:
1000:200:3::abcd
• Trimmed - leading zeros are removed, for example:
1000:200:3:0:0:0:0:abcd

When IPv6 addresses appear in URLs or email addresses, the addresses are presented as the HTTP client (usually a
web browser) transmits them. An IPv6 address appearing in a URL is not a common case, as URLs and email addresses
usually use hostnames rather than explicit IP addresses. This behavior is also true for IPv4 addresses.
You can enter a mixture of IPv4 and IPv6 addresses separated by semicolons on the Configure Protocol screen.

Click the right arrow to view the options for each section. Enter or modify information about the protocol in the available
fields.

Table 253: Protocol fields

Field Description

Name Enter or modify the protocol name. You can use up to 256 characters. The
protocol name appears in a number of places in the system, so be sure to
provide a user-friendly name.
This value is required.
Ports This field appears only for user-configured TCP protocols. Enter one or
more port numbers that are associated with the protocol. Separate port
numbers with commas or hyphens. For example: 18, 23, 25-29, 82. If you
configure a Telnet protocol, enter 23 as the port number.
Low Ports Monitored This field appears only for system-configured protocols, such as HTTP and
SMTP. Enter port numbers lower than 1024 that you want Symantec Data
Loss Prevention to monitor. Cumulatively, ports you specify for any protocols
serve as a positive filter. The ports tell Symantec Data Loss Prevention
to monitor traffic of all protocol types on each of the specified ports. For
example, if you specify port 25 for the SMTP entry, that port is monitored
for traffic of all listed protocol types. Note that ports lower than 1024 are not
monitored if you do not specify them for at least one protocol. By default,
Symantec Data Loss Prevention monitors traffic on ports equal to or greater
than 1024.


IP Enter any IP-based filters you want to use. If you leave this field blank,
Symantec Data Loss Prevention matches and stores all streams. You can
enter a mixture of IPv4 and IPv6 addresses separated by semicolons on the
Configure Protocol screen.
When configuring protocol filters with IPv6 addresses, note that:
• Filters are specified with CIDR (classless inter-domain routing) blocks.
Subnet bitmasks the size of the address indicate that the entry must
match the exact network address. The bitmask limit is 32 bits for IPv4
addresses and 128 bits for IPv6 addresses.
• IPv4 and IPv6 filters are completely independent.
• All valid formats are supported.
• As with IPv4 filters, IPv6 filters can be overridden per detection server.
• Limit of the protocol IP filter list in the user interface is 2800 bytes.
The format of the IP protocol filters (found in the protocol definitions and
protocol filter definitions) is:

IP Protocol Filter := protocol_filter_entry [; protocol_filter_entry]...
Protocol Filter Entry := -|+, destination_subnetwork_description, source_subnetwork_description
Subnetwork description := network_address/subnet_bitmask_size | *
Each stream is evaluated in order against the filter entries until an entry
matches the stream's IP parameters.
A minus sign (-) at the start of the entry indicates that the stream is dropped.
A plus sign (+) at the start of the entry indicates that the stream is kept.
A subnet network description of * means that any packet matches this entry.
A subnet bitmask the size of the address indicates that the entry must match
the exact network address. This limit is 32 bits for IPv4 addresses and 128
bits for IPv6 addresses.
For example, for IPv4, the filter +,10.67.0.0/16,*;-,*,* matches all streams
going to network 10.67.x.x but does not match any other traffic.
IPv6 addresses are supported for network monitoring; however, IPv4 filters
and IPv6 filters are completely independent of each other.
Both IPv4 and IPv6 blocks are specified with <address>/<mask size>
CIDR notation. For example,
fdda:e808::/32 - where fdda:e808:: is the address and 32 is the
mask size, or
10.0.2.0/24 where 10.0.2.0 is the address and 24 is the mask size.
Note: The more specific you are when you define the recognition
characteristics, the more specific your results. For example, if you define
only one IP address, only incidents involving that IP address are captured.
If you define no IP addresses, or a wide range of IP addresses, you get
broader results.

Filtering (may override at server level) The Filtering fields enable you to specify details about the traffic you want to
ignore to reduce the load and improve system performance. This section is
also included in the Protocol Filter menu for individual Servers.


IP Filter Filters out unwanted traffic in the protocol; uses the same IP Protocol Filter
format as for IP.
L7 Sender Filter Specify any of the following items to evaluate:
• The sender email (for SMTP/MSN IM)
• IP addresses (for UTCP)
• Proxy-authenticated user names (for proxied HTTP/FTP)
• User names (for AIM/Yahoo IM)
When configuring L7 filters with IP addresses, note that:
• Filters are specified with wildcards, and IP-based L7 filtering applies only
to custom (UTCP) protocols.
• Only long-format IPv4 and IPv6 addresses are valid; do not use normalized
(fully compressed or trimmed) IPv6 addresses.
• For IPv4, a long-format address is four fields separated by dots, for
example: 1.2.*.*
• For IPv6, a long-format address is eight fields separated by colons, for
example: 1:2:3:4:*:*:*:* or fdda:*:*:*:*:*:*:*
See the L7 Recipient Filter description for more information about the
format of filter entries.


L7 Recipient Filter Any recipient email (for SMTP/MSN IM/FTP) or IP addresses (for UTCP),
user names (for Yahoo IM/AIM), or URLs (for HTTP) to be evaluated.
When using IPv6 addresses with Sender/Recipient rules, note that:
• Filters are specified with wildcards.
• Only long-format IPv6 addresses are acceptable, do not use normalized
addresses.
• Inline and reusable patterns are supported.
You can use filters to include (inspect) or exclude (ignore) messages from
specific senders or to specific recipients. You must precede each entry with
a plus sign (+) or minus sign (-) to include or exclude matching results. For
example:
• Any email address mask that starts with a plus sign (+) keeps matching
messages for inspection. If you add the sender filter +*@abc.com,
all messages that are sent from anyone in the abc.com domain are
inspected.
• Any email address mask that starts with a minus sign (-) excludes
matching messages from inspection. If you add the recipient filter
-*@xyz.com, all messages that are sent to anyone in the xyz.com
domain are not inspected.
If you add an asterisk (*) to the end of the filter expression, any message not
explicitly matching any of the filter masks is ignored. For example, if you add
the sender filter +*@abc.com,*, all messages from anyone in the abc.com
domain are inspected, but all other messages are ignored.
You can also include asterisk wildcards elsewhere in the address strings.
The specific filter syntax depends on the protocol. For example, for email
addresses you can use wildcards anywhere in the filter string as follows:
• +*@symantec.com inspects all email to/from symantec.com.
• +*.symantec.com inspects all email to/from any subdomains of
symantec.com.
• -*symantec.com excludes all email to/from any email address ending in
symantec.com.
• -phil@fakedomain.com excludes all email to/from
phil@fakedomain.com.
The order in which filters are evaluated is from left to right. For example, if
you add the recipient filter
-ceo@xyz.com, +*@xyz.com,*,
all messages that are sent to ceo@xyz.com are ignored, and all messages
that are sent to anyone in the xyz.com domain are inspected. The last
asterisk tells the filter to ignore all other messages.
If the sender and recipient filters conflict, the resulting message is ignored.
For example, this situation can happen if the sender filter for a particular
message evaluates as “inspect” and the recipient filter evaluates as “ignore.”
If a recipient filter has multiple exclusion masks, a recipient that matches
any of the exclusion masks is excluded, and a message whose recipients are
all excluded is ignored. For example, if the recipient filter is -*@xyz.com,
-*@abc.com, messages that are sent only to the xyz.com domain, only to the
abc.com domain, or to both domains are ignored. If a message has any
additional recipients in other domains, the message is inspected.
You can monitor messages sent from the xyz.com domain but ignore
messages sent to that domain by adding the following filters:

L7 Sender Filter: +*@xyz.com, *
L7 Recipient Filter: -*@xyz.com


Content An inclusion-based approach to filter out unwanted messages using text
matching against the captured stream of packets. Every content filter entry
must be matched or the stream is dropped. The format of the content filter
is:

Content Filter := content_filter_entry [; content_filter_entry]...
Content Filter Entry := I, heading_name, heading_value [, heading_value]...
The process traverses the stream looking for the heading name. One of
the heading values must match the text that follows the heading name.
Whitespace between the heading and the value is ignored, as is
capitalization.
For example, the filter I,user-agent:,mozilla,opera;I,content-type:,multipart
matches only those streams that contain the text user-agent: followed
immediately by mozilla or opera and the text content-type: followed
immediately by multipart. A stream with user-agent:mozilla and
content-type:multipart is retained; a stream with user-agent:mozilla and
content-type:text/plain is dropped.
Search Depth (packets) How many packets deep to search for the specified text string. The value
must be positive and less than or equal to 65000.
This value is required.
Note: The deeper the search, the longer it takes.

Sampling (Processed/10000) The number out of each 10,000 messages you want to monitor as a
representative sampling. For example, enter 10000 to have Symantec Data
Loss Prevention search every message in this protocol. If you enter 200, it
searches 200 out of every 10,000 messages. The value must be positive
and less than or equal to 17280.
This value is required.
Content Processing Use the Content Processing section to specify how to handle the messages
in this protocol.
Select one of the following options:
• Generic String Extraction—Evaluate the entire message against all
applicable policies.
• Don’t Process Content—Do not evaluate the content at all; count every
message as an incident.


Incident Representation Select one of the following options:
• Uni-Directional—Evaluate only outgoing traffic.
• Bi-Directional—Evaluate one character at a time from both directions
of the connection. Represent them as two separate blocks of text, one
for each direction. This option is generally used for Telnet and similar
protocols.
• Bi-Directional Interlaced—Evaluate a text block at a time from both
directions of the connection. Try to put the blocks back in the order
in which they were transmitted. They are intermingled. There may
be multiple blocks of text. This option is generally used for instant
messaging and similar protocols.
Maximum wait until written The maximum number of 5-second intervals a stream remains active
without traffic before the stream is written to disk. The default value is 6.
Value must be positive and less than or equal to 17280.
This value is required.
Maximum wait until dropped The maximum number of 5-second intervals a stream remains in memory
after the stream content is dumped to disk. The default value is 10. Value
must be positive and less than or equal to 17280.
This value is required.
Maximum stream packets The maximum number of packets in a stream before that stream is spooled
to disk. The default value is 20000. Value must be positive and less than or
equal to 100000.
This value is required.
Minimum stream size The minimum size of the stream. The default value is 0. Value must be non-
negative.
This value is required.
Maximum stream size The maximum size of the stream. The default value is 30000000. Value
must be non-negative.
This value is required.
Segment Interval The number of 5-second intervals between attempts to segment persistent
streams into individual messages. The default value is 12. Value must be
positive and less than or equal to 3600.
This value is required.
No Traffic Notification Timeout (in seconds) The number of seconds that no new packets are seen on the protocol
before a system warning is posted. The default value is 600. Value must be
greater than or equal to 60 and less than or equal to 604800.
This value is required.
Is terminated on FIN If you select this option, a FIN packet or RST packet causes the stream to
be written to disk immediately.

After you have completed adding values:
1. Click Save to save all changes to the protocol, or click Cancel to discard them.
2. Restart all affected Monitor Servers if you have made changes to IP filters.
3. Restart all affected Monitor and Prevent Servers if you have made changes to L7 filters.
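The L7 Sender Filter and L7 Recipient Filter rules in Table 253 (left-to-right evaluation, the trailing asterisk, the sender/recipient conflict rule, and multiple exclusion masks against a message with several recipients) can be checked with the following added Python example. It is not Symantec's code and not the detection server's implementation; the message addresses are constructed, and it assumes that a mask must match the whole address, that matching is case-insensitive, and that an address matching no mask (with no trailing asterisk) is inspected, which is also how an empty filter field behaves.

```python
# Added example (not Symantec's code): evaluate L7 Sender and Recipient filters
# against a message, following the rules in the protocol field descriptions:
# entries are tried left to right, '+' inspects and '-' ignores, a trailing bare
# '*' ignores anything not matched earlier, a message is ignored when the sender
# and recipient verdicts conflict, and a message with several recipients is
# ignored only when every recipient is ignored.
# Assumptions not stated on the page: masks match the whole address, matching is
# case-insensitive, and an address matching no mask is inspected.
import re
from typing import List, Sequence, Tuple

L7Entry = Tuple[bool, str]  # (inspect?, mask)


def parse_l7_filter(spec: str) -> List[L7Entry]:
    """Parse '+mask, -mask, *' into (inspect, mask) pairs, in order."""
    entries: List[L7Entry] = []
    for raw in spec.split(","):
        raw = raw.strip()
        if not raw:
            continue  # empty field or stray comma
        if raw == "*":
            entries.append((False, "*"))  # catch-all: ignore everything not matched above
        elif raw[0] in "+-":
            entries.append((raw[0] == "+", raw[1:].strip()))
        else:
            raise ValueError(f"L7 filter entry must start with + or -: {raw!r}")
    return entries


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """'*' is the only wildcard and may appear anywhere; everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(part) for part in mask.split("*")) + "$",
                      re.IGNORECASE)


def address_inspected(entries: Sequence[L7Entry], address: str) -> bool:
    """The first matching mask decides; no match (and no trailing '*') means inspect."""
    for inspect, mask in entries:
        if mask_to_regex(mask).match(address):
            return inspect
    return True


def message_inspected(sender_filter: str, recipient_filter: str,
                      sender: str, recipients: Sequence[str]) -> bool:
    """Both filters must agree on 'inspect'; a conflict ignores the message."""
    sender_ok = address_inspected(parse_l7_filter(sender_filter), sender)
    recipient_entries = parse_l7_filter(recipient_filter)
    # Any recipient that is still inspected keeps the whole message in scope.
    recipient_ok = any(address_inspected(recipient_entries, r) for r in recipients)
    return sender_ok and recipient_ok


# Filters from the field description above; the addresses are constructed.
SENDER_FILTER = "+*@xyz.com, *"   # monitor mail sent from xyz.com, ignore other senders
RECIPIENT_FILTER = "-*@xyz.com"   # ignore mail addressed to xyz.com

if __name__ == "__main__":
    for sender, rcpts in [("u@xyz.com", ["v@partner.example"]),
                          ("u@xyz.com", ["v@xyz.com"]),
                          ("u@other.example", ["v@partner.example"])]:
        verdict = message_inspected(SENDER_FILTER, RECIPIENT_FILTER, sender, rcpts)
        print(sender, "->", rcpts, "inspected" if verdict else "ignored")
```

Because a conflict resolves to "ignore", an overly broad exclusion on one side silently removes traffic the other side was meant to keep; test each sender/recipient pair you care about before deploying a filter on a Prevent server.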
Configure Server - Edit Protocol Filtering

Protocols screen
About protocol filtering

Protocol configuration examples
You configure protocols to indicate which network traffic the system captures, processes, and presents to you. Protocols
are divided into two categories:
• System protocols are the protocols that Symantec Data Loss Prevention fully supports.
• Custom protocols let you define and monitor network communication that Symantec Data Loss Prevention does not
fully support. Symantec Data Loss Prevention also provides a number of well known protocols as custom protocols.
The following examples show common protocol configurations:
• Filtering HTTP for browser-generated traffic
• Monitoring only outbound email
• Monitoring for the existence of prohibited traffic
• Monitoring for high port incidents
For information about protocol support:
Configure a protocol

Filtering HTTP for browser-generated traffic

HTTP has a wide variety of encapsulated content. HTTP header values often define the type of content in the stream. The
header values are name value pairs. For example the program that launched an HTTP request is often described after the
header name User-agent.
This example filters HTTP headers based on the User-agent to capture data from browsers. These browsers contain
User-agent values of Mozilla or Opera.
To filter HTTP headers based on the User-agent
1. Select System > Settings > Protocols from the navigation bar.
2. Select the HTTP protocol.
3. In the Filtering (may override at server level) section of the page, enter the following in the Content field:
I,user-agent:,mozilla,opera

4. Click Save, and then restart the servers.

If you use a custom configuration, you must make the same change in every server’s HTTP configuration.
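As an added illustration (not Symantec's code and not the detection server's implementation), the following Python evaluates a Content filter written in the format given for the Content field against constructed HTTP request heads. It uses the browser filter from this example extended with the content-type entry from the Content field description, so it also covers the inclusion rule that every entry must match. It assumes the stream is matched as decoded text and does not model the Search Depth setting.

```python
# Added example (not Symantec's code): evaluate a Content filter entry list against a
# captured stream, following the grammar and matching rules from the Content field:
#   Content Filter       := entry [; entry]...
#   Content Filter Entry := I, heading_name, heading_value [, heading_value]...
# Every entry must match or the stream is dropped. Assumptions not stated on the page:
# the stream is matched as decoded text and the heading may appear anywhere in it.
import re
from typing import List, Tuple

ContentEntry = Tuple[str, List[str]]  # (heading_name, [heading_value, ...])


def parse_content_filter(spec: str) -> List[ContentEntry]:
    """Parse 'I,heading,value[,value]...;I,heading,value...' into entries."""
    entries: List[ContentEntry] = []
    for raw in spec.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing ';' or an empty field
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) < 3 or parts[0].upper() != "I":
            raise ValueError(f"malformed content filter entry: {raw!r}")
        entries.append((parts[1], parts[2:]))
    return entries


def entry_matches(stream: str, heading: str, values: List[str]) -> bool:
    """True if the heading appears followed, after optional whitespace, by any value.

    Capitalization is ignored, as the field description says.
    """
    alternatives = "|".join(re.escape(v) for v in values)
    pattern = re.compile(re.escape(heading) + r"\s*(?:" + alternatives + ")", re.IGNORECASE)
    return pattern.search(stream) is not None


def stream_kept(spec: str, stream: str) -> bool:
    """Inclusion filter: every entry must match, otherwise the stream is dropped."""
    return all(entry_matches(stream, heading, values)
               for heading, values in parse_content_filter(spec))


# Constructed sample HTTP request heads (not captured traffic).
BROWSER_UPLOAD = (
    "POST /upload HTTP/1.1\r\nHost: files.example\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "Content-Type: multipart/form-data; boundary=----abc\r\n\r\n"
)
BROWSER_TEXT = BROWSER_UPLOAD.replace("multipart/form-data; boundary=----abc", "text/plain")
SCRIPT_UPLOAD = BROWSER_UPLOAD.replace("Mozilla/5.0 (X11; Linux x86_64)", "curl/8.4.0")

BROWSER_MULTIPART_FILTER = "I,user-agent:,mozilla,opera;I,content-type:,multipart"

if __name__ == "__main__":
    for name, head in [("browser upload", BROWSER_UPLOAD),
                       ("browser text/plain", BROWSER_TEXT),
                       ("curl upload", SCRIPT_UPLOAD)]:
        verdict = "kept" if stream_kept(BROWSER_MULTIPART_FILTER, head) else "dropped"
        print(f"{name}: {verdict}")
```

Note what the filter does not do: a User-agent header is client-supplied, so a script that sets it to a Mozilla string is retained and a browser-based exfiltration tool that omits it is dropped. A Content filter reduces load; it is not a trust boundary.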
Monitoring only outbound email

Symantec Data Loss Prevention can capture inbound email and outbound email at an organization. Outbound email is
often identified as the most important email to monitor. In most organizations, the email servers are located in a set of
subnets.
To set up SMTP to monitor only a certain set of subnets
1. Select System > Settings > Protocols from the navigation bar.
2. Select the SMTP protocol.
3. In the Filtering (may override at server level) section of the page, enter the following in the IP Filter field:
+,*,10.1.0.0/16;-,*,*

This example assumes that the source network where your email servers are located is 10.1.0.0 with a subnet mask of
255.255.0.0 (10.1.0.0/16). The first entry keeps SMTP streams whose source address is in that network, whatever
their destination; the second entry drops all other SMTP traffic, so inbound email from outside the network is not captured.

4. Click Save, and then restart the monitors.

You must make the same change in local Server configurations.


Monitoring for the existence of prohibited traffic

In some cases, it is helpful to know whether traffic occurs at all for a certain protocol or destination. For instance, traffic
to address 10.1.2.3 on ports 5000 through 5010 may indicate the use of an online service that your organization prohibits.
The traffic may be encrypted or otherwise unreadable and may create many incidents, so you might want to record only
its existence.
To record only the existence of traffic
1. Select System > Settings > Protocols from the navigation bar.
2. Click Add Protocol.
3. Enter a name for the protocol in the Name field.
4. In the Recognition section of the page, enter the following information:

Field name Entry

Ports 5000-5010

IP +,10.1.2.3/32,*;-,*,*

5. Click Save.

The new protocol appears at the end of the protocol list. You can use the new protocol in policies and report filters.
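The following added Python example (not Symantec's code and not the detection server's implementation) parses IP protocol filters in the format given for the IP field in Table 253 and evaluates them against constructed stream addresses, using the filters from the outbound email example and from this example. It assumes that a stream matching no entry is kept, as with an empty filter field, and that because IPv4 and IPv6 filters are independent a CIDR block never matches an address of the other family; only the * wildcard does.

```python
# Added example (not Symantec's code): parse and evaluate an IP protocol filter
# using the grammar from the IP field:
#   IP Protocol Filter    := entry [; entry]...
#   Protocol Filter Entry := -|+, destination_subnetwork, source_subnetwork
#   Subnetwork            := network_address/subnet_bitmask_size | *
# Entries are tried in order; the first whose destination and source both match
# decides the stream ('+' keep, '-' drop).
# Assumptions not stated on the page: a stream matching no entry is kept (like an
# empty filter), and a CIDR block never matches an address of the other IP family.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
MAX_FILTER_BYTES = 2800  # UI limit for the protocol IP filter list, from the field description


@dataclass(frozen=True)
class FilterEntry:
    keep: bool                      # '+' keeps the stream, '-' drops it
    destination: Optional[Network]  # None stands for '*'
    source: Optional[Network]


def parse_subnetwork(text: str) -> Optional[Network]:
    text = text.strip()
    if text == "*":
        return None
    if "/" not in text:
        raise ValueError(f"subnetwork must be <address>/<mask size> or *: {text!r}")
    # strict=True rejects host bits set under the mask (for example 10.1.2.3/16),
    # which almost always means the operator wrote a different filter than intended.
    return ipaddress.ip_network(text, strict=True)


def parse_ip_filter(spec: str) -> List[FilterEntry]:
    if len(spec.encode("utf-8")) > MAX_FILTER_BYTES:
        raise ValueError(f"filter exceeds the {MAX_FILTER_BYTES}-byte UI limit")
    entries: List[FilterEntry] = []
    for raw in spec.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # empty field or trailing ';'
        parts = [p.strip() for p in raw.split(",")]  # tolerate "10.1.2.3/32 ,*"
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"entry must be -|+,destination,source: {raw!r}")
        entries.append(FilterEntry(parts[0] == "+",
                                   parse_subnetwork(parts[1]),
                                   parse_subnetwork(parts[2])))
    return entries


def subnetwork_matches(net: Optional[Network], addr) -> bool:
    if net is None:
        return True                   # '*' matches any address of either family
    if net.version != addr.version:   # IPv4 and IPv6 filters are independent
        return False
    return addr in net


def stream_kept(entries: List[FilterEntry], destination: str, source: str) -> bool:
    """First entry whose destination and source both match decides the stream."""
    dst = ipaddress.ip_address(destination)
    src = ipaddress.ip_address(source)
    for entry in entries:
        if subnetwork_matches(entry.destination, dst) and subnetwork_matches(entry.source, src):
            return entry.keep
    return True  # assumption: nothing matched, behave like an empty filter


OUTBOUND_SMTP = "+,*,10.1.0.0/16;-,*,*"       # keep only streams from the mail-server network
PROHIBITED_SERVICE = "+,10.1.2.3/32 ,*;-,*,*"  # keep only streams to one host

if __name__ == "__main__":
    smtp = parse_ip_filter(OUTBOUND_SMTP)
    print("from 10.1.7.9 to 203.0.113.5:", stream_kept(smtp, "203.0.113.5", "10.1.7.9"))
    print("from 203.0.113.5 to 10.1.7.9:", stream_kept(smtp, "10.1.7.9", "203.0.113.5"))
```

The destination comes before the source in each entry, so `+,*,10.1.0.0/16` keeps streams from the network and `+,10.1.0.0/16,*` keeps streams to it; swapping them turns an outbound-only filter into an inbound-only one without any error from the UI.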
Monitoring for high port incidents

In some organizations, firewalls allow connections between high port applications like p2p. This traffic can occur over
any port and may be interspersed with a great deal of random data. To identify potential areas of investigation without
overwhelming the Server with traffic, you can create a sampling protocol.
To create a sampling protocol
1. Select System > Settings > Protocols from the navigation bar.
2. Click Add Protocol.
3. Enter a name for the protocol in the Name field.
4. In the Recognition section of the page, enter the following into the Ports field:
1025-36355

This entry instructs the protocol to match any high port traffic.
5. In the Filtering section of the page, enter the following into the Sampling field:
100

This value reduces the number of streams created that Symantec Data Loss Prevention inspects. Adjust this number
based on the server’s ability to process the new traffic in a timely fashion.

6. Click Save.
7. Look for the new protocol at the end of the protocol list. If the protocol is not at the bottom of the list, move it there.
Moving it ensures that more well-defined traffic is not mistakenly defined as this generic traffic.

About Enforce Server screen load performance


This section provides information that you can use to determine whether screen load times fall within the tested normal
range. The test results apply to screens that return a list of items derived from the database.
NOTE
For some screens, all items are listed, and for other screens, up to 100 results are listed.

Test platform and configurations


Screen load times in the Enforce Server can be affected by a number of different factors. Table 254: Enforce Server
screen load test platforms and configurations describes the operating systems, memory configuration, and Symantec
Data Loss Prevention configurations that were used for the Enforce Server screen load performance tests.

Table 254: Enforce Server screen load test platforms and configurations

Platform Configuration

Symantec Data Loss Prevention versions tested 15.8


Database application version tested Oracle 12c Release 1 Enterprise Edition
Server tier configuration Two-tier with the Oracle database and the Enforce Server running on the same
server
Server OS Windows 2016
Server memory 16 GB of RAM
Server memory configuration The default memory configuration was used during testing, which includes the
following:
• 256 MB for Symantec DLP Notifier
• 2 GB for Symantec DLP Manager
• 2 GB for the Symantec DLP Detection Server Controller
• 1 GB for Symantec DLP Incident Persister
Browser used during testing Chrome 79
Incident counts During testing, the database included the following type and number of incidents:
• Network: 531,411
• Discover: 7,449,321
• Endpoint: 569,496

Related Links
About Enforce Server screen load performance on page 592
About screen load performance testing on page 592
Enforce Server screen load test results on page 593

About screen load performance testing


Screen load testing records the time it takes for a screen to load and items to display on the page. Some screens list all
items for a given selection or paginate items to reduce load time.
Related Links

About Enforce Server screen load performance on page 592
Test platform and configurations on page 592
Enforce Server screen load test results on page 593

Enforce Server screen load test results


The following tables list the Enforce Server screen load test results for these screens:
• Incidents
Table 255: Incidents screen load test results
• Manage
Table 256: Manage screen load test results
• System
Table 257: System screen load test results
NOTE
Empty cells indicate screens that were not tested.

Table 255: Incidents screen load test results

Screen    Paginated (Y/N)    Screen load time for DLP 15.8

Incidents > All Reports > [saved incident report name here]    N    15 seconds to display 232 incident links, 50 dashboard reports, 108 saved incident reports, and 74 default reports
Incidents > Network > Incidents - New    Y    1 second with 531,410 incidents
Incidents > Network > Incidents - All         2 seconds for 888,000 incidents
Incidents > Endpoint > Incidents - New    Y    1 second with 569,496 incidents
Incidents > Endpoint > Incidents - All         6 seconds for 569,000 incidents
Incidents > Discover > Incidents - New    Y    1 second with 7,449,321 incidents
Incidents > Discover > Incidents - All         13 seconds for 7,400,000 incidents
Scans

Table 256: Manage screen load test results

Screen    Paginated (Y/N)    Screen load time for DLP 15.8

Manage > Data Profiles > Indexed Documents    N    2 minutes with 972 Indexed Document profiles
Manage > Data Profiles > Exact Data    N    7 seconds with 504 Exact Data Profiles
Manage > Data Profiles > Vector Machine Learning    N    1 second with 25 Vector Machine Learning Profiles
Manage > Policies > Policy List    N    1 minute for 2,635 policies
Manage > Policies > Response Rules    N    4 seconds for 503 response rules
Manage > Policies > Data Identifiers    N    1 second for 295 system data identifiers and 50 custom data identifiers

Table 257: System screen load test results

Screen    Paginated (Y/N)    Screen load time for DLP 15.8

System > Servers and Detectors > Overview    N    3 seconds for 300 monitors
System > Login Management > DLP Users    N    1 second for 505 users
System > Login Management > Roles    Y    1 second for 51 roles
System > Servers and Detectors > Policy Groups    N    1 second for 200 policy groups
System > System Reports    N    27 seconds for 101 saved system reports
System > Incident Data > Attributes, Custom Attributes tab    N    1 second for 50 custom incident attributes
System > Servers and Detectors > Alerts    N    1 second for 100 alerts
System > Agents > Agent Groups    Y    1 second for 116 agent groups
System > Agents > Global Application Monitoring    Y    2 seconds for 375 applications
System > Agents > Endpoint Devices    N    2 seconds for 50 endpoint devices
System > Settings > Credentials    Y    1 second with 150 credentials
System > Settings > Protocols    Y    1 second with 24 protocols
System > Servers and Detectors > Traffic    N    11 seconds with 300 servers
System > Database > Table Details    N    8 seconds with 585 tables

Related Links
About Enforce Server screen load performance on page 592
Test platform and configurations on page 592
About screen load performance testing on page 592

About the Endpoint and Network Discover communications settings


Symantec Data Loss Prevention automatically sets up a Certificate Authority (CA) which issues the certificates needed
for authentication and secure communications between Network Discover Servers and between the Endpoint Server and
the DLP Agents. The public key certificates are stored on the Enforce Server file system and their passwords are securely
stored in the Enforce Server database.
You can change the password that protects the CA in the Endpoint and Network Discover Communications Settings
area on the System > Settings > General screen.
To change the Endpoint and Network Discover communications keystore password
1. Go to System > Settings > General.
2. Click Configure.
3. Locate the Change Endpoint and Network Discover Communications Keystore Password area.
4. Enter and re-enter a new password.
5. Save your changes.

Working with General Settings

Managing roles and users


This section includes the following topics:
About role-based access control
About authenticating users
Configuring user authentication
About configuring roles and users
About recommended roles for your organization
Roles included with solution packs
Configuring Roles
Configuring user accounts
Configuring user authentication and role assignment using Active Directory
Configuring password enforcement settings
Resetting the Administrator Password
Manage and add roles
Manage and add users
Integrating Active Directory for user authentication
About certificate authentication configuration

About role-based access control


Symantec Data Loss Prevention provides role-based access control to govern how users access product features
and functionality. For example, a role might let users view reports, but prevent users from creating policies or deleting
incidents. Or, a role might let users author policy response rules but not detection rules.
Roles determine what a user can see and do in the Enforce Server administration console. For example, the Report role
is a specific role that is included in most Symantec Data Loss Prevention solution packs. Users in the Report role can
view incidents and create policies, and configure Discover targets (if you are running a Discover Server). However, users
in the Report role cannot create Exact Data or Document Profiles. Also, users in the Report role cannot perform system
administration tasks. When a user logs on to the system in the Report role, the Manage > Data Profiles and the System
> Login Management modules in the Enforce Server administration console are not visible to this user.
You can assign a user to more than one role. Membership in multiple roles allows a user to perform different kinds of work
in the system. For example, you grant the information security manager user (InfoSec Manager) membership in two roles:
ISR (information security first responder) and ISM (information security manager). The InfoSec Manager can log on to the
system as either a first responder (ISR) or a manager (ISM), depending on the task(s) to perform. The InfoSec Manager
only sees the Enforce Server components appropriate for those tasks.
You can also combine roles and policy groups to limit the policies and detection servers that a user can configure. For
example, you associate a role with the European Office policy group. This role grants access to the policies that are
designed only for the European office.
Policy deployment
You can configure roles manually (manually managed roles) or use Active Directory (AD) managed roles. AD-managed
roles only contain users based on AD groups that you include in a user group.

Configuring user authentication and role assignment using Active Directory
You use manually managed roles for users that you create manually.
About configuring roles and users
Users who are assigned to multiple roles must specify the desired role at log on. Consider an example where you assign
the user named "User01" to two roles, "Report" and "System Admin." If "User01" wanted to log on to the system to
administer the system, the user would log on with the following syntax: Login: System Admin\User01
Logging On and Off the Enforce Server Administration Console
The Administrator user (created during installation) has access to every part of the system and therefore is not a member
of any access-control role.
About the administrator account

About authenticating users


Enforce Server administration console logon authentication options include SAML, forms-based, Active Directory/
Kerberos, and certificate.
The table Enforce Server authentication mechanisms describes each mechanism for authenticating users to the
Enforce Server administration console:

Table 258: Enforce Server authentication mechanisms

Authentication mechanism: SAML authentication
Sign-on mechanism: Single sign-on
Description: With SAML authentication, the Enforce Server administration console authenticates each user by validating the supplied email, user name, or other user attributes that map to attributes the identity provider uses.
When SAML is enabled, users access the Enforce Server Admin console URL and are redirected to the identity provider logon page, where they enter their credentials. After they are authenticated with the identity provider, their user attributes are sent to the Enforce Server. The Enforce Server attempts to find a user with matching attributes. If the user is found, they are logged on to the Enforce Server administration console.
Configuration template file used: springSecurityContext-SAML.xml
About SAML authentication

Authentication mechanism: Password authentication
Sign-on mechanism: Forms-based sign-on
Description: With password authentication, the Enforce Server administration console authenticates each user. It determines if the supplied user name and password combination matches an active user account in the Enforce Server configuration. An active user account is authenticated if it has been assigned a valid role.
Users enter their credentials into the Enforce Server administration console's logon page and submit them over an HTTPS connection to the Tomcat container that hosts the administration console.
With password authentication, you must configure the user name and password of each user account directly in the Enforce Server administration console. You must also ensure that each user account has at least one assigned role.
Configuration template file used: springSecurityContext-Form.xml
Manage and add users

Authentication mechanism: Active Directory authentication
Sign-on mechanism: Forms-based sign-on
Description: With Microsoft Active Directory authentication, the Enforce Server administration console first evaluates a supplied user name to determine if the name exists in a configured Active Directory server. If the user name exists in Active Directory, the supplied password for the user is evaluated against the Active Directory password. Any password that is configured in the Enforce Server configuration is ignored.
With Active Directory authentication, you must configure a user account for each new Active Directory user in the Enforce Server administration console. When you upgrade to Symantec Data Loss Prevention 15, your existing users do not have to be set up again.
You do not have to enter a password for an Active Directory user account. You can switch to Active Directory authentication after you have already created user accounts in the system. However, only those existing user names that match Active Directory user names remain valid after the switch.
Configuration template file used: springSecurityContext-Kerberos.xml
Verifying the Active Directory connection

Authentication mechanism: Certificate authentication
Sign-on mechanism: Single sign-on from Public Key Infrastructure (PKI)
Description: Certificate authentication enables a user to automatically log on to the Enforce Server administration console using an X.509 client certificate. This certificate is generated by your public key infrastructure (PKI). To use certificate-based single sign-on, you must first enable certificate authentication as described in this section.
Configuring certificate authentication for the Enforce Server administration console
The client certificate must be delivered to the Enforce Server when a client's browser performs the SSL handshake with the Enforce Server administration console. For example, you might use a smart card reader and middleware with your browser to automatically present a certificate to the Enforce Server. Or, you might obtain an X.509 certificate from a certificate authority. Then you would upload the certificate to a browser that is configured to send the certificate to the Enforce Server.
When a user accesses the Enforce Server administration console, the PKI automatically delivers the user's certificate to the Tomcat container that hosts the administration console. The Tomcat container validates the client certificate using the certificate authorities that you have configured in the Tomcat trust store.
Configuration template file used: springSecurityContext-Certificate.xml
Adding certificate authority (CA) certificates to the Tomcat trust store
The Enforce Server administration console uses the validated certificate to determine whether the certificate has been revoked.
About certificate revocation checks
If the certificate is valid and has not been revoked, then the Enforce Server uses the common name (CN) in the certificate to determine if that CN is mapped to an active user account with a role in the Enforce Server configuration. For each user that accesses the Enforce Server administration console using certificate-based single sign-on, you must create a user account in the Enforce Server that defines the corresponding user's CN value. You must also assign one or more valid roles to the user account.

Here are some important things to note when you set up SAML authentication.
• You must restart the manager when you change the way you authenticate users in SAML. Changing this mapping
criteria in the springSecurityContext file for SAML without restarting the manager results in users that are out of
sync, as the system continues to use the previous version of the file. For example, if you change the mapping criteria from
user name to email address, you must restart the manager.
• You must remap each user when you change the way you map users in SAML. Changing mapping criteria invalidates
the existing user's mapping.
• You must validate the XML syntax before you restart the manager. Some characters such as "&" that can be part of a
user attribute make the XML invalid. You need to replace these characters with their XML escape string. For example,
instead of "&" use "&amp;".
• Do not delete any XML nodes in the XML files.
• Attribute names in XML must exactly match (including case) attribute names in the identity provider.
• When switching from forms-based to SAML authentication, you must go through each user and disable password
access for non-Web Services users.
• When switching from Certificate authentication to SAML authentication, make sure that the ClientAuth value in
server.xml is set to false.
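The XML-validity and escaping points in the notes above, as an added Python example (not a tool shipped with Symantec DLP, and not code from this documentation): it parses a springSecurityContext.xml before the restart so that an unescaped "&" is caught, and it reports which nameID or userAttributes mapping the file declares, which tells you whether existing users will need remapping. The bean and property names are the ones shown on this page; the two sample contexts are constructed for the example, and the bean id in the second one is a placeholder.

```python
"""Added example, not part of Symantec DLP or its documentation: a pre-restart
check for an edited springSecurityContext.xml used with SAML authentication."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def escape_attribute_value(value: str) -> str:
    """Return value with &, <, > and double quotes replaced by XML escapes.

    "&" becomes "&amp;" (with the trailing semicolon; "&amp" on its own is not a
    complete entity reference and the file would still fail to parse)."""
    return escape(value, {'"': "&quot;"})


def _local(tag: str) -> str:
    # Spring context files may carry the beans namespace; compare local names only.
    return tag.rsplit("}", 1)[-1]


def check_spring_context(xml_text: str) -> dict:
    """Parse a springSecurityContext.xml and report the SAML user mapping it declares.

    Returns {"ok": bool, "errors": [str], "nameID": str|None, "userAttributes": [str]}."""
    result = {"ok": False, "errors": [], "nameID": None, "userAttributes": []}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # This is the failure an unescaped "&" (or an unquoted value="...") produces.
        result["errors"].append(f"XML is not well-formed: {exc}")
        return result
    for el in root.iter():
        if _local(el.tag) != "property":
            continue
        if el.get("name") == "nameID":
            result["nameID"] = el.get("value")
        elif el.get("name") == "userAttributes":
            result["userAttributes"] = [
                v.text.strip() for v in el.iter() if _local(v.tag) == "value" and v.text
            ]
    if result["nameID"] is None and not result["userAttributes"]:
        result["errors"].append("no nameID or userAttributes mapping found")
    if result["nameID"] == "":
        result["errors"].append("nameID property has an empty value")
    result["ok"] = not result["errors"]
    return result


# Constructed: a custom attribute name containing "&", pasted in unescaped.
BROKEN_CONTEXT = """<beans>
  <bean id="userLookupService" class="com.vontu.login.spring.VontuSAMLUserDetailsService">
    <property name="userAttributes">
      <set>
        <value>Sales&Marketing-ID</value>
      </set>
    </property>
  </bean>
</beans>"""

# Constructed: the same file after escaping the value; the nameID property is
# placed in a bean whose id is a placeholder for this example.
FIXED_CONTEXT = """<beans>
  <bean id="constructedSamlOptions">
    <property name="nameID" value="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
  </bean>
  <bean id="userLookupService" class="com.vontu.login.spring.VontuSAMLUserDetailsService">
    <property name="userAttributes">
      <set>
        <value>Sales&amp;Marketing-ID</value>
        <value>EmailAddress</value>
      </set>
    </property>
  </bean>
</beans>"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONTEXT), ("fixed", FIXED_CONTEXT)):
        print(label, check_spring_context(text))
```

Run the check against the real file (`check_spring_context(open(path).read())`) after every edit and before the restart; an `ok` of False with a well-formedness error is the case the note above warns about, and a changed nameID or userAttributes list is the signal that users must be remapped.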
Configuring user authentication and role assignment using Active Directory

Configuring user authentication

About SAML authentication


SAML (Security Assertion Markup Language) user authentication is now available for logging on to the Enforce
Server administration console. SAML is an XML-based open standard data format for exchanging authentication and
authorization data between service providers and identity providers. DLP is the service provider.
Before using SAML, you must set up the service provider, the identity provider, and map the user attributes to identify the
user.
Three types of mapping are available: by email, by user name, and by custom user attributes. When you use SAML, the
ROLE\USERNAME logon for local users is not supported.
Symantec supports the following identity providers, both on-premises and cloud based:
• SAM (Symantec Access Manager)
• Okta
• SSOCircle
Setting up authentication

Setting up authentication
The table Authentication configuration steps summarizes the setup tasks, with links to more information on each
step.

Table 259: Authentication configuration steps

Step 1: Edit the Spring context file for the authentication method.
  More information: Set up and configure the authentication method
Step 2: Set up the authentication configuration.
  More information:
  For SAML: Set up the SAML authentication configuration
  For Active Directory/Kerberos: Configuring Active Directory authentication
  For Forms-based: Configuring forms-based authentication
  For Certificate: Configuring certificate authentication
Step 3: Restart the Enforce Server.
  More information: About Symantec Data Loss Prevention services
Step 4: For SAML, generate and download the service provider SAML metadata. The Enforce Server administration console is the service provider.
  More information: Generate or download Enforce (service providers) SAML metadata
Step 5: For SAML, configure Enforce as a SAML service provider with the identity provider.
  More information: Configure the Enforce Server as a SAML service provider with the IdP (Create an application in your identity provider)
Step 6: For SAML, download the identity provider metadata.
  More information: Export the IdP metadata to DLP
Step 7: Complete the process by restarting the Enforce Server.
  More information: About Symantec Data Loss Prevention services
Step 8: Log on to the Enforce Server administration console using the Administrator Bypass URL.
  More information: Administrator Bypass URL

NOTE
The Enforce Server administration console (the service provider in SAML) and the IdP exchange messages
using the settings in the configuration. Ensure that your settings match with your IdP's configuration and
capabilities. Unmatched settings break the system.
You must restart the Enforce Server twice: once after you set up the authentication configuration in the
springSecurityContext.xml file, and once after you download the IdP metadata file and replace the
contents of idp-metadata.xml in the Enforce install directory with the IdP metadata.
Administrator Bypass URL

Administrator Bypass URL


The administrator bypass URL, https://<hostnameOrIp>/ProtectManager/admin/Logon, enables you to bypass
SAML authentication. You can log on to the Enforce Server administration console and use forms-based authentication
to set up users. You must enter this URL in your browser; you cannot navigate to this URL through the Enforce Server
administration console user interface.
NOTE
Only one active logon is available with the Bypass URL.
Set up and configure the authentication method

Set up and configure the authentication method


These steps present an overview of the common tasks for setting up and configuring all authentication methods.
Additional steps or changes for each method are explained in "Final steps" following the initial template file configuration.

NOTE
The files that you must modify are commented with details to help you through the update process.
To set up the authentication method
1. Delete (or rename) the springSecurityContext.xml file in the [your install directory]/Protect/
tomcat/webapps/ProtectManager/WEB-INF/.
2. Go to the [your install directory]/Protect/tomcat/webapps/ProtectManager/security/
template folder and select the appropriate configuration template file for your authentication method:
• springSecurityContext-SAML.xml for SAML authentication configurations
• springSecurityContext-Form.xml for forms-based and client certificate-based authentication configurations
• springSecurityContext-Certificate.xml for client certificate-based authentication only
• springSecurityContext-Kerberos.xml for Active Directory/Kerberos authentication configurations
3. Copy the file you selected into the [your install directory]/Protect/tomcat/webapps/
ProtectManager/WEB-INF/ folder.
4. Rename the file to springSecurityContext.xml.
5. Configure the springSecurityContext.xml file:
6. Final steps:
• SAML: For instructions on how to set up the SAML authentication configuration, see Set up the SAML
authentication configuration.
• Forms Based: If the template file that you copied is for forms-based authentication, there are no additional
settings to configure. The DLP User Authentication section of the General Settings now indicates that your user
authentication method is Forms Based.
• Client certificate: To enable client certificate authentication, set clientAuth to want or true in
<InstallDirectory>/Protect/tomcat/config/server.xml. The DLP User Authentication section of
the General Settings now indicates that your user authentication method is Certificate.
• Active Directory: To enable Active Directory authentication, replace the value for krbConfLocation in
[your install directory]/Protect/tomcat/webapps/ProtectManager/WEB-INF/
springSecurityContext.xml
with the path to your krb5.ini file.
The DLP User Authentication section of the General Settings now indicates that your user authentication
method is Active Directory. You can configure the list of domains in this DLP User Authentication section of the
General Settings page.
NOTE
You can no longer perform the initial setup of Active Directory through the Enforce Server administration
console.
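The four file steps above (rename the active context file, pick the template, copy it into WEB-INF, rename it), as an added Python example rather than anything shipped with the product: it keeps a timestamped backup instead of deleting the old file, rejects method names it does not know, and refuses to leave in place a template that does not parse as XML. Directory names follow the layout on this page; the version directory you pass in and the throwaway layout built by demo() are assumptions of the example.

```python
"""Added example, not a Symantec DLP tool: stage the Spring Security context
template for one authentication method with a backup and a parse check."""
import shutil
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime
from pathlib import Path

# Method name -> template file name, as listed on this page.
TEMPLATES = {
    "SAML": "springSecurityContext-SAML.xml",
    "Form": "springSecurityContext-Form.xml",
    "Certificate": "springSecurityContext-Certificate.xml",
    "Kerberos": "springSecurityContext-Kerberos.xml",
}


def stage_auth_template(install_dir, method):
    """Install the template for `method` as WEB-INF/springSecurityContext.xml.

    Returns {"active": Path, "backup": Path|None, "template": Path}."""
    install_dir = Path(install_dir)
    try:
        template_name = TEMPLATES[method]
    except KeyError:
        raise ValueError(f"unknown authentication method {method!r}; expected one of {sorted(TEMPLATES)}")
    pm = install_dir / "Protect" / "tomcat" / "webapps" / "ProtectManager"
    template = pm / "security" / "template" / template_name
    active = pm / "WEB-INF" / "springSecurityContext.xml"
    if not template.is_file():
        raise FileNotFoundError(f"template not found: {template}")
    backup = None
    if active.exists():
        # Step 1: rename rather than delete, so the previous configuration can be restored.
        backup = active.with_name(f"springSecurityContext.xml.bak.{datetime.now():%Y%m%d%H%M%S}")
        active.rename(backup)
    # Steps 3 and 4: copy the template into WEB-INF under the name Tomcat loads.
    shutil.copyfile(template, active)
    # Catch a malformed template before the restart (raises ET.ParseError if not well-formed).
    ET.parse(active)
    return {"active": active, "backup": backup, "template": template}


def demo():
    """Run the staging against a throwaway install layout built in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        pm = Path(tmp) / "Protect" / "tomcat" / "webapps" / "ProtectManager"
        (pm / "WEB-INF").mkdir(parents=True)
        (pm / "security" / "template").mkdir(parents=True)
        # Constructed stand-ins for the real template and the currently active file.
        (pm / "security" / "template" / "springSecurityContext-SAML.xml").write_text("<beans/>\n")
        (pm / "WEB-INF" / "springSecurityContext.xml").write_text("<beans><!-- old --></beans>\n")
        result = stage_auth_template(tmp, "SAML")
        try:
            stage_auth_template(tmp, "OAuth")
            rejected = False
        except ValueError:
            rejected = True
        return {
            "active_exists": result["active"].is_file(),
            "backup_exists": result["backup"] is not None and result["backup"].is_file(),
            "active_is_template": result["active"].read_text() == "<beans/>\n",
            "unknown_method_rejected": rejected,
        }


if __name__ == "__main__":
    print(demo())
```

Step 5 (editing the staged file for the chosen method) is a manual edit and is deliberately not automated here; restart the Enforce Server only after that edit.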
Configuring the Enforce Server for Active Directory authentication

Set up the SAML authentication configuration

Set up the SAML authentication configuration


Get the information about your IdP, such as its choice of authentication methods, available user identifiers, available user
attributes, and the required service provider metadata.
Open [your install directory]/Protect/tomcat/webapps/ProtectManager/WEB-INF/ and set the
entityBaseURL property to your Enforce URL: https://<host name or IP>/ProtectManager.

NOTE
Unless you only want to access the Enforce Server administration console from the host machine, don't use
localhost as the host name.
Set the nameID property by editing the value of the property element named "nameID" in the Spring file to a name identifier
format that your IdP supports, such as emailAddress or WindowsDomainQualifiedName. Here's an example
for email address:
<property name="nameID" value="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />

You may want to use a combination of user attributes returned from the IdP to identify a Data Loss Prevention user. In this
case you can set the userAttributes property. For example:

<bean id="userLookupService" class="com.vontu.login.spring.VontuSAMLUserDetailsService">
    <!-- Identify a user by this combination of attributes returned from the IdP -->
    <property name="userAttributes">
        <set>
            <value>UserName</value>
            <value>EmailAddress</value>
            <value>EmployeeID</value>
        </set>
    </property>
</bean>
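How a lookup by nameID or by a userAttributes set plays out, as an added Python example (not code from Symantec DLP or from the SAML library it uses): it parses a constructed SAML 2.0 assertion, extracts the NameID and the attribute statement, and matches the user against a constructed local user table, comparing attribute names case-sensitively as this page requires. The user-table fields, the roles field, and the name_id_field parameter are assumptions of this example.

```python
"""Added example, not product code: attribute-based user lookup from a SAML assertion."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment (unsigned; signature, audience and time
# validation belong to the SAML library and are not shown here).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="UserName"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="EmailAddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="EmployeeID"><saml:AttributeValue>E1001</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed local user table. bob was created while users were mapped by
# UserName, so his EmailAddress was never filled in; carol has no role.
USERS = [
    {"UserName": "alice", "EmailAddress": "alice@example.com", "EmployeeID": "E1001", "roles": ["ISM"]},
    {"UserName": "bob", "EmailAddress": None, "EmployeeID": "E1002", "roles": ["ISR"]},
    {"UserName": "carol", "EmailAddress": "carol@example.com", "EmployeeID": "E1003", "roles": []},
]


def extract_identity(assertion_xml: str):
    """Return (name_id, {attribute name: value}) from an assertion."""
    root = ET.fromstring(assertion_xml)
    nid = root.find("saml:Subject/saml:NameID", SAML_NS)
    name_id = nid.text.strip() if nid is not None and nid.text else None
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        val = attr.find("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = val.text.strip() if val is not None and val.text else None
    return name_id, attrs


def find_user(users, name_id, attrs, *, name_id_field=None, user_attributes=()):
    """Find the local user the assertion identifies, or None.

    user_attributes: names that must ALL be present in the assertion and equal the
    user's stored values (the userAttributes mapping). Otherwise name_id is compared
    against the user field named by name_id_field (the nameID mapping; the field name
    is an assumption). A matched user without any role is treated as not logged on."""
    if user_attributes:
        if any(name not in attrs for name in user_attributes):
            return None  # case-sensitive: "emailaddress" does not match "EmailAddress"
        wanted = {name: attrs[name] for name in user_attributes}
    elif name_id_field:
        if name_id is None:
            return None
        wanted = {name_id_field: name_id}
    else:
        raise ValueError("configure either user_attributes or name_id_field")
    for user in users:
        if all(user.get(k) == v for k, v in wanted.items()):
            return user if user["roles"] else None
    return None


def lookup(assertion_xml, users=USERS, **mapping):
    """Parse the assertion and return the matched UserName, or None."""
    name_id, attrs = extract_identity(assertion_xml)
    user = find_user(users, name_id, attrs, **mapping)
    return user["UserName"] if user else None


if __name__ == "__main__":
    print(lookup(ASSERTION, user_attributes=("UserName", "EmailAddress", "EmployeeID")))
    print(lookup(ASSERTION, user_attributes=("emailaddress",)))  # wrong case: no match
```

The bob and carol rows show the two operational notes on this page in miniature: a user created under one mapping has no value for the attribute a new mapping compares against until you remap the account, and an account with no role never completes logon whatever mapping is in force.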

Set Up the IdP Authentication Method


Set the user authentication method that you expect the IdP to use when users log on to the IdP in the authContexts
property. If you want the IdP to apply two-factor authentication to validate a user, set TimeSyncToken as the only
authentication context. Remove or comment out all other authentication context classes in the following list except
TimeSyncToken.

<!-- AuthnContext class URIs as defined by the SAML 2.0 authentication context specification -->
<property name="authnContexts">
    <list>
        <!-- User name and password -->
        <value>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</value>
        <!-- Password Protected Transport -->
        <value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</value>
        <!-- Integrated Windows Authentication -->
        <value>urn:federation:authentication:windows</value>
        <!-- One time token or two factor authentication -->
        <value>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</value>
        <!-- Any authentication method that your IDP supports -->
        <value>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</value>
    </list>
</property>

For two-factor authentication only, leave TimeSyncToken as the single entry:

<property name="authnContexts">
    <list>
        <!-- One time token or two factor authentication -->
        <value>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</value>
    </list>
</property>

Generate or download Enforce (service providers) SAML metadata

Generate or download Enforce (service providers) SAML metadata


To download the Enforce SAML metadata

1. Restart the Enforce Server.
2. Log on as Administrator using the Bypass URL. This Bypass URL is accessed directly; you don't need to log on to the
Enforce Server administration console to access this URL.
3. Go to System > Settings > General and navigate to the DLP User Authentication section.
4. Click the link to the right of The SAML config file for your IdP is at to download the metadata.

Configure the Enforce Server as a SAML service provider with the IdP (Create an application in your identity provider)

Configure the Enforce Server as a SAML service provider with the IdP (Create an application in
your identity provider)
These steps vary depending on the IdP that you use. Here is a broad overview of the steps if you use Symantec VIP
Access Manager as your IdP:
To configure the Enforce Server as a SAML service provider with the IdP (create an application)
1. Log on to the VIP Access Manager administration console as administrator.
2. Click generic template.
3. Name the connector.
4. Select the access policy as SSO (single sign-on).
5. Configure your portal by selecting an icon for your site (this icon appears on the identity provider's dashboard).
6. Upload the Enforce Server metadata.

Export the IdP metadata to DLP

Export the IdP metadata to DLP


Download the IdP metadata and replace the contents of the idp-metadata.xml file at <installdirectory>/
Protect/tomcat/webapps/ProtectManager/security/idp-metadata.xml with the IdP metadata that you
downloaded.
Configuring Active Directory authentication

Configuring Active Directory authentication


If the template file that you copied is for Active Directory/Kerberos authentication, open the <InstallDirectory>/
Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml file in a
text editor. This is the springSecurityContext-Kerberos.xml file that you previously renamed to
springSecurityContext.xml. Set the krbConfLocation value to the path of your Kerberos configuration file. For
example:

<!-- Set krbConfLocation in System properties -->
<bean class="org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig">
    <!-- krb5 configuration file location.
         For example:
         C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\krb5.ini on Windows
         or
         /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config/krb5.conf on Linux
    -->
    <property name="krbConfLocation" value="C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\krb5.ini"/>
</bean>
Set up and configure the authentication method
Configuring forms-based authentication
Integrating Active Directory for user authentication

Configuring forms-based authentication


After you copy the template file for forms-based authentication, there are no additional settings to configure.
Configuring certificate authentication

Configuring certificate authentication


After you copy the template file for client certificate-based authentication, go to the <Install Directory>/Protect/
tomcat/config/server.xml file and set the clientAuth value to want or true.
Generate or download Enforce (service providers) SAML metadata

About configuring roles and users


When you install the Enforce Server, you create a default Administrator user that has access to all roles. If you import a
solution pack to the Enforce Server, the solution pack includes several roles and users to get you started.
About the administrator account
You may want to add roles and users to the Enforce Server. When adding roles and users, consider the following
guidelines:
• Understand the roles necessary for your business users and for the information security requirements and procedures
of your organization.
About recommended roles for your organization
• Review the roles that were created when you installed a solution pack. You can likely use several of them (or modified
versions of them) for users in your organization.
Roles included with solution packs
• If necessary, modify the solution-pack roles and create any required new roles.
Configuring roles
• Create users and assign each of them to one or more roles.
Configuring user accounts
• Manage roles and users and remove those not being used.
Manage and add roles
Manage and add users

About recommended roles for your organization


To determine the most useful roles for your organization, review your business processes and security requirements.

Most businesses and organizations find the following roles fundamental when they implement the Symantec Data
Loss Prevention system:
• System Administrator
This role provides access to the System module and associated menu options in the Enforce Server administration
console. Users in this role can monitor and manage the Enforce Server and detection server(s). Users in this role
can also deploy detection servers and run Discover scans. However, users in this role cannot view detailed incident
information or author policies. All solution packs create a "Sys Admin" role that has system administrator privileges.
• User Administrator
This role grants users the right to manage users and roles. Typically this role grants no other access or privileges.
Because of the potential for misuse, it is recommended that no more than two people in the organization be assigned
this role (primary and backup).
• Policy Administrator
This role grants users the right to manage policies and response rules. Typically this role grants no other access or
privileges. Because of the potential for misuse, it is recommended that no more than two people in the organization be
assigned this role (primary and backup).
• Policy Author
This role provides access to the Policies module and associated menu options in the Enforce Server administration
console. This role is suited for information security managers who track incidents and respond to risk trends. An
information security manager can author new policies or modify existing policies to prevent data loss. All solution
packs create an "InfoSec Manager" (ISM) role that has policy authoring privileges.
• Incident Responder
This role provides access to the Incidents module and associated menu options in the Enforce Server
administration console. Users in this role can track and remediate incidents. Businesses often have at least two
incident responder roles that provide two levels of privileges for viewing and responding to incidents.
A first-level responder may view generic incident information, but cannot access incident details (such as sender or
recipient identity). In addition, a first-level responder may also perform some incident remediation, such as escalating
an incident or informing the violator of corporate security policies. A second-level responder might be an escalation
responder who has the ability to view incident details and edit custom attributes. A third-level responder might be an
investigation responder who can create response rules, author policies, and create policy groups.
All solution packs create an "InfoSec Responder" (ISR) role. This role serves as a first-level responder. You can use
the ISM (InfoSec Manager) role to provide second-level responder access.
Your business probably requires variations on these roles, as well as other roles. For more ideas about these and other
possible roles, see the descriptions of the roles that are imported with solution packs.
Roles included with solution packs

Roles included with solution packs


The various solution packs offered with Symantec Data Loss Prevention create roles and users when installed. For all
solution packs there is a standard set of roles and users. You may see some variation in those roles and users, depending
on the solution pack you import.
The following table summarizes the Financial Services Solution Pack roles. These roles are largely the same as the roles
that are found in other Symantec Data Loss Prevention solution packs.
Financial Services Solution Pack roles

Table 260: Financial Services Solution Pack roles

Role Name Description

Compliance Compliance Officer:


• Users in this role can view, remediate, and delete incidents; look up attributes; and edit all custom attributes.
• This comprehensive role provides users with privileges to ensure that compliance regulations are met. It also
allows users to develop strategies for risk reduction at a business unit (BU) level, and view incident trends and
risk scorecards.
Exec Executive:
• Users in this role can view, remediate, and delete incidents; look up attributes; and view all custom attributes.
• This role provides users with access privileges to prevent data loss risk at the macro level. Users in this role
can review the risk trends and performance metrics, as well as incident dashboards.
HRM HR Manager:
• Users in this role can view, remediate, and delete incidents; look up attributes; and edit all custom attributes.
• This role provides users with access privileges to respond to the security incidents that are related to
employee breaches.
Investigator Incident Investigator:
• Users in this role can view, remediate, and delete incidents; look up attributes; and edit all custom attributes.
• This role provides users with access privileges to research details of incidents, including forwarding incidents
to forensics. Users in this role may also investigate specific employees.
ISM InfoSec Manager:
• Users in this role can view, remediate, and delete incidents. They can look up attributes, edit all custom
attributes, author policies and response rules.
• This role provides users with second-level incident response privileges. Users can manage escalated incidents
within information security team.
ISR InfoSec Responder:
• Users in this role can view, remediate, and delete incidents; look up attributes; and view or edit some custom
attributes. They have no access to sender or recipient identity details.
• This role provides users with first-level incident response privileges. Users can view policy incidents, find
broken business processes, and enlist the support of the extended remediation team to remediate incidents.
Report Reporting and Policy Authoring:
• Users in this role can view and remediate incidents, and author policies. They have no access to incident
details.
• This role provides a single role for policy authoring and data loss risk management.
Sys Admin System administrator:
• Users in this role can administer the system and the system users, and can view incidents. They have no
access to incident details.

Configuring Roles
Each Symantec Data Loss Prevention user is assigned to one or more roles that define the privileges and rights that
user has within the system. A user's role determines system administration privileges, policy authoring rights, incident
access, access to masked data, and more. If a user is a member of multiple roles, the user must specify the role when
logging on, for example: Login: Sys Admin/sysadmin01.
About role-based access control
About configuring roles and users

1. Navigate to the System > Login Management > Roles screen.
2. Click Add Role.
The Configure Role screen appears, displaying the following tabs: General, Incident Access, Policy Management,
and Users & Groups.
3. In the General tab:
• Enter a unique Name for the role. The name field is case-sensitive and is limited to 30 characters. The name that
you enter should be short and self-describing. Use the Description field to annotate the role name and explain its
purpose in more detail. The role name and description appear in the Role List screen.
• Use the User Privileges section to grant user privileges for the role.
System privileges include the following options:

User Administration (Superuser): Select the User Administration option to enable users to create more roles and users in the Enforce
Server.
Server Administration: Select the Server Administration option to enable users to perform the following functions:
• Configure detection servers.
• Create and manage Data Profiles for Exact Data Matching (EDM), Form Recognition, Indexed
Document Matching (IDM), and Vector Machine Learning (VML).
• Configure and assign incident attributes.
• Configure system settings.
• Configure response rules.
• Create policy groups.
• Configure recognition protocols.
• View system event and traffic reports.
• Import policies.
Note: Selecting Server Administration also provides Agent Management privileges.

Agent Management: Select the Agent Management option to enable users to perform the following functions:
• Review agent status
• Review agent events
• Manage agents and perform troubleshooting tasks
• Delete, restart, and shut down agents
• Change the Endpoint Server to which agents connect
• Pull agent logs
• Access agent summary reports
• View agent group conflicts
• Review server logs
• Manage server logs, including canceling log collection, configuring logs, and downloading and
deleting logs
End User Remediation Administration: Select the End User Remediation Administration option to enable users to manage the following
functions:
• End User Remediation - Incident Configurations
• End User Remediation - Remediation Configurations and Execution

People privilege includes the following options:

User Reporting (Risk Summary, User Snapshot): Select the User Reporting option to enable users to view the user risk summary.
Note: The Incident > View privilege is automatically enabled for all incident types for users with the
User Reporting privilege.

Incidents privileges allow you to grant users in this role the following incident privileges. These settings apply to
all incident reports in the system, including the Executive Summary, Incident Summary, Incident List, and Incident
Snapshots.

View: Select the View option to enable users in this role to view policy violation incidents.
You can customize incident viewing access by selecting various Actions and Display Attribute
options as follows:
• By default the View option is enabled (selected) for all types of incidents: Network Incidents,
Discover Incidents, and Endpoint Incidents.
• To restrict viewing access to only certain incident types, select (highlight) the type of incident you
want to authorize this role to view. (Hold down the Ctrl key to make multiple selections.) If a role
does not allow a user to view part of an incident report, the option is replaced with "Not Authorized"
or the option is left blank.
Note: If you revoke an incident-viewing privilege for a role, the system deletes any saved reports for
that role that rely on the revoked privilege. For example, if you revoke (deselect) the privilege to view
network incidents, the system deletes any saved network incident reports associated with the role.

Actions: Select among the following Actions to customize the actions that a user can perform when an incident
occurs:
• Remediate Incidents
This privilege lets users change the status or severity of an incident. You can set a data owner, add
a comment to the incident history, set the Do Not Hide and Allow Hiding options, and execute
response rule actions. In addition, if you are using the Incident Reporting and Update API, select
this privilege to remediate the location and status attributes.
• Smart Response Rules to execute
You specify which Smart Response Rules can be executed on a per-role basis. Configured
Smart Response Rules are listed in the "Available" column on the left. To expose a Smart
Response Rule for execution by a user of this role, select it and click the arrow to add it to the
right-side column. Use the CTRL key to select multiple rules.
• Perform attribute lookup
Lets a user look up incident attributes from external sources and populate their values for incident
remediation.
• Delete incidents
Lets users delete an incident.
• Hide incidents
Lets a user hide an incident.
• Unhide incidents
Lets a user restore previously hidden incidents.
• Export Web archive
Lets a user export a report that the system compiles from a web archive of incidents.
• Export XML
Lets a user export a report of incidents in XML format.
• Email incident report as CSV attachment
Lets a user email as an attachment a report containing a comma-separated listing of incident
details.

Incident Reporting and Update API: Select user privileges to enable access for Web Services clients that use the Incident Reporting and
Update API:
• Incident Reporting
Enables Web Services clients to retrieve incident details.
• Incident Update
Enables Web Services clients to update the incident details.
Note: The Incident Reporting and Update APIs are deprecated. Use the REST-based Incident API
instead. You do not need to set privileges for using the REST Incident API.

Display Attributes Select among the following Display Attributes to customize what attributes appear in the Incidents
view for the policy violations that users of the role can view.
Shared attributes are common to all types of incidents:
• History
The incident history.
• Body
The body of the message.
• Attachments
The names of any attachments or files.
• Matches
The highlighted text of the message that violated the policy appears on the Matches tab of the
Incident Snapshot screen. You can set masking for matches according to roles. See Setting Up
Masking for Roles.
• Sender
The message sender.
• Recipients
The message recipients.
• Subject
The subject of the message.
• Original Message
Controls whether the original message that caused the policy violation incident is viewable.
Note: To view an attachment properly, both the "Attachments" and the "Original Message" options must
be checked.
Endpoint attributes are specific to Endpoint incidents:
• Username
The name of the Endpoint user.
• Machine name
The name of the computer where the Endpoint Agent is installed.
Discover attributes are specific to Discover incidents:
• File Owner
The name of the owner of the file being scanned.
• Location
The location of the file being scanned.

Custom Attributes The Custom Attributes list includes all the custom attributes configured by your system administrator,
if any.
• Select View All if you want users to be able to view all custom attribute values.
• Select Edit All if you want users to edit all custom attribute values.
• To restrict the users to certain custom attributes, clear the View All and Edit All check boxes,
then individually select the View or Edit check box for each custom attribute you want viewable or
editable.
Note: If you select Edit for any custom attribute, the View check box is automatically selected
(indicated by being grayed out). If you want the users in this role to be able to view all custom attribute
values, select View All.

Discover allows you to grant users in this role the following privileges:

Folder Risk Reporting This privilege lets users view Folder Risk Reports. For more information, see Using Data Insight .
Note: The Data Insight page in the Enforce Server administration console is now accessible to
all Network Discover customers without a license file.

Content Root Enumeration This privilege lets users configure and run Content Root Enumeration scans. For more information
about Content Root Enumeration scans,

4. In the Incident Access tab, configure any conditions (filters) on the types of incidents that users in this role can view.
NOTE
You must select the View option on the General tab for settings on the Incident Access tab to have any
effect.
• Click Add Condition.
• Select the type of condition and its parameters from left to right, as if writing a sentence. The first drop-down list in
a condition contains the alphabetized system-provided conditions that are associated with any custom attributes.
For example, select Policy Group from the first drop-down list, select Is Any Of from the second list, and then
select Default Policy Group from the final listbox. These settings would limit users to viewing only those incidents
that the default policy group detected.
5. In the Policy Management tab, select one of the following policy privileges for the role:
• Import Policies
This privilege lets users import policy files that have been exported from an Enforce Server.
To enable this privilege, the role must also have the Server Administration, Author Policies, Author Response
Rules, and All Policy Groups privileges.
• Author Policies
This privilege lets users add, edit, and delete policies within the policy groups that are selected.
Users can also modify system data identifiers, and create custom data identifiers.
It also lets users create and modify User Groups.
This privilege does not let users create or manage Data Profiles. This activity requires Enforce Server administrator
privileges.
• Discover Scan Control
Lets the users in this role create Discover targets, run scans, and view Discover Servers.
• Credential Management
Lets users create and modify the credentials that the system requires to access target systems and perform
Discover scans.
• Policy Groups

Select All Policy Groups only if users in this role need access to all existing policy groups and any that will be
created in the future.
Otherwise you can select individual policy groups or the Default Policy Group.
NOTE
These options do not grant the right to create, modify, or delete policy groups. Only the users whose role
includes the Server Administration privilege can work with policy groups.
• Author Response Rules
Enables users in this role to create, edit, and delete response rules.
NOTE
Users cannot edit or author response rules for policy remediation unless you select the Author
Response Rules option.
Preventing users from authoring response rules does not prevent them from executing response rules. For example, a
user with no response-rule authoring privileges can still execute smart response rules from an incident list or incident
snapshot.
6. In the Users & Groups tab, select one of the following items:
• Select Users and select any users to which to assign this role. If you have not yet configured any users, you can
assign users to roles after you create the users.
• Select User Groups and select a user group to which to assign this role.
7. Click Save to save your newly created role to the Enforce Server database.

Configuring user accounts


User accounts are the means by which users log on to the system and perform tasks. The role that the user account
belongs to limits what the user can do in the system.
To configure a user account:
1. In the Enforce Server Administration Console, select System > Login Management > DLP Users to create a new
user account or to reconfigure an existing user account. Or, click Profile to reconfigure the user account to which you
are currently logged on.
NOTE
You can add user accounts based on CN names using your company's Active Directory account.
Configuring user authentication and role assignment using Active Directory
2. Click Add DLP User to add a new user, or click the name of an existing user to modify that user's configuration.
3. Enter a name for a new user account in the Name field.
• The user account name must be between 8 and 30 characters long, is case-sensitive, and cannot contain
backslashes (\).
• If you use certificate authentication, the Name field value does not have to match the user's Common Name (CN).
However, you may choose to use the same value for both the Name and Common Name (CN) so that you can
easily locate the configuration for a specific CN. The Enforce Server administration console shows only the Name
field value in the list of configured users.
• If you use Active Directory authentication, the user account name must match the name of the Active Directory
user account. Note that all Symantec Data Loss Prevention user names are case-sensitive, even though Active
Directory user names are not. Active Directory users need to enter the case-sensitive account name when logging
on to the Enforce Server administration console.
Integrating Active Directory for user authentication

4. Configure the Authentication section of the Configure User page. Only options that are enabled are available on this
page.

Option Instructions

Use Single Sign On Mapping
If SAML authentication has been enabled, the user can sign on through the Single Sign On Mapping on the Configure
User page.

Use Password access
Select this option to use password authentication and allow the user to sign on from the Enforce Server
administration console logon page. This option is required if the user account will be used for a Reporting API
Web Service client.
If you select this option, also enter the user password in the Password and Re-enter Password fields. The
password must be at least eight characters long and is case-sensitive. For security purposes, the password is
obfuscated and each character appears as an asterisk.
If you configure advanced password settings, the user must specify a strong password. In addition, the password
may expire at a certain date and the user has to define a new one periodically.
Configuring password enforcement settings
You can choose password authentication even if you also use certificate authentication. If you use certificate
authentication, you can optionally disable sign on from the Enforce Server administration console logon page.
Disabling password authentication and forms-based logon
Symantec Data Loss Prevention authenticates all Reporting API clients using password authentication. If you
configure Symantec Data Loss Prevention to use certificate authentication, any user account that is used to
access the Reporting API Web Service must still have a valid password. See the Symantec Data Loss Prevention
Reporting API Developers Guide.
Note: If you configure Active Directory integration with the Enforce Server, users authenticate using their Active
Directory passwords. In this case the password field does not appear on the Users screen.
Integrating Active Directory for user authentication

Use Certificate authentication
Select this option to use certificate authentication and allow the user to single sign on automatically with a
certificate that is generated by a separate public key infrastructure (PKI). This option is available only if you
have manually configured support for certificate authentication.
About authenticating users
About certificate authentication configuration
If you select this option, you must specify the common name (CN) value for the user in the Common Name (CN)
field. The CN value appears in the Subject field of the user's certificate, which the PKI generates. Common
names generally use the format first_name last_name identification_number.
The Enforce Server uses the CN value to map the certificate to this user account. If an authenticated certificate
contains the specified CN value, all other attributes of this user account, such as the default role and reporting
preferences, are applied when the user logs on.
Note: You cannot specify the same Common Name (CN) value in multiple Enforce Server user accounts.

Account Disabled
Select this option to lock the user out of the Enforce Server administration console. This option disables access
for the user account regardless of which authentication mechanism you use.
For security, after a certain number of consecutive failed logon attempts, the system automatically disables the
account and locks out the user. In this case the Account Disabled option is checked. To reinstate the user
account and allow the user to log on to the system, clear this option.
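To make the CN-to-account mapping and the unique-CN rule concrete, the following is an added Python example; it is not Symantec Data Loss Prevention code, and the Enforce Server's own mapping implementation is not described on this page. It parses a client certificate subject given as an RFC 4514 string, extracts the CN, and resolves it against a constructed account table, refusing a table in which two accounts share a CN. The account table, the sample subjects, and the assumption that the CN comparison is exact and case-sensitive are all assumptions made for the example.

```python
"""Map a client certificate's subject CN to an Enforce Server user account.

Added example, not Symantec Data Loss Prevention code; the page documents the
behaviour (the CN in the certificate Subject selects the user account, and no
two accounts may carry the same CN) but not the Enforce Server's implementation.
The subject is taken as an RFC 4514 string, the account table is constructed
here, and the exact, case-sensitive CN comparison is an assumption.
"""
import re

HEX_RE = re.compile(r"[0-9A-Fa-f]{2}")


def parse_dn(dn):
    """Split an RFC 4514 DN string into (attribute, value) pairs.

    Handles backslash escapes (both \\, and \\2C yield a comma) and treats
    ',' and '+' as separators, so multi-valued RDNs still yield their CN.
    """
    pairs = []
    buf = bytearray()

    def flush():
        text = buf.decode("utf-8")
        buf.clear()
        if not text.strip():
            return
        attr, sep, val = text.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {text!r}")
        pairs.append((attr.strip().upper(), val.strip()))

    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and HEX_RE.fullmatch(hexpair):
                buf.append(int(hexpair, 16))            # \XX hex escape, one byte
                i += 3
            else:
                buf.extend(dn[i + 1].encode("utf-8"))   # \, \+ \" \\ and similar
                i += 2
            continue
        if ch in ",+":
            flush()
            i += 1
            continue
        buf.extend(ch.encode("utf-8"))
        i += 1
    flush()
    return pairs


def common_name(subject_dn):
    """Return the single CN of a subject, rejecting subjects with none or several."""
    cns = [value for attr, value in parse_dn(subject_dn) if attr == "CN"]
    if len(cns) != 1:
        raise ValueError(f"expected exactly one CN, found {len(cns)}")
    return cns[0]


def duplicate_cns(accounts):
    """CN values that appear on more than one account (the page forbids this)."""
    seen, dupes = set(), []
    for acct in accounts:
        cn = acct.get("cn")
        if cn and cn in seen and cn not in dupes:
            dupes.append(cn)
        if cn:
            seen.add(cn)
    return dupes


def build_cn_index(accounts):
    """Index accounts by CN, refusing a table that violates the unique-CN rule."""
    dupes = duplicate_cns(accounts)
    if dupes:
        raise ValueError(f"CN configured on more than one account: {dupes}")
    return {acct["cn"]: acct for acct in accounts if acct.get("cn")}


def resolve_user(subject_dn, index):
    """Account name for an already-validated certificate subject, or None."""
    acct = index.get(common_name(subject_dn))   # exact, case-sensitive match (assumption)
    if acct is None or acct.get("disabled"):
        return None
    return acct["name"]


# Constructed account table; names and CNs are invented for the example.
ACCOUNTS = [
    {"name": "kchatterjee", "cn": "Kavita Chatterjee 100234", "disabled": False},
    {"name": "auditor01", "cn": "Smith, John 100777", "disabled": False},
    {"name": "formeruser", "cn": "Former User 100001", "disabled": True},
]

if __name__ == "__main__":
    index = build_cn_index(ACCOUNTS)
    for subject in [
        "CN=Kavita Chatterjee 100234,OU=Security,O=Example Corp,C=US",
        "CN=Smith\\, John 100777,OU=Audit,O=Example Corp,C=US",
        "CN=Former User 100001,O=Example Corp",
        "CN=Nobody 1,O=Example Corp",
    ]:
        print(subject, "->", resolve_user(subject, index))
```

The certificate must already have been validated against the Tomcat trust store (and, where configured, checked for revocation) before its CN is trusted for this lookup; the example only covers the mapping step, and it returns None for a disabled account so that Account Disabled blocks certificate logon as well as password logon.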

5. Optionally enter an Email Address and select a Language for the user in the General section of the page. The
Language selection depends on the language pack(s) you have installed.
6. In the Report Preferences section of the Users screen you specify the preferences for how this user is to receive
incident reports, including Text File Encoding and CSV Delimiter.
If the role grants the privilege for XML Export, you can select to include incident violations and incident history in the
XML export.

7. In the Roles section, select the roles that are available to this user to assign data and incident access privileges.
You must assign the user at least one role to access the Enforce Server administration console.
Configuring roles
8. Select the Default Role to assign to this user at log on.
The default role is applied if no specific role is requested when the user logs on.
For example, the Enforce Server administration console uses the default role if the user uses single sign-on with
certificate authentication or uses the logon page.
NOTE
Individual users can change their default role by clicking Profile and selecting a different option from the
Default Role menu. The new default role is applied at the next logon.
About authenticating users
9. Click Save to save the user configuration.
NOTE
Once you have saved a new user, you cannot edit the user name.
10. Manage users and roles as necessary.
Manage and add roles
Manage and add users

Configuring user authentication and role assignment using Active Directory


Symantec Data Loss Prevention provides user authentication and role assignment based on Microsoft Active Directory
(AD) groups. You use this feature to designate users to access the Enforce Server administration console. You can add
users based on AD common names (CN) and can assign these users (or groups of users) to a particular role.
NOTE
You can assign CNs related to security groups and distribution lists. However, the Enforce Server does not add
organizational units or individual users.
Steps to use AD to provide user access to the Enforce Server administration console
A role that uses AD is called an AD-managed role. An AD-managed role is based on a User Group that you populate with
users synchronized from your AD directory server. You can convert a manually managed role to an AD-managed role.
Upgrading manually managed roles to AD-managed roles

Steps to use AD to provide user access to the Enforce Server administration console
The following table lists the process to use AD to provide user access to the Enforce Server.

Table 261: Steps to use AD to provide user access to the Enforce Server administration console

Step Action
1 Create a directory connection from AD to the Enforce Server.
Create a directory connection from AD to the Enforce Server
2 Create a User Group that connects to the AD server.
Create a User Group that connects to the AD server and defines the common names
3 Create an AD-managed role.
Create an AD-managed role
4 Import the AD users using a sync job.
Import the AD users using a sync job
5 Review the users that were imported.

Create a directory connection from AD to the Enforce Server

Configuring directory server connections


1. Go to System > Settings > Directory Connections.
2. Click Add Connection.
3. Enter a Name for the directory server connection.
The Connection Name is the user-defined name for the connection. It appears at the Directory Connections home
page once the connection is configured.
4. Specify information for the directory server connection in the Network Parameters area.
Directory connection network parameters
5. Select Connect with Credentials and enter the AD credentials.
Directory connection authentication parameters
6. Save your changes.
Create a User Group that connects to the AD server and defines the common names

1. Go to Manage > User Groups.
2. Click Create New Group.
3. Select the usage type. Select an option to designate access:
• Select Policies to only allow the User Group to access policies.
• Select Roles to only allow the User Group to access roles.
4. Enter information for the group in the Group Name and Description fields.
5. Select the AD server in the Directory Server list.
6. Select common names (CN) to be imported into the Enforce Server in Directory field.
You can add an entire CN group.

7. Save your changes.
Create an AD-managed role

1. Go to System > Login Management > Roles.
2. Click Add Role.
3. Enter a name for the role in the Name field.
4. Assign permissions under the User Privileges area.
5. Click the Users & Groups tab.
6. Select User Groups, and select the User Group you created in Create a User Group that connects to the AD server
and defines the common names.
7. Click Save.
The role displays on the Roles page.

Configuring roles
Import the AD users using a sync job

To import the AD users using a sync job
1. Go to System > Users > Data Sources to display the Data Source Management screen.
2. Click Add, AD Login Source to display the Add AD Login User Source dialog.
Adding an AD login source
3. Enter a name for the sync job in the Name field and click Submit.
4. Select the sync job and click Import. The Status column displays Done when the import completes.
Click Done to display the Import detail dialog. The dialog lists details about the import, including when the import
completed and how many records were added.

Create an AD-managed role
Adding an AD login source

After you create an AD-managed role, you import the AD users using a sync job. When you create the sync job, you name
the job and include a custom filter on the Add AD Login User Source dialog.

Related Links
Create an AD-managed role
Configuring user authentication and role assignment using Active Directory

Review the users that were imported


To review the users that were imported

1. Go to the System > Login Management > DLP Users screen and review the users.
2. Click a user name to go to the Roles area to confirm that the correct role is applied.
NOTE
The AD role (under the Roles area) cannot be changed, but you can apply other roles that you create.

Upgrading manually managed roles to AD-managed roles


You can convert manually managed roles to AD-managed roles. To convert a manually managed role, you associate the role
with a user group that connects to an AD server.
Configuring user authentication and role assignment using Active Directory
1. Go to Manage > User Groups and select a user group that connects to the AD server and defines the common
names.
Steps to use AD to provide user access to the Enforce Server administration console
2. Go to System > Login Management > Roles and select the manually managed role to convert.
3. Associate the user group with the role.

Configuring password enforcement settings


At the System > Settings > General screen you can require users to use strong passwords. Strong passwords must
contain at least eight characters, at least one number, and at least one uppercase letter, and cannot have more than
two repeated characters in a row. If you enable strong passwords, the effect is system-wide: existing users without a
strong password must update their profiles at next logon.
You can also require users to change their passwords at regular intervals. In this case at the end of the interval you
specify, the system forces users to create a new password.
If you use Active Directory authentication, these password settings only apply to the Administrator password. All other
user account passwords are derived from Active Directory.
Integrating Active Directory for user authentication
To configure advanced authentication settings
1. Go to System > Settings > General and click Configure.
2. To require strong passwords, locate the DLP User Authentication section and select Require Strong Passwords.
Symantec Data Loss Prevention prompts existing users who do not have strong passwords to create one at next
logon.
3. To set the period for which passwords remain valid, type a number (representing the number of days) in the Password
Rotation Period field.
To let passwords remain valid forever, type 0 (the character for zero).
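The user-name rules from Configuring user accounts and the strong-password and rotation rules above are easy to get wrong when accounts are prepared in bulk, so here is an added Python pre-check; it is an example written for this page, not Symantec Data Loss Prevention code, and the Enforce Server performs its own enforcement independently of it. The rules are the ones stated on the page; the case-collision check reflects the page's warning that Enforce user names are case-sensitive while Active Directory names are not. The sample names and passwords are constructed.

```python
"""Pre-check Enforce Server account names and passwords against the rules on this page.

Added example, not Symantec Data Loss Prevention code. Rules taken from the page:
user names are 8 to 30 characters, case-sensitive and may not contain a backslash;
strong passwords have at least eight characters, at least one digit, at least one
uppercase letter and never more than two identical characters in a row; a Password
Rotation Period of 0 means passwords never expire. All sample inputs are constructed.
"""
import re
from collections import defaultdict

USERNAME_MIN, USERNAME_MAX = 8, 30
PASSWORD_MIN = 8


def username_problems(name):
    """Return the rule violations for a proposed Enforce user name."""
    problems = []
    if not USERNAME_MIN <= len(name) <= USERNAME_MAX:
        problems.append(f"length must be {USERNAME_MIN}-{USERNAME_MAX} characters")
    if "\\" in name:
        problems.append("backslash not allowed")
    return problems


def strong_password_problems(password):
    """Return the strong-password rule violations for a proposed password."""
    problems = []
    if len(password) < PASSWORD_MIN:
        problems.append(f"shorter than {PASSWORD_MIN} characters")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if re.search(r"(.)\1\1", password):   # three identical characters in a row
        problems.append("more than two repeated characters in a row")
    return problems


def ad_case_collisions(names):
    """Group Enforce user names that differ only by case.

    Under Active Directory authentication such names all correspond to the same
    AD account, so only one of them can be the name users are expected to type.
    """
    groups = defaultdict(list)
    for name in names:
        groups[name.casefold()].append(name)
    return [members for members in groups.values() if len(members) > 1]


def rotation_expired(days_since_change, rotation_period_days):
    """True when the password must be changed under the configured rotation period."""
    if rotation_period_days == 0:        # 0 disables expiry, per the page
        return False
    return days_since_change >= rotation_period_days


if __name__ == "__main__":
    # constructed sample accounts and passwords
    for name in ["jdoe", "corp\\jdoe2024", "kchatterjee"]:
        print(name, username_problems(name) or "ok")
    for pw in ["Passw0rd", "passsword1", "Aa1"]:
        print(pw, strong_password_problems(pw) or "ok")
    print(ad_case_collisions(["jsmith01", "JSmith01", "kchatterjee"]))
    print(rotation_expired(90, 60), rotation_expired(90, 0))
```

Run this against a planned account list before enabling Require Strong Passwords or switching to Active Directory authentication; a collision reported by ad_case_collisions means that after the switch all but one of those Enforce accounts will be unreachable under the name users expect to type.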

Resetting the Administrator Password


Symantec Data Loss Prevention provides the AdminPasswordReset utility to reset the Administrator's password. There
is no method to recover a lost password, but you can use this utility to assign a new password. You can also use this
utility if certificate authentication mechanisms are disabled and you have not yet defined a password for the Administrator
account.
To use the AdminPasswordReset utility, you must specify the password to the Enforce Server database. Use the
following procedure to reset the password.

To reset the Administrator password for forms-based logon
1. Log on to the Enforce Server computer using the account that you created during Symantec Data Loss Prevention
installation.
NOTE
Do not change permissions or ownership on any configuration file from another root or Administrator
account.
2. Change directory to /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/bin (Linux) or
c:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\bin (Windows). If you installed
Symantec Data Loss Prevention into a different directory, substitute the correct path.
3. Execute the AdminPasswordReset utility using the following syntax:
AdminPasswordReset -dbpass oracle_password -newpass new_administrator_password
Replace oracle_password with the password to the Enforce Server database, and replace
new_administrator_password with the password you want to set. Both passwords are passed in clear text on the
command line, so they are visible to other users of the host in the process list while the utility runs and are
recorded in the shell or command history; run the utility from an administrative session only and clear the history
afterward.

Manage and add roles


The System > Login Management > Roles screen displays an alphabetical list of the roles that are defined for your
organization.
Roles listed on this screen display the following information:
• Name – The name of the role
• Description – A brief description of the role
Assuming that you have the appropriate privileges, you can view, add, modify, or delete roles as follows:
• Add a new role, or modify an existing one.
Click Add Role to begin adding a new role to the system.
Click anywhere in a row or the pencil icon (far right) to modify that role
Configuring roles
• Click the red X icon (far right) to delete the role; a dialog box confirms the deletion.
Before editing or deleting roles, note the following guidelines:
• If you change the privileges for a role, users in that role who are currently logged on to the system are not affected.
For example, if you remove the Edit privilege for a role, users currently logged on retain permission to edit custom
attributes for that session. However, the next time users log on, the changes to that role take effect, and those users
can no longer edit custom attributes.
• If you revoke an incident-viewing privilege for a role, the Enforce Server automatically deletes any saved reports that
rely on the revoked privilege. For example, if you revoke the privilege to view network incidents, the system deletes
any saved network incident reports associated with the newly restricted role.
• Before you can delete a role, you must make sure there are no users associated with the role.
• When you delete a role, you delete all shared saved reports that a user in that role saved.
Manage and add users

Manage and add users


The System > Login Management > DLP Users screen lists all the active user accounts in the system.
For each user account, the following information is listed:

• User Name – The name the user enters to log on to the Enforce Server
• Email – The email address of the user
• Access – The role(s) in which the user is a member
Assuming that you have the appropriate privileges, you can add, edit, or delete user accounts as follows:
• Add a new user account, or modify an existing one.
Click Add to begin adding a new user to the system.
Click anywhere in a row or the pencil icon (far right) to view and edit that user account.
Configuring user accounts
• Click the red X icon (far right) to delete the user account; a dialog box confirms the deletion.
NOTE
The Administrator account is created on install and cannot be removed from the system.
NOTE
When you delete a user account, you also delete all private saved reports that are associated with that user.
Manage and add roles

Integrating Active Directory for user authentication


You can configure the Enforce Server to use Microsoft Active Directory for user authentication.
After you switch to Active Directory authentication, you must still define users in the Enforce Server administration
console. If the user names you enter in the administration console match Active Directory users, the system
authenticates those accounts with their Active Directory passwords. You can switch to Active Directory authentication
after you have already created user accounts in the system; only those existing user names that match Active Directory
user names remain valid after the switch.
Users must use their Active Directory passwords when they log on. All Symantec Data Loss Prevention user names
remain case-sensitive, even though Active Directory user names are not, so users still have to enter the
case-sensitive Symantec Data Loss Prevention user name when they log on.
To use Active Directory authentication
1. Verify that the Enforce Server host is time-synchronized with the Active Directory server.
NOTE
Ensure that the clock on the Active Directory host is synchronized to within five minutes of the clock on the
Enforce Server host. Five minutes is the default Kerberos clock-skew tolerance; tickets outside it are rejected.
2. (Linux only) Make sure that the following Red Hat RPMs are installed on the Enforce Server host:
• krb5-workstation
• krb5-libs
• pam_krb5
3. Create the krb5.ini (or krb5.conf for Linux) configuration file that gives the Enforce Server information about your
Active Directory domain structure and Active Directory server addresses.
Creating the Configuration File for Active Directory Integration
4. Confirm that the Enforce Server can communicate with the Active Directory server.
Verifying the Active Directory connection

5. Configure Symantec Data Loss Prevention to use Active Directory authentication.
Configuring the Enforce Server for Active Directory authentication

Creating the Configuration File for Active Directory Integration


You must create a krb5.ini configuration file (krb5.conf on Linux) to give Symantec Data Loss Prevention
information about your Active Directory domain structure and server locations. This step is required if you have more
than one Active Directory domain, and it is recommended even if your Active Directory structure includes only one
domain, because the kinit utility uses this file to confirm that Symantec Data Loss Prevention can communicate with
the Active Directory server.
NOTE
On Linux, the kinit utility requires the file to be named krb5.conf. If you are running Symantec Data Loss
Prevention on Linux, rename the krb5.ini file to krb5.conf before you verify the Active Directory connection
with kinit.
Symantec Data Loss Prevention provides a sample krb5.ini file that you can modify for use with your own system.
The sample file is stored in Protect\config (for example,
\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config on Windows or
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config on Linux). If you are running
Symantec Data Loss Prevention on Linux, Symantec recommends renaming the file to krb5.conf. The sample file, which
is divided into two sections, looks like this:
[libdefaults]
default_realm = TEST.LAB
[realms]
ENG.COMPANY.COM = {
kdc = engAD.eng.company.com
}
MARK.COMPANY.COM = {
kdc = markAD.eng.company.com
}
QA.COMPANY.COM = {
kdc = qaAD.eng.company.com
}

The [libdefaults] section identifies the default domain. (Kerberos realms correspond to Active Directory
domains.) The [realms] section defines an Active Directory server, the KDC, for each domain. In the previous example,
the Active Directory server for ENG.COMPANY.COM is engAD.eng.company.com. Note that the sample's default_realm,
TEST.LAB, has no matching block under [realms]; when you edit the file, make sure the realm you name in
default_realm is also defined there with its kdc entry.
To create the krb5.ini or krb5.conf file
1. Locate the sample krb5.ini file in Protect\config. For example, locate the file in
\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config (on Windows) or
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config (on Linux).
2. Copy the sample krb5.ini file to the c:\windows directory (on Windows) or the /etc directory (on Linux). On
Linux, rename the file to krb5.conf, because the kinit command-line tool you use to verify the Active Directory
connection requires that name.
Verifying the Active Directory connection

3. Open the krb5.ini or krb5.conf file in a text editor.
4. Replace the sample default_realm value with the fully qualified name of your default domain. (The value for
default_realm must be all capital letters.) For example, modify the value to look like the following:
default_realm = MYDOMAIN.LAB

5. Replace the other sample domain names with the names of your actual domains. (Domain names must be all capital
letters.) For example, replace ENG.COMPANY.COM with ADOMAIN.COMPANY.COM.
6. Replace the sample kdc values with the host names or IP addresses of your Active Directory servers. (Be sure to
follow the specified format, in which opening brackets are followed immediately by line breaks.) For example, replace
engAD.eng.company.com with ADserver.eng.company.com, and so on.

7. Remove any unused kdc entries from the configuration file. For example, if you have only two domains besides the
default domain, delete the unused kdc entry.
8. Save the file.
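The editing rules above (uppercase realm names, a kdc entry per realm, the opening brace followed immediately by a line break) are easy to check mechanically before you copy the file into place. The following is an added Python example written for this page, not a Symantec Data Loss Prevention utility; it renders a file in the layout shown above and validates one. The check that default_realm is itself defined under [realms] is the editor's recommendation rather than a rule the page states, and the host names in the rendered example are assumed.

```python
"""Build and check a krb5.ini/krb5.conf in the layout the page describes.

Added example, not part of Symantec Data Loss Prevention. Rules checked, from
the page: realm names are all uppercase, every realm block has a kdc entry, and
the opening brace is followed immediately by a line break. The extra check that
default_realm is defined under [realms] is an editor's recommendation.
PAGE_SAMPLE is the page's own sample file, trimmed to one realm.
"""
import re

REALM_RE = re.compile(r"^[A-Z0-9][A-Z0-9.-]*$")

# The page's sample: note that default_realm TEST.LAB has no [realms] block.
PAGE_SAMPLE = """[libdefaults]
default_realm = TEST.LAB
[realms]
ENG.COMPANY.COM = {
kdc = engAD.eng.company.com
}
"""


def render_krb5(default_realm, realms):
    """Render file text from a mapping realm -> list of KDC host names."""
    lines = ["[libdefaults]", f"default_realm = {default_realm}", "", "[realms]"]
    for realm, kdcs in realms.items():
        lines.append(f"{realm} = {{")        # brace, then a line break, as the page requires
        lines.extend(f"  kdc = {kdc}" for kdc in kdcs)
        lines.append("}")
    return "\n".join(lines) + "\n"


def parse_krb5(text):
    """Minimal parser for the [libdefaults] and [realms] sections in brace style."""
    section, current = None, None
    defaults, realms = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding blanks
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults":
            key, _, val = line.partition("=")
            defaults[key.strip()] = val.strip()
        elif section == "realms":
            if current is None:
                block = re.match(r"^(\S+)\s*=\s*\{$", line)
                if not block:
                    raise ValueError(f"expected 'REALM = {{' but found {raw!r}")
                current = block.group(1)
                realms[current] = []
            elif line == "}":
                current = None
            else:
                key, _, val = line.partition("=")
                if key.strip() == "kdc":
                    realms[current].append(val.strip())
    return defaults, realms


def validate_krb5(text):
    """Return a list of problems; an empty list means the file follows the rules."""
    problems = []
    defaults, realms = parse_krb5(text)
    default_realm = defaults.get("default_realm")
    if not default_realm:
        problems.append("missing default_realm")
    elif not REALM_RE.match(default_realm):
        problems.append(f"default_realm not uppercase: {default_realm}")
    elif default_realm not in realms:
        problems.append(f"default_realm {default_realm} has no [realms] entry")
    for realm, kdcs in realms.items():
        if not REALM_RE.match(realm):
            problems.append(f"realm not uppercase: {realm}")
        if not kdcs:
            problems.append(f"realm {realm} has no kdc entry")
    return problems


if __name__ == "__main__":
    print(validate_krb5(PAGE_SAMPLE))
    fixed = render_krb5("MYDOMAIN.LAB", {
        "MYDOMAIN.LAB": ["ad1.mydomain.lab"],                 # assumed host names
        "ADOMAIN.COMPANY.COM": ["ADserver.eng.company.com"],
    })
    print(fixed, validate_krb5(fixed))
```

Run validate_krb5 on the edited file before copying it to c:\windows or /etc; the parser deliberately rejects a realm header whose brace is not on the same line as the realm name, which is the formatting mistake step 6 warns about.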

Verifying the Active Directory connection


kinit is a command-line tool you can use to confirm that the Active Directory server responds to requests and
that the Enforce Server has access to it. For Microsoft Windows installations, the Symantec Data Loss Prevention
installer provides the utility in the C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000
\Protect\jre\bin directory. For Linux installations, the utility is part of the krb5-workstation package of the
Red Hat Enterprise Linux distribution (/usr/kerberos/bin/kinit on older releases, /usr/bin/kinit on current ones).
You can also use the kinit tool that ships in the bin directory of a Java SE JDK.
If you run the Enforce Server on Linux, use the kinit utility to test access from the Enforce Server to the Active
Directory server. Rename the krb5.ini file as krb5.conf first, because the kinit utility requires that name on Linux.
To test the connection to the Active Directory server
1. On the Enforce Server host, go to the command line and navigate to the directory where kinit is located.
2. Issue a kinit command using a known user name and password as parameters. Note that the password is visible in
clear text when you type it on the command line and is recorded in the shell or command history; use a test account
and clear the history afterward. The JDK kinit on Windows accepts the password as the second argument, for example:
kinit kchatterjee mypwd10#
MIT Kerberos kinit on Linux does not take the password on the command line; run kinit kchatterjee (or
kinit kchatterjee@MYDOMAIN.LAB to name the realm explicitly) and enter the password at the prompt.

The first time you contact Active Directory you may receive an error that it cannot find the krb5.ini or krb5.conf
file in the expected location. On Windows, the error looks similar to the following:
krb_error 0 Could not load configuration file c:\winnt\krb5.ini
(The system cannot find the file specified) No error.

In this case, copy the krb5.ini or krb5.conf file to the expected location and then rerun the kinit command that
is previously shown.
3. Depending on how the Active Directory server responds to the command, take one of the following actions:
• If the Active Directory server indicates it has successfully created a Kerberos ticket, continue configuring Symantec
Data Loss Prevention.
• If you receive an error message, consult with your Active Directory administrator.

Configuring the Enforce Server for Active Directory authentication


Perform the procedure in this section when you first set up Active Directory authentication, and any time you want to
modify existing Active Directory settings. Make sure that you have completed the prerequisite steps before you enable
Active Directory authentication.

Integrating Active Directory for user authentication
To configure the Enforce Server to use Active Directory for authentication:
1. Make sure all users other than the Administrator are logged out of the system.
2. In the Enforce Server administration console, go to System > Settings > General and click Configure (at top left).
3. At the Edit General Settings screen that appears, locate the Active Directory Authentication section near the bottom
and select (check) Perform Active Directory Authentication.
The system then displays several fields to fill out.
4.
Creating the configuration file for Active Directory integration
5. If your environment has more than one Active Directory domain, click Configure and enter the domain names
(separated by commas) in the Active Directory Domain List field.
The system displays Active Directory domains in a drop-down list on the user logon page. Users then select the
appropriate domain at logon. Do not list the default domain, as it already appears in the drop-down list by default.
6. Click Save.
7. Go to the operating system services tool and restart the Symantec Data Loss Prevention Manager service.

About certificate authentication configuration


Certificate authentication enables a user to automatically log on to the Enforce Server administration console. The user
logs on using a client certificate that your public key infrastructure (PKI) generates. When a user accesses the Enforce
Server administration console, the PKI automatically delivers the user's certificate to the Tomcat container that hosts the
administration console. The Tomcat container validates the client certificate using the certificate authorities that you have
configured in the Tomcat trust store.
The client certificate is delivered to the Enforce Server computer when a client's browser performs the SSL handshake
with the Enforce Server. For example, some browsers might be configured to operate with a smart card reader to present
the certificate. Alternately, you can upload the X.509 certificate to a browser and configure the browser to send the
certificate to the Enforce Server.
If the certificate is valid, the Enforce Server administration console may also determine if the certificate was revoked.
About certificate revocation checks
If the certificate is valid, then the Enforce Server uses the common name (CN) in the certificate to determine if that CN is
mapped to an active user account with a role.
NOTE
Some browsers cache a user's client certificate, and automatically log the user on to the Administration Console
after the user has chosen to sign out. In this case, users must close the browser window to complete the log out
process.
The following table describes the steps necessary to use certificate authentication with Symantec Data Loss Prevention.

Table 262: Steps to configure certificate authentication

Phase 1
Action: Enable certificate authentication on the Enforce Server computer.
Description: You can configure an existing Enforce Server to enable authentication. Enforce Servers have form-based authentication by default.
Configuring certificate authentication for the Enforce Server administration console

Phase 2
Action: Add certificate authority (CA) certificates to establish the trust chain.
Description: You can add CA certificates to the Tomcat trust store with the Java keytool utility to manually add certificates to an existing Enforce Server.
Adding certificate authority (CA) certificates to the Tomcat trust store

Phase 3
Action: (Optional) Change the Tomcat trust store password.
Description: The Symantec Data Loss Prevention installer configures each new Enforce Server installation with a default Tomcat trust store password. Follow these instructions to configure a secure password.
Changing the Tomcat trust store password

Phase 4
Action: Map certificate common name (CN) values to Enforce Server user accounts.
Description: Mapping Common Name (CN) values to Symantec Data Loss Prevention user accounts

Phase 5
Action: Configure the Enforce Server to check for certificate revocation.
Description: About certificate revocation checks

Phase 6
Action: Verify Enforce Server access using certificate-based single sign-on.
Description: Troubleshooting certificate authentication

Phase 7
Action: (Optional) Disable forms-based logon.
Description: If you want to use certificate-based single sign-on for all access to the Enforce Server, disable forms-based logon.
Disabling password authentication and forms-based logon

Configuring Certificate Authentication for the Enforce Server Administration Console


Form-based authentication is available by default on the Enforce Server. You must add certificate authentication manually.
Follow this procedure to manually enable form and certificate authentication on a Symantec Data Loss Prevention
installation.
To enable form and certificate authentication for users of the Enforce Server administration console
1. Log on to the Enforce Server computer using the account that you created during Symantec Data Loss Prevention
installation.
NOTE
Do not change permissions or ownership on any configuration file from another root or Administrator
account.
2. Copy the corresponding springSecurityContext.xml file into the Tomcat WEB-INF directory.
3. Edit C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat\conf\server.xml (Windows) or /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/tomcat/conf/server.xml (Linux) and change the certificateVerification value from none to optional. Change the revocationEnabled value from true to false. Save the file.

4. Restart the Enforce Server. This change to the server.xml file that you edited in the previous step enables the Use
Certificate authentication check box in the Enforce Server administration console user interface.
5. Log on to the Enforce Server administration console and go to System > Login Management > DLP Users.
6. Check Use Certificate authentication and indicate the corresponding CN mapping.
7. Add the CA certificates to the Tomcat trust store using the Java keytool utility.
Adding certificate authority (CA) certificates to the Tomcat trust store
Ensure that you have installed all necessary certificates and that users can log on with certificate authentication.
Now the end user has both form-based authentication and certificate authentication.
About certificate revocation checks
Follow this procedure to enable certificate authentication on Symantec Data Loss Prevention.
To enable certificate authentication for users of the Enforce Server administration console
1. Log on to the Enforce Server computer using the account that you created during Symantec Data Loss Prevention installation.
NOTE
Do not change permissions or ownership on any configuration file from another root or Administrator account.
2. Copy the corresponding springSecurityContext.xml file into the Tomcat WEB-INF directory.
3. Edit C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat\conf\server.xml (Windows) or /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/tomcat/conf/server.xml (Linux) and change the certificateVerification value from false to optional. Save the file.
4. Restart the Enforce Server. This change to the server.xml file that you edited in the previous step enables the Use Certificate authentication check box in the Enforce Server administration console user interface.
5. Log on to the Enforce Server administration console and go to System > Login Management > DLP Users.
6. Check Use Certificate authentication and indicate the corresponding Common Name (CN) mapping.
7. Add the CA certificates to the Tomcat trust store using the Java keytool utility.
Adding certificate authority (CA) certificates to the Tomcat trust store
Ensure that you have installed all necessary certificates and that users can log on with certificate authentication.
8. For certificate authentication only, copy the springSecurityContext-Certificate.xml file from C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat\webapps\ProtectManager\security\template (Windows) or opt/Symantec/DataLossPrevention/EnforceServer//Protect/tomcat/webapps/ProtectManager/WEB-INF (Linux) and rename it to springSecurityContext.xml.
9. Edit the C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat\conf\server.xml (Windows) or /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/tomcat/conf/server.xml (Linux) file and change the certificateVerification value from optional to required.
10. Restart the Enforce Server.
Now the user has certificate authentication only.


Adding certificate authority (CA) certificates to the Tomcat trust store


To use certificate authentication with Symantec Data Loss Prevention, you must add all of the CA certificates that are
required to authenticate users in your system to the Tomcat trust store. For Symantec Data Loss Prevention 15.0 and
later, CA certificates can only be imported to the Enforce Server using the Java keytool utility. Each X.509 certificate must
be provided in Distinguished Encoding Rules (DER) format in a .cer file. If multiple CAs are required to establish the
certificate chain, then you must add multiple .cer files.
To add certificate CA certificates to the Tomcat trust store
1. Log on to the Enforce Server computer using the account that you created during Symantec Data Loss Prevention
installation.
NOTE
Do not change permissions or ownership on any configuration file from another root or Administrator
account.
2. Change directory to the /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/tomcat/conf (Linux) or c:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat\conf (Windows) directory. If you installed Symantec Data Loss Prevention to a different directory, substitute the correct path.
3. Copy all certificate files (.cer files) that you want to import to the conf directory on the Enforce Server computer.
4. Use the keytool utility that is installed with Symantec Data Loss Prevention to add a certificate to the Tomcat trust store. For Windows systems, enter:
c:\Program Files\Symantec\DataLossPrevention\EnforceServer\jre\bin\keytool -import -trustcacerts -alias CA_CERT_1 -file certificate_1.cer -keystore .\truststore.jks
For Linux systems, enter:
/opt/Symantec/DataLossPrevention/jre/bin/keytool -import -trustcacerts -alias CA_CERT_1 -file certificate_1.cer -keystore ./truststore.jks
In these commands, replace CA_CERT_1 with a unique alias for the certificate that you import. Replace certificate_1.cer with the name of the certificate file you copied to the Enforce Server computer.
5. Enter the password to the keystore at the keytool utility prompt. The default keystore password is protect.
6. Repeat these steps to install all the certificate files that are necessary to complete the certificate chain.
7. Stop and then restart the Symantec DLP Manager service to apply your changes.
8. If you have not yet changed the default Tomcat keystore password, do so now.
Changing the Tomcat trust store password
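A certificate chain usually means several .cer files, each needing its own alias, and the procedure above is repeated once per file. The following Python script is an added example, not part of Symantec Data Loss Prevention: it builds and runs the keytool import from step 4 for every .cer file in the conf directory, checks that each file is DER-encoded (the first byte of a DER certificate is the ASN.1 SEQUENCE tag 0x30; PEM files begin with "-----BEGIN") before calling keytool, derives a unique alias from the file name, and feeds the store password to keytool on stdin so it does not appear on the command line. The keytool path, the alias scheme, the use of the -noprompt flag, and the sample files the script creates for itself are assumptions.

```python
"""Batch-import DER CA certificates into the Tomcat trust store with keytool.

Added example, not part of Symantec Data Loss Prevention. It wraps the single
keytool command from the procedure above so that every .cer file in the conf
directory is imported with its own alias. Assumptions: the keytool path, the
alias scheme (file name without extension), and the constructed sample files.
"""
import subprocess
import tempfile
from pathlib import Path
from typing import List, Tuple


def is_der_certificate(path: Path) -> bool:
    """A DER X.509 certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    The procedure calls for DER .cer files, so anything else is reported rather
    than imported (a PEM file starts with '-----BEGIN')."""
    with path.open("rb") as fh:
        return fh.read(1) == b"\x30"


def alias_for(cer: Path) -> str:
    """Derive a keystore alias from the file name: 'Root CA.cer' -> 'root_ca' (assumed scheme)."""
    return cer.stem.strip().lower().replace(" ", "_")


def build_import_commands(conf_dir: Path, keytool: str,
                          truststore: str = "truststore.jks") -> Tuple[List[List[str]], List[str]]:
    """Return (one keytool argv per DER .cer file, names of files skipped because they are not DER)."""
    commands: List[List[str]] = []
    skipped: List[str] = []
    for cer in sorted(conf_dir.glob("*.cer")):
        if not is_der_certificate(cer):
            skipped.append(cer.name)
            continue
        # -noprompt (a real keytool flag) skips the interactive "Trust this certificate?" question.
        commands.append([keytool, "-import", "-trustcacerts", "-noprompt",
                         "-alias", alias_for(cer), "-file", cer.name,
                         "-keystore", truststore])
    return commands, skipped


def import_certificates(conf_dir: Path, keytool: str, storepass: str) -> List[Tuple[str, int]]:
    """Run each import from inside conf_dir; returns (alias, keytool exit code) pairs.
    The store password is written to keytool's stdin instead of being passed as
    -storepass, so it does not show up in the process list or shell history."""
    results: List[Tuple[str, int]] = []
    commands, skipped = build_import_commands(conf_dir, keytool)
    for name in skipped:
        print(f"skipping {name}: not DER-encoded")
    for argv in commands:
        proc = subprocess.run(argv, cwd=conf_dir, input=storepass + "\n",
                              capture_output=True, text=True)
        results.append((argv[argv.index("-alias") + 1], proc.returncode))
    return results


def make_sample_conf_dir() -> Path:
    """Constructed sample: one DER-looking file and one PEM file (neither is a real certificate)."""
    d = Path(tempfile.mkdtemp(prefix="dlp-conf-"))
    (d / "Root CA.cer").write_bytes(b"\x30\x82\x04\x00" + b"\x00" * 16)
    (d / "issuing-ca.cer").write_bytes(b"-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n")
    return d


if __name__ == "__main__":
    sample = make_sample_conf_dir()
    cmds, bad = build_import_commands(sample, "/opt/Symantec/DataLossPrevention/jre/bin/keytool")
    for argv in cmds:
        print(" ".join(argv))
    print("not DER:", bad)
```

Run it from the conf directory with the real keytool path and the current store password; a non-zero exit code for an alias usually means that alias already exists in truststore.jks, which is the same collision the page warns about when it asks for a unique alias per certificate.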

Changing the Tomcat Trust Store Password

When you install Symantec Data Loss Prevention, the Tomcat trust store uses protect as the default password. Follow
this procedure to assign a secure password to the Tomcat trust store when you use certificate authentication.
1. Log on to the Enforce Server computer using the account that you created during Symantec Data Loss Prevention
installation.
NOTE
Do not change permissions or ownership on any configuration file from another root or Administrator
account.
2. Change directory to the /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/jre/bin/ (Linux) or c:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\ (Windows) directory. If you installed Symantec Data Loss Prevention to a different directory, substitute the correct path.
3. Use the keytool utility that is installed with Symantec Data Loss Prevention to change the Tomcat truststore password. For Windows systems, enter:
c:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_162\bin\keytool -storepasswd -new new_password -keystore ./truststore.jks
For Linux systems, enter:
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/jre/bin/keytool -storepasswd -new new_password -keystore ./truststore.jks
Replace new_password with a secure password.
4. Enter the current password to the keystore when the keytool utility prompts you to do so. The default password is
protect.

5. Change directory to the /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/tomcat/conf (Linux) or c:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat\conf (Windows) directory. If you installed Symantec Data Loss Prevention into a different directory, substitute the correct path.
6. Open the server.xml file with a text editor.
7. In the following line in the file, edit the truststorePass="protect" entry to specify your new password:
<Connector URIEncoding="UTF-8" acceptCount="100" clientAuth="want"
debug="0" disableUploadTimeout="true" enableLookups="false"
keystoreFile="conf/.keystore" keystorePass="protect"
maxSpareThreads="75" maxThreads="150" minSpareThreads="25"
port="443" scheme="https" secure="true" sslProtocol="TLS"
truststoreFile="conf/truststore.jks" truststorePass="protect"/>

Replace protect with the new password that you defined in the keytool command.
8. Save your changes and exit the text editor.
9. Change directory to the /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config (Linux) or c:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config (Windows) directory. If you installed Symantec Data Loss Prevention into a different directory, substitute the correct path.
10. Open the Manager.properties file with a text editor.
Add the following line in the file to specify the new password:
com.vontu.manager.tomcat.truststore.password = password

Replace password with the new password. Do not enclose the password in quotation marks.
11. Save your changes and exit the text editor.
12. Open the Protect.properties file with a text editor.
13. Edit (or if not present, add) the following line in the file to specify the new password:
com.vontu.manager.tomcat.truststore.password = password

Replace password with the new password. Do not enclose the password in quotation marks.
14. Save your changes and exit the text editor.
15. Stop and then restart the Symantec DLP Manager service to apply your changes.
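The two procedures above edit the same Connector in server.xml several times (certificateVerification, revocationEnabled, truststorePass), and a typo in any of them only shows up as a logon failure after the restart. The following Python script is an added example, not code from Symantec Data Loss Prevention: it parses server.xml and reports an HTTPS Connector whose certificateVerification is not the mode you intended, whose revocationEnabled is not true, or whose truststorePass or keystorePass is still the installer default protect. That these attributes sit on the Connector element (or on a nested SSLHostConfig), and the sample server.xml embedded in the script, are assumptions of this example.

```python
"""Audit the Tomcat HTTPS connector settings that certificate authentication relies on.

Added example, not part of Symantec Data Loss Prevention. After editing server.xml as
described above, this check confirms the client-certificate verification mode, that
revocation checking is switched on, and that the installer default trust store and
key store password 'protect' has been replaced. Reading the attributes off the
Connector (or a nested SSLHostConfig) is an assumption, as is the sample server.xml.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

DEFAULT_PASSWORD = "protect"   # installer default named in the text above


def audit_connectors(server_xml: str, expected_verification: str = "required") -> List[str]:
    """Return findings for every HTTPS Connector; an empty list means nothing to fix."""
    findings: List[str] = []
    root = ET.fromstring(server_xml)
    https = [c for c in root.iter("Connector") if c.get("scheme") == "https"]
    if not https:
        return ['no Connector with scheme="https" found']
    for conn in https:
        port = conn.get("port", "?")
        # Tomcat 8.5+ can keep TLS settings on a nested SSLHostConfig; merge them,
        # letting Connector-level attributes win as in the sample line in the text.
        attrs: Dict[str, str] = {}
        for host_cfg in conn.findall("SSLHostConfig"):
            attrs.update(host_cfg.attrib)
        attrs.update(conn.attrib)
        verification = attrs.get("certificateVerification", "none")
        if verification != expected_verification:
            findings.append(f"port {port}: certificateVerification is {verification!r}, "
                            f"expected {expected_verification!r}")
        if attrs.get("revocationEnabled", "false").lower() != "true":
            findings.append(f"port {port}: revocationEnabled is not true, so revoked "
                            "client certificates are still accepted")
        for key in ("truststorePass", "keystorePass"):
            if attrs.get(key) == DEFAULT_PASSWORD:
                findings.append(f"port {port}: {key} is still the installer default")
    return findings


# Constructed sample modelled on the Connector line shown in the procedure above,
# with the certificateVerification/revocationEnabled attributes the text refers to.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector URIEncoding="UTF-8" acceptCount="100" clientAuth="want"
               certificateVerification="optional" revocationEnabled="false"
               keystoreFile="conf/.keystore" keystorePass="protect"
               port="443" scheme="https" secure="true" sslProtocol="TLS"
               truststoreFile="conf/truststore.jks" truststorePass="protect"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for finding in audit_connectors(text) or ["no findings"]:
        print(finding)
```

Pass expected_verification="optional" while forms-based logon is still enabled and leave the default "required" once you have switched to certificate-only authentication; the keystorePass check goes one step beyond the procedure, which only changes the trust store password, because the Connector line on the page shows both passwords set to the same default.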

Mapping Common Name (CN) values to Symantec Data Loss Prevention user accounts
Each user that accesses the Enforce Server administration console using certificate-based single sign-on must have an
active user account in the Enforce Server configuration. The user account associates the common name (CN) value from
the user's client certificate to one or more roles in the Enforce Server administration console. You can map a CN value to
only one Enforce Server user account.
The user account that you create does not require a separate Enforce Server administration console password. You can
optionally configure a password if you want to allow the user to also log on from the Enforce Server administration console
log-on page. If you enable password authentication and the user does not provide a certificate when the browser asks for
one, then the Enforce Server displays the log-on page. A log-on failure is displayed if password authentication is disabled
and the user does not provide a certificate.
An active user account must identify a user's CN value and have a valid role assigned in the Enforce Server to log on
using single sign-on with certificate authentication. You can disable or delete the associated Enforce Server user account
to prevent a user from accessing the Enforce Server administration console without revoking their client certificate.
Configuring user accounts

About certificate revocation checks


While managing your public key infrastructure, you may need to revoke a client's certificate with the CA. For example, you
might revoke a certificate if an employee leaves the company, or if an employee's credentials are lost or stolen. When you
revoke a certificate, the CA uses one or more Certificate Revocation Lists (CRLs) to publish those certificates that are no
longer valid.
NOTE
Certificate revocation checking is disabled by default. You must enable it and configure it. Configuring certificate
revocation checks
Symantec Data Loss Prevention retrieves revocation lists from a Certificate Revocation List Distribution Point (CRLDP).
To check revocation using a CRLDP, the client certificate must include a CRL distribution point field. The following shows
an example CRLDP field definition:
[1]CRL Distribution Point
Distribution Point Name:
Full Name: URL=http://my_crldp

NOTE
Symantec Data Loss Prevention does not support specifying the CRLDP using an LDAP URL.
If the CRL distribution point is defined in each certificate and the Enforce Server can directly access the server, then no
additional configuration is required to perform revocation checks. If the CRL distribution point is accessible only by a proxy
server, then you must configure the proxy server settings in the Symantec Data Loss Prevention configuration.
Accessing the CRLDP with a proxy
Regardless of which revocation checking method you use, you must enable certificate revocation checks on the Enforce
Server computer. Certificate revocation checks are enabled by default if you select certificate installation during the
Enforce Server installation. If you upgraded an existing Symantec Data Loss Prevention installation, certificate revocation
is not enabled by default.
Configuring certificate revocation checks
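Revocation checking silently has nothing to work with if a client certificate lacks the CRL distribution point field, and the text above says an LDAP URL in that field is not supported, so it is worth inspecting the certificates your PKI issues before enabling the feature. The following Python script is an added example, not part of Symantec Data Loss Prevention: it walks the DER structure of a certificate, locates the cRLDistributionPoints extension (OID 2.5.29.31), extracts the URIs it carries, and reports a certificate with no CRLDP or with an LDAP URL. The minimal DER reader and the certificate-shaped sample it builds for itself are assumptions of this example; on a real certificate, call crl_distribution_uris on the bytes of the .cer file.

```python
"""Find the CRL Distribution Point URIs in a DER-encoded client certificate.

Added example, not part of Symantec Data Loss Prevention. Before enabling CRLDP
revocation checks, confirm that each client certificate carries the CRL
distribution point field and that the URL is not an LDAP URL (unsupported per
the text above). The walker is a minimal DER reader, not a full X.509 parser,
and the certificate-like sample it is tested with is constructed here.
"""
from typing import Iterator, List, Tuple

CRLDP_OID = bytes.fromhex("551d1f")          # id-ce-cRLDistributionPoints, 2.5.29.31
TAG_SEQUENCE, TAG_OID, TAG_OCTET_STRING = 0x30, 0x06, 0x04
TAG_GENERALNAME_URI = 0x86                   # GeneralName [6] uniformResourceIdentifier (IA5String)


def _read_tlv(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at buf[off]; return (tag, value, offset after it)."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:                        # long-form length: next (length & 0x7F) bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield the direct child TLVs of a constructed value."""
    off = 0
    while off < len(buf):
        tag, value, off = _read_tlv(buf, off)
        yield tag, value


def _walk(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield every TLV, descending into constructed types (bit 6 of the tag set)."""
    for tag, value in _children(buf):
        yield tag, value
        if tag & 0x20:
            yield from _walk(value)


def crl_distribution_uris(der: bytes) -> List[str]:
    """Return the URIs named in the cRLDistributionPoints extension, in certificate order."""
    uris: List[str] = []
    for tag, value in _walk(der):
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
        if tag != TAG_SEQUENCE or not value.startswith(bytes([TAG_OID, len(CRLDP_OID)]) + CRLDP_OID):
            continue
        ext_value = [v for t, v in _children(value) if t == TAG_OCTET_STRING][-1]
        for t, v in _walk(ext_value):        # CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
            if t == TAG_GENERALNAME_URI:
                uris.append(v.decode("ascii"))
    return uris


def check_crldp(der: bytes) -> Tuple[bool, str]:
    """Decide whether CRLDP revocation checks can work for this certificate."""
    uris = crl_distribution_uris(der)
    if not uris:
        return False, "certificate has no CRL distribution point URI; CRLDP revocation checks cannot run"
    ldap = [u for u in uris if u.lower().startswith("ldap:")]
    if ldap:
        return False, "LDAP CRLDP URL is not supported: " + ", ".join(ldap)
    return True, "CRLDP: " + ", ".join(uris)


# --- constructed sample for testing; real certificates are read as bytes from the .cer file ---
def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short or long form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_certificate_like(uri: str) -> bytes:
    """A stripped-down TBSCertificate-shaped structure holding only a CRLDP extension (constructed)."""
    general_name = der_tlv(TAG_GENERALNAME_URI, uri.encode("ascii"))
    full_name = der_tlv(0xA0, general_name)       # fullName [0] IMPLICIT GeneralNames
    dp_name = der_tlv(0xA0, full_name)            # distributionPoint [0] EXPLICIT DistributionPointName
    dist_points = der_tlv(TAG_SEQUENCE, der_tlv(TAG_SEQUENCE, dp_name))
    extension = der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, CRLDP_OID) + der_tlv(TAG_OCTET_STRING, dist_points))
    extensions = der_tlv(0xA3, der_tlv(TAG_SEQUENCE, extension))   # extensions [3] EXPLICIT
    return der_tlv(TAG_SEQUENCE, der_tlv(TAG_SEQUENCE, extensions))


if __name__ == "__main__":
    for sample in ("http://my_crldp", "ldap://directory.example.test/cn=crl"):
        print(check_crldp(sample_certificate_like(sample)))
```

The walker only descends into constructed types, so the OCTET STRING values of other extensions are never parsed and cannot contribute stray URIs; the CRLDP extension's own OCTET STRING is decoded explicitly because the distribution points live inside it.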

Configuring Certificate Revocation Checks

When you enable certificate revocation checks, Symantec Data Loss Prevention uses a CRLDP to determine the
revocation status.
Follow this procedure to enable certificate revocation checks.
1. Ensure that the CRLDP is defined in the CRL distribution point field of each client certificate.
2. Log on to the Enforce Server computer using the account that you created during Symantec Data Loss Prevention
installation.
NOTE
Do not change permissions or ownership on any configuration file from another root or Administrator
account.
3. Open the c:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat\conf\server.xml (Windows) or /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/tomcat/conf/server.xml (Linux) file and update the revocationEnabled value from false to true.

4. To enable revocation checking using a CRLDP, add or uncomment the following line in the SymantecDLPManager.conf file:
wrapper.java.additional.22=-Dcom.sun.security.enableCRLDP=true

This option is enabled by default for new Symantec Data Loss Prevention installations.
5. If you use CRLDP revocation checks, optionally configure the cache lifetime using the property:
wrapper.java.additional.22=-Dsun.security.certpath.ldap.cache.lifetime=30
This parameter specifies the length of time, in seconds, to cache the revocation lists that are obtained from a CRL
distribution point. After this time is reached, a lookup is performed to refresh the cache the next time there is an
authentication request. The default cache lifetime is 30 seconds. Specify 0 to disable the cache, or -1 to store cache
results indefinitely.

6. Stop and then restart the Symantec DLP Manager service to apply your changes.
Accessing the CRLDP with a Proxy

Symantec recommends that you allow direct access from the Enforce Server computer to all CRLDP servers that are
required to perform certificate revocation checks. If the CRLDP servers are accessible only through a proxy, then you
must configure the proxy settings on the Enforce Server computer.
When you configure a proxy, the Enforce Server uses your proxy configuration for all HTTP connections, such as those
connections that are created to connect to a CRLDP server to fetch certificate revocation lists. Check with your proxy
administrator before you configure these proxy settings, and consider allowing direct access to CRLDP servers if at all
possible.
To configure proxy settings for a CRLDP server
1. Ensure that the CRLDP is defined in the CRL distribution point field of each client certificate.
2. Log on to the Enforce Server computer using the account that you created during Symantec Data Loss Prevention
installation.
NOTE
Do not change permissions or ownership on any configuration file from another root or Administrator
account.
3. Change directory to the /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/
Protect/config (Linux) or c:\Program Files\Symantec\DataLossPrevention\EnforceServer
\16.0.10000\Protect\config (Windows) directory. If you installed Symantec Data Loss Prevention into a
different directory, substitute the correct path.
4. Open the SymantecDLPManager.conf file with a text editor.
5. Add or edit the following configuration properties to identify the proxy:
wrapper.java.additional.22=-Dhttp.proxyHost=myproxy.mydomain.com
wrapper.java.additional.23=-Dhttp.proxyPort=8080
wrapper.java.additional.24=-Dhttp.nonProxyHosts=hosts
Replace myproxy.mydomain.com and 8080 with the host name and port of your proxy server. You can include server
host names, fully qualified domain names, or IP addresses separated with a pipe character. For example:
wrapper.java.additional.24=-Dhttp.nonProxyHosts=crldp-server|127.0.0.1|DataInsight_Server_Host

6. Save your changes to the configuration file.


7. Stop and then restart the Symantec DLP Manager service to apply your changes.
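The wrapper entries quoted in the last two procedures (enableCRLDP, the cache lifetime, and http.proxyHost) are all shown with the index 22, and the proxy block continues at 23 and 24, so pasting them as printed into SymantecDLPManager.conf gives several properties the same index. The following Python helper is an added example, not part of Symantec Data Loss Prevention: it assumes that each wrapper.java.additional.<n> index may be used only once in the file, reports indices that the file already defines twice, rewrites a -D property that is already present, moves any entry sitting on a reused index to a free one, and appends new properties at the next free index. The configuration excerpt it runs against is constructed.

```python
"""Maintain wrapper.java.additional.<n> system properties in SymantecDLPManager.conf.

Added example, not part of Symantec Data Loss Prevention. The revocation, cache
lifetime and proxy settings above are all shown with index 22; this helper assumes
that each index must be unique in the file, reports indices that are already
defined more than once, rewrites a -D property that is already present, and
appends new ones at the next free index. The sample configuration is constructed.
"""
import re
from typing import Dict, List, Tuple

PROP_RE = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*?)\s*$")
SYSPROP_RE = re.compile(r"-D([^=]+)=")


def parse_additional(conf_text: str) -> Tuple[Dict[int, str], List[int]]:
    """Map index -> value for active (uncommented) entries, plus indices defined more than once."""
    entries: Dict[int, str] = {}
    duplicates: List[int] = []
    for line in conf_text.splitlines():
        m = PROP_RE.match(line)
        if not m:
            continue   # comments, blank lines and other wrapper.* properties
        idx = int(m.group(1))
        if idx in entries:
            duplicates.append(idx)
        entries[idx] = m.group(2)
    return entries, duplicates


def set_system_properties(conf_text: str, props: Dict[str, str]) -> str:
    """Return conf_text with each -Dname=value from props set exactly once and no index reused."""
    entries, _ = parse_additional(conf_text)
    next_idx = max(entries, default=0) + 1
    seen_idx = set()
    done = set()
    out: List[str] = []
    for line in conf_text.splitlines():
        m = PROP_RE.match(line)
        if not m:
            out.append(line)
            continue
        idx, value = int(m.group(1)), m.group(2)
        name_m = SYSPROP_RE.match(value)
        name = name_m.group(1) if name_m else None
        if name in props:
            if name in done:
                continue                     # drop a second definition of the same property
            value = f"-D{name}={props[name]}"
            done.add(name)
        if idx in seen_idx:                  # index already used above: move this entry to a free one
            idx, next_idx = next_idx, next_idx + 1
        seen_idx.add(idx)
        out.append(f"wrapper.java.additional.{idx}={value}")
    for name, value in props.items():
        if name not in done:
            out.append(f"wrapper.java.additional.{next_idx}=-D{name}={value}")
            next_idx += 1
    return "\n".join(out) + "\n"


# Constructed sample in the shape of the entries quoted in the text above.
SAMPLE_CONF = """# SymantecDLPManager.conf (constructed excerpt)
wrapper.java.command=java
wrapper.java.additional.1=-Xmx2048m
wrapper.java.additional.22=-Dcom.sun.security.enableCRLDP=true
wrapper.java.additional.22=-Dsun.security.certpath.ldap.cache.lifetime=30
"""

if __name__ == "__main__":
    _, dups = parse_additional(SAMPLE_CONF)
    print("duplicate indices:", dups)
    print(set_system_properties(SAMPLE_CONF, {"http.proxyHost": "myproxy.mydomain.com",
                                              "http.proxyPort": "8080",
                                              "http.nonProxyHosts": "crldp-server|127.0.0.1"}))
```

Commented-out lines (those starting with #) are left untouched, so an entry you want to "uncomment" as the procedure says is simply passed in props and written at a free index; run parse_additional on the file first if you only want the duplicate report.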

Troubleshooting Certificate Authentication


By default Symantec Data Loss Prevention logs each successful log-on request to the Enforce Server administration
console. Symantec Data Loss Prevention also logs an error message if a logon request is made without supplying
a certificate, or if a valid certificate presents a CN that does not map to a valid user account in the Enforce Server
configuration.
NOTE
If certificate authentication fails while the browser establishes an HTTPS connection to the Enforce Server
administration console, then Symantec Data Loss Prevention cannot log an error message.
You can optionally log additional information about certificate revocation checks by adding or uncommenting the following
system property in the SymantecDLPManager.conf file:

wrapper.java.additional.90=-Djava.security.debug=certpath

SymantecDLPManager.conf is located in the c:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config (Windows) or /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config (Linux) directory.
All debug messages are logged to c:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\logs\debug\SymantecDLPManager.log (Windows) or /var/log/Symantec/DataLossPrevention/EnforceServer/16.0.10000/debug/SymantecDLPManager.log (Linux).

Disabling password authentication and forms-based logon


Forms-based logon with password authentication can be used as a fallback access mechanism while you configure
and test certificate authentication. After you configure certificate authentication, you can disable forms-based logon and
password authentication. Your public key infrastructure then handles all logon requests.
Once you have configured the common name (CN) mapping with both forms-based and certificate authentication enabled,
you can switch to certificate-only authentication: replace the springSecurityContext.xml file with the
springSecurityContext-Certificate.xml file and restart the Enforce Server. Form-based logon is then completely disabled.
NOTE
When you disable forms-based logon you disable the feature for all users, including those with Administrator
privileges. As an alternative, you can disable forms-based logon or certificate authentication for an individual
user by configuring that user's account.
Configuring user accounts
If you later turn on forms-based logon but the Administrator user account does not have a password configured, you can
reset the Administrator password. Reset the password using the AdminPasswordReset utility.
Resetting the Administrator Password

Connecting to group directories


This section includes the following topics:
Creating connections to LDAP servers
Configuring directory server connections
Scheduling Directory Server Indexing

Creating connections to LDAP servers


Symantec Data Loss Prevention supports directory server connections to LDAP-compliant directory servers such as
Microsoft Active Directory (AD). A group directory connection specifies how the Enforce Server or Discover Server
connects to the directory server.
The connection to the directory server must be established before you create any user groups in the Enforce Server.
The Enforce Server or Discover Server uses the connection to obtain details about the groups. If this connection is
not created, you are not able to define any User Groups. The connection is not permanent, but you can configure the
connection to synchronize at a specified interval. The directory server contains all of the information that you need to
create User Groups.

NOTE
If you use a directory server that contains a self-signed authentication certificate, you must add the certificate
to the Enforce Server or the Discover Server. If your directory server uses a pre-authorized certificate, it is
automatically added to the Enforce Server or Discover Server. Importing SSL certificates to Enforce or Discover
servers
To create a group directory connection
1. Navigate to the System > Settings > Directory Connections screen.
2. Click Add Connection.
3. Configure the directory connection.
Configuring directory server connections

Configuring directory server connections


The Directory Connections page is the home page for configuring directory server connections. Once you define the
directory connection, you can create one or more User Groups.

Table 263: Configuring directory server connections

Step 1
Action: Navigate to the Directory Connections page (if not already there).
Description: This page is available at System > Settings > Directory Connections.

Step 2
Action: Click Create New Connection.
Description: This action takes you to the Configure Directory Connection page.

Step 3
Action: Enter a Name for the directory server connection.
Description: The Connection Name is the user-defined name for the connection. It appears at the Directory Connections home page once the connection is configured.

Step 4
Action: Specify the Network Parameters for the directory server connection.
Description: Directory connection network parameters provides details on these parameters. Enter or specify the following parameters:
• The Hostname of the computer where the directory server is installed.
• The Port on the directory server that supports connections.
• The Base DN (distinguished name) of the directory server.
• The Encryption Method for the connection, either None or Secure.

Step 5
Action: Specify the Authentication mode for connecting to the directory server.
Description: Directory connection authentication parameters provides details on configuring the authentication parameters.

Step 6
Action: Click Test Connection to verify the connection.
Description: If there is anything wrong with the connection, the system displays an error message describing the problem.

Step 7
Action: Click Save to save the directory connection configuration.
Description: The system automatically indexes the directory server after you successfully create, test, and save the directory server connection.

Step 8
Action: Select the Index and Replication Status tab.
Description: Verify that the directory server was indexed. After some time (depending on the size of the directory server query), you should see that the Replication Status is "Completed <date> <time>". If you do not see that the status is completed, verify that you have configured and tested the directory connection properly. Contact your directory server administrator for assistance.

Step 9
Action: Select the Index Settings tab.
Description: You can adjust the directory server indexing schedule as necessary at the Index Settings tab.
Scheduling directory server indexing

Table 264: Directory connection network parameters

Network parameters Description

Hostname Enter the Hostname of the directory server.


For example: enforce.dlp.symantec.com
You must enter the Fully Qualified Name (FQN) of the directory server. Do not use the IP
address.
Port Enter the connection Port for the directory server.
For example: 389
Typically the port is 389 or 636 for secure connections.
Base DN Enter the Base DN for the directory server. This field only accepts one directory server entry.
For example: dc=enforce,dc=dlp,dc=symantec,dc=com
The Base DN string cannot contain any space characters.
The Base DN is the base distinguished name of the directory server. Typically, this name is the
domain name of the directory server. The Base DN parameter defines the initial depth of the
directory server search.
Encryption Method Select the Secure option if you want the communication between the directory server and the
Enforce Server to be encrypted using SSL.
Note: If you choose to use a secure connection, you may need to import the SSL certificate
for the directory server to the Enforce Server keystore. Importing SSL certificates to Enforce or
Discover servers

Table 265: Directory connection authentication parameters

Authentication Description

Authentication Select the Authentication option to connect to the directory server using authentication mode.
Check Connect with Credentials to add your username and password to authenticate to the
directory server.
Username To authenticate with Active Directory, use one of the following methods:
• Domain and user name, for example: Domain\username
• User name and domain, for example: username@domain.com
• Fully distinguished user name and domain (without spaces), for example:
cn=username,cn=Users,dc=domain,dc=com
To authenticate with another type of directory server:
• A different syntax may be required, for example: uid=username,ou=people,o=company
Password Enter the password for the user name that was specified in the preceding field.
The password is obfuscated when you enter it.

Scheduling Directory Server Indexing


Each directory connection is set to automatically index the configured LDAP server once at 12:00 AM the day after
you create the initial connection. You can modify the indexing schedule to specify when and how often the index is
synchronized.

Each directory server connection automatically indexes the configured User Groups that are hosted in the directory server
once at 12:00 AM. The indexing starts the day after you create the initial connection.
After you create, test, and save the directory server connection, the system automatically indexes all User Groups that are
hosted in the directory whose connection you have established. You can modify this setting, and schedule indexing to run:
• by the minute
• by the hour
• daily
• weekly
• monthly
1. Select an existing group directory server connection from the System > Settings > Directory Connections screen.
Or, create a connection.
Configuring directory server connections
2. Adjust the Index Settings to the desired schedule.
Schedule group directory server indexing and view status

Table 266: Schedule group directory server indexing and view status

Index Settings Description

Index the directory server once. The Once setting is selected by default and automatically indexes the director server at 12:00
AM the day after you create the initial connection. You can use the On and At settings to select a
specific date and time.
Use the following index settings to modify the default Once indexing schedule to specify when and
how often the index is rebuilt.
Index the directory server daily. Select the Daily option to schedule the index daily.
Specify the At time. Optionally, specify the Until duration for this schedule.
Index the directory server Select the Weekly option to schedule the index to occur once a week.
weekly. Specify the day of the week to index.
Specify the time to index.
Optionally, specify the Until duration for this schedule.
Index the directory server Specify the day of the month to index the directory and the time.
monthly. Optionally, specify the Until duration for this schedule.
Set up a custom indexing Specify a custom frequency, in hours and minutes, to index the directory. You can schedule the
schedule. index to run from every one to 59 minutes. You can also schedule the index to run from every 1 hour
to every 23 hours.
Optionally, specify the Until duration for this schedule. Overlapping indexing jobs for the same
directory connection or profile are not allowed to run concurrently. Queued jobs consume
memory. To reduce memory consumption, do not overlap indexing jobs.
View the indexing and Select the Index and Replication Status tab to view the status of the indexing process.
replication status. • Indexing Status
Displays the next scheduled index, date, and time.
• Detection Server Name
Displays the detection server where the User Group profile is deployed.
• Replication Status
Displays the date and time of the most recent synchronization with the directory group server.

Credential Store
The credential store simplifies management of user name and password changes.

An authentication credential can be stored as a named credential in a central credential store. It can be defined once, and
then referenced by any number of servers or endpoints. Passwords are encrypted before they are stored.
You can add, delete, or edit stored credentials.
Adding new credentials to the credential store
Managing credentials in the credential store
The Credential Management screen is accessible to users with the "Credential Management" privilege.
Stored credentials can be used when you edit or create a Discover target.

Adding new credentials to the credential store


You can add new credentials to the credential store. These credentials can later be referenced with the credential name.
1. Click System > Settings > Credentials, and click Add Credential.
2. Enter the following information:

Credential Name Enter your name for this stored credential.


The credential name must be unique within the credential store.
The name is used only to identify the credential.
Access Username Enter the user name for authentication as <domain_name>
\<username> in the NT4 format. The username must be a
Windows domain user account.
Access Password Enter the password for authentication.
Re-enter Access Password Re-enter the password.

3. Click Save.
4. You can later edit or delete credentials from the credential store.

Managing credentials in the credential store


Configuring endpoint credentials

Configuring endpoint credentials


You must add credentials to the Credential Store before you can access credentials for Endpoint FlexResponse or the
Endpoint Discover Quarantine response rule. The credentials are stored in an encrypted folder on all endpoints that are
connected to an Endpoint Server. Because all endpoints store the credentials, you must be careful about the type of
credentials you store. Use credentials that cannot access other areas of your system. Before your endpoint credentials
can be used, you must enable the Enforce Server to recognize them.
To create endpoint credentials

1. Go to: System > Settings > General.
2. Click Configure.
3. Under the Credential Management section, ensure that the Allow Saved Credentials on Endpoint Agent checkbox
is selected.
4. Click Save.
5. Go to: System > Settings > Credentials.
6. Click Add Credential.
7. Under the General section, enter the details of the credential you want to add.
8. Under Usage Permission, select Servers and Endpoint agents.
9. Click Save.

About the credential store

Managing credentials in the credential store


You can delete or edit a stored credential.
1. Click System > Settings > Credentials.
2. Do one of the following:
• To edit a stored credential, click the edit icon (pencil) to the right of the name. Then, update the user name or
password and click Save.
• To delete a stored credential, click the delete icon to the right of the name. A credential can be deleted only if it is not
currently referenced in a Discover target or indexed document profile.
If you change the password for a given credential, the new password is used for all subsequent Discover scans that
use that credential.

Managing Stored Credentials


Store your authentication credentials in a central store to simplify management of user name and password changes.
You can set Symantec Data Loss Prevention to store authentication credentials in a central credential store. You define each
credential once as a named credential, and then reference it by any number of servers or endpoints.
You can add, delete, or edit stored credentials.
NOTE
If you are connecting ICA to DLP, you create an API credential to allow DLP to fetch data from ICA. See Create
an API user in ICA.

Add a Stored Credential


1. In System > Settings > Credentials, click Add Credential.
2. Enter the following information:

Credential Name Enter your name for this stored credential.


The credential name must be unique within the credential store.
The name is used only to identify the credential.
Access Username Enter the user name for authentication.
Access Password Enter the password for authentication.

Re-enter Access Password Re-enter the password.

3. Click Save.

Delete a Stored Credential


A credential can be deleted only if it is not currently referenced in a Discover target, an indexed document profile, or in an
ICA data source.
1. In System > Settings > Credentials, locate the name of the stored credential that you want to remove.
2. Click the delete icon to the right of the name.

Edit a Stored Credential


1. In System > Settings > Credentials, locate the name of the stored credential that you want to edit.
2. Click the edit icon (pencil) to the right of the name.
3. Update the user name or password.
4. Click Save.
5. If you change the password for a given credential, the new password is used for all subsequent Discover scans that
use that credential.

Managing System Events and Messages


Learn the many ways that you can manage Symantec DLP System Events and Messages
This section includes the following topics:
System Events
Using Audit Logs
System Events Reports
Working with Saved System Reports
Server and Detectors Event Detail
Configuring Event Thresholds and Triggers
About System Event Responses
Enabling a Syslog Server
System Alerts
Configuring the Enforce Server to Send Email Alerts
Configuring System Alerts
About Log Review
System event codes and messages

Using Audit Logs


Use the Audit Logs to view and filter Symantec Data Loss Prevention events.
You can now filter and view audit log information at System > Servers and Detectors > Audit Logs in the Enforce
Server administration console.

You can use Audit Logs to view the activities that are performed by users on Enforce. The Audit Logs page includes
information about events and event details. You can also download Audit Log reports from the Audit Logs page. These
reports are exported in CSV format.
Some of the Audit Logs columns can be resorted using the arrows next to the item name. Sortable columns include:
• Time
• IP Address
• User Name
• Role
• Entity
• Action
User ID, User Status, and Detail columns are not sortable.
The default Audit Logs page is set to:
• Time - last 30 days
• Items per page - 50
• Sort order - descending, with latest items first
Use the drop-downs in the Filter By area on the left of the page to change these filter conditions:
• Date - Select from All Dates, Today, Yesterday, Last 7 Days, Last 30 Days, Last Quarter, Last Year, or Custom.
• IP Address - Start typing to select from the list of available IP addresses or scroll down and select an IP address.
• User Name - Start typing to select from the list of available User Names or scroll down and select User Names.
Multiple names are allowed.
• Role - Start typing to select from the list of available Roles or scroll down and select Roles. Multiple roles are allowed.
• Entity - Start typing to select from the list of available entities or scroll down and select entities. Multiple entities are
allowed.
• Action - Start typing to select from a list of available Actions or scroll down and select an action. The Action options
are related to Entities. Each Entity has at least one action. Multiple actions are allowed.
• Click Clear All to clear all filters. The filter is reset to the default Last 30 Days condition.
• Click Apply to view the filtered data. When you click Apply, the table order does not change. The page resets to the
first page. The number of Items per page does not change.
• Click Export To CSV at the top right of the page to download the filtered CSV Audit Logs data from the page that is
displayed.
The Action filter is updated when you select any entity filter options. If no Entity is selected, you can see all of the options
of the Action filter.
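The CSV export described above is the natural input for a review script. The following added example, which is not Symantec code and not part of this page, reads an exported Audit Logs file and flags the rows a DLP administrator would look at first: changes to stored credentials and roles, especially outside business hours or from an address outside the administrator subnet. The column names are the ones this page lists; the exact header text, the timestamp format, the business-hours window and the trusted subnet are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample of an Audit Logs CSV export. The column names are the ones
# listed on this page; the exact header text and the timestamp format of a real
# export are assumptions, so adjust TIME_FORMAT and the keys below to match.
SAMPLE_CSV = """\
Time,IP Address,User Name,Role,Entity,Action,User ID,User Status,Detail
2023-09-11 09:14:02,10.0.5.21,jdoe,Administrator,Credential,Edit,1001,Active,Credential share-scan updated
2023-09-11 23:41:17,203.0.113.9,jdoe,Administrator,Credential,Delete,1001,Active,Credential share-scan deleted
2023-09-12 02:05:44,203.0.113.9,svc-report,Report Viewer,Role,Edit,1042,Active,Role Report Viewer updated
2023-09-12 10:30:00,10.0.5.21,asmith,Incident Responder,Incident,View,1017,Active,Incident 48213 viewed
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Entity/action pairs that change who can do what in the Enforce Server; these
# are the audit rows an administrator should review first.
SENSITIVE_ACTIONS = {
    ("Credential", "Edit"),
    ("Credential", "Delete"),
    ("Role", "Add"),
    ("Role", "Edit"),
    ("Role", "Delete"),
}
BUSINESS_HOURS = range(8, 19)        # 08:00 through 18:59, local time (assumed)
TRUSTED_PREFIXES = ("10.0.5.",)      # assumed administrator subnet


def load_audit_log(text):
    """Parse an exported Audit Logs CSV into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_events(rows):
    """Return the sensitive rows, each with the reasons it was flagged."""
    findings = []
    for row in rows:
        if (row["Entity"], row["Action"]) not in SENSITIVE_ACTIONS:
            continue
        reasons = ["sensitive action"]
        when = datetime.strptime(row["Time"], TIME_FORMAT)
        if when.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if not row["IP Address"].startswith(TRUSTED_PREFIXES):
            reasons.append("untrusted source address")
        findings.append({
            "time": row["Time"],
            "user": row["User Name"],
            "ip": row["IP Address"],
            "entity": row["Entity"],
            "action": row["Action"],
            "reasons": reasons,
        })
    return findings


def source_addresses(rows):
    """Map each user to the set of addresses they acted from. A user that
    appears from several addresses in a short export is worth a closer look."""
    seen = {}
    for row in rows:
        seen.setdefault(row["User Name"], set()).add(row["IP Address"])
    return seen


if __name__ == "__main__":
    rows = load_audit_log(SAMPLE_CSV)
    for f in flag_events(rows):
        print(f["time"], f["user"], f["ip"], f["entity"], f["action"], ", ".join(f["reasons"]))
    for user, addrs in source_addresses(rows).items():
        if len(addrs) > 1:
            print(f"{user} acted from {len(addrs)} addresses: {sorted(addrs)}")
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; if your export uses different header text, change the dictionary keys to match, since csv.DictReader keys rows by the header row verbatim.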

System Events
Review system events to
System events related to your Symantec Data Loss Prevention installation are monitored, reported, and logged. System
events include notifications from Cloud Operations for cloud services.
System event reports are viewed from the Enforce Server administration console:
• The five most recent system events of severity Warning or Severe are listed on the Overview screen (System >
Servers and Detectors > Overview).
About the Overview screen
• Reports on all system events of any severity can be viewed by going to System > Servers and Detectors > Events.

System Events Reports
• Recent system events for a particular detection server or cloud service are listed on the Server/Detector Detail screen
for that server or detector.
Server/Detector Detail screen
• Click on any event in an event list to go to the Event Details screen for that event. The Event Details screen provides
additional information about the event.
Server and Detectors Event Detail
There are three ways that system events can be brought to your attention:
• System event reports displayed on the administration console
• System alert email messages
System Alerts
• Syslog functionality
Enabling a Syslog Server
Some system events require a response.
About System Event Responses
To narrow the focus of system event management you can:
• Use the filters in the various system event notification methods.
System Events Reports
• Configure the system event thresholds for individual servers.
Configuring Event Thresholds and Triggers

System Events Reports


To view all system events, go to the system events report screen (System > Servers and Detectors > Events). This
screen lists events, one event per line. The list contains those events that match the selected data range, and any other
filter options that are listed in the Applied Filters bar. For each event, the following information is displayed:

Table 267: System events descriptions

Events Description

Type The type (severity) of the event. Type may be any one of those listed in the System event types table.
Time The date and time of the event.
Server The name of the server on which the event occurred.
Host The IP address or host name of the server on which the event occurred.
Code A number that identifies the kind of event.
See System event codes and messages for information on event code numbers.
Summary A brief description of the event. Click on the summary for more detail about the event.

Table 268: System event types

Event type Description

Info (System information) Information about the system.
Warning A problem that is not severe enough to generate an error.
Severe An error that requires immediate attention.

You can select from several report handling options.


Click any event in the list to go to the Event Details screen for that event. The Event Details screen provides additional
information about the event.
Server and Detectors event detail
Since the list of events can be long, filters are available to help you select only the events that you are interested in. By
default, only the Date filter is enabled and it is initially set to All Dates. The Date filter selects events by the dates the
events occurred.

Filter the List of System Events by Date of Occurrence


1. Go to the Filter section of the events report screen and select one of the date range options. To specify your own
beginning and end dates, select Custom from the date list.
2. Click Apply.

Apply Additional Advanced Filters


In addition to filtering by date range, you can also apply advanced filters. Advanced filters are cumulative with the current
date filter. This means that events are only listed if they match the advanced filter and also fall within the current date
range. Multiple advanced filters can be applied. If multiple filters are applied, events are only listed if they match all the
filters and the date range.
1. Click on Advanced Filters and Summarization.
2. Click on Add Filter.
3. Choose the filter you want to use from the left-most drop-down list. Available filters are listed in System events
advanced filter options.
4. Choose the filter-operator from the middle drop-down list.
NOTE
You can use the Cloud Operations filter value to view events from Cloud Operations for your detectors.
For each advanced filter you can specify a filter-operator Is Any Of or Is None Of.
5. Enter the filter value, or values, in the right-hand text box, or click a value in the list to select it.
• To select multiple values from a list, hold down the Control key and click each one.
• To select a range of values from a list, click the first one, then hold down the Shift key and click the last value in the
range you want.

6. (Optional) Specify additional advanced filters if needed.
7. When you have finished specifying a filter or set of filters, click Apply.
Click the red X to delete an advanced filter.

The Applied Filters bar lists the filters that are used to produce the list of events that is displayed. Note that multiple
filters are cumulative. For an event to appear on the list it must pass all the applied filters.
The following advanced filters are available:

Table 269: System events advanced filter options

Filter Description

Event Code Filter events by the code numbers that identify each kind of event.
You can filter by a single code number or multiple code numbers
separated by commas (2121, 1202, 1204). Filtering by code
number ranges, or greater than, or less than operators is not
supported.
Event type Filter events by event severity type (Info, Warning, or Severe).
Server Filter events by the server on which the event occurred.

NOTE
A small subset of the parameters that trigger system events have thresholds that can be configured. These
parameters should only be adjusted with advice from Symantec Support. Before changing these settings, you
should have a thorough understanding of the implications that are involved. The default values are appropriate
for most installations.
Configuring event thresholds and triggers
Related Links
on page 469

Working with Saved System Reports


Save system reports to make them available later.
The System Reports screen lists system and agent-related reports that have previously been saved. To display the
System Reports screen, click System > System Reports. Use this screen to work with saved system reports.
The System Reports screen is divided into two sections:
• System Event - Saved Reports lists saved system reports.
• Agent Management - Saved Reports lists saved agent reports.
For each saved report you can perform the following operations:
• Share the report. Click share to allow other Symantec Data Loss Prevention users who have the same role as you to
share the report. Sharing a report cannot be undone; after a report is shared it cannot be made private. After a report is
shared, all users with whom it is shared can view, edit, or delete the report.
Saving custom incident reports
• Change the report name or description. Click the pencil icon to the right of the report name to edit it.
• Change the report scheduling. Click the calendar icon to the right of the report name to edit the delivery schedule of
the report and to whom it is sent.
Saving custom incident reports

Delivery Schedule Options for Incident and System Reports
• Delete the report. Click the red X to the right of the report name to delete the report.
1. Go to one of the following screens:
• System Events (System > Events)
• Agents Overview (System > Agents > Overview)
• Agents Events (System > Agents > Events)
About the Enforce Server administration console
2. Select the filters and summaries for your custom report.
About custom reports and dashboards
3. Select Report > Save As.
4. Enter the saved report information.
Saving custom incident reports
5. Click Save.

Server and Detectors Event Detail


To view the Server and Detectors Event Detail screen, go to System > Servers and Detectors > Events and click one
of the listed events.
System events reports
The Server and Detectors Event Detail screen displays all of the information available for the selected event. The
information on this screen is not editable.
The Server and Detectors Event Detail screen is divided into two sections—General and Message.

Table 270: Event detail — General

Item Description

Type The event is one of the following types:


• Info: Information about the system.
• Warning: A problem that is not severe enough to generate an error.
• Severe: An error that requires immediate attention.
Time The date and time of the event.
Server or The name of the server or detector.
Detector
Host The host name or IP address of the server.

Table 271: Event detail — Message

Item Description

Code A number that identifies the kind of event.


System event codes and messages
Summary A brief description of the event.
Detail Detailed information about the event.

About system events
System events reports
About system alerts

Configuring Event Thresholds and Triggers


The default event threshold values are appropriate for most installations. A small subset of the parameters that trigger
system events have thresholds that can be configured. These parameters are configured for each detection server or
detector separately. These parameters should only be adjusted with advice from Symantec Support. Before changing
these settings, you should have a thorough understanding of the implications.
1. Go to the Overview screen (System > Servers and Detectors > Overview).
2. Click on the name of a detection server or detector to display that server's Server/Detector Detail screen.
3. Click Server/Detector Settings.
The Advanced Server/Detector Settings screen for that server is displayed.
4. Change the configurable parameters, as needed.

Table 272: Configurable parameters that trigger events

Parameter Description Event

BoxMonitor.DiskUsageError Indicates the amount of filled disk space (as a Low disk space
percentage) that triggers a severe system event.
For example, a Severe event occurs if a detection
server is installed on the C drive and the disk
space error value is 90. The detection server
creates a Severe system event when the C drive
usage is 90% or greater. The default is 90.
BoxMonitor.DiskUsageWarning Indicates the amount of filled disk space (as Low disk space
a percentage) that triggers a Warning system
event. For example, a Warning event occurs if the
detection server is installed on the C drive and the
disk space warning value is 80. Then the detection
server generates a Warning system event when
the C drive usage is 80% or greater. The default is
80.
BoxMonitor.MaxRestartCount Indicates the number of times that a system Process name restarts
process can be restarted in one hour before a excessively
Severe system event is generated. The default is
3.
IncidentDetection.MessageWaitSevere Indicates the number of minutes messages need Long message wait time
to wait to be processed before a Severe system
event is sent about message wait times. The
default is 240.
IncidentDetection.MessageWaitWarning Indicates the number of minutes messages need Long message wait time
to wait to be processed before a Warning
system event is sent about message wait times.
The default is 60.

Parameter Description Event

IncidentWriter.BacklogInfo Indicates the number of incidents that can be N incidents in queue


queued before an Info system event is generated.
This type of backlog usually indicates that
incidents are not processed or are not processed
correctly because the system may have slowed
down or stopped. The default is 1000.
IncidentWriter.BacklogWarning Indicates the number of incidents that can be N incidents in queue
queued before generating a Warning system
event. This type of backlog usually indicates that
incidents are not processed or are not processed
correctly because the system may have slowed
down or stopped. The default is 3000.
IncidentWriter.BacklogSevere Indicates the number of incidents that can N incidents in queue
be queued before a Severe system event is
generated. This type of backlog usually indicates
that incidents are not processed or are not
processed correctly because the system may have
slowed down or stopped. The default is 10000.

Related Links
System Events on page 466
Review system events to

About System Event Responses


There are three ways that system events can be brought to your attention:
• System event reports displayed on the administration console
• System alert email messages
System Alerts
• Syslog functionality
Enabling a Syslog Server
In most cases, the system event summary and detail information should provide enough information to direct investigation
and remediation steps. The following table provides some general guidelines for responding to system events.

Table 273: System event responses

System event or category Appropriate response

Low disk space If this event is reported on a detection server, recycle the Symantec Data Loss Prevention services
on the detection server. The detection server may have lost its connection to the Enforce Server.
The detection server then queues its incidents locally, and fills up the disk.
If this event is reported on an Enforce Server, check the status of the Oracle and the Symantec DLP
Incident Persister services. Low disk space may result if incidents do not transfer properly from the
file system to the database. This event may also indicate a need to add additional disk space.
Tablespace is almost full Add additional data files to the database. When the hard disk is at 80% of capacity, obtain a bigger
disk instead of adding additional data files.
Licensing and versioning Contact Symantec Support.

System event or category Appropriate response

Monitor not responding Restart the Symantec DLP Detection Server service. If the event persists, check the network
connections. Make sure the computer that hosts the detection server is turned on by connecting
to it. You can connect with terminal services or another remote desktop connection method. If
necessary, contact Symantec Support.
Symantec Data Loss Prevention Services
Alert or scheduled report Go to System > Settings > General and ensure that the settings in the Reports and Alerts and
sending failed SMTP sections are configured correctly. Check network connectivity between the Enforce Server
and the SMTP server. Contact Symantec Support.
Auto key ignition failed Contact Symantec Support.
Cryptographic keys are Contact Symantec Support.
inconsistent
Long message wait time Increase detection server capacity by adding more CPUs or replacing the computer with a more
powerful one.
Decrease the load on the detection server. You can decrease the load by applying the traffic filters
that have been configured to detect fewer incidents. You can also re-route portions of the traffic to
other detection servers.
Increase the threshold wait times if all of the following items are true:
• This message is issued during peak hours.
• The message wait time drops down to zero before the next peak.
• The business is willing to have such delays in message processing.
process_name restarts Check the process by going to System > Servers > Overview. To see individual processes on this
excessively screen, Process Control must be enabled by going to System > Settings > General > Configure.
N incidents in queue Investigate the reason for the incidents filling up the queue.
The most likely reasons are as follows:
• Connection problems. Response: Make sure the communication link between the Endpoint
Server and the detection server is stable.
• Insufficient connection bandwidth for the number of generated incidents (typical for WAN
connections). Response: Consider changing policies (by configuring the filters) so that they
generate fewer incidents.

Enabling a Syslog Server


Syslog servers allow system administrators to filter and route the system event notifications on a more granular level.
System administrators who use syslog regularly for monitoring their systems may prefer to use syslog instead of alerts.
Syslog may be preferred if the volume of alerts seems unwieldy for email.

Syslog functionality is an on or off option. If syslog is turned on, all Severe events are sent to the syslog server.
1. Go to the \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect
\config directory on Windows or the /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/
Protect/config directory on Linux.
2. Open the Manager.properties file.
3. Uncomment the #systemevent.syslog.protocol = line by removing the # symbol from the beginning of the line, and
enter udp, tcp, or tls. Only tls encrypts the connection from the Enforce Server to the syslog server; with udp or tcp,
the event text (server names and disk, queue, and process details) crosses the network in the clear, so use tls unless
the syslog server is reachable only over an isolated management network.
4. Uncomment the #systemevent.syslog.host= line by removing the # symbol from the beginning of the line, and enter
the hostname or IP address of the syslog server.
5. Uncomment the #systemevent.syslog.port= line by removing the # symbol from the beginning of the line. Enter the
port number that should accept connections from the Enforce Server server. The default is 514.
NOTE
If you are using TCP or TLS communication, ensure that the port you enter correctly corresponds to the port
that is configured on the syslog server.
6. Uncomment the #systemevent.syslog.format= [{0}] {1} - {2} line by removing the # symbol from the
beginning of the line. Then define the system event message format to be sent to the syslog server:
If the line is uncommented without any changes, the notification messages are sent in the format: [server name]
summary - details. The format variables are:
• {0} - the name of the server on which the event occurred
• {1} - the event summary
• {2} - the event detail
For example, the following configuration specifies that Severe system event notifications are sent to a syslog host
named server1 which uses port 600.
systemevent.syslog.protocol = TCP
systemevent.syslog.host=server1
systemevent.syslog.port=600
systemevent.syslog.format= [{0}] {1} - {2}

Using this example, a low disk space event notification from an Enforce Server on a host named server1 would look like:
[server1] Low disk space - Hard disk space for incident data storage server is low. Disk usage is over 82%.
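On the receiving side, the format string above is all a SIEM parser has to go on. The following added example, which is not Symantec code and not part of this page, renders events with the same [{0}] {1} - {2} pattern and parses them back into server, summary and detail, pulling the usage percentage out of Low disk space events so they can be routed by severity of the condition. It assumes the receiving syslog daemon has already stripped its own transport header (priority, timestamp, relay host) and that Python's positional str.format placeholders behave like the server's for this simple pattern; the sample messages are constructed.

```python
import re

# The systemevent.syslog.format value from the page. Python's str.format uses the
# same positional {0} {1} {2} placeholders as the Enforce Server's format string
# for this simple pattern, so the rendering below matches what the server sends.
SYSLOG_FORMAT = "[{0}] {1} - {2}"

# Message body only: the transport header a receiving syslog daemon prepends
# (priority, timestamp, relay host) is assumed to have been stripped already.
EVENT_RE = re.compile(r"^\[(?P<server>[^\]]+)\] (?P<summary>.+?) - (?P<detail>.*)$")
USAGE_RE = re.compile(r"(\d{1,3})%")


def format_event(server, summary, detail, fmt=SYSLOG_FORMAT):
    """Render a system event the way the configured format string would."""
    return fmt.format(server, summary, detail)


def parse_event(line):
    """Split a received message into server, summary and detail, or return None
    if the line is not in the configured format. The summary is matched
    non-greedily so a ' - ' inside the detail text stays in the detail."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["disk_usage_pct"] = None
    if event["summary"] == "Low disk space":
        usage = USAGE_RE.search(event["detail"])
        if usage:
            event["disk_usage_pct"] = int(usage.group(1))
    return event


def disk_events_over(lines, threshold_pct):
    """Return the Low disk space events at or above threshold_pct. Only Severe
    events reach syslog, so every parsed line already warrants attention; this
    picks out the ones that should page someone rather than land in a mailbox."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event and event["disk_usage_pct"] is not None and event["disk_usage_pct"] >= threshold_pct:
            hits.append(event)
    return hits


if __name__ == "__main__":
    # Constructed messages in the page's format.
    sample = [
        format_event("server1", "Low disk space",
                     "Hard disk space for incident data storage server is low. Disk usage is over 82%."),
        format_event("det02", "Monitor not responding", "Detector det02 - no heartbeat"),
        format_event("server1", "Low disk space",
                     "Hard disk space for incident data storage server is low. Disk usage is over 95%."),
    ]
    for event in disk_events_over(sample, 90):
        print(event["server"], event["disk_usage_pct"])
```

If you change systemevent.syslog.format, change EVENT_RE to match; the parser is only as good as its agreement with the sender's format string.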

System Events

System Alerts
Configure system alerts to notify Symantec Data Loss Prevention administrators about a wide variety of system
conditions.
System alerts are email messages that are sent to designated addresses when a particular system event occurs. You
define what alerts (if any) that you want to use for your installation. Alerts are specified and edited on the Configure Alert
screen, which is reached by System > Servers and Detectors > Alerts > Add Alert.
Alerts can be specified based on event severity, server name, or event code, or a combination of those factors. Alerts can
be sent for any system event.

The email that is generated by the alert has a subject line that begins with Symantec Data Loss Prevention System
Alert followed by a short event summary. The body of the email contains the same information that is displayed by the
Event Detail screen to provide complete information about the event.
Configuring the Enforce Server to send email alerts
Configuring system alerts
Server and Detectors event detail

Configuring the Enforce Server to Send Email Alerts


To send out email alerts regarding specified system events, the Enforce Server has to be configured to support the
sending of alerts and reports. This section describes how to specify the report format and how to configure Symantec
Data Loss Prevention to communicate with an SMTP server.
After completing the configuration described here, you can schedule the sending of specific reports and can create
specific system alerts.
1. Go to System > Settings > General and click Configure.
The Edit General Settings screen is displayed.
2. In the Reports and Alerts section, select one of the following distribution methods:
• Send reports as links, logon is required to view. Symantec Data Loss Prevention sends email messages with
links to reports. You must log on to the Enforce Server to view the reports.
NOTE
If the Send reports as links option is set, reports with incident data cannot be distributed.
• Send report data with emails. Symantec Data Loss Prevention sends email messages and attaches the report
data.
3. Enter the Enforce Server domain name or IP address in the Fully Qualified Manager Name field.
If you send reports as links, Symantec Data Loss Prevention uses the domain name as the basis of the URL in the
report email.
Do not specify a port number unless you have modified the Enforce Server to run on a port other than the default of
443.
4. If you want alert recipients to see any correlated incidents, check the Correlations Enabled box.
When correlations are enabled, users see them on the Incident Snapshot screen.

5. In the SMTP section, identify the SMTP server to use for sending out alerts and reports.
Enter the relevant information in the fields as described in the following table:

Server The fully qualified hostname or IP address of the SMTP server


that Symantec Data Loss Prevention uses to deliver system
events and scheduled reports.
If the SMTP server that Symantec Data Loss Prevention
uses does not accept connections on the default TCP port 25, and
uses another port number instead, specify this port number as a
suffix to the fully-qualified hostname or IP address. For example:
smtp.domain.com:587
In this example, the fully qualified hostname is smtp.domain.com, and :587 (the port
number preceded by a colon) is the suffix.
System email The email address for the alert sender. Symantec Data Loss
Prevention specifies this email address as the sender of all
outgoing email messages. Your IT department may require the
system email to be a valid email address on your SMTP server.
User ID Type a valid user name for accessing the server. For example,
enter DOMAIN\bsmith.
Password Enter the password for the User ID.
Anonymous SMTP servers are supported. If you use
an Anonymous SMTP server, you can leave the User ID and
Password fields blank.

6. Click Save.

About system alerts


Configuring system alerts
About system events

Configuring System Alerts


You can configure Symantec Data Loss Prevention to send an email alert whenever it detects a specified system event.
Alerts can be specified based on event severity, server name, or event code, or a combination of those factors. Alerts can
be sent for any system event.
System Alerts
Note that the Enforce Server must first be configured to send alerts and reports.
Configuring the Enforce Server to Send Email Alerts
Alerts are specified and edited on the Configure Alert screen, which is reached by System > Servers > Alerts and then
choosing Add Alert to create a new alert, or clicking on the name of an existing alert to modify it.
There are three kinds of conditions that you can specify to trigger an alert:
• Event type - the severity of the event.
• Server - the server associated with the event.
• Event code - a code number that identifies a particular kind of event.
For each kind of condition, you can choose one of two operators:

• Is any of.
• Is none of.
For each kind of condition, you can specify appropriate parameters:
• Event type. You can select one, or a combination of, Information, Warning, Severe. Click on an event type to specify
it. To specify multiple types, hold down the Control key while clicking on event types. You can specify one, two, or all
three types.
• Server. You can select one or more servers from the list of available servers. Click on the name of the server to specify
it. To specify multiple servers, hold down the Control key while clicking on server names. You can specify as many
different servers as necessary.
• Event code. Enter the code number. To enter multiple code numbers, separate them with commas or use the Return key to enter each code on a separate line. See System event codes and messages.
By combining multiple conditions, you can define alerts that cover a wide variety of system conditions.
NOTE
If you define more than one condition, the conditions are treated as if they were connected by the Boolean
"AND" operator. This means that the Enforce Server only sends the alert if all conditions are met. For example,
if you define an event type condition and a server condition, the Enforce Server only sends the alert if the
specified event occurs on the designated server.
1. Go to the Alerts screen (System > Servers and Detectors > Alerts).
2. Click the Add Alert tab to create a new alert, or click on the name of an alert to modify it.
The Configure Alert screen is displayed.
3. Fill in (or modify) the name of the alert. The alert name is displayed in the subject line of the email alert message.
4. Fill in (or modify) a description of the alert.
5. Click Add Condition to specify a condition that will trigger the alert.
Each time you click Add Condition you can add another condition. If you specify multiple conditions, every one of the
conditions must be met to trigger the alert.
Click on the red X next to a condition to remove it from an existing alert.
6. Enter the email address that the alert is to be sent to. Separate multiple addresses by commas.
7. Limit the maximum number of times this alert can be sent in one hour by entering a number in the Max Per Hour box.
If no number is entered in this box, there is no limit on the number of times this alert can be sent out. The
recommended practice is to limit alerts to one or two per hour, and to substitute a larger number later if necessary. If
you specify a large number, or no number at all, recipient mailboxes may be overloaded with continual alerts.
8. Click Save to finish.
The Alerts list is displayed.
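The matching and throttling rules just described (one operator per condition, all conditions AND-ed, the Max Per Hour cap), as an added Python example that is not Symantec code; the alert names, servers, recipients and events are constructed, and the event codes are taken from the tables in this section.

```python
"""Model of the alert matching rules described in this section.
Added example, not Symantec Data Loss Prevention code; all alert and event
records are constructed, using event codes from the tables that follow."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class SystemEvent:
    time: datetime
    event_type: str  # "Information", "Warning" or "Severe"
    server: str
    code: int
    summary: str


@dataclass(frozen=True)
class Condition:
    """One condition: kind is 'event_type', 'server' or 'event_code'."""
    kind: str
    is_any_of: bool  # True = "Is any of", False = "Is none of"
    values: frozenset

    def matches(self, ev: SystemEvent) -> bool:
        actual = {"event_type": ev.event_type, "server": ev.server,
                  "event_code": ev.code}[self.kind]
        # "Is none of" is the negation of "Is any of".
        return (actual in self.values) == self.is_any_of


@dataclass
class Alert:
    name: str
    recipients: tuple
    conditions: tuple
    max_per_hour: Optional[int] = None  # None: no limit (the page's default)
    sent_at: list = field(default_factory=list)

    def evaluate(self, ev: SystemEvent) -> str:
        """Return 'sent', 'no-match' or 'throttled' for one event."""
        # Conditions are AND-ed: every one must hold for the alert to fire.
        if not all(c.matches(ev) for c in self.conditions):
            return "no-match"
        if self.max_per_hour is not None:
            cutoff = ev.time - timedelta(hours=1)
            if sum(1 for t in self.sent_at if t > cutoff) >= self.max_per_hour:
                return "throttled"
        self.sent_at.append(ev.time)
        return "sent"


def run_alerts(alerts, events):
    """Evaluate alerts against events in time order; return (alert name,
    event code, outcome) for every match, throttled ones included."""
    out = []
    for ev in sorted(events, key=lambda e: e.time):
        for alert in alerts:
            outcome = alert.evaluate(ev)
            if outcome != "no-match":
                out.append((alert.name, ev.code, outcome))
    return out


def sample_alerts():
    """Two constructed alerts; fresh objects each call so sent_at starts empty."""
    security = Alert(
        name="Enforce security-relevant events",
        recipients=("secops@example.invalid",),
        # Admin password reset, account lockout, corrupt CA file, and a
        # missing or corrupt endpoint server keystore/truststore.
        conditions=(Condition("event_code", True,
                              frozenset({2099, 2121, 2134, 2137, 2139})),),
    )
    detector_disk = Alert(
        name="Detection server low disk",
        recipients=("dlp-ops@example.invalid",),
        conditions=(
            Condition("event_type", True, frozenset({"Warning", "Severe"})),
            Condition("event_code", True, frozenset({1014, 2300})),
            # AND-ed with the two above: the Enforce host itself is excluded.
            Condition("server", False, frozenset({"enforce01"})),
        ),
        max_per_hour=2,
    )
    return [security, detector_disk]


def sample_events():
    """Constructed event stream covering a little more than one hour."""
    t0 = datetime(2023, 9, 13, 8, 0)
    rows = [  # (minutes after t0, event type, server, code, summary)
        (0, "Information", "enforce01", 1000, "Monitor started"),
        (5, "Severe", "enforce01", 2121, "Account locked out"),
        (10, "Warning", "detector02", 1014, "Low disk space"),
        (15, "Information", "enforce01", 2099, "Admin password reset"),
        (20, "Warning", "detector02", 1014, "Low disk space"),
        (30, "Warning", "detector02", 1014, "Low disk space"),
        (40, "Warning", "enforce01", 2300, "Low disk space"),
        (75, "Warning", "detector02", 1014, "Low disk space"),
    ]
    return [SystemEvent(t0 + timedelta(minutes=m), et, s, c, sm)
            for m, et, s, c, sm in rows]


def run_sample():
    return run_alerts(sample_alerts(), sample_events())
```

The third low-disk event at 08:30 is throttled by the cap of two per hour, and the one at 09:15 is sent again once the 08:10 delivery has left the one-hour window; the 2300 event on enforce01 matches the code condition but fails the server condition, so the alert does not fire.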

About Log Review


Your Symantec Data Loss Prevention installation includes a number of log files. These files provide information on server
communication, Enforce Server and detection server operation, incident detection, and so on.
By default, logs for the Enforce Server and detection server are stored in the following directories:
• Windows: \ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\logs
• Linux: /var/log/Symantec/DataLossPrevention/EnforceServer/16.0.10000/

See About log files and Log files for additional information about working with logs.

System event codes and messages


Symantec Data Loss Prevention system events are monitored, reported, and logged. Each event is identified by a code number listed in the tables. See System Events.
System event lists and reports can be filtered by event codes. See System Events Reports.
NOTE
Numbers enclosed in braces, such as {0}, indicate text strings that are dynamically inserted into the actual event name or description message.

Table 274: General detection server events

Code | Summary | Description
1000 | Monitor started | All monitor processes have been started.
1001 | Local monitor started | All monitor processes have been started.
1002 | Monitor started | Some monitor processes are disabled and haven't been started.
1003 | Local monitor started | Some monitor processes are disabled and haven't been started.
1004 | Monitor stopped | All monitor processes have been stopped.
1005 | Local monitor stopped | All monitor processes have been stopped.
1006 | {0} failed to start | Process {0} can't be started. See log files for more detail.
1007 | {0} restarts excessively | Process {0} has restarted {1} times during last {2} minutes.
1008 | {0} is down | {0} process went down before it had fully started.
1010 | Restarted {0} | {0} process was restarted because it went down unexpectedly.
1011 | Restarted {0} | {0} was restarted because it was not responding.
1012 | Unable to start {0} | Cannot bind to the shutdown datagram socket. Will retry.
1013 | {0} resumed starting | Successfully bound to the shutdown socket.
1014 | Low disk space | Hard disk space is low. Symantec Data Loss Prevention server disk usage is over {0}%.

Table 275: Endpoint server events

Code | Summary | Description
1100 | Aggregator started | None
1101 | Aggregator failed to start | Error starting Aggregator. {0} No incidents will be detected.
1102 | Communications with non-legacy agents are disabled | SSL keystore and truststore are not configured for this endpoint server. Please go to configure server page to configure SSL keystore and truststore.

Table 276: Detection configuration events

Code | Summary | Description
1200 | Loaded policy "{0}" | Policy "{0}" v{1} ({2}) has been successfully loaded.
1201 | Loaded policies {0} | None
1202 | No policies loaded | No relevant policies are found. No incidents will be detected.
1203 | Unloaded policy "{0}" | Policy "{0}" has been unloaded.
1204 | Updated policy "{0}" | Policy "{0}" has been successfully updated. The current policy version is {1}. Active channels: {2}.
1205 | Incident limit reached for Policy "{0}" | The policy "{0}" has found incidents in more than {1} messages within the last {2} hours. The policy will not be enforced until the policy is changed, or the reset period of {2} hours is reached.
1206 | Long message wait time | Message wait time was {0}:{1}:{2}:{3}.
1207 | Failed to load Vector Machine Learning profile | Failed to load [{0}] Vector Machine Learning profile. See server logs for more details.
1208 | Failed to unload Vector Machine Learning profile | Failed to unload [{0}] Vector Machine Learning profile. See server logs for more details.
1209 | Loaded Vector Machine Learning profile | Loaded [{0}] Vector Machine Learning profile.
1210 | Unloaded Vector Machine Learning profile | Unloaded [{0}] Vector Machine Learning profile.
1211 | Vector Machine Learning training successful | Training succeeded for [{0}] Vector Machine Learning profile.
1212 | Vector Machine Learning training failed | Training failed for [{0}] Vector Machine Learning profile.
1213 | {0} messages timed out in Detection recently | {0} messages timed out in Detection in the last {1} minutes. Enable Detection execution trace logs for details.
1214 | Detected regular expression rules with invalid patterns | Policy set contains regular expression rule(s) with invalid patterns. See FileReader.log for details.
1216 | The Execution Matrix has reached the memory limit of 200 MBs, or the Endpoint Server did not have sufficient memory for the Execution Matrix. | The Execution Matrix has reached the memory limit of 200 MBs, or the Endpoint Server did not have sufficient memory for the Execution Matrix. Legacy agents do not receive new policies until they are upgraded to the latest agent version or if the policy set is simplified.

Table 277: File reader events

Code | Summary | Description
1301 | File Reader started | None
1302 | File Reader failed to start | Error starting File Reader. {0} No incidents will be detected.
1303 | Unable to delete folder | File Reader was unable to delete folder "{0}" in the file system. Please investigate, as this will cause system malfunction.
1304 | Channel enabled | Monitor channel "{0}" has been enabled.
1305 | Channel disabled | Monitor channel "{0}" has been disabled.
1306 | License received. | {0}.
1306 | License received. | None
1307 | started | Process is started.
1308 | down | Process is down.

Table 278: ICAP events

Code | Summary | Description
1400 | ICAP channel configured | The channel is in {0} mode
1401 | Invalid license | The ICAP channel is not licensed or the license has expired. No incidents will be detected or prevented by the ICAP channel.
1402 | Content Removal Incorrect grammar | Configuration rule in line {0} is outdated or not written in proper format. Either remove it from the config file or update the rule.
1403 | Out of memory Error (Web Prevent) while processing message | While processing request on connection ID{0}, out of memory error occurred. Please tune your setup for traffic load.
1404 | Host restriction | Any host (ICAP client) can connect to ICAP Server.
1405 | Host restriction error | Unable to get the IP address of host {0}.
1406 | Host restriction error | Unable to get the IP address of any host in Icap.AllowHosts.
1407 | Protocol Trace Enabled | Enabled Traces available at {0}.
1408 | Invalid Load Balance Factor | Icap LoadBalanceFactor configured to 0. Treating it as 1.

Table 279: MTA events

Code | Summary | Description
1500 | Invalid license | The SMTP Prevent channel is not licensed or the license has expired. No incidents will be detected or prevented by the SMTP Prevent channel.
1501 | Bind address error | Unable to bind {0}. Please check the configured address or the RequestProcessor log for more information.
1502 | MTA restriction error | Unable to resolve host {0}.
1503 | All MTAs restricted | Client MTAs are restricted, but no hosts were resolved. Please check the RequestProcessor log for more information and correct the RequestProcessor.AllowHosts setting for this Prevent server.
1504 | Downstream TLS Handshake failed | TLS handshake with downstream MTA {0} failed. Please check SmtpPrevent and RequestProcessor logs for more information.
1505 | Downstream TLS Handshake successful | TLS handshake with downstream MTA {0} was successfully completed.

Table 280: File inductor events

Code | Summary | Description
1600 | Override folder invalid | Monitor channel {0} has invalid source folder: {1} Using folder: {2}.
1601 | Source folder invalid | Monitor channel {0} has invalid source folder: {1} The channel is disabled.

Table 281: File scan events

Code | Summary | Description
1700 | Scan start failed | Discover target with ID {0} does not exist.
1701 | Scan terminated | {0}
1702 | Scan completed | Scan completed. Discover Target Name - "{0}"
1703 | Scan start failed | {0}
1704 | Share list had errors | {0}
1705 | Scheduled scan failed | Failed to start a scheduled scan of Discover target {0}. {1}
1706 | Scan suspend failed | {0}
1707 | Scan resume failed | {0}
1708 | Scheduled scan suspension failed | Scheduled suspension failed for scan of Discover target {0}. {1}
1709 | Scheduled scan resume failed | Scheduled suspension failed for scan of Discover target {0}. {1}
1710 | Maximum Scan Duration Timeout Occurred | Discover target "{0}" timed out because of Maximum Scan Duration.
1711 | Maximum Scan Duration Timeout Failed | Maximum scan time duration timed out for scan: {0}. However, an error occurred while trying to abort the scan.
1712 | Scan Idle Timeout Occurred | Discover target "{0}" timed out because of Scan Idle Timeout.
1713 | Scan Idle Timeout Failed | Maximum idle time duration timed out for scan: {0}. However, an error occurred while trying to abort the scan.
1714 | Scan terminated - Invalid Server State | Scan of discover target "{0}" has been terminated from the state of "{1}" because the associated discover server {2} entered an unexpected state of "{3}".
1715 | Scan terminated - Server Removed | Scan of discover target "{0}" has been terminated because the associated discover server {1} is no longer available.
1716 | Scan terminated - Server Reassigned | Scan of discover target "{0}" has been terminated because the associated discover server {1} is already scanning discover target(s) "{2}".
1717 | Scan terminated - Transition Failed | Failed to handle the state change of discover server {1} while scanning discover target "{0}". See log files for details.
1718 | Scan start failed | Scan of discover target "{0}" has failed to start. See log files for detailed error description.
1719 | Scan start failed due to unsupported target type | Scan of discover target "{0}" has failed, as its target type is no longer supported.
1720 | Scan started | Scan started. Discover Target Name - "{0}"
1721 | Scan paused | Scan paused. Discover Target Name - "{0}"
1722 | Scan stopped | Scan stopped. Discover Target Name - "{0}"
1723 | Scan queued | Scan queued. Discover Target Name - "{0}"
1724 | Scan failed | Scan failed. Discover Target Name - "{0}"

Table 282: Incident attachment external storage events

Code | Summary | Description
1750 | Incident attachment migration started | Migration of incident attachments from database to external storage directory has started.
1751 | Incident attachment migration completed | Completed migrating incident attachments from database to external storage directory.
1752 | Incident attachment migration failed | One or more incident attachments could not be migrated from database to external storage directory. Check the incident persister log for more details. Once the error is resolved, restart the SymantecDLPIncidentPersisterService service to resume the migration.
1753 | Incident attachment migration error. | One or more incident attachments migration from database to external storage directory has encountered error. Check the incident persister log for more details. Migration will continue and will retry erred attachment later.
1754 | Failed to update incident attachment deletion schedule | Failed to update the schedule to delete incident attachments in the external directory. Check the incident persister log for more details.
1755 | Incident attachment deletion started | Deletion of obsolete incident attachments from the external storage directory has started.
1756 | Incident attachment deletion completed | Deletion of obsolete incident attachments from the external storage directory has completed.
1757 | Incident attachment deletion failed | One or more incident attachments could not be deleted from the external storage directory. Check the incident persister log for more details.
1758 | Incident attachment external storage directory is not accessible | Incident attachment external storage directory is not accessible. Check the incident persister log for more details.
 | Incident attachment external storage directory is accessible | Incident attachment external storage directory is accessible.

Table 283: Incident persister and incident writer events

Code | Summary | Description
1800 | Incident Persister is unable to process incident | Persister ran out of memory processing incident {0}.
1801 | Incident Persister failed to process incident | Incident {0}
1802 | Corrupted incident received | A corrupted incident was received, and renamed to {0}.
1803 | Policy misconfigured | Policy "{0}" has no associated severity.
1804 | Incident Persister is unable to start | Incident Persister cannot start because it failed to access the incident folder {0}. Check folder permissions.
1805 | Incident Persister is unable to access Incidents folder | The Incident Persister is unable to access the incident folder {0}. Check folder permissions.
1806 | Response rule processing failed to start | Response rule processing failed to start: {0}.
1807 | Response rule processing execution failed | Response rule command runtime execution failed from error: {0}.
1808 | Unable to write incident | Failed to delete old temporary file {0}.
1809 | Unable to write incident | Failed to rename temporary incident file {0}.
1810 | Unable to list incidents | Failed to list incident files in folder {0}. Check folder permissions.
1811 | Error sending incident | Unexpected error occurred while sending an incident. {0} Look in the incident writer log for more information.
1812 | Incident writer stopped | Failed to delete incident file {0} after it was sent. Delete the file manually, correct the problem and restart the incident writer.
1813 | Failed to list incidents | Failed to list incident files in folder {0}. Check folder permissions.
1814 | Incident queue backlogged | There are {0} incidents in this server's queue.
1815 | Low disk space on incident server | Hard disk space for the incident data storage server is low. Disk usage is over {0}%.
1816 | Failed to update policy statistics | Failed to update policy statistics for policy {0}.
1817 | Daily incident maximum exceeded | The daily incident maximum for policy {0} has been exceeded.\n No further incidents will be generated.
1818 | Incident is oversized, has been persisted with a limited number of components and/or violations | Incident is oversized, has been partially persisted with messageID {0}, Incident File Name {1}.
1821 | Failure to process an incident received from the cloud gateway | Unexpected error occurred while sending an incident {0}

Table 284: Install or update events

Code | Summary | Description
1900 | Failed to load update package | Database connection error occurred while loading the software update package {0}.
1901 | Software update failed | Failed to apply software update from package {0}. Check the update service log.

Table 285: Key ignition password events

Code | Summary | Description
2000 | Key ignition error | Failed to ignite keys with the new ignition password. Detection against Exact Data Profiles will be disabled.
2001 | Unable to update key ignition password. | The key ignition password won't be updated, because the cryptographic keys aren't ignited. Exact Data Matching will be disabled.

Table 286: Admin password reset event code

Code | Summary | Description
2099 | Administrator password reset | The Administrator password has been reset by the password reset tool.

Table 287: Manager administrator and policy events

Code | Summary | Description
2100 | Administrator saved | The administrator settings were successfully saved.
2101 | Data source removed | The data source with ID {0} was removed by {1}.
2102 | Data source saved | The {0} data source was saved by {1}.
2103 | Document source removed | The document source with ID {0} was removed by {1}.
2104 | Document source saved | The {0} document source was saved by {1}.
2105 | New protocol created | The new protocol {0} was created by {1}.
2106 | Protocol order changed | The protocol {0} was moved {1} by {2}.
2107 | Protocol removed | The protocol {0} was removed by {1}.
2108 | Protocol saved | The protocol {0} was edited by {1}.
2109 | User removed | The user with ID {0} was removed by {1}.
2110 | User saved | The user {0} was saved by {1}.
2111 | Runaway lookup detected | One of the attribute lookup plug-ins did not complete gracefully and left a running thread in the system. Manager restart may be required for cleanup.
2112 | Loaded Custom Attribute Lookup Plug-ins | The following Custom Attribute Lookup Plug-ins were loaded: {0}.
2113 | No Custom Attribute Lookup Plug-in was loaded | No Custom Attribute Lookup Plug-in was found.
2114 | Custom attribute lookup failed | Lookup plug-in {0} timed out. It was unloaded.
2115 | Custom attribute lookup failed | Failed to instantiate lookup plug-in {0}. It was unloaded. Error message: {1}
2116 | Policy changed | The {0} policy was changed by {1}.
2117 | Policy removed | The {0} policy was removed by {1}.
2118 | Alert or scheduled report sending failed. | {0} configured by {1} contains the following unreachable email addresses: {2}. Either the addresses are bad or your email server does not allow relay to those addresses.
2119 | System settings changed | The system settings were changed by {0}.
2120 | Endpoint Location settings changed | The endpoint location settings were changed by {0}.
2121 | The account ''{1}'' has been locked out | The maximum consecutive failed logon number of {0} attempts has been exceeded for account ''{1}'', consequently it has been locked out.
2122 | Loaded FlexResponse Actions | The following FlexResponse Actions were loaded: {0}.
2123 | No FlexResponse Action was loaded. | No FlexResponse Action was found.
2124 | A runaway FlexResponse action was detected. | One of the FlexResponse plug-ins did not complete gracefully and left a running thread in the system. Manager restart may be required for cleanup.
2125 | Data Insight settings changed. | The Data Insight settings were changed by {0}.
2126 | Agent configuration created | Agent configuration {0} was created by {1}.
2127 | Agent configuration modified | Agent configuration {0} was modified by {1}.
2128 | Agent configuration removed | Agent configuration {0} was removed by {1}.
2129 | Agent configuration applied | Agent configuration {0} was applied to endpoint server {1} by {2}.
2130 | Directory Connection source removed | The directory connection source with ID {0} was removed by {1}.
2131 | Directory Connection source saved | The {0} directory connection source was saved by {1}.
2132 | Agent Troubleshooting Task | Agent Troubleshooting task of type {0} created by user {1}.
2133 | Certificate authority file generated. | Certificate authority file {0} generated.
2134 | Certificate authority file is corrupt. | Certificate authority file {0} is corrupt.
2135 | Password changed for certificate authority file. | Password changed for certificate authority file {0}. New certificate authority file is {1}.
2136 | Server keystore generated. | Server keystore {0} generated for endpoint server {1}.
2137 | Server keystore is missing or corrupt. | Server keystore {0} for endpoint server {1} is missing or corrupt.
2138 | Server truststore generated. | Server truststore {0} generated for endpoint server {1}.
2139 | Server truststore is missing or corrupt. | Server truststore {0} for endpoint server {1} is missing or corrupt.
2140 | Client certificates and key generated. | Client certificates and key generated.
2141 | Agent installer package generated. | Agent installer package generated for platforms {0}.

Table 288: Enforce licensing and key ignition events

Code | Summary | Description
2200 | End User License Agreement accepted | The Symantec Data Loss Prevention End User License Agreement was accepted by {0}, {1}, {2}.
2201 | License is invalid | None
2202 | License has expired | One or more of your product licenses has expired. Some system feature may be disabled. Check the status of your licenses on the system settings page.
2203 | License about to expire | One or more of your product licenses will expire soon. Check the status of your licenses on the system settings page.
2204 | No license | The license does not exist, is expired or invalid. No incidents will be detected.
2205 | Keys ignited | The cryptographic keys were ignited by administrator logon.
2206 | Key ignition failed | Failed to ignite the cryptographic keys manually. Please look in the Enforce Server logs for more information. It will be impossible to create new exact data profiles.
2207 | Auto key ignition | The cryptographic keys were automatically ignited.
2208 | Manual key ignition required | The automatic ignition of the cryptographic keys is not configured. Administrator logon is required to ignite the cryptographic keys. No new exact data profiles can be created until the administrator logs on.

Table 289: Manager major events

Code | Summary | Description
2300 | Low disk space | Hard disk space is low. Symantec Data Loss Prevention Enforce Server disk usage is over {0}%.
2301 | Tablespace is almost full | Oracle tablespace {0} is over {1}% full.
2302 | {0} not responding | Detection Server {0} did not update its heartbeat for at least 20 minutes.
2303 | Monitor configuration changed | The {0} monitor configuration was changed by {1}.
2304 | System update uploaded | A system update was uploaded that affected the following components: {0}.
2305 | SMTP server is not reachable. | SMTP server is not reachable. Cannot send out alerts or schedule reports.
2306 | Enforce Server started | The Enforce Server was started.
2307 | Enforce Server stopped | The Enforce Server was stopped.
2308 | Monitor status updater exception | The monitor status updater encountered a general exception. Please look at the Enforce Server logs for more information.
2309 | System statistics update failed | Unable to update the Enforce Server disk usage and database usage statistics. Please look at the Enforce Server logs for more information.
2310 | Statistics aggregation failure | The statistics summarization task encountered a general exception. Refer to the Enforce Server logs for more information.
2311 | Version mismatch | Enforce version is {0}, but this monitor's version is {1}.
2312 | Incident deletion failed | Incident Deletion failed.
2313 | Incident deletion completed | Incident deletion ran for {0} and deleted {1} incident(s).
2314 | Endpoint data deletion failed | Endpoint data deletion failed.
2315 | Incident deletion started | Incident deletion process started.
2316 | Over {0} incidents currently contained in the database | Persisting over {0} incidents can decrease database performance.
2318 | Incident deletion flagging process started. | Incident deletion flagging process started.
2319 | Incident deletion flagging process ended. | Incident deletion flagging process ended.

Table 290: Monitor version support events

Code | Summary | Description
2320 | Version obsolete | Detection server is not supported when two major versions older than Enforce server version. Enforce version is {0}, and this detection server's version is {1}. This detection server must be upgraded.
2321 | Version older than Enforce version | Enforce will not have visibility for this detection server and will not be able to send updates to it. Detection server incidents will be received and processed normally. Enforce version is {0}, and this detection server's version is {1}.
2322 | Version older than Enforce version | Functionality introduced with recent versions of Enforce relevant to this type of detection server will not be supported by this detection server. Enforce version is {0}, and this detection server's version is {1}.
2323 | Minor version older than Enforce minor version | Functionality introduced with recent versions of Enforce relevant to this type of detection server will not be supported by this detection server and might be incompatible with this detection server. Enforce version is {0}, and this detection server's version is {1}. This detection server should be upgraded.
2324 | Version newer than Enforce version | Detection server is not supported when its version is newer than the Enforce server version. Enforce version is {0}, and this detection server's version is {1}. Enforce must be upgraded or detection server must be downgraded.

Table 291: Manager reporting events

Code | Summary | Description
2400 | Export web archive finished | Archive "{0}" for user {1} was created successfully.
2401 | Export web archive canceled | Archive "{0}" for user {1} was canceled.
2402 | Export web archive failed | Failed to create archive "{0}" for user {1}. The report specified had over {2} incidents.
2403 | Export web archive failed | Failed to create archive "{0}" for user {1}. Failure occurred at incident {2}.
2404 | Unable to run scheduled report | The scheduled report job {0} was invalid and has been removed.
2405 | Unable to run scheduled report | The scheduled report {0} owned by {1} encountered an error: {2}.
2406 | Report scheduling is disabled | The scheduled report {0} owned by {1} cannot be run because report scheduling is disabled.
2407 | Report scheduling is disabled | The scheduled report cannot be run because report scheduling is disabled.
2408 | Unable to run scheduled report | Unable to connect to mail server when delivery scheduled report {0} {1}.
2409 | Unable to run scheduled report | User {0} is no longer in role {1} which scheduled report {2} belongs to. The schedule has been deleted.
2410 | Unable to run scheduled report | Unable to run scheduled report {0} for user {1} because the account is currently locked.
2411 | Scheduled report sent | The schedule report {0} owned by {1} was successfully sent.
2412 | Export XML report failed | XML Export of report by user [{0}] failed.
2420 | Unable to run scheduled data owner report distribution | Unable to distribute report {0} (id={1}) by data owner because sending of report data has been disabled.
2421 | Report distribution by data owner failed | Report distribution by data owner for report {0} (id={1}) failed.
2422 | Report distribution by data owner finished | Report distribution by data owner for report {0} (id={1}) finished with {2} incidents for {3} data owners. {4} incidents for {5} data owners failed to be exported.
2423 | Report distribution to data owner truncated | The report distribution {1} (id={2}) for the data owner "{0}" exceeded the maximum allowed size. Only the first {3} incidents were sent to "{0}".

Table 292: Messaging events

Code | Summary | Description
2500 | Unexpected Error Processing Message | {0} encountered an unexpected error processing a message. See the log file for details.
2501 | Memory Throttler disabled | {0} x {1} bytes need to be available for memory throttling. Only {2} bytes were available. Memory Throttler has been disabled.

Table 293: Detection server communication events

Code | Summary | Description
2600 | Communication error | Unexpected error occurred while sending {1} updates to {0}. {2} Please look at the monitor controller logs for more information.
2650 | Communication error(VML) | Unexpected error occurred while sending profile updates config set {0} to {1} {2}. Please look at the monitor controller logs for more information.

Table 294: Monitor controller events

Code | Summary | Description
2700 | Monitor Controller started | Monitor Controller service was started.
2701 | Monitor Controller stopped | Monitor Controller service was stopped.
2702 | Update transferred to {0} | Successfully transferred update package {1} to detection server {0}.
2703 | Update transfer complete | Successfully transferred update package {0} to all detection servers.
2704 | Update of {0} failed | Failed to transfer update package to detection server {0}.
2705 | Configuration file delivery complete | Successfully transferred config file {0} to detection server.
2706 | Log upload request sent. | Successfully sent log upload request {0}.
2707 | Unable to send log upload request | Encountered a recoverable error while attempting to deliver log upload request {0}.
2708 | Unable to send log upload request | Encountered an unrecoverable error while attempting to deliver log upload request {0}.
2709 | Using built-in certificate | Using built-in certificate to secure the communication between Enforce and Detection Servers.
2710 | Using user generated certificate | Using user generated certificate to secure the communication between Enforce and Detection Servers.
2711 | Time mismatch between Enforce and Monitor. This may affect certain functions in the system. | Time mismatch between Enforce and Monitor. It is recommended to fix the time on the monitor through automatic time synchronization.
2712 | Connected to cloud detector | Connected to cloud detector.
2713 | Cloud connector disconnected | Error {0} - check your network settings.

Table 295: Packet capture events

Code | Summary | Description
2800 | Bad spool directory configured for Packet Capture | Packet Capture has been configured with a spool directory: {0}. This directory does not have write privileges. Please check the directory permissions and monitor configuration file. Then restart the monitor.
2801 | Failed to send list of NICs. {0} | {0}.

Table 296: EDM index events and messages

Code | Summary | Description

2900 | EDM profile search failed | {0}.
2901 | Keys are not ignited | Exact Data Matching will be disabled until the cryptographic keys are ignited.
2902 | Index folder inaccessible | Failed to list files in the index folder {0}. Check the configuration and the folder permissions.
2903 | Created index folder | The local index folder {0} specified in the configuration had not existed. It was created.
2904 | Invalid index folder | The index folder {0} specified in the configuration does not exist.
2905 | Exact data profile creation failed | Data file for exact data profile "{0}" was not created. Please look in the enforce server logs for more information.
2906 | Indexing canceled | Creation of database profile "{0}" was canceled.
2907 | Replication canceled | Canceled replication of database profile "{0}" version {1} to server {2}.
2908 | Replication failed | Connection to database was lost while replicating database profile {0} to server {1}.
2909 | Replication failed | Database error occurred while replicating database profile {0} to server {1}.
2910 | Failed to remove index file | Failed to delete index file {1} of database profile {0}.
2911 | Failed to remove index files | Failed to delete index files {1} of database profile {0}.
2912 | Failed to remove orphaned file | Failed to remove orphaned database profile index file {0}.
2913 | Replication failed | Replication of database profile {0} to server {2} failed.{1} Check the monitor controller log for more details.
2914 | Replication completed | Completed replication of database profile {0} to server {2}. File {1} was transferred successfully.
2915 | Replication completed | Completed replication of database profile {0} to the server {2}. Files {1} were transferred successfully.
2916 | Database profile removed | Database profile {0} was removed. File {1} was deleted successfully.
2917 | Database profile removed | Database profile {0} was removed. Files {1} were deleted successfully.
2918 | Loaded database profile | Loaded database profile {0} from {1}.
2919 | Unloaded database profile | Unloaded database profile {0}.
2920 | Failed to load database profile | {2} No incidents will be detected against database profile "{0}" version {1}.
2921 | Failed to unload database profile | {2} It may not be possible to reload the database profile "{0}" version {1} in the future without detection server restart.
2922 | Couldn't find registered content | Registered content with ID {0} wasn't found in database during indexing.
2923 | Database error | Database error occurred during indexing. {0}
2924 | Process shutdown during indexing | The process has been shutdown during indexing. Some registered content may have failed to create.
2925 | Policy is inaccurate | Policy "{0}" has one or more rules with unsatisfactory detection accuracy against {1}.{2}
2926 | Created exact data profile | Created {0} from file "{1}".\nRows processed: {2}\nInvalid rows: {3}\nThe exact data profile will now be replicated to all Symantec Data Loss Prevention Servers.
2927 | User Group "{0}" synchronization failed | The following User Group directories have been removed/renamed in the Directory Server and could not be synchronized: {1}. Please update the "{2}" User Group page to reflect such changes.
2928 | One or more EDM profiles are out of date and must be reindexed | Check the "Manage > Data Profiles > Exact Data" page for more details. The following EDM profiles are out of date: {0}.

Table 297: IDM index events and messages

Code | Summary | Description

3000 | {0} | {1} Document profile wasn't created.
3001 | Indexing canceled | Creation of document profile "{0}" was canceled.
3002 | Replication canceled | Canceled replication of document profile "{0}" version {1} to server {2}.
3003 | Replication failed | Connection to database was lost while replicating document profile "{0}" version {1} to server {2}.
3004 | Replication failed | Database error occurred while replicating document profile "{0}" version {1} to server {2}.
3005 | Failed to remove index file | Failed to delete index file {2} of document profile "{0}" version {1}.
3006 | Failed to remove index files | Failed to delete index files {2} of document profile "{0}" version {1}.
3007 | Failed to remove orphaned file | {0}
3008 | Replication failed | Replication of document profile "{0}" version {1} to server {3} failed. {2}\nCheck the monitor controller log for more details.
3009 | Replication completed | Completed replication of document profile "{0}" version {1} to server {3}. File {2} was transferred successfully.
3010 | Replication completed | Completed replication of document profile "{0}" version {1} to server {3}.\nFiles {2} were transferred successfully.
3011 | Document profile removed | Document profile "{0}" version {1} was removed. File {2} was deleted successfully.
3012 | Document profile removed | Document profile "{0}" version {1} was removed. Files {2} were deleted successfully.
3013 | Loaded document profile | Loaded document profile "{0}" version {1} from {2}.
3014 | Unloaded document profile | Unloaded document profile "{0}" version {1}.
3015 | Failed to load document profile | {2} No incidents will be detected against document profile "{0}" version {1}.
3016 | Failed to unload document profile | {2} It may not be possible to reload the document profile "{0}" version {1} in the future without monitor restart.
3017 | Created document profile | Created "{0}" from "{1}". There are {2} accessible files in the content root. {3} The profile contains index for {4} document(s). {5} The document profile will now be replicated to all Symantec Data Loss Prevention Servers.
3018 | Document profile | {0} has reached maximum size. Only {1} out of {2} documents are indexed.
3019 | Nothing to index | Document source "{0}" found no files to index.
3020 | Created document profile | Created "{0}" from "{1}". There are {2} accessible files in the content root. {3} The profile contains index for {4} document(s). Comparing to last indexing run: {5} new document(s) were added, {6} document(s) were updated, {7} documents were unchanged, and {8} documents were removed. The document profile will now be replicated to all Symantec Data Loss Prevention servers.
3021 | Nothing to index | The new remote IDM profile for source "{0}" was identical to the previous imported version.
3022 | Profile conversion | IDM profile {0} has been converted to {1} on the endpoint.
3023 | Endpoint IDM profiles memory usage | IDM profile {0} size plus already deployed profiles size are too large to fit on the endpoint, only exact matching will be available.

Table 298: Attribute lookup events

Code | Summary | Description

3100 | Invalid Attributes detected with Script Lookup Plugin | Invalid or unsafe Attributes passed from Standard In were removed during script execution. Please check the logs for more details.
3101 | Invalid Attributes detected with Script Lookup Plugin | Invalid or unsafe Attributes passed to Standard Out were removed during script execution. Please check the logs for more details.

Table 299: Monitor stub events

Code | Summary | Description

3200 | AggregatorStub started | None
3201 | {0} updated | List of updates:{1}.
3202 | {0} store intialized | Initial items:{1}.
3203 | Received {0} | Size: {1} bytes.
3204 | FileReaderStub started | None
3205 | IncidentWriterStub started | Using test incidents folder {0}.
3206 | Received configuration for {0} | {1}.
3207 | PacketCaptureStub started | None
3208 | RequestProcessorStub started | None
3209 | Received advanced settings | None
3210 | Updated settings | Updated settings:{0}.
3211 | Loaded advanced settings | None
3212 | UpdateServiceStub started | None
3213 | DetectionServerDatabaseStub started | None

Table 300: Packet capture events

Code | Summary | Description

3300 | Packet Capture started | Packet Capture has successfully started.
3301 | Capture failed to start on device {0} | Device {0} is configured for capture, but could not be initialized. Please see PacketCapture.log for more information.
3302 | PacketCapture could not elevate its privilege level | PacketCapture could not elevate its privileges. Some initialization tasks are likely to fail. Please check ownership and permissions of the PacketCapture executable.
3303 | PacketCapture failed to drop its privilege level | Root privileges are still attainable after attempting to drop them. PacketCapture will not continue
3304 | Packet Capture started again as more disk space is available | Packet capture started processing again because some disk space was freed on the monitor hard drives.
3305 | Packet Capture stopped due to disk space limit | Packet capture stopped processing packets because there is too little space on the monitor hard drives.
3306 | Endace DAG driver is not available | Packet Capture was unable to activate Endace device support. Please see PacketCapture.log for more information.
3307 | PF_RING driver is not available | Packet Capture was unable to activate devices using the PF_RING interface. Please check PacketCapture.log and your system logs for more information.
3308 | PACKET_MMAP driver is not available | Packet Capture was unable to activate devices using the PACKET_MMAP interface. Please check PacketCapture.log and your system logs for more information.
3309 | {0} is not available | Packet Capture was unable to load {0}. No native capture interface is available. Please see PacketCapture.log for more information.
3310 | No {0} Traffic Captured | {0} traffic has not been captured in the last {1} seconds. Please check Protocol filters and the traffic sent to the monitoring NIC.
3311 | Could not create directory | Could not create directory {0} : {1}.

Table 301: Log collection events

Code | Summary | Description

3400 | Couldn't add files to zip | The files requested for collection could not be written to an archive file.
3401 | Couldn't send log collection | The files requested for collection could not be sent.
3402 | Couldn't read logging properties | A properties file could not be read. Logging configuration changes were not applied.
3403 | Couldn't unzip log configuration package | The zip file containing logging configuration changes could not be unpacked. Configuration changes will not be applied.
3404 | Couldn't find files to collect | There were no files found for the last log collection request sent to server.
3405 | File creation failed | Could not create file to collect endpoint logs.
3406 | Disk usage exceeded | File creation failed due to insufficient disk space.
3407 | Max open file limit exceeded | File creation failed as max allowed number of files are already open.

Table 302: Enforce SPC events

Code | Summary | Description

3500 | SPC Server successfully registered. | SPC Server successfully registered. Product Instance Id [{0}].
3501 | SPC Server successfully unregistered. | SPC Server successfully unregistered. Product Instance Id [{0}].
3502 | A self-signed certificate was generated. | A self-signed certificate was generated. Certificate alias [{0}].

Table 303: Enforce user data sources events

Code | Summary | Description

3600 | User import completed successfully. | User import from source {0} completed successfully.
3601 | User import failed. | User import from data source {0} has failed.
3602 | Updated user data linked to incidents. | Updated user data linked to {0} existing incident events.

Table 304: Catalog item distribution related events

Code | Summary | Description

3700 | Unable to write catalog item | Failed to delete old temporary file {0}.
3701 | Unable to rename catalog item | Failed to rename temporary catalog item file {0}.
3702 | Unable to list catalog items | Failed to list catalog item files in folder {0}. Check folder permissions.
3703 | Error sending catalog items | Unexpected error occurred while sending a catalog item.{0} Look in the file reader log for more information.
3704 | File Reader failed to delete files. | Failed to delete catalog file {0} after it was sent.\nDelete the file manually, correct the problem and restart the File Reader.
3705 | Failed to list catalog item files | Failed to list catalog item files in folder {0}. Check folder permissions.
3706 | The configuration is not valid. | The property {0} was configured with invalid value {1}. Please make sure that this has correct value provided.
3707 | Scan failed: Remediation detection catalog could not be updated | Remediation detection catalog update timed out after {0} seconds for target {1}.

Table 305: Detection server database events

Code | Summary | Description

3800 | DetectionServerDatabase started | None
3801 | DetectionServerDatabase failed to start | Error starting DetectionServerDatabase. Reason: {0}.
3802 | Invalid Port for DetectionServerDatabase | Could not retrieve the port for DetectionServerDatabase process to listen to connection. Reason: {0}. Check if the property file setting has the valid port number.

Table 306: Endpoint communication layer events

Code | Summary | Description

3900 | Internal communications error. | Internal communications error. Please see {0} for errors. Search for the string {1}.
3901 | System events have been suppressed. | System event throttle limit exceeded. {0} events have been suppressed. Internal error code = {1}.

Table 307: Agent communication event code

Code | Summary | Description

4000 | Agent Handshaker error | Agent Handshaker error. Please see {0} for errors. Search for the string {1}.

Table 308: Monitor controller replication communication layer application error events

Code | Summary | Description

4050 | Agent data batch persist error | Unexpected error occurred while agent data being persisted : {0}. Please look at the monitor controller logs for more information.
4051 | Agent status attribute batch persist error | Status attribute data for {0} agent(s) could not be persisted. Please look at the monitor controller logs for more information.
4052 | Agent event batch persist | Event data for {0} agent(s) could not be persisted. Please look at the monitor controller logs for more information.

Table 309: Enforce Server web services event code

Code | Summary | Description

4101 | Response Rule Execution Service Database failure on request fetch | Request fetch failed even after {0} retries. Database connection still down. The service will be stopped.

Table 310: Cloud service enrollment events

Code | Summary | Description

4200 | Cloud Service enrollment: successfully received client certificate from Symantec Managed PKI Service | Cloud Service enrollment: successfully received client certificate from Symantec Managed PKI Service.
4201 | Cloud Service enrollment: error requesting client certificate from Symantec Managed PKI Service | ERROR {0}.
4205 | Symantec Managed PKI certificate expires in {0} days | Symantec Managed PKI certificate expires in {0} days.
4206 | Symantec Managed PKI Service certificate has expired | Symantec Managed PKI Service certificate has expired.
4210 | Cloud Service enrollment bundle error | Invalid enrollment file content.
4211 | Cloud Service enrollment bundle error | Enrollment file missing from ZIP bundle.
4212 | Invalid Cloud Detector enrollment bundle | Detector info doesn't match the existing configuration.

Table 311: Cloud detector event code

Code | Summary | Description

4300 | Cloud Detector created in Enforce | Cloud detector {0} created in Enforce.

Table 312: User Groups profile event code

Code | Summary | Description

4400 | One or more User Group profiles are out of date and must be reindexed. | Check the System > Users > User Groups page for more details. The following User Group profiles are out of date: {0}.

Table 313: Cloud operations event code

Code | Summary | Description

4701 | Cloud operations events or notifications | Cloud operations issued an event or notification about the cloud service.

Table 314: OCR event codes

Code | Summary | Description

4800 | OCR service is busy | Request not processed. OCR server's request queue is full.
4801 | Request failed to connect to OCR server | Please verify OCR server's address, port, and that it is reachable. Check logs for more detail.
4802 | OCR server had an internal server error | Please check OCR server logs for details about what went wrong.
4803 | OCR request was not successful | {0}
4804 | Failed to initialize OCR Client | {0}
4805 | An Unknown error encountered | {0}
4807 | The client and/or OCR server are not authorized with each other | Unable to verify client and server with each other as authorized endpoints. Please verify that the client and server keystores are configured correctly. Check logs on detection server and OCR server for more details.

Table 315: Network Discover Cluster event code

Code | Summary | Description

2705 | Configuration file {0} delivery complete | Transferred configuration file {0} to detection server.
2726 | Connected to detection server | Connected to detection server.
2727 | Detection server connection disconnected | Error [FAILURE_TO_CONNECT]. Check your network settings.
2730 | Initiated detection server disconnection | Initiated detection server disconnection. [REMOTE_PEER_DISCONNECTED]
3408 | Unable to create temp directory | Unable to create a temporary directory for log configuration.
3409 | Unable to create temp file | Unable to create a temporary zip file for log configuration.
3410 | Unexpected error while applying log configuration | An error occurred while applying the log configuration. Review the Detector process logs.
3411 | Unexpected error while sending log configuration | An error occurred while sending the log configuration. Review the monitor controller logs.
3412 | Failed to upload the logs to the file share | Failed to upload the logs to the file share.\nError Message: {0}\nFile Share Path: {1}\nNode ID: {2}
3413 | Timed out waiting for the log file upload to complete on all cluster nodes | The cluster timed out while waiting for the log file upload to complete on all cluster nodes.\nLog collection event ID: {event Id}\nTimeout in milliseconds: {timeout value}\nNode ID: {cluster node Id}
3414 | Failed to update the log configuration from zip file | Failed to update the log configuration from zip file.\nError Message: {error message}\nNode ID: {cluster node Id}
5802 | Local database connectivity failed | Failed to connect to the local database.\nAutomatic recovery of the database will be attempted. For details, check the Symantec DLP detector logs on Discover cluster worker node: {cluster node system name}.
5806 | Initiated the Discover cluster {detection server name} recycle process | Initiated the Discover cluster {detection server name} recycle process.
5807 | Discover cluster {Detection Server Name} recycle completed successfully | Completed the recycle process for all nodes in the Discover cluster {Detection Server Name}.
5808 | Discover cluster {0} recycle failed | {0} nodes in the Discover cluster {1} did not finish recycling.
5809 | Discover cluster storage is running on node {0} | Discover cluster storage is running on node {0}.
5810 | Discover cluster storage is down on node {0} | Discover cluster storage is down on node {0}.
6000 | Low disk space | Hard disk space is low. Hard disk space is low. The detection server disk usage is over {usage}%.
6101 | The Detector process started | The Detector process started.
6102 | Discover Cluster data node {cluster node Id} started | Discover cluster data node {cluster node Id} started successfully.
6103 | Discover cluster worker node {cluster node Id} started | Discover cluster worker node {cluster node Id} started successfully.
6104 | {ServiceName} Detector Process failed to start | {ServiceName} Detector process failed to start. Review the Symantec DLP detector logs.
6105 | Discover cluster data node {cluster node Id} startup failed | Discover cluster data node {cluster node Id} failed to start. Review the Symantec DLP detector logs.
6106 | Discover cluster worker node {cluster node Id} startup failed | Discover cluster worker node {cluster node Id} failed to start. Review the Symantec DLP detector logs.
6107 | Restarted {Process Name} | {Process Name} was restarted because it wasn't responding.
6108 | {Process Name} is down | {Process Name} process went down before it fully started.
6109 | {Process Name} restarts excessively | The {Process Name} process has restarted {1} times during last {2} minutes.
6110 | Detector process recycle requested | The Detector process will be restarted as per the recycle request.
6111 | Discover cluster node {cluster node Id} recycle requested | The Discover cluster node {cluster node Id} will restart based on a recycle request.

Managing the Symantec Data Loss Prevention database


This content includes the following topics:
Working with Symantec Data Loss Prevention database diagnostic tools
Viewing Tablespaces and Data File Allocations
Viewing Table Details

Working with Symantec Data Loss Prevention database diagnostic tools


The Enforce Server administration console lets you view diagnostic information about the tablespaces and tables in your
database to help you better manage your database resources. You can see how full your tablespaces and tables are, and
whether or not the files in the tables are automatically extendable to accommodate more data. This information can help
you manage your database by understanding where you may want to enable the Oracle Autoextend feature on data files,
or otherwise manage your database resources. You can also generate a detailed database report to share with Symantec
Technical Support for help with troubleshooting database issues.
You can view the allocation of tablespaces, including the size, memory usage, extendability, status, and number of files in
each tablespace. You can also view the name, size, and Autoextend setting for each file in a tablespace. In addition, you
can view table-level allocations for incident data tables, other tables, indexes, and large object (LOB) tables.
You can generate a full database report in HTML format to share with Symantec Technical Support at any time by clicking
Get full report. The data in the report can help Symantec Technical Support troubleshoot issues in your database.
Generating a database report

Viewing Tablespaces and Data File Allocations


View tablespaces and data file allocations to confirm information about the database.
You can view tablespaces and data file allocations on the Database Tablespaces Summary page (System > Database
> Tablespaces Summary).
The following table lists details about the Database Tablespaces Summary page.

Table 316: Database tablespaces summary

Field | Description

Name | The name of the tablespace.
Size | The size of the tablespace in megabytes.
Used (%) | The percentage of the tablespace currently in use. This percentage is calculated based on the Used (MB) and Size values. It does not take into account the Extendable To (MB) value.
Used (MB) | The amount of the tablespace currently in use, in megabytes.
Extendable To (MB) | The size to which the tablespace can be extended. This value is based on the Autoextend settings of the files within the tablespace.
Status | The current status of the tablespace according to the percentage of the tablespace currently in use, depending on the warning thresholds. If you are using the default warning threshold settings, the status is:
    • OK: The tablespace is under 80% full, or the tablespace can be automatically extended.
    • Warning: The tablespace is between 80% and 90% full. If you see a warning on a tablespace, you may consider enabling Autoextend on the data files in the tablespace or extending the maximum value for data file auto-extensibility.
    • Severe: The tablespace is more than 90% full. If you see a severe warning on a tablespace, you should enable Autoextend on the data files in the tablespace, extend the maximum value for data file auto-extensibility, or determine whether you can purge some of the data in the tablespace.
Number of Files | The number of data files in the tablespace. Select a tablespace from the list to view details about the files it contains. The tablespace file view displays the following information:
    • Name: The name of the file.
    • Size: The size of the file, in megabytes.
    • Auto Extendable: Specifies if the file is automatically extendable based on the Autoextend setting of the file in the Oracle database.
    • Extendable To (MB): The maximum size to which the file can be automatically extended, in megabytes.
    • Path: The path to the file.

Adjusting warning thresholds for tablespace usage in large databases


If your database contains a very large amount of data (1 terabyte or more), you may want to adjust the warning thresholds
for tablespace usage. For such large databases, Symantec recommends adjusting the Warning threshold to 85% full, and
the Severe threshold to 95% full. You may want to set these thresholds even higher for larger databases. You can specify
these values in the Manager.properties file.
To adjust the tablespace usage warning thresholds
1. Open the Manager.properties file in a text editor.
2. Set the Warning and Severe thresholds to the following values:
com.vontu.manager.tablespaceThreshold.warning=85
com.vontu.manager.tablespaceThreshold.severe=95
3. Save the changes to the Manager.properties file and close it.
4. Restart the Symantec DLP Manager service to apply your changes.

Generating a Database Report


Generate a database report to review database details and to troubleshoot database issues.
You can generate a full database report in HTML format at any time by clicking Get full report on the Database
Tablespaces Summary page. The database report includes the following information:
• Detailed database information
• Incident data distribution
• Message data distribution
• Policy group information
• Policy information
• Endpoint agent information
• Detection server (monitor) information
Symantec Support may request this report to help troubleshoot database issues.
1. Navigate to System > Database > Tablespaces Summary.
2. Click Get full report.
3. The report takes several minutes to generate. Refresh your screen after several minutes to view the link to the report.
4. To open or save the report, click the link above the Tablespaces Allocation table. The link includes the timestamp of
the report for your convenience.
5. In the Open File dialog box, choose whether to open the file or save it.
6. To view the report, open it in a web browser or text editor.
7. To update the report, click Update full report.

Viewing Table Details


You can view table-level allocations on the Database Table Details page (System > Database > Table Details). Viewing
table-level allocations can be useful after a large data purge to see the de-allocation of space within your database
segments. You can refresh the information displayed on this page by clicking Update table data at any time.
The Database Table Details page displays your table-level allocations on one of four tabs. The following table describes each tab and the fields it shows.

Table 317: Database table details description

Tab and description | Field and description

Incident Tables: This tab lists all the incident data tables in the Symantec Data Loss Prevention database schema.
    Table Name: The name of the table.
    In Tablespace: The name of the tablespace that contains the table.
    Size (MB): The size of the table, in megabytes.
    % Full: The percentage of the table currently in use.
Other Tables: This tab lists all other tables in the schema.
    Table Name: The name of the table.
    In Tablespace: The name of the tablespace that contains the table.
    Size (MB): The size of the table, in megabytes.
    % Full: The percentage of the table currently in use.
Indices: This tab lists all of the indexes in the schema.
    Index Name: The name of the index.
    Table Name: The name of the table that contains the index.
    In Tablespace: The name of the tablespace that contains the table.
    Size (MB): The size of the table, in megabytes.
    % Full: The percentage of the table currently in use.
LOB Segments: This tab lists all of the large object (LOB) tables in the schema.
    Table Name: The name of the table.
    Column Name: The name of the table column containing the LOB data.
    In Tablespace: The name of the tablespace that contains the table.
    LOB Segment Size (MB): The size of the LOB segment, in megabytes.
    LOB Index Size: The size of the LOB index, in megabytes.
    % Full: The percentage of the table currently in use.

NOTE
The percentage used value for each table displays the percentage of the table currently in use as reported by
the Oracle database in dark blue. It also includes an additional estimated percentage used range in light blue.
Symantec Data Loss Prevention calculates this range based on tablespace utilization.

Secure Communications Between DLP Agents and Endpoint Servers


Symantec Data Loss Prevention uses SSL certificates and public-key encryption to authenticate and secure
communications between DLP Agents and Endpoint Servers.
When you install or upgrade the Enforce Server, DLP sets up a root Certificate Authority (CA). DLP automatically
generates the public certificates and the keys that are required to authenticate and secure communications
between DLP Agents and Endpoint Servers. The certificates are signed by the Symantec Data Loss Prevention CA.

The public certificates and keys are securely stored in the Enforce Server database. The DLP Agent initiates connections
to one of the Endpoint Prevent Servers or load balancer servers and authenticates the server certificate.
When you deploy an Endpoint Prevent Server, the system generates the server public-private key pair that is signed by
the DLP root CA certificate. These files are versioned. When you generate the agent package, the system generates the
agent public-private key pair and the agent certificate, also signed by the DLP root CA.
You can view which CA version is in use at the System > Settings > General screen. The password for the DLP root CA
is randomly generated and used by the system. Changing the root CA password is reserved for internal use.

Support for custom certificates


You can use custom certificates to verify the identities of endpoints and Endpoint Prevent Servers. With custom
certificates, you can integrate DLP with your Enterprise PKI (Public Key Infrastructure). Endpoint Prevent Servers also can
check for revoked endpoint certificates.
On Windows and macOS endpoints, DLP Agent uses custom endpoint certificates that are provisioned in the operating
system certificate store. The DLP Agent does not support custom endpoint certificates on Linux endpoints.
The certificate management feature enables you to add your own keystores to Endpoint Prevent Servers. You can also
add your own truststores that endpoints and Endpoint Prevent Servers can use to verify each other's identity.
For instructions about configuring new and existing Endpoint Prevent Servers to use custom certificates, see Configuring
Endpoint Prevent Servers to Use Custom Certificates.
For instructions about migrating endpoints from the default DLP Agent certificate to a custom certificate, see Configuring
DLP Agents to Use Custom Certificates.
For information about the limitations of using custom certificates, see Limitations of DLP support for custom certificates.
Related Links
Adding and Modifying Custom Keystores for Endpoint Prevent Servers on page 672
On the Certificate Management page of the Enforce Server administration console, you can add and modify custom
keystores that are used to identify Endpoint Prevent Servers.
Adding and Modifying Custom Truststores for Endpoints and Endpoint Prevent Servers on page 673
On the Certificate Management page of the Enforce Server administration console, you can add and modify custom
truststores.
Deleting Custom Keystores and Truststores on page 673
On the Certificate Management page of the Enforce Server administration console, you can delete custom keystores
and truststores that are used by endpoints and Endpoint Servers.
Advanced Endpoint Prevent Server Settings That Support Custom Certificates on page 675
The following advanced Endpoint Prevent Server settings support custom certificates.

Configuring Endpoint Prevent Servers to Use Custom Certificates


Follow these steps to configure new Endpoint Prevent Servers to use custom certificates. You can also follow these
instructions to migrate existing Endpoint Prevent Servers to use custom certificates.

Table 318: Configuring Endpoint Prevent Servers to Use Custom Certificates

Step | Description | More information

1 | Upload a keystore that contains the custom certificate for identifying the Endpoint Prevent Server. Make sure that the custom certificate specifies 'Server Authentication' as the intended purpose. | Adding and Modifying Custom Keystores for Endpoint Prevent Servers
2 | Upload a truststore with the CA public certificate that agents can use to validate the custom Endpoint Prevent Server certificate. | Adding and Modifying Custom Truststores for Endpoints and Endpoint Prevent Servers
3 | Generate an agent installation package that contains the custom truststore. | Generating agent installation packages
4 | Do one of the following actions: • If you have not yet deployed any DLP Agents, follow the installation instructions. • If you have already deployed DLP Agents, use the agent_communication_updater tool to update the truststore in the agent database. | • Installing the DLP Agent on Windows • Installing the DLP Agent for macOS • Installing the DLP Agent on Linux • Using the agent_communication_updater utility
5 | Reconfigure the Endpoint Prevent Server configuration to use the custom keystore. | Adding a detection server
6 | Recycle the Endpoint Prevent Server. | NA

For information about the limitations of using custom certificates, see Limitations of DLP support for custom certificates.

Configuring DLP Agents to Use Custom Certificates


Follow these steps to configure new and existing DLP Agents to use custom certificates.

Table 319: Configuring DLP Agents to Use Custom Certificates

Step 1. Provision the endpoint with the custom certificate that you want to use. Then, verify that the following conditions are true:
• The custom certificate is present in the operating system certificate store and a private key is associated with it.
• The custom certificate has the 'Client Authentication' property added under 'Enhanced Key Usage'.
• On macOS endpoints, the EPDA process has access to the private key of the custom certificate.
If multiple matching certificates are present in the operating system certificate store, the DLP Agent uses the certificate with the farthest expiration date.
More information: NA
Step 2. Upload a truststore that contains the corresponding CA public certificate that Endpoint Prevent Servers can use to validate the custom endpoint certificate. If you plan to use a custom endpoint certificate, make sure that the truststore contains the corresponding CA public certificate so that the Endpoint Prevent Server can validate the custom endpoint certificate.
More information: Adding and Modifying Custom Truststores for Endpoints and Endpoint Prevent Servers
Step 3. Reconfigure the Endpoint Prevent Server configuration to use the custom truststore.
More information: Adding a detection server
Step 4. Recycle the Endpoint Prevent Server.
More information: NA

For information about the limitations of using custom certificates, see Limitations of DLP support for custom certificates.
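The conditions in Table 319, worked through in Go as an added example (not DLP code): the agent-side selection rule (a private key, the Client Authentication EKU, and the farthest expiration date winning among several matches) and the server-side check that the endpoint certificate chains to a CA in the uploaded truststore. All certificates, names and the map used to stand in for the operating system certificate store are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // unique serial number per constructed certificate

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a constructed test certificate (no real DLP material): a
// self-signed CA when parent is nil, otherwise a leaf signed by parent/parentKey.
func issue(cn string, notAfter time.Time, eku []x509.ExtKeyUsage,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter, IsCA: parent == nil,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku}
	if parent == nil { // self-signed: the constructed CA signs itself
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

func hasEKU(c *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, u := range c.ExtKeyUsage {
		if u == want {
			return true
		}
	}
	return false
}

// selectEndpointCert is the agent-side rule from Table 319. store maps each OS-store
// certificate to whether a private key is associated with it; only entries with a key
// and the Client Authentication EKU qualify, and the farthest expiration date wins.
func selectEndpointCert(store map[*x509.Certificate]bool) (*x509.Certificate, error) {
	var best *x509.Certificate
	for c, hasKey := range store {
		if !hasKey || !hasEKU(c, x509.ExtKeyUsageClientAuth) {
			continue
		}
		if best == nil || c.NotAfter.After(best.NotAfter) {
			best = c
		}
	}
	if best == nil {
		return nil, fmt.Errorf("no certificate with a private key and the Client Authentication EKU")
	}
	return best, nil
}

// verifyAgainstTruststore is the server-side counterpart: the endpoint certificate must
// chain to a CA in the uploaded truststore and be valid for client authentication.
// Revocation checking (CRL/OCSP) is a separate step and is not modelled here.
func verifyAgainstTruststore(leaf *x509.Certificate, truststore []*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, ca := range truststore {
		roots.AddCert(ca)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// scenario runs both checks on constructed data: a CA, its leaves, and an unrelated CA.
func scenario() (selectedCN string, trustedOK, unrelatedOK bool) {
	now, client := time.Now(), []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	ca, caKey := issue("Constructed Endpoint CA", now.AddDate(10, 0, 0), nil, nil, nil)
	other, _ := issue("Unrelated CA", now.AddDate(10, 0, 0), nil, nil, nil)
	short, _ := issue("endpoint-short", now.AddDate(1, 0, 0), client, ca, caKey)
	long, _ := issue("endpoint-long", now.AddDate(3, 0, 0), client, ca, caKey)
	noKey, _ := issue("endpoint-nokey", now.AddDate(9, 0, 0), client, ca, caKey) // farthest, but no key
	srv, _ := issue("server-only", now.AddDate(5, 0, 0), []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	chosen, err := selectEndpointCert(map[*x509.Certificate]bool{short: true, long: true, noKey: false, srv: true})
	must(err)
	return chosen.Subject.CommonName,
		verifyAgainstTruststore(chosen, []*x509.Certificate{ca}) == nil,
		verifyAgainstTruststore(chosen, []*x509.Certificate{other}) == nil
}

func main() {
	fmt.Println(scenario())
}
```

The selection skips the server-only certificate (wrong EKU) and the longest-lived one (no private key), and the Endpoint Prevent Server side only accepts the chosen certificate when its issuing CA is in the truststore.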

Adding and Modifying Custom Keystores for Endpoint Prevent Servers


On the Certificate Management page of the Enforce Server administration console, you can add and modify custom
keystores that are used to identify Endpoint Prevent Servers.
Symantec Data Loss Prevention supports custom keystores in the Java KeyStore (JKS) file format.
To add or modify custom keystores, do the following steps:
1. In the Enforce Server administration console, navigate to System > Settings > Certificate Management.
2. On the Certificate Management page, click the KeyStore tab.
3. On the KeyStore tab, do one of the following steps:
• To add a custom keystore, click the Add button. The Add KeyStore File dialog box appears.
• To modify an existing keystore, click the ellipsis button (three vertical dots) on the far-right side of the keystore that
you want to modify and then click Edit. The Edit KeyStore File dialog box appears.

4. In the dialog box, enter or modify the following values:
• NAME: The unique name of the custom keystore.
• DESCRIPTION: The description of the custom keystore.
• UPLOAD FILE: Click Browse and then specify the location of the keystore file (.jks) that you want to upload.
• PASSWORD: The password for the uploaded .jks file. Make sure that the storepass and keypass are the same.

5. Click Save.
If you modified an existing custom keystore, recycle all the Endpoint Prevent Servers that use the updated custom
keystore.
Adding and Modifying Custom Truststores for Endpoints and Endpoint Prevent
Servers
On the Certificate Management page of the Enforce Server administration console, you can add and modify custom
truststores.
Symantec Data Loss Prevention supports custom truststores in the Java TrustStore (JKS) file format.
To add or modify custom truststores, do the following steps:
1. In the Enforce Server administration console, navigate to System > Settings > Certificate Management.
2. On the Certificate Management page, click the TrustStore tab.
3. On the TrustStore tab, do one of the following steps:
• To add a custom truststore, click the Add button. The Add TrustStore File dialog box appears.
• To modify an existing truststore, click the ellipsis button (three vertical dots) on the far-right side of the truststore
that you want to modify and then click Edit. The Edit TrustStore File dialog box appears.
4. In the dialog box, enter or modify the following values:
• NAME: The unique name of the custom truststore.
• DESCRIPTION: The description of the custom truststore.
• UPLOAD FILE: Click Browse and then specify the location of the truststore file (.jks) that you want to upload.
• PASSWORD: The password for the uploaded .jks file.

NOTE
If you upload a new .jks file, make sure that endpoints use the corresponding custom certificate that the
Endpoint Prevent Server can recognize.
5. Make sure that Include DLP Root CA is checked.
6. Click Save.
If you modified an existing custom truststore, recycle all the Endpoint Prevent Servers that use the updated custom
truststore.
Deleting Custom Keystores and Truststores
On the Certificate Management page of the Enforce Server administration console, you can delete custom keystores
and truststores that are used by endpoints and Endpoint Servers.

Before you delete a custom keystore or truststore, make sure that it is not in use.
1. In the Enforce Server administration console, navigate to System > Settings > Certificate Management.
2. On the Certificate Management page, do one of the following steps:
• To delete a custom keystore, click the KeyStore tab.
• To delete a custom truststore, click the TrustStore tab.
Depending on your choice, the list of custom keystores or the list of custom truststores is displayed.
3. Select the custom keystore or truststore that you want to delete. Click an item once to select it; click the item again to
deselect it. You can select only one item for deletion at a time.
4. After you select the custom keystore or truststore that you want to delete, click Delete.
5. In the confirmation dialog box, click OK.

Using the agent_communication_updater utility


You can use the agent_communication_updater utility to update existing DLP Agents so that they can communicate with
Endpoint Prevent Servers that use custom certificates without deploying new agent packages.
You can use the agent_communication_updater utility to update the agent truststore in the agent database. You can also
use the agent_communication_updater utility to update the list of Endpoint Servers in the agent database.
The agent_communication_updater utility supports endpoints that are on DLP 15.8 (legacy endpoints) or later.
Before you begin
If you want to use the agent_communication_updater utility to update the agent truststore, you must first generate a new
agent installation package and extract the endpoint_truststore.pem file from the package.
For more information, see Generating agent installation packages.
Perform the following steps to use the agent_communication_updater utility:
1. Stop the DLP agent (edpa) service.
2. Open a command line and navigate to the DLP installation directory.
3. Depending on the operating system, enter one of the following commands:
• On Windows endpoints: agent_communication_updater.exe [-endpointServer=endpointServerHostIP:portNumber] [-p=password] [-truststore=endpoint_truststore.pem]
• On macOS endpoints: agent_communication_updater [-endpointServer=endpointServerHostIP:portNumber] [-p=password] [-truststore=endpoint_truststore.pem]
• On legacy macOS endpoints with the Apple M1 processor: % sudo arch -x86_64 ./agent_communication_updater [-p=password] [-truststore=endpoint_truststore.pem]
The following table describes command parameters.
• -endpointServer: The host name or IP address of the Endpoint Server and the port number that it uses for communicating with DLP Agents. To specify more than one Endpoint Server, use semicolons to separate the details of the Endpoint Servers. For example: -endpointServer=Server1:1234;Server2:5678
• -p: The agent tools password that you specified when you generated the agent package.
• -truststore: The file path of the agent truststore (endpoint_truststore.pem file) that you extracted from the agent package. For example: -truststore=/User/temp/endpoint_truststore.pem

4. Start the DLP agent (edpa) service.

Limitations of DLP support for custom certificates


The following limitations apply to using custom certificates on endpoints and Endpoint Prevent Servers:
• The DLP Agent does not support using custom endpoint certificates on Linux endpoints.
• The DLP Agent does not support custom endpoint certificates while connected to Endpoint Prevent Servers that are
running in FIPS 140-2 mode.
• Endpoint Prevent Servers perform revocation checks for endpoint certificates over HTTP. LDAP is not supported.
For more information, see Revocation Checks For Custom Certificates.

Advanced Endpoint Prevent Server Settings That Support Custom Certificates


The following advanced Endpoint Prevent Server settings support custom certificates.
In the Enforce Server administration console, navigate to System > Servers and Detectors > Overview > Server/Detector Detail and then click Server Settings.

Setting: EndpointCommunications.AllowLegacyAgentToConnect
Default value: 0
Description: Specifies whether DLP Agents earlier than version 16.0 are allowed to connect to Endpoint Prevent Servers that use a custom truststore.
• 0 - Not allowed (Default)
• 1 - Allowed

Setting: EndpointCommunications.CertificateRevocationCheckProtocol
Default value: CRL
Description: The protocol used to verify the revocation status of custom endpoint certificates. Accepted values are None, OCSP, CRL, and OCSP+CRL.
• None
• CRL (Default)
• OCSP
• OCSP+CRL

Setting: EndpointCommunications.ClientAuthSessionTimeoutInSeconds
Default value: 86400
Description: The time in seconds during which custom endpoint certificates are exempted from revocation checks. During this interval, the DLP Agent does not send the endpoint certificate to the Endpoint Prevent Server.

Revocation Checks For Custom Certificates
DLP supports revocation checks for endpoint certificates over the Online Certificate Status Protocol (OCSP) or through
a Certificate Revocation List (CRL). DLP does not support revocation checks for custom Endpoint Prevent Server
certificates.
If the CRL Distribution Point includes both HTTP and LDAP URLs, do the following actions to prioritize HTTP revocation
checks:
• Place the HTTP URLs before the LDAP URLs.
• Configure an LDAP connection timeout of 1 second in the jndi.properties file. This property minimizes the delay
in performing revocation checks over HTTP if the LDAP connections fail.

Certificate Management
The Certificate Management page of the Enforce Server administration console enables you to manage custom
certificates that are used to authenticate and secure communications between DLP Agents and Endpoint Servers. You
can add, modify, and delete keystores and truststores that contain the custom certificates and keys that you want to use.
For more information about using custom certificates, see:
• Secure Communications Between DLP Agents and Endpoint Servers
• Configuring Endpoint Prevent Servers to Use Custom Certificates
• Configuring DLP Agents to Use Custom Certificates
• Adding and Modifying Custom Keystores for Endpoint Prevent Servers
• Adding and Modifying Custom Truststores for Endpoints and Endpoint Prevent Servers
• Deleting Custom Keystores and Truststores
• Limitations of DLP support for custom certificates
The following table describes the settings on the Certificate Management page of the Enforce Server administration
console.

Table 320: Certificate Management settings

• KeyStore tab: Click the KeyStore tab to view the list of custom keystores.
• TrustStore tab: Click the TrustStore tab to view the list of custom truststores.
• Add: Click Add to add a new keystore or truststore, depending on which tab is open.
• Delete: Click Delete to delete the selected keystore or truststore. The Delete button appears only after you select an item for deletion.
• Ellipsis button (three vertical dots): Click the ellipsis button on the far right side of a keystore or truststore to access the following menu options:
  • Edit: Click Edit to modify the keystore or truststore.
  • Delete: Click Delete to delete the keystore or truststore.

Adding a new product module


This section includes the following topics:
Installing a New License File

Deploy Symantec Data Loss Prevention servers on Amazon Web Services
System Readiness and Appliances Update
Working with Microsoft Information Protection
Configuring the connection between the Enforce Server and Data Insight

Installing a New License File


When you first purchase Symantec Data Loss Prevention, upgrade to a later version, or purchase more product modules,
you must install one or more Symantec Data Loss Prevention license files. License files have names in the format
name.slf.
You can also enter a license file for one module to start and, later on, enter license files for more modules.
1. Download the new license file.
2. Log in to the Enforce Server administration console.
3. Go to System > Settings > General and click Configure.
4. At the Edit General Settings screen, scroll down to the License section.
5. In the Install License field, browse for the new Symantec Data Loss Prevention license file you downloaded.
6. Click Save to agree to the terms and conditions of the end-user license agreement (EULA) for the software and to
install the license.

The Current License list displays the following information for each product license:
• Product – The individual Symantec Data Loss Prevention product name
• Count – The number of users licensed to use the product
• Status – The current state of the product
• Expiration – The expiration date of license for the product
A month before Expiration of the license, warning messages appear on the System > Servers > Overview screen.
When you see a message about the expiration of your license, contact Symantec to purchase a new license key before
the current license expires.

Deploy Symantec Data Loss Prevention servers on Amazon Web Services


Learn about deploying Symantec Data Loss Prevention servers on Amazon Web Services.
About this guide
Introducing Symantec Data Loss Prevention on Amazon Web Services
Considerations for deploying supported servers on Amazon Web Services
Workflow for deploying a Data Loss Prevention detection server on AWS
Configuring certificates for securing communications between the Enforce Server and Amazon RDS for Oracle
Upgrading an Enforce Server running in AWS

What you should know


This guide provides technical information for customers deploying Symantec Data Loss Prevention servers on Amazon
Web Services (AWS) infrastructure. Details include system requirements, security considerations, and deployment
instructions.
This guide assumes the following:

• You have knowledge and experience with Symantec Data Loss Prevention. See Introducing Symantec Data Loss
Prevention.
• You have an existing AWS account. To create an AWS account, go to http://www.aws.amazon.com.
• You have knowledge and experience with AWS and its key features EC2, VPCs, and Security Groups. To access the
AWS documentation, go to http://www.aws.amazon.com/documentation.

Introducing Symantec Data Loss Prevention on Amazon Web Services

This section includes the following topics:


• About deploying Data Loss Prevention on Amazon Web Services
• Supported VPC configurations for EC2 instances
• Supported Data Loss Prevention servers on AWS
• Supported Network Discover scan targets on AWS
• Supported AWS EC2 instance types
• Supported operating systems for detection servers on AWS
• Estimated sizing guidelines for EC2 instances

About deploying Data Loss Prevention on Amazon Web Services

Symantec Data Loss Prevention two- and three-tier deployments are supported on Amazon Web Services Virtual Private
Cloud (VPC). That enables you to use a cloud infrastructure for one or more of your Data Loss Prevention servers. You
can also use a hybrid architecture for your AWS cloud deployment. With hybrid architectures, you deploy an Enforce
Server and Oracle database on premises and deploy detection servers on the AWS infrastructure. You can deploy the
Enforce Server, the Oracle database (or Oracle RDS), and detection servers on AWS. You can use Transport Layer
Security (TLS) to encrypt all data that is transmitted between the Enforce Server and the database server or Oracle RDS.
See About securing communications between the Enforce Server and Amazon RDS for Oracle.
Some examples of AWS deployments include:
• A Network Discover detection server on AWS. This server discovers sensitive data residing on Microsoft SharePoint,
Microsoft Exchange, and CIFS-compliant file share servers residing in the cloud.
• A Network Prevent for Email detection server on AWS. This server controls the transmission of sensitive email from a
Microsoft Exchange mail server residing in the cloud.
• An Enforce Server with the Oracle database and the Cloud Prevent for Email Server in the AWS cloud. This server
prevents data loss from Microsoft 365 email traffic.
See Supported Data Loss Prevention servers on AWS.

Supported VPC configurations for EC2 instances

The Amazon Virtual Private Cloud (VPC) lets you provision a logically isolated region of the AWS cloud in a virtual
network that you define.
To deploy Data Loss Prevention on AWS, you must use a VPC. Symantec only supports connecting an on-premises
Enforce Server to a detection server that is deployed to an EC2 instance with a VPC.
If you created an AWS account after December 2013, when you provision an EC2 instance you either use the default VPC
or one you define.

If you created an AWS account before December 2013, note the following. When you provision an EC2 instance, you are given the option of creating an EC2 "Classic" instance (EC2 without VPC) or an EC2 instance with VPC. If this situation applies to you, you must make sure you provision the EC2 instance with VPC.

Supported Data Loss Prevention servers on AWS

Symantec Data Loss Prevention supports the deployment of the following servers on the AWS infrastructure:
• Two-tier deployment of Enforce Server and the Oracle database on the same server
• Three-tier deployment with the Oracle database or the Oracle RDS
• Enforce Server with Oracle database on the same computer
• Cloud Prevent for Email
• Network Prevent for Web
• Endpoint Prevent
• Network Discover
• Network Prevent for Email
If you want to deploy the Enforce Server on the AWS infrastructure, Symantec supports two- and three-tier deployments
of Symantec Data Loss Prevention on AWS. Two-tier deployments are where the Oracle database and the Enforce Server
are deployed on a single system. In three-tier deployments, the Oracle database is deployed on a separate system from
the Enforce Server system.

Supported Network Discover scan targets on AWS

Symantec Data Loss Prevention supports the scanning of the following Network Discover targets in the AWS cloud:
• Microsoft Exchange Server
• Microsoft SharePoint Server
• File share server (CIFS)
See Network Discover compatibility for the supported versions of these targets.

Supported AWS EC2 instance types

The Amazon Elastic Cloud Compute (EC2) is a web service that provides virtual servers in the cloud. You deploy
supported Data Loss Prevention detection servers to EC2 instances.
EC2 instances can be provisioned in three different ways: on demand, reserved, and spot. On demand and reserved EC2
instances guarantee performance corresponding with the specifications of the Amazon machine image (AMI) provided
by the instance. EC2 spot instances, on the other hand, allow users to bid on unused EC2 capacity at a lower price. Spot
instances are only appropriate for the tasks that can withstand frequent or intermittent interruption. Your detection servers
must run without foreseeable interruption. As such, Symantec Data Loss Prevention does not support the use of EC2 spot
instances for your Data Loss Prevention on AWS deployments.
Figure 14: No support for EC2 Spot Instances shows the EC2 instance details.

Figure 14: No support for EC2 Spot Instances

AWS provides various types of EC2 instances. For example, there are t2.* instance types, m3.* instance types, c3.* instance types, and more. In addition, each EC2 instance type comes in various sizes (micro, small, medium, and large). Be aware that t2.* instance types, including micro, small, and medium, are Burstable Performance Instances (http://aws.amazon.com/ec2/faqs/). Because the baseline CPU performance of t2.* burstable performance instances is only a small percentage of a single CPU core, Symantec Data Loss Prevention does not recommend the use of t2.* instances for detection server deployments on AWS. You may use a t2.* instance type for deploying a data source host, such as a Discover scan target or server, but you should not use t2.micro. You may use t2.small or t2.medium to host a data source.
To summarize, the following EC2 instance types are not supported or recommended:
• EC2 spot instances are not supported for any Data Loss Prevention on an AWS deployment.
• t2.micro instances are not supported for the Data Loss Prevention detection server on AWS deployments.
• t2.small and t2.medium instances are not recommended, but may be used to host Data Loss Prevention data sources,
such as Discover scan targets.
Figure 15: EC2 instance types shows some of the various EC2 instance types. Symantec Data Loss Prevention does not
recommend the use of t2.* instances types for deploying detection servers on AWS.

Figure 15: EC2 instance types

Supported operating systems for detection servers on AWS

When you provision an EC2 instance, you choose the type of Amazon machine image (AMI) to use. AWS provides
several AMIs, and you can go to the AWS Marketplace for third-party provided AMIs. At a minimum, each AMI provides
a host operating system. Some AMIs also provide storage, database, directory, and other services. The components of
the AMI you choose depend on your business requirements.
See Operating system requirements for servers for a complete list of supported operating systems for Data Loss
Prevention.
See Required Linux dependencies for a list of dependencies required for Linux servers. Confirm the file dependencies for
RPM files when you install a detection server.
NOTE
The RHEL 7.x AWS AMI distributions require an additional package. See About configuring the Red Hat
Enterprise Linux version 7.x AMI.

Estimated sizing guidelines for EC2 instances

See Minimum System Requirements for Symantec Data Loss Prevention Servers for a list of the minimum hardware
requirements for detection servers.
AWS terminology refers to a CPU as a vCPU. Each vCPU is single-core. Therefore, 4 vCPUs are equivalent to two two-core CPUs. Keep in mind, however, that these are the minimum size requirements. Your sizing requirements may vary depending on the types of detection conditions you deploy to Data Loss Prevention servers.

Considerations for deploying supported servers on Amazon Web Services


This section includes the following topics:

• About securing your EC2 instances in the AWS cloud
• About Endpoint Prevent and the AWS Elastic Load Balancer
• About securing your Data Loss Prevention servers in the AWS cloud
• About configuring AWS security groups
• About Generating a Unique, Self-signed SSL Certificate for Data Loss Prevention Servers
• About configuring the Red Hat Enterprise Linux version 7.x AMI
• About installing supported server software on an AMI
• About registering a detection server deployed on AWS with an Enforce Server
• About Network Prevent for Email and AWS Simple Email Service

About securing your EC2 instances in the AWS cloud

When you deploy an EC2 instance in the AWS cloud, initially it is open to the entire Internet. Such a configuration is not
recommended because it is not secure. To secure the EC2 instance and protect the integrity of the system, you need to
configure an AWS Security Group.

Related Links
About configuring AWS security groups on page 683

About Endpoint Prevent and the AWS Elastic Load Balancer

Symantec Data Loss Prevention Endpoint Prevent on AWS Elastic Load Balancer (ELB) does not support SSL session
affinity. SSL session affinity (also known as a "sticky session") is only for HTTP/HTTPS load balancer listeners. For more
information, refer to the AWS document at: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/
US_StickySessions.html
NOTE
"Instance" is the AWS term for virtual machine.
ELB is used to balance the Endpoint client connections to the Endpoint Server. When configuring a new ELB instance,
follow the AWS instructions and use the following settings:
• Configure the Endpoint clients to connect to the IP or the host name of ELB computer (not to the Endpoint Servers).
• Listeners tab: Set Load Balancer Protocol to TCP and set Load Balancer Port to any port number (for example,
443).
• Instance Protocol tab: Configure Instance Protocol to TCP.
• Instance Port: For Linux Endpoint detection servers, the value of the TCP Instance Port cannot be under 1024.
• Health Check tab: Set Ping Protocol to TCP and set Ping Port to the port that Endpoint client servers listen on.

About securing your Data Loss Prevention servers in the AWS cloud

Symantec Data Loss Prevention servers communicate securely using SSL. When you deploy a detection server, the
Enforce Server generates a default SSL certificate for secure server communications. While the default server certificate
is suitable for pure on-premises deployments, the default certificate is not secure for hosted or cloud deployments.
Someone familiar with Data Loss Prevention can use the default certificate to compromise the detection server you have
deployed to AWS. This system might be vulnerable to man-in-the-middle attacks and other security threats.
You must generate a unique custom SSL certificate for your Data Loss Prevention servers to secure your Data Loss
Prevention on AWS deployment.
See About Generating a Unique, Self-signed SSL Certificate for Data Loss Prevention Servers.

About configuring AWS security groups

An AWS Security Group is a virtual firewall that controls inbound and outbound traffic for one or more EC2 instances.
When you launch an EC2 instance, you associate one or more security groups with the instance. You add inbound and
outbound rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a
security group at any time. The new rules are automatically applied to all instances that are associated with the security
group. AWS checks the security group rules before it allows traffic to or from the EC2 instance.
Symantec recommends that you harden each AWS Security Group to which the detection server belongs. This hardening
results in minimal open ports. We also recommend that you safe list the source IP to at least the third octet, for example:
x.x.x.0/24.
Figure 16: Example AWS Security Group configuration for a detection server: Inbound Rules shows an example AWS
Security Group with inbound rules. Notice that only the necessary ports are opened, and the IP addresses are limited to
the third octet.
Figure 16: Example AWS Security Group configuration for a detection server: Inbound Rules

About Generating a Unique, Self-signed SSL Certificate for Data Loss Prevention Servers

The default Enforce Server certificate that is generated when you install a detection server is not secure for cloud
deployments.
You need to generate a custom server certificate using the SSL certificate generation tool that is provided with the Data
Loss Prevention installation. Then, you deploy this custom certificate to both the on-premises Enforce Server and each
detection server in the AWS cloud.
A custom SSL certificate secures communication between your Data Loss Prevention servers. To generate a custom SSL
certificate, see Configuring certificates for secure server communications.

Related Links
About installing supported server software on an AMI on page 684

About configuring the Red Hat Enterprise Linux version 7.x AMI

To install a Data Loss Prevention detection server on Red Hat Enterprise Linux version 7.x, see Installing a detection
server on Linux.
• Verify that the following x86_64 packages are installed. If these packages are not installed, you must install them:

• compat-openldap-1:2.3.43-5.el7
• compat-db47-4.7.25-28.el7
• openssl098e
• apr
• expat
• libpng12
• compat-libtiff3
• libjpeg
For the AMI version of Red Hat Enterprise Linux 7.x, you must verify that the apr-util.x86_64 package is installed.
This package must be installed on the EC2 instance for the detection server FileReader process to start.
When you install Symantec Data Loss Prevention on the RHEL 7.x AMI image in AWS, make sure the libjpeg package is installed. If the package is not installed, you may get this error:
java.lang.UnsatisfiedLinkError: /opt/SymantecDLP/Protect/lib/native/libImageUtilitiesJNI.so: libjpeg.so.62: cannot open shared object file: No such file or directory

To install the additional 7.x package that is required for EC2 instances:
1. Configure Red Hat Enterprise Linux to connect to a valid distribution repository.
2. Issue the following command: yum install apr-util.x86_64.
3. Verify that FileReader starts.

NOTE
You must also verify that the firewalld package is installed on RHEL 7.x before you install Data Loss
Prevention. The standard RHEL 7.x AMI does not contain the firewalld package. The Data Loss Prevention
installer does not install it automatically.
About installing supported server software on an AMI

When you install a server on an AWS EC2 instance, you must be sure to select the Hosted Network Prevent option.
Ignore the description in the installer screen indicating that this option only applies to Network Prevent. This option applies
to any detection server you deploy in the cloud.
Selecting this option prevents the system from generating a default SSL certificate for connecting between the detection
server and the Enforce Server. If you select this option, you cannot connect the detection server to the Enforce Server
until you generate a custom SSL server certificate.

Related Links
About Generating a Unique, Self-signed SSL Certificate for Data Loss Prevention Servers on page 683

About registering a detection server deployed on AWS with an Enforce Server

When you register a detection server with the Enforce Server, you provide the connection TCP port. The Enforce Server
administration console only accepts registered port numbers in the range of 1024 through 49151. Well-known ports (0
through 1023) and private ports (49152 to 65535) are not supported. You must open the port you enter on the detection
server. You can open a port by creating an inbound rule for a Security Group and apply that Security Group to the EC2
instance.

Related Links
About configuring AWS security groups on page 683

About Network Prevent for Email and AWS Simple Email Service

Network Prevent for Email on AWS does not support AWS Simple Email Service (SES) as a downstream Mail Transfer Agent (MTA). It does not work because SES relies on a user name and password credential, while Data Loss Prevention SMTP Prevent relies on an anonymous connection.
The next hop (downstream) MTA can be configured either in reflect mode or forward mode. With forward mode, a next
hop MTA such as sendmail can be used to forward SMTP traffic.

Workflow for deploying a Data Loss Prevention detection server on AWS


This section includes the following topics:
• About the deployment workflow
• Deploying a supported Data Loss Prevention server on AWS
• Deploying the Oracle database and Enforce Server in a two- or three-tier environment
• Setting up a CIFS file share scan target on AWS
• Testing and troubleshooting your Data Loss Prevention on AWS deployment

About the deployment workflow

This section provides the workflow for deploying a supported Data Loss Prevention detection server on the AWS
infrastructure. The purpose of this section is to provide you with an example test deployment on which you can base
other deployments for production purposes.
These instructions are specific to the Windows Server 2012 operating system and the Network Discover detection server.
However, the general workflow for deploying a supported Data Loss Prevention detection server on AWS is the same.
After you have gone through the basic workflow, you can extrapolate these steps to other supported detection servers and
operating systems. For example, similar steps work for deploying a Network Prevent for Email detection server on Red
Hat Enterprise Linux 7.x.

Related Links
Deploying a supported Data Loss Prevention server on AWS on page 685
About configuring the Red Hat Enterprise Linux version 7.x AMI on page 683
Implementing Network Prevent for Email on page 1795

Deploying a supported Data Loss Prevention server on AWS

This section provides instructions for deploying a supported Data Loss Prevention server (Oracle database, Enforce
Server, or detection server) on an AWS EC2 instance. It also details how to connect a detection server to an
on-premises Enforce Server. These instructions assume that you have deployed an on-premises Enforce Server and that
this server is available.
See About the deployment workflow.
The deployment workflow includes AWS-specific tasks and tasks specific to Symantec Data Loss Prevention.

Table 321: Deploying a supported Data Loss Prevention detection server on AWS

Step 1: Choose an AMI.
Log on to the AWS Console and select an AMI that provides an operating system that Data Loss Prevention supports.
See Supported Data Loss Prevention servers on AWS.
For example: Microsoft Windows Server 2012 Base - ami-3b83c20b

Step 2: Choose an instance type.
Select an EC2 instance type that is suitable for your business requirements.
See Supported AWS EC2 instance types.
For example:
• Family: General purpose
• Type: m3.large
• vCPUs: 2
• Memory (GB): 7.5
• Instance Storage: 1 x 32 (SSD)
• Network Performance: Moderate
Note: Symantec Data Loss Prevention does not recommend the use of t2.* instance types.
See Estimated sizing guidelines for EC2 instances.

Step 3: Configure instance details.
Do not select Request Spot Instances. Spot instances are not supported.
Verify that the Network is VPC. EC2 Classic (non-VPC) instance types are not supported.
See Supported AWS EC2 instance types.

Step 4: Add storage.
Skip this step. You do not need external storage for a Data Loss Prevention detection server.

Step 5: Tag the instance.
Optionally, you can add metadata tags to help yourself or other administrators organize and locate your EC2 instances.

Step 6: Configure the security group.
Specify and configure your own security group. Initially the EC2 instance is open to the Internet and is not secure. You
secure the instance by configuring a TCP port that the Enforce Server connects to. You also need to open the firewall so
that you can connect using RDP.
See About configuring AWS security groups.

Step 7: Review and launch.
Review the EC2 instance details and click Launch when you are ready. Back at the console, the instance displays
Initializing.

Step 8: Create and download the private key, or use an existing one that you previously generated.
Select Create a new key pair. This key pair lets you decrypt the Windows password that you use to log on to the system.
Download the key pair. You use the key to log on to the system the first time. If you already generated a key pair, you
can use it to log on to the EC2 instance.

Step 9: Use the private key to decrypt the Windows password.
Right-click the instance and select Get Windows Password. Select the *.pem file you downloaded. Click Decrypt
Password. Write down the decrypted password. You need it to log on to the EC2 instance.

Step 10: RDP to the EC2 instance.
RDP to the EC2 instance and log on using the password you decrypted.
Note: You may have to disable the operating system firewall to be able to connect using RDP.

Step 11: Change the host password.
Alternatively, to avoid having to use the decrypted password each time, you can change the password.

Step 12: Copy the Data Loss Prevention installer to the EC2 instance.
You must copy the Data Loss Prevention installation software to the EC2 instance. You can get the software at Symantec
FileConnect using a web browser running on the EC2 instance. Alternatively, you can place the software in a cloud or FTP
storage site and download it to the EC2 instance.

Step 13: Install the Data Loss Prevention software.
Make sure that you select the Hosted Network Prevent option.
See About installing supported server software on an AMI.

Step 14: Register the detection server.
Go to the Enforce Server administration console and register the detection server with the Enforce Server by specifying
the port. The port must be a registered TCP port in the range of 1024 to 49151. The Enforce Server does not accept
well-known ports (0 through 1023) or private ports (49152 through 65535). You must have added this port to an inbound
rule for the Security Group.
See About registering a detection server deployed on AWS with an Enforce Server.

Step 15: Generate custom server certificates.
The default Data Loss Prevention server certificate is not secure. With the Hosted Network Prevent option selected as
recommended (step 13), you do not have a server certificate. Either way, you must generate a unique, self-signed server
certificate to ensure secure communications between the on-premises Enforce Server and the detection server on AWS.

Step 16: Verify your Data Loss Prevention on AWS deployment.
Once you deploy the custom certificate, the Enforce Server should be able to connect to the detection server.

Deploying the Oracle database and Enforce Server in a two- or three-tier environment

Symantec Data Loss Prevention supports two- and three-tier deployments on AWS IAAS. See "Oracle database
requirements" in the Symantec Data Loss Prevention Help Center for a list of supported Oracle Database software
versions.
You estimate sizing requirements to best fit your implementation. See Estimated sizing guidelines for EC2 instances.
Install the Oracle database before you install the Enforce Server.
See Implementing the Database.
See Installing DLP.

Table 322: Steps to deploy the Oracle database and Enforce Server in a two- or three-tier environment

Step 1: Configure the Oracle RDS instance.
Confirm that the Oracle RDS instance meets the following configuration requirements:
• DB Edition: Standard or Enterprise
• DB Engine version: See "Oracle database requirements" in the Symantec Data Loss Prevention Help Center for a list
of supported Oracle Database software versions
• DB Instance Class: db.m4.2xlarge or higher
• Storage Type: Provisioned IOPS (SSD), 100 GiB or more
• Master User: “protect” with a complex password of at least 8 characters
• Public Accessibility: “Yes”, if the Enforce Server is deployed outside of the RDS VPC
• Database name: “protect”
• Database port: “1521”
• Character set name: “AL32UTF8”

Step 2: Create the database user and tablespaces for the Symantec Data Loss Prevention installation.
Complete the following steps:
1. Connect to Oracle RDS using SQL*Plus with the following syntax:
sqlplus master_user/password@fqdn_oracle_rds:db_port/db_name
For example, the following command uses protect for the master_user, 1521 for the database port, and protect for the
database name:
sqlplus protect/password@fqdn_oracle_rds:1521/protect
2. Run the following statements to grant the Master User protect the required privileges:
GRANT create session, alter session, create synonym, create view, create table, create sequence TO protect;
GRANT create table, create cluster, create sequence, create trigger, create procedure, create type, create indextype, create operator TO protect;
GRANT create materialized view TO protect;
3. (Optional) Run the SQL script to create a user to manage the database. The user can access the database without
using the Oracle RDS Master user.
sqlplus master_user/password@fqdn_oracle_rds:db_port/db_name
SQL> @oracle_create_user_oracle_rds.sql
4. Create the required tablespaces by running the following statements:
create smallfile tablespace LOB_TABLESPACE datafile size 32767M autoextend on next 100M maxsize 32767M;
alter tablespace LOB_TABLESPACE add datafile size 1024M autoextend on next 100M maxsize 32767M;
alter tablespace LOB_TABLESPACE add datafile size 1024M autoextend on next 100M maxsize 32767M;

Step 3: Install the Enforce Server.
See Installing DLP.

Step 4: Configure secure TLS communication between the Enforce Server and Oracle RDS.
See About securing communications between the Enforce Server and Amazon RDS for Oracle.
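The step 1 requirements above can be verified against the instance as AWS reports it, rather than by reading them off the console. The following is an added example and is not Symantec's code: it takes the per-instance record that `aws rds describe-db-instances` returns (only the keys used below are relied on) and compares it with the values in the table. Two things are assumptions of this example: "db.m4.2xlarge or higher" is read as a size suffix at or above 2xlarge without comparing instance families, and both of the RDS Provisioned IOPS storage type names (io1, io2) are accepted. The engine version and the Master User password are not in the describe output, so those two items must still be checked by hand. The sample records are constructed.

```python
"""Check an Amazon RDS for Oracle instance against the Table 322, step 1 requirements.

Added example, not part of the Symantec documentation. Input is one element of
DBInstances from `aws rds describe-db-instances`.
"""

# Size suffixes of RDS instance classes in ascending order (assumption: the
# "or higher" in the table refers to this suffix, not to the instance family).
SIZE_ORDER = ["micro", "small", "medium", "large", "xlarge", "2xlarge",
              "4xlarge", "8xlarge", "10xlarge", "12xlarge", "16xlarge", "24xlarge"]
MIN_SIZE = "2xlarge"
MIN_STORAGE_GIB = 100
PROVISIONED_IOPS_TYPES = ("io1", "io2")   # RDS names for Provisioned IOPS SSD storage


def size_rank(instance_class):
    """Rank of the size suffix of a class such as 'db.m4.2xlarge'; -1 if unrecognised."""
    parts = instance_class.split(".")
    if len(parts) != 3 or parts[2] not in SIZE_ORDER:
        return -1
    return SIZE_ORDER.index(parts[2])


def check_rds_instance(inst, enforce_server_in_rds_vpc):
    """Return a list of findings; an empty list means the instance matches the table."""
    findings = []
    engine = inst.get("Engine", "")
    if not (engine.startswith("oracle-se") or engine.startswith("oracle-ee")):
        findings.append(f"engine {engine!r} is not Oracle Standard or Enterprise edition")
    cls = inst.get("DBInstanceClass", "")
    if size_rank(cls) < SIZE_ORDER.index(MIN_SIZE):
        findings.append(f"instance class {cls!r} is below db.m4.{MIN_SIZE}")
    if inst.get("StorageType") not in PROVISIONED_IOPS_TYPES:
        findings.append(f"storage type {inst.get('StorageType')!r} is not Provisioned IOPS (SSD)")
    if inst.get("AllocatedStorage", 0) < MIN_STORAGE_GIB:
        findings.append(f"allocated storage {inst.get('AllocatedStorage')} GiB is below {MIN_STORAGE_GIB} GiB")
    if inst.get("MasterUsername") != "protect":
        findings.append(f"master user is {inst.get('MasterUsername')!r}, expected 'protect'")
    if inst.get("DBName") != "protect":
        findings.append(f"database name is {inst.get('DBName')!r}, expected 'protect'")
    port = inst.get("Endpoint", {}).get("Port")
    if port != 1521:
        findings.append(f"database port is {port}, expected 1521")
    if inst.get("CharacterSetName") != "AL32UTF8":
        findings.append(f"character set is {inst.get('CharacterSetName')!r}, expected 'AL32UTF8'")
    public = inst.get("PubliclyAccessible", False)
    if not enforce_server_in_rds_vpc and not public:
        findings.append("Enforce Server is outside the RDS VPC but the instance is not publicly accessible")
    if enforce_server_in_rds_vpc and public:
        findings.append("instance is publicly accessible although the Enforce Server is inside the RDS VPC; "
                        "public access is only needed when the Enforce Server is outside it")
    return findings


# Constructed sample records; the endpoint address is a placeholder.
SAMPLE_COMPLIANT = {
    "DBInstanceClass": "db.m4.2xlarge", "Engine": "oracle-ee", "StorageType": "io1",
    "AllocatedStorage": 100, "MasterUsername": "protect", "DBName": "protect",
    "Endpoint": {"Address": "<rds-endpoint-placeholder>", "Port": 1521},
    "CharacterSetName": "AL32UTF8", "PubliclyAccessible": True,
}
SAMPLE_NONCOMPLIANT = {
    "DBInstanceClass": "db.m4.xlarge", "Engine": "oracle-se2", "StorageType": "gp2",
    "AllocatedStorage": 50, "MasterUsername": "admin", "DBName": "ORCL",
    "Endpoint": {"Address": "<rds-endpoint-placeholder>", "Port": 1522},
    "CharacterSetName": "WE8MSWIN1252", "PubliclyAccessible": False,
}

if __name__ == "__main__":
    for name, inst in (("compliant", SAMPLE_COMPLIANT), ("noncompliant", SAMPLE_NONCOMPLIANT)):
        print(name, check_rds_instance(inst, enforce_server_in_rds_vpc=False) or "OK")
```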

Setting up a CIFS file share scan target on AWS

Symantec Data Loss Prevention supports the deployment of Network Discover Servers in the AWS cloud. It also supports
the scanning of targets that are deployed in the AWS cloud, including Exchange and SharePoint servers and CIFS file
shares.

Testing and troubleshooting your Data Loss Prevention on AWS deployment

As with any Data Loss Prevention deployment, you should test it to ensure that it is production ready. You must create
some detection rules that are typical for your organization and generate some incidents. In addition, you should test the
performance of your EC2 instance under some representative load.

Configuring certificates for securing communications between the Enforce Server and
Amazon RDS for Oracle

This section includes the following topics:


• About securing communications between the Enforce Server and Amazon RDS for Oracle
• Configuring Oracle RDS Option Group with SSL
• Configuring the Server Certificate on the Enforce Server
• Setting up an SSL connection over JDBC
• Verifying the Enforce Server-Oracle RDS database certificate usage
About securing communications between the Enforce Server and Amazon RDS for Oracle

You can use SSL/Transport Layer Security (TLS) to encrypt all data that is transmitted between the Enforce Server and
the Oracle database hosted with Amazon RDS in a three-tier environment.
These steps assume that you have already set up an AWS account that you can use to manage the Oracle database. See
Deploy Symantec Data Loss Prevention servers on Amazon Web Services .
The following table describes the process to secure communications between the Enforce Server and the database.

Table 323: Steps to secure communications between the Enforce Server and the Oracle database hosted with
Amazon RDS

Step 1: Configure the AWS Oracle RDS SSL connector.
More info: Configuring Oracle RDS Option Group with SSL
Step 2: Configure the server certificate on the Enforce Server.
More info: Configuring the Server Certificate on the Enforce Server
Step 3: Configure the AWS Oracle RDS for Secure Sockets Layer (SSL) connection over JDBC.
More info: Setting up an SSL connection over JDBC
Step 4: Verify the AWS Oracle RDS certificate usage.
More info: Verifying the Enforce Server-Oracle RDS database certificate usage

Configuring Oracle RDS Option Group with SSL

You enable SSL encryption for an Oracle RDS database instance by adding the Oracle SSL option to the option group
associated with an Oracle DB instance. You specify the port you want to communicate over using SSL.

See Oracle Secure Sockets Layer in the AWS Oracle RDS documentation for steps to complete this process.

Configuring the Server Certificate on the Enforce Server

After you configure the AWS Oracle RDS Option Group with SSL, you configure the Enforce Server JDBC driver and the
server certificate. You import the AWS Oracle RDS certificate into the Enforce Server Java keystore. Last, you configure
the JDBC driver to use the Oracle RDS SSL/TLS connection and port.
NOTE
The following process assumes that the SSL Option is configured with TCP port 2484.
1. Locate the Jdbc.properties file at the following location (based on your platform):
• Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/protect/config
2. Modify the following communication port and connection information:
• Update the jdbc.dbalias.oracle-thin line to use TCPS.
• Change the port number to 2484.
The updated communication port and connection information should display as follows:
jdbc.dbalias.oracle-thin=@(description=(address=(host=[oracle host name])(protocol=tcps)(port=2484))(connect_data=(service_name=protect))(SSL_SERVER_CERT_DN="CN=oracleserver"))
The following is an example of what the completed communication port and connection information might look
like. The information you use differs based on your system. Using the following information as-is may cause the
configuration to fail.
NOTE
The example uses "protect" for the database SID and "2484" for the TLS port.
jdbc.dbalias.oracle-thin=@(description=(address=(host=oracle-rds-dns-name)(protocol=tcps)(port=2484))(connect_data=(service_name=protect)(SSL_SERVER_CERT_DN="C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS,CN=oracle-rds-dns-name")))
The certificate details provided above are valid for the rds-ca-2015-root and rds-ca-2019-root certificates, but you
replace the port number with the number used for the SSL port in the option group.
3. Add the certificate to the cacerts file that is located on the Enforce Server by completing the following steps.
Replace <version> with the OpenJRE version running on your system.
a) Copy the Oracle RDS certificate file (rds-ca-2015-root.der or rds-ca-2019-root.der) to the following
location (based on your platform):
• Windows: C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security
• Linux: /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security
b) Change to that directory by running the following command (based on your platform):
• Windows: cd C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security
• Linux: cd /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security
c) Insert the certificate into the cacerts file by running the following command as an administrator (on Windows) or
as the root user (on Linux):
keytool -import -alias oracleservercert -keystore cacerts -file rds-ca-2015-root.der

or

keytool -import -alias oracleservercert2019 -keystore cacerts -file rds-ca-2019-root.der

Enter the default password when you are prompted: changeit.

d) Confirm that the certificate was added by running the following command (based on your platform):
• Windows: keytool -list -v -keystore "C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security\cacerts" -storepass changeit
• Linux: keytool -list -v -keystore /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security/cacerts -storepass changeit

4. Restart all SymantecDLP services.

See Symantec Data Loss Prevention Services.
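Step 2 above is a hand edit of one line in Jdbc.properties, and a mistyped parenthesis in the connect descriptor is only discovered when the Enforce Server fails to start. The following is an added example and is not Symantec's code: it parses the Oracle connect descriptor on the jdbc.dbalias.oracle-thin line, sets (protocol=tcps) and the SSL port, appends SSL_SERVER_CERT_DN in the position the first template above uses (a sibling of address and connect_data under description), re-emits the properties text with every other line untouched, and offers a check that a descriptor is already in the TCPS form. The properties excerpt is constructed; the host name and the DN are placeholders, and the DN you pin must be the one from the RDS certificate you imported.

```python
"""Switch the Enforce Server's Jdbc.properties alias from TCP to TCPS.

Added example, not part of the Symantec documentation.
"""

JDBC_KEY = "jdbc.dbalias.oracle-thin"


def _parse_node(s, i):
    """Parse one '(key=value)' at s[i]; value is a string or a list of child nodes."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    eq = s.index("=", i)
    key = s[i + 1:eq].strip()
    i = eq + 1
    if s[i] == "(":
        value = []
        while s[i] == "(":
            child, i = _parse_node(s, i)
            value.append(child)
    else:
        close = s.index(")", i)
        value, i = s[i:close].strip(), close
    if s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return (key, value), i + 1


def parse_descriptor(text):
    """Return (prefix, root node); prefix is '@' when the alias starts with it."""
    body = text.strip()
    prefix = "@" if body.startswith("@") else ""
    node, end = _parse_node(body[len(prefix):], 0)
    if body[len(prefix) + end:].strip():
        raise ValueError("unexpected text after the descriptor")
    return prefix, node


def serialize(node):
    """Inverse of _parse_node."""
    key, value = node
    inner = "".join(serialize(c) for c in value) if isinstance(value, list) else value
    return f"({key}={inner})"


def to_tcps(descriptor, port, server_cert_dn):
    """Rewrite a descriptor for TCPS on `port`, pinning the server certificate DN."""
    prefix, (root_key, children) = parse_descriptor(descriptor)
    if root_key.lower() != "description" or not isinstance(children, list):
        raise ValueError("expected (description=...) at the top level")
    rewritten = []
    for key, value in children:
        if key.lower() == "address" and isinstance(value, list):
            value = [(k, {"protocol": "tcps", "port": str(port)}.get(k.lower(), v))
                     for k, v in value]
        if key.lower() == "ssl_server_cert_dn":
            continue   # any existing DN is replaced by the one appended below
        rewritten.append((key, value))
    rewritten.append(("SSL_SERVER_CERT_DN", f'"{server_cert_dn}"'))
    return prefix + serialize((root_key, rewritten))


def uses_tcps(descriptor):
    """True if the address uses protocol tcps and a server certificate DN is pinned."""
    _, (_, children) = parse_descriptor(descriptor)
    tcps = dn = False
    for key, value in children:
        if key.lower() == "address" and isinstance(value, list):
            tcps = any(k.lower() == "protocol" and isinstance(v, str) and v.lower() == "tcps"
                       for k, v in value)
        if key.lower() == "ssl_server_cert_dn":
            dn = True
    return tcps and dn


def update_jdbc_properties(properties_text, port, server_cert_dn):
    """Rewrite only the jdbc.dbalias.oracle-thin line; every other line is kept verbatim."""
    out = []
    for line in properties_text.splitlines():
        if line.startswith(JDBC_KEY + "="):
            line = JDBC_KEY + "=" + to_tcps(line[len(JDBC_KEY) + 1:], port, server_cert_dn)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed excerpt of a Jdbc.properties file before the change (placeholder host name).
SAMPLE_PROPERTIES = """\
# constructed excerpt; lines other than the alias are left untouched
jdbc.dbalias.oracle-thin=@(description=(address=(host=oracle-rds-dns-name)(protocol=tcp)(port=1521))(connect_data=(service_name=protect)))
"""

if __name__ == "__main__":
    dn = "C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS,CN=oracle-rds-dns-name"  # placeholder host
    print(update_jdbc_properties(SAMPLE_PROPERTIES, 2484, dn))
```

Running the rewrite twice gives the same line, so it is safe to apply on a file that was already converted; a descriptor that is not a well-formed (description=...) tree is rejected instead of being written back.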
Setting up an SSL connection over JDBC

To set up an SSL connection over JDBC you download the Amazon RDS root CA certificate, convert the certificate format
to .der, then import the certificate into the keystore.
Refer to Setting up an SSL connection over JDBC in the AWS Oracle RDS documentation for steps to complete this
process.

Verifying the Enforce Server-Oracle RDS database certificate usage

To confirm that certificates are configured correctly and that the Enforce Server is communicating with the Oracle RDS
database, log on to the Enforce Server administration console. If you can log on, the Enforce Server and database are
communicating over a secure connection.
If you cannot log on, verify the SSL Java application connection in Jdbc.properties. To confirm the SSL Java
application connection, check the listener status on the Oracle RDS instance. In the listener status, the TCPS protocol
and port 2484 should be in use. If the listener status does not show these, repeat the process to enable SSL on the
Oracle RDS option group.
For full details on how to configure SSL/TLS communication between Oracle RDS and the Enforce Server, see the
documentation for the AWS Oracle RDS Option Group, available from the Amazon Relational Database Service User Guide:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.SSL.html

Upgrading an Enforce Server running in AWS

This section includes the following topics:


• About upgrading the Enforce Server in Amazon RDS for Oracle
• Steps to upgrade the Enforce Server in Amazon RDS for Oracle
About upgrading the Enforce Server in Amazon RDS for Oracle

To upgrade the Enforce Server in Amazon RDS for Oracle you must first confirm that the Oracle Amazon RDS is ready for
upgrade. Then you can upgrade to the latest version of the Enforce Server.

Steps to upgrade the Enforce Server in Amazon RDS for Oracle

Table 324: Upgrading the Enforce Server in Amazon RDS for Oracle

Step 1: Prepare the Amazon RDS for Oracle for a Symantec Data Loss Prevention upgrade.
More info: Preparing the Amazon RDS for Oracle for a Symantec Data Loss Prevention upgrade
Step 2: Upgrade the Enforce Server.
More info: See the Symantec Data Loss Prevention Upgrade Guide available in the Related Documents section of the
Symantec Data Loss Prevention Help Center.

Preparing the Amazon RDS for Oracle for a Symantec Data Loss Prevention Upgrade
The following Amazon RDS for Oracle-related preparations must be made before you upgrade the Symantec Data Loss
Prevention database schema.
NOTE
The Enforce Server upgrade process does not support a TLS connection to Amazon RDS. Symantec
recommends that you run the Update Readiness Tool and complete the Enforce Server upgrade using Amazon
RDS on a non-TLS listener port. The TLS connection between the previous version Enforce Server and RDS is
not migrated during the upgrade. After you complete the upgrade process, re-establish TLS communication with
RDS.
Symantec recommends that you prepare for the upgrade, including running the Update Readiness Tool, a few weeks
before you plan to complete the upgrade. Preparing helps ensure that any issues that arise can be resolved before the
scheduled upgrade.

Table 325: Preparing the Amazon RDS for Oracle for a Symantec Data Loss Prevention upgrade

Step 1: Back up the Amazon RDS for Oracle database before you start the upgrade. You cannot recover from an
unsuccessful upgrade without a backup of your Amazon RDS for Oracle database.
More info: See Backing up and restoring an Amazon RDS DB instance in the Amazon Relational Database Service User Guide.
Step 2: Set Oracle variables.
More info: Setting variables in the Amazon RDS for Oracle database
Step 3: Prepare to run the Update Readiness Tool.
More info: Preparing to run the Update Readiness Tool for Amazon RDS for Oracle
Step 4: Create the Update Readiness Tool database account.
More info: Creating the Update Readiness Tool database account for Amazon RDS for Oracle
Step 5: Run the Update Readiness Tool for Amazon RDS for Oracle.
More info: Running the Update Readiness Tool for Amazon RDS for Oracle
Step 6: Review update readiness results.
More info: Reviewing Update Readiness Results

Setting variables in the Amazon RDS for Oracle database
You set the ORACLE_HOME, ORACLE_SID, and Java CLASSPATH environment variables before you begin the upgrade
process. If you do not set these variables, you cannot complete the migration process during the Enforce Server
upgrade process.
1. Log on as a domain user.
2. In the command prompt, run the following command to set the ORACLE_HOME variable. Confirm your Oracle version
and installation path before setting this variable. For example:
set ORACLE_HOME=c:\oracle\product\19.3.0.0\db_1

3. Run the following commands to set the Java CLASSPATH variable:
• For Windows:
set CLASSPATH=%CLASSPATH%;%JAVA_HOME%\lib;.;
echo %CLASSPATH%
• For Linux:
export CLASSPATH=${CLASSPATH}:.
echo $CLASSPATH

Preparing to run the Update Readiness Tool for Amazon RDS for Oracle
Preparing the Update Readiness Tool includes downloading the tool and moving it to the Enforce Server.
1. Obtain the current version of the tool (for both major or minor release versions of Symantec Data Loss Prevention)
from Product Downloads at the Broadcom Support Portal.
The current version of the Update Readiness Tool includes important fixes and improvements, and should be the
version that you use before attempting any upgrade.
Symantec recommends that you download the tool to the DLPDownloadHome\DLP\16.0 (for Windows) or
DLPDownloadHome/DLP/16.0.1 (for Linux) directory on the Enforce Server.
2. Unzip the tool, then copy the contents of the unzipped folder to the following location on the Enforce Server.
NOTE
Do not unzip the tool as a folder. The contents of the folder must reside directly in the URT folder.
• Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\Migrator\URT\
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/Migrator/URT
3. Copy oracle_create_user_aws_oracle_rds.sql to the following location on the Enforce Server:
• Windows: ..URT\script
• Linux: ../URT/script
This SQL script creates a schema with the necessary privileges on Amazon RDS for Oracle.
Creating the Update Readiness Tool database account for Amazon RDS for Oracle
You can run the Update Readiness Tool from the command prompt on the Enforce Server host computer.

1. Log on as the RDS Master user.


NOTE
The following steps use masteruser for the RDS Master user and password for the password. Enter
information specific to your implementation for these values.
2. Run the following command:
sqlplus masteruser/password@endpoint_name.rds.amazonaws.com:1521/protect

3. Run the following statement to grant the "protect" user full access to DATA_PUMP_DIR:
SQL> GRANT read,write on DIRECTORY DATA_PUMP_DIR to protect;

4. Run the following command to log on to the Amazon RDS for Oracle:
sqlplus Oracle RDS username/password@endpoint_name.rds.amazonaws.com:1521/RDS Servicename
Replace Oracle RDS username, password, and RDS Servicename with information specific to your implementation.
5. Run the following script to create the Update Readiness Tool database account:
SQL> @oracle_create_user_aws_oracle_rds.sql

6. Enter the following information where prompted:


• protect at Please enter the database username:
• protect at Please enter the database user password:
• protect_urt at Please enter the database readiness username:
• protect at Please enter the database readiness user password:
• endpoint_name.rds.amazonaws.com:1521/protect at Please enter the database service name:
Running the Update Readiness Tool for Amazon RDS for Oracle
Amazon RDS for Oracle is fully managed, so you run the Update Readiness Tool on the Enforce Server instead of on the
database server.

1. Run the following command:


java UpdateReadinessTool

2. Enter the following information when prompted:


• protect at Please enter the database username
• protect at Please enter the database user password
• protect_urt at Please enter the database readiness username
• protect at Please enter the database readiness user password:
• endpoint_name.rds.amazonaws.com:1521/protect at Please enter the database service name:
After the test completes, you can locate the results in a log file in the /output directory. This directory is located
where you extracted the Update Readiness Tool. If you do not include [--quick] when you run the tool, the test may
take up to an hour to complete. You can verify the status of the test by reviewing log files in the /output directory.
Related Links
Reviewing Update Readiness Results on page 363

Reviewing Update Readiness Results


After the test completes, you can locate the results in a log file in the /output directory. This directory is located where
you extracted the Update Readiness Tool (URT). If you do not include quick when you run the tool, the test may take up
to an hour to complete. You can verify the status of the test by reviewing log files in the /output directory.
NOTE
Symantec recommends that you contact Support prior to upgrading your system to review the URT results.

Table 326: Update Readiness results

Status: Pass
Items that display under this section are confirmed and ready for update.
Status: Warning
If not fixed, items that display under this section may prevent the database from upgrading properly.
Status: Error
These items prevent the upgrade from completing and must be fixed.

Related Links
Resolving the error "Data Foreign Key Constraint Validation for EndPointProtocolFilter" on page 363

Resolving the error "Data Foreign Key Constraint Validation for EndPointProtocolFilter"
When running the Update Readiness Tool before an upgrade from Symantec Data Loss Prevention 14.6 to the current
version, the tool returns results in its log file with the error below.
Start: Data Foreign Key Constraint Validation - [date and time] Data violations are detected on your schema,
please use the below query(s) to retrieve the invalid data.
SELECT DISTINCT protocolFilterId AS "PROTOCOLFILTERID" FROM ENDPOINTPROTOCOLFILTER
WHERE protocolFilterId IS NULL OR protocolFilterId NOT IN (SELECT acv.protocolFilterId FROM
AgentConfigurationVersion acv WHERE acv.protocolFilterId IS NOT NULL);
End : Data Foreign Key Constraint Validation - elapsed 0s - FAILED (1 violation)

Complete the following steps to resolve the error "Data Foreign Key Constraint Validation for EndPointProtocolFilter":
1. Run the following statement to create a data backup:
create table EndpointProtocolFilter_nomatch as select * from EndpointProtocolFilter where protocolFilterId not in (select acv.protocolFilterId FROM AgentConfigurationVersion acv where acv.protocolFilterId IS NOT NULL);
2. Run the following query to confirm the record count:
select count(*) from EndpointProtocolFilter where protocolFilterId not in (select acv.protocolFilterId FROM AgentConfigurationVersion acv where acv.protocolFilterId IS NOT NULL);
3. Note the record count.
4. Run the following statement to delete the data that causes the upgrade to fail:
DELETE FROM EndpointProtocolFilter WHERE protocolFilterId NOT IN (SELECT acv.protocolFilterId FROM AgentConfigurationVersion acv WHERE acv.protocolFilterId IS NOT NULL);
5. Confirm that the number of records deleted matches the record count from step 3. If the record counts do not match,
contact Symantec Support.
6. Run the following command to complete the delete operation:
commit;
7. Run the following query again to confirm the record count:
select count(*) from EndpointProtocolFilter where protocolFilterId not in (select acv.protocolFilterId FROM AgentConfigurationVersion acv where acv.protocolFilterId IS NOT NULL);
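The seven steps above are a backup, count, delete, compare, commit, re-count sequence, and step 5 is the safety check: the commit is only issued when the delete removed exactly the rows that were counted. The following is an added example, not Symantec's code, that runs the same statements against an in-memory SQLite database with two constructed tables that mimic the ones named in the error, compares the counts in code, and rolls back instead of committing when they disagree. It also shows why the `IS NOT NULL` filter in the subquery matters: with a NULL in the referenced column, a plain `NOT IN` would match no rows at all, and a row whose own protocolFilterId is NULL is reported by the URT's `IS NULL OR` query but is not touched by the `NOT IN` delete, which is the kind of mismatch step 5 is there to catch. The table layouts, column types and rows are constructed for the demonstration.

```python
"""Walk through the EndpointProtocolFilter orphan-row cleanup with SQLite.

Added example, not from the Symantec documentation. Tables and rows are constructed.
"""
import sqlite3

# Subquery used by the statements above. The IS NOT NULL filter matters: if the
# subquery returned a NULL, 'x NOT IN (...)' would be unknown for every row and
# nothing would be selected or deleted.
VALID_FILTER_IDS = ("SELECT acv.protocolFilterId FROM AgentConfigurationVersion acv "
                    "WHERE acv.protocolFilterId IS NOT NULL")
ORPHAN_ROWS = f"protocolFilterId NOT IN ({VALID_FILTER_IDS})"


def load_sample(conn):
    """Constructed data: one orphan by value, one orphan by NULL, one NULL on the referenced side."""
    conn.executescript("""
        CREATE TABLE AgentConfigurationVersion (id INTEGER PRIMARY KEY, protocolFilterId INTEGER);
        CREATE TABLE EndpointProtocolFilter (id INTEGER PRIMARY KEY, protocolFilterId INTEGER, name TEXT);
        INSERT INTO AgentConfigurationVersion VALUES (1, 10), (2, 11), (3, NULL);
        INSERT INTO EndpointProtocolFilter VALUES
            (1, 10, 'matches-10'), (2, 11, 'matches-11'),
            (3, 12, 'orphan-12'), (4, NULL, 'orphan-null');
    """)


def count_urt_flagged(conn):
    """Rows the URT's validation query reports (rows with a NULL id included)."""
    return conn.execute(
        f"SELECT COUNT(*) FROM EndpointProtocolFilter WHERE protocolFilterId IS NULL OR {ORPHAN_ROWS}"
    ).fetchone()[0]


def count_without_null_filter(conn):
    """Same count with the IS NOT NULL filter dropped: the NULL in the subquery hides every orphan."""
    return conn.execute(
        "SELECT COUNT(*) FROM EndpointProtocolFilter WHERE protocolFilterId NOT IN "
        "(SELECT acv.protocolFilterId FROM AgentConfigurationVersion acv)"
    ).fetchone()[0]


def cleanup_orphans(conn):
    """Steps 1-7: back up, count, delete, compare, commit, re-count. Returns the counts."""
    conn.execute(f"CREATE TABLE EndpointProtocolFilter_nomatch AS "
                 f"SELECT * FROM EndpointProtocolFilter WHERE {ORPHAN_ROWS}")             # step 1
    before = conn.execute(
        f"SELECT COUNT(*) FROM EndpointProtocolFilter WHERE {ORPHAN_ROWS}").fetchone()[0]  # steps 2-3
    deleted = conn.execute(f"DELETE FROM EndpointProtocolFilter WHERE {ORPHAN_ROWS}").rowcount  # step 4
    if deleted != before:                                   # step 5: counts must match before the commit
        conn.rollback()
        raise RuntimeError(f"deleted {deleted} rows but expected {before}; nothing committed")
    conn.commit()                                           # step 6
    after = conn.execute(
        f"SELECT COUNT(*) FROM EndpointProtocolFilter WHERE {ORPHAN_ROWS}").fetchone()[0]  # step 7
    backed_up = conn.execute("SELECT COUNT(*) FROM EndpointProtocolFilter_nomatch").fetchone()[0]
    return {"before": before, "deleted": deleted, "after": after, "backed_up": backed_up}


def run_demo():
    """Run the whole sequence on an in-memory database and return the observed counts."""
    db = sqlite3.connect(":memory:")
    load_sample(db)
    flagged_before = count_urt_flagged(db)
    hidden = count_without_null_filter(db)
    result = cleanup_orphans(db)
    flagged_after = count_urt_flagged(db)
    return flagged_before, hidden, result, flagged_after


if __name__ == "__main__":
    flagged_before, hidden, result, flagged_after = run_demo()
    print(f"URT query flags {flagged_before} rows; without the NULL filter it would find {hidden}")
    print(result)
    print(f"still flagged by the URT query after the cleanup (NULL id): {flagged_after}")
```

The remaining flagged row after the cleanup is the one with a NULL protocolFilterId: the URT query lists it, the delete above does not remove it, and that difference is exactly what the step 5 count comparison surfaces, which is when the page says to contact Support rather than commit.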

Related Links
Reviewing Update Readiness Results on page 363

Upgrading the Enforce Server on Windows


The table lists steps to upgrade the Enforce Server on Amazon RDS for Oracle.

Table 327: Upgrading the Enforce Server on Windows

Step 1: Install the Java Runtime Environment.
More info: See Install the Java Runtime Environment on the Enforce Server on Windows.
Step 2: Install the Enforce Server.
More info: See Install an Enforce Server on Windows.
Step 3: Run the Migration Utility.
More info: See Migrate Data on the Enforce Server on Windows.

Upgrading the Enforce Server on Linux


The table lists steps to upgrade the Enforce Server on Amazon RDS for Oracle.

Table 328: Upgrading the Enforce Server on Linux

Step 1: Install the Java Runtime Environment.
More info: See Install the Java Runtime Environment on the Enforce Server on Linux.
Step 2: Install the Enforce Server.
More info: See Install an Enforce Server on Linux.
Step 3: Run the Migration Utility.
More info: See Migrate Data on the Enforce Server on Linux.

System Readiness and Appliances Update


Use the Appliance(s) Update screen to update appliances.
See Updating appliance software.

Working with Microsoft Information Protection


This section includes the following topics:
• About the Symantec integration with MIP for DLP
• Implementing MIP capabilities for DLP Agents and on-premises detection servers
• Authorizing Symantec Data Loss Prevention on the Microsoft Azure portal
• Enabling MIP on the Azure portal for detection servers
• Configuring proxy server details for AIP Insight Deployment
• Managing MIP credential profiles for agents and on-premises detection servers
• Using the Content Matches MIP Tag rule
• Configuring response rules using MIP Classification labels in the Enforce Server administration console
• Integrating MIP classification labels in the Enforce Server administration console
• Troubleshooting the Symantec integration with MIP for DLP

About the Symantec integration with MIP for DLP


The Symantec integration with MIP for DLP combines the classification and encryption capabilities of Azure RMS with the
powerful data inspection features of DLP. Using this Symantec integration with MIP helps you meet your compliance and
data protection requirements.

You and the users in your organization can continue to secure information using Azure RMS in the way you are
accustomed to; with the Symantec integration with MIP for DLP deployed, your InfoSec team gains visibility into sensitive
information in RMS-encrypted files and email messages, including messages sent using Microsoft Exchange on-premises
and Exchange Online.
This solution works on both Linux and Windows detection servers, in the Cloud, and on DLP Agents. It is supported on
any platform on which you can install a Data Loss Prevention detection server and on Windows and macOS endpoints.
Features of the Symantec integration with MIP for DLP include:
• DLP Storage support for inspecting files and emails encrypted by MIP. Network Discover supports the inspection of
encrypted documents and emails for file shares, Microsoft SharePoint repositories, and Microsoft Exchange Server
only.
• Ability to import MIP labels into the Enforce Server administration console
• Support for authoring an MIP classification-based Data Loss Prevention policy condition that reads existing MIP
labels for the Endpoint, Network, and Storage
• DLP Agent inspection of files that are encrypted by MIP
• Ability to configure DLP Agents to allow or block files that are encrypted by MIP
• Support for the DLP Agent to use a network proxy to connect to the MIP portal
• Support for the DLP Agent to recommend labels or automatically apply labels for the Microsoft Office applications that
contain confidential information.
• Support for the DLP Agent to recommend labels or automatically apply labels for emails that contain confidential
information and are sent using Microsoft Outlook. Labels are applied to the email body only.
NOTE
MIP classification for Microsoft Outlook is available only on Windows endpoints. If an email already has a
label that enforces MIP encryption, DLP does not inspect the email again for classification.
• Support for the Enforce Server and detection server to use a network proxy to connect to the MIP portal
For details about supported server platforms, see Operating system requirements for servers.
The Symantec integration with MIP for DLP is available for use on Data Loss Prevention 15.8 and later versions.
Previous versions, named AIP Insight for DLP Cloud and Symantec AIP Insight for Data Loss Prevention, have been
available for use with Data Loss Prevention 15.1, 15.5, and 15.7x.

Implementing MIP capabilities for DLP Agents and on-premises detection servers
The high-level steps for implementing MIP capabilities for endpoints and on-premises detection servers are provided
in the following table.

Table 329: Overview of implementing MIP capabilities for DLP Agents and on-premises detection servers

Step 1
Action: On the Azure portal, authorize DLP to connect to the MIP service and generate the credentials that Data Loss Prevention uses to connect to the MIP service.
Details: Authorizing Symantec Data Loss Prevention on the Microsoft Azure portal

Step 2
Action: In the Enforce Server administration console, configure the MIP credentials that you generated using the Azure portal. These credentials are used by the Enforce Server, on-premises detection servers, and DLP Agents to connect to the MIP service.
Details: Managing MIP credential profiles for agents and on-premises detection servers

Step 3
Action: In the Enforce Server administration console, synchronize the labels that have been defined in MIP. The labels can then be used by DLP Agents to classify documents and outgoing emails. MIP classification for Microsoft Outlook is available only on Windows endpoints. If an email already has a label that enforces MIP encryption, DLP does not inspect the email again for classification.
Details: Integrating MIP classification labels in the Enforce Server administration console

Step 4
Action: Using the Classification tab in agent configurations, enable DLP Agents to use MIP classification to label confidential documents and outgoing emails in supported applications.
Details: Classification settings

Step 5
Action: Using the Microsoft Information Protection section of the Settings tab in agent configurations, configure DLP Agents to decrypt and inspect documents that have been encrypted by MIP.
Details: Microsoft Information Protection settings

Step 6
Action: Using the PostProcessor.AIP_DEFAULT_ACTION.int advanced setting in agent configurations, configure DLP Agents to either block or allow user actions when users attempt to copy or transfer files that are encrypted by MIP.
Optionally, you can also configure the following agent advanced settings:
• MIP.HTTP_OPERATION_TIMEOUT.int
• MIP.MIP_AUTHENTICATION.int
• PostProcessor.MIP_APPLY_LABEL_MAX_RETRY_COUNT.int
Details: Advanced agent settings

Step 7
Action: Configure a policy to inspect documents and emails.
Details: Creating a policy from a template

Step 8
Action: Configure the Endpoint: MIP Classification response action to enable DLP Agents to either suggest or automatically apply labels for documents that contain sensitive information.
You can also configure the Endpoint: MIP Classification response action to either suggest or automatically apply labels for emails that are sent using Microsoft Outlook on Windows endpoints.
Details: Configuring the Endpoint: MIP Classification action

Step 9
Action: Customize or translate endpoint notifications for prompting users to authenticate with MIP using their Azure AD credentials when DLP Agents need to use MIP capabilities.
Details: About Endpoint Notifications

Step 10
Action: Configure a policy that looks for MIP labels on documents and emails using the Content Matches MIP Tag rule.
Details: Using the Content Matches MIP Tag rule

Step 11
Action: (Optional) Create an MDM configuration profile to ensure that DLP Agent notifications about label suggestions and label enforcement are always displayed on macOS endpoints.
Details: Enable MIP classification notifications on macOS endpoints

Step 12
Action: (Optional) Using the Proxy section of the Settings tab in agent configurations, configure DLP Agents to use a network proxy to connect to the MIP service.
Make sure that you add the required Microsoft URLs to the list of allowed URLs.
Details: Agent proxy settings

Step 13
Action: (Optional) In the General settings of the Enforce Server administration console, configure the Enforce Server and on-premises detection servers to use a network proxy to connect to the MIP service.
Make sure that you add the required Microsoft URLs to the list of allowed URLs.
Details: Configuring proxy server details for AIP Insight Deployment

Step 14
Action: (Optional) In the General settings of the Enforce Server administration console, configure the Enforce Server and cloud services to use a network proxy to connect to the MIP service.
Make sure that you add the required Microsoft URLs to the list of allowed URLs.
Details: Configuring the Enforce Server to use a proxy to connect to cloud services

Authorizing Symantec Data Loss Prevention on the Microsoft Azure portal
You must register an application on the Microsoft Azure portal before you can connect Symantec Data Loss Prevention to
the MIP service.
1. Log on to http://portal.azure.com/ with administrator privileges.
2. Navigate to Azure Active Directory > App Registrations > New Registration.
3. Provide a display name for the new application.
4. Under Supported account types, select Accounts in any organizational directory (Any Azure AD directory -
Multitenant).
5. Leave the Redirect URI field empty.
6. Click Register.
7. After the application is registered, go to the applications page and select Authentication in the navigation pane.
8. Click Add a platform, and add Windows and macOS as supported platforms.
a) In the Bundle ID field for iOS/macOS, enter com.microsoft.DLPMacApp. The Azure portal then uses this
information to generate a Redirect URI.
b) In the Redirect URI field for Mobile and desktop applications (for Windows), enter
https://login.microsoftonline.com/common/oauth2/nativeclient.
9. In the navigation pane, select API permissions and click Add a permission.
10. Select Azure Rights Management Services from the Microsoft APIs tab.
11. Choose the Delegated Permissions scope.
12. Select the user_impersonation permission and click Add a permission.
13. On the API permissions page, click Add a permission.
14. Select Microsoft Information Protection Sync Service from the APIs my organization uses tab.
15. Choose the Application Permissions scope.
16. Select the UnifiedPolicy.Tenant.Read permission and click the Add permissions button.
17. On the API permissions page, click Add a permission.
18. Select Microsoft Information Protection Sync Service from the APIs my organization uses tab.
19. Choose the Delegated Permissions scope.
20. Select the UnifiedPolicy.User.Read permission and click the Add permissions button.
21. Click Grant Admin Consent and then click Yes.
22. In the navigation pane, select Certificates & secrets.
23. Under Client secrets, click New client secret.
24. Add a description.
25. Choose a validity period and click Add.
26. Save a copy of the client secret immediately as it is not visible later. You use this client secret later to configure MIP
credential profiles that Symantec Data Loss Prevention uses to authenticate with the MIP service.
27. In the navigation pane, select Overview, and copy the Application (client) ID and Directory (tenant) ID values. You
use these details later to configure MIP credential profiles that Symantec Data Loss Prevention uses to authenticate
with the MIP service.

Enabling MIP on the Azure portal for detection servers


Follow these steps to enable use of MIP for Data Loss Prevention on the Azure portal.
1. Log in to http://portal.azure.com/ with administrator privileges.
2. Go to Azure Active Directory > App Registrations > New Registration.
3. Under Supported account types choose the Single tenant account type option.
4. Provide a display name.
5. Leave the Redirect URI field empty.
6. Click Register.
7. Select Azure Rights Management Services from the Microsoft APIs tab.
8. Choose Application Permissions scope.
9. Select the Content.SuperUser permission, then click Add a permission.
10. Click Grant Admin Consent and then click Yes.
11. Go to Certificates & secrets.
12. Click New Client secret under Client secrets.
13. Add a description.
14. Choose a validity period and click Add.
15. Copy the client secret immediately; it is not visible later. You use this client secret in Configuring
detection servers with Azure access credentials.
16. Go to the Overview page and copy the Application (client) ID and Directory (tenant) ID.

Configuring proxy server details for AIP Insight Deployment

If you have a proxy server in your environment, follow these steps to make AIP Insight work with your proxy. Symantec
supports both transparent and explicit proxy types for AIP decryption.
• Proxies can be configured either to tunnel, or to use TLS termination of the AIP Insight traffic.
• Proxy authentication is not supported. If a proxy is configured with authentication, you must add a bypass rule to
exclude AIP Insight traffic from proxy authentication. See "Configure proxy authentication bypass (for authenticated
proxies)" below.

Provide the proxy hostname/IP and port number on the detection server (for explicit proxies only):
1. Open the plugin_settings.txt file.
For Linux, it is located in /opt/Symantec/DataLossPrevention/ContentExtractionService/<DLP version>/Plugins/Protect/plugins/contentextraction/MicrosoftInformationProtectionPlugin/.
For Windows, it is located in C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\<DLPversion>\Plugins\Protect\plugins\contentextraction\MicrosoftInformationProtectionPlugin.
2. Enter the following lines:
proxy=http://<Proxy IP or DNS name>
proxyPort=<proxy port>
NOTE
The "http://" in the previous syntax is the protocol used to connect to the proxy before a TLS connection is
established between the client and the origin server. For more information, see the curl article about proxies at
https://ec.haxx.se/libcurl/libcurl-proxies. This protocol scheme is optional, so the following syntax should also
work: proxy=<Proxy IP or DNS name>:<proxy port>.
Changes in this file are picked up automatically and the plugin is re-initialized. There is no need to restart the
detection server.
Configure a TLS terminating proxy

NOTE
Since the proxy is terminating TLS connections, the DLP detection server needs to trust the proxy and the proxy
needs to trust the origin server (the Azure service). The following example is for illustration purposes only, and is
based on the assumption that the proxy's certificate is self-signed.
Import the proxy certificates to the detection server trust store
1. Obtain the ProxySG certificate in .pem format.
2. Add the certificate to the trust store:
– On Linux, add the .pem file to the directory /usr/local/share/ca-certificates (RHEL 6.x) or
/etc/pki/ca-trust/source/anchors (RHEL 7.x).
– Run the # /bin/update-ca-trust command to update the certificate authority file.
3. Type # trust list | more to validate that the certificate was added.

Import the Microsoft Azure certificate to the ProxySG


1. Obtain a Microsoft Azure certificate using the following command:
# openssl s_client -connect api.aadrm.com:443 -showcerts
2. Copy and paste the intermediate CA certificate from the previous command output into a .pem file.
This certificate is preceded with the following output:

s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Secure Server CA 2011
i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2011

3. Follow the steps in the documentation for the proxy to import the Microsoft Secure Server CA 2011 certificate to the
proxy.
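Added example (not Symantec documentation or product code): a small Python parser that selects the intermediate CA block from `openssl s_client -showcerts` output by subject CN, so step 2 above does not rely on copy-and-paste, and checks that each certificate's issuer is the subject of the next one in the chain. SAMPLE_OUTPUT is constructed and its PEM bodies are placeholders, not real Microsoft certificates.

```python
"""Added example: select the intermediate CA from `openssl s_client -showcerts` output.

s_client prints each chain element as an index line ("0 s:<subject>"), an
issuer line ("i:<issuer>") and a PEM block. This picks the block by subject CN
and verifies the chain links. SAMPLE_OUTPUT is constructed; the certificate
bodies are placeholders, not real certificates.
"""
import re
from typing import Dict, List

# One chain element: index + subject line, issuer line, then the PEM block.
# Subject/issuer use [^\n]* because DOTALL is needed for the PEM body.
CERT_BLOCK = re.compile(
    r"^\s*(?P<idx>\d+) s:(?P<subject>[^\n]*)\n\s*i:(?P<issuer>[^\n]*)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----)",
    re.MULTILINE | re.DOTALL,
)

# Constructed sample in the layout s_client uses for `-showcerts`.
SAMPLE_OUTPUT = """CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=WA/L=Redmond/O=Microsoft Corporation/CN=api.aadrm.com
   i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Secure Server CA 2011
-----BEGIN CERTIFICATE-----
MIIBleafPLACEHOLDERleafPLACEHOLDER
-----END CERTIFICATE-----
 1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Secure Server CA 2011
   i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2011
-----BEGIN CERTIFICATE-----
MIIBintermediatePLACEHOLDERintermediatePLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
"""


def parse_chain(output: str) -> List[Dict[str, str]]:
    """Return the chain elements in the order s_client printed them (leaf first)."""
    return [m.groupdict() for m in CERT_BLOCK.finditer(output)]


def cn(dn: str) -> str:
    """Extract the CN from either the old '/CN=x' or the newer 'CN = x' DN format."""
    m = re.search(r"CN\s*=\s*([^/,]+)", dn)
    return m.group(1).strip() if m else ""


def certificate_pem(output: str, subject_cn: str) -> str:
    """Return the PEM block whose subject CN matches, ready to write to a .pem file."""
    for cert in parse_chain(output):
        if cn(cert["subject"]) == subject_cn:
            return cert["pem"] + "\n"
    raise LookupError(f"no certificate with CN={subject_cn!r} in the chain")


def chain_is_linked(output: str) -> bool:
    """True when each element's issuer is the subject of the next element, i.e. the
    intermediate you are about to import really is the issuer of the leaf."""
    chain = parse_chain(output)
    return all(
        chain[i]["issuer"].strip() == chain[i + 1]["subject"].strip()
        for i in range(len(chain) - 1)
    )


if __name__ == "__main__":
    # Typical use: pipe the s_client output in; with no input the constructed sample is used.
    import sys
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    if not chain_is_linked(text):
        sys.exit("certificate chain is not linked; check the capture")
    sys.stdout.write(certificate_pem(text, "Microsoft Secure Server CA 2011"))
```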
Configure the TLS non-terminating proxy (Tunneling Mode)
1. Use the URL list from https://docs.microsoft.com/en-us/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud
to exclude the Azure destination hosts from TLS termination on the proxy.
2. Add the following items to the list:
api.aadrm.com
13.107.6.181
13.107.9.181

Configure proxy authentication bypass (for authenticated proxies)


Proxy authentication is not currently supported by the MIP SDK and must be bypassed. Use the proxy documentation
to configure authentication bypass for the URLs mentioned in the previous instructions in "Configure the TLS
non-terminating proxy." You can find an example of configuring authentication bypass on ProxySG at
https://knowledge.broadcom.com/external/article/165425/bypassing-authentication-on-the-proxysg.html.

Updating the DLP content extraction software on Windows detection servers

Managing MIP credential profiles for agents and on-premises detection servers
Symantec Data Loss Prevention uses MIP credential profiles to authenticate with the MIP service. On the System >
Settings > MIP Credential Profiles page of the Enforce Server administration console, you can configure two types of
MIP credential profiles for agents and on-premises detection servers:

• An MIP classification credential profile – Used by the Enforce Server and DLP Agents to synchronize classification
labels with the MIP service. You can configure only one MIP classification credential profile at a time.
• MIP decryption credential profiles – Used by detection servers to inspect documents and emails that have been
encrypted by MIP. You can configure multiple MIP decryption credential profiles.
NOTE
Before you can configure an MIP credential profile, you must first authorize Symantec Data Loss Prevention
to access the MIP service on the Azure portal. The application that you register on the Azure portal
must possess the necessary permissions for enabling the functionality that you want to use, such as labeling
confidential documents or inspecting MIP-encrypted files.
For more information, see Authorizing Symantec Data Loss Prevention on the Microsoft Azure portal.
After you register an application, you gain access to the information that must be included in an MIP credential
profile.
When you view the MIP Credential Profiles page, you can see the Tenant ID that was authorized for use by MIP Insight for
Symantec Data Loss Prevention. You can also see when a particular credential profile was last modified.
For more information about managing MIP credential profiles, refer to the following topics:
Creating an MIP credential profile for agents and on-premises detection servers
Editing an MIP credential profile for agents and on-premises detection servers
Deleting MIP credential profiles for agents and on-premises detection servers

Configuring detection servers with MIP access credentials

For your MIP integration to work, you must configure your detection servers with MIP access credentials in the
Enforce Server administration console. You set up the credentials in Enabling MIP on the Azure Portal. You can add only
one tenant to a Classification Credential Profile. You can add multiple tenants to Decryption Credential Profiles. The
example below shows how to add a Decryption Credential Profile; the process is the same for both types.
To configure detection servers with MIP access credentials
1. Go to System > Settings > MIP Credential Profile.
2. Click Add Profile in the Microsoft Information Protection Decryption Credential Profile section.
3. Add a Profile Name (maximum of 100 characters).
4. Add a Tenant ID (maximum of 36 characters).
5. Add an Application ID from Microsoft Azure AD.
6. Add an Application Secret. You created this secret in Enabling MIP on the Azure portal.
7. Click Save.

Creating an MIP credential profile for agents and on-premises detection servers

The following procedure requires the Server Administrator role.


1. In the Enforce Server administration console, navigate to System > Settings > MIP Credential Profiles.
2. On the MIP Credential Profiles page, do one of the following:
• To authorize Symantec Data Loss Prevention to classify documents that contain sensitive information and to
synchronize labels with the MIP service, under Microsoft Information Protection Classification Credential
Profile, click Add profile.
• To authorize Symantec Data Loss Prevention to inspect documents and emails that have been encrypted by MIP,
under Microsoft Information Protection Decryption Credential Profile, click Add profile.

Depending on your selection, either the Add Classification Credential Profile dialog box or the Add Decryption
Credential Profile dialog box is displayed.
3. In the dialog box, type a name for the profile in the Profile Name field.
4. Fill the Tenant ID, Application ID, and Application Secret (client secret) fields using the information that you copied
when you registered an application on the Azure portal.
For more information, see Authorizing Symantec Data Loss Prevention on the Microsoft Azure portal.
5. Click Save.
Editing an MIP credential profile for agents and on-premises detection servers

The following procedure requires the Server Administrator role.


1. In the Enforce Server administration console, navigate to System > Settings > MIP Credential Profiles.
2. On the MIP Credential Profiles page, click the credential profile that you want to edit.
Depending on your selection, either the Edit Classification Credential Profile dialog box or the Edit Decryption
Credential Profile dialog box is displayed.
3. In the dialog box, modify the values in the fields that you want to update.
4. Click Save.
Deleting MIP credential profiles for agents and on-premises detection servers

The following procedure requires the Server Administrator role.


NOTE
If you want to delete an MIP classification credential profile, you must first delete all of the response actions
that use the labels that were enabled using the MIP classification credential profile. After you delete the MIP
classification credential profile, all of the labels that were enabled using the profile are removed from the
database.
1. In the Enforce Server administration console, navigate to System > Settings > MIP Credential Profiles.
2. On the MIP Credential Profiles page, do one of the following:
• Select the MIP classification credential profile that you want to delete and click Delete Profile.
• Select one or more MIP decryption credential profiles that you want to delete and click Delete Profile.
3. When prompted, confirm that you want to delete the selected MIP credential profiles.

Using the Content Matches MIP Tag rule


Using the Content matches MIP (Classification/Tag) rule, you can create a DLP policy that looks for specific MIP tags
on documents and emails. For more information about how the Content Matches MIP Tag rule behaves, see the "Expected
Behaviors for Emails and Attachments with the Symantec integration with MIP for DLP" table.
For more information on the MIP incident format, see About MIP incident and matches behavior.
To create or edit a policy with the content matches MIP Tag rule:
1. Go to Manage > Policies and create a policy or click an existing policy to modify.
2. Go to the Configure Policy page and navigate to the Detection tab.
3. Click Add Rule. You are now on the Detection Rule page.
4. Select Content Matches MIP Classification (Detect incidents by MIP classification) under Rule Types in Content.

5. Click Next.
6. Enter a Rule Name in the General section.
7. Select a severity level under Severity. To add more severity levels, click Add Severity.
8. Under Conditions, in the Content Matches MIP Classification section, click Content is classified, Content is not
classified, Content matches, or Content does not match.
9. Choose a Label in the Select Label menu. You can choose multiple labels using the OR operator.
10. Choose a Sub-Label in the Select Sub-Label menu.
11. Select what to match on: Envelope or Attachment. You may choose more than one.
12. Click OK on the Configure Policy page to save the rule.

Table 330: Expected Behaviors for Emails and Attachments with the Symantec integration with MIP for DLP

Each row lists the detection request, then the expected behavior for each of the three ways the rule can be configured.

Detection request for: Outlook Email / Network Monitor for Email / SMTP Prevent with no MIP classification and with no attachment
• Content matches on: Incident is not generated.
• Content not classified: Incident is generated.
• Content classified: Incident is not generated.

Detection request for: Outlook Email / Network Monitor for Email / SMTP Prevent with MIP classification for this tenant. Attachments, if present, follow the same rules as files.
• Content matches on: Incident is generated if there is a match for both the Site ID and the Label GUID in the email header.
• Content not classified: Incident is not generated.
• Content classified: Incident is generated if a label matching the site ID is found in the email header.

Detection request for: Outlook Email / Network Monitor for Email / SMTP Prevent with MIP classification for this tenant and RMS protection. Attachments are inside the rpmsg envelope, so they do not trigger incidents until the email body can be decrypted.
• Content matches on: Incident is generated if a match for both the Site ID and the Label GUID is found in the email header.
• Content not classified: Incident is not generated.
• Content classified: Incident is generated if a label matching the site ID is found in the email header.

Detection request for: Outlook Email / Network Monitor for Email / SMTP Prevent with MIP classification for a second tenant (that is, no classification from the target tenant). Attachments, if present, follow the same rules as files.
• Content matches on: Incident is not generated.
• Content not classified: Incident is generated.
• Content classified: Incident is not generated.

Detection request for: Unsupported email client
• Content matches on, Content not classified, Content classified: Incident is not generated (pass through).

Detection request for: When content extraction fails to extract metadata due to an error (for example, files with corrupted metadata, files not supported by a third-party library, or a content extraction timeout)
• Content matches on, Content not classified, Content classified: Incident is not generated (pass through).


Configuring response rules using MIP Classification labels in the Enforce Server
administration console
To configure Response rules using MIP Classification labels in the Enforce Server administration console
1. Go to the Manage > Policies > Response Rule page.

2. Click Add Response Rule and click Automated Response Rule.
3. Click Next.
4. Provide a Rule Name and Description.
5. Go to the Action section and scroll to Endpoint > MIP Classification.
6. Click Add Action.
7. Use the dropdown lists to select the classification labels and select sub-labels under Endpoint Notification Content.
8. Click Save.
For detailed information about configuring the Endpoint: MIP Classification response rule, see Configuring the Endpoint:
MIP Classification action.
The Response Rule is saved.

Integrating MIP classification labels in the Enforce Server administration console


Symantec Data Loss Prevention can connect to the Microsoft MIP portal and pull down both the global and scoped policy
labels (including their sub labels) into the Enforce Server administration console. Then, you can use the Enforce Server
administration console to select from the imported MIP labels to create policy detection rules.
This integration of Microsoft MIP classification labels into the Enforce Server administration console enables reading of MIP
classification labels in documents and emails across network detection servers, cloud detectors, and endpoints.
Before you integrate MIP labels with Data Loss Prevention in the Enforce Server administration console, you must set up
the connection between MIP and DLP by enabling MIP Insight for DLP on the Azure portal and then configuring, in the
Enforce Server administration console, the MIP credentials that you generated using the Azure portal. More specifically, you
must create an application, configure the Azure AD application permission, and request API permissions. All of these
steps are included in Authorizing MIP Insight for Data Loss Prevention on the Azure portal.
These credentials are used by the Enforce Server, on-premises detection servers, cloud services, and DLP Agents
to connect to the MIP service on the Internet. Use the steps in Managing MIP credential profiles to complete the links
between the MIP service and the Enforce Server administration console.
To synchronize MIP labels in the Enforce Server administration console
1. Go to System > Setting > Data Classification and click the MIP tab.
2. If the profile is valid, you will see the Sync Now button.
3. Click Sync Now.
NOTE
The MIP SDK refreshes the policy and label information after a period of up to 4 hours and not
instantaneously. You may want to wait for 4 hours to ensure that labels are synchronized.
After synchronization is complete, MIP Labels and Sub Labels are displayed on the page.

About MIP incident and matches behavior


The following attributes are displayed in an MIP match:
• Label name
• Parent Label
• GUID information
If more than one label matching the rule criterion is found, one match per label is shown. Only the matching label is
reported to the Enforce Server administration console.

Table 331: MIP Incident matches behaviors

Each row gives the rule, the files encountered, and the incident behavior and what displays.

1. Rule: Match on labels A or B
Files encountered: File has labels A and C.
Incident behavior and what displays: Incident is created: Highlight Label name of A (label, parent, and GUID).

2. Rule: Match on labels A or B (for example, 2 rules: 1 matches on the parent and another matches the child)
Files encountered: File has labels A and B.
Incident behavior and what displays: Incident is created: Highlight Label name of A (label, parent, and GUID), but shows 2 matches: for A and B.

3. Rule: Does not match on label A
Files encountered: File has labels A and B.
Incident behavior and what displays: No incident is created.

4. Rule: Keyword "confidential" AND Does not contain label "Confidential"
Files encountered: File has the keyword "confidential" but does not have the confidential label applied.
Incident behavior and what displays: 1 keyword match and 1 match for the classification rule. Reports a hard-coded, localized string: "Did not find expected label(s)."

5. Rule: Does not match on labels A or B
Files encountered: File has label C.
Incident behavior and what displays: Generates an incident: 1 match. Reports a hard-coded, localized string: "Did not find expected label(s)."

6. Rule: Does not match on labels A or B
Files encountered: File has label C (from a different tenancy).
Incident behavior and what displays: Generates an incident: 1 match. Reports a hard-coded, localized string: "Did not find expected label(s)."

7. Rule: Does not match on labels A or B
Files encountered: File has labels C, D, E, and F.
Incident behavior and what displays: Generates an incident: 1 match. Reports a hard-coded, localized string: "Did not find expected label(s)."

8. Rule: Does not match on labels A or B
Files encountered: File has no label.
Incident behavior and what displays: Generates an incident: 1 match. Reports a hard-coded, localized string: "Did not find expected label(s)."

9. Rule: Match when not AIP classified
Files encountered: File has no label.
Incident behavior and what displays: Generates an incident: 1 match. Reports a hard-coded, localized string: "No labels were found."

10. Rule: Match when not AIP classified
Files encountered: File contains label A from the taxonomy and label B not belonging to the taxonomy.
Incident behavior and what displays: No incident is generated.

11. Rule: Match when not AIP classified
Files encountered: File contains labels A and B, neither of which is in the taxonomy.
Incident behavior and what displays: 1 match (since no labels are to be displayed).

12. Rule: Match on any label (in tenancy)
Files encountered: File has a label from that tenancy.
Incident behavior and what displays: 1 match. Reports <Parent-Label-Name> \ <Child-Label-Name> \ <GUID>.

13. Rule: Match on any label
Files encountered: File has multiple labels from the taxonomy.
Incident behavior and what displays: Multiple matches: one for each label found belonging to the taxonomy.
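Added example (not product code): a Python model of the match behaviors in Table 331 for the four Content Matches MIP Classification conditions, which also covers the per-tenant cases of Table 330. Label objects are constructed; the `in_taxonomy` flag is an assumption standing for "belongs to the tenant whose labels were synchronized", which is what the Site ID check in Table 330 decides, and a top-level label is assumed to display without a parent part.

```python
"""Added example: a model of the MIP label match behaviors in Table 331.

Not product code. The four conditions are those of the Content Matches MIP
Classification rule (matches, does not match, is not classified, is
classified). `in_taxonomy` stands for "label belongs to the synchronized
tenant" (assumption: the Site ID check of Table 330).
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Hard-coded strings the table says are reported for these cases.
NOT_FOUND = "Did not find expected label(s)."
NO_LABELS = "No labels were found."


@dataclass(frozen=True)
class Label:
    name: str
    guid: str
    parent: Optional[str] = None
    in_taxonomy: bool = True  # False for a label from a different tenancy


def display(label: Label) -> str:
    """Match text as <Parent-Label-Name> \\ <Child-Label-Name> \\ <GUID> (row 12).
    Assumption: a top-level label is shown without the parent part."""
    parts = [label.parent, label.name, label.guid] if label.parent else [label.name, label.guid]
    return " \\ ".join(parts)


def evaluate(condition: str, selected: Set[str], labels: List[Label]) -> List[str]:
    """Return the match strings for one MIP condition; an empty list means no incident.
    Labels outside the taxonomy never count as classification (rows 6, 10, 11)."""
    tax = [lab for lab in labels if lab.in_taxonomy]
    if condition == "matches":          # one match per selected label found (rows 1, 2)
        return [display(lab) for lab in tax if lab.name in selected]
    if condition == "does_not_match":   # one match when none of the selected labels is present (rows 3, 5-8)
        return [] if any(lab.name in selected for lab in tax) else [NOT_FOUND]
    if condition == "not_classified":   # one match when no taxonomy label is present (rows 9-11)
        return [] if tax else [NO_LABELS]
    if condition == "classified":       # one match per taxonomy label (rows 12, 13)
        return [display(lab) for lab in tax]
    raise ValueError(f"unknown condition {condition!r}")


def keyword_matches(text: str, keyword: str) -> List[str]:
    """Case-insensitive keyword hits, to reproduce row 4 (keyword rule AND label rule)."""
    return [keyword] * text.lower().count(keyword.lower())


def evaluate_all(parts: List[List[str]]) -> List[str]:
    """AND-combine conditions: every condition must match, otherwise no incident."""
    return [m for part in parts for m in part] if all(parts) else []


if __name__ == "__main__":
    a = Label("A", "guid-a", parent="P")
    c = Label("C", "guid-c")
    print(evaluate("matches", {"A", "B"}, [a, c]))      # row 1: one match, for A
    print(evaluate("does_not_match", {"A", "B"}, [c]))  # row 5: "Did not find expected label(s)."
```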

Troubleshooting the Symantec integration with MIP for DLP
For troubleshooting issues with the Symantec integration with MIP for DLP, verbose-level logging for the content
extraction service (ContextExtractionHost_fileReader.log) and the MIP SDK can be enabled by performing the
following steps.
1. Open <installation_dir>/Symantec/DataLossPrevention/DetectionServer/<version>/Protect/config/log4cxx_config_filereader.xml.
2. Change the default value from info to trace in the following XML section in the file:

<category name="cehost">
<priority value ="info"/>
<appender-ref ref="cehostAppender"/>
</category>
3. Open <installation_dir>/Symantec/DataLossPrevention/ContentExtractionService/<version>/Plugins/Protect/plugins/contentextraction/MicrosoftInformationProtectionPlugin/plugin_settings.txt.
4. Set the value of mip_log_level to Trace.
NOTE
On Windows, the MIP SDK log file is created under
C:\Users\<dlp user>\AppData\Local\Temp\DetectionServerContentExtractionTemporary<temp id>\mip\logs.
On Linux, the MIP SDK log file is created under
/tmp/DetectionServer/ContentExtractionTemporary<temp id>/mip/logs.
Share the steps to reproduce the issue and the verbose logs with Symantec Enterprise Security Support. If possible,
share the original, unprotected email or file with Support.

Configuring the connection between the Enforce Server and Data Insight
Before you can use the information from Veritas Data Insight, you need to configure the connection to the Veritas Data
Insight Management Server.
You can also optionally configure the risk score and other options for the report of folders at risk. The risk score is based
on relevant information from the Symantec Data Loss Prevention incidents plus the information from the Veritas Data
Insight Management Server.
1. Click System > Settings > Data Insight from the Enforce Server administration console.
The Data Insight page in the Enforce Server administration console is now accessible to all Network Discover
customers without a license file. After adding a Network Discover license, you will be able to configure the Data Insight
connection and lookup plugins. For this, you should restart the Symantec DLP Manager and Symantec Incident
Persister services.
2. Click Configure.
3. Enter the Host Name of the Veritas Data Insight Management Server. The Host Name may need to match the host
name in the certificate.
4. Enter the Port number of the Veritas Data Insight Management Server. The default is 443.
5. Click Retrieve Certificate.
This retrieval sends a request to the specified Veritas Data Insight Management Server to obtain its SSL certificate.

6. Click Yes to trust the certificate.
Verify that the certificate is returned from the Veritas Data Insight Management Server and that it is the correct
certificate.
7. Enter the log on information to the Veritas Data Insight Management Server.
• Select Use Saved Credentials to use a credential that is saved in the credential store.
Then enter the name of the saved credential.
• Select Use These Credentials to enter the credentials here.
• Enter the Username and Password, and Re-enter Password.
8. Click Test Connection to verify the connection to the Veritas Data Insight Management Server.
This tests the connection to the Veritas Data Insight Management Server using the specified credentials. This Test
Connection operation is available only after the server certificate is verified. If the test is successful, the system
displays the message: "The test connection succeeded." If the test is not successful, verify the connection parameters
and credentials.
9. Optionally, you can configure the risk score and timeframes for the report of folders at risk. Generally, the defaults are
acceptable.
Configuring the risk score and timeframes for the report of folders at risk
10. Optionally, you can also configure the data refresh schedule to retrieve the information from the Data Insight
Management Server.
Changing Data Insight refresh intervals

Generating Local Telemetry Reports


The Telemetry Report page of the Enforce Server administration console enables you to generate granular reports about
various aspects of your DLP environment. The collected data is stored locally and is not shared with Broadcom.
Local telemetry reports are saved as CSV files that you can download and do not contain any personally identifiable
information.
NOTE
If you contact Broadcom Customer Support, your assigned support representative might request you to generate
a report.
To generate a local telemetry report, follow these steps:
1. In the Enforce Server administration console, navigate to System > Telemetry Report.
2. In the Report Configuration Sections pane of the Telemetry Reporting page, enable the toggle button for the
product area that you want to include in the report.
NOTE
The Telemetry Report feature currently supports reporting for the Enforce Server only.
3. Expand the enabled product area, and use the toggle buttons to select the metrics that you want to include in the
report for that product area.
For information about the metrics that are included in local telemetry reports, see Telemetry Reporting.
4. Click Generate Report.
For instructions to download and view local telemetry reports, see Viewing Local Telemetry Reports.

Viewing Local Telemetry Reports
Local telemetry reports are saved as CSV files that you can download.
To download and view a local telemetry report, follow these steps:
1. In the Enforce Server administration console, navigate to System > Telemetry Report.
2. In the Generated Reports pane of the Telemetry Reporting page, click the download button next to the report that
you want to view.
3. When prompted, save the CSV file to the desired location.
4. Open the downloaded file to view the collected telemetry data.
For information about the metrics that are included in local telemetry reports, see Telemetry Reporting.
Related Links
Generating Local Telemetry Reports on page 709
The Telemetry Report page of the Enforce Server administration console enables you to generate granular reports about
various aspects of your DLP environment. The collected data is stored locally and is not shared with Broadcom.

Telemetry Reporting
The Telemetry Reporting page of the Enforce Server administration console enables you to generate granular reports
about various aspects of your DLP environment. The collected data is stored locally and is not shared with Broadcom.
Local telemetry reports are saved as CSV files that you can download.
For information about generating and viewing local telemetry reports, see:
• Generating Local Telemetry Reports
• Viewing Local Telemetry Reports
The following table describes the reporting options on the Telemetry Reporting page.

Setting: Description

Enforce Reporting toggle button: Enables and disables telemetry for the Enforce Server.

Enforce Reporting section: Expand the Enforce Reporting section to view the list of Enforce Server-related metrics that you can include in the local telemetry report.

Data Profile Metrics toggle button: Adds the following metrics to the local telemetry report:
• Total number of EDM profiles
• Total number of EMDI profiles
• Total number of IDM profiles
• Total number of VML profiles
• Total number of form recognition profiles

Detection Rule Metrics toggle button: Adds the following metrics to the local telemetry report:
• Number of active policies by detection condition type

Detection Server Metrics toggle button: Adds the following metrics to the local telemetry report:
• Number of active policies by detection server
• Number of detection servers by server type
• Number of policy groups by detection server
• Number of active policies by detection server
• Total number of detection servers

Enforce Server Metrics toggle button: Adds the following metrics to the local telemetry report:
• Enforce server ID
• Enforce server version
• OS version
• Total number of CPUs
• Total amount of RAM (GB)

Group Rule Metrics toggle button: Adds the following metrics to the local telemetry report:
• Number of active policies by group rule type

Incident Metrics toggle button: Adds the following metrics to the local telemetry report:
• Is Data Access Governance being used?
• Is Data Insight being used?
• Total number of custom attributes
• Total number of incidents
• Total number of incidents in database
• Total number of incidents in external storage
• Total number of lookup plugins

Policy Group Metrics toggle button: Adds the following metrics to the local telemetry report:
• Total number of policy groups
• Number of policies per policy group

Policy Metrics toggle button: Adds the following metrics to the local telemetry report:
• Is OCR enabled?
• Number of active policies
• Number of keywords per keyword condition
• Number of patterns per sender/recipient pattern condition
• Total number of policies
• Total number of policy exceptions
• Total number of policy rules
• Total number of recipient patterns
• Total number of sender patterns

Response Rule Metrics toggle button: Adds the following metrics to the local telemetry report:
• Number of automated response rules
• Number of smart response rules
• Total number of response rules

User/Role Metrics: Adds the following metrics to the local telemetry report:
• Number of user logins
• Total number of roles
• Total number of users

Using ICA with Symantec Data Loss Prevention


Use Information Centric Analytics (ICA) with Symantec Data Loss Prevention to detect data based on user risk scores.
You can use ICA with Symantec Data Loss Prevention to protect sensitive data in your organization.
See Introducing User Risk Based Detection for user risk detection details.

NOTE
Using ICA with Network Discover and Endpoint Discover detection is not supported.
Complete the following steps to implement user risk with Symantec Data Loss Prevention:
1. Create an API user in ICA to enable the connection between ICA and DLP. See Create an API user in ICA.
2. Connect Symantec Data Loss Prevention to ICA. See Adding ICA User Source Data.
3. Create a policy that detects on user risk.
You can use the following policy features to detect on user risk:
• Add a User Risk Score context match condition to a policy. See Adding a Rule to a Policy.
• Add a User Risk response rule condition. See Configuring the User Risk Response Condition.
4. Review incidents. See Reviewing the User Risk in Incidents.

Create an API user in ICA


Create an API user in ICA to allow Symantec Data Loss Prevention to fetch users and user risk scores from ICA.
See Using ICA with Symantec Data Loss Prevention for a list of overview steps for using
ICA with Symantec Data Loss Prevention.
You use the API credentials that you create when you add ICA user source data to Symantec Data Loss Prevention.
Complete the following steps to create the API user.
1. Locate the ApiAccountUtility.exe file on the server where ICA is installed.
The file is at C:\Program Files\Bay Dynamics\Database Utilities\ApiAccountUtility.
2. Run ApiAccountUtility.exe using the following example command:
"C:\Program Files\Bay Dynamics\Database Utilities\ApiAccountUtility\ApiAccountUtility.exe" <username> <password>

Where <username> and <password> are values you define. After you create the user name and password, you can
add ICA user source data to Symantec Data Loss Prevention.
See Adding ICA User Source Data.

Managing Detection Servers
Manage your detection servers.
Installing and managing detection servers and cloud detectors
Managing Log Files
Using Symantec Data Loss Prevention utilities
Increasing the inspection content size

Installing and managing detection servers and cloud detectors


This section includes the following topics:
About managing Symantec Data Loss Prevention servers
About Microsoft Rights Management file and email monitoring
Enabling Advanced Process Control
Server controls
Server configuration—basic
Editing a detector
Server and detector configuration—advanced
Adding a detection server
Adding a cloud detector
Adding an appliance
Configuring an appliance
Configuring the API Detection for Developer Apps Appliance
Removing a server
Importing SSL certificates to Enforce or Discover servers
About the Overview screen
Configuring the Enforce Server to use a proxy to connect to cloud services
Server and detector status overview
Recent error and warning events list
Server/Detector Detail screen
Configure Server - Edit Protocol Filtering
Advanced Server Settings
Advanced detector settings
About using load balancers in an endpoint deployment

About managing Symantec Data Loss Prevention servers
Symantec Data Loss Prevention servers and cloud detectors are managed from the System > Servers and Detectors >
Overview screen. This screen provides an overview of your system, including server status and recent system events. It
displays summary information about all Symantec Data Loss Prevention servers, a list of recent error and warning events,
and information about your license. From this screen you can add or remove detection servers.
• Click on the name of a server to display its Server/Detector Detail screen, from which you can control and configure
that server.
Installing a new license file
About the Enforce Server administration console
About the Overview screen
Server/Detector Detail screen
Adding a detection server
Adding a cloud detector
Removing a server
Server controls
Server configuration—basic

About Microsoft Rights Management file and email monitoring


You must complete prerequisites before enabling Microsoft Rights Management (RMS) file detection. The following
prerequisites apply to RMS administered by Azure RMS or Active Directory (AD) RMS.

Table 332: Microsoft Rights Management file monitoring prerequisites

RMS solution: Requirements

MIP Encryption Insight: The MIP Encryption Insight solution supports Azure RMS file and email monitoring on both Windows and Linux detection servers.
Complete the prerequisite tasks and install the AIP Insight plugin on the detection server.
See About the Symantec integration with MIP for DLP for more details on deployment.

Azure RMS: The Azure RMS solution supports file monitoring on Windows detection servers only.
Install the RMS client, version 2.1, on the detection server.
See Enabling Microsoft Rights Management file monitoring for more details on deployment.

AD RMS: The AD RMS solution supports file monitoring on Windows detection servers only.
• Install the RMS client, version 2.1, on the detection server using a domain service user that is added to the AD RMS Super Users group. Only file monitoring is available with this client.
• Provide both the AD RMS Service User and the DLP Service User with Read and Execute permissions to access ServerCertification.asmx. Refer to the Microsoft Developer Network for additional details: https://docs.microsoft.com/en-us/azure/information-protection/what-is-azure-rms?redirectedfrom=MSDN.
• Add the detection server to the AD RMS server domain.
• Run the detection server services using a domain user that is a member of the AD RMS Super Users group.
See Enabling Microsoft Rights Management file monitoring for more details on deployment.

Enabling Microsoft Rights Management file monitoring
Symantec Data Loss Prevention can detect files that are encrypted using Microsoft Rights Management (RMS)
administered by Azure or Active Directory (AD).
Before you enable Microsoft Rights Management file monitoring, confirm that prerequisites for the RMS environment and
the detection server have been completed.
Enabling RMS detection for Azure-managed RMS

For Azure RMS, complete the following on each detection server to enable RMS file monitoring:
1. Locate the plugin Enable-Plugin.ps1 on the detection server at the following path:
C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction
2. Run the plugin by executing the following command:
powershell.exe -ExecutionPolicy RemoteSigned -File "C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction\Enable-Plugin.ps1"
3. Run the configuration utility ConfigurationCreator.exe to add the system user. Run the utility as the protect user.
NOTE
Enter all credentials accurately to ensure that the feature is enabled.
"C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction\MicrosoftRightsManagementPlugin\ConfigurationCreator.exe"
Do you want to configure ADAL authentication [y/n]: n
Do you want to configure symmetric key authentication [y/n]: y
Enter your symmetric key (base-64): [user's Azure RMS symmetric key]
Enter your app principal ID: [user's Azure RMS app principal ID]
Enter your BPOS tenant ID: [user's Azure RMS BPOS tenant ID]
After running this utility, the following files are created in the MicrosoftRightsManagementPlugin directory at \Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction:
• rightsManagementConfiguration
• rightsManagementConfigurationProtection
4. Restart each detection server to complete the process.
NOTE
You can confirm that Symantec Data Loss Prevention is monitoring RMS content by reviewing
the ContentExtractionHost_FileReader.log file (located at \ProgramData\Symantec
\DataLossPrevention\DetectionServer\16.0.10000\logs\debug). Error messages that display
for the MicrosoftRightsManagementPlugin.cpp item indicate that the plugin is not monitoring RMS
content.

Enabling RMS detection for AD-managed RMS

For AD RMS, complete the following on each detection server to enable RMS file monitoring:
1. Run the plugin, Enable-Plugin.ps1, which is located at \Program Files\Symantec\DataLossPrevention\Protect\bin on the Enforce Server.
powershell.exe -ExecutionPolicy RemoteSigned -File "C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction\MicrosoftRightsManagementPlugin\Enable-Plugin.ps1"
2. Restart each detection server to complete the process.
NOTE
You can confirm that Symantec Data Loss Prevention is monitoring RMS content by reviewing
the ContentExtractionHost_FileReader.log file (located at \ProgramData\Symantec
\DataLossPrevention\DetectionServer\16.0.10000\logs\debug). Error messages that display
for the MicrosoftRightsManagementPlugin.cpp item indicate that the plugin is not monitoring RMS
content.
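The following script is an added post-enablement check, not part of the Symantec documentation or product: it verifies the results of the Azure RMS and AD RMS procedures above by confirming that the two configuration files exist (Azure RMS only) and by flagging any lines in ContentExtractionHost_FileReader.log that mention MicrosoftRightsManagementPlugin.cpp. It assumes the product is installed on the C: drive at the 16.0.10000 paths quoted above, and that failure messages contain that file name, as the NOTE describes.

```powershell
# Added verification script (not part of the Symantec documentation or product).
# Assumptions: the 16.0.10000 paths from the procedure above, on the C: drive,
# and that plugin failures are logged as lines containing
# "MicrosoftRightsManagementPlugin.cpp" (as the NOTE above describes).
param(
    # Set -AzureRms when checking a server enabled with the Azure RMS procedure,
    # because only that procedure (step 3) creates the two configuration files.
    [switch]$AzureRms,
    [string]$PluginDir = 'C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction\MicrosoftRightsManagementPlugin',
    [string]$LogDir    = 'C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs\debug'
)

function Test-RmsPluginEnabled {
    param(
        [switch]$AzureRms,
        [string]$PluginDir,
        [string]$LogDir
    )

    # Files created by ConfigurationCreator.exe in the Azure RMS procedure.
    $expectedFiles = @('rightsManagementConfiguration', 'rightsManagementConfigurationProtection')
    $missing = @()
    if ($AzureRms) {
        $missing = @($expectedFiles | Where-Object {
            -not (Test-Path -LiteralPath (Join-Path $PluginDir $_))
        })
    }

    # After the restart, the File Reader log is where plugin errors appear.
    $logFile  = Join-Path $LogDir 'ContentExtractionHost_FileReader.log'
    $logFound = Test-Path -LiteralPath $logFile
    $flagged  = @()
    if ($logFound) {
        # Any line mentioning the plugin source file is surfaced for review;
        # the documentation states that error messages for this item mean the
        # plugin is not monitoring RMS content.
        $flagged = @(Select-String -LiteralPath $logFile `
                        -Pattern 'MicrosoftRightsManagementPlugin.cpp' -SimpleMatch |
                    ForEach-Object { $_.Line })
    }

    [pscustomobject]@{
        ConfigFilesChecked = [bool]$AzureRms
        MissingConfigFiles = $missing
        LogFound           = $logFound
        FlaggedLogLines    = $flagged
        Healthy            = ($missing.Count -eq 0) -and $logFound -and ($flagged.Count -eq 0)
    }
}

$result = Test-RmsPluginEnabled -AzureRms:$AzureRms -PluginDir $PluginDir -LogDir $LogDir
$result | Format-List
# Non-zero exit lets a deployment pipeline or scheduled task notice a bad server.
if (-not $result.Healthy) { exit 1 }
```

Run it as the protect user on each detection server after the restart in the last step; an empty FlaggedLogLines with LogFound set to True is the expected healthy result.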

Enabling Advanced Process Control


Symantec Data Loss Prevention Advanced Process Control lets you start or stop individual server processes from the
Enforce Server administration console. You do not have to start or stop an entire server. This feature can be useful for
debugging. When Advanced Process Control is off (the default), each Server/Detector Detail screen shows only the
status of the entire server. When you turn Advanced Process Control on, the General section of the Server/Detector
Detail screen displays individual processes.
Server/Detector Detail screen
To enable Advanced Process Control
1. Go to System > Settings > General and click Configure.
The Edit General Settings screen is displayed.
2. Scroll down to the Process Control section and check the Advanced Process Control box.
3. Click Save.

Table 333: Advanced processes describes the individual processes and the servers on which they run once advanced
process control is enabled.

Table 333: Advanced processes

Process: Description; Control

Monitor Controller: The Monitor Controller process controls detection servers. The MonitorController Status is available for the Enforce Server.
File Reader: The File Reader process detects incidents. The FileReader Status is available for all detection servers.
Incident Writer: The Incident Writer process sends incidents to the Enforce Server. The IncidentWriter Status is available for all detection servers, unless they are part of a single-tier installation, in which case there is only one Incident Writer process.
Packet Capture: The Packet Capture process captures network streams. The PacketCapture Status is available for Network Monitor.
Request Processor: The Request Processor processes SMTP requests. The RequestProcessor Status is available for Network Prevent for Email.
Endpoint Server: The Endpoint Server process interacts with Symantec DLP Agents. The EndpointServer Status is available for Endpoint Prevent.
Detection Server Database: The Detection Server Database process is used for automated incident remediation tracking. The DetectionServerDatabase Status is available for Network Discover.

Server configuration—basic

Server controls
Servers and their processes are controlled from the Server/Detector Detail screen.
• To reach the Server/Detector Detail screen for a particular server, go to the System > Servers and Detectors >
Overview screen and click a server name, detector name, or appliance name in the list.
Server/Detector Detail screen
The status of the server and its processes appears in the General section of the Server/Detector Detail screen. The
Start, Recycle and Stop buttons control server and process operations.
Current status of the server is displayed in the General section of the Server/Detector Detail screen. The possible values
are:

Table 334: Server status values

Status

Starting - In the process of starting.
Running - Running without errors.
Running Selected - Some processes on the server are stopped or have errors. To see the statuses of individual processes, you must first enable Advanced Process Control on the System Settings screen.
Stopping - In the process of stopping.
Stopped - Fully stopped.
Unknown - The server has encountered one of the following errors:

• Start. To start a server or process, click Start.
• Recycle. To stop and restart a server, click Recycle.
• Stop. To stop a server or process, click Stop.
• To halt a process during its start-up procedure, click Terminate.
• To reboot an appliance, click Reboot.
NOTE
Status and controls for individual server processes are only displayed if Advanced Process Control is enabled
for the Enforce Server. To enable Advanced Process Control, go to System > Settings > General > Configure,
check the Advanced Process Control box, and click Save.

• To update the status, click the refresh icon in the upper-right portion of the screen, as needed.
About Symantec Data Loss Prevention administration
About the Overview screen
Server/Detector Detail screen
Server configuration—basic
System events reports
Server and Detectors event detail

Server configuration—basic
Enforce Servers are configured from the System > Settings > General menu.
Working with General Settings
Detection servers and detectors are configured from each server's individual Configure Server screen.
To configure a server
1. Go to the System > Servers and Detectors > Overview screen.
2. Click on the name of the server in the list.
That server's Server/Detector Detail screen is displayed. The following buttons are in the upper-left portion of a
Server/Detector Detail:
• Done. Click Done to return to the previous screen.
• Configure. Click Configure to specify a basic configuration for this server.
• Server Settings. Click Server Settings to specify advanced configuration parameters for this server. Use caution
when modifying advanced server settings. It is recommended that you check with Symantec Support before
changing any of the advanced settings.
Server and detector configuration—advanced
For a Discover cluster, the Discover Cluster Details screen is displayed. See View Information on the Discover Cluster Details Screen.
3. Click Configure or Server Settings to display a configuration screen for that type of server.
4. Specify or change settings on the screen as needed, and then click Save.
Click Cancel to return to the previous screen without changing any settings.

NOTE
A server must be recycled before new settings take effect.
Server controls
The Configure Server screen contains a General section for all detection servers that contains the following parameters:
• Name. The name you choose to give the server. This name appears in the Enforce Server administration console
(System > Servers and Detectors > Overview). The name is limited to 255 characters.
For Network Discover Cluster, enter the name of the cluster in Discover Cluster Name.
• Host. The host name or IP address of the system hosting the server. Host names must be fully qualified. If the host
has more than one IP address, specify the address on which the detection server listens for connections to the Enforce
Server.
For Network Discover Cluster, enter the host name or IP address of the data node in Data Node Host.

NOTE
You can update the cluster name and IP address of the data node in the Discover Cluster Name and Data
Node Host fields only when there are no scans running.
• Port. The port number used by the detection server to communicate with the Enforce Server. The default is 8100.
For Single Tier Monitors, the Host field on the Configure Server page is pre-populated with the local IP address
127.0.0.1. You cannot change this value.
The next portions of a Configure Server screen vary according to the type of server, except for the OCR Engine and
Detection tabs, which are common to all servers.
Click the OCR Engine tab to set up a connection to an OCR server.
About content detection with OCR Sensitive Image Recognition
Click the Detection tab to customize the Inspection Content Size.
Network Discover Server and Network Protect—basic configuration
Endpoint Server—basic configuration
Single Tier Monitor — basic configuration
Server/Detector Detail screen

Network Monitor Server—Basic Configuration


Detection servers are configured from the Configure Server screen. To display the Configure Server screen, go to
the Overview screen (System > Servers and Detectors > Overview) and click the name of the server in the list. The
Server/Detector Detail screen appears. Click Configure to display the Configure Server screen.
A Network Monitor Configure Server screen is divided into a general section and two tabs:
• General section. Use this section to specify the server name, host, and port.
• Packet Capture tab. Use this tab to configure network packet capture settings.
• SMTP Copy Rule tab. Use this tab to modify the source folder where the server retrieves SMTP message files.
The top portion of the Packet Capture tab defines general packet capture parameters.

Field: Description

Source Folder Override: The source folder is the directory that the server uses to buffer network streams before it processes them. The recommended setting is to leave the Source Folder Override field blank to accept the default. If you want to specify a custom buffer directory, type the full path to the directory.
Network Interfaces: Select the network interface card to use for monitoring. To monitor a NIC, Npcap software must be installed on the Network Monitor Server.

Implementing Network Monitor


The Protocol section of the Packet Capture tab specifies the types of network traffic (by protocol) to capture and specifies
any custom parameters to apply. This section lists the standard protocols that you have licensed with Symantec, and any
custom TCP protocols you have added.
To monitor a particular protocol, check its box. When you initially configure a server, the settings for each selected protocol
are inherited from the system-wide protocol settings. You configure these settings by going to System > Settings >
Protocol. System-wide default settings are listed as Standard.

To override the inherited filtering settings for a protocol, click the name of the protocol. The following custom settings are
available (some settings may not be available for some protocols):
• IP filter
• L7 sender filter
• L7 recipient filter
• Content filter
• Search Depth (packets)
• Sampling rate
• Maximum wait until written
• Maximum wait until dropped
• Maximum stream packets
• Minimum stream size
• Maximum stream size
• Segment Interval
• No traffic notification timeout (The maximum value for this setting is 360000 seconds.)
Use the SMTP Copy Rule to modify the source folder where this server retrieves SMTP message files. You can modify
the Source Folder by entering the full path to a folder.
In addition to the settings available through the Configure Server screen, you can specify advanced settings for this
server. To specify advanced configuration parameters, click Server Settings on the Server/Detector Detail screen.
Use caution when modifying advanced server settings. Check with Symantec Support before you change any advanced
setting.

Network Prevent for Web Server—Basic Configuration


Detection servers are configured from the Configure Server screen for each server. To display the Configure Server
screen, go to the Overview screen (System > Servers and Detectors > Overview) and click the name of the server in
the list. That server's Server/Detector Detail screen appears. Click Configure to display the Configure Server screen.
A Network Prevent for Web Server Configure Server screen is divided into a general section, a Symantec Encryption
Server Administration section, and two tabs:
• General section. This section specifies the server name, host, and port.
• ICAP tab. This tab is for configuring the Internet Content Adaptation Protocol (ICAP). Use the ICAP tab to configure the
web-based network traffic.
The ICAP tab is divided into four sections:
• The Trial Mode section enables you to test prevention without blocking traffic. When trial mode is selected, the server
detects incidents and creates incident reports, but it does not block any traffic. This option enables you to test your
policies without blocking traffic. Check the box to enable trial mode.
• Click the box in the Security Configuration section to enable Secure ICAP with the Blue Coat ProxySG server. You
also must have a keystore that is configured and must provide the keystore password when you enable secure ICAP.
Configuring a Secure ICAP keystore for Network Prevent for Web

For instructions on setting up the Secure ICAP client configuration with ProxySG, see the ProxySG documentation at
https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/proxysg/7-3.html
• The Request Filtering section configures traffic filtering criteria:

Field: Description

Ignore Requests Smaller Than: Specify the minimum body size of HTTP requests to inspect on this server. The default value is 4096 bytes. HTTP requests with bodies smaller than this number are not inspected.
Ignore Requests from Hosts or Domains: Enter the host names or domains whose requests should be filtered out (ignored). Enter one host or domain name per line.
Ignore Requests from User Agents: Enter the names of user agents whose requests should be filtered out (ignored). Enter one agent per line.
• The Response Filtering section configures the filtering criteria to manage HTTP responses:

Field: Description

Ignore Responses Smaller Than: Enter the minimum body size of HTTP responses to inspect on this server. The default value is 4096 bytes. HTTP responses with bodies smaller than this number are not inspected.
Inspect Content Type MIME types: Specify the MIME content types that you want this server to monitor. By default, this field contains content type values for standard Microsoft Office, PDF, and plain-text formats. You can add other MIME content type values. Enter separate content types on separate lines. For example, to inspect Excel files enter application/vnd.ms-excel.
Ignore Responses from Hosts or Domains: Enter the host names or domains whose responses are to be ignored. Enter one host or domain name per line.
Ignore Responses to User Agents: Enter the names of user agents whose responses are to be ignored. Enter one user agent per line.
• Click the OCR Engine tab to add an OCR Engine Configuration profile. Scroll to select a configuration.
• Click the Detection tab to change the Inspection Content Size.
• The Connection section configures settings for the ICAP connection between an HTTP proxy server and the Network Prevent for Web Server:

Field: Description

TCP Port: Specify the TCP port number that this server is to use to listen to ICAP requests. The same value must be configured on the HTTP proxy sending ICAP requests to this server. The recommended value is 1344.
Maximum Number of Requests: Enter the maximum number of simultaneous ICAP request connections. The default is 25.
Maximum Number of Responses: Enter the maximum number of simultaneous ICAP response connections from the HTTP proxy or proxies that are allowed. The default is 25.
Connection Backlog: Enter the maximum number of waiting connections allowed. Each waiting connection means that a user waits at their browser. The minimum value is 1.

Configuring Network Prevent for Web Server


See Configuring a Secure ICAP keystore for Network Prevent for Web for information on ICAP and capturing web-based
network traffic.
In addition to the settings available through the Configure Server screen, you can specify advanced settings for this
server. To specify advanced configuration parameters, click Server Settings on the Server/Detector Detail screen. Use
caution when modifying Advanced Server settings. Check with Symantec Support before you change any advanced
setting.

Network Discover Server and Network Protect—basic configuration


Detection servers are configured from each server's individual Configure Server screen. To display the Configure screen
for a server, go to the System > Servers and Detectors > Overview screen and click on the name of the server in the
list. That server's Server/Detector Detail screen is displayed. Click Configure. The server's Configure Server screen is
displayed.

A Network Discover Server's Configure Server screen is divided into the following sections:
• General section. This section is for specifying the server's name, host, and port.
Server configuration—basic
• Discover tab. This tab is for modifying the number of parallel scans that run on this Discover Server.
The maximum count can be increased at any time. After it is increased, any queued scans that are eligible to run on
the Network Discover Server are started. The count can be decreased only if the Network Discover Server has no
running scans. Before you reduce the count, pause or stop all scans running on the server.
To view the scans running on Network Discover Servers, go to Manage > Discover Scanning > Discover Targets.
About Symantec Data Loss Prevention administration
Server/Detector Detail screen
Server configuration—basic
Server controls
In addition to the settings available through the Configure Server screen, you can also specify advanced settings for
this server. To specify advanced configuration parameters, click Server Settings on the Server/Detector Detail screen.
Use caution when modifying advanced server settings. It is recommended that you check with Symantec Support before
changing any of the advanced settings.
Advanced server settings

Endpoint Prevent Server—Basic Configuration


To configure an Endpoint Prevent Server, navigate to System > Servers and Detectors > Overview page of the Enforce
Server administration console and click the server that you want to configure. On the Server/Detector Detail page that
appears, click Configure to display the Configure Server page for that server.
This topic describes only the areas of the Configure Server page that are related to configuring Endpoint Prevent
Servers. For general information about configuring detection servers, see Adding a detection server.
The Configure Server screen for an Endpoint Prevent Server is divided into the following areas:
• General section. This section is for specifying the server name, host, and port.
Server configuration—basic
• Endpoint Server tab. This tab is for adding agent security certificates to the Endpoint Prevent Server.

Endpoint Server tab


The Endpoint Server tab is divided into the following sections:

• Agent Listener section. Use this section to configure the Endpoint Prevent Server to listen for connections
from Symantec DLP Agents.
• Certificate Configuration section. Use this section to specify which certificate is used to authenticate and secure
communications with DLP Agents.

Table 335: Endpoint Prevent Server tab settings

Section, Field: Description

Agent Listener, Bind address: Enter the IP address on which the Endpoint Prevent Server listens for communications from the Symantec DLP Agents. The default IP address is 0.0.0.0, which allows the Endpoint Prevent Server to listen on all host IP addresses.
Agent Listener, Port: Enter the port over which the Endpoint Prevent Server listens for communications from the Symantec DLP Agents.
Note: Many Linux systems restrict ports below 1024 to root access. The Endpoint Prevent Server cannot be configured to listen for connections from Symantec DLP Agents on these restricted ports on Linux systems.
Certificate Configuration, KeyStore: Select the keystore that contains the certificate and key that identify the Endpoint Prevent Server. You can select either the DLP Default KeyStore that contains the self-signed certificate and key or a custom keystore that you added.
Certificate Configuration, TrustStore: Select the truststore that contains the certificate and key that the Endpoint Prevent Server uses to validate endpoint certificates. You can select either the DLP Default TrustStore that contains the self-signed certificate and key or a custom truststore that you added.
For information about the limitations of using custom certificates, see Limitations of DLP support for custom certificates.

NOTE
If you are using FIPS 140-2 mode for communication between the Endpoint Prevent Server and DLP Agents,
do not use Diffie-Hellman (DH) cipher suites. Mixing cipher suites prevents the agent and Endpoint
Prevent Server from communicating. You can confirm the current cipher suite setting by referring to the
EndpointCommunications.SSLCipherSuites setting on the Server Settings page.
Advanced server settings

Single Tier Monitor — basic configuration


Detection servers are configured from each server's individual Configure Server screen. To display the Configure
Server screen, go to the System > Servers and Detectors > Overview screen and click the name of the server in the
list. That server's Server/Detector Detail screen appears. Click Configure to display the Configure Server screen.
The Single Tier Monitor is a detection server that includes the detection capabilities of the Network Monitor, Network
Discover, Network Prevent for Web, Network Prevent for Email, and the Endpoint Prevent and Endpoint Discover
detection servers. Each of these detection server types is associated with one or more detection "channels." The Single
Server deployment simplifies Symantec Data Loss Prevention administration and reduces maintenance and hardware
costs for small organizations, or for branch offices of larger enterprises that would benefit from on-site deployments of
Symantec Data Loss Prevention.

About Symantec Data Loss Prevention administration
About the Overview screen
Server/Detector Detail screen
Server configuration—basic
Server controls
Advanced server settings
Related Links
Advanced Server Settings on page 734

Editing a detector
You can change the name of your detector on the Server/Detector Detail screen.
Editing the name of a detector
1. Go to System > Servers and Detectors > Overview and click on the name of the detector.
The Server/Detector Detail screen appears.
2. Click Edit.
The Edit Detector page appears.
3. Enter a new name for the detector in the Detector Name field.
4. Click Save.

Server and detector configuration—advanced


Symantec Data Loss Prevention provides advanced server and detector configuration settings for each detection server or
detector in your system.
NOTE
Check with Symantec Support before changing any advanced settings. If you make a mistake when changing
advanced settings, you can severely degrade performance or even disable the server entirely.
To change an advanced configuration setting for a detection server or detector
1. Go to System > Servers and Detectors > Overview and click on the name of the detection server.
That server's Server/Detector Detail screen appears.
2. Click Server Settings or Detector Settings, as appropriate.
The Server/Detector Detail - Advanced Settings screen appears.
3. With the guidance of Symantec Support, modify the appropriate setting(s).
4. Click Save.
Changes to settings on this screen normally do not take effect until you restart the server.
Advanced server settings

Server configuration—basic

Adding a detection server


Add the detection servers that you want to your Symantec Data Loss Prevention system from the System > Servers and
Detectors > Overview screen.

You can add the following types of servers:
• Network Monitor Server, which monitors network traffic.
• Network Discover Server, which inspects stored data for policy violations.
• Network Prevent for Email Server, which prevents SMTP violations.
• Cloud Prevent for Email Server, which prevents Microsoft Office 365 Exchange traffic violations.
• Network Prevent for Web Server, which prevents ICAP proxy server violations such as FTP, HTTP, and HTTPS.
• Endpoint Prevent Server, which controls Symantec DLP Agents that monitor and scan endpoints.
• Network Discover Cluster Server, which inspects stored data for policy violations.
• Single-Tier Server: By selecting the Single-Tier Server option, the detection servers that you have licensed are
installed on the same host as the Enforce Server. The single-tier server performs detection for the following products
(you must have a license for each): Network Monitor, Network Discover, Network Prevent for Email, Network Prevent
for Web, and Endpoint Prevent.
NOTE
Symantec recommends that you apply the same hardware and software configuration to all of the detection
servers that you intend to use for grid scans. Symantec Data Loss Prevention supports grid scans that have up
to 11 participating detection servers.
To add a detection server
1. Go to the System Overview screen (System > Servers and Detectors > Overview).
About the Overview screen
2. Click Add Server.
The Software Server screen appears.
3. Select the type of server you want to install and click Next.
The Configure Server screen for that detection server appears.
4. To perform the basic server configuration, use the Configure Server screen, then click Save when you are finished.
See Network Monitor Server—basic configuration
See Network Prevent for Email Server—basic configuration
See Symantec Data Loss Prevention Cloud Prevent for Microsoft 365 Implementation Guide for more details.
See Network Prevent for Web Server—basic configuration
See Network Discover Server and Network Protect—basic configuration
See Endpoint Prevent Server—basic configuration
5. In addition to the configuration steps specific to each server, you can configure the OCR Engine or Detection server
Inspection Content Size from tabs on this screen.
See Creating an OCR Configuration
See Increasing the inspection content size
6. To return to the System Overview screen, click Done.
Your new server is displayed in the Servers and Detectors list with a status of Unknown.
7. Click on the server to display its Server/Detector Detail screen.
See Server/Detector Detail screen
See View Information on the Discover Cluster Details Screen

8. Click [Recycle] to restart the server.
9. Click Done to return to the System Overview screen.
When the server is finished restarting, its status displays Running.
10. If necessary, click Server Settings on the Server/Detector Detail screen to perform Advanced Server configuration.
Advanced server settings

Server configuration—basic

Adding a cloud detector


A cloud detector is a Symantec Data Loss Prevention detection service deployed in the Symantec Cloud. After Symantec
has set up your detection service in the cloud, Symantec sends you an enrollment bundle. This bundle contains the
information that you need to set up the connection from your on-premises Enforce Server to the detection service in the
Symantec Cloud.
The enrollment bundle is a ZIP archive. For security reasons, you should save the unextracted ZIP file to a location that is
not accessible by other users. For example, on a Microsoft Windows system, save the bundle to a folder such as:
c:\Users\username\downloads
On a Linux system, save the bundle to a directory such as:
/home/username/

See the documentation for your cloud detector for more detailed information about the enrollment process.
After you have saved the enrollment bundle, register your cloud detector to enable communication between it and your
on-premises Enforce Server.
To register a cloud detector
1. Log on to the Enforce Server as Administrator.
2. Navigate to System > Servers and Detectors > Overview.
The Overview page appears.
3. Click Add Cloud Detector.
The Add Cloud Detector page appears.
4. Click Browse in the Enrollment Bundle File field.
5. Locate your saved enrollment bundle file, then enter a name in the Detector Name field.
6. Click Enroll Detector.
The Server/Detector Detail screen appears.
7. If necessary, click Detector Settings on the Server/Detector Detail screen to perform advanced detector
configuration.
Advanced detector settings
8. Click Done.

It may take several minutes for the Enforce Server administration console to show that the cloud detector is running. To
verify that the detector was added, check the System > Servers and Detectors > Overview page. The detector should
appear in the Servers and Detectors list with the Connected status.

Adding an appliance
After you have set up the appliance, you can register your detection appliance at the Enforce Server administration
console.
To add a detection appliance
1. Log on to the Enforce Server administration console as administrator.
2. Go to System > Servers and Detectors.
3. Click Add Server...Appliance.
The Add an Appliance screen appears.
4. Choose a detection appliance type to add, then click Next.

Configuring an appliance

Configuring an appliance
After you add an appliance and choose a detection appliance type, you can configure the appliance detection type.
Some of the configuration steps vary, depending on the server license you have purchased.
To configure the appliance identity, network information, and administrator credentials
1. Add a name for this appliance in the Appliance Name field.
2. Enter the 10-digit serial number that you received from Symantec in the Serial Number field.
3. Enter the host name or the IP address in the Hostname or IP Address field.
4. Enter admin in the User Name field.
5. Enter your administration password in the Password field.
6. Re-enter your password in the Re-enter Password field.
NOTE
This password is your console logon password that you configured previously. It is not your enable
password.

After you have set up the identity, network information, and administrator credentials, you can move on to enter
information specific to your detection appliance type.

Configuring the API Detection for Developer Apps Appliance
After you add the API Detection for Developer Apps Appliance, follow these configuration steps:
1. In the Enforce Server administration console, navigate to System > Servers and Detectors > Overview > Configure
Appliance.
2. Add a name for this appliance in the Appliance Name field.
3. Enter the 10-digit serial number that you received from Symantec in the Serial Number field.
4. Enter the host name or the IP address in the Hostname or IP Address field.
5. Enter the port number in the Port field.
6. Enter admin in the User Name field.
7. Enter your administration password in the Password field.
8. Re-enter your password in the Re-enter Password field.
NOTE
This password is your console logon password that you configured previously. It is not your enable
password.
9. In the Upload keystore for SSL certificate field, click Browse to select your PKCS12 keystore file.
10. Enter the keystore password in the Keystore password field.
11. To enable TLS client authentication, check the Enable TLS client authentication box. Leave this box unchecked to
disable TLS client authentication.
12. Optional: If you enabled TLS client authentication, click Browse in the Upload truststore to validate client
certificate field to select your PKCS12 truststore file.
13. If you enabled TLS client authentication, enter the truststore password in the Truststore password field.
14. Click Save.

Removing a server
An Enforce Server administration console lists the detection servers registered with it on the System > Servers and
Detectors > Overview screen. If Symantec Data Loss Prevention is uninstalled from a detection server, or that server is
stopped or disconnected from the network, its status is shown as Unknown on the console.
NOTE
See Uninstalling a server for information about uninstalling Symantec Data Loss Prevention from a server.
A detection server can be removed (de-registered) from an Enforce Server administration console. Removing a detection
server from an Enforce Server does not stop its Symantec Data Loss Prevention services: the de-registered server continues
to operate unless some action is taken to halt it. Incidents it detects are stored on the detection server. If the detection
server is re-registered with an Enforce Server, the incidents detected and stored are then forwarded to Enforce.
1. Go to System > Servers and Detectors > Overview.
About the Overview screen
2. In the Servers and Detectors section of the screen, click the red X on a server's status line to remove it from this
Enforce Server administration console.
Server controls

3. Click OK to confirm.
The server's status line is removed from the System Overview list.

Importing SSL certificates to Enforce or Discover servers


You can import SSL certificates to the Java trusted keystore on the Enforce or Discover servers. The SSL certificate can
be self-signed (server) or issued by a well-known certificate authority (CA).
You may need to import an SSL certificate to make secure connections to external servers such as Active Directory (AD).
If a recognized authority has signed the certificate of the external server, the certificate is automatically added to the
Enforce Server. If the server certificate is self-signed, you must manually import it to the Enforce or Discover Servers.

Table 336: Importing an SSL certificate to Enforce or Discover

Step 1: Copy the certificate file you want to import to the Enforce Server or Discover Server computer.
Step 2: Change the directory to where the JRE is located on the Enforce Server or Discover Server computer.
Locate the path based on the JRE type and the platform where your system is running:
• ServerJRE:
– Windows: C:\Program Files\Symantec\DataLossPrevention\ServerJRE\<version>\lib\security
– Linux: /opt/Symantec/DataLossPrevention/ServerJRE/<version>/bin/java
• OpenJRE:
– Windows: C:\Program Files\AdoptOpenJRE\jdk8u<version>-jre
– Linux: /opt/AdoptOpenJRE/jdk8u<version>-jre
Where <version> represents the installed JRE version.
Step 3: Execute the keytool utility with the -importcert option to import the public key certificate to the Enforce Server or
Discover Server keystore:
keytool -importcert -alias new_endpointgroup_alias -keystore ..\lib\security\cacerts -file my-domaincontroller.crt
In this example command, new_endpointgroup_alias is a new alias to assign to the imported certificate and
my-domaincontroller.crt is the path to your certificate.
Step 4: When you are prompted, enter the password for the keystore.
By default, the password is changeit. If you want, you can change the password when prompted.
To change the keystore password, use: keytool -storepasswd -keystore ..\lib\security\cacerts
Step 5: Answer Yes when you are asked if you trust this certificate.
Step 6: Restart the Enforce Server or Discover Server.
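The following shell script is an added example and is not part of the Symantec guide. It performs steps 3 to 5 of the table non-interactively, then verifies that the alias is actually present in the store and exposes the entry's SHA-256 fingerprint so it can be compared with the fingerprint the owner of the external server publishes. The JRE home, the alias, the certificate path and the default changeit store password are placeholders and assumptions; the restart in step 6 is still required after the import.

```shell
#!/bin/sh
# Added example, not from the Symantec guide: import a self-signed external
# server certificate (for example a domain controller's) into the cacerts
# truststore of the JRE that the Enforce or Discover Server uses, then verify it.
# Assumptions (labelled): the JRE home and certificate file are placeholders you
# replace; the store password is keytool's default "changeit" unless changed.

# The cacerts file lives under lib/security of the JRE home.
cacerts_path() {
    # $1 = JRE home, e.g. /opt/Symantec/DataLossPrevention/ServerJRE/<version> (placeholder)
    printf '%s/lib/security/cacerts\n' "$1"
}

# Import the certificate as a trusted entry. -noprompt answers the
# "Trust this certificate?" question with yes; omit it to review the
# fingerprint interactively before trusting the entry.
import_cert() {
    # $1 = cacerts path, $2 = alias, $3 = certificate file, $4 = store password
    keytool -importcert -noprompt -alias "$2" -keystore "$1" -storepass "$4" -file "$3"
}

# Return 0 if the alias is present in the store, 1 otherwise.
cert_present() {
    # $1 = cacerts path, $2 = alias, $3 = store password
    keytool -list -alias "$2" -keystore "$1" -storepass "$3" >/dev/null 2>&1
}

# Print the SHA-256 fingerprint of the stored entry for out-of-band comparison.
cert_fingerprint() {
    # $1 = cacerts path, $2 = alias, $3 = store password
    keytool -list -v -alias "$2" -keystore "$1" -storepass "$3" |
        sed -n 's/^[[:space:]]*SHA256: //p'
}

# End-to-end flow for one certificate. The Enforce or Discover Server must be
# restarted afterwards before the new trust anchor is used.
dlp_import_trusted_cert() {
    jre_home=$1 cert_alias=$2 cert_file=$3 storepass=${4:-changeit}
    store=$(cacerts_path "$jre_home")
    import_cert "$store" "$cert_alias" "$cert_file" "$storepass" || return 1
    cert_present "$store" "$cert_alias" "$storepass" || return 1
    echo "Imported $cert_alias into $store (SHA256 $(cert_fingerprint "$store" "$cert_alias" "$storepass"))."
    echo "Restart the Enforce or Discover Server to apply."
}
```

Run it as `dlp_import_trusted_cert /opt/Symantec/DataLossPrevention/ServerJRE/<version> new_endpointgroup_alias my-domaincontroller.crt`; the alias must not already exist in the store, and the Windows paths from the table apply unchanged apart from the path separator.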

Configuring directory server connections

About the Overview screen


The System Overview screen is reached by System > Servers and Detectors > Overview. This screen provides a
quick snapshot of system status. It lists information about the Enforce Server, and each registered detection server, cloud
detector, or appliance.
The System Overview screen provides the following features:
• The Software Server button is used to register a detection server. When this screen is first viewed after installation,
only the Enforce Server is listed. You must register your various detection servers with the Software Server button.
After you register detection servers, they are listed in the Servers and Detectors section of the screen.

Adding a detection server
• The Cloud Detector button is used to register a cloud detector. When this screen is first viewed after installation, only
the Enforce Server is listed. You must register your cloud detectors with the Cloud Detector button. After you register
cloud detectors, they are listed in the Servers and Detectors section of the screen.
• The Appliance button is used to register an appliance. When this screen is first viewed after installation, only the
Enforce Server is listed. You must register your appliances with the Appliance button. After you register your
appliances, they are listed in the Servers and Detectors section of the screen.
• The System Readiness and Appliances Update button is used to access the System Readiness and Appliances
Update screen, where you can run tests to confirm database update readiness and update appliances.
System Readiness and Appliances Update
• The Servers and Detectors section of the screen displays summary information about the status of each server,
detector, appliance, or Network Discover Cluster. It can also be used to remove (de-register) a server, detector,
appliance, or Network Discover Cluster.
Server and detector status overview
• The Recent Error and Warning Events section shows the last five events of error or warning severity for any of the
servers listed in the Servers and Detectors section.
Recent error and warning events list
• The License section of the screen lists the Symantec Data Loss Prevention individual products that you are licensed
to use.
Server configuration—basic
About Symantec Data Loss Prevention administration

Configuring the Enforce Server to use a proxy to connect to cloud services


To configure the Enforce Server to use a proxy to connect to cloud services, you must set up your proxy according to the
proxy manufacturer's instructions. Then you configure the Enforce Server to support the use of the proxy. After setting up
your proxy, use these instructions to complete the setup.
1. Go to System > Settings > General and click Configure. The Edit General Settings screen is displayed.
2. In the Enforce to Cloud Proxy Settings section, select one of the following proxy categories:
• No proxy, or transparent proxy, or
• Manual proxy
3. If you choose Manual proxy, fields for a URL, Port, and Proxy is Authenticated appear.
• Enter the HTTP Proxy URL. Do not include the protocol identifier.
• Enter a port number.
4. If you are using an authenticated proxy, also enter
• a user ID
• a password
NOTE
The Enforce Server supports basic authentication when using a proxy to connect to cloud services.
5. Click Save.

NOTE
For information about making sure that your network proxy is configured correctly for Microsoft Information
Protection, refer to the Microsoft documentation.

https://docs.microsoft.com/en-us/information-protection/develop/faqs-known-issues#error-proxyautherror-exception
https://docs.microsoft.com/en-us/azure/information-protection/requirements#firewalls-and-network-infrastructure

Safelisting Cloud Proxy Connections


You can safelist the following Cloud Proxy connection scenarios:
• Add local hosts to the Cloud Proxy safelist
• Safelist hosts to bypass the Cloud Proxy

Add Local Hosts to the Cloud Proxy Safelist

You can add local hosts to the Cloud Proxy safelist using the com.vontu.enforce.nonproxy.hosts property in the
Manager.properties file.
1. Open the Manager.properties file in a text editor.
2. Add a safelist entry to the file using the com.vontu.enforce.nonproxy.hosts property.
For example, to safelist the hosts 20.20.20.20 and 30.30.30.30, include this entry in your Manager.properties:
com.vontu.enforce.nonproxy.hosts=20.20.20.20|30.30.30.30

This setting does not perform DNS resolution or reverse IP lookup. If you have configured hostnames, you must
explicitly define both the hostname and IP address in your safelist. For example, if you have a host that is named
forty.com at the IP address 40.40.40.40, the safelist entry would be as follows:
com.vontu.enforce.nonproxy.hosts=40.40.40.40|forty.com

3. Save the changes to the Manager.properties file and close it.


4. Restart the Symantec DLP Manager service to apply your changes.
Safelist Hosts to Bypass the Cloud Proxy

You can safelist Enforce Server direct connections to bypass the Cloud Proxy. Safelisting is defined in the property setting
nonproxy.hosts in the Enforce Server Protect.properties file.

1. Configure the Cloud Proxy separately by completing the following steps:
a) Go to System > Settings > General.
b) Click Configure and, on the Edit General Settings page, locate the Enforce to Cloud Proxy Settings section.
2. Define the safelist information for the nonproxy.hosts setting.
Use the following examples when creating the safelist:
• Example 1: Two non-proxy IP addresses:
com.vontu.enforce.nonproxy.hosts=20.20.20.20|30.30.30.30
• Example 2: Two servers that are named forty.com and fifty.com, with connections configured with IP addresses.
The setting acts like a mask. No DNS name resolution or reverse IP lookups are done; you must define both, as
follows:
com.vontu.enforce.nonproxy.hosts=40.40.40.40|forty.com|50.50.50.50|fifty.com
3. Save your changes.
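As an added example that is not from the Symantec guide, covering both the Manager.properties procedure above and the nonproxy.hosts examples just given, the following shell functions read the com.vontu.enforce.nonproxy.hosts value from a constructed properties fragment and decide whether a given destination bypasses the Cloud Proxy. It assumes that each pipe-separated entry is compared literally against the host the Enforce Server connects to, with no DNS or reverse lookup, as the guide describes; wildcards are not assumed because the guide does not document them. The properties content and the host values are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the Symantec guide: evaluate which destinations
# bypass the Cloud Proxy for a given com.vontu.enforce.nonproxy.hosts value.
# Assumption (labelled): entries match as literal strings with no DNS
# resolution or reverse lookup, as the guide describes; no wildcard support
# is assumed because the guide does not document any.

# Print the property value from Manager.properties content read on stdin
# (last occurrence wins, as in a Java properties file).
nonproxy_hosts() {
    sed -n 's/^[[:space:]]*com\.vontu\.enforce\.nonproxy\.hosts[[:space:]]*=[[:space:]]*//p' | tail -n 1
}

# Return 0 if $1 (the host exactly as it appears in the outbound URL) is one
# of the pipe-separated entries in $2, otherwise 1.
bypasses_proxy() {
    dest=$1
    list=$2
    old_ifs=$IFS
    IFS='|'
    set -f                      # entries are literals: no glob expansion
    for entry in $list; do
        if [ "$entry" = "$dest" ]; then
            set +f; IFS=$old_ifs
            return 0
        fi
    done
    set +f; IFS=$old_ifs
    return 1
}

# Constructed sample Manager.properties fragment (not a file from the guide).
# forty.com is listed with its IP; 50.50.50.50 is listed without its name.
SAMPLE_PROPERTIES='# constructed sample
com.vontu.enforce.nonproxy.hosts=40.40.40.40|forty.com|50.50.50.50'

# Report "direct" or "proxy" for a destination under the sample configuration.
route_for() {
    list=$(printf '%s\n' "$SAMPLE_PROPERTIES" | nonproxy_hosts)
    if bypasses_proxy "$1" "$list"; then echo direct; else echo proxy; fi
}
```

With this sample, `route_for forty.com` and `route_for 40.40.40.40` both report direct, while `route_for fifty.com` reports proxy even though 50.50.50.50 is listed: the name has to be added explicitly, which is the point of the guide's second example.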

Server and detector status overview


The Servers and Detectors section of the System Overview screen is reached by System > Servers and Detectors >
Overview. This section of the screen provides a quick overview of system status.

Table 337: Server and detector statuses

Starting: The server is starting up.
Running: The server is running normally without errors.
Running Selected: Some Symantec Data Loss Prevention processes on the server are stopped or have errors. To see the
statuses of individual processes, you must first enable Advanced Process Control on the System Settings screen.
Enabling Advanced Process Control
Connected: The Network Discover Cluster is connected; the data node is able to establish the connection with the
Monitor Controller.
Stopping: The server is in the process of stopping Symantec Data Loss Prevention services.
Symantec Data Loss Prevention Services
Stopped: All Symantec Data Loss Prevention processes are stopped.
Unknown: The server is experiencing one of the following errors:
• The Enforce Server is not reachable from the server.
• Symantec Data Loss Prevention is not installed on the server.
• A license key has not been configured for the Enforce Server.
• There is a problem with Symantec Data Loss Prevention account permissions in Windows.

For each server and cluster, the following additional information appears. You can also click on any server name to
display the Server/Detector Detail screen for that server, or on any cluster name to display the Network Discover Cluster
Details screen for that cluster.

Table 338: Server, detector, and cluster status additional information

Messages (Last 10 sec): The number of messages processed in the last 10 seconds.
Messages (Today): The number of messages processed since 12:00 AM today.
Incidents (Today): The number of incidents processed since 12:00 AM today.
For Endpoint Servers, the Messages and Incidents counts are not aligned, because messages are processed at the
endpoint and not at the Endpoint Server. However, the incident count still increases.
Incident Queue: For the Enforce Server, this is the number of incidents that are in the database but do not yet have an
assigned status. This number is updated whenever this screen is generated.
For the other types of servers, this is the number of incidents that have not yet been written to the Enforce Server. This
number is updated approximately every 30 seconds. If the server is shut down, this number is the last number updated
by the server. Presumably the incidents are still in the incidents folder.
Message Wait Time: The amount of time it takes to process a message after it enters the system. This data applies to
the last message processed. If the server that processed the last message is disconnected, this is N/A.

To see details about a server, detector, or cluster
1. Click on any server name or cluster name to see additional details regarding that server or cluster.
Server/Detector Detail screen
View Information on the Discover Cluster Details Screen

To remove a server, detector, or cluster from an Enforce Server
1. Click the red X for that server or cluster, and then confirm your decision.

NOTE
Removing (de-registering) a server only disconnects it from this Enforce Server; it does not stop the detection
server from operating.
Removing a server

Recent error and warning events list


The Recent Error and Warning Events section of the System > Servers and Detectors > Overview screen shows the
last five events of either error or warning severity for any of the servers listed in the Servers and Detectors section.

Table 339: Recent error and warning events information

Type: The yellow triangle indicates a warning; the red octagon indicates an error.
Time: The date and time when the event occurred.
Server: The name of the server on which the event occurred.
Host: The IP address or name of the machine where the server resides. The server and host names may be the same.
Code: The system event code. The Message column provides the code text. Event lists can be filtered by code number.
Message: A summary of the error or warning message that is associated with this event code.

• To display a list of all error and warning events, click Show all.
• To display the Event Detail screen for additional information about that particular event, click an event.
About the Overview screen
System events reports
Server and Detectors event detail

Server/Detector Detail screen


The Server/Detector Detail screen provides detailed information about a single selected server, detector, or appliance.
The Server/Detector Detail screen is also used to control and configure a server, detector, or appliance.
To display the Server/Detector Detail screen for a particular server or detector
1. Navigate to the System > Servers and Detectors > Overview screen.
2. Click the detection server, detector, or appliance name in the Servers and Detectors list.

About the Overview screen


The Server/Detector Detail screen is divided into sections. The sections listed below cover all server, detector, and
appliance types; the system displays only the sections that apply to the selected server's detection type.

Table 340: Server Detail screen display sections

General: Identifies the server, displays system status and statistics, and provides controls for starting and stopping the
server and its processes.
Server controls
Configuration: Displays the Channels, Policy Groups, Agent Configuration, User Device, and Configuration Status for
the detection server.
All Agents: Displays a summary of all agents that are assigned to an Endpoint Server. Click the number next to an
agent status to view agent details on the System > Agents > Overview > Summary Reports screen.
Note: The system only displays the Agent Summary section for an Endpoint Server.
Recent Error and Warning Events: Displays the five most recent Warning or Severe events that have occurred on this
server. Click on an event to show event details. Click show all to display all error and warning events.
About system events
All Recent Events: Displays all events of all severities that have occurred on this server during the past 24 hours. Click
on an event to show event details. Click show all to display all detection server events.
Deployed Exact Data Profiles: Lists any Exact Data or Document Profiles you have deployed to the detection server.
The system displays the version of the index in the profile.

About the Overview screen


Server configuration—basic
Server controls
System events reports
Server and Detectors event detail

Configure Server - Edit Protocol Filtering


Use the Edit Protocol Filtering screen to override the system settings for the selected protocol on the Network Monitor
Server. You define system settings in the Configure Protocol screen (click System > Protocols).
The Use Standard Settings option in the Content Processing field is selected by default. This means that the Network
Monitor Server uses the system settings that are defined in the Configure Protocol screen. The remaining options on this
screen are disabled.
Click Use Custom Settings to override the system settings with the values that you enter in the remaining fields. If you do
not specify a value for a field, the server uses the default system value for that field.
Configure a protocol

Protocols screen

Advanced Server Settings


This topic covers the advanced settings for detection servers. There is another topic for advanced settings for cloud
detectors.
Detector advanced settings

Click Server Settings on the System > Servers and Detectors > Overview > Server/Detector Detail screen to modify
the settings on that server.
Use caution when modifying these settings on a server. Contact Broadcom Support before changing any of the settings on
this screen. Changes to these settings normally do not take effect until after the server has been restarted.
You cannot change settings for the Enforce Server from the Server/Detector Detail screen. The Server/Detector Detail -
Advanced Settings screen only displays for detection servers and detectors.
NOTE
If you change advanced server settings to Endpoint Prevent Servers in a load-balanced environment, you must
apply the same changes to all Endpoint Prevent Servers in the load-balanced environment.

Table 341: Detection server advanced settings

Setting Default Description

BoxMonitor.Channels Varies The values are case-sensitive and comma-


separated if multiple.
Although any mix of them can be
configured, the following are the
officially supported configurations:
• Network Monitor Server: Packet
Capture, Copy Rule
• Discover Server: Discover
• Endpoint Prevent Server: Endpoint
• Network Prevent for Email: Inline SMTP
• Network Prevent for Web: ICAP
BoxMonitor.DetectionServerDatabase on Enables the BoxMonitor process to start the
Automated Incident Remediation Tracking
database on the Detection Server. If you set
this to off, you must start the remediation
tracking database manually.
BoxMonitor.DetectionServer -Xrs -Xms300M -Xmx1024M Any combination of JVM memory flags can
DatabaseMemory be used.
BoxMonitor.DiskUsageError 90 The amount of disk space filled (as a
percentage) that triggers a severe system
event. For example, if Symantec Data Loss
Prevention is installed on the C drive and
this value is 90. In this case, the detection
server creates a severe system event when
the C drive usage is above 90%.
BoxMonitor.DiskUsageWarning 80 The amount of disk space filled (as a
percentage) that triggers a warning system
event. For example, if Symantec Data Loss
Prevention is installed on the C drive and
this value is 80, then the detection server
generates a warning system event when
the C drive usage is above 80%.
BoxMonitor.EndpointServer on Enables the Endpoint Prevent Server.
BoxMonitor.EndpointServerMemory -Xrs -Xms300M -Xmx4096M Any combination of JVM memory flags can
be used. For example: -Xrs -Xms300m -
Xmx1024m.

735
Setting Default Description

BoxMonitor.FileReader on If off, the BoxMonitor cannot start the


FileReader, although it can still be started
manually.
BoxMonitor.FileReaderMemory -Xrs -Xms1200M -Xmx4G FileReader JVM command-line arguments.
BoxMonitor.HeartbeatGapBeforeRestart 960000 The time interval in milliseconds that the
BoxMonitor waits for a monitor process
(for example, FileReader, IncidentWriter)
to report the heartbeat. If the heartbeat is
not received within this time interval the
BoxMonitor restarts the process.
BoxMonitor.IncidentWriter on If off, the BoxMonitor cannot start the
IncidentWriter in the two-tier mode,
although it can still be started manually.
This setting has no effect in the single-tier
mode.
BoxMonitor.IncidentWriterMemory -Xrs IncidentWriter JVM command-line
arguments. For example: -Xrs
BoxMonitor.InitialRestartWaitTime 5000 The time interval in milliseconds that the BoxMonitor waits after restarting a monitor process, such as FileReader or IncidentWriter.
BoxMonitor.MaxRestartCount 3 The number of times that a process can be
restarted in one hour before generating a
SEVERE system event.
BoxMonitor.MaxRestartCountDuringStartup 5 The maximum number of times that the monitor server attempts to restart on its own during startup.
BoxMonitor.PacketCapture on If off, the BoxMonitor cannot start
PacketCapture, although it can still be
started manually. The PacketCapture
channel must be enabled for this setting to
work.
BoxMonitor.PacketCaptureDirectives -Xrs PacketCapture command-line parameters
(in Java). For example: -Xrs
BoxMonitor.ProcessLaunchTimeout 30000 The time interval (in milliseconds) for a
monitor process (for example, FileReader)
to start.
BoxMonitor.ProcessShutdownTimeout 45000 The time interval (in milliseconds) allotted
to each monitor process to shut down
gracefully. If the process is still running after
this time the BoxMonitor attempts to kill the
process.
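To make the restart rules in the BoxMonitor rows above concrete, here is an added illustration in Python (not Symantec code): a small watchdog model that applies BoxMonitor.HeartbeatGapBeforeRestart, BoxMonitor.InitialRestartWaitTime and BoxMonitor.MaxRestartCount to a constructed timeline of heartbeats. The class and method names, the decision to start the post-restart grace period from the restart time, and the one-hour sliding window are assumptions of the example.

```python
from collections import deque

ONE_HOUR_MS = 3_600_000  # "restarted in one hour" window from the MaxRestartCount row


class BoxMonitorWatchdog:
    """Model of the watchdog rules described above (added illustration, not
    Symantec code). Times are milliseconds from a caller-supplied clock so the
    behaviour is deterministic and testable without sleeping."""

    def __init__(self, heartbeat_gap_ms=960_000, initial_restart_wait_ms=5_000,
                 max_restart_count=3):
        self.heartbeat_gap_ms = heartbeat_gap_ms                # BoxMonitor.HeartbeatGapBeforeRestart
        self.initial_restart_wait_ms = initial_restart_wait_ms  # BoxMonitor.InitialRestartWaitTime
        self.max_restart_count = max_restart_count              # BoxMonitor.MaxRestartCount
        self._last_heartbeat = {}   # process name -> time of last heartbeat
        self._restarts = {}         # process name -> deque of restart times (last hour)
        self.events = []            # (severity, message) system events raised

    def heartbeat(self, process, now_ms):
        """Record a heartbeat reported by a monitor process (e.g. FileReader)."""
        self._last_heartbeat[process] = now_ms

    def tick(self, process, now_ms):
        """Evaluate one process at time now_ms; return 'ok' or 'restart'."""
        last = self._last_heartbeat.setdefault(process, now_ms)
        if now_ms - last <= self.heartbeat_gap_ms:
            return "ok"
        # Heartbeat overdue: restart the process and remember when we did so.
        history = self._restarts.setdefault(process, deque())
        history.append(now_ms)
        while history and now_ms - history[0] >= ONE_HOUR_MS:
            history.popleft()   # only restarts inside the last hour count
        # Assumption: after a restart the BoxMonitor waits InitialRestartWaitTime
        # before it expects the next heartbeat, so the clock starts from then.
        self._last_heartbeat[process] = now_ms + self.initial_restart_wait_ms
        if len(history) > self.max_restart_count:
            self.events.append(("SEVERE", f"{process} restarted {len(history)} "
                                          f"times within one hour"))
        return "restart"

    def restart_count(self, process):
        return len(self._restarts.get(process, ()))


def run_failing_filereader_scenario():
    """Constructed timeline: FileReader heartbeats once at t=0 and then never
    again, so every check after the gap expires triggers a restart. Returns the
    per-tick decisions and the system events raised."""
    wd = BoxMonitorWatchdog()
    wd.heartbeat("FileReader", 0)
    decisions = [wd.tick("FileReader", t)
                 for t in (500_000, 1_000_000, 2_000_000, 3_000_000, 4_000_000)]
    return decisions, wd.events


if __name__ == "__main__":
    decisions, events = run_failing_filereader_scenario()
    print(decisions)  # ['ok', 'restart', 'restart', 'restart', 'restart']
    print(events)     # one SEVERE event, raised by the fourth restart inside the hour
```

The fourth restart inside the hour is what crosses BoxMonitor.MaxRestartCount=3, so that is where the SEVERE event appears; three restarts in an hour stay silent, which is worth remembering when you tune the value.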
BoxMonitor.RequestProcessor on If off, the BoxMonitor cannot start the
RequestProcessor; although, it can still be
started manually. The Inline SMTP channel
must be enabled for this setting to work.
BoxMonitor.RequestProcessorMemory -Xrs -Xms300M -Xmx1300M Any combination of JVM memory flags can be used. For example: -Xrs -Xms300M -Xmx1300M
BoxMonitor.RmiConnectionTimeout 15000 The time interval (in milliseconds) allowed
to establish a connection to the RMI object.

BoxMonitor.RmiRegistryPort 37329 The TCP port on which the BoxMonitor starts the RMI registry.
BoxMonitor.StatisticsUpdatePeriod 10000 The monitor statistics are updated after this
time interval (in milliseconds).
Classification.WebserviceLogRetentionDays 7 Specifies the number of days that classification web service logs are retained.
ContentExtraction.DefaultCharsetForSubFileName N/A Defines the default character set that is used to decode the sub-filename if the charset conversion fails.
ContentExtraction.EnableMetaData off Allows detection on the file metadata. If
the setting is turned on, you can detect
metadata for Microsoft Office and PDF files.
For Microsoft Office files, OLE metadata
is supported, which includes the fields
Title, Subject, Author, and Keywords. For
PDF files, only Document Information
Dictionary metadata is supported. This
metadata includes fields such as Author,
Title, Subject, Creation, and Update dates.
Extensible Metadata Platform (XMP)
content is not detected. Enabling this
metadata detection option can cause false
positives.
ContentExtraction.ImageExtractorEnabled 1 Allows you to adjust or turn off the content extraction for Form Recognition.
The default setting, 1, loads the Image Extractor plug-in on demand. If one or more Form Recognition rules are used, the Dynamic Image Extractor plug-in automatically loads on the detection server when the corresponding policy updates are received. When Form Recognition rules are deleted or disabled, the plug-in automatically unloads. This option prevents the Dynamic Image Extractor plug-in from running if Form Recognition is not being used.
Enter 0 to disable the Image Extractor plug-in. This setting prevents Form Recognition from extracting images, effectively disabling the feature.
Enter 2 if you want the Image Extractor plug-in to load when the content extraction service launches after the detection server starts up. The plug-in continues to run regardless of whether Form Recognition policies have been configured.
ContentExtraction.LongContentSize 1M If the message component exceeds
this size (in bytes), then the
ContentExtraction.LongTimeout
is used instead of
ContentExtraction.ShortTimeout.

ContentExtraction.LongTimeout Varies The default value for this setting varies depending on the detection server type (60,000 or 120,000).
The time interval (in milliseconds) given to the ContentExtractor to process a document larger than ContentExtraction.LongContentSize. If the document cannot be processed within the specified time, it is reported as unprocessed. This value should be greater than ContentExtraction.ShortTimeout and less than ContentExtraction.RunawayTimeout.
ContentExtraction.MarkupAsText off Bypasses Content Extraction for files that
are determined to be XML or HTML. This
setting should be used in cases where web
pages contain data in the header block or
script blocks. Default is off.
ContentExtraction.MaxContentSize 30M The maximum size (in MB) of the
document that can be processed by the
ContentExtractor.
ContentExtraction.MaxNumImagesToExtract 10 The maximum number of images to extract from PDF files and multi-page TIFF documents.
ContentExtraction.RunawayTimeout 300,000 The time interval (in milliseconds) given to the ContentExtractor to finish processing any document. If the ContentExtractor does not finish processing a document within this time, it is considered unstable and is restarted. This value should be greater than ContentExtraction.LongTimeout.
ContentExtraction.ShortTimeout 30,000 The time interval (in milliseconds) given to the ContentExtractor to process a document smaller than ContentExtraction.LongContentSize. If the document cannot be processed within the specified time, it is reported as unprocessed. This value should be less than ContentExtraction.LongTimeout.
ContentExtraction.TemporaryDirectory N/A Specifies the directory for temporary
content extraction files.

ContentExtraction.TrackedChanges off Allows detection of content that has changed over time (Track Changes content) in Microsoft Office documents.
Note: Enabling this option might reduce the accuracy rate for IDM and data identifiers. The default is off (disallow).
To index content that has changed over time, set ContentExtraction.TrackedChanges=on in the Indexer.properties file. The default and recommended setting is off.
DDM.MaxBinMatchSize 30,000,000 The maximum size (in bytes) used to generate the MD5 hash for an exact binary match in an IDM. This setting should not be changed. The following conditions must be met for IDM to work correctly:
• This setting must be identical to the max_bin_match_size setting on the Enforce Server in the indexer.properties file.
• This setting must be smaller than or equal to the FileReader.MaxFileSize value.
• This setting must be smaller than or equal to the ContentExtraction.MaxContentSize value on the Enforce Server in the indexer.properties file.
Note: Changing the first or third item in the list requires re-indexing all IDM files.

Detection.EncodingGuessingDefaultEncoding ISO-8859-1 Specifies the backup encoding that is assumed for a byte stream.
Detection.EncodingGuessingEnabled on Designates whether the encoding of
unknown byte streams should be guessed.
Detection.EncodingGuessingMinimumConfidence 50 Specifies the confidence level that is required for guessing the encoding of unknown byte streams.
Detection.MessageTimeoutReportIntervalInSeconds 3600 Number of seconds between each System Event published to report the number of messages that have timed out recently. These System Events are scheduled at a fixed rate, but an event is skipped if no messages have timed out in that period.
DI.MaxViolations 100 Specifies the maximum number of
violations that are allowed with data
identifiers.

Discover.CountAllFilteredItems false Provides more accurate scan statistics by counting the items in folders skipped because of filtering.
Setting the value to false enables optimized Discover path filters, which improve performance but may occasionally lead to unexpected filter behavior. Optimized filters normalize slashes, truncate filter strings before wildcard characters, and remove trailing slashes. Therefore, the filter string /Fol*der matches /Folder, but it also matches /FolXYZ.
Set this value to true to disable optimized Discover path filters.
Discover.Exchange.FollowRedirects true Specifies whether to follow redirects.
Symantec Data Loss Prevention follows
redirects only from the public root folder.
Discover.Exchange.ScanHiddenItems false Scan hidden items in Exchange
repositories, when set to true.
Discover.Exchange.UseSecureHttpConnections true Specifies whether connections to Exchange repositories and Active Directory are secure when using the Exchange Web Services crawler.
Discover.IgnorePstMessageClasses IPM.Appointment,IPM.Contact,IPM.Task,REPORT.IPM.Note.DR,REPORT.IPM.Note.IPNRN This setting specifies a comma-separated list of .pst message classes. All items in a .pst file that have a message class in the list are ignored (no attempt is made to extract the .pst item). This setting is case-sensitive.
Discover.IncludePstMessageClasses IPM.Note This setting specifies a comma-separated
list of .pst message classes. All items in a
.pst file that have a message class in the
list are included.
When both the include setting and
the ignore setting are defined,
Discover.IncludePstMessageClasses takes
precedence.
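As an added illustration (not Symantec code) of the two filtering behaviours described in the Discover.CountAllFilteredItems and Discover.*PstMessageClasses rows above, the following Python models an optimized path filter that is truncated before its first wildcard, the full wildcard match that applies when optimized filters are disabled, and the include-over-ignore, case-sensitive .pst message-class check. The function names, the exact normalization steps and the sample paths are assumptions of the example; they follow the descriptions in the table, not the product's implementation.

```python
import fnmatch
import re

# Defaults copied from the Discover.*PstMessageClasses rows above.
DEFAULT_INCLUDE_CLASSES = "IPM.Note"
DEFAULT_IGNORE_CLASSES = ("IPM.Appointment,IPM.Contact,IPM.Task,"
                          "REPORT.IPM.Note.DR,REPORT.IPM.Note.IPNRN")


def normalize_path(path):
    """Normalize slashes as the optimized filter does: collapse '\\' and
    repeated '/' to a single '/', and drop a trailing slash."""
    norm = re.sub(r"[\\/]+", "/", path)
    return norm.rstrip("/") if len(norm) > 1 else norm


def optimized_prefix(filter_string):
    """Truncate the filter before its first wildcard ('*' or '?') and
    normalize what is left; the result is used as a plain prefix."""
    literal = re.split(r"[*?]", filter_string, maxsplit=1)[0]
    return normalize_path(literal) if literal else ""


def path_filter_matches(path, filter_string, optimized=True):
    """optimized=True models Discover.CountAllFilteredItems=false (prefix match on
    the truncated filter); optimized=False models the full wildcard match."""
    path = normalize_path(path)
    if optimized:
        return path.startswith(optimized_prefix(filter_string))
    return fnmatch.fnmatchcase(path, normalize_path(filter_string))


def pst_item_included(message_class, include_classes=DEFAULT_INCLUDE_CLASSES,
                      ignore_classes=DEFAULT_IGNORE_CLASSES):
    """Decide whether a .pst item is extracted. The include list takes
    precedence when it is non-empty; comparison is exact and case-sensitive."""
    include = {c.strip() for c in include_classes.split(",") if c.strip()}
    ignore = {c.strip() for c in ignore_classes.split(",") if c.strip()}
    if include:
        return message_class in include
    return message_class not in ignore


if __name__ == "__main__":
    # Constructed paths: the optimized filter also matches the sibling folder.
    for p in ("/Folder", "/FolXYZ", "/FolderX/a.txt"):
        print(p, path_filter_matches(p, "/Fol*der"),
              path_filter_matches(p, "/Fol*der", optimized=False))
```

The /Folder/* case is the one to watch in practice: after the trailing-slash removal the optimized prefix is /Folder, so a filter meant for one folder also covers /FolderX, /Folder-archive and so on. If an exclusion filter must be exact, set Discover.CountAllFilteredItems to true and accept the performance cost.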
Discover.PollInterval 10000 Specifies the time interval (in milliseconds)
at which Enforce retrieves data from the
Discover monitor while scanning.
Discover.Sharepoint.FetchACL true Controls ACL fetching for integrated SharePoint scans; set to false to turn ACL fetching off. The default value is true (on).
Discover.Sharepoint.SocketTimeout 60000 Sets the timeout value of the socket
connection (in milliseconds) between
the Network Discover server and the
SharePoint target.

Discover.ValidateSSLCertificates false Set to true to enable validation of the SSL certificates for the HTTPS connections to SharePoint and Exchange targets. When validation is enabled, scanning SharePoint or Exchange servers that use self-signed or untrusted certificates fails. If the SharePoint web application or Exchange server presents a certificate that is issued by a certificate authority (CA), the server certificate or the CA certificate must reside in the Java trusted keystore that is used by the Discover Server. If the certificate is not in the keystore, you must import it manually using the keytool utility.
See: Importing SSL certificates to Enforce or Discover servers
DiscoverCluster.AclFetcherTimeoutInSeconds
180 The time interval (in seconds) for ACL
fetcher threads if ACLs are fetched
asynchronously. This setting has no effect if
DiscoverCluster.FetchAclAsynchronously
is set to False.
DiscoverCluster.FetchAclAsynchronously false If enabled (true), the worker nodes fetch the
ACL asynchronously.
The default setting is disabled (false).
DiscoverCluster.ContentFetcherThreadPoolSize
24 Specifies the bounded thread pool size for a content fetcher, between 4 and 24.
DiscoverCluster.CrawlerThreadPoolSize 1 Specifies the number of crawler threads
on the worker node. The crawler thread is
responsible for picking up the next folder for
scanning.
DiscoverCluster.DataNodeDiskSpace.CriticalThresholdInGB
20 The lower limit for disk space (in GB) that
is used for triggering an internal pause and
resume, and computing the cluster health
status.
For instance, when the data node disk space goes below DiscoverCluster.DataNodeDiskSpace.CriticalThresholdInGB, the Cluster Health Status is changed to Critical and the File System - High Speed Discovery scans are paused internally.
DiscoverCluster.DataNodeDiskSpace.WarningThresholdInGB
40 The upper limit for disk space (in GB) that
is used for triggering an internal pause and
resume, and computing the cluster health
status.
For instance, when the data node disk space goes below DiscoverCluster.DataNodeDiskSpace.WarningThresholdInGB, the Cluster Health Status is changed to Warning. When the data node disk space goes back above DiscoverCluster.DataNodeDiskSpace.WarningThresholdInGB, the internally paused File System - High Speed Discovery scans are internally resumed.

DiscoverCluster.ContentFetcherTimeoutInSeconds
1800 The time interval (in seconds) to fetch the content of an item. If the item cannot be downloaded within the specified time and the allowed number of retry attempts is exceeded, the item is reported as failed.
DiscoverCluster.ContainerFetcherTimeoutInSeconds
10800 The time interval (in seconds) to download the content of a PST item. If the item cannot be downloaded within the specified time and the allowed number of retry attempts is exceeded, the item is reported as failed.
EndpointCommunications.AllowLegacyAgentToConnect
0 Specifies whether DLP Agents earlier
than version 16.0 are allowed to connect
to Endpoint Prevent Servers that use a
custom truststore:
• 0 - Not allowed (Default)
• 1 - Allowed
EndpointCommunications.CertificateRevocationCheckProtocol
CRL The protocol used to verify the revocation status of custom endpoint certificates. Accepted values:
• None
• CRL (Default)
• OCSP
• OCSP+CRL
EndpointCommunications.ClientAuthSessionTimeoutInSeconds
86400 The time in seconds during which custom
endpoint certificates are not subjected to
revocation checks.
During this interval, the DLP Agent does not
send the endpoint certificate to Endpoint
Prevent Server.
EDM.HighlightAllMatchesInProximity false If false (default), the system highlights the
minimum number of matches, starting from
the leftmost. For example, if the EDM policy
is configured to match 3 out of 8 column
fields in the index, only the first 3 matches
are highlighted in the incident snapshot.
If true, the system highlights all matches
occurring in the proximity window, including
duplicates. For example, if the policy is
configured to match 3 of 8 and there are
7 matches occurring within the proximity
window, the system highlights all 7 matches
in the incident snapshot.
EDM.MatchCountVariant 3 Specifies how matches are counted.
• 1 - Counts the total number of token
sets matched.
• 2 - Counts the number of unique token
sets matched.
• 3 - Counts the number of unique super
sets of token sets. (default)

EDM.MaximumNumberOfMatchesToReturn 100 Defines a top limit on the number of matches returned from each RAM index search.
EDM.RunProximityLogic true If true, runs the token proximity check.
EDM.SimpleTextProximityRadius 35 Number of tokens that are evaluated
together when the proximity check is
enabled.
EDM.TokenVerifierEnabled false If enabled (true), the server validates tokens
for Chinese, Japanese, and Korean (CJK)
keywords.
Default is disabled (false).
EMDI.MaxLookups 10000 Maximum number of EMDI lookups.
Increasing the limit above the default
value of 10000 increases the likelihood of
false positives and performance degrades
linearly. For example, a setting of 20000 is
twice as slow as a setting of 10000.
To change this setting, add
EMDI.MaxLookups=<value> to the
protect.properties file.
EndpointCommunications.AllConnInboundDataThrottleInKBPS 0 If enabled, limits the transfer rate of all inbound traffic in kilobits per second. Default is disabled.
Changes to this setting apply to all new connections. Changes do not affect existing connections.
EndpointCommunications.AllConnOutboundDataThrottleInKBPS 0 If enabled, limits the transfer rate of all outbound traffic in kilobits per second. Default is disabled.
Changes to this setting apply to all new connections. Changes do not affect existing connections.
EndpointCommunications.ApplicationHandshakeTimeoutInSeconds 60 Maximum time for the server to wait for each round trip during application handshake communications before closing the server-to-agent connection.
Applies to the duration of time between
when the agent accepts the TCP
connection and when the agent receives
the handshake message. This duration
includes the SSL handshake and the
agent receiving the HTTP headers. If the
process exceeds the specified duration, the
connection closes.
Changes to this setting apply to all new
connections. Changes do not affect existing
connections.
EndpointCommunications.MaxActiveAgentsPerServer 90000 Sets the maximum number of agents that are associated with a given server at any moment in time.
This setting is implemented after the next
Endpoint Prevent Server restart.

EndpointCommunications.MaxActiveAgentsPerServerGroup 150000 Sets the maximum number of agents that are associated with a given group of servers behind the same local load balancer at any moment in time. Used for maximum sizes of caches for internal endpoint features.
This setting is implemented after the next Endpoint Prevent Server restart.
EndpointCommunications.MaxConcurrentConnections 90000 Sets the maximum number of simultaneous connections to allow.
Changes to this setting apply to all new
connections. Changes do not affect existing
connections.
EndpointCommunications.MaxConnectionLifetimeInSeconds 86400 (1 day) Sets the maximum time to allow a connection to remain open. Do not set connections to remain open indefinitely.
Connections that close ensure that SSL
session keys are frequently updated to
improve security. This timeout only applies
during the normal operation phase of a
connection, after the SSL handshake
and application handshake phases of a
connection.
This setting is implemented immediately to
all connections.
EndpointCommunications.ShutdownTimeoutInMillis 5000 (5 seconds) Sets the maximum time to wait to gracefully close connections during shutdown before forcing connections to close.
This setting is implemented immediately to
all connections.
EndpointCommunications.SSLCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA Lists the allowed SSL cipher suites. Enter multiple entries separated by commas.
Changes to this setting apply to all new connections. Changes do not affect existing connections. You must restart the Endpoint Prevent Server for changes you make to take effect. See: Server controls
If you are using FIPS 140-2 mode for communication between the Endpoint Prevent Server and DLP Agents, do not use Diffie-Hellman (DH) cipher suites. Mixing cipher suites prevents the agent and Endpoint Prevent Server from communicating.
EndpointCommunications.SSLSessionCacheTimeoutInSeconds 86400 Sets the maximum SSL session entry lifetime in the SSL session cache. The default setting equals one day. This setting is implemented after the next Endpoint Prevent Server restart.

EndpointMessageStatistics.MaxFileDetectionCount 100 The maximum number of times a valid file is scanned. The file must not cause an incident. After this number is exceeded, a system event is generated recommending that the file be filtered out.
EndpointMessageStatistics.MaxFolderDetectionCount 1800 The maximum number of times a valid folder is scanned. The folder must not cause an incident. After this number is exceeded, a system event is generated recommending that the folder be filtered out.
EndpointMessageStatistics.MaxMessageCount 2000 The maximum number of times a valid message is scanned. The message must not cause an incident. After this number is exceeded, a system event is generated recommending that the message be filtered out.
EndpointMessageStatistics.MaxSetSize 3 The maximum number of hosts listed as the sources of the valid files, folders, and messages. When a system event for EndpointMessageStatistics.MaxFileDetectionCount, EndpointMessageStatistics.MaxFolderDetectionCount, or EndpointMessageStatistics.MaxMessageCount is generated, Symantec Data Loss Prevention lists the host machines where these system events were generated. This setting limits the number of hosts that are displayed in the list.
EndpointServer.Discover.ScanStatusBatchInterval 60000 The interval of time in milliseconds that the Endpoint Prevent Server accumulates Endpoint Discover scan statuses before forwarding them to the Enforce Server as a batch.
EndpointServer.Discover.ScanStatusBatchSize
1000 The number of scan statuses the Aggregator accumulates before sending them to the Enforce Server as a batch. The Endpoint Prevent Server forwards a batch of statuses to the Enforce Server when the status count reaches the configured value. The batch is forwarded to the Enforce Server when either of the following thresholds is met:
• EndpointServer.Discover.ScanStatusBatchInterval
• EndpointServer.Discover.ScanStatusBatchSize

EndpointServer.EndpointSystemEventQueueSize 20000 The maximum number of system events that can be stored in the endpoint queue of the agent that is sent to the Endpoint Prevent Server. If the database connection is lost or some other occurrence results in a massive number of system events, any additional system events that occur after this number is reached are discarded. This value can be adjusted according to memory requirements.
EndpointServer.MaxPercentageMemToStoreEndpointFiles 60 The maximum amount (in percentage) of memory to use to store shadow cache files.
EndpointServer.MaxTimeToKeepEndpointFilesOpen 20000 The time interval (in minutes) for which an endpoint file is kept open. The file is closed when this interval elapses or when the file size exceeds the EndpointServer.MaxEndpointFileSize setting, whichever occurs first.
EndpointServer.MaxTimeToWaitForWriter 1000 The maximum time (in milliseconds) that
the agent waits to connect to the server.
EndpointServer.NoOfRecievers 15 The number of endpoint shadow cache file
receivers.
EndpointServer.NoOfWriters 10 The number of endpoint shadow cache file
writers.
FileReader.MaxFileSize 30M The maximum size (in MB) of a message
to be processed. Larger messages
are truncated to this size. To process
large files, ensure that this value is
equal to or greater than the value of
ContentExtraction.MaxContentSize.
FileReader.MaxFileSystemCrawlerMemory Network Discover Server: 1024M; Network Discover Cluster: 1200M The maximum memory that is allocated for the File System Crawler. If this value is less than FileReader.MaxFileSize, the greater of the two values is assigned.
FileReader.MaxReadGap 15 The time that a child process can have data
but not have read anything before it stops
sending heartbeats.
FileReader.ScheduledInterval 1000 The time interval (in milliseconds) between
drop folder checks by the file reader. This
affects Copy Rule, Packet Capture, and File
System channels only.
FileReader.TempDirectory Path to a secure directory as specified in the filereader.temp.io.dir attribute in the FileReader.properties configuration file A secure directory on the detection server in which to store temporary files for the file reader.
FormRecognition.ALIGNMENT_COEFFICIENT 85.00 A threshold on a scale from 0 to 100, indicating how well an image should align with an indexed gallery form to create an incident.
FormRecognition.CANONICAL_FORM_WIDTH 930 The width in pixels to which all images are internally resized for form recognition.

Icap.AllowHosts any The default value of "any" permits all systems to connect to the Network Prevent for Web Server on the ICAP service port. Replacing "any" with the IP address or Fully Qualified Domain Name (FQDN) of one or more systems restricts ICAP connections to just those designated systems. To designate multiple systems, separate their IP addresses or FQDNs with commas.
Icap.AllowStreaming false If true, ICAP output is streamed to the proxy
directly without buffering the ICAP request
first.
Icap.BindAddress 0.0.0.0 IP address to which a Network Prevent
for Web Server listener binds. When
BindAddress is configured, the server only
answers a connection to that IP address.
The default value of 0.0.0.0 is a wild
card that permits listening to all available
addresses including 127.0.0.1.
Icap.BufferSize 3K The size (in kilobytes) of the memory
buffer that is used for ICAP request
streaming and chunking. The streaming
can happen only if the request is larger than
FileReader.MaxFileSize and the request
has a Content-Length header.
Icap.DisableHealthCheck false If true, disables the ICAP periodic self-
check. If false, enables the ICAP periodic
self-check. This setting is useful for
debugging to remove clutter produced by
self-check requests from the logs.
Icap.EnableIncidentSuppression true Enables the Incident Suppression cache for
Gmail Tablet ICAP traffic.
Icap.EnableTrace false If set to true, protocol debug tracing is
enabled once a folder is specified using the
Icap.TraceFolder setting.
Icap.ExchangeActiveSyncCommandsToInspect SendMail A comma-separated, case-sensitive list of ActiveSync commands that must be sent through Symantec Data Loss Prevention detection. If this parameter is left blank, ActiveSync support is disabled. If this parameter is set to "any", all ActiveSync commands are inspected.
Icap.IncidentSuppressionCacheCleanupInterval 120000 The time interval in milliseconds for running the Incident Suppression cache clean-up thread.
Icap.IncidentSuppressionCacheTimeout 120000 The time in milliseconds to invalidate the
Incident Suppression cache entry.

Icap.LoadBalanceFactor 1 The number of web proxy servers that a server is able to communicate with. For example, if the server is configured to communicate with 3 proxies, set the Icap.LoadBalanceFactor value to 3.
Icap.SpoolFolder N/A This value is needed for ICAP Spools.
Icap.TraceFolder N/A The fully qualified name of the folder or
directory where protocol debug trace data
is stored when the Icap.EnableTrace
setting is true. By default, the value for this
setting is left blank.
ImagePreclassifier.ENABLE_FORM_RECOGNITION_PRECLASSIFIER true Determines what types of images are processed for form recognition. If true, Symantec Data Loss Prevention filters out colorful photographs, images such as logos, email signatures, and other images that are not characteristic of forms. If false, Symantec Data Loss Prevention processes all images.
ImagePreclassifier.ENABLE_OCR_PRECLASSIFIER true Determines what types of images are processed for optical character recognition (OCR). If true, Symantec Data Loss Prevention filters out colorful photographs, images such as logos, email signatures, and other images that do not include meaningful text. If false, Symantec Data Loss Prevention processes all images.
ImageRecognition.NUM_WORKER_THREADS 2 The number of threads in the pool used by the image recognition detection process. The value for this setting should equal half of the number of physical cores on your system.
IncidentDetection.IncidentLimitResetTime 86400000 Specifies the time frame (in milliseconds) used by the IncidentDetection.MaxIncidentsPerPolicy setting. The default setting 86400000 equals one day.
IncidentDetection.MaxContentLength 2000000 Applies only to regular expression rules.
On a per-component basis, only the first
MaxContentLength number of characters
are scanned for violations. The default
(2,000,000) is equivalent to > 1000 pages
of typical text. The limiter exists to prevent
regular expression rules from taking too
long.

IncidentDetection.MaxIncidentsPerPolicy 10000 Defines the maximum number of incidents that are detected by a specific policy on a particular monitor within the time frame that is specified in IncidentDetection.IncidentLimitResetTime. The default is 10,000 incidents per policy per time limit.
IncidentDetection.MessageWaitSevere 240 The number of minutes to wait before
sending a severe system event about
message wait times.
IncidentDetection.MessageWaitWarning 60 The number of minutes to wait before
sending a warning system event about
message wait times.
IncidentDetection.MinNormalizedSize 30 This setting applies to IDM detection.
It MUST be kept in sync with
the corresponding setting in the
Indexer.properties file on the Enforce
Server (which applies to indexing).
Derivative detections only apply to
messages when their normalized content is
greater than this setting. If the normalized
content size is less than this setting, IDM
detection does a straight binary match.
IncidentDetection.patternConditionMaxViolations 100 The maximum number of matches a detection server reports. The detection server does not report more matches than the value of the IncidentDetection.patternConditionMaxViolations parameter, even if more exist.
IncidentDetection.StopCachingWhenMemoryLowerThan 400M Instructs Detection to stop caching tokenized and cryptographic content between rule executions if the available JVM memory drops below this value (in megabytes). Setting this attribute to 0 enables caching regardless of the available memory and is not recommended because OutOfMemoryErrors may occur.
Setting this attribute to a value close to, or larger than, the value of the -Xmx option in BoxMonitor.FileReaderMemory effectively disables the caching.
Setting this value too low can have severe performance consequences.
IncidentDetection.TrialMode false Prevention trial mode setting to generate prevention incidents without having a prevention setup.
If true, SMTP incidents from the Copy Rule and Packet Capture channels, and HTTP incidents from the Packet Capture channel, appear as if they were prevented.

IncidentWriter.BacklogInfo 1000 The number of incidents that collect in the log before an information level message about the number of messages is generated.
IncidentWriter.BacklogSevere 10000 The number of incidents that collect in the
log before a severe level message about
the number of messages is generated.
IncidentWriter.BacklogWarning 3000 The number of incidents that collect in the
log before a warning level message about
the number of messages is generated.
IncidentWriter.ResolveIncidentDNSNames false If true, only recipient host names are resolved from IP.
IncidentWriter.ShouldEncryptContent true If true, the monitor encrypts the body of
every message, message component, and
cracked component before writing to disk or
sending to Enforce.
Keyword.TokenVerifierEnabled false Default is disabled (false).
If enabled (true), the server validates tokens
for Asian language keywords (Chinese,
Japanese, and Korean).
L7.cleanHttpBody true If true, the HTML entity references are
replaced with spaces.
L7.DefaultBATV Standard This setting determines the tagging scheme
that Network Prevent for Email uses to
interpret Bounce Address Tag Validation
(BATV) tags in the MAIL FROM header of
a message. If this setting is “Standard” (the
default), Network Prevent uses the tagging
scheme that is described in the BATV
specification:
http://tools.ietf.org/html/draft-levine-mass-batv-02
Change this setting to “Ironport” to enable
compatibility with the IronPort proxy
implementation of BATV tagging.
L7.DefaultUrlEncodedCharset UTF-8 Defines the default character set to be
used in decoding query parameters or
URL-encoded body when the character set
information is missing from the header.
L7.discardDuplicateMessages true If true, the Monitor ignores duplicate
messages based on the messageID.
If Network Prevent for Email is not
blocking messages correctly in a Gmail or
Microsoft 365 environment, even though
incidents are properly generated, set
L7.discardDuplicateMessages to false.
Also enable incident reconciliation.
Note: Enabling incident reconciliation

L7.ExtractBATV true If true (the default), Network Prevent for Email interprets Bounce Address Tag Validation (BATV) tags that are present in the MAIL FROM header of a message.
This allows Network Prevent to include a
meaningful sender address in incidents
that are generated from messages having
BATV tags. If this setting is false, Network
Prevent for Email does not interpret BATV
tags, and a message that contains BATV
tags may generate an incident that has an
unreadable sender address.
L7.httpClientIdHeader X-Forwarded-For The sender identifier header name.
L7.MAX_NUM_HTTP_HEADERS 30 Any HTTP message that contains more
than the specified number of header lines is
discarded.
L7.maxWordLength 30 The maximum word length (in characters)
allowed in UTCP string extraction.
L7.messageIDCacheCleanupInterval 600000 The length of time that the
messageID is cached. If the
L7.discardDuplicateMessages setting is
set to true, the system does not cache
duplicate messages during this time period.
L7.minSizeOfGetUrl 100 The minimum size of the GET URL to
process. HTTP GET actions are not
inspected by Symantec Data Loss
Prevention for policy violations if the
number of bytes in the URL is less than
the value of this setting. For example,
with the default value of 100, no detection
check is performed when a browser
displays the Symantec web site at:
http://www.symantec.com/index.jsp. The reason
is that the URL contains only 33 characters,
which is less than the 100 minimum.
Note: Other request types such as
POST or PUT are not affected by
L7.minSizeofGetURL. For Symantec Data
Loss Prevention to inspect any GET actions
at all, the L7.processGets setting must be
set to true.
L7.processGets true If true, the GET requests are processed.
If false, the GET requests are not
processed. This setting interacts with the
L7.minSizeofGetURL setting.
Lexer.IncludePunctuationInWords true If true, punctuation characters internal to a
token are considered during detection.
Lexer.MaximumNumberOfTokens 30000 Maximum number of tokens extracted
from each message component for
detection. Applicable to all detection
technologies where tokenization is required
(EDM, profiled DGM, and the system
patterns supported by those technologies).
Increasing the default value may cause the
detection server to run out of memory and
restart.
Lexer.Validate true If true, performs system pattern-specific
validation.
Max_EMDI_Lookup.int 10000 Maximum number of EMDI lookups.
Increasing this number increases the
likelihood of false positives.
MessageChain.ArchiveTimedOutStreams false Specifies whether messages should be
archived to the temp folder.
MessageChain.CacheSize 4 (Network Discover Server) or 6 (Network Discover Cluster) Limits the number of messages that can be
queued in the message chains.
MessageChain.ContentDumpEnabled false If set to true, each message entering
the detection message chain is logged
to ${SymantecDLP.temp.dir}/dump.
This setting is intended for use in
troubleshooting and debugging.
MessageChain.MaximumComponentTime Varies The time interval (in milliseconds) allowed
before any chain component is restarted.
The setting varies based on the type of
detection server:
• Network Monitor: 360000
• Network Discover: 600000
• Network Prevent for Email: 40000
• Network Prevent for Web: 40000
• Endpoint Prevent: 360000
• Combination of Network Monitor,
Endpoint Prevent, and Network
Discover: 600000
MessageChain.MaximumFailureTime 360000 Number of milliseconds that must elapse
before restarting the file reader. This is
tracked after a message chain error is
detected and that message chain has not
been recovered.
MessageChain.MaximumMessageTime Varies The maximum time interval (in milliseconds)
that a message can remain in a message
chain.
The setting varies based on the type of
detection server:
• Network Monitor: 600000
• Network Discover: 1800000
• Network Prevent for Email: 60000
• Network Prevent for Web: 60000
• Endpoint Prevent: 600000
• Combination of Network Monitor,
Endpoint Prevent, and Network
Discover: 1800000
MessageChain.MemoryThrottlerReservedBytes 200,000,000 Number of bytes required to be available
before a message is sent through the
message chain. This setting can avoid out
of memory issues. The default value is 200
MB. The throttler can be disabled by setting
this value to 0.
MessageChain.MinimumFailureTime 30000 Number of milliseconds that must elapse
before failure of a message chain is
tracked. Failure eventually leads to
restarting the message chain or file reader.
MessageChain.NumChains Varies This number varies depending on detection
server type. It is either 4 or 8.
The number of messages, in parallel,
that the file reader processes. Setting this
number higher than 8 (with the other default
settings) is not recommended. A higher
setting does not substantially increase
performance and there is a much greater
risk of running out of memory. Setting this
to less than 8 (sometimes 1) helps when
processing large files, but it may slow down
the system considerably.
MessageChain.StopProcessingWhenMemoryLowerThan 200M Instructs detection to stop drilling down into
and processing sub-files if JVM available
memory drops below this value. Setting
this attribute to 0 forces sub-file processing,
regardless of how little memory is available.
Setting this attribute to a value close to or
larger than the value of the -Xmx option
in BoxMonitor.FileReaderMemory
effectively disables sub-file processing.
OCR.ENABLE_AUTO_LANGUAGE_DETECTION true When true, this setting enables the
OCR engine to extract the text more
quickly by automatically identifying the
primary language in an image, rather than
processing every language in the OCR
configuration. This causes only the detected
language to be used to increase the
accuracy for that language.
When false, the OCR engine extracts the
text without using a specific language,
making text extraction slower but improving
mixed-Latin language accuracy. Single-
language accuracy is decreased because
content is not matched to a single Latin
spell check dictionary, but must use generic
Latin character mappings without dictionary
corrections.
OCR.ENABLE_SPELL_CHECK true When true, this setting enables the OCR
engine to extract text more accurately by
using internal spelling dictionaries. When
false, the accuracy of extracted text may be
reduced.
OCR.RECORD_REQUEST_STATISTICS false When true, this setting enables the OCR
sizing tool. The OCR sizing tool gives
you insight into your image traffic data,
which helps you determine the sizing
requirements for your OCR implementation.
PacketCapture.DISCARD_HTTP_GET true If true, discards HTTP GET streams.
PacketCapture.DOES_DISCARD_TRIGGER_STREAM_DUMP false If true, a list of tcpstreams is dumped to an
output file in the log directory the first time a
discard message is received.
PacketCapture.Filter tcp || ip proto 47 || (vlan && (tcp || ip proto 47)) When set to the default value all non-TCP
packets are filtered out and not sent to
Network Monitor. The default value can
be overridden using the tcpdump filter
format that is documented in the tcpdump
program. This setting allows specialists
to create more exact filters (source and
destination IPs for given ports).
PacketCapture.INPUT_SOURCE_FILE /dummy.dmp The full path and name of the input file.
PacketCapture.IS_ARCHIVING_PACKETS false DO NOT USE THIS FIELD. Diagnostic
setting that creates dumps of packets that
are captured in packet capture for later
reuse. This feature is unsupported and
does not have normal error checking. May
cause repeated restarts on pcap.
PacketCapture.IS_FTP_RETR_ENABLED false If true, FTP GETs and FTP PUTs are
processed. If false, only FTP PUTs are
processed.
PacketCapture.IS_INPUT_SOURCE_FILE false If true, continually reads in packets from a
tcpdump formatted file that is indicated in
INPUT_SOURCE_FILE.
PacketCapture.KERNEL_BUFFER_SIZE_I686 64M For 32-bit Linux platforms, this setting
specifies the amount of memory that is
allocated to buffer network packets. Specify
K for kilobytes or M for megabytes. Do not
specify a value larger than 128M.
PacketCapture.KERNEL_BUFFER_SIZE_Win32 16M For 32-bit Windows platforms, this setting
specifies the amount of memory that is
allocated to buffer network packets. Specify
K for kilobytes or M for megabytes.
PacketCapture.KERNEL_BUFFER_SIZE_X64 64M For 64-bit Windows platforms, this setting
specifies the amount of memory that is
allocated to buffer network packets. Specify
K for kilobytes or M for megabytes.
PacketCapture.KERNEL_BUFFER_SIZE_X86_64 64M For 64-bit Linux platforms, this setting
specifies the amount of memory that is
allocated to buffer network packets. Specify
K for kilobytes or M for megabytes. Do not
specify a value larger than 64M.
PacketCapture.MAX_FILES_PER_DIRECTORY 30000 After the specified number of file streams
are processed a new directory is created.
PacketCapture.MBYTES_LEFT_TO_DISABLE_CAPTURE 1000 If the amount of disk space (in MB) left
on the drop_pcap drive falls below this
specification, packet capture is suspended.
For example, if this number is 100, pcap
stops writing out drop_pcap files when there
is less than 100 MB on the installed drive.
PacketCapture.MBYTES_REQUIRED_TO_RESTART_CAPTURE 1500 The amount of disk space (in MB) needed
on the drop_pcap drive before packet
capture resumes again after stopping due
to lack of space. For example, if this value
is 150 and packet capture is suspended,
packet capture resumes when more than
150 MB is available on the drop_pcap drive.
PacketCapture.NAPATECH_TOOLS_PATH N/A This setting specifies the location of the
Napatech Tools directory. This directory
is not set by default. If packet-capture
is enabled for Napatech, enter the fully
qualified path to the Napatech Tools
installation directory.
PacketCapture.NO_TRAFFIC_ALERT_PERIOD 86,400 The refresh time (in seconds), between no
traffic alert messages. No traffic system
events are created for a given protocol
based on this time period. For instance,
if this is set to 24*60*60 seconds, a new
message is sent every day that there is
no new traffic for a given protocol. Do not
confuse this setting with the per protocol
traffic timeout, which indicates how long we
initially go without traffic before sending the
first alert.
PacketCapture.NUMBER_BUFFER_POOL_PACKETS 600000 The number of standard-sized preallocated
packet buffers used to buffer and sort the
incoming traffic.
PacketCapture.NUMBER_JUMBO_POOL_PACKETS 1 The number of large-sized preallocated
packet buffers that are used to buffer and
sort the incoming traffic.
PacketCapture.NUMBER_SMALL_POOL_PACKETS 200000 The number of small-sized preallocated
packet buffers that are used to buffer and
sort the incoming traffic.
PacketCapture.RING_CAPTURE_LENGTH 1518 Controls the amount of packet data that
is captured. The default value of 1518
is sufficient to capture typical Ethernet
networks and Ethernet over 802.1Q tagged
VLANs.
PacketCapture.RING_DEVICE_MEM 67108864 This setting is deprecated. Instead,
use the PacketCapture.KERNEL_BUFFER_SIZE_I686 setting
(for 32-bit Linux platforms) or
the PacketCapture.KERNEL_BUFFER_SIZE_X86_64 setting (for 64-bit
Linux platforms).
Specifies the amount of memory (in bytes)
to be allocated to buffer packets per device.
(The default of 67108864 is equivalent to 64
MB.)
PacketCapture.SIZE_BUFFER_POOL_PACKETS 1540 The size of standard-sized buffer pool
packets.
PacketCapture.SIZE_JUMBO_POOL_PACKETS 10000 The size of jumbo-sized buffer pool
packets.
PacketCapture.SIZE_SMALL_POOL_PACKETS 150 The size of small-sized buffer pool packets.
PacketCapture.SPOOL_DIRECTORY N/A The directory in which to spool streams
with large numbers of packets. This setting
is user-defined.
PacketCapture.STREAM_WRITE_TIMEOUT 5000 The time (in milliseconds) between
each count (The write timeout of the
StreamManager).
RequestProcessor.AddDefaultHeader true If true, adds a default header to every
email processed (when in Inline
SMTP mode). The default header is
RequestProcessor.DefaultHeader.
This header is added to all messages that
pass through the system. That is, if it is
redirected, if another header is added, or if
the message has no policy violations then
the header is added.
RequestProcessor.AddHeaderOnMessageTimeout false If there is a message timeout, the default
value sets the system to continue sending
messages.
Set to true, then the X-Header "X-Symantec-DLP: Message timed out
(potential Enforce System event 1213)"
is inserted in the email message. The
downstream edge MTA uses this header
information to handle the message, and the
log message displays "Passed message
through due to timeout, with added timeout
header."
RequestProcessor.AllowExtensions 8BITMIME VRFY DSN HELP PIPELINING SIZE ENHANCEDSTATUSCODES STARTTLS This setting lists the SMTP protocol
extensions that Network Prevent for Email
can use when it communicates with other
MTAs.
RequestProcessor.AllowHosts any The default value of any permits all systems
to make connections to the Network
Prevent for Email Server on the SMTP
service port. Replacing any with the IP
address or Fully Qualified Domain Name
(FQDN) of one or more systems restricts
SMTP connections to just those designated
systems. To designate multiple systems,
separate their addresses with commas.
Use only a comma to separate addresses;
do not include any spaces between the
addresses.
RequestProcessor.AllowUnauthenticatedConnections false The default value ensures that MTAs must
authenticate with Network Prevent for Email
for TLS communication.
RequestProcessor.Backlog 12 The backlog that the request processor
specifies for the server socket listener.
RequestProcessor.BindAddress 0.0.0.0 IP address to which a Network Prevent
for Email Server listener binds. When
BindAddress is configured, the server only
answers a connection to that IP address.
The default value of 0.0.0.0 is a wild
card that permits listening to all available
addresses including 127.0.0.1.
RequestProcessor.BlockStatusCodeOverride 5.7.1 Enables overriding of the ESMTP status
code sent back to the upstream MTA when
executing a block response rule.
Accepted values are 5.7.0 and 5.7.1. If any
other values are entered, this setting falls
back to the default of 5.7.1.
Use of the 5.7.0 value (other or undefined
security status) is preferred when the
detection server is working with Office365
email, because the 5.7.1 value provides
an incorrect context for the Office365 use
case.
RequestProcessor.CacheCleanupInterval 120000 Specifies the interval after which the cached
responses are cleaned from the cache.
Units are in milliseconds.
RequestProcessor.CachedMessageTimeout 120000 Specifies the amount of time after
generation when a given cached response
can be cleared from the cache. Units are in
milliseconds.
RequestProcessor.CacheEnabled false Enables caching of responses for duplicate
SMTP messages. The cache was added
as part of the cloud solution to support
envelope splitting.
RequestProcessor.DefaultCommandTimeout 300 Specifies the number of seconds the
Network Prevent for Email Server waits
for a response to an SMTP command
before closing connections to the upstream
and downstream MTAs. The default is
300 seconds. This setting does not apply
to the "." command (the end of a DATA
command). Do not modify the default before
first consulting Symantec support.
RequestProcessor.DefaultPassHeader X-CFilter-Loop: Reflected This is the default header that is added if
RequestProcessor.AddDefaultPassHeader
is set to true, when in Inline SMTP
mode. Must be in a valid header format,
recommended to be an X header.
RequestProcessor.DotCommandTimeout 600 Specifies the number of seconds the
Network Prevent for Email Server waits
for a response to the "." command
(the end of a DATA command) before
closing connections to the upstream and
downstream MTAs. The default is 600
seconds. Do not modify the default without
first consulting Symantec support.
RequestProcessor.ForwardConnectionTimeout 20000 The timeout value to use when forwarding
to an MTA.
RequestProcessor.KeyManagementAlgorithm SunX509 The key management algorithm used in
TLS communication.
RequestProcessor.MaxLineSize 1048576 The maximum size (in bytes) of data lines
expected from an external MTA. Data lines
larger than this size are broken down into
lines of this size.
RequestProcessor.Mode ESMTP Specifies the protocol mode to use (SMTP
or ESMTP).
RequestProcessor.MTAResubmitPort 10026 This is the port number that is used by the
request processor on the MTA to resend the
SMTP message.
RequestProcessor.NumberOfDNSAttempts 4 The maximum number of DNS queries that
Network Prevent for Email performs when
it attempts to obtain mail exchange (MX)
records for a domain. Network Prevent for
Email uses this setting only if you have
enabled MX record lookups.
RequestProcessor.RPLTimeout 360000 The maximum time in milliseconds allowed
for email message processing by a Prevent
server. Any email messages that are not
processed during this time interval are
passed on by the server.
RequestProcessor.ServerSocketPort 10025 The port number to be used by the SMTP
monitor to listen for incoming connections
from MTA.
RequestProcessor.TagHighestSeverity false When set to true, an extra email header
that reports the highest severity of all the
violated policies is added to the message.
For example, if the email violated a policy of
severity HIGH and a policy of severity LOW,
it shows: X-DLP-MAX-Severity:HIGH.
RequestProcessor.TagPolicyCount false When set to true an extra email header
reporting the total number of policies that
the message violates is added to the
message. For example, if the message
violates 3 policies a header reading:
X-DLP-Policy-Count: 3 is added.
RequestProcessor.TagScore false When set to true an extra email header
reporting the total cumulative score of
all the policies that the message violates
is added to the message. Scores are
calculated using the formula: High=4,
Medium=3, Low=2, and Info=1. For
example, if a message violates three
policies, one with a severity of medium and
two with a severity of low a header reading:
X-DLP-Score: 7 is added.
RequestProcessor.TrustManagementAlgorithm PKIX The trust management algorithm
that Network Prevent for Email uses
when it validates certificates for TLS
communication. You can optionally specify
a built-in Java trust manager algorithm
(such as SunX509 or SunPKIX) or a custom
algorithm that you have developed.
RequestProcessorListener.ServerSocketPort 12355 The local TCP port that FileReader
uses to listen for connections from
RequestProcessor on a Network Prevent
server.
ServerCommunicator.CONNECT_DELAY_POST_WAKEUP_OR_POST_VPN_SECONDS 60 The delay time (in seconds) after which a
detection server returning online attempts to
connect to the Enforce Server. The default
value is 60 seconds. The range for this
setting is 30 through 600 seconds.
SocketCommunication.BufferSize 8K The size of the buffer that Network Prevent
for Web uses to process ICAP requests.
Increase the default value only if you must
process ICAP requests that are greater
than 8K. Certain features, such as Active
Directory authentication, may require an
increase in buffer size.
UDS.DataNode.Detector.Debug Xrunjdwp:transport=dt_socket,address=5010,server=y,suspend=n
Specifies the setting to enable the debugger
settings of the Detector Server Service on
the data node.
UDS.DataNode.Detector.InitMemory 1024 Specifies the initial memory size of the
Detector Server Service on the data node.
UDS.DataNode.Detector.MaxMemory 10240 Specifies the maximum memory size of the
Detector Server Service on the data node.
UDS.DataNode.EnforceConnector.Debug Xrunjdwp:transport=dt_socket,address=5010,server=y,suspend=n
Specifies the setting to enable the debugger
settings of the Enforce Connector Service
on the data node.
UDS.DataNode.EnforceConnector.InitMemory 1200 Specifies the initial memory size of the
Enforce Connector Service on the data
node.
UDS.DataNode.EnforceConnector.MaxMemory 6144 Specifies the maximum memory size of
Enforce Connector Service on the data
node.
UDS.Detector.LargeFile.InitMemory 0 Specifies the additional initial memory
size that is required by the worker node
for scanning large files. If the file size is
greater than 30 MB, then this setting helps
to provide extra required initial memory.
UDS.Detector.LargeFile.MaxMemory 0 Specifies the additional maximum memory
size that is required by the worker node for
scanning large files.
UDS.WorkerNode.Detector.Debug Xrunjdwp:transport=dt_socket,address=5010,server=y,suspend=n
Specifies the setting to enable the debugger
settings of the Detector Server Service on
the worker node.
UDS.WorkerNode.Detector.InitMemory 1200 Specifies the initial memory size of the
Detector Server Service on the worker
node.
UDS.WorkerNode.Detector.MaxMemory 8192 Specifies the maximum memory size of
the Detector Server Service on the worker
node.
UnicodeNormalizer.AsianCharRanges default Can be used to override the default
definition of characters that are
considered Asian by the detection engine.
Must be either default, or a comma-
separated list of ranges, for example:
11A80-11F9,3200-321E
UnicodeNormalizer.Enabled on Can be used to disable Unicode
normalization.
Enter off to disable.
UnicodeNormalizer.NewlineEliminationEnabled on Can be used to disable newline elimination
for Asian languages.
Enter off to disable.

About Symantec Data Loss Prevention administration

About the Overview screen


Server/Detector Detail screen

Server configuration—basic
Server controls

Advanced detector settings


Click Detector Settings on the detector's System > Servers and Detectors > Overview > Server/Detector Detail
screen to modify the settings on that server.
Use caution when modifying these settings on a detector. Contact Symantec Support before changing any of the settings
on this screen. Changes to these settings normally do not take effect until after the detector has been restarted.
You cannot change settings for the Enforce Server from the Server/Detector Detail screen. The Server/Detector Detail -
Advanced Settings screen only displays for detection servers and detectors.

Table 342: Detector advanced settings

Setting Default Description

ContentExtraction.EnableMetaData off Allows detection on file metadata. If the setting is
turned on, you can detect metadata for Microsoft
Office and PDF files. For Microsoft Office files, OLE
metadata is supported, which includes the fields
Title, Subject, Author, and Keywords. For PDF files,
only Document Information Dictionary metadata is
supported, which includes fields such as Author,
Title, Subject, Creation, and Update dates. Extensible
Metadata Platform (XMP) content is not detected. Note
that enabling this metadata detection option can cause
false positives.
ContentExtraction.MarkupAsText off Bypasses Content Extraction for files that are
determined to be XML or HTML. This should be used
in cases such as web pages containing data in the
header block or script blocks. Default is off.
ContentExtraction.TrackedChanges off Allows detection of content that has changed over
time (Track Changes content) in Microsoft Office
documents.
Note: Using the foregoing option might reduce the
accuracy rate for IDM and data identifiers. The default
is set to off (disallow).
To index content that has changed over time, set
ContentExtraction.TrackedChanges=on in file
\Protect\config\Indexer.properties.
The default and recommended setting is
ContentExtraction.TrackedChanges=off.
DDM.MaxBinMatchSize 30,000,000 The maximum size (in bytes) used to generate
the MD5 hash for an exact binary match in an
IDM. This setting should not be changed. The
following conditions must be matched for IDM to
work correctly:
• This setting must be exactly identical to the
max_bin_match_size setting on the Enforce Server
in file indexer.properties.
• This setting must be smaller or equal to the
FileReader.FileMaxSize value.
• This setting must be smaller or equal to the
ContentExtraction.MaxContentSize value on the
Enforce Server in file indexer.properties.
Note: Changing the first or third item in the list requires
re-indexing all IDM files.
Detection.EncodingGuessingDefaultEncoding ISO-8859-1 Specifies the backup encoding assumed for a byte
stream.
Detection.EncodingGuessingEnabled on Designates whether the encoding of unknown byte
streams should be guessed.
Detection.EncodingGuessingMinimumConfidence 50 Specifies the confidence level required for guessing
the encoding of unknown byte streams.
DI.MaxViolations 100 Specifies the maximum number of violations allowed
with data identifiers.
EDM.MatchCountVariant 3 Specifies how matches are counted.
• 1 - Counts the total number of token sets matched.
• 2 - Counts the number of unique token sets
matched.
• 3 - Counts the number of unique super sets of
token sets. (default)
EDM.MaximumNumberOfMatchesToReturn 100 Defines a top limit on the number of matches returned
from each RAM index search.
EDM.SimpleTextProximityRadius 35 Number of tokens that are evaluated together when the
proximity check is enabled.
EDM.TokenVerifierEnabled false If enabled (true), the server validates tokens for
Chinese, Japanese, and Korean (CJK) keywords.
Default is disabled (false).
IncidentDetection.MaxContentLength 2000000 Applies only to regular expression rules. On a per-
component basis, only the first MaxContentLength
number of characters are scanned for violations. The
default (2,000,000) is equivalent to > 1000 pages
of typical text. The limiter exists to prevent regular
expression rules from taking too long.
IncidentDetection.MinNormalizedSize 30 This setting applies to IDM detection. It must be
kept in sync with the corresponding setting in the
Indexer.properties file on the Enforce Server
(which applies to indexing). Derivative detections only
apply to messages when their normalized content is
greater than this setting. If the normalized content size
is less than this setting, IDM detection does a straight
binary match.
IncidentDetection.patternConditionMaxViolations 100 The maximum number of matches a
detector reports. The detector does not
report more matches than the value of the
'IncidentDetection.patternConditionMaxViolations'
parameter, even if more matches exist.
Keyword.TokenVerifierEnabled false Default is disabled (false).
If enabled (true), the server validates tokens for Asian
language keywords (Chinese, Japanese, and Korean).
Lexer.IncludePunctuationInWords true If true, punctuation characters internal to a token are
considered during detection.
Lexer.MaximumNumberOfTokens 30000 Maximum number of tokens extracted from each
message component for detection. Applicable to
all detection technologies where tokenization is
required (EDM, profiled DGM, and the system patterns
supported by those technologies). Increasing the
default value may cause the detector to run out of
memory and restart.
Lexer.Validate true If true, performs system pattern-specific validation.
UnicodeNormalizer.AsianCharRanges default Can be used to override the default definition of
characters that are considered Asian by the detection
engine. Must be either default, or a comma-separated
list of ranges, for example: 11A80-11F9,3200-321E
UnicodeNormalizer.Enabled on Can be used to disable Unicode normalization.
Enter off to disable.
UnicodeNormalizer.NewlineEliminationEnabled on Can be used to disable newline elimination for Asian
languages.
Enter off to disable.

About using load balancers in an endpoint deployment


You can use a load balancer to manage multiple Endpoint Servers, or a server pool. Adding Endpoint Servers to a load-
balanced server pool enables Symantec Data Loss Prevention to use less bandwidth while managing more agents. When
setting up a server pool to manage Endpoint Servers and agents, default Symantec Data Loss Prevention settings allow
for communication between servers and agents. However, there are a number of load balancer settings that may affect
how Endpoint Servers and agents communicate. You may have to make changes to advanced agent and server settings if
the load balancer you use does not use default settings.
In general, load balancers should have the following settings applied to work best with Symantec Data Loss Prevention:
• 1-Gbps throughput
• Source IP persistence. Set the persistence time to be greater than the agent polling period.
• 24-hour SSL session timeout period
The Endpoint Servers communicate most efficiently with agents when the load balancer is set up to use source IP
persistence. (This protocol name may differ across load balancer brands.) Using source IP persistence in a Symantec
Data Loss Prevention implementation ensures that if an agent is restarted on the same network, it reconnects to the same
Endpoint Server regardless of the SSL session state. Source IP persistence also uses less bandwidth during the SSL
handshake between agents and Endpoint Servers. This protocol also helps maintain the event/attribute cache coherence.
For agents that connect to the Endpoint Server over a NAT or a proxy, SSL session server affinity is the optimal load
balancer setting. However, if this setting is used, and the agent is restarted or if the SSL cached session identity is
flushed, a new SSL session is negotiated. Negotiating a new SSL session may cause the agent to connect to a different
monitor more frequently which may interfere with agent status updates on the Enforce Server.
Review the agent connection settings if the load balancer idle connection setting is not set to its default. The load balancer
idle connection setting can also be called connection timeout interval, clean idle connection, and so on, depending on the
load balancer brand.
You can assess your Symantec Data Loss Prevention and load balancer settings by considering the following two
scenarios:
• Default DLP settings. Default Symantec Data Loss Prevention settings scenario
• Non-default DLP settings. Non-default Symantec Data Loss Prevention settings scenario
NOTE
Contact Symantec Support before changing default advanced agent and advanced server settings.

Table 343: Default Symantec Data Loss Prevention settings scenario

Description
Symantec Data Loss Prevention uses non-persistent connections by default. Using non-persistent connections means
that Endpoint Servers close connections to agents after agents are idle for 30 seconds.

Resolution
Consider how the agent idle timeout coincides with the load balancer close idle connection setting. If the load balancer
is configured to close idle connections after less than 30 seconds, agents are prematurely disconnected from Endpoint
Servers.
To resolve the issue, complete one of the following:
• Change the agent idle timeout setting (EndpointCommunications.IDLE_TIMEOUT_IN_SECONDS.int) to less than the
close idle connection setting on the load balancer.
• Increase the agent heartbeat setting (EndpointCommunications.HEARTBEAT_INTERVAL_IN_SECONDS.int) to be less
than the load balancer close idle connections setting. The user must also increase the no traffic timeout setting
(CommLayer.NO_TRAFFIC_TIMEOUT_IN_SECONDS.int) to a value greater than the agent heartbeat setting.

Table 344: Non-default Symantec Data Loss Prevention settings scenario

Description
Consider how changes to default Symantec Data Loss Prevention settings affect how the load balancer handles idle and
persistent agent connections. For example, if you change the idle timeout setting to 0 to create a persistent connection
and you leave the default agent heartbeat setting (270 seconds), you must consider the idle connection setting on the
load balancer. If the idle connection setting on the load balancer is less than 270 seconds, then agents are prematurely
disconnected from Endpoint Servers.

Resolution
To resolve the issue, complete one of the following:
• Change the agent heartbeat (EndpointCommunications.HEARTBEAT_INTERVAL_IN_SECONDS.int) and no traffic
timeout settings (CommLayer.NO_TRAFFIC_TIMEOUT_IN_SECONDS.int) to less than the load balancer idle connection
setting.
• Verify that the no traffic timeout setting is greater than the heartbeat setting.

Advanced server settings

Endpoint Prevent Server Support For Deploying An NGINX Server As A Reverse
Proxy
Endpoint Prevent Servers support configuring an NGINX server as a reverse proxy to manage network traffic and perform
load balancing.
Endpoint Prevent Servers support only reverse proxies that are running in transparent mode. As a result, SSL and TLS
connections cannot be terminated on the reverse proxy.
Broadcom recommends that you implement measures to protect the NGINX reverse proxy server from DDoS attacks. For
more information, refer to the official NGINX documentation at https://www.nginx.com/blog/mitigating-ddos-attacks-with-
nginx-and-nginx-plus/ .

Sample configuration for deploying an NGINX server as a reverse proxy


NOTE
For illustration purposes, the following instructions assume that the NGINX server is running on a Red Hat
Enterprise Linux host.
1. Stop the NGINX server by running the following command:
   sudo systemctl stop nginx
2. Edit the /etc/nginx/nginx.conf file and add the following settings:
   stream {
       server {
           listen <Port number that Endpoint Prevent Servers listen on>;
           proxy_pass <IP address of the Endpoint Prevent Servers>:<Port Number>;
           proxy_timeout 3s;
           proxy_connect_timeout 1s;
           proxy_buffer_size 16k;
       }
   }
3. Start the NGINX server by running the following command:
   sudo systemctl start nginx
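Before deploying the NGINX stream block above, check its proxy_timeout against the agent connection settings in Table 343 and Table 344. In the NGINX stream module, proxy_timeout is the interval after which NGINX closes a connection that has carried no traffic (its documented default is 10m), which makes it the load balancer "close idle connections" setting that both tables refer to. The following Python script is an added example, not Symantec or NGINX code: it reads proxy_timeout from a stream configuration and applies the rules of the two tables to a set of agent settings. Setting names and the 30-second idle and 270-second heartbeat defaults are taken from the tables; the listen port, proxy_pass address and the NO_TRAFFIC_TIMEOUT value in the sample are constructed, not documented defaults.

```python
"""Timeout consistency check for DLP agent connections behind a load balancer.

Added example, not Symantec or NGINX code. Setting names and the 30 s idle and
270 s heartbeat defaults come from Tables 343 and 344; the NO_TRAFFIC_TIMEOUT
value, port and address below are constructed samples, not documented defaults.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentCommSettings:
    # EndpointCommunications.IDLE_TIMEOUT_IN_SECONDS.int (0 = persistent connection)
    idle_timeout_s: int
    # EndpointCommunications.HEARTBEAT_INTERVAL_IN_SECONDS.int
    heartbeat_s: int
    # CommLayer.NO_TRAFFIC_TIMEOUT_IN_SECONDS.int
    no_traffic_timeout_s: int


# NGINX time suffixes; a bare number means seconds.
_NGINX_UNITS = {"ms": 0.001, "s": 1.0, "m": 60.0, "h": 3600.0, "d": 86400.0}


def parse_nginx_time(value):
    """Convert an NGINX time value such as '3s', '500ms' or '10m' to seconds."""
    m = re.fullmatch(r"\s*(\d+)(ms|s|m|h|d)?\s*", value)
    if not m:
        raise ValueError(f"not an NGINX time value: {value!r}")
    return int(m.group(1)) * _NGINX_UNITS[m.group(2) or "s"]


def proxy_timeout_from_conf(conf_text):
    """Return proxy_timeout (seconds) from a stream{} config; NGINX defaults it to 10m."""
    m = re.search(r"^\s*proxy_timeout\s+([^;\s]+)\s*;", conf_text, re.MULTILINE)
    return parse_nginx_time(m.group(1)) if m else 600.0


def check_timeouts(s, lb_idle_close_s):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    if s.idle_timeout_s > 0:
        # Default scenario (Table 343): the Endpoint Server closes idle agent
        # connections itself. The load balancer causes premature disconnects only
        # when it closes them sooner and no heartbeat arrives before it does.
        if lb_idle_close_s < s.idle_timeout_s and s.heartbeat_s >= lb_idle_close_s:
            findings.append(
                f"load balancer closes idle connections after {lb_idle_close_s:g} s, "
                f"before the {s.idle_timeout_s} s agent IDLE_TIMEOUT, and the "
                f"{s.heartbeat_s} s HEARTBEAT_INTERVAL does not keep them alive: "
                "set IDLE_TIMEOUT or HEARTBEAT_INTERVAL below the load balancer setting"
            )
    else:
        # Non-default scenario (Table 344): IDLE_TIMEOUT 0 makes the connection
        # persistent, so only heartbeats keep the load balancer from closing it,
        # and NO_TRAFFIC_TIMEOUT must also stay below the load balancer setting.
        if s.heartbeat_s >= lb_idle_close_s:
            findings.append(
                f"persistent connection but HEARTBEAT_INTERVAL ({s.heartbeat_s} s) is not "
                f"below the load balancer idle setting ({lb_idle_close_s:g} s)"
            )
        if s.no_traffic_timeout_s >= lb_idle_close_s:
            findings.append(
                f"persistent connection but NO_TRAFFIC_TIMEOUT ({s.no_traffic_timeout_s} s) "
                f"is not below the load balancer idle setting ({lb_idle_close_s:g} s)"
            )
    # Both tables require NO_TRAFFIC_TIMEOUT to be greater than HEARTBEAT_INTERVAL.
    if s.no_traffic_timeout_s <= s.heartbeat_s:
        findings.append(
            f"NO_TRAFFIC_TIMEOUT ({s.no_traffic_timeout_s} s) must be greater than "
            f"HEARTBEAT_INTERVAL ({s.heartbeat_s} s)"
        )
    return findings


# Constructed copy of the stream block from the sample configuration above;
# the port and address are placeholders, not documented values.
SAMPLE_STREAM_CONF = """
stream {
    server {
        listen 10443;
        proxy_pass 10.0.0.10:10443;
        proxy_timeout 3s;
        proxy_connect_timeout 1s;
        proxy_buffer_size 16k;
    }
}
"""

# Idle timeout and heartbeat are the page defaults; NO_TRAFFIC_TIMEOUT is a constructed sample.
DEFAULT_SETTINGS = AgentCommSettings(idle_timeout_s=30, heartbeat_s=270, no_traffic_timeout_s=300)

if __name__ == "__main__":
    lb = proxy_timeout_from_conf(SAMPLE_STREAM_CONF)
    for finding in check_timeouts(DEFAULT_SETTINGS, lb) or ["settings are consistent"]:
        print(finding)
```

Run as written against the sample's proxy_timeout of 3s and the default agent settings, the check reports that NGINX would close idle agent connections before the 30-second agent idle timeout expires, which is the premature-disconnect case Table 343 describes; raising proxy_timeout above the agent idle timeout, or applying one of the table's two resolutions, clears the finding.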

Managing Log Files


This section includes the following topics:
Log files
Log collection and configuration screen
Configuring Server Logging Behavior
Collecting Server Logs and Configuration Files
About log event codes

Log files
Symantec Data Loss Prevention provides a number of different log files that record information about the behavior of the
software. Log files fall into these categories:
• Operational log files record detailed information about the tasks the software performs and any errors that occur while
the software performs those tasks. You can use the contents of operational log files to verify that the software functions
as you expect it to. You can also use these files to troubleshoot any problems in the way the software integrates with
other components of your system.
For example, you can use operational log files to verify that a Network Prevent for Email Server communicates with a
specific MTA on your network.
Operational Log Files
• Debug log files record fine-grained technical details about the individual processes or software components that
comprise Symantec Data Loss Prevention. The contents of debug log files are not intended for use in diagnosing
system configuration errors or in verifying expected software functionality. You do not need to examine debug log files
to administer or maintain a Symantec Data Loss Prevention installation. However, Symantec Support may ask you to
provide debug log files for further analysis when you report a problem. Some debug log files are not created by default.
Symantec Support can explain how to configure the software to create the file if necessary.
Debug Log Files
• Installation log files record information about the Symantec Data Loss Prevention installation tasks that are performed
on a particular computer. You can use these log files to verify an installation or troubleshoot installation errors.
Installation log files reside in the following locations:
– installdir\SymantecDLP\.install4j\installation.log stores the installation log for Symantec Data
Loss Prevention.
– installdir\oracle_home\admin\protect\ stores the installation log for Oracle.

Operational Log Files


The Enforce Server and the detection servers store operational log files in the c:\ProgramData\Symantec
\DataLossPrevention\<EnforceServer or DetectionServer>\16.0.10000\logs\ directory on Windows installations and
in the /var/log/Symantec/DataLossPrevention/<EnforceServer or DetectionServer>/16.0.10000/
directory on Linux installations. The number at the end of the log file name is a rotation count (shown as 0 in the
operational log file names below).
Operational log files lists and describes the Symantec Data Loss Prevention operational log files.

Table 345: Operational log files

agentmanagement_webservices_access_0.log
Server: Enforce Server
Logs successful and failed attempts to access the Agent Management API web service.

agentmanagement_webservices_soap_0.log
Server: Enforce Server
Logs the entire SOAP request and response for most requests to the Agent Management API web service.

boxmonitor_operational_0.log
Server: All detection servers
The BoxMonitor process oversees the detection server processes that pertain to that particular server type. For example,
the processes that run on Network Monitor are file reader and packet capture. The BoxMonitor log file is typically very
small, and it shows how the application processes are running.

detection_operational_0.log
Server: All detection servers
The detection operational log file provides details about the detection server configuration and whether the server is
operating correctly.

detection_operational_trace_0.log
Server: All detection servers
The detection trace log file provides details about each message that the detection server processes. The log file
includes information such as:
• The policies that were applied to the message
• The policy rules that were matched in the message
• The number of incidents the message generated

machinelearning_training_operational_0.log
Server: Enforce Server
Records information about the tasks, logs, and configuration files called on startup of the VML training process.

manager_operational_0.log
Server: Enforce Server
Logs information about the Symantec Data Loss Prevention manager process, which implements the Enforce Server
administration console user interface.

monitorcontroller_operational_0.log
Server: Enforce Server
Records a detailed log of the connections between the Enforce Server and all detection servers. It provides details about
the information that is exchanged between these servers, including whether policies have been pushed to the detection
servers.

SmtpPrevent_operational0.log
Server: SMTP Prevent detection servers
This operational log file pertains to SMTP Prevent only. It is the primary log for tracking the health and activity of a
Network Prevent for Email system. Examine this file for information about the communication between the MTAs and the
detection server.

WebPrevent_Access0.log
Server: Network Prevent for Web detection servers
This access log file contains information about the requests that are processed by Network Prevent for Web detection
servers. It is similar to the web access logs of a proxy server.

WebPrevent_Operational0.log
Server: Network Prevent for Web detection servers
This operational log file reports on the operating condition of Network Prevent for Web, such as whether the system is up
or down, and on connection management.

Network Prevent for Web operational log files and event codes
Network Prevent for Web access log files and fields
Network Prevent for Email log levels
Network Prevent for Email operational log codes
Network Prevent for Email originated responses and codes

Debug Log Files
The Enforce Server and the detection servers store debug log files in the c:\ProgramData\Symantec
\DataLossPrevention\<Enforce Server or Detection Server>\16.0.10000\logs\ directory on
Windows installations and in the /var/log/Symantec/DataLossPrevention/<Enforce Server or Detection
Server>/16.0.10000/ directory on Linux installations. A number at the end of the log file name indicates the count
(shown as 0 in debug log files).
The following table lists and describes the Symantec Data Loss Prevention debug log files.

Table 346: Debug log files

Aggregator0.log
Server: Endpoint detection servers
This file describes communications between the detection server and the agents. Look at this log to troubleshoot the
following problems:
• Connection to the agents
• Incidents that do not appear when they should
• Unexpected agent events

BoxMonitor0.log
Server: All detection servers
This file is typically very small, and it shows how the application processes are running. The BoxMonitor process
oversees the detection server processes that pertain to that particular server type. For example, the processes that run
on Network Monitor are file reader and packet capture.

ContentExtractionAPI_FileReader.log
Server: Detection Server
Logs the behavior of the Content Extraction API file reader that sends requests to the plug-in host. The default logging
level is "info", which is configurable using log4cxx_config_filereader.xml in a location based on your platform:
• Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs
• Linux: /var/log/Symantec/DataLossPrevention/DetectionServer/16.0.10000/logs

ContentExtractionAPI_Manager.log
Server: Enforce Server
Logs the behavior of the Content Extraction API manager that sends requests to the plug-in host. The default logging
level is "info", which is configurable using log4cxx_config_manager.xml in a location based on your platform:
• Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs
• Linux: /var/log/Symantec/DataLossPrevention/DetectionServer/16.0.10000/logs

ContentExtractionHost_FileReader.log
Server: Detection Server
Logs the behavior of the Content Extraction File Reader hosts and plug-ins. The default logging level is "info", which is
configurable using log4cxx_config_filereader.xml in a location based on your platform:
• Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs
• Linux: /var/log/Symantec/DataLossPrevention/DetectionServer/16.0.10000/logs

ContentExtractionHost_Manager.log
Server: Enforce Server
Logs the behavior of the Content Extraction Manager hosts and plug-ins. The default logging level is "info", which is
configurable using log4cxx_config_manager.xml in a location based on your platform:
• Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs
• Linux: /var/log/Symantec/DataLossPrevention/DetectionServer/16.0.10000/logs

DiscoverNative.log.0
Server: Discover detection servers
This log file is located in \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs\debug. It contains
the log statements that the Network Discover native code emits, and currently contains the information that is related
to .pst scanning. This log file applies only to the Network Discover servers that run on Windows platforms.
You can configure this log in the
c:\Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\config\DiscoverNativeLogging.properties
file.

FileReader0.log
Server: All detection servers
This log file pertains to the file reader process and contains application-specific logging, which may be helpful in
resolving issues in detection and incident creation. One symptom that shows up is content extractor timeouts.

SymantecDLPDetector.log, SymantecDLPDetector0.log, SymantecDLPEnforceConnector.log, SymantecDLPEnforceConnector0.log
Server: All Network Discover clusters
These log files list file reader process and application-specific details.

flash_client_0.log
Server: Enforce Server
Logs messages from the Adobe Flex client that is used for folder risk reports by Network Discover.

flash_server_remoting_0.log
Server: Enforce Server
Contains log messages from BlazeDS, an open-source component that responds to remote procedure calls from an Adobe Flex
client. This log indicates whether the Enforce Server has received messages from the Flash client. At permissive log
levels (FINE, FINER, FINEST), the BlazeDS logs contain the content of the client requests to the server and the content
of the server responses to the client.

IncidentPersister0.log
Server: Enforce Server
This log file pertains to the Incident Persister process. This process reads incidents from the incidents folder on the
Enforce Server and writes them to the database. Look at this log if the incident queue on the Enforce Server (manager)
grows too large. You can also observe this situation by checking the incidents folder on the Enforce Server to see if
incidents have backed up.

Indexer0.log
Server: Enforce Server (or the computer where the external indexer is running)
This log file contains information when an EDM profile or IDM profile is indexed. It also includes the information that
is collected when the external indexer is used. If indexing fails, consult this log.

jdbc.log
Server: Enforce Server
This log file is a trace of JDBC calls to the database. By default, writing to this log is turned off.

machinelearning_native_filereader.log
Server: Detection Server
This log file records the runtime category classification (positive and negative) and associated confidence levels for
each message that is detected by a VML profile. The default logging level is "info", which is configurable using
log4cxx_config_filereader.xml in a location based on your platform:
• Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs
• Linux: /var/log/Symantec/DataLossPrevention/DetectionServer/16.0.10000/logs

machinelearning_training_0_0.log
Server: Enforce Server
This log file records the design-time base accuracy percentages for the k-fold evaluations for all VML profiles.

machinelearning_training_native_manager.log
Server: Enforce Server
This log file records the total number of features that are modeled at design time for each VML profile training run.
The default logging level is "info", which is configurable using log4cxx_config_manager.xml in a location based on your
platform:
• Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs
• Linux: /var/log/Symantec/DataLossPrevention/DetectionServer/16.0.10000/logs

MonitorController0.log
Server: Enforce Server
This log file is a detailed log of the connections between the Enforce Server and the detection servers. It gives details
about the information that is exchanged between these servers, including whether policies have been pushed to the
detection servers.

PacketCapture.log
Server: Network Monitor
This log file pertains to the packet capture process that reassembles packets into messages and writes to the drop_pcap
directory. Look at this log if there is a problem with dropped packets or traffic is lower than expected. PacketCapture
is not a Java process, so it does not follow the same logging rules as the other Symantec Data Loss Prevention system
processes.

PacketCapture0.log
Server: Network Monitor
This log file describes issues with PacketCapture communications.

RequestProcessor0.log
Server: SMTP Prevent detection servers
This log file pertains to SMTP Prevent only. The log file is primarily for use in cases where SmtpPrevent_operational0.log
is not sufficient.

ScanDetail-target-0.log
Server: Discover detection servers
Where target is the name of the scan target. All white spaces in the target's name are replaced with hyphens. This log
file pertains to Discover server scanning. It is a file-by-file record of what happened in the scan. If the scan of the
file is successful, it reads success, and then the path, size, time, owner, and ACL information of the file scanned. If
it failed, a warning appears followed by the file name.

tomcat\localhost.date.log
Server: Enforce Server
These Tomcat log files contain information for any action that involves the user interface. The logs include the user
interface errors from the red error message box, password failures when logging on, and Oracle errors (ORA-#).

SymantecDLPIncidentPersister.log
Server: Enforce Server
This log file contains minimal information: stdout and stderr only (fatal events).

SymantecDLPManager.log
Server: Enforce Server
This log file contains minimal information: stdout and stderr only (fatal events).

SymantecDLPMonitor.log
Server: All detection servers
This log file contains minimal information: stdout and stderr only (fatal events).

SymantecDLPMonitorController.log
Server: Enforce Server
This log file contains minimal information: stdout and stderr only (fatal events).

SymantecDLPNotifier.log
Server: Enforce Server
This log file pertains to the Notifier service and its communications with the Enforce Server and the MonitorController
service. Look at this file to see if the MonitorController service registered a policy change.

SymantecDLPUpdate.log
Server: Enforce Server
This log file is populated when you update Symantec Data Loss Prevention.

Network Prevent for Web protocol debug log files


Network Prevent for Email Log Levels

Log collection and configuration screen
Use the System > Servers and Detectors > Logs screen to collect log files or to configure logging behavior for any
Symantec Data Loss Prevention server. The Logs screen contains two tabs that provide the following features:
• Collection—Use this tab to collect log files and configuration files from one or more Symantec Data Loss Prevention
servers.
Collecting server logs and configuration files
• Configuration—Use this tab to configure basic logging behavior for a Symantec Data Loss Prevention server, or to
apply a custom log configuration file to a server.
Configuring server logging behavior
About log files

Configuring Server Logging Behavior


Use the Configuration tab of the System > Servers and Detectors > Logs screen to change logging configuration
parameters for any server in the Symantec Data Loss Prevention deployment. The Select a Diagnostic Log Setting
menu provides preconfigured settings for Enforce Server and detection server logging parameters. You can select an
available preconfigured setting to define common log levels or to enable logging for common server features. The Select
a Diagnostic Log Setting menu also provides a default setting that returns logging configuration parameters to the
default settings used at installation time.
Preconfigured log settings for the Enforce Server describes the preconfigured log settings available for the Enforce
Server.
Optionally, you can upload a custom log configuration file that you have created or modified using a text editor. (Use the
Collection tab to download a log configuration file that you want to customize.) You can upload only those configuration
files that modify logging properties (file names that end with Logging.properties). When you upload a new log
configuration file to a server, the server first backs up the existing configuration file of the same name. The new file is then
copied into the configuration file directory and its properties are applied immediately.
You do not need to restart the server process for the changes to take effect, unless you are directed to do so.
As of the current software release, only changes to the PacketCaptureNativeLogging.properties and
DiscoverNativeLogging.properties files require you to restart the server process.
Server controls
Make sure that the configuration file that you upload contains valid property definitions that are applicable to the type
of server you want to configure. If you make a mistake when uploading a log configuration file, use the preconfigured
Restore Defaults setting to revert the log configuration to its original installed state.
The Enforce Server administration console performs only minimal validation of the log configuration files that you upload.
It ensures that:
• Configuration file names correspond to actual logging configuration file names.
• Root level logging is enabled in the configuration file. This configuration ensures that some basic logging functionality
is always available for a server.
• Properties in the file that define logging levels contain only valid values (such as INFO, FINE, or WARNING).
If the server detects a problem with any of these items, it displays an error message and cancels the file upload.
If the Enforce Server successfully uploads a log configuration file change to a detection server, the administration console
reports that the configuration change was submitted. If the detection server then encounters any problems when it tries to
apply the configuration change, it logs a system event warning to indicate the problem.
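A practitioner who edits Logging.properties files by hand can run the same three checks offline before uploading, so a rejected upload never has to be diagnosed through the console. The following Python is an added example, not the Enforce Server's own validation code. It assumes the files are java.util.logging property files, reads "root level logging is enabled" as the root key .level being present and not set to OFF, and treats every key ending in .level as a logging-level property; the sample file contents and logger names are constructed.

```python
"""Offline check of a *Logging.properties file against the three validations
the Enforce Server administration console performs on upload.

Added example, not Symantec's validation code. Assumes java.util.logging
property files; reads "root level logging is enabled" as the root key .level
being present and not OFF; treats every key ending in .level as a level
setting. Sample contents and logger names are constructed.
"""
import re

# java.util.logging level names; Level.parse also accepts an integer value.
VALID_LEVELS = {"SEVERE", "WARNING", "INFO", "CONFIG", "FINE", "FINER", "FINEST", "ALL", "OFF"}
_INTEGER = re.compile(r"-?\d+")
_ENTRY = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Minimal java .properties reader: '#' / '!' comments, '=' or ':'
    separators, backslash line continuations. Unicode escapes are not decoded."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        # An odd number of trailing backslashes continues the entry on the next line.
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:
            pending = line[:-1]
            continue
        m = _ENTRY.match(line)
        if m:
            props[m.group(1)] = m.group(2).rstrip()
    return props


def is_valid_level(value):
    """True for a java.util.logging level name or an integer level value."""
    return value in VALID_LEVELS or _INTEGER.fullmatch(value) is not None


def validate_logging_config(filename, text):
    """Return the problems the console would report; an empty list means accepted."""
    problems = []
    # Check 1: the file name must correspond to a logging configuration file.
    if not filename.endswith("Logging.properties"):
        problems.append(f"{filename}: file name does not end with Logging.properties")
    props = parse_properties(text)
    # Check 2: root-level logging must stay enabled.
    root = props.get(".level")
    if root is None:
        problems.append("root logger level (.level) is missing")
    elif root == "OFF":
        problems.append("root logger level is OFF; root level logging must remain enabled")
    # Check 3: level properties may only hold valid values.
    for key, value in props.items():
        if key.endswith(".level") and not is_valid_level(value):
            problems.append(f"{key}: {value!r} is not a valid logging level")
    return problems


# Constructed samples; the logger names under com.example are hypothetical.
SAMPLE_OK = """\
# constructed sample
.level = INFO
handlers = java.util.logging.FileHandler
java.util.logging.FileHandler.level = FINE
com.example.dlp.detection.level = FINER
"""

SAMPLE_BAD = """\
.level = OFF
com.example.dlp.detection.level = VERBOSE
com.example.dlp.trace.level = \\
    FINEST
"""

if __name__ == "__main__":
    for name, text in (("ExampleLogging.properties", SAMPLE_OK),
                       ("ExampleLogging.properties", SAMPLE_BAD)):
        print(name, validate_logging_config(name, text) or "accepted")
```

The parser deliberately validates only what the console validates: handler classes, file patterns and other non-level properties pass through untouched, which is why a file that passes here can still misbehave on the server and why the system event log should still be checked after the upload.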

Table 347: Preconfigured log settings for the Enforce Server

Select a Diagnostic Log Setting value: Restore Defaults
Restores log file parameters to their default values.

Select a Diagnostic Log Setting value: Custom Attribute Lookup Logging
Logs diagnostic information each time the Enforce Server uses a lookup plug-in to populate custom attributes for an
incident. Lookup plug-ins populate custom attribute data using LDAP, CSV files, or other data repositories. The diagnostic
information is recorded in the IncidentPersister_0.log file and the Tomcat log file. The Tomcat log file is located at the
following locations:
• Windows: c:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\logs\tomcat\localhost.date.log
• Linux: /var/log/Symantec/DataLossPrevention/EnforceServer/16.0.10000/logs/tomcat/localhost.date.log

Table 348: Preconfigured log settings for detection servers

Select a Diagnostic Log Setting value: Restore Defaults
Detection server uses: All detection servers
Restores log file parameters to their default values.

Select a Diagnostic Log Setting value: Discover Trace Logging
Detection server uses: Network Discover Servers
Enables informational logging for Network Discover scans. These log messages are stored in FileReader0.log.

Select a Diagnostic Log Setting value: Detection Trace Logging
Detection server uses: All detection servers
Logs information about each message that the detection server processes. This includes information such as:
• The policies that were applied to the message
• The policy rules that were matched in the message
• The number of incidents that the message generated
When you enable Detection Trace Logging, the resulting messages are stored in the detection_operational_trace_0.log file.
Note: Trace logging can produce a large amount of data, and the data is stored in clear text format. Use trace logging
only when you need to debug a specific problem.

Select a Diagnostic Log Setting value: Packet Capture Debug Logging
Detection server uses: Network Monitor Servers
Enables basic debug logging for packet capture with Network Monitor. This setting logs information in the
PacketCapture.log file. While this type of logging can produce a large amount of data, the Packet Capture Debug Logging
setting limits the log file size to 50 MB and the maximum number of log files to 10.
If you apply this log configuration setting to a server, you must restart the server process to enable the change.

Select a Diagnostic Log Setting value: Email Prevent Logging
Detection server uses: Network Prevent for Email servers
Enables full message logging for Network Prevent for Email servers. This setting logs the complete message content and
includes execution and error tracing information. Logged information is stored in the RequestProcessor0.log file.
Note: Trace logging can produce a large amount of data, and the data is stored in clear text format. Use trace logging
only when you need to debug a specific problem.
Network Prevent for Email operational log codes
Network Prevent for Email originated responses and codes

Select a Diagnostic Log Setting value: ICAP Prevent Message Processing Logging
Detection server uses: Network Prevent for Web servers
Enables operational and access logging for Network Prevent for Web. This setting logs information in the FileReader0.log
file.
Network Prevent for Web operational log files and event codes
Network Prevent for Web access log files and fields

Table 349: Preconfigured log settings for the Network Discover Cluster

Select a Diagnostic Log Setting value: Restore Defaults
Restores log file parameters to their default values.
When you select Restore Defaults, the zip files containing the default logging configuration (detection_trace.zip and
discover_trace.zip) are copied from the Enforce Server directory
C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<product_version>\Protect\config\logpreconfig
and unzipped on the data node and all the worker nodes at the following location:
C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\<product_version>\LoggingConfigurationOverwrite

Select a Diagnostic Log Setting value: Detection Trace Logging
Enables informational logging for Network Discover scans. These log messages are stored in FileReader0.log.
When you select Detection Trace Logging, the zip file containing the debug logging configuration for the detection
service is copied to the data node and all the worker nodes at the following location:
C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\<product_version>\LoggingConfigurationOverwrite
The following properties are used to enable trace logging:
• com.symantec.dlp.clouddetectionserver.logging.Uni in UDSDetectorLogging.properties.
• UDSEnforceConnectorLogging.properties for the enforce connector process on the data node.

Change the Log Configuration for a Symantec Data Loss Prevention Server
Follow this procedure to change the log configuration for a Symantec Data Loss Prevention server.
1. Click the Configuration tab if it is not already selected.
2. If you want to configure logging properties for a detection server, select the server name from the Select a Detection
Server menu.
3. If you want to apply preconfigured log settings to a server, select the configuration name from the Select a Diagnostic
Configuration menu next to the server you want to configure.
See Preconfigured log settings for the Enforce Server and Preconfigured log settings for detection servers for a
description of the diagnostic configurations.

4. To use a customized log configuration instead of a preconfigured setting, do one of the following:
• For an Enforce Server or detection server, click Choose File next to the server you want to configure. Then select
the logging configuration file to use from the File Upload dialog, and click Open. You can upload only logging
configuration files, not configuration files that affect other server features.
• For the Network Discover Cluster, customize the following files and upload them by clicking Choose File in the Log
Configuration File section. The customized files are downloaded to the data node and worker nodes, and logs are
collected from the data node and worker nodes according to that customization:
– UDSDetectorLogging.properties
– UDSEnforceConnectorLogging.properties

NOTE
For the customization of the UDSEnforceConnectorLogging.properties file to take
effect, restart the Enforce Connector Service.
NOTE
If the Choose File button is unavailable because of a previous menu selection, click Clear Form.
5. Click Configure Logs to apply the preconfigured setting or custom log configuration file to the selected server.
6. Check for any system event warnings that indicate a problem in applying configuration changes on a server.

Log collection and configuration screen


NOTE
The following debug log files are configured manually outside of the logging framework available
through the Enforce Server administration console: ContentExtractionAPI_FileReader.log,
ContentExtractionAPI_Manager.log, ContentExtractionHost_FileReader.log,
ContentExtractionHost_Manager.log, machinelearning_native_filereader.log, and
machinelearning_training_native_manager.log. Refer to the entry for each of these log files in the
debug log file list for configuration details. Debug log files

Collecting Server Logs and Configuration Files


Use the Collection tab of the System > Servers and Detectors > Logs screen to collect log files and configuration files
from one or more Symantec Data Loss Prevention servers. You can collect files from a single detection server or from
all detection servers, the Enforce Server computer and Network Discover Cluster. You can limit the collected files to only
those files that were last updated in a specified range of dates.
Following are the details for log collection for all the Detection Servers (except Network Discover Cluster) and Network
Discover Cluster:

Table 350: Details of log collection

Location/Targets: All Detection Servers, except Network Discover Cluster
The Enforce Server administration console stores all log and configuration files that you collect in a single ZIP file on
the Enforce Server computer. If you retrieve files from multiple Symantec Data Loss Prevention servers, each server's files
are stored in a separate subdirectory of the ZIP file.

Location/Targets: Network Discover Cluster
For Network Discover Cluster log collection, when you select the Operational Logs, Debug and Trace Logs, or Configuration
Files checkbox, the File Path and Credentials fields are displayed. Enter the file share path and credentials for a file
share folder where you want to upload the cluster log files. You must have read and write permissions for this file share
folder. The cluster logs are uploaded to this file share and they are not stored on the Enforce Server. The data node and
all the worker nodes in the cluster upload their logs to this file share.

Checkboxes on the Collection tab enable you to collect different types of files from the selected servers. File types for
collection describes each type of file.

Table 351: File types for collection

File type Description

Operational Logs Operational log files record detailed information about the tasks the software performs
and any errors that occur while the software performs those tasks. You can use the
contents of operational log files to verify that the software functions as you expect it
to. You can also use these files to troubleshoot any problems in the way the software
integrates with other components of your system.
For example, you can use operational log files to verify that a Network Prevent for Email
Server communicates with a specific MTA on your network.
Debug and Trace Logs Debug log files record fine-grained technical details about the individual processes or
software components that comprise Symantec Data Loss Prevention. The contents
of debug log files are not intended for use in diagnosing system configuration errors
or in verifying expected software functionality. You do not need to examine debug log
files to administer or maintain a Symantec Data Loss Prevention installation. However,
Symantec Support may ask you to provide debug log files for further analysis when you
report a problem. Some debug log files are not created by default. Symantec Support
can explain how to configure the software to create the file if necessary.
Configuration Files Use the Configuration Files option to retrieve both logging configuration files and server
feature configuration files.
Logging configuration files define the overall level of logging detail that is recorded in
server log files. Logging configuration files also determine whether specific features or
subsystem events are recorded to log files.
You can modify many common logging configuration properties by using the presets that
are available on the Configuration tab.
If you want to update a logging configuration file by hand, use the Configuration Files
checkbox to download the configuration files for a server. You can modify individual
logging properties using a text editor and then use the Configuration tab to upload the
modified file to the server.
Configuring server logging behavior
The Configuration Files option retrieves the active logging configuration files and also
any backup log configuration files that were created when you used the Configuration
tab. This option also retrieves server feature configuration files. Server feature
configuration files affect many different aspects of server behavior, such as the location
of a syslog server or the communication settings of the server. You can collect these
configuration files to help diagnose problems or verify server settings. However, you
cannot use the Configuration tab to change server feature configuration files. You can
only use the tab to change logging configuration files.


Agent Logs Use the Agent Logs option to collect DLP agent service and operational log files from
an Endpoint Prevent detection server. This option is available only for Endpoint Prevent
servers. To collect the DLP Agent logs, you must have already pulled the log files from
individual agents to the Endpoint Prevent detection server using a Pull Logs action.
Use the Agent List screen to select individual agents and pull selected log files to the
Endpoint Prevent detection server. Then use the Agent Logs option on this page to
collect the log files.
When the logs are pulled from the endpoint, they are stored on the Endpoint Server in
an unencrypted format. After you collect the logs from the Endpoint Server, the logs are
deleted from the Endpoint Server and are stored only on the Enforce Server. You can
only collect logs from one endpoint at a time.

Operational, debug, and trace log files are stored in the server_identifier/logs subdirectory of the ZIP file.
server_identifier identifies the server that generated the log files, and it corresponds to one of the following values:
• If you collect log files from the Enforce Server, Symantec Data Loss Prevention replaces server_identifier with the
string Enforce. Note that Symantec Data Loss Prevention does not use the localized name of the Enforce Server.
• If a detection server’s name includes only ASCII characters, Symantec Data Loss Prevention uses the detection server
name for the server_identifier value.
• If a detection server’s name contains non-ASCII characters, Symantec Data Loss Prevention uses the string
DetectionServer-ID-id_number for the server_identifier value. id_number is a unique identification number for
the detection server.
If you collect agent service log files or operational log files from an Endpoint Prevent server, the files are placed in the
server_identifier/agentlogs subdirectory. Each agent log file uses the individual agent name as the log file prefix.
Follow this procedure to collect log files and log configuration files from Symantec Data Loss Prevention servers.
To collect log files from one or more servers
1. Click the Collection tab if it is not already selected.
2. Use the Date Range menu to select a range of dates for the files you want to collect. Note that the collection process
does not truncate downloaded log files in any way. The date range limits collected files to those files that were last
updated in the specified range.
3. To collect log files from the Enforce Server, select one or more of the checkboxes next to the Enforce Server entry to
indicate the type of files you want to collect.
4. To collect log files from one or all detection servers, use the Select a Detection Server menu to select either the
name of a detection server or the Collect Logs from All Detection Servers option. Then select one or more of the
checkboxes next to the menu to indicate the type of files you want to collect.
5. Click Collect Logs to begin the log collection process.
• For the Enforce Server log collection, the administration console adds a new entry for the log collection process in
the Previous Log Collections list at the bottom of the screen. If you are retrieving many log files, you may need to
refresh the screen periodically to determine when the log collection process has completed.
• For Network Discover Cluster log collection, when the logs are successfully collected, the success message is
added in the Previous Log Collections list at the bottom of the screen. Navigate to the file share folder where the
cluster logs were uploaded. The file share folder has subfolders for each data node (DN) and worker node (WN),
that contain the logs for each of these nodes.
A system event is generated in case there is a failure for Network Discover Cluster log collection.
The default timeout interval for the log collection command is 30 minutes.
NOTE
You can run only one log collection process at a time.

6. To cancel an active log collection process, click Cancel next to the log collection entry. You may need to cancel log
collection if one or more servers are offline and the collection process cannot complete.
When you cancel the Enforce Server log collection, the ZIP file contains only those files that were successfully
collected.
7. To download the Enforce Server collected logs to your local computer, click Download next to the log collection entry.
The Download option is not available for Network Discover Cluster log collection.
8. For the Enforce Server collected logs, to remove ZIP files stored on the Enforce Server, click Delete next to a log
collection entry.
The Delete option is not available for Network Discover Cluster log collection.


About log event codes


Operational log file messages are formatted to closely match industry standards for the various protocols involved.
These log messages contain event codes that describe the specific task that the software was trying to perform when the
message was recorded. Log messages are generally formatted as:
Timestamp [Log Level] (Event Code) Event description [event parameters]

• Network Prevent for Web operational log files and event codes
• Network Prevent for Email operational log codes
• Network Prevent for Email originated responses and codes

Network Prevent for Web Operational Log Files and Event Codes
Network Prevent for Web log file names use the format of WebPrevent_OperationalX.log (where X is a
number). The number of files that are stored and their sizes can be specified by changing the values in the
FileReaderLogging.properties file. This file is in the c:\Program Files\Symantec\DataLossPrevention
\DetectionServer\16.0.10000\Protect\config (Windows) or /opt/Symantec/DataLossPrevention/
DetectionServer/16.0.10000/Protect/config (Linux) directory. By default, the values are:
• com.vontu.icap.log.IcapOperationalLogHandler.limit = 5000000
• com.vontu.icap.log.IcapOperationalLogHandler.count = 5
Status codes for Network Prevent for Web operational logs lists the Network Prevent for Web-defined operational logging
codes by category. The italicized part of the text contains event parameters.

Table 352: Status codes for Network Prevent for Web operational logs

Code Text and Description

Operational Events
1100 Starting Network Prevent for Web

1101 Shutting down Network Prevent for Web

Connectivity Events


1200 Listening for incoming connections at icap_bind_address:icap_bind_port


Where:
• icap_bind_address is the Network Prevent for Web bind address to which the server listens. This address is specified
with the Icap.BindAddress Advanced Setting.
• icap_bind_port is the port at which the server listens. This port is set in the Server > Configure page.
1201 Connection (id=conn_id) opened from host(icap_client_ip:icap_client_port)
Where:
• conn_id is the connection ID that is allocated to this connection. This ID can be helpful in doing correlations between
multiple logs.
• icap_client_ip and icap_client_port are the proxy's IP address and port from which the connect operation to Network
Prevent for Web was performed.
1202 Connection (id=conn_id) closed (close_reason)
Where:
• conn_id is the connection ID that is allocated to the connect operation.
• close_reason provides the reason for closing the connection.
1203 Connection states: REQMOD=N, RESPMOD=N, OPTIONS=N, OTHERS=N
Where N indicates the number of connections in each state, when the message was logged.
This message provides the system state in terms of connection management. It is logged whenever a connection is
opened or closed.
Connectivity Errors
5200 Failed to create listener at icap_bind_address:icap_bind_port
Where:
• icap_bind_address is the Network Prevent for Web bind address to which the server listens. This address can be
specified with the Icap.BindAddress Advanced Setting.
• icap_bind_port is the port at which the server listens. This port is set on the Server > Configure page.
5201 Connection was rejected from unauthorized host (host_ip:port)
Where host_ip and port are the proxy system IP and port address from which a connect attempt to Network Prevent for
Web was performed. If the host is not listed in the Icap.AllowHosts Advanced setting, it is unable to form a connection.


Network Prevent for Web Access Log Files and Fields


Network Prevent for Web log file names use the format of WebPrevent_AccessX.log (where X is a
number). The number of files that are stored and their sizes can be specified by changing the values in the
FileReaderLogging.properties file. By default, the values are:
• com.vontu.icap.log.IcapAccessLogHandler.limit = 5000000
• com.vontu.icap.log.IcapAccessLogHandler.count = 5
A Network Prevent for Web access log is similar to a proxy server’s web access log. The “start” log message format is:
# Web Prevent starting: start_time

Where start_time format is date:time, for example: 13/Aug/2018:03:11:22:015-0700.


The description message format is:
# host_ip "auth_user" time_stamp "request_line" icap_status_code request_size "referer" "user_agent" processing_time(ms) conn_id client_ip client_port action_code icap_method_code traffic_source_code

Network Prevent for Web access log fields lists the fields. The values of fields that are enclosed in quotes in this example
are quoted in an actual message. If field values cannot be determined, the message displays - or "" as a default value.

Table 353: Network Prevent for Web access log fields

Field Explanation

host_ip IP address of the host that made the request.


auth_user Authorized user for this request.
time_stamp Time that Network Prevent for Web receives the request.
request_line Line that represents the request.
icap_status_code ICAP response code that Network Prevent for Web sends for this request.
request_size Request size in bytes.
referer Value of the request's Referer header, which contains the URI from which this request came.
user_agent User agent that is associated with the request.
processing_time (milliseconds) Request processing time in milliseconds. This value is the total of the receiving, content
inspection, and sending times.
conn_id Connection ID associated with the request.
client_ip IP of the ICAP client (proxy).
client_port Port of the ICAP client (proxy).
action_code An integer representing the action that Network Prevent for Web takes. Where the action code is
one of the following:
• 0 = UNKNOWN
• 1 = ALLOW
• 2 = BLOCK
• 3 = REDACT
• 4 = ERROR
• 5 = ALLOW_WITHOUT_INSPECTION
• 6 = OPTIONS_RESPONSE
• 7 = REDIRECT
icap_method_code An integer representing the ICAP method that is associated with this request. Where the ICAP
method code is one of the following:
• -1 = ILLEGAL
• 0 = OPTIONS
• 1 = REQMOD
• 2 = RESPMOD
• 3 = LOG
traffic_source_code An integer that represents the source of the network traffic. Where the traffic source code is one
of the following:
• 1 = WEB
• 2 = UNKNOWN
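The parser below is an added example and is not Symantec's code or part of this documentation. It reads access log lines in the format shown above, resolves action_code, icap_method_code and traffic_source_code to the names in Table 353, treats the documented defaults (- and "") as missing values, and collects the requests that Network Prevent for Web allowed without inspection or answered with an error, which is what a review of DLP coverage most needs from this log. The sample lines are constructed; the leading "#" on each request line and the timestamp layout are assumptions taken from the format description.

```python
"""Parse Network Prevent for Web access log lines (WebPrevent_AccessX.log).

Added example, not Symantec's code. Field order follows the documented format:
  host_ip "auth_user" time_stamp "request_line" icap_status_code request_size
  "referer" "user_agent" processing_time(ms) conn_id client_ip client_port
  action_code icap_method_code traffic_source_code
Assumptions: request lines carry the same leading "#" as the documented
format, and "-" or "" marks a field whose value could not be determined.
"""
import re
from typing import Dict, List, Optional

ACTION_CODES = {0: "UNKNOWN", 1: "ALLOW", 2: "BLOCK", 3: "REDACT", 4: "ERROR",
                5: "ALLOW_WITHOUT_INSPECTION", 6: "OPTIONS_RESPONSE", 7: "REDIRECT"}
ICAP_METHOD_CODES = {-1: "ILLEGAL", 0: "OPTIONS", 1: "REQMOD", 2: "RESPMOD", 3: "LOG"}
TRAFFIC_SOURCE_CODES = {1: "WEB", 2: "UNKNOWN"}
FIELD_NAMES = ["host_ip", "auth_user", "time_stamp", "request_line", "icap_status_code",
               "request_size", "referer", "user_agent", "processing_time_ms", "conn_id",
               "client_ip", "client_port", "action_code", "icap_method_code",
               "traffic_source_code"]
INT_FIELDS = {"icap_status_code", "request_size", "processing_time_ms", "conn_id",
              "client_port", "action_code", "icap_method_code", "traffic_source_code"}
# One field: a double-quoted string (possibly empty) or a run of non-blank characters.
_FIELD = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(body: str) -> List[Optional[str]]:
    """Split a line into fields; quoted fields keep embedded spaces,
    and the documented defaults "-" and "" become None."""
    fields: List[Optional[str]] = []
    for quoted, bare in _FIELD.findall(body):
        value = bare if bare else quoted
        fields.append(None if value in ("", "-") else value)
    return fields


def parse_access_line(line: str) -> Optional[Dict[str, object]]:
    """Return one record per request line; None for blank or startup lines."""
    body = line.strip()
    if not body or body.startswith("# Web Prevent starting:"):
        return None
    if body.startswith("#"):
        body = body[1:].lstrip()
    values = tokenize(body)
    if len(values) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(values)}: {line!r}")
    rec: Dict[str, object] = dict(zip(FIELD_NAMES, values))
    for name in INT_FIELDS:
        rec[name] = int(rec[name]) if rec[name] is not None else None
    rec["action"] = ACTION_CODES.get(rec["action_code"], "UNKNOWN")
    rec["icap_method"] = ICAP_METHOD_CODES.get(rec["icap_method_code"], "ILLEGAL")
    rec["traffic_source"] = TRAFFIC_SOURCE_CODES.get(rec["traffic_source_code"], "UNKNOWN")
    return rec


def summarize(log_text: str) -> Dict[str, object]:
    """Aggregate what a coverage review needs: counts per action, the requests
    whose content DLP never inspected, and the slowest request."""
    records = [r for r in map(parse_access_line, log_text.splitlines()) if r]
    by_action: Dict[str, int] = {}
    for r in records:
        by_action[r["action"]] = by_action.get(r["action"], 0) + 1
    # Allowed without inspection (for example, oversized content) or answered with ERROR:
    # this traffic received no detection verdict from Network Prevent for Web.
    uninspected = [(r["conn_id"], r["host_ip"], r["request_line"])
                   for r in records if r["action"] in ("ALLOW_WITHOUT_INSPECTION", "ERROR")]
    slowest = max(records, key=lambda r: r["processing_time_ms"] or 0, default=None)
    return {"records": records, "by_action": by_action, "uninspected": uninspected,
            "slowest_conn_id": slowest["conn_id"] if slowest else None}


# Constructed sample; the timestamps follow the documented date:time example.
SAMPLE_LOG = """\
# Web Prevent starting: 13/Sep/2023:10:02:11:000-0700
# 10.1.2.3 "jdoe" 13/Sep/2023:10:05:41:120-0700 "POST http://upload.example.com/files HTTP/1.1" 200 524288 "http://intranet.example.com/" "Mozilla/5.0" 312 41 10.1.0.5 34012 1 1 1
# 10.1.2.9 - 13/Sep/2023:10:06:02:004-0700 "POST https://paste.example.net/new HTTP/1.1" 200 2048 "" "curl/8.1" 45 42 10.1.0.5 34013 2 1 1
# 10.1.2.3 "jdoe" 13/Sep/2023:10:07:15:500-0700 "PUT http://upload.example.com/big.iso HTTP/1.1" 204 314572800 - "Mozilla/5.0" 9 43 10.1.0.5 34014 5 1 1
# - "" 13/Sep/2023:10:07:20:000-0700 "OPTIONS icap://dlp.example.com/reqmod ICAP/1.0" 200 0 "" "" 1 44 10.1.0.5 34015 6 0 2
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(summary["by_action"])
    for conn_id, host, request in summary["uninspected"]:
        print(f"uninspected: conn {conn_id} from {host}: {request}")
```

The tokenizer relies on the documented convention that free-text fields (auth_user, request_line, referer, user_agent) are double-quoted and contain no embedded double quote; a line whose quoted field breaks that convention, or whose field count differs from the fifteen documented fields, is rejected with ValueError rather than silently misaligned.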

Network Prevent for Web protocol debug log files
To enable ICAP trace logging, set the Icap.EnableTrace advanced setting to true and use the Icap.TraceFolder
advanced setting to specify a directory to receive the traces. The Symantec Data Loss Prevention service must be restarted
for this change to take effect.
Trace files that are placed in the specified directory have file names in the format timestamp-conn_id. The first line of a
trace file records the connecting host IP and port along with a timestamp. Data that is read from the socket is recorded in
the format <<timestamp number_of_bytes_read, and data that is written to the socket is recorded in the format
>>timestamp number_of_bytes_written. The last line should note that the connection has been closed.
NOTE
Trace logging produces a large amount of data and therefore requires a large amount of free disk storage
space. Because a trace captures the raw ICAP exchange with the proxy, it contains the request and response
content that the server was asked to inspect, in clear text. Use trace logging only while debugging an issue,
restrict access to the trace directory, and delete the traces once the issue is resolved.

Network Prevent for Email Log Levels


Network Prevent for Email log file names use the format of EmailPrevent_OperationalX.log (where X is a
number). The number of files that are stored and their sizes can be specified by changing the values in the
FileReaderLogging.properties file. By default, the values are:
• com.vontu.mta.log.SmtpOperationalLogHandler.limit = 5000000
• com.vontu.mta.log.SmtpOperationalLogHandler.count = 5
At various log levels, components in the com.vontu.mta.rp package output varying levels of detail. The
com.vontu.mta.rp.level setting in the RequestProcessorLogging.properties file specifies the log level. This file is
in the c:\Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\config (Windows) or
/opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/config (Linux) directory. For example,
com.vontu.mta.rp.level = FINE specifies the FINE level of detail.
Network Prevent for Email log levels describes the Network Prevent for Email log levels.

Table 354: Network Prevent for Email log levels

Level Guidelines

INFO General events: connect and disconnect notices, information on the messages that are processed per connection.
FINE Some additional execution tracing information.
FINER Envelope command streams, message headers, detection results.
FINEST Complete message content, deepest execution tracing, and error tracing.

NOTE
FINER writes message headers and FINEST writes complete message content to the operational log. Use these levels
only while troubleshooting, and protect and dispose of the resulting log files as you would the sensitive messages
they contain.

Network Prevent for Email operational log codes


Status codes for Network Prevent for Email operational log lists the defined Network Prevent for Email operational
logging codes by category.

Table 355: Status codes for Network Prevent for Email operational log

Code Description

Core Events
1100 Starting Network Prevent for Email
1101 Shutting down Network Prevent for Email
1102 Reconnecting to FileReader (tid=id)
Where id is the thread identifier. The RequestProcessor attempts to re-establish its connection with the FileReader for
detection.
1103 Reconnected to the FileReader successfully (tid=id)
The RequestProcessor was able to re-establish its connection to the FileReader.
Core Errors
5100 Could not connect to the FileReader (tid=id timeout=.3s)
An attempt to re-connect to the FileReader failed.
5101 FileReader connection lost (tid=id)
The RequestProcessor connection to the FileReader was lost.
Connectivity Events
1200 Listening for incoming connections (local=hostname)
Where hostname is an IP address or fully-qualified domain name.
1201 Connection accepted (tid=id cid=N local=hostname:port remote=hostname:port)
Where N is the connection identifier.
1202 Peer disconnected (tid=id cid=N local=hostname:port remote=hostname:port)
1203 Forward connection established (tid=id cid=N local=hostname:port remote=hostname:port)
1204 Forward connection closed (tid=id cid=N local=hostname:port remote=hostname:port)
1205 Service connection closed (tid=id cid=N local=hostname:port remote=hostname:port messages=1 time=0.14s)
Connectivity Errors
5200 Connection is rejected from the unauthorized host (tid=id local=hostname:port remote=hostname:port)
5201 Local connection error (tid=id cid=N local=hostname:port remote=hostname:port reason=Explanation)
5202 Sender connection error (tid=id cid=N local=hostname:port remote=hostname:port reason=Explanation)
5203 Forwarding connection error (tid=id cid=N local=hostname:port remote=hostname:port reason=Explanation)
5204 Peer disconnected unexpectedly (tid=id cid=N local=hostname:port remote=hostname:port reason=Explanation)
5205 Could not create listener (address=local=hostname:port reason=Explanation)
5206 Authorized MTAs contains invalid hosts: hostname, hostname, ...
5207 MTA restrictions are active, but no MTAs are authorized to communicate with this host
5208 TLS handshake failed (reason=Explanation tid=id cid=N local=hostname remote=hostname)
5209 TLS handshake completed (tid=id cid=N local=hostname remote=hostname)
5210 All forward hosts unavailable (tid=id cid=N reason=Explanation)
5211 DNS lookup failure (tid=id cid=N NextHop=hostname reason=Explanation)
5303 Failed to encrypt incoming message (tid=id cid=N local=hostname remote=hostname)
5304 Failed to decrypt outgoing message (tid=id cid=N local=hostname remote=hostname)

Message Events
1300 Message complete (cid=N message_id=3 dlp_id=message_identifier size=number sender=email_address
recipient_count=N disposition=response estatus=statuscode rtime=N dtime=N mtime=N)
Where:
• recipient_count is the total number of addressees in the To, CC, and BCC fields.
• response is the Network Prevent for Email response, which can be one of: PASS, BLOCK, BLOCK_AND_REDIRECT,
REDIRECT, MODIFY, or ERROR.
• estatus is an Enhanced Status code. See Network Prevent for Email originated responses and codes.
• rtime is the time in seconds for Network Prevent for Email to fully receive the message from the sending MTA.
• dtime is the time in seconds for Network Prevent for Email to perform detection on the message.
• mtime is the total time in seconds for Network Prevent for Email to process the message.
Message Errors
5300 Error while processing message (cid=N message_id=header_ID dlp_id=message_identifier size=0
sender=email_address recipient_count=N disposition=response estatus=statuscode rtime=N dtime=N mtime=N
reason=Explanation)
Where header_ID is an RFC 822 Message-Id header if one exists.
5301 Sender rejected during re-submit
5302 Recipient rejected during re-submit


Network Prevent for Email Originated Responses and Codes


Network Prevent for Email originates the following responses. Other protocol responses are expected as Network Prevent
for Email relays command stream responses from the forwarding MTA to the sending MTA. Network Prevent for Email
originated responses shows the responses that occur in situations where Network Prevent must override the receiving
MTA. It also shows the situations where Network Prevent generates a specific response to an event that is not relayed
from downstream.
“Enhanced Status” is the RFC 1893 Enhanced Status Code associated with the response.

Table 356: Network Prevent for Email originated responses

Code Enhanced Status Text
Description

250 2.0.0 Ok: Carry on.
Success code that Network Prevent for Email uses.
221 2.0.0 Service closing.
The normal connection termination code that Network Prevent for Email generates if a QUIT request is received when no
forward MTA connection is active.
451 4.3.0 Error: Processing error.
This “general, transient” error response is issued when a (potentially) recoverable error condition arises and a more
specific error response is not available. Forward connections are sometimes closed, and their unexpected termination is
occasionally a cause of a code 451, status 4.3.0. However, sending connections should remain open when such a condition
arises unless the sending MTA chooses to terminate.
421 4.3.0 Fatal: Processing error. Closing connection.
This “general, terminal” error response is issued when a fatal, unrecoverable error condition arises. This error results
in the immediate termination of any sender or receiver connections.
421 4.4.1 Fatal: Forwarding agent unavailable.
An attempt to connect to the forward MTA was refused or otherwise failed to establish properly.
421 4.4.2 Fatal: Connection lost to forwarding agent.
Closing connection. The forward MTA connection is lost in a state where further conversation with the sending MTA is not
possible. The loss usually occurs in the middle of message header or body buffering. The connection is terminated
immediately.
451 4.4.2 Error: Connection lost to forwarding agent.
The forward MTA connection was lost in a state that may be recoverable if the connection can be re-established. The
sending MTA connection is maintained unless it chooses to terminate.
421 4.4.7 Error: Request timeout exceeded.
The last command issued did not receive a response within the time window that is defined in
RequestProcessor.DefaultCommandTimeout. (The time window may be from RequestProcessor.DotCommandTimeout if the
command issued was the “.”). The connection is closed immediately.
421 4.4.7 Error: Connection timeout exceeded.
The connection was idle (no commands actively awaiting response) in excess of the time window that is defined in
RequestProcessor.DefaultCommandTimeout.
501 5.5.2 Fatal: Invalid transmission request.
A fatal violation of the SMTP protocol (or the constraints that are placed on it) occurred. The violation is not expected
to change on a resubmitted message attempt. This message is only issued in response to a single command or data line
that exceeds the boundaries that are defined in RequestProcess.MaxLineSize.
502 5.5.1 Error: Unrecognized command.
Defined but not currently used.
550 5.7.1 User Supplied.
This combination of code and status indicates that a Blocking response rule has been engaged. The text that is returned
is supplied as part of the response rule definition.

Note that a 4xx code and a 4.x.x enhanced status indicate a temporary error. In such cases the MTA can resubmit the
message to the Network Prevent for Email Server. A 5xx code and a 5.x.x enhanced status indicate a permanent error. In
such cases the MTA should treat the message as undeliverable.
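The parser below is an added example, not Symantec's code or part of this documentation. It covers the Message Events and connectivity codes of Table 355 and the temporary-versus-permanent rule stated in the note above: it splits an operational log line into its event code, description and key=value parameters, classifies each message's estatus as success, temporary (the MTA may resubmit) or permanent (undeliverable), and pulls out the two connectivity conditions that matter most operationally, 5200 rejected unauthorized hosts and 5208 TLS handshake failures. The line shape follows the generic Timestamp [Log Level] (Event Code) description format given earlier; the exact timestamp layout, the level names, and all sample lines are constructed assumptions.

```python
"""Parse Network Prevent for Email operational log lines (EmailPrevent_OperationalX.log).

Added example, not Symantec's code. It relies on the documented line shape
  Timestamp [Log Level] (Event Code) Event description (key=value ...)
and on the parameters Table 355 lists for the message and connectivity events.
Assumptions: the timestamp is "YYYY-MM-DD HH:MM:SS.mmm" and the level names
are INFO, WARNING and SEVERE; the sample lines are constructed.
"""
import re
from typing import Dict, List, Optional

_LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
                   r"\[(?P<level>[A-Z]+)\] \((?P<code>\d{4})\) (?P<rest>.*)$")
# key=value pairs: a value runs until the next " key=" or the closing parenthesis,
# so a trailing reason=... may contain spaces.
_PARAM = re.compile(r"(\w+)=(.*?)(?=\s\w+=|\)?$)")


def parse_params(text: str) -> Dict[str, str]:
    return dict(_PARAM.findall(text))


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return {ts, level, code, description, params} or None for unrecognised lines."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    paren = rest.find("(")  # the parameter block, when present, is parenthesised
    description = rest if paren < 0 else rest[:paren].rstrip()
    params = {} if paren < 0 else parse_params(rest[paren + 1:])
    return {"ts": m.group("ts"), "level": m.group("level"), "code": int(m.group("code")),
            "description": description, "params": params}


def estatus_class(estatus: str) -> str:
    """Apply the note under Table 356: a 4.x.x enhanced status is temporary (the MTA
    may resubmit), a 5.x.x status is permanent (treat as undeliverable)."""
    return {"2": "success", "4": "temporary", "5": "permanent"}.get(
        estatus.split(".")[0], "unknown")


def summarize(log_text: str) -> Dict[str, object]:
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    messages: List[Dict[str, object]] = []
    for e in events:
        if e["code"] in (1300, 5300):  # Message complete / Error while processing message
            p = e["params"]
            messages.append({"dlp_id": p.get("dlp_id"), "disposition": p.get("disposition"),
                             "estatus": p.get("estatus"), "reason": p.get("reason"),
                             "outcome": estatus_class(p.get("estatus", "")),
                             "dtime": float(p.get("dtime", "0"))})
    by_disposition: Dict[str, int] = {}
    for msg in messages:
        by_disposition[msg["disposition"]] = by_disposition.get(msg["disposition"], 0) + 1
    return {
        "events": events,
        "messages": messages,
        "by_disposition": by_disposition,
        # 4.x.x outcomes: the sending MTA may resubmit, so repeats here point to a loop.
        "retryable": [m["dlp_id"] for m in messages if m["outcome"] == "temporary"],
        # 5200: a host outside the authorized MTA list tried to connect.
        "unauthorized_hosts": [e["params"].get("remote") for e in events if e["code"] == 5200],
        # 5208: TLS handshake failures, with peer and reason.
        "tls_failures": [(e["params"].get("remote"), e["params"].get("reason"))
                         for e in events if e["code"] == 5208],
        "slowest_detection_s": max((m["dtime"] for m in messages), default=0.0),
    }


# Constructed sample lines.
SAMPLE_LOG = """\
2023-09-13 10:15:20.001 [INFO] (1100) Starting Network Prevent for Email
2023-09-13 10:15:20.050 [INFO] (1200) Listening for incoming connections (local=dlp-mta.example.com)
2023-09-13 10:15:22.113 [INFO] (1201) Connection accepted (tid=12 cid=7 local=10.0.0.5:10025 remote=10.0.0.9:51234)
2023-09-13 10:15:24.900 [INFO] (1300) Message complete (cid=7 message_id=<a1@corp.example.com> dlp_id=4f2c size=52344 sender=alice@corp.example.com recipient_count=3 disposition=BLOCK estatus=5.7.1 rtime=0.12 dtime=1.84 mtime=2.01)
2023-09-13 10:15:25.300 [INFO] (1300) Message complete (cid=7 message_id=<a2@corp.example.com> dlp_id=4f2d size=1200 sender=bob@corp.example.com recipient_count=1 disposition=PASS estatus=2.0.0 rtime=0.01 dtime=0.09 mtime=0.11)
2023-09-13 10:15:30.000 [WARNING] (5200) Connection is rejected from the unauthorized host (tid=13 local=10.0.0.5:10025 remote=203.0.113.44:40111)
2023-09-13 10:15:31.000 [SEVERE] (5208) TLS handshake failed (reason=certificate_unknown tid=14 cid=8 local=dlp-mta.example.com remote=mta2.example.com)
2023-09-13 10:15:40.000 [SEVERE] (5300) Error while processing message (cid=9 message_id=<a3@corp.example.com> dlp_id=4f2e size=0 sender=carol@corp.example.com recipient_count=2 disposition=ERROR estatus=4.3.0 rtime=0.30 dtime=0 mtime=0.31 reason=Connection lost to forwarding agent)
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["by_disposition"], "retryable:", s["retryable"])
    print("unauthorized:", s["unauthorized_hosts"], "tls failures:", s["tls_failures"])
```

A 5200 event is the signal that a host outside the authorized MTA list reached the listener, so the remote address it carries is worth alerting on rather than only counting; the retryable list is the set of messages the sending MTA is entitled to resubmit, and the same dlp_id recurring there indicates a delivery loop rather than a one-off outage.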

Using Symantec Data Loss Prevention utilities


This section includes the following topics:
About Symantec Data Loss Prevention utilities
About Endpoint utilities
DBPasswordChanger

About Symantec Data Loss Prevention utilities


Symantec provides a suite of utilities to help users accomplish those tasks that need to be done on an infrequent basis.
The utilities are typically used to perform troubleshooting and maintenance tasks. They are also used to prepare data and
files for use with the Symantec Data Loss Prevention software.
The Symantec Data Loss Prevention utilities are provided for both Windows and Linux operating systems. You use
the command line to run the utilities on both operating systems. The utilities operate in a similar manner regardless of
operating system.

Table 357: Symantec Data Loss Prevention utilities describes how and when to use each utility.

Table 357: Symantec Data Loss Prevention utilities

Name Description

DBPasswordChanger Changes the encrypted password that the Enforce Server uses to connect to the Oracle
database.
sslkeytool Generates custom authentication keys to improve the security of the data that
is transmitted between the Enforce Server and detection servers. The custom
authentication keys must be copied to each Symantec Data Loss Prevention server.
See About the sslkeytool utility and server certificates.
SQL Preindexer Indexes an SQL database or runs an SQL query on specific data tables within the
database. This utility is designed to pipe its output directly to the Remote EDM Indexer
utility.
Remote EDM Indexer Converts a comma-separated or tab-delimited data file into an exact data matching
index. The utility can be run on a remote machine to provide the same indexing
functionality that is available locally on the Enforce Server.
This utility is often used with the SQL Preindexer. The SQL Preindexer can run an SQL
query and pass the resulting data directly to the Remote EDM Indexer to create an EDM
index.

About Endpoint utilities


The following table describes those utilities that apply to the Endpoint products.

Table 358: Endpoint utilities

Name Description

Service_Shutdown.exe This utility enables an administrator to turn off both the agent and the watchdog services
on an endpoint. (As a tamper-proofing measure, it is not possible for a user to stop either
the agent or the watchdog service.)
Vontu_sqlite3.exe This utility provides an SQL interface that enables you to view or modify the encrypted
database files that the Symantec DLP Agent uses. Use this tool when you want to
investigate or make changes to the Symantec Data Loss Prevention files.
Logdump.exe This tool lets you view the Symantec DLP Agent extended log files, which are hidden for
security reasons.
Start_agent This utility enables an administrator to start agents running on Mac endpoints that have
been shut down using the shutdown task.

DBPasswordChanger
Symantec Data Loss Prevention stores encrypted passwords to the Oracle database in a file that is called
DatabasePassword.properties.
Locate DatabasePassword.properties in C:\Program Files\Symantec\DataLossPrevention
\EnforceServer\16.0.10000\Protect\config (Windows) or /opt/Symantec/DataLossPrevention/
EnforceServer/16.0.10000/Protect/config (Linux).
Because the contents of the file are encrypted, you cannot directly modify the file. Use the DBPasswordChanger utility to
change the stored Oracle database passwords that the Enforce Server uses.

Complete the following before you use DBPasswordChanger to change the password to the Oracle database:
• Shut down the Enforce Server.
• Change the Oracle database password using Oracle utilities.

Related Links
Example of using DBPasswordChanger on page 787

DBPasswordChanger Syntax
The DBPasswordChanger utility uses the following syntax:
DBPasswordChanger password_file new_oracle_password

All command-line parameters are required. The following table describes each command-line parameter.

Table 359: DBPasswordChanger command-line parameters

Parameter Description

password_file Specifies the file that contains the encrypted password. By default, this file is named
DatabasePassword.properties and is stored in
C:\Program Files\Symantec\DataLossPrevention\EnforceServer
\16.0.10000\Protect\config (Windows) or
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/
Protect/config (Linux).
new_oracle_password Specifies the new Oracle password to encrypt and store.

Example of using DBPasswordChanger


If Symantec Data Loss Prevention was installed in the default location, then the DBPasswordChanger utility is located at
C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\bin (Windows)
or /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/bin (Linux). You must be an
Administrator (or root) to run DBPasswordChanger.
For example, type:
DBPasswordChanger \Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\DatabasePassword.properties protect_oracle
Because the new password is passed as a command-line argument, it is visible in the process list while the utility runs
and may be recorded in the shell history. Run the utility from a session whose history you control and clear the entry
afterwards.


Increasing the inspection content size


Data Loss Prevention provides an easier way for you to increase the inspection content size. The default maximum file
inspection size is unchanged (30 MB), but you can easily adjust the inspection size to higher values. The adjustments
can be made using a slider at the System > Servers and Detectors > Overview > Configure Server page under the
Detection tab for detection servers. Currently, the highest limit for the servers (except Discover Exchange Crawler and
Web Prevent) is 2 GB.
The adjustments can be made using a slider at the System > Agents > Agent Configuration page under the Settings
tab for agent configurations. Currently the highest limit for the DLP Agent is 150 MB.
Consider the following inspection content size parameters for Network Discover scans before you change settings:

• The content inspection value indicates the maximum allowed size of the original file or message that is to be inspected.
• The largest content inspection size is 2 GB. This limitation applies to container type files (for example, zip, docx, and
so on).
However, the largest text extraction size for the files (and sub-files from a container) can only be 1 GB. For example,
we can still take a 2 GB zip file for extraction, but within that zip file if there are text files that are greater than 1 GB,
these files are not extracted.
• The largest non-container file (or sub-file) for text extraction is 1 GB.
• Each slider position sets the ContentExtraction.MaxContentSize setting. This setting indicates the buffer
needed to hold all the extracted data, including sub-files and their extracted text.
• If the extracted data buffer exceeds 2 GB, additional data cannot be extracted. In this case, detection is performed only
on the content already in the buffer; text that did not fit is not inspected.
• The maximum value for the ContentExtraction.MaxContentSize setting is 2 GB, which is the same as the
maximum file size.
• The extracted data buffer stores extracted text in UTF-16 regardless of the encoding of the source document, so text
from a single-byte-encoded source occupies roughly twice its original size in the buffer.
There are different content inspection file size limits for different channels. Channel-specific content inspection file size
limits lists the different channels that Symantec has tested and the corresponding supported file size limits.

Table 360: Channel-specific content inspection file size limits

Channel File size limit

Endpoint Prevent 150 MB
EDAR 150 MB
Discover
  Discover Exchange Crawler 150 MB
  Discover File System 2 GB
  Discover SharePoint 2 GB
Appliance - REST 1.2 GB (1.7 GB Base64 encoded)
Web Prevent
  Web Prevent FTP 150 MB
  Web Prevent HTTPS/HTTP 100 MB
SMTP Prevent 150 MB

Increasing the maximum inspection size limit for files means that larger files are inspected. Inspection of larger files takes
longer and requires more memory for the inspection to complete. Also, timeout limits increase, so the detection engine
takes longer to timeout in the case of detection failures.
Depending on the content inspection size you choose, certain advanced settings are automatically adjusted. The
Inspection Content Size feature only shows the inspection size options that you can enable based on your existing system
memory.
NOTE
To complete the update, you must restart the service after you have increased the maximum inspection size limit
using the slider or edited any properties files.
The behavior of the "Increasing the maximum inspection size limit" feature is enabled or disabled depending on many
factors:

• For a new detection server, the slider is disabled by default and the box is not checked.
• For a new Agent, the slider is enabled at 30 MB by default and the box is checked.
• Memory limits on the server are different from memory limits on the agent.
• You cannot use the slider to increase the maximum inspection size limit if the detection server is not connected to an
Enforce Server.
NOTE
The maximum inspection size limit for the DLP cloud services is not customer-configurable. These limits are
enumerated in the Service Description for the DLP cloud services. This feature is only available for detection
servers, appliances, and the DLP Agent.
To customize the inspection content size
1. Go to System > Servers and Detectors > Configure a Server for detection servers or System > Agents > Agent
Configuration > Settings for DLP Agents.
2. Click the Detection tab for detection servers or go to the Settings section for DLP Agents.
3. Click Customize settings, under Inspection Content Size.
Move the slider to the size you want. The values that follow are examples only; you see only the options that can be
enabled based on your system memory.
• 30 MB, 50 MB, 100 MB, or 150 MB for DLP Agents
• 30 MB, 100 MB, 150 MB, 500 MB, or 2 GB for detection servers and appliances
When you select a new size, Symantec Data Loss Prevention automatically updates Advanced Server or Advanced
Agent settings to implement your selection. If your settings are different from the preferred and recommended settings,
a link to Preview updated settings appears.
4. Click Preview updated settings to see the Advanced Setting Name, Current Value, and Preferred Value.
5. For the detection servers only, if you need to change properties file settings, a Tuning Guidelines link appears. You
can click the link and review the tuning guidelines per your requirements. See Related Documents. You do not need to
edit properties files for the DLP Agent.
6. Restart the service. To complete the update, you must restart the service after you have adjusted the maximum
inspection size limit using the slider or edited any properties files.

System Event Codes


System events are shown whenever the Advanced Settings are updated. For a list of system events that you might see
after Advanced Settings have been updated, see System Events for changes in Advanced Settings for larger files.

Table 361: System Events for changes in Advanced Settings for larger files

System event code | Description/Message                                     | Server or Agent
------------------|---------------------------------------------------------|----------------
5306              | Agent advanced settings update is complete.             | Agent
5307              | Agent advanced settings have been updated.              | Agent
5308              | Agent advanced settings update has failed.              | Agent
5309              | Server advanced settings update is complete.            | Server
5310              | Advanced settings have been updated for the server.     | Server
5311              | Advanced settings update has failed for the server {0}. | Server

If you choose a setting of 500 MB or greater on the detection server, Symantec recommends that you enable external
storage for incident attachments (blob externalization). To enable external storage for incident attachments during
installation or upgrade, see "External storage for incident attachments" in the Symantec Data Loss Prevention Installation
Guide and Symantec Data Loss Prevention Upgrade Guide.
To enable external storage for incident attachments after installation or upgrade, see "About the incident attachment
external storage directory" in the Symantec Data Loss Prevention System Maintenance Guide.
Related Documents

Guidelines for Increasing System Memory on Detection Servers


If you try to increase the content inspection size when you do not have enough system memory, you cannot set the slider
to higher file sizes. You also see this message:
Based on the system's current physical memory, inspection of content up to <X> MB is enabled. To enable
inspection of all content please increase system memory.
The slider limit is based on:
• The number of message chains (MessageChain.NumChains) and cache size (MessageChain.CacheSize).
• System memory: The slider only enables the inspection of content up to the capacity of your current physical memory.
To inspect files larger than your current settings:
• Reduce the value of MessageChain.CacheSize and MessageChain.NumChains for the detection server
• Increase the system memory
To reduce the value of the two message chain settings: Go to Advanced Settings for the detection server and reduce
the value of MessageChain.CacheSize and MessageChain.NumChains. Symantec recommends that you configure
MessageChain.CacheSize to equal the value of MessageChain.NumChains. After you save your settings, you can use the
slider to increase the content inspection size.
To increase the system memory, consult Minimum system memory required for file sizes and corresponding number of
chains. Find your file size setting in column one and your message chains in the remaining headers. Read across to get
the minimum physical system memory needed for the corresponding slider limits and number of chains.

Table 362: Minimum System Memory Required for File Sizes and Corresponding Number of Chains

File size | 4 chains | 6 chains | 8 chains | 16 chains
----------|----------|----------|----------|----------
30 MB     | 6 GB     | 7 GB     | 8 GB     | 16 GB
100 MB    | 16 GB    | 20 GB    | 24 GB    | 44 GB
150 MB    | 24 GB    | 30 GB    | 36 GB    | 72 GB
500 MB    | 54 GB    | 64 GB    | 74 GB    | 148 GB
2 GB      | 130 GB   | 178 GB   | 226 GB   | 452 GB

As the table indicates, the amount of extra system memory that is required for every two extra message chains varies
according to the file size:

• 1-GB RAM for a 30-MB file
• 4-GB RAM for a 100-MB file
• 6-GB RAM for a 150-MB file
• 10-GB RAM for a 500-MB file
• 48-GB RAM for a 2-GB file

NOTE
The guidelines in Minimum system memory required for file sizes and corresponding number of chains may not
work for detection servers with profiles or indexes.
See The Effect of Scale on System Requirements.
Refer to General performance tuning recommendations for detection servers for more information on how to configure the
appropriate number of message chains.

Table 363: General Performance Tuning Recommendations for Detection Servers

Parameter: MessageChain.NumChains
  Default setting: 4 (typically) or 8 (for some detection servers)
  Recommended setting:
  • For virtualized environments: MessageChain.NumChains = 0.8 * Number of vCPUs. For example, for a system with
    8 vCPUs, MessageChain.NumChains = 6.
    Note: The test results presented in this document provide general guidelines. When the tests were conducted in the
    Broadcom lab environment, the runs were more stable when a 0.8 factor was used. In this case, stable means that
    there was a reduced number of errors in the scan due to detection timeouts. However, you may adjust these values
    to optimize performance in your environment.
  • For physical systems: MessageChain.NumChains = 0.8 * Number of CPU cores. For example, for physical systems
    with 8 CPU cores, MessageChain.NumChains = 6.
  • For physical systems that have hyper threading enabled: MessageChain.NumChains = 1.6 * Number of CPU cores.
    For example, for physical systems with 8 CPU cores and hyper threading enabled, MessageChain.NumChains = 12.
  Remarks: This setting establishes the number of parallel messages that the File Reader process can handle.

Parameter: MessageChain.CacheSize
  Default setting: 4 or 8
  Recommended setting: Same as MessageChain.NumChains.
  Remarks: This setting limits the number of messages that can be queued for processing by the message chains. This
  setting should not exceed the number of message chains.

About Data Loss Prevention Policy Authoring
Use Symantec Data Loss Prevention policy authoring features to detect and prevent data loss. DLP provides seven key
features that enable you to create policies that protect your organization from data loss.
You implement policies to detect and prevent data loss. A Symantec Data Loss Prevention policy combines detection
rules and response actions. If a policy rule is violated, the system generates an incident that you can report and act
on. The policy rules that you implement are based on your information security objectives. The actions that you take in
response to policy violations are based on your compliance requirements. The Enforce Server administration console
provides an intuitive, centralized, web-based interface for authoring policies.
Workflow for implementing policies
Policy authoring features describes the policy authoring features that are provided by Symantec Data Loss Prevention.

Table 364: Policy Authoring Features

Feature | Description
--------|------------
Intuitive policy building | The policy builder interface supports Boolean logic for the detection configuration. You can combine different detection methods and technologies in a single policy. See Detecting data loss and Best practices for authoring policies.
Decoupled response rules | The system stores response rules and policies as separate entities. You can manage and update response rules without having to change policies; you can reuse response rules across policies.
Fine-grained policy reporting | The system provides severity levels for policy violations. You can report the overall severity of a policy violation by the highest severity. See Policy severity.
Centralized data and group profiling | The system stores data and group profiles separate from policies. This separation enables you to manage and update profiles without changing policies. See Data Profiles and User Groups.
Template-based policy detection | The system provides 65 pre-built policy templates. You can use these templates to quickly configure and deploy policies. See Policy templates.
Policy sharing | The system supports policy template import and export. You can share policy templates across environments and systems. See Policy template import and export.
Role-based access control | The system provides role-based access control for various user and administrative functions. You can create roles for policy authoring, policy administration, and response rule authoring. See Policy authoring privileges.

Handling Non-BMP Unicode Characters in Data Loss Prevention 16.0.1


Non-BMP Unicode characters, such as emojis, cause detection issues in Symantec Data Loss Prevention 16.0.1. These
characters must be removed or replaced.
If policies and data identifiers include non-BMP Unicode characters, the correctness of matcher results and incident
snapshots is compromised.

Using the Update Readiness Tool
When you upgrade from DLP 16.0 to 16.0.1 using the Upgrade Readiness Tool (URT), policies and data identifiers (DIs)
containing non-BMP characters are logged verbosely and update fails. You can use the Upgrade logs to identify which
policies and data identifiers contain non-BMP characters.
You must remove the characters and then rerun the URT. Consult the following topics to learn more about non-BMP
characters and the update process.
Finding Non-BMP Unicode Characters in Policies
Running the Update Readiness Tool at the Command Line
Detection Resiliency
During detection, Symantec DLP now handles non-BMP characters in several ways.
• Non-BMP characters in the content that DLP scans are replaced by the Unicode Replacement Character 0xFFFD before
scanning.
• Condition matches are reliably detected with the correct offset or span across all platforms.
• For Conditions that allow partial string matching, you can match strings containing non-BMP Unicode points. For
example, the regular expression "sensitive.*" matches "sensitive#file" and the highlight is shown as "sensitive��file".
Policy Authoring
The Enforce user interface restricts you from entering non-BMP Unicode characters into relevant fields that are used for
message scanning for detection. Non-BMP characters are flagged when you try to Save. An error message identifies
fields containing non-BMP Unicode characters, so that you can remove them.
Incident Snapshots
In Incident Snapshots, the extracted content for files containing non-BMP characters is replaced by the Unicode
replacement characters �� (Unicode 0xFFFD).

Non-BMP Unicode Characters Explained


The Basic Multilingual Plane (BMP) includes characters and symbols that are used by most modern languages.
Characters such as emojis are included in the Supplementary Multilingual Plane and are considered non-BMP.
In UTF-16, characters in the BMP are represented by a single 16-bit code unit. Non-BMP characters are represented by an
ordered pair (called a Surrogate Pair in the Unicode vocabulary) of two 16-bit code units. Even though non-BMP characters
are human readable as a single character, they are treated as two characters. This treatment may lead to unexpected
problems when iterating the characters in a string. Symantec Data Loss Prevention handles non-BMP characters by flagging
them for removal.
For more information on Unicode characters, see Programming with Unicode.
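The following Python is an added example, not Symantec code, that demonstrates the surrogate-pair behaviour described above: the code-unit count and offset skew an emoji introduces, a pre-save check that reports which policy fields contain non-BMP characters (as the Enforce UI does), and the scan-time replacement of each surrogate with U+FFFD that produces the double replacement character seen in highlights and incident snapshots. The function names, the sample policy fields and the lock emoji in the sample file name are constructed for illustration, and the per-code-unit replacement is an assumption consistent with the behaviour the text describes, not a statement about the product's implementation.

```python
"""Non-BMP Unicode handling, illustrating the DLP 16.0.1 behaviour described above.

Added example (not Symantec code). Function names and sample data are constructed.
"""
import re

BMP_MAX = 0xFFFF             # highest code point in the Basic Multilingual Plane
REPLACEMENT_CHAR = "\uFFFD"  # Unicode Replacement Character


def is_non_bmp(ch: str) -> bool:
    """True for a character outside the BMP, i.e. one that needs a surrogate pair in UTF-16."""
    return ord(ch) > BMP_MAX


def utf16_length(text: str) -> int:
    """Number of 16-bit code units a UTF-16 based engine sees for text.

    Python's len() counts code points, so it is one short of utf16_length()
    for every non-BMP character: that gap is the source of offset mismatches.
    """
    return len(text.encode("utf-16-le")) // 2


def utf16_offset(text: str, codepoint_index: int) -> int:
    """Convert a code-point index into the matching UTF-16 code-unit offset."""
    return utf16_length(text[:codepoint_index])


def find_non_bmp_fields(fields: dict) -> dict:
    """Mimic the Save-time check: map each offending field name to the
    (index, code point) of every non-BMP character it contains."""
    report = {}
    for name, value in fields.items():
        bad = [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(value) if is_non_bmp(ch)]
        if bad:
            report[name] = bad
    return report


def replace_surrogates(text: str) -> str:
    """Replace every UTF-16 surrogate code unit (D800-DFFF) with U+FFFD.

    Working on code units rather than code points turns one emoji into two
    replacement characters, the double U+FFFD highlight the text describes.
    (Assumed mechanism, chosen to reproduce that described behaviour.)
    """
    units = text.encode("utf-16-le")
    out = bytearray()
    for i in range(0, len(units), 2):
        unit = int.from_bytes(units[i:i + 2], "little")
        if 0xD800 <= unit <= 0xDFFF:
            unit = 0xFFFD
        out += unit.to_bytes(2, "little")
    return out.decode("utf-16-le")


def scan_highlight(pattern: str, content: str):
    """Apply the replacement step, then run a partial-string regex and
    return the highlighted match text, or None when nothing matches."""
    scanned = replace_surrogates(content)
    match = re.search(pattern, scanned)
    return match.group(0) if match else None


if __name__ == "__main__":
    # Constructed sample: a file name containing a lock emoji (U+1F512).
    content = "sensitive\U0001F512file"
    print(len(content), utf16_length(content))            # 14 15
    print(utf16_offset(content, content.index("file")))   # 11 (code units), not 10
    print(scan_highlight(r"sensitive.*", content))        # sensitive\ufffd\ufffdfile
    # Constructed sample policy fields, one of which would be rejected on Save.
    fields = {"Policy name": "Payroll \U0001F4B0 export", "Description": "plain text"}
    print(find_non_bmp_fields(fields))                    # {'Policy name': [(8, 'U+1F4B0')]}
```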

Policy components
A valid policy has at least one detection or group rule with at least one match condition. Response rules are optional
policy components.
Policy components describes Data Loss Prevention policy components.

Table 365: Policy components

Component | Use | Description
----------|-----|------------
Policy group | Required | A policy must be assigned to a single Policy Group. See Policy groups.
Policy name | Required | The policy name must be unique within the Policy Group. See Manage and add policies.
Policy rule | Required | A valid policy must contain at least one rule that declares at least one match condition. See Policy matching conditions.
Data Profile | May be required | Exact Data Matching (EDM), Indexed Document Matching (IDM), Vector Machine Learning (VML), and Form Recognition policies all require data profiles. See Data Profiles.
User group | May be required | A policy requires a User Group only if a group method in the policy requires it. Synchronized DGM rules and exceptions require a User Group. See User Groups.
Policy description | Optional | A policy description helps users identify the purpose of the policy. See Configuring policies.
Policy label | Optional | A policy label helps Veritas Data Insight business users identify the purpose of the policy when using the Veritas Self-Service Portal. See Configuring policies.
Response Rule | Optional | A policy can implement one or more response rules to report and remediate incidents. See About response rules.
Policy exception | Optional | A policy can contain one or more exceptions to exclude data from matching. See Exception conditions.
Compound rules | Optional | A policy rule or exception can implement multiple match conditions. See Compound rules.

Policy templates
Symantec Data Loss Prevention provides policy templates to help you quickly deploy detection policies in your enterprise.
You can share policies across systems and environments by importing and exporting policy rules and exceptions as
templates.
Using policy templates saves you time and helps you avoid errors and information gaps in your policies because the
detection methods are predefined. You can edit a template to create a policy that precisely suits your needs. You can also
export and import your own policy templates.
Some policy templates are based on well-known sets of regulations, such as the Payment Card Industry Security
Standard, Gramm-Leach-Bliley, California SB1386, and HIPAA. Other policy templates are more generic, such as
Customer Data Protection, Employee Data Protection, and Encrypted Data. Although the regulation-based templates can
help address the requirements of the relevant regulations, consult with your legal counsel to verify compliance.
Creating a policy from a template
System-defined policy templates describes the system-defined policy templates provided by Symantec Data Loss
Prevention.

Table 366: System-defined policy templates

Policy template type | Description
---------------------|------------
US Regulatory Enforcement | US Regulatory Enforcement policy Templates
General Data Protection Regulation | General Data Protection Regulation (GDPR) policy Templates
International Regulatory Enforcement | International Regulatory Enforcement policy Templates
Customer and Employee Data Protection | Customer and Employee Data Protection policy Templates
Confidential or Classified Data Protection | Confidential or Classified Data Protection policy Templates
Network Security Enforcement | Network Security Enforcement policy Templates
Acceptable Use Enforcement | Acceptable Use Enforcement policy Templates
Imported Templates | Policy template import and export

Solution packs
Symantec Data Loss Prevention provides solution packs for several industry verticals. A solution pack contains configured
policies, response rules, user roles, reports, protocols, and the incident statuses that support a particular industry or
organization. For a list of available solution packs and instructions, see Importing a solution pack. You can import one
solution pack to the Enforce Server.
Once you have imported the solution pack, start by reviewing its policies. By default the solution pack activates the
policies it provides.
Manage and add policies

Policy groups
You deploy policies to detection servers using policy groups. Policy groups limit the policies, incidents, and detection
mechanisms that are accessible to specific users.
Each policy belongs to one policy group. When you configure a policy, you assign it to a policy group. You can change the
policy group assignment, but you cannot assign a policy to more than one policy group. You deploy policy groups to one
or more detection servers.
The Enforce Server is configured with a single policy group called the Default Policy Group. The system deploys the
default policy group to all detection servers. If you define a new policy, the system assigns the policy to the default policy
group, unless you create and specify a different policy group. You can change the name of the default policy group. A
solution pack creates several policy groups and assigns policies to them.
After you create a policy group, you can link policies, Discover targets, and roles to the policy group. When you create a
Discover target, you must associate it with a single policy group. When you associate a role with particular policy groups,
you can restrict users in that role. Policies in that policy group detect incidents and report them to users in the role that is
assigned to that policy group.
The relationship between policy groups and detection servers depends on the server type. You can deploy a policy group
to one or more Network Monitor, Network Prevent, or Endpoint Servers. Policy groups that you deploy to an Endpoint
Server apply to any DLP Agent that is registered with that server. The Enforce Server automatically associates all policy
groups with all Network Discover Servers.
For Network Monitor and Network Prevent, each policy group is assigned to one or more Network Monitor Servers,
Network Prevent for Email Servers, or Network Prevent for Web Servers. For Network Discover, policy groups are
assigned to individual Discover targets. A single detection server may handle as many policy groups as necessary to
scan its targets. For Endpoint Monitor, policy groups are assigned to the Endpoint Server and apply to all registered DLP
Agents.

Manage and add policy groups
Creating and modifying policy groups

Policy deployment
You can use policy groups to organize and deploy your policies in different ways. For example, consider a situation in
which your detection servers are set up across a system that spans several countries. You can use policy groups to
ensure that a detection server runs only the policies that are valid for a specific location.
You can dedicate some of your detection servers to monitor internal network traffic and dedicate others to monitor network
exit points. You can use policy groups to deploy less restrictive policies to servers that monitor internal traffic. At the same
time, you can deploy stricter policies to servers that monitor traffic leaving your network.
You can use policy groups to organize policies and incidents by business units, departments, geographic regions, or
any other organizational unit. For example, policy groups for specific departments may be appropriate where security
responsibilities are distributed among various groups. In such cases, policy groups provide for role-based access control
over the viewing and editing of incidents. You deploy policy groups according to the required division of access rights
within your organization (for example, by business unit).
You can use policy groups for detection-server allocation, which may be more common where security departments are
centralized. In these cases, you would carefully choose the detection server allocation for each role and reflect the server
name in the policy group name. For example, you might name the groups Inbound and Outbound, United States and
International, or Testing and Production.
In more complex environments, you might consider some combination of the following policy groups for
deploying policies:
• Sales and Marketing - US
• Sales and Marketing - Europe
• Sales and Marketing - Asia
• Sales and Marketing - Australia, New Zealand
• Human Resources - US
• Human Resources - International
• Research and Development
• Customer service
Lastly, you can use policy groups to test policies before deploying them in production, to manage legacy policies, and to
import and export policy templates.
Policy groups

Policy severity
When you configure a detection rule, you can select a policy severity level. You can then use response rules to take action
based on a severity level.
About response rule conditions
The default severity level is set to "High," unless you change it. The default severity level applies to any condition that the
detection rule matches. For example, if the default severity level is set to "High," every detection rule violation is labeled
with this severity level. If you do not want to tag every violation with a specific severity, you can define the criteria by which
a severity level is established. In this case the default behavior is overridden. For example, you can define the "High"
severity level to be applied only after a specified number of condition matches have occurred.
Defining rule severity

In addition, you can define multiple severity levels to layer severity reporting. For example, you can set the "High" severity
level after 100 matches, and the medium severity level to apply after 50 matches.

Table 367: Rule severity levels

Rule severity level | Description
--------------------|------------
High   | If a condition match occurs, it is labeled "High" severity.
Medium | If a condition match occurs, it is labeled "Medium" severity.
Low    | If a condition match occurs, it is labeled "Low" severity.
Info   | If a condition match occurs, it is labeled "Info" severity.

Policy authoring privileges


Policy authors configure and manage policies and their rules and exceptions. To author policies, a user must be assigned
to a role that grants the policy authoring privilege. This role can be expanded to include management of policy groups,
scanning targets, and credentials.
Response rule authoring privileges are separate credentials from policy authoring and administration privileges. Whether
or not policy authors have response rule authoring privileges is based on your enterprise needs.
Policy authoring privileges describes the typical privileges for the policy and response rule authoring roles.

Table 368: Policy authoring privileges

Role privilege | Description
---------------|------------
Author Policies | Add, configure, and manage policies. Add, configure, and manage policy rules and exceptions. Import and export policy templates. Modify system-defined data identifiers and create custom data identifiers. Add, configure, and manage User Groups. Add response rules to policies (but do not create response rules).
Enforce Server Administration | Add, configure, and manage policy groups. Add, configure, and manage Data Profiles.
Author Response Rules | Add, configure, and manage response rules (but do not add them to policies).

Data Profiles
Data Profiles are user-defined configurations that you create to implement Exact Match Data Identifier (EMDI), Exact
Data Matching (EDM), Indexed Document Matching (IDM), Form Recognition, and Vector Machine Learning (VML) policy
conditions.
Data Loss Prevention policy detection technologies
Types of Data Profiles describes the types of Data Profiles that the system supports.

Table 369: Types of Data Profiles

Exact Match Data Identifier Profile
  An Exact Match Data Identifier Profile is used for Exact Match Data Identifier (EMDI) policies. The Exact Match Data
  Identifier Profile contains data that has been indexed from a structured data source, such as a CSV file. An important
  concept for EMDI is the "key column." When using EMDI, you must specify two or more columns with at least one "key
  column" that has highly unique and discriminatory values that match a distinctive pattern (that is expressible with a
  data identifier).
  See About using EMDI to protect content, About EMDI and key columns, and Configuring Exact Match Data Identifier
  profiles.

Exact Data Profile
  An Exact Data Profile is used for Exact Data Matching (EDM) policies. The Exact Data Profile contains data that has been
  indexed from a structured data source, such as a database, directory server, or CSV file. The Exact Data Profile runs on
  the detection server. If an EDM policy is deployed to an endpoint, the DLP Agent sends the message to the detection
  server for evaluation (two-tier detection).
  See About the Exact Data Profile and index, Introducing profiled Directory Group Matching (DGM), and About two-tier
  detection for EDM on the endpoint.

Indexed Document Profile
  An Indexed Document Profile is used for Indexed Document Matching (IDM) policies. The Indexed Document Profile
  contains data that has been indexed from a collection of confidential documents. The Indexed Document Profile runs on
  the detection server. If an IDM policy is deployed to an endpoint, the DLP Agent sends the message to the detection
  server for evaluation (two-tier detection).
  See About the Indexed Document Profile.

Vector Machine Learning Profile
  A Vector Machine Learning Profile is used for Vector Machine Learning (VML) policies. The Vector Machine Learning
  Profile contains a statistical model of the features (keywords) extracted from content that you want to protect. The VML
  profile is loaded into memory by the detection server and DLP Agent. VML does not require two-tier detection.
  See About the Vector Machine Learning Profile.

Form Recognition Profile
  A Form Recognition Profile is used for Form Recognition policies. The Form Recognition Profile contains blank images
  of forms you want to detect.
  When you configure a profile, you specify a numeric value to represent the Fill Threshold. This number is a value from
  1-10. 1 represents a form that has been filled out minimally and 10 a form that is completely filled in. If the Fill
  Threshold is met or exceeded, an incident is opened.
  See Managing Form Recognition profiles.

User Groups
You define User Groups on the Enforce Server. User Groups contain user identity information that you populate by
synchronizing the Enforce Server with a group directory server (Microsoft Active Directory).
You must have server administrator privileges to define User Groups. You must define the User Groups before you
synchronize users.
Once you define a User Group, you populate it with users, groups, and business units from your directory server. After
the user group is populated, you associate it with the User/Sender and Recipient detection rules or exceptions. The policy
only applies to members of that User Group.
Introducing synchronized Directory Group Matching (DGM)

Configuring User Groups

Policy template import and export
You can export and import policy templates to and from the Enforce Server. This feature lets you share policy templates
across environments, version existing policies, and archive legacy policies.
Consider a scenario where you author and refine a policy on a test system and then export the policy as a template. You
then import this policy template to a production system for deployment to one or more detection servers. Or, if you want to
retire a policy, you export it as a template for archiving, then remove it from the system.
Importing policy templates
Exporting policy detection as a template
A policy template is an XML file. The template contains the policy metadata, and the detection and the group rules and
exceptions. If a policy template contains more than one condition that requires a Data Profile, the system imports only one
of these conditions. A policy template does not include policy response rules, or modified or custom data identifiers.
Components included in policy templates describes policy template components.

Table 370: Components included in policy templates

Policy component | Description | Included in Template
-----------------|-------------|---------------------
Policy metadata (name, description, label) | The name of the template has to be less than 60 characters or it does not appear in the Imported Templates list. | YES
Described Content Matching (DCM) rules and exceptions | If the template contains only DCM methods, it imports as exported without changes. | YES
Exact Data Matching (EDM) and Indexed Document Matching (IDM) conditions | If the template contains multiple EDM or IDM match conditions, only one is exported. If the template contains an EDM and an IDM condition, the system drops the IDM. | YES
User Group | User group methods are maintained on import only if the user groups exist on the target before import. | NO
Policy Group | Policy groups do not export. On import you can select a local policy group, otherwise the system assigns the policy to the Default Policy group. | NO
Response Rules | You must define and add response rules to policies from the local Enforce Server instance. | NO
Data Profiles | On import you must reference a locally defined Data Profile, otherwise the system drops any methods that require a Data Profile. | NO
Custom data identifiers | Modified and custom data identifiers do not export. | NO
Custom protocols | Custom protocols do not export. | NO
Policy state | Policy state (Active/Suspended) does not export. | NO

Workflow for implementing policies


Policies define the content, event context, and identities you want to detect. Policies may also define response
rule actions if a policy is violated. Successful policy creation is a process that requires careful analysis and proper
configuration to achieve optimum results.
Policy implementation process describes the typical workflow for implementing Data Loss Prevention policies.

Table 371: Policy implementation process

Action | Description
-------|------------
Familiarize yourself with the different types of detection technologies and methods that Symantec Data Loss Prevention provides, and considerations for authoring data loss prevention policies. | Detecting data loss; Data Loss Prevention policy detection technologies; Policy matching conditions; Best practices for authoring policies
Develop a policy detection strategy that defines the type of data you want to protect from data loss. | Develop a policy strategy that supports your data security objectives
Review the policy templates that ship with Symantec Data Loss Prevention, and any templates that you import manually or by solution pack. | Policy templates; Solution packs
Create policy groups to control how your policies are accessed, edited, and deployed. | Policy groups; Policy deployment
To detect exact data or content or similar unstructured data, create one or more Data Profiles. | Data Profiles
To detect exact identities from a synchronized directory server (Active Directory), configure one or more User Groups. | User Groups
Configure conditions for detection and group rules and exceptions. | Creating a policy from a template
Test and tune your policies. | Test and tune policies to improve match accuracy
Add response rules to the policy to take action when the policy is violated. |
Manage the policies in your enterprise. | Manage and add policies

Viewing, printing, and downloading policy details


You may be required to share high-level details about your policies with individuals who are not Symantec Data Loss
Prevention users. For example, you might be asked to provide policy details to an information security officer in your
company, or to an outside security auditor. To facilitate such an action, you can view and print policy details in an easily
readable format from the Policy List screen. The policy detail view does not include any technical nomenclature or
branding specific to Symantec Data Loss Prevention. It displays the policy name, description, label, group, status, version,
and last modified date for the policy. It also displays the detection and the response rules for that policy.
Any user with the Author Policies privilege for a given policy or set of policies can view and print policy details.
Policy authoring privileges
Working with policy details describes how to work with policy details.

Table 372: Working with policy details

Action | Description
-------|------------
View and print details for a single policy. | Viewing and printing policy details
Download details for all policies. | Downloading policy details

Detecting data loss


Symantec Data Loss Prevention detects data from virtually any type of message or file, any user, sender, or recipient,
wherever your data or endpoints exist. You can use Data Loss Prevention to detect both the content and the context of
data within your enterprise. You define and manage your detection policies from the centralized, Web-based Enforce
Server administration console.
Content that can be detected
Files that can be detected
Protocols that can be monitored
Endpoint events that can be detected
Identities that can be detected
Languages that can be detected

Content that can be detected


Symantec Data Loss Prevention detects data and document content, including text, markup, presentations, spreadsheets,
archive files and their contents, email messages, database files, designs and graphics, multimedia files, image-based
forms and more. For example, the system can open a compressed file and scan a Microsoft Word document within the
compressed file for the keyword "confidential." If the keyword is matched, the detection engine flags the message as an
incident.
Content-based detection is based on actual content, not the file itself. A detection server can detect extracts or derivatives
of protected or described content. This content may include sections of documents that have been copied and pasted to
other documents or emails. A detection server can also identify sensitive data in a different file format than the source
file. For example, if a confidential Word file is fingerprinted, the detection engine can match the content emailed in a PDF
attachment.
Content matching conditions

Files that can be detected


Symantec Data Loss Prevention recognizes many types of files and attachments based on their context, including file
type, file name, and file size. Symantec Data Loss Prevention identifies over 300 types of files, including word-processing
formats, multimedia files, spreadsheets, presentations, pictures, encapsulation formats, encryption formats, and others.
For file type detection, the system does not rely on the file extension to identify the file type. For example, the system
recognizes a Microsoft Word file even if a user changes the file extension to .txt. In this case the detection engine checks
the binary signature of the file to match its type.
File property matching conditions
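The two behaviours described above, classifying a file by its binary signature rather than by its extension and opening a compressed file to scan a Word document inside it for the keyword "confidential", as an added Python example. This is illustrative code written for this page, not Symantec Data Loss Prevention's detection engine: the signature table is a small assumed subset, and the sample Word document and archive are constructed in the code.

```python
"""Added example (not Symantec DLP code): identify a file by its binary
signature rather than its extension, and scan content inside a compressed
container for a keyword. Signatures and sample files are constructed here."""
import io
import re
import zipfile

# Leading-byte signatures ("magic numbers"). Assumed subset for this example;
# a production engine knows hundreds of formats.
SIGNATURES = (
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2"),  # legacy binary Office container (.doc, .xls)
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                          # ZIP, also the outer layer of .docx/.xlsx
)


def _zip_has(data, member):
    """True if data is a readable ZIP archive containing the named member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return member in zf.namelist()
    except zipfile.BadZipFile:
        return False


def _looks_textual(data):
    """Printable ASCII plus whitespace in the first 512 bytes."""
    return all(b in b"\t\n\r" or 32 <= b < 127 for b in data[:512])


def identify_type(data):
    """Classify by content only; no file name or extension is consulted,
    so a .docx renamed to .txt still comes back as 'docx'."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            if name == "zip" and _zip_has(data, "word/document.xml"):
                return "docx"  # Word document stored in the ZIP container
            return name
    if _looks_textual(data):
        return "text"
    return "unknown"


def extract_text(data):
    """Return (component, text) pairs. Recurses into ZIP archives so a Word
    document inside a compressed file is still scanned."""
    kind = identify_type(data)
    if kind == "docx":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            xml = zf.read("word/document.xml").decode("utf-8", "replace")
        return [("word/document.xml", re.sub(r"<[^>]+>", " ", xml))]  # strip markup
    if kind == "zip":
        found = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                for comp, text in extract_text(zf.read(name)):
                    found.append((name + "/" + comp, text))
        return found
    if kind == "text":
        return [("body", data.decode("ascii", "replace"))]
    return []  # binary formats this toy example does not parse


def scan(data, keyword):
    """Components in which the keyword occurs (case-insensitive); a non-empty
    result is what the detection engine would flag as an incident."""
    pat = re.compile(re.escape(keyword), re.IGNORECASE)
    return [comp for comp, text in extract_text(data) if pat.search(text)]


def make_docx(body_text):
    """Constructed minimal OOXML Word file: a ZIP holding word/document.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    "<w:document><w:body><w:p><w:t>%s</w:t></w:p></w:body></w:document>" % body_text)
    return buf.getvalue()


def make_archive(members):
    """Constructed outer ZIP archive holding {name: bytes} members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    doc = make_docx("Project pricing is CONFIDENTIAL until launch.")
    print(identify_type(doc))  # docx, whatever the file was named
    print(scan(make_archive({"q3/report.docx": doc}), "confidential"))
```

The scan result names the path into the container (archive member, then the XML part inside the Word file), which is the kind of component reference an incident would carry.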

Protocols that can be monitored


Symantec Data Loss Prevention detects messages on the network by identifying the protocol signature: email (SMTP),
Web (HTTP), file transfer (FTP), newsgroups (NNTP), TCP, Telnet, and SSL.
You can configure a detection server to listen on non-default ports for data loss violations. For example, if your network
transmits Web traffic on port 81 instead of port 80, the system still recognizes the transmitted content as HTTP.
Protocol matching condition for network
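Recognising HTTP on port 81 works because the classifier keys on the protocol signature (for HTTP, the request line) rather than on the port number. The following added example, which is not Symantec Data Loss Prevention code, contrasts a port-only guess with a signature check over a few constructed flows; the signature rules and the default-port table are simplified assumptions made for the demonstration.

```python
"""Added example (not Symantec DLP code): recognise a network protocol from
the first bytes of the flow instead of from the TCP port, so HTTP on port 81
is still treated as HTTP. Signatures and flows are constructed for this page."""
import re

# What a port-only classifier would assume (assumed defaults for the example).
PORT_DEFAULTS = {80: "HTTP", 443: "SSL", 25: "SMTP", 21: "FTP", 119: "NNTP", 23: "Telnet"}

HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]$")
TELNET_IAC = 0xFF  # Telnet option negotiation starts with IAC (255)


def by_port(port):
    """Port-based guess; anything unknown is just 'TCP'."""
    return PORT_DEFAULTS.get(port, "TCP")


def classify_flow(client_first, server_first=b""):
    """Protocol name from the first bytes each side sent (signature-based)."""
    first_line = client_first.split(b"\r\n", 1)[0]
    if HTTP_REQUEST_LINE.match(first_line):
        return "HTTP"
    # TLS record header: content type 22 (handshake), version 3.x, then ClientHello (1).
    if (len(client_first) >= 6 and client_first[0] == 0x16
            and client_first[1] == 0x03 and client_first[5] == 0x01):
        return "SSL"
    upper = first_line.upper()
    if upper.startswith((b"EHLO ", b"HELO ")):
        return "SMTP"
    if upper.startswith(b"USER ") and server_first.startswith(b"220"):
        return "FTP"
    if server_first.startswith((b"200 ", b"201 ")) and upper.startswith((b"MODE READER", b"GROUP ", b"LIST")):
        return "NNTP"
    if client_first and client_first[0] == TELNET_IAC:
        return "Telnet"
    return "TCP"


def classify_flows(flows):
    """Compare the port-based guess with the signature-based result for each flow."""
    return [{"port": f["port"], "port_guess": by_port(f["port"]),
             "signature": classify_flow(f["client"], f.get("server", b""))} for f in flows]


# Constructed sample flows: each protocol running on a non-default port.
SAMPLE_FLOWS = [
    {"port": 81, "client": b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n",
     "server": b"HTTP/1.1 200 OK\r\n"},
    {"port": 8443, "client": bytes.fromhex("160301002f0100002b0303"), "server": b""},
    {"port": 2525, "client": b"EHLO mail.example.test\r\n", "server": b"220 mail ESMTP\r\n"},
    {"port": 2121, "client": b"USER alice\r\n", "server": b"220 FTP service ready\r\n"},
    {"port": 9119, "client": b"MODE READER\r\n", "server": b"200 news ready\r\n"},
    {"port": 80, "client": b"\x00\x01\x02\x03", "server": b""},  # unknown binary on the HTTP port
]

if __name__ == "__main__":
    for row in classify_flows(SAMPLE_FLOWS):
        print(row)
```

The last sample flow is the mirror case: binary traffic on port 80 is not HTTP just because of the port, so a signature-based monitor reports it as generic TCP rather than applying HTTP parsing to it.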

Endpoint events that can be detected


Symantec Data Loss Prevention lets you detect data loss violations at several endpoint destinations. These destinations
include the local drive, CD/DVD drive, removable storage devices, network file shares, Windows Clipboard, printers and
faxes, and application files. You can also detect protocol events on the endpoint for email (SMTP), Web (HTTP), and file
transfer (FTP) traffic.

For example, the DLP Agent (installed on each endpoint computer) can detect the copying of a confidential file to a USB
device. Or, the DLP Agent can allow the copying of files only to a specific class of USB device that meets corporate
encryption requirements.
Endpoint matching conditions

Identities that can be detected


Symantec Data Loss Prevention lets you detect the identity of data users, message senders, and message recipients
using a variety of methods. These methods include described identity patterns and exact identities matched from a
directory server or a corporate database.
For example, you can detect email messages sent by a specific user, or allow email messages sent to or from a specific
group of users as defined in your Microsoft Active Directory server.
Groups (identity) matching conditions

Languages that can be detected


Symantec Data Loss Prevention provides broad international support for detecting data loss in many languages.
Supported languages include most Western and Central European languages, Hebrew, Arabic, Chinese (simplified and
traditional), Japanese, Korean, and more.
The detection engine uses Unicode internally. You can build localized policy rules and exceptions using any detection
technology in any supported language.

Detecting non-English language content

Data Loss Prevention policy detection technologies


Symantec Data Loss Prevention provides several types of detection technologies to help you author policies to detect
data loss. Each type of detection technology provides unique capabilities. Often you combine technologies in policies to
achieve precise detection results. In addition, Symantec Data Loss Prevention provides you with several ways to extend
policy detection and match any type of data, content, or files you want.
About Data Loss Prevention policies
Best practices for authoring policies
Data Loss Prevention detection technologies lists the detection technologies and customizations provided by Data Loss
Prevention.

Table 373: Data Loss Prevention detection technologies

Technology | Description
Exact Data Matching (EDM) | Use EDM to detect personally identifiable information. See Introducing Exact Data Matching (EDM).
Exact Match Data Identifiers (EMDI) | Use EMDI to detect structured data, especially personally identifiable information. EMDI provides better matching performance and greater memory efficiency than EDM. See Introducing Exact Match Data Identifiers (EMDI).
Indexed Document Matching (IDM) | Use IDM to detect exact files and file contents, and derivative content. See Introducing Indexed Document Matching (IDM).
Vector Machine Learning (VML) | Use VML to detect similar document content. See Introducing Vector Machine Learning (VML).
Form Recognition | Use Form Recognition to detect images of forms that belong to a gallery associated with a Form Recognition policy. See About Form Recognition detection.
Directory Group Matching (DGM) | Use DGM to detect exact identities synchronized from a directory server or profiled from a database. See Introducing synchronized Directory Group Matching (DGM) and Introducing profiled Directory Group Matching (DGM).
Described Content Matching (DCM) | Use DCM to detect message content and context, including:
  • Data Identifiers to match content using precise patterns and data validators. See Introducing data identifiers.
  • Keywords to detect content using key words, key phrases, and keyword dictionaries. See Introducing keyword matching.
  • Regular Expressions to detect characters, patterns, and strings. See Introducing regular expression matching.
  • File properties to detect files by type, name, size, and custom type. See Introducing file property detection.
  • User, sender, and recipient patterns to detect described identities. See Introducing described identity matching.
  • Protocol signatures to detect network traffic. See Introducing protocol monitoring for network.
  • Destinations, devices, and protocols to detect endpoint events. See Introducing endpoint event detection.
User Risk-based Detection | Use User Risk-based detection to trigger policies based on the risk score for a particular user. See Introducing User Risk Based Detection.
Custom policy detection methods | Data Loss Prevention provides methods for customizing and extending detection, including:
  • Custom Data Identifiers: implement your own data identifier patterns and system-defined validators. See Introducing data identifiers.
  • Custom script validators for Data Identifiers: use the Symantec Data Loss Prevention Scripting Language to validate custom data types. See Workflow for creating custom data identifiers.
  • Custom file type identification: use the Symantec Data Loss Prevention Scripting Language to detect custom file types. See About custom file type identification.
  • Custom endpoint device detection: detect or allow any endpoint device using regular expressions. See About endpoint device detection.
  • Custom network protocol detection: define custom TCP ports to tap. See Introducing protocol monitoring for network.
  • Custom content extraction: use a plug-in to identify custom file formats and extract file contents for analysis by the detection server. See Overview of detection file format support.

Policy Evaluation Engine Details for DLP 16.0


Symantec DLP 16.0 includes a new and improved policy evaluation engine that enables you to create complex policies
with many compound exceptions.

The new high-performance and memory-efficient policy evaluation engine enables you to:
• Create complex policies with up to 400 compound exceptions.
• Create policies with component matching in the Enforce Server administration console for the Endpoint. When you
specify a component that a condition should match, you now get more accurate results.
Consult the following topics for more details:
Changes in the 16.0 Policy Evaluation Engine
Handling Large Policies for Legacy (pre-DLP 16.0) Agents
Detection Messages and Message Components
Two-Tier Detection for DLP Agents

Changes in the 16.0 Policy Evaluation Engine


Learn about improvements and changes in the Symantec Data Loss Prevention 16.0 policy evaluation engine.
The following improvements in policy evaluation have been made for Symantec Data Loss Prevention 16.0.
1. A policy with only group rules matching on the envelope (for example, sender, recipient) and Match Component Only
(MCO) exceptions now correctly generates an incident when the MCO exception matches in a component which is not
the envelope.
NOTE
The DLP 15.8 implementation incorrectly treated the MCO exception as an Entire Message exception in the
described scenario.
2. For a policy with at least one condition set to "Only report incidents with at least N matches" where N is greater than
one, only the components that meet the requirement are shown if there is an incident.
NOTE
If there is an incident, the DLP 15.8 implementation shows components that do not meet the requirement if
the policy does not define any "Matched Components Only" exceptions.
3. Incidents are correctly generated if an exception contains a mix of "Same" or "Any" component conditions.
NOTE
The DLP 15.8 implementation treats "Same" component exceptions as "Any" component exceptions, even if
they are all defined as "Same" component.
4. The new 16.0 policy evaluation engine evaluates two-tier detection requests entirely on the server. As a result of the
new implementation, no duplicated Server/Endpoint incidents are generated for the same policy, for two-tier detection
requests.
NOTE
The DLP 15.8 implementation generates duplicated Server/Endpoint incidents for the same policy in a two-tier
detection request, under certain circumstances.
5. For a compound policy where part of the policy can be executed on the agent (for example, Keyword ANDed EDM):
The Keyword condition is executed on the agent. Only if the request violates the Keyword is a TTD request created.
The Keyword execution on the agent is used for filtering and reducing the number of TTD requests. The Keyword
execution is not used for the incident generation. This request is then evaluated on the server for both Keyword and
EDM.

Handling Large Policies for Legacy (pre-DLP 16.0) Agents


You might encounter the following issues when using a combination of legacy and DLP 16.0 agents.

High Memory Requirements

One policy with many compound exceptions creates high memory requirements. The Endpoint Server and the legacy
(pre-DLP 16.0) agents might not be able to handle the high memory requirements of the policy.
To solve this issue, alter the policy size value.
Go to the System > Settings > General > Legacy Agents Policy Set Size Limit setting. Alter the value.
This new value applies to all Endpoint Servers. An Endpoint Server processes the policy set only if its size is less than
a predetermined threshold. The threshold is computed based on the estimated agent memory consumption. The legacy
execution engine data is shipped to the legacy agents. The new execution engine data is shipped to the DLP 16.0 agents.
Compound Exceptions and Policy Set Upgrades
If you have an environment with legacy and DLP 16.0 agents and define policies with many compound exceptions, only
the DLP 16.0 agents receive a policy set upgrade. The legacy agents do not receive a policy set upgrade. They keep
using the latest policy set that fits the memory threshold. Other entities such as indexes and data identifiers are still
received. TTD requests from those endpoints are also dropped on the Endpoint Server because the policy sets may be
incompatible.
A system event informs you that a policy set was not shipped to legacy agents. The event also informs you that you
should take the appropriate action. You must either update the legacy agents or separate the legacy agents from the 16.0
agents using policy targeting.
The system posts a warning if:
• The Enforce database contains legacy agents, and
• Legacy agents are configured to connect to Enforce when you save a policy that generates a legacy execution engine,
and
• The legacy execution engine is estimated as larger than the defined threshold.

Policy matching conditions


Symantec Data Loss Prevention provides several types of match conditions, each offering unique detection capabilities.
You implement match conditions in policies as rules or exceptions. Detection rules use conditions to match message
content or context. Group rules use conditions to match identities. You can also use conditions as detection and group
policy exceptions.
Exception conditions
Policy match condition types lists the various types of policy matching conditions provided by Data Loss Prevention.

Table 374: Policy match condition types

Condition type | Description
Content | Content matching conditions
File property | File property matching conditions
Protocol | Protocol matching condition for network
Endpoint | Endpoint matching conditions
Groups (identity) | Groups (identity) matching conditions
User risk | Introducing Contextual Attributes for User Risk Scores

Content matching conditions
Symantec Data Loss Prevention provides several conditions to match message content. Certain content conditions
require an associated Data Profile and index. For content detection, you can match on individual message components,
including header, body, attachments, and subject for some conditions.
Detection Messages and Message Components
Content that can be detected
Content matching conditions lists the content matching conditions that you can use without a Data Profile and index.

Table 375: Content matching conditions

Content rule type | Description
Content Matches Regular Expression | Match described content using regular expressions. See Introducing regular expression matching and Configuring the Content Matches Regular Expression condition.
Content Matches Keyword | Match described content using keywords, key phrases, and keyword dictionaries. See Introducing keyword matching and Configuring the Content Matches Keyword condition.
Content Matches Data Identifier | Match described content using Data Identifier patterns and validators. See Introducing data identifiers and Configuring the Content Matches data identifier condition.

Index-based content matching conditions lists the content matching conditions that require a Data Profile and index.
Data Profiles
Two-tier detection for DLP Agents

Table 376: Index-based content matching conditions

Content rule type | Description
Content Matches Exact Data From an Exact Data Profile (EDM) | Match exact data profiled from a structured data source such as a database or CSV file. See Introducing Exact Data Matching (EDM) and Configuring the Content Matches Exact Data policy condition for EDM. Note: This condition requires two-tier detection on the endpoint. See About two-tier detection for EDM on the endpoint.
Content Matches Document Signature From an Indexed Document Profile (IDM) | Match files and file contents exactly or partially using fingerprinting. See Introducing Indexed Document Matching (IDM) and Configuring the Content Matches Document Signature policy condition. Note: This condition requires two-tier detection on the endpoint. See About the Indexed Document Profile.
Detect using Vector Machine Learning profile (VML) | Match file contents with features similar to example content you have trained. See Introducing Vector Machine Learning (VML) and Configuring the Detector using Vector Machine Learning Profile condition.

File property matching conditions
Symantec Data Loss Prevention provides several conditions to match file properties, including file type, file size, and file
name.
Files that can be detected

Table 377: File property match conditions

Condition type | Description
Message Attachment or File Type Match | Match specific file formats and document attachments. See About file type matching and Configuring the Message Attachment or File Type Match condition.
Message Attachment or File Size Match | Match files or attachments over or under a specified size. See About file size matching and Configuring the Message Attachment or File Size Match condition.
Message Attachment or File Name Match | Match files or attachments that have a specific name or match wildcards. See About file name matching and Configuring the Message Attachment or File Name Match condition.
Message/Email Properties and Attributes | Classify Microsoft Exchange email messages based on specific message attributes (MAPI attributes).
Custom File Type Signature | Match custom file types based on their binary signature using scripting. See About custom file type identification and Enabling the Custom File Type Signature condition in the policy console.

Protocol matching condition for network


Symantec Data Loss Prevention provides the single Protocol Monitoring condition to match network traffic for policy
detection rules and exceptions.
Protocols that can be monitored

Table 378: Protocol matching condition for network monitoring

Match condition | Description
Protocol Monitoring | Match incidents on the network transmitted using a specified protocol, including SMTP, FTP, HTTP/S, IM, and NNTP. See Introducing protocol monitoring for network and Configuring the Protocol Monitoring condition for network detection.

Endpoint matching conditions


Symantec Data Loss Prevention provides several conditions for matching endpoint events.
Endpoint events that can be detected

Table 379: Endpoint matching conditions

Condition | Description
Protocol or Endpoint Monitoring | Match endpoint messages transmitted using a specified transport protocol or when data is moved or copied to a particular destination. See Introducing endpoint event detection and Configuring the Endpoint Monitoring condition.
Endpoint Device Class or ID | Match endpoint events occurring on specified hardware devices. See Introducing endpoint event detection and Configuring the Endpoint Device Class or ID condition.
Endpoint Location | Match endpoint events depending on whether the DLP Agent is on or off the corporate network. See Introducing endpoint event detection and Configuring the Endpoint Location condition.

Groups (identity) matching conditions


Symantec Data Loss Prevention provides several conditions for matching the identity of users and groups, and message
senders and recipients.
The sender and recipient pattern rules are reusable across policies. The Directory Group Matching (DGM) rules let you
match on sender and recipients derived from Active Directory (synchronized DGM) or from an Exact Data Profile (profiled
DGM).
Identities that can be detected
Two-tier detection for DLP Agents

Table 380: Available group rules for identity matching

Group rule | Description
Sender/User Matches Pattern | Match message senders and users by email address, user ID, IM screen name, and IP address. See Introducing described identity matching and Configuring the Sender/User Matches Pattern condition.
Recipient Matches Pattern | Match message recipients by email or IP address, or Web domain. See Introducing described identity matching and Configuring the Recipient Matches Pattern condition.
Sender/User based on a Directory Server Group | Match message senders and users from a synchronized directory server. See Introducing synchronized Directory Group Matching (DGM) and Configuring the Sender/User based on a Directory Server Group condition.
Sender/User based on a Directory from an Exact Data Profile | Match message senders and users from a profiled directory server. See Introducing profiled Directory Group Matching (DGM) and Configuring the Sender/User based on a Profiled Directory condition. Note: This condition requires two-tier detection on the endpoint. See About two-tier detection for profiled DGM.
Recipient based on a Directory Server Group | Match message recipients from a synchronized directory server. See Introducing synchronized Directory Group Matching (DGM) and Configuring the Recipient based on a Directory Server Group condition. Note: This condition requires two-tier detection on the endpoint. See About two-tier detection for synchronized DGM.
Recipient based on a Directory from an Exact Data Profile | Match message recipients from a profiled directory server. See Configuring Exact Data profiles for DGM and Configuring the Recipient based on a Profiled Directory condition. Note: This condition requires two-tier detection on the endpoint. See About two-tier detection for profiled DGM.

Detection Messages and Message Components


Learn about mappings between the Server and the Endpoint components with the DLP 16.0 policy execution engine.
Data Loss Prevention detection servers and DLP Agents receive input data for analysis in the form of messages. The
system determines the message type; for example, an email or a Word document. Depending on the message type,
the system either parses the message content into components (header, subject, body, attachments), or it leaves the
message intact.
The system evaluates the message or message components to see if any policy match conditions apply. If a condition
applies and it supports component matching, the system evaluates the content against each selected message
component. Component targeting is not supported when the condition applies to message metadata (sender, recipients,
protocol, and so on), or when the condition can only ever apply to one component type (for example, attachments only).
The new DLP 16.0 Execution Engine Enforces Component Matching on the Endpoint
The following mappings between Server and Endpoint component are used by the new execution engine.
For channels that allow full-component categorization; for example, the mail client and HTTP:

Server Component | Endpoint Component
Envelope | Envelope
Subject | Envelope
Body | Body
Attachment | Attachment

For all other channels:

Server Component | Endpoint Component
Envelope | Envelope
Subject | Generic
Body | Generic
Attachment | Generic

NOTE
Definitions:
• "File" on the endpoint applies to file operations (for example, copy to USB) and to EDAR (Endpoint Data at
Rest) scans.
• The Endpoint does not have a subject component, so the subject component is mapped to the envelope.
• A "Generic" component is a virtual endpoint component that matches on Subject, Body, Attachment, or File.

Enforcing component matching on the endpoint can significantly alter the functional behavior for those policies that are not
set to match on all components.
Rules
Policies that have rules set to match on a subset of the components generate fewer incidents, because a rule evaluates
to true only if it has matches in the specified components.
Exceptions
Policies that have exceptions set to match on a subset of the components generate more incidents, because only the
exceptions that have matches in the specified components exclude either the matched components or the entire
message, depending on whether the exception is defined as Matched Components Only (MCO) or Entire Message.
Enabling component matching on the Endpoint gives a more consistent policy enforcement among the Server, Cloud,
and the Endpoint. However, since the subject on the Server is mapped to the envelope on the Endpoint, you can still see
slightly different incident results.
Two-Tier Detection (TTD) on the DLP Agent
Unlike the previous DLP 15.8 execution engine, the DLP 16.0 execution engine evaluates all TTD policies on the server.
The DLP 16.0 execution engine does not perform a partial policy evaluation on the Agent.
With the new engine, you do not see duplicate incidents because of TTD. Also, you do not see any incidents using a
policy that requires TTD on the Agent.
When the New DLP 16.0 Execution engine is Enabled on the DLP 16.0 Endpoint Server
A DLP 16.0 Endpoint server receives the same information from both the DLP 15.8 and DLP 16.0 agents. If the Agent
is DLP 16.0, the DLP 16.0 Endpoint server evaluates the TTD request using the DLP 16.0 execution engine logic. If the
Agent is pre-DLP 16.0, the DLP 16.0 Endpoint server evaluates the TTD request using the pre-DLP 16.0 execution logic.
When the New Execution Engine is Disabled on the DLP 16.0 Endpoint Server
The DLP 16.0 Endpoint server receives the same information from both types of agents and evaluates the TTD request
using the pre-DLP 16.0 execution logic.
NOTE
Future major versions of Symantec Data Loss Prevention will not support the pre-DLP 16.0 execution engine.
Selecting Components to Match On
Message Components to Match On summarizes the component matching that is supported by each match condition type.

Table 381: Message Components to Match On

Condition Type | Envelope | Subject | Body | Attachments
Described content (DCM) conditions for content detection: Keyword, Data Identifier, Regular Expression | match | match | match | match
Exact Data Matching (EDM) | - | match | match | match
Indexed Document Matching (IDM) | - | - | match | match
Vector Machine Learning (VML) | - | - | match | match
Form Recognition | - | - | - | match
File Size (DCM) | - | - | match | match
File Type and File Name (DCM) | - | - | - | match
Protocol (DCM) | match (entire message)
Endpoint (DCM) | match (entire message)
Identity (DCM and DGM) | match (entire message)
Any condition evaluated by the DLP Agent | match (entire message)
User risk | match (entire message)

Exception Conditions
Symantec Data Loss Prevention provides policy exceptions to exclude messages and message components from
matching. You can use multiple exception conditions to refine the scope of your detection and group rules. The policy
engine in DLP 16.0 allows you to create many compound exceptions without large memory usage, both on the server
and on the agent.
The system evaluates an inbound message or message component in this order:
1. First, the message, or message component, is evaluated against rules.
2. Second, the entire message is evaluated against "entire message" exceptions, if present.
3. Third, only the matched components are evaluated against "matched components only" exceptions, if present.
If the exception supports cross-component matching (content-based exceptions), the exception can be configured to
match on individual message components as a "matched components only" exception. Otherwise, the exception
matches on the entire message.
If an exception is met, the system ejects the entire message or message component containing the content that triggered
the exception. The ejected message or message component is no longer available for an evaluation against policy
rules. The system discards the entire message or message component that contained the excepted item. The system
does not discard only the matched content or data item.
NOTE
Symantec Data Loss Prevention does not support match-level exceptions, only component or message-level
exceptions.
For example, consider a policy that has a detection rule with one condition and an exception with one condition. The rule
matches messages containing Microsoft Word attachments and generates an incident for each match. The exception
excludes from matching messages from ceo@company.com. An email from ceo@company.com that contains a Word
attachment is excepted from matching and does not trigger an incident. The detection exception condition excluding
ceo@company.com messages takes precedence over the detection rule match condition that would otherwise match on
the message. If the content is from the same category, VML can be used as an exception.
Use a limited number of exceptions to narrow detection scope
Policy detection execution
Adding an Exception to a Policy
CAN-SPAM Act policy template
Safe Listing File Contents to Exclude from Partial Matching

Compound rules
A valid policy must declare at least one rule that defines at least one match condition. The condition matches input data
to detect data loss. A rule with a single condition is a simple rule. Optionally, you can declare multiple conditions within a
single detection or group rule. A rule with multiple conditions is a compound rule.
For compound rules, each condition in the rule must match to trigger a violation. Thus, for a single policy that declares
one rule with two conditions, if one condition matches but the other does not, detection does not report a match. If both
conditions match, detection reports a match, assuming that the rule is set to count all matches. In programmatic terms,
two or more conditions in the same rule are ANDed together.
As with rules, you can declare multiple conditions within a single exception. In this case, all conditions in the exception
must match for the exception to apply.
Policy detection execution
Use compound rules to improve match accuracy
Exception conditions

Policy Detection Execution


You can include any combination of detection rules, group rules, and exceptions in a single policy. A detection server
evaluates these elements in this order:
1. First, the message, or message component, is evaluated against rules.
2. Second, the entire message is evaluated against "entire message" exceptions, if present.
3. Third, only the matched components are evaluated against "matched components only" exceptions, if present.
If the message meets any exception, the entire message or the entire message component matching the exception is
ejected; it is no longer available for policy matching.
The detection server evaluates the detection and group rules in the policy on a per-rule basis. In programmatic terms,
within a single policy definition, the connection between conditions in the same rule or exception is AND (compound
rules). The connection between two or more rules of the same type is OR (for example, two detection rules). But if you
combine rules of a different type in a single policy (for example, one detection rule and one group rule), at least one rule
from each tab must match; in this configuration, both rules must match to trigger an incident. However, exception
conditions that are created across the Detection and Groups tabs are connected by an implicit OR.
Compound rules
Exception conditions
Policy condition execution logic summarizes the policy condition execution logic for the detection server for various policy
configurations.

Table 382: Policy condition execution logic

Policy configuration | Logic | Description
Compound rules | AND | If a single rule or exception in a policy contains two or more match conditions, all conditions must match.
Rules or exceptions of the same type | OR | If there are two detection rules in a single policy, or two group rules in a single policy, or two exceptions of the same type (detection or group), the rules or exceptions are independent of each other.
Rules of a different type | AND | If one or more detection rules are combined with one or more group rules in a single policy, the rules are dependent.
Exceptions of a different type | OR | If one or more detection exceptions are combined with one or more group exceptions in a single policy, the exceptions are independent.
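The three-step execution order and the AND/OR combination logic above, together with the ceo@company.com exception example and the "matched components only" behaviour from the Exception Conditions section, as a runnable Python model. This is an added example, not Symantec Data Loss Prevention's policy engine: the rule, exception and message structures, the plain-text representation of the four components, and the re-check of rules after matched components are ejected are assumptions of this toy model.

```python
"""Added example (not Symantec DLP code): a toy model of the policy execution
order and AND/OR combination logic described above. Rule, exception and
message shapes are assumptions made for this demonstration."""
from dataclasses import dataclass
from typing import Callable

COMPONENTS = ("envelope", "subject", "body", "attachments")


@dataclass
class Condition:
    name: str
    predicate: Callable           # applied to the text of one component
    match_on: tuple = COMPONENTS  # components a content condition inspects
    entire_message: bool = False  # metadata conditions (sender, protocol) match the whole message


@dataclass
class Rule:                       # exceptions reuse this shape; conditions are ANDed
    kind: str                     # "detection" or "group"
    conditions: list
    scope: str = "entire"         # exceptions only: "entire" or "mco" (matched components only)
    name: str = ""


@dataclass
class Policy:
    rules: list
    exceptions: list


def matched_components(rule, message, available):
    """Components on which every condition matches (AND); empty if any condition fails.
    An entire-message condition is tested on the envelope and, if true, covers all components."""
    hits = set()
    for cond in rule.conditions:
        if cond.entire_message:
            got = set(available) if cond.predicate(message["envelope"]) else set()
        else:
            got = {c for c in cond.match_on if c in available and cond.predicate(message[c])}
        if not got:
            return set()
        hits |= got
    return hits


def evaluate(policy, message):
    """(incident, reason) following the order: rules, then entire-message
    exceptions, then matched-components-only exceptions."""
    available = set(COMPONENTS)
    # Step 1: rules. Same kind = OR; detection vs group kinds = AND.
    by_kind = {}
    for r in policy.rules:
        by_kind.setdefault(r.kind, set()).update(matched_components(r, message, available))
    if not by_kind or not all(by_kind.values()):
        return False, "no rule of every kind matched"
    # Step 2: entire-message exceptions of either kind are ORed: any one ejects the message.
    for exc in policy.exceptions:
        if exc.scope == "entire" and matched_components(exc, message, available):
            return False, "entire message ejected by exception %r" % exc.name
    # Step 3: MCO exceptions see only the matched components and eject the ones they hit.
    matched = set().union(*by_kind.values())
    ejected = set()
    for exc in policy.exceptions:
        if exc.scope == "mco":
            ejected |= matched_components(exc, message, matched)
    remaining = available - ejected
    # Assumption of this model: rules are re-checked on what survives the ejection.
    for kind in by_kind:
        if not any(matched_components(r, message, remaining) for r in policy.rules if r.kind == kind):
            return False, "%s rules no longer match after ejecting %s" % (kind, sorted(ejected))
    return True, "incident on %s" % sorted(matched - ejected)


def has(keyword):
    return lambda text: keyword.lower() in text.lower()


def sender_is(addr):
    return lambda envelope: "from=" + addr in envelope


WORD_ATTACHMENT = Condition("Word attachment", has(".docx"), match_on=("attachments",))
CONFIDENTIAL = Condition("keyword", has("confidential"), match_on=("subject", "body", "attachments"))

# Policy A: the CEO example in the text: a detection rule plus an entire-message group exception.
POLICY_A = Policy(rules=[Rule("detection", [WORD_ATTACHMENT])],
                  exceptions=[Rule("group", [Condition("sender", sender_is("ceo@company.com"), entire_message=True)],
                                   scope="entire", name="from CEO")])
# Policy B: an MCO exception on the body only; a matching attachment keeps the incident alive.
POLICY_B = Policy(rules=[Rule("detection", [CONFIDENTIAL])],
                  exceptions=[Rule("detection", [Condition("marker", has("approved for public release"), match_on=("body",))],
                                   scope="mco", name="public body")])
# Policy C: a detection rule and a group rule on different tabs are ANDed.
POLICY_C = Policy(rules=[Rule("detection", [CONFIDENTIAL]),
                         Rule("group", [Condition("finance sender", lambda env: "finance@" in env, entire_message=True)])],
                  exceptions=[])


def sample(sender, body, attachments="", subject=""):
    """Constructed message with the four server-side components as plain text."""
    return {"envelope": "from=%s to=partner@example.test" % sender, "subject": subject,
            "body": body, "attachments": attachments}


if __name__ == "__main__":
    print(evaluate(POLICY_A, sample("ceo@company.com", "see attached", attachments="q3.docx")))
    print(evaluate(POLICY_B, sample("dev@company.com", "Confidential, approved for public release",
                                    attachments="plan.docx: confidential roadmap")))
```

Policy B is the case the Exceptions paragraph describes: the MCO exception ejects only the body, so a message whose attachment also matches still produces an incident, whereas an entire-message exception would have suppressed it.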

Two-Tier Detection for DLP Agents


Symantec Data Loss Prevention uses a two-tier detection architecture to analyze activity on endpoints for some
index-based match conditions.
Two-tier detection requires communication and data transfer between the DLP Agent and the Endpoint Server to detect
incidents. If a policy contains a condition that requires two-tier detection for correct processing, the DLP Agent does
not evaluate the policy locally on the endpoint. Instead, the DLP Agent sends the data to the Endpoint Server for policy
evaluation.
Guidelines for Authoring Endpoint policies
Two-tier detection delays the policy evaluation for the time it takes the data to be sent to the Endpoint Server and
evaluated by the Endpoint Server. If the DLP Agent is not connected to the network or cannot communicate with the
Endpoint Server, the condition requiring two-tier detection is evaluated when the DLP Agent connects. This delay can
impact performance of the DLP Agent if the message is a large file or attachment.
Troubleshooting Policies
Two-tier detection has implications for the kinds of policies you author for endpoints. Reduce the potential bottleneck of
two-tier detection by:
• Considering the impact of the detection conditions that require two-tier detection
• Authoring your endpoint policies to eliminate or reduce the need for two-tier detection
Author Policies to Limit the Potential Effect of Two-Tier Detection
Policy matching conditions requiring two-tier detection (Table 383) lists the detection conditions that require two-tier detection on the endpoint.
NOTE
When two-tier detection is enabled, you cannot combine an Endpoint Prevent: Notify or Block response rule
with two-tier match conditions. This restriction applies to Exact Data Matching (EDM) and Directory Group Matching
(DGM). In most cases, two-tier detection is not required for Indexed Document Matching (IDM). If you combine
an Endpoint Prevent: Notify or Block response rule with two-tier match conditions, the system displays a warning
for both the detection condition and the response rule.

Table 383: Policy Matching Conditions Requiring Two-tier Detection

Detection Technology | Match Condition | Description
Exact Data Matching (EDM) | Content Matches Exact Data from an Exact Data Profile | See: Introducing Exact Data Matching (EDM); About two-tier detection for EDM on the endpoint
Profiled Directory Group Matching (DGM) | Sender/User based on a Directory from an Exact Data Profile; Recipient based on a Directory from an Exact Data Profile | See: Introducing profiled Directory Group Matching (DGM); About two-tier detection for profiled DGM
Synchronized Directory Group Matching (DGM) | Recipient based on a Directory Server Group | See: Introducing synchronized Directory Group Matching (DGM); About two-tier detection for synchronized DGM
Indexed Document Matching (IDM) | Content Matches Document Signature from an Indexed Document Profile | See: Introducing Indexed Document Matching (IDM); Two-tier IDM detection. Note: Two-tier detection for IDM only applies if it is enabled on the Endpoint Server (two_tier_idm = on). If Endpoint IDM is enabled (two_tier_idm = off), two-tier detection is not used.

Creating a policy from a template


You can create a policy from a system-provided template or from a template you import to the Enforce Server.

Table 384: Create a policy from a template

Action | Description
Add a policy from a template. | See: Adding a new policy or policy template
Choose the template you want to use. | At the Manage > Policies > Policy List > New Policy - Template List screen the system lists all policy templates.
  System-provided template categories:
  • US Regulatory Enforcement policy templates
  • General Data Protection Regulation (GDPR) policy templates
  • International Regulatory Enforcement policy templates
  • Customer and Employee Data Protection policy templates
  • Confidential or Classified Data Protection policy templates
  • Network Security Enforcement policy templates
  • Acceptable Use Enforcement policy templates
  • Colombia Personal Data Regulatory Enforcement policy template
  Imported templates appear individually after import. See: Importing policy templates
Click Next to configure the policy. | For example, select the Webmail policy template and click Next. See: Configuring policies
Choose a Data Profile (if prompted). | If the template relies on one or more Data Profiles, the system prompts you to select each:
  • Exact Data Profile (see: Choosing an Exact Data Profile)
  • Indexed Document Profile (see: Choosing an Indexed Document Profile)
  If you do not have a Data Profile, you can either:
  • Cancel the policy definition process, define the profile, and resume creating the policy from the template.
  • Click Next to configure the policy. On creation of the policy, the system drops any rules or exceptions that rely on the Data Profile.
  Note: You should use a profile if a template calls for it.
Edit the policy name or description (optional). | If you intend to modify a system-defined template, you may want to change the name so you can distinguish it from the original. See: Configuring policies
  Note: If you want to export the policy as a template, the policy name must be less than 60 characters. If it is more, the template does not appear in the Imported Templates section of the Template List screen.
Select a policy group (if necessary). | If you have defined a policy group, select it from the Policy Group list. See: Creating and modifying policy groups
  If you have not defined a policy group, the system deploys the policy to the Default Policy Group.
Edit the policy rules or exceptions (if necessary). | The Configure Policy screen displays the rules and exceptions (if any) provided by the policy. You can modify, add, and remove policy rules and exceptions to meet your requirements. See: Configuring Policy Rules; Configuring policy exceptions
Save the policy and export it (optional). | Click Save to save the policy. You can export policy detection as a template for sharing or archiving. See: Exporting policy detection as a template
  For example, if you changed the configuration of a system-defined policy template, you may want to export it for sharing across environments.
Test and tune the policy (recommended). | Test and tune the policy using data the policy should and should not detect. Review the incidents that the policy generates. Refine the policy rules and exceptions as necessary to reduce false positives and false negatives.
Add response rules (optional). | Add response rules to the policy to report and remediate violations. See: Implementing response rules
  Note: Response rules are not included in policy templates.

Policy templates
Policy template import and export

US Regulatory Enforcement policy Templates


Symantec Data Loss Prevention provides several policy templates supporting US Regulatory Enforcement guidelines.

Table 385: US Regulatory Enforcement policy Templates

Policy template | Description
California Consumer Privacy Act | Deals with the handling and protection of sensitive personal information that individuals provide in the course of everyday transactions. See: California Consumer Privacy Act Policy Template
CAN-SPAM Act | Establishes requirements for sending commercial email. See: CAN-SPAM Act policy template
Defense Message System (DMS) GENSER Classification | Detects information classified as confidential. See: Defense Message System (DMS) GENSER Classification policy template
Export Administration Regulations (EAR) | Enforces the U.S. Department of Commerce Export Administration Regulations (EAR). See: Export Administration Regulations (EAR) policy template
FACTA 2003 (Red Flag Rules) | Enforces sections 114 and 315 (or Red Flag Rules) of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. See: FACTA 2003 (Red Flag Rules) policy template
Gramm-Leach-Bliley | This policy limits sharing of consumer information by financial institutions. See: Gramm-Leach-Bliley policy template
HIPAA and HITECH (including PHI) | This policy enforces the US Health Insurance Portability and Accountability Act (HIPAA). See: HIPAA and HITECH (including PHI) policy template
International Traffic in Arms Regulations (ITAR) | This policy enforces the US Department of State ITAR provisions. See: International Traffic in Arms Regulations (ITAR) policy template
Medicare and Medicaid (including PHI) | This policy detects protected health information (PHI) associated with the United States Medicare and Medicaid programs. See: Medicare and Medicaid (including PHI)
NASD Rule 2711 and NYSE Rules 351 and 472 | This policy protects the name(s) of any companies that are involved in an upcoming stock offering. See: NASD Rule 2711 and NYSE Rules 351 and 472 policy template
NASD Rule 3010 and NYSE Rule 342 | This policy monitors broker-dealer communications. See: NASD Rule 3010 and NYSE Rule 342 policy template
NERC Security Guidelines for Electric Utilities | This policy detects the information that is outlined in the North American Electric Reliability Council (NERC) security guidelines for the electricity sector. See: NERC Security Guidelines for Electric Utilities policy template
Office of Foreign Assets Control (OFAC) | This template detects communications involving targeted OFAC groups. See: Office of Foreign Assets Control (OFAC) policy template
OMB Memo 06-16 and FIPS 199 Regulations | This template detects information that is classified as confidential. See: OMB Memo 06-16 and FIPS 199 Regulations policy template
Payment Card Industry Data Security Standard | This template detects credit card number data. See: Payment Card Industry (PCI) Data Security Standard policy template
Sarbanes-Oxley | This template detects sensitive financial data. See: Sarbanes-Oxley policy template
SEC Fair Disclosure Regulation | This template detects data disclosure of material financial information. See: SEC Fair Disclosure Regulation policy template
State Data Privacy | This template detects breaches of state-mandated confidentiality. See: State Data Privacy policy template
US States Drivers License Number | This template detects the Driving License Numbers for US States.
US Intelligence Control Markings (CAPCO) and DCID 1/7 | This template detects authorized terms to identify classified information in the US Federal Intelligence community. See: US Intelligence Control Markings (CAPCO) and DCID 1/7 policy template
Virginia Consumer Data Protection Act | This template establishes a framework for controlling and processing personal data in the US State of Virginia. See: Virginia Consumer Data Protection Act Policy Template

Creating a policy from a template

General Data Protection Regulation (GDPR) policy Templates


The General Data Protection Regulation (GDPR) is a regulation by which the European Commission intends to strengthen
and unify data protection for individuals within the EU. It also addresses export of personal data outside the EU. The
primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory
environment for international business by unifying the regulation within the EU. The GDPR replaces the EU Data
Protection Directives as of 25 May 2018.
Symantec Data Loss Prevention provides several policy templates for General Data Protection Regulation (GDPR)
compliance.

Table 386: General Data Protection Regulation (GDPR) policy Templates

Policy template | Description
General Data Protection Regulations (Banking and Finance) | This policy protects personal identifiable information related to banking and finance. See: General Data Protection Regulation (Banking and Finance)
General Data Protection Regulation (Digital Identity) | This policy protects personal identifiable information related to digital identity. See: General Data Protection Regulation (Digital Identity)
General Data Protection Regulation (Government Identification) | This policy protects personal identifiable information related to government identification. See: General Data Protection Regulation (Government Identification)
General Data Protection Regulation (Healthcare and Insurance) | This policy protects personal identifiable information related to healthcare and insurance. See: General Data Protection Regulation (Healthcare and Insurance)
General Data Protection Regulation (Personal Profile) | This policy protects personal identifiable information related to personal profile data. See: General Data Protection Regulation (Personal Profile)
General Data Protection Regulation (Travel) | This policy protects personal identifiable information related to travel. See: General Data Protection Regulation (Travel)

Creating a policy from a template

International Regulatory Enforcement policy Templates


Symantec Data Loss Prevention provides several policy templates for International Regulatory Enforcement.

Table 387: International Regulatory Enforcement policy Templates

Policy template | Description
Caldicott Report | This policy protects UK patient information. See: Caldicott Report policy template
Data Protection Act 1998 | This policy protects personal identifiable information. See: Data Protection Act 1998 policy template
EU Data Protection Directives | This policy detects personal data specific to the EU directives. See: Data Protection Directives (EU) policy template
  Note: The EU Data Protection Directives are replaced by the General Data Protection Regulation (GDPR) on 25 May 2018. See: General Data Protection Regulation (GDPR) policy templates
Human Rights Act 1998 | This policy enforces Article 8 of the act for UK citizens. See: Human Rights Act 1998 policy template
PIPEDA | This policy detects Canadian citizen customer data. See: PIPEDA policy template

Creating a policy from a template

Customer and Employee Data Protection policy Templates


Symantec Data Loss Prevention provides several policy templates for Customer and Employee Data Protection.
Creating a policy from a template

Table 388: Customer and Employee Data Protection policy Templates

Policy template | Description
Canadian Social Insurance Numbers | This policy detects patterns indicating Canadian social insurance numbers. See: Canadian Social Insurance Numbers policy template
Credit Card Numbers | This policy detects patterns indicating credit card numbers. See: Credit Card Numbers policy template
Customer Data Protection | This policy detects customer data. See: Customer Data Protection policy template
Employee Data Protection | This policy detects employee data. See: Employee Data Protection policy template
Enhanced Credit Card Numbers with Individual Issuers | This policy detects enhanced patterns indicating credit card numbers at risk of exposure. See: Enhanced Credit Card Numbers with Individual Issuers policy template
Individual Taxpayer Identification Numbers (ITIN) | This policy detects IRS-issued tax processing numbers. See: Individual Taxpayer Identification Numbers (ITIN) policy template
SWIFT Codes | This policy detects codes banks use to transfer money across international borders. See: SWIFT Codes policy template
UK Drivers License Numbers | This policy detects UK Drivers License Numbers. See: UK Drivers License Numbers policy template
UK Electoral Roll Numbers | This policy detects UK Electoral Roll Numbers. See: UK Electoral Roll Numbers policy template
UK National Insurance Numbers | This policy detects UK National Insurance Numbers. See: UK National Insurance Numbers policy template
UK National Health Service Number | This policy detects personal identification numbers issued by the NHS. See: UK National Health Service (NHS) Number policy template
UK Passport Numbers | This policy detects valid UK passports. See: UK Passport Numbers policy template
UK Tax ID Numbers | This policy detects UK Tax ID Numbers. See: UK Tax ID Numbers policy template
US Social Security Numbers | This policy detects patterns indicating social security numbers. See: US Social Security Numbers policy template

Confidential or Classified Data Protection policy Templates


Symantec Data Loss Prevention provides several policy templates for Confidential or Classified Data Protection.

Table 389: Confidential or Classified Data Protection policy Templates

Policy template | Description
Confidential Documents | This policy detects company-confidential documents. See: Confidential Documents policy template
Design Documents | This policy detects various types of design documents. See: Design Documents policy template
Encrypted Data | This policy detects the use of encryption by a variety of methods. See: Encrypted Data policy template
Financial Information | This policy detects financial data and information. See: Financial Information policy template
Merger and Acquisition Agreements | This policy detects information and communications about upcoming merger and acquisition activity. See: Merger and Acquisition Agreements policy template
Price Information | This policy detects specific SKU and pricing information. See: Price Information policy template
Project Data | This policy detects discussions of sensitive projects. See: Project Data policy template
Proprietary Media Files | This policy detects various types of video and audio files. See: Proprietary Media Files policy template
Publishing Documents | This policy detects various types of publishing documents. See: Publishing Documents policy template
Resumes | This policy detects active job searches. See: Resumes policy template
Source Code | This policy detects various types of source code. See: Source Code policy template
Symantec DLP Awareness and Avoidance | This policy detects any communications that refer to Symantec DLP or other data loss prevention systems and possible avoidance of detection. See: Symantec DLP Awareness and Avoidance policy template

Creating a policy from a template

Network Security Enforcement policy Templates


Symantec Data Loss Prevention provides several policy templates for Network Security Enforcement.

Table 390: Network Security Enforcement policy Templates

Policy template | Description
Common Spyware Upload Sites | This policy detects access to common spyware upload Web sites. See: Common Spyware Upload Sites policy template
Network Diagrams | This policy detects computer network diagrams. See: Network Diagrams policy template
Network Security | This policy detects evidence of hacking tools and attack planning. See: Network Security policy template
Password Files | This policy detects password file formats. See: Password Files policy template

Creating a policy from a template

Acceptable Use Enforcement policy Templates


Symantec Data Loss Prevention provides several policy templates for enforcing acceptable use of information.

Table 391: Acceptable Use Enforcement policy Templates

Policy template | Description
Competitor Communications | This policy detects forbidden communications with competitors. See: Competitor Communications policy template
Forbidden Websites | This policy detects access to specified Web sites. See: Forbidden Websites policy template
Gambling | This policy detects any reference to gambling. See: Gambling policy template
Illegal Drugs | This policy detects conversations about illegal drugs and controlled substances. See: Illegal Drugs policy template
Media Files | This policy detects various types of video and audio files. See: Media Files policy template
Offensive Language | This policy detects the use of offensive language. See: Offensive Language policy template
Racist Language | This policy detects the use of racist language. See: Racist Language policy template
Restricted Files | This policy detects various file types that are generally inappropriate to send out of the company. See: Restricted Files policy template
Restricted Recipients | This policy detects communications with specified recipients. See: Restricted Recipients policy template
Sexually Explicit Language | This policy detects sexually explicit content. See: Sexually Explicit Language policy template
Violence and Weapons | This policy detects violent language and discussions about weapons. See: Violence and Weapons policy template
Webmail | This policy detects the use of a variety of Webmail services. See: Webmail policy template
Yahoo Message Board Activity | This policy detects Yahoo message board activity. See: Yahoo Message Board Activity policy template
Yahoo and MSN Messengers on Port 80 | This policy detects Yahoo IM and MSN Messenger activity. See: Yahoo and MSN Messengers on Port 80 policy template

Creating a policy from a template

Colombia Personal Data Regulatory Enforcement Policy Template


Symantec Data Loss Prevention provides a policy template for the enforcement of Colombian personal data regulations.

Table 392: Colombia Personal Data Regulatory Enforcement Policy Template

Policy template | Description
Colombian Personal Data Protection Law 1581 | This policy detects violations of the Colombian Personal Data Protection Law 1581. See: Colombian Personal Data Protection Law 1581 Policy Template

Creating a policy from a template

Choosing an Exact Data Profile


If the policy template you select implements Exact Data Matching (EDM), the system prompts you to choose an Exact
Data Profile. Policy templates that implement Exact Data Matching (EDM) (Table 393) lists the policy templates that are
based on Exact Data Profiles.
If you do not have an Exact Data Profile, you can cancel policy creation and define a profile. Or, you can choose not to
use an Exact Data Profile. In this case the system disables the associated EDM detection rules in the policy template. You
can use any DCM rules or exceptions the policy template provides.
Introducing Exact Data Matching (EDM)
About the Exact Data Profile and index
To choose an Exact Data Profile
1. Select an Exact Data Profile from the list of available profiles.
2. Click Next to continue with creating the policy from the template.
Click Previous to return to the list of policy templates.
Creating a policy from a template

NOTE
When the system prompts you to select an Exact Data Profile, the display lists the data columns to include in the
profile to provide the highest level of accuracy. If data fields in your Exact Data Profile are not represented in the
selected policy template, the system displays those fields for content matching when you define the detection
rule.

Table 393: Policy templates that implement Exact Data Matching (EDM)

Policy template | Description
Caldicott Report | Caldicott Report policy template
Customer Data Protection | Customer Data Protection policy template
Data Protection Act 1998 | Data Protection Act 1998 policy template
Employee Data Protection | Employee Data Protection policy template
EU Data Protection Directives | Data Protection Directives (EU) policy template
Export Administration Regulations (EAR) | Export Administration Regulations (EAR) policy template
FACTA 2003 (Red Flag Rules) | FACTA 2003 (Red Flag Rules) policy template
General Data Protection Regulations (Banking and Finance) | General Data Protection Regulation (Banking and Finance)
General Data Protection Regulations (Digital Identity) | General Data Protection Regulation (Digital Identity)
General Data Protection Regulations (Government Identification) | General Data Protection Regulation (Government Identification)
General Data Protection Regulations (Healthcare and Insurance) | General Data Protection Regulation (Healthcare and Insurance)
General Data Protection Regulations (Personal Profile) | General Data Protection Regulation (Personal Profile)
General Data Protection Regulations (Travel) | General Data Protection Regulation (Travel)
Gramm-Leach-Bliley | Gramm-Leach-Bliley policy template
HIPAA and HITECH (including PHI) | HIPAA and HITECH (including PHI) policy template
Human Rights Act 1998 | Human Rights Act 1998 policy template
International Traffic in Arms Regulations (ITAR) | International Traffic in Arms Regulations (ITAR) policy template
Payment Card Industry Data Security Standard | Payment Card Industry (PCI) Data Security Standard policy template
PIPEDA | PIPEDA policy template
Price Information | Price Information policy template
Resumes | Resumes policy template
State Data Privacy | SEC Fair Disclosure Regulation policy template

Choosing an Indexed Document Profile


If the policy template you chose uses Indexed Document Matching (IDM) detection, the system prompts you to select the
Document Profile.
To use a Document Profile
1. Select the Document Profile from the list of available profiles.
2. Click Next to create the policy from the template.
Creating a policy from a template

If you do not have a Document Profile, you can cancel policy creation and define the Document Profile. Or, you can
choose to not use a Document Profile. In this case the system disables any IDM rules or exceptions for the policy
instance. If the policy template contains DCM rules or exceptions, you may use them.
About the Indexed Document Profile

Table 394: Policy templates that implement Indexed Document Matching (IDM)

Policy template | Description
CAN-SPAM Act (IDM exception) | CAN-SPAM Act policy template
NASD Rule 2711 and NYSE Rules 351 and 472 | NASD Rule 2711 and NYSE Rules 351 and 472 policy template
NERC Security Guidelines for Electric Utilities | NERC Security Guidelines for Electric Utilities policy template
Sarbanes-Oxley | Sarbanes-Oxley policy template
SEC Fair Disclosure Regulation | SEC Fair Disclosure Regulation policy template
Confidential Documents | Confidential Documents policy template
Design Documents | Design Documents policy template
Financial Information | Financial Information policy template
Project Data | Project Data policy template
Proprietary Media Files | Proprietary Media Files policy template
Publishing Documents | Publishing Documents policy template
Source Code | Source Code policy template
Network Diagrams | Network Diagrams policy template

Introducing Indexed Document Matching (IDM)


Creating a policy from a template

Adding a new policy or policy template


As a policy author you can define a new policy from scratch or from a template.
Workflow for implementing policies
To add a new policy or a policy template
1. Click New at the Manage > Policies > Policy List screen.
Manage and add policies
2. Choose the type of policy you want to add at the New Policy screen.
3. Select Add a blank policy to add a new empty policy.
Policy components
4. Select Add a policy from a template to add a policy from a template.
Policy templates
5. Click Next to configure the policy or the policy template.
6. Click Cancel to not add a policy and return to the Policy List screen.
Configuring policies
Creating a policy from a template

Configuring policies
The Manage > Policies > Policy List > Configure Policy screen is the home page for configuring policies.
Configuring policies (Table 395) describes the workflow for configuring policies.

Table 395: Configuring policies

Action | Description
Define a new policy, or edit an existing policy. | Add a new blank policy (see: Adding a new policy or policy template). Create a policy from a template (see: Creating a policy from a template). Select an existing policy at the Manage > Policies > Policy List screen to edit it (see: Manage and add policies).
Enter a policy Name and Description. | The policy name must be unique in the policy group you deploy the policy to. See: Input character limits for policy configuration
Select the Policy Group from the list where the policy is to be deployed. | The Default Policy Group is selected if there is no policy group configured. See: Creating and modifying policy groups
Set the Status for the policy. | You can enable (default setting) or disable a policy. A disabled policy is deployed but is not loaded into memory to detect incidents. See: Manage and add policies
Add a rule to the policy, or edit an existing rule. | Click Add Rule to add a rule (see: Adding a Rule to a Policy). Select an existing rule to edit it.
Configure the rule with one or more conditions. | For a valid policy, you must configure at least one rule that declares at least one condition. Compound rules and exceptions are optional. See: Configuring Policy Rules
Optionally, add one or more policy exceptions, or edit an existing exception. | Click Add Exception to add it (see: Adding an Exception to a Policy). Select an existing exception to edit it.
Configure any exception(s). | See: Configuring policy exceptions
Save the policy configuration. | Click Save to save the policy configuration to the Enforce Server database. See: Policy components
Export the policy as a template. | Optionally, you can export the policy rules and exceptions as a template. See: Exporting policy detection as a template
Add one or more response rules to the policy. | You configure response rules independent of policies. See: Adding an automated response rule to a policy

Adding a Rule to a Policy


Add one or more rules to a policy to indicate at least one match condition.
You can add two types of rules to a policy: a detection rule and a group rule. If two or more rules in a policy are the same
type, the system connects them by OR. If a rule includes conditions, the system connects them by AND.
Policy detection execution
NOTE
Exceptions are added separate from rules.

Adding an Exception to a Policy
1. Go to Manage > Policies > Policy List > Configure Policy – Add Rule.
2. Choose the type of rule (detection or group) to add to the policy.
• To add a detection rule, select the Detection tab and click Add Rule.
• To add a group (identity) rule, select the Groups tab and click Add Rule.
Policy matching conditions
3. Select the detection or the group rule that you want to implement from the list of rules.
Adding policy rules
4. Select the prerequisite component, if necessary.
If the policy rule requires a Data Profile, Data Identifier, or User Group select it from the list.
5. Click Next to configure the policy rule.
Configuring Policy Rules
You can add the following types of rules:

Rule | Prerequisite | For more information
Content match conditions
Content Matches Regular Expression | (none) | Introducing regular expression matching
Content Matches Exact Data | Exact Data Profile | About the Exact Data Profile and index; Choosing an Exact Data Profile
Content Matches Keyword | (none) | Introducing keyword matching
Content Matches Document Signature | Indexed Document Profile | Introducing Indexed Document Matching (IDM); Choosing an Indexed Document Profile
Content Matches Data Identifier | Data Identifier | Introducing data identifiers; Selecting a data identifier breadth
Detect using Vector Machine Learning | VML Profile | Introducing Vector Machine Learning (VML); Configuring VML profiles and policy conditions
Content Matches MIP classification | MIP | Configuring the Endpoint: MIP Classification action
Content Matches Structured Data Identifier | Structured Data Identifier | Introducing Structured Data Identifiers
Context match conditions
Contextual Attributes (Cloud Applications and API Detection Appliance only) | Cloud Detection Service or API Detection Appliance | Introducing contextual attributes for cloud applications
User Risk Score | ICA as a user data source | Introducing Contextual Attributes for User Risk Scores
File Properties match conditions
Message Attachment or File Type Match | (none) | About file type matching
Message Attachment or File Size Match | (none) | About file size matching
Message Attachment or File Name Match | (none) | About file name matching
Custom File Type Signature | Rule enabled; Custom script | About custom file type identification; Enabling the Custom File Type Signature condition in the policy console
Protocol and Endpoint match conditions
Protocol Monitoring | Custom protocols (if any) | Introducing protocol monitoring for network
Endpoint Monitoring | (none) | About endpoint protocol monitoring
Endpoint Device Class or ID | Custom devices | About endpoint device detection
Endpoint Location | (none) | About endpoint location detection
Form Recognition
Detect using Form Recognition Profile | Form Recognition Profile | About Form Recognition detection; Configuring the Form Recognition detection rule
Groups (Identities) match conditions
Sender/User Matches Pattern; Recipient Matches Pattern | (none) | Introducing described identity matching
Sender/User based on a Directory Server Group; Recipient based on a Directory Server Group | User Group | Introducing synchronized Directory Group Matching (DGM); Configuring User Groups
Sender/User based on a Directory from:; Recipient based on a Directory from: | Exact Data Profile | Introducing profiled Directory Group Matching (DGM); Configuring Exact Data profiles for DGM

Configuring Policy Rules


You configure a policy rule with one or more match conditions. The configuration of each rule condition depends on its
type.
Go to the Manage > Policies > Policy List > Configure Policy – Edit Rule screen to configure a policy rule.
Configuring policy match conditions

Table 396: Configuring policy rules

Step | Action | Description
Step 1 | Add a rule to a policy, or modify a rule. | See: Adding a Rule to a Policy. To modify an existing rule, select the rule in the policy builder interface at the Configure Policy – Edit Rule screen.
Step 2 | Name the rule, or modify a name. | In the General section of the rule, enter a name in the Rule Name field, or modify the name of an existing rule.
Step 3 | Set the rule severity. | In the Severity section of the rule, select or modify a "Default" severity level. In addition to the default severity, you can add multiple severity levels to a rule. See: Defining rule severity
Step 4 | Configure the match condition. | In the Conditions section of the rule, you configure one or more match conditions for the rule. The configuration of a condition depends on its type. See: Configuring policy match conditions
Step 5 | Configure match counting (if required). | If the rule calls for it, configure how you want to count matches. See: Configuring Match Counting
Step 6 | Select components to match on (if available). | If the rule is content-based, select one or more available content rules to match on. See: Selecting components to match on
Step 7 | Add and configure one or more additional match conditions (optional). | To define a compound rule, add another match condition from the Also Match list. Configure the additional condition according to its type (Step 4). See: Configuring compound rules
  Note: All conditions in a single rule must match to trigger an incident. See: Policy detection execution
Step 8 | Save the policy configuration. | When you are done configuring the rule, click OK. This action returns you to the Configure Policy screen where you can Save the policy. See: Manage and add policies

The following table lists each of the available match conditions and provides links to topics for configuring each condition.

Table 397: Configuring policy match conditions

Rule | For more information
Content match conditions
Content Matches Regular Expression | Configuring the Content Matches Regular Expression condition
Content Matches Exact Data from an Exact Data Profile | Configuring the Content Matches Exact Data policy condition for EDM
Content Matches Keyword | Configuring the Content Matches Keyword condition
Content Matches Document Signature | Configuring the Content Matches Document Signature policy condition
Content Matches Data Identifier | Configuring the Content Matches data identifier condition
Detect using Vector Machine Learning profile | Configuring the Detect using Vector Machine Learning Profile condition
Detect using Form Recognition profile | Configuring the Form Recognition detection rule
Context
Contextual Attributes (Cloud Applications and API Detection Appliance only) | Introducing contextual attributes for cloud applications
User Risk Score | Introducing Contextual Attributes for User Risk Scores
File Properties match conditions
Message Attachment or File Type Match | Configuring the Message Attachment or File Type Match condition
Message Attachment or File Size Match | Configuring the Message Attachment or File Size Match condition
Message Attachment or File Name Match | Configuring the Message Attachment or File Name Match condition
Custom File Type Signature | Configuring the Custom File Type Signature condition
Protocol match conditions
Network Monitoring | Configuring the Protocol Monitoring condition for network detection
Endpoint Monitoring | Configuring the Endpoint Monitoring condition
Endpoint Device Class or ID | Configuring the Endpoint Device Class or ID condition
Endpoint Location | Configuring the Endpoint Location condition
Groups match conditions
Sender/User Matches Pattern | Configuring the Sender/User Matches Pattern condition
Recipient Matches Pattern | Configuring the Recipient Matches Pattern condition
Sender/User based on a Directory Server Group | Configuring the Sender/User based on a Directory Server Group condition
Sender/User based on a Directory from an Exact Data Profile | Configuring the Sender/User based on a Profiled Directory condition
Recipient based on a Directory Server Group | Configuring the Recipient based on a Directory Server Group condition
Recipient based on a Directory from an Exact Data Profile | Configuring the Recipient based on a Profiled Directory condition

Defining rule severity


The system assigns a severity level to a policy rule violation. The default setting is "High." You can configure the default
setting, and you can add one or more extra severity levels.
Policy severity
Configuring the Severity response condition
Policy rule severity works with the Severity response rule condition. If you set the default policy rule severity level to
"High" and define more severity levels, the system does not assign the added severity to the incident based on a match
count. If you have a response rule set to a match count severity level that is less than the default "High" severity, the
response rule does not execute.
To define a policy rule severity
1. Configure a policy rule.
Configuring policy rules
2. Select a Default level from the Severity list.
The default severity level is the baseline level that the system reports. The system applies the default severity level to
any rule match, unless other severity levels override the default setting.
3. Click Add Severity to define other severity levels for the rule.
If you add a severity level, it is based on the match count.
4. Select the desired severity level, choose the match count range, and enter the match count.
For example, you can set a Medium severity with X range to match after 100 matches have been counted.
5. You can add another severity level, other than the built-in default severity.
6. To remove a defined severity level, click the X icon beside the severity definition.

Configuring Match Counting

Some conditions let you specify how you want to count matches. Count all matches is the default behavior. You can configure the minimum number of matches required to cause an incident. Or, you can count all matches as one incident. If a condition supports match counting, you can configure this setting for both policy rules and exceptions.
Conditions that support match counting

Table 398: Configuring match counting parameters and conditions

Parameter | Condition type | Incident description
Check for existence | Simple | Reports a match count of 1 if there are one or more matches; it does not count multiple matches.
Check for existence | Compound | Reports a match count of 1 if there are one or more matches; it does not count multiple matches.
Count all matches | Simple | Reports a match count of the exact number of matches detected by the condition. For example, one incident with 10 matches.
Count all matches | Compound | Reports a match count of the sum of all condition matches in the rule. The default is one incident per policy. The default applies if any condition is set to count all matches. The configuration counts all the matches for all the conditions and reports them in one incident. Exception matches are never reported. For example, a rule has two conditions: one is set to count all matches and detects four matches, and the other is set to check for existence. As a result, the reported match count is five: four matches for the first condition that counts all matches, and one match for the second condition that checks for existence.
Only report incidents with at least _ matches | | You can change the default of at least one match by specifying the minimum number of matches required to report an incident. For example, in a rule with two conditions, you should get an incident with five matches: four for the first condition that counts all matches, and one for the second condition that checks for existence. You must select this option for each condition in the rule or exception to achieve this behavior. Note: The count all matches setting applies to each message component you match on. For example, consider a policy where you specify a match count of three. You configure a keyword rule that matches on all four message components (default setting for this condition). If a message is received with two instances of the keyword in the body and one instance of the keyword in the envelope, the system does not report this as a match. However, if three instances of the keyword appear in an attachment (or any other single message component), the system reports it as a match.
Count all unique matches | Only count unique matches | Unique match counting is available for Data Identifiers, keyword matching, and regular expression matching. See About unique match counting.

Table 399: Conditions that support match counting

Condition | Description
Content Matches Regular Expression | Introducing regular expression matching; Configuring the Content Matches Regular Expression condition
Content Matches Keyword | Introducing keyword matching; Configuring the Content Matches Keyword condition
Content Matches Document Signature (IDM) | Configuring the Content Matches Document Signature policy condition
Content Matches Data Identifier | Introducing data identifiers; Configuring the Content Matches data identifier condition; Configuring unique match counting
Recipient Matches Pattern | Introducing described identity matching; Configuring the Recipient Matches Pattern condition
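The counting behaviour in the match counting table above, modelled in Python as an added example (this is not Symantec Data Loss Prevention code; the `Condition` class, the patterns and the sample messages are constructed for illustration, and the rule that only components meeting the minimum contribute to the reported count is an assumption the manual does not state):

```python
"""Added example (not Symantec DLP product code) that models the match counting
behaviour described in the 'Configuring Match Counting' table: check for
existence, count all matches, the per-component minimum, unique counting, and
the summed count of a compound rule.  Every name, pattern and message here is
constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The four message components a content condition can match on.
COMPONENTS: Tuple[str, ...] = ("envelope", "subject", "body", "attachment")


@dataclass
class Condition:
    name: str
    pattern: str                              # keyword or regular expression
    count_all: bool = True                    # False models "Check for existence"
    min_matches: int = 1                      # "Only report incidents with at least _ matches"
    unique: bool = False                      # "Count all unique matches"
    match_on: Tuple[str, ...] = COMPONENTS    # Match On selection (default: all four)

    def counts(self, message: Dict[str, str]) -> Dict[str, int]:
        """Number of matches found in each selected component."""
        result = {}
        for comp in self.match_on:
            hits = re.findall(self.pattern, message.get(comp, ""), flags=re.IGNORECASE)
            if self.unique:
                hits = {h.lower() for h in hits}      # repeated values count once
            result[comp] = len(hits)
        return result

    def evaluate(self, message: Dict[str, str]) -> Optional[int]:
        """Match count this condition contributes, or None when it does not match.

        The minimum is applied to each component separately, as the manual's
        keyword example states: two hits in the body plus one in the envelope do
        not satisfy a minimum of three, but three hits in one attachment do.
        """
        threshold = max(1, self.min_matches)
        qualifying = {c: n for c, n in self.counts(message).items() if n >= threshold}
        if not qualifying:
            return None
        if not self.count_all:
            return 1                           # existence check: always reported as 1
        # Assumption: only components that met the minimum contribute to the count.
        return sum(qualifying.values())


def evaluate_rule(conditions: List[Condition], message: Dict[str, str]) -> Optional[int]:
    """A rule's conditions are ANDed.  The incident's match count is the sum of
    every condition's contribution (compound 'count all' behaviour); one
    non-matching condition means no incident at all."""
    total = 0
    for cond in conditions:
        contribution = cond.evaluate(message)
        if contribution is None:
            return None
        total += contribution
    return total


# Constructed sample messages.  Keyword spread out: 1 in the envelope, 2 in the body.
MSG_SPREAD = {
    "envelope": "From: alice@example.com\nX-Label: confidential",
    "subject": "Q3 figures",
    "body": "This is confidential. Treat the numbers as confidential.",
    "attachment": "",
}
# Same message, but the keyword also appears three times inside one attachment.
MSG_ATTACH = dict(MSG_SPREAD, attachment="confidential confidential confidential")
# Message for the compound example: four keyword hits plus two account ids.
MSG_COMPOUND = {
    "envelope": "From: bob@example.com",
    "subject": "",
    "body": "confidential confidential ACC-1234 ACC-5678",
    "attachment": "confidential confidential",
}

KEYWORD_MIN3 = Condition("Keyword: confidential", r"\bconfidential\b", min_matches=3)
COUNT_ALL = Condition("Keyword: confidential", r"\bconfidential\b")
EXISTS = Condition("Regex: account id", r"\bACC-\d{4}\b", count_all=False)
UNIQUE = Condition("Keyword: confidential (unique)", r"\bconfidential\b", unique=True)

if __name__ == "__main__":
    print(evaluate_rule([KEYWORD_MIN3], MSG_SPREAD))        # None: 2 + 1 never reaches 3 in one component
    print(evaluate_rule([KEYWORD_MIN3], MSG_ATTACH))        # 3
    print(evaluate_rule([COUNT_ALL, EXISTS], MSG_COMPOUND))  # 5: four counted plus one for existence
    print(evaluate_rule([UNIQUE], {"body": "confidential CONFIDENTIAL Confidential"}))  # 1
```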

Selecting components to match on

The availability of one or more message components to match on depends on the type of rule or exception condition you implement.
Detection Messages and Message Components

Table 400: Match on components

Component | Description
Envelope | If the condition supports matching on the Envelope component, select it to match on the message metadata. The envelope contains the header, transport information, and the subject if the message is an SMTP email. If the condition does not support matching on the Envelope component, this option is grayed out. If the condition matches on the entire message, the Envelope is selected and cannot be deselected, and the other components cannot be selected. This occurs because certain conditions, such as sender and recipient, are locked to match on the envelope.
Subject | Certain detection conditions match on the Subject component for some types of messages. The subject is mapped on the header for the endpoint agent (see Detection Messages and Message Components). For the detection conditions that support subject component matching, you can match on the Subject for SMTP (email) messages from Network Monitor or Network Prevent for Email, and for NNTP messages from Network Monitor. To match on the Subject component, you must select (check) the Subject component and uncheck (deselect) the Envelope component for the policy rule. If you select both components, the system matches the subject twice because the message subject is included in the envelope as part of the header.
Body | If the condition matches on the Body message component, select it to match on the text or content of the message.
Attachment(s) | If the condition matches on the Attachment(s) message component, select it to detect content in files sent by, downloaded with, or attached to the message. The attachment applies to single files as well as Discover scans (server), eDar (agent), and file operations (agent).

Adding an Exception to a Policy

You can add one or more exception conditions to a policy to exclude data from matching.
Policy rules are executed before exceptions. Rules are evaluated first, then the Entire Message exceptions, then the Matched Components Only exceptions. If an exception matches and Entire Message is chosen, the entire message is discarded. If an exception matches and Matched Components Only is chosen, only that component is discarded.
Exception conditions
NOTE
You can create exceptions for all policy conditions, except the EDM condition Content Matches Exact Data From. In addition, Network Prevent for Web does not support synchronized DGM exceptions.
1. Go to the Manage > Policies > Policy List > Configure Policy – Add Exception screen.
2. Add an exception to a policy.
• To add a detection rule exception, select the Detection tab and click Add Exception.
• To add a group rule exception, select the Groups tab and click Add Exception.
3. Select the exception conditions to implement.
The Add Detection Exception screen lists all available detection exceptions that you can add to a policy.
The Add Group Exception screen lists all available group exceptions that you can add to a policy.
Selecting a policy exception
4. If necessary, choose the profile, data identifier, or user group.
5. Click Next to configure the exception.
You can add the following types of exception conditions:

Exception | Prerequisite | For more information
Content
Content Matches Regular Expression | | Introducing regular expression matching
Content Matches Keyword | | Introducing keyword matching
Content Matches Document Signature | Indexed Document Profile | Choosing an Indexed Document Profile
Content Matches Data Identifier | Data Identifier | Introducing data identifiers; Selecting a data identifier breadth
Detect using Vector Machine Learning profile | VML Profile | Configuring VML policy exceptions; Configuring VML profiles and policy conditions
Context
Contextual Attributes (Cloud Applications and API Detection Appliance only) | Cloud Detection Service or API Detection Appliance | Introducing contextual attributes for cloud applications
User Risk Score | ICA as a user data source | Introducing Contextual Attributes for User Risk Scores
File Properties
Message Attachment or File Type Match | | About file type matching
Message Attachment or File Size Match | | About file size matching
Message Attachment or File Name Match | | About file name matching
Custom File Type Signature | Condition enabled; Custom script added | About custom file type identification
Protocol and Endpoint
Network Protocol | | Introducing protocol monitoring for network
Endpoint Protocol, Destination, Application | | About endpoint protocol monitoring
Endpoint Device Class or ID | | About endpoint device detection
Endpoint Location | | About endpoint location detection
Form Recognition
Detect using Form Recognition Profile | Form Recognition Profile | About Form Recognition detection; Configuring the Form Recognition exception rule
Group (identity)
Sender/User Matches Pattern | | Introducing described identity matching
Recipient Matches Pattern | | Introducing described identity matching
Sender/User based on a Directory Server Group | User Group | Introducing synchronized Directory Group Matching (DGM); Configuring User Groups. Note: Network Prevent for Web does not support this type of exception. Use profiled DGM instead.
Recipient based on a Directory Server Group | User Group | Introducing synchronized Directory Group Matching (DGM); Configuring User Groups. Note: Network Prevent for Web does not support this type of exception. Use profiled DGM instead.
Sender/User based on a Directory from an Exact Data Profile | Exact Data Profile | Introducing profiled Directory Group Matching (DGM); Configuring Exact Data profiles for DGM
Recipient based on a Directory from an Exact Data Profile | Exact Data Profile | Introducing profiled Directory Group Matching (DGM); Configuring Exact Data profiles for DGM

Configuring Policy Exceptions

At the Manage > Policies > Policy List > Configure Policy – Edit Exception screen, you configure one or more conditions for a policy exception.
Policy exception conditions available for configuration
When you choose the Matched Components Only option, if an exception condition matches, the system discards the matched component. This component is no longer available for evaluation. If you choose the Entire Message option, the entire message (all components) is discarded.
Exception conditions

Table 401: Configure policy exceptions

Step | Action | Description
Step 1 | Add a new policy exception, or edit an existing exception. | See Adding an Exception to a Policy. Select an existing policy exception to modify it.
Step 2 | Name the exception, or edit an existing name or description. | In the General section, enter a unique name for the exception, or modify the name of an existing exception. Note: The exception name is limited to 60 characters.
Step 3 | Select the components to apply the exception to (if available). | If the exception is content-based, you can match on the entire message or on individual message components (see Detection Messages and Message Components). Select one of the Apply Exception to options: Entire Message applies the exception to the entire message; Matched Components Only applies the exception to each matching message component that you select from the Match On options in the Conditions section of the exception.
Step 4 | Configure the exception condition. | In the Conditions section of the Configure Policy – Edit Exception screen, define the condition for the policy exception. The configuration of a condition depends on the exception type. See Policy exception conditions available for configuration.
Step 5 | Add one or more conditions to the exception (optional). | You can add conditions until the exception is structured as desired (see Configuring compound rules). To add another condition to an exception, select the condition from the Also Match list. Click Add and configure the condition.
Step 6 | Save and manage the policy. | Click OK to complete the exception definition process. Click Save to save the policy. See Manage and add policies.

Policy exception conditions available for configuration lists the exception conditions that you can configure, with links to configuration details.

Table 402: Policy exception conditions available for configuration

Exception | Description
Content
Content Matches Regular Expression | Configuring the Content Matches Regular Expression condition
Content Matches Keyword | Configuring the Content Matches Keyword condition
Content Matches Document Signature | Configuring the Content Matches Document Signature policy condition
Content Matches Data Identifier | Configuring the Content Matches data identifier condition
Detect using Vector Machine Learning Profile | Configuring VML policy exceptions
Context
Contextual Attributes (Cloud Applications and API Detection Appliance only) | Introducing contextual attributes for cloud applications
File Properties
Message Attachment or File Type Match | Configuring the Message Attachment or File Type Match condition
Message Attachment or File Size Match | Configuring the Message Attachment or File Size Match condition
Message Attachment or File Name Match | Configuring the Message Attachment or File Name Match condition
Custom File Type Signature | Configuring the Custom File Type Signature condition
Protocol and Endpoint
Network Protocol | Configuring the Protocol Monitoring condition for network detection
Endpoint Protocol or Destination | Configuring the Endpoint Monitoring condition
Endpoint Device Class or ID | Configuring the Endpoint Device Class or ID condition
Endpoint Location | Configuring the Endpoint Location condition
Form Recognition
Detect using Form Recognition profile | Configuring the Form Recognition exception rule
Group (identity)
Sender/User Matches Pattern | Configuring the Sender/User Matches Pattern condition
Recipient Matches Pattern | Configuring the Recipient Matches Pattern condition
Sender/User based on a Directory Server Group | Configuring the Sender/User based on a Directory Server Group condition
Recipient based on a Directory Server Group | Configuring the Recipient based on a Directory Server Group condition
Sender/User based on a Directory from an EDM Profile | Configuring the Sender/User based on a Profiled Directory condition
Recipient based on a Directory from an EDM Profile | Configuring the Recipient based on a Profiled Directory condition

Configuring compound rules

You can create compound rules and exceptions.
The detection engine connects conditions with an AND. All conditions in the rule or exception must be met to trigger or except an incident.
You are not limited in the number of match conditions you can include in a rule or exception. However, the multiple conditions you declare in a single rule or exception should be logically associated. Do not mistake compound rules or exceptions for multiple rules or exceptions in a policy.

Table 403: Configure a compound policy rule or exception

Step | Action | Description
Step 1 | Modify or configure an existing policy rule or exception. | You can add one or more additional match conditions to a rule or exception at the Configure Policy – Edit Rule or Configure Policy – Edit Exception screen.
Step 2 | Select an additional match condition. | Select the additional match condition from the Also Match list. This list appears at the bottom of the Conditions section for an existing rule or exception.
Step 3 | Review the available conditions. | The system lists all available additional conditions you can add to a policy rule or exception. See Adding a Rule to a Policy and Adding an Exception to a Policy.
Step 4 | Add the additional condition. | Click Add to add the additional match condition to the policy rule or exception. Once added, you can collapse and expand each condition in a rule or exception.
Step 5 | Configure the additional condition. | See Configuring Policy Rules and Configuring policy exceptions.
Step 6 | Select the same or any component to match. | If the condition supports component matching, specify where the data must match to generate or except an incident. Same Component: the matched data must exist in the same component as the other condition(s) that also support component matching to trigger a match. Any Component: the matched data can exist in any component that you have selected. See About cross-component matching.
Step 6 | Repeat this process to add additional match conditions to the rule or exception. | You can add as many conditions to a rule or exception as you need. All conditions in a single rule or exception must match to trigger an incident, or to trigger the exception.
Step 7 | Save the policy. | Click OK to close the rule or exception configuration screen. Click Save to save the policy configuration.

Configuring compound match conditions
Policy detection execution
Use compound conditions to improve match accuracy
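The rule-then-exception evaluation order described under Adding an Exception to a Policy, together with the Same Component and Any Component settings from the compound rule table above, modelled in Python as an added example (this is not Symantec Data Loss Prevention code; the `Rule` and `PolicyException` classes, the patterns and the sample messages are constructed, and re-evaluating the rules on the components that remain after a discard is an assumption the manual does not spell out):

```python
"""Added example (not Symantec DLP product code) modelling the evaluation order
the manual describes: rules first, then Entire Message exceptions, then Matched
Components Only exceptions, plus the Same Component / Any Component option of a
compound rule.  Every name, pattern and message here is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# The four message components a condition or exception can match on.
COMPONENTS: Tuple[str, ...] = ("envelope", "subject", "body", "attachment")


def components_matching(pattern: str, message: Dict[str, str],
                        match_on: Tuple[str, ...] = COMPONENTS) -> Set[str]:
    """Selected components in which the pattern occurs at least once."""
    return {c for c in match_on
            if re.search(pattern, message.get(c, ""), re.IGNORECASE)}


@dataclass
class Rule:
    name: str
    patterns: List[str]          # the rule's conditions; the engine ANDs them
    scope: str = "any"           # "same" = Same Component, "any" = Any Component

    def matched_components(self, message: Dict[str, str]) -> Set[str]:
        """Components on which the rule triggers; an empty set means no incident."""
        per_condition = [components_matching(p, message) for p in self.patterns]
        if not per_condition or any(not comps for comps in per_condition):
            return set()         # a condition found nothing, so the AND fails
        if self.scope == "same":
            # Same Component: every condition must hit in one and the same component.
            return set.intersection(*per_condition)
        # Any Component: each condition may hit in a different selected component.
        return set.union(*per_condition)


@dataclass
class PolicyException:
    name: str
    pattern: str
    apply_to: str = "entire"     # "entire" = Entire Message, "matched" = Matched Components Only
    match_on: Tuple[str, ...] = COMPONENTS


def evaluate_policy(rules: List[Rule], exceptions: List[PolicyException],
                    message: Dict[str, str]) -> Dict[str, Set[str]]:
    """Return {rule name: components that produced an incident} after exceptions.

    Order follows the manual: rules first, then Entire Message exceptions, then
    Matched Components Only exceptions.  Assumption: after a component is
    discarded, the rules are re-evaluated on the components that remain.
    """
    # Step 1: rules.  No rule match means there is nothing to except.
    if not any(rule.matched_components(message) for rule in rules):
        return {}
    # Step 2: an Entire Message exception discards the whole message.
    for exc in exceptions:
        if exc.apply_to == "entire" and components_matching(exc.pattern, message, exc.match_on):
            return {}
    # Step 3: a Matched Components Only exception discards only the component it matched.
    remaining = dict(message)
    for exc in exceptions:
        if exc.apply_to == "matched":
            for comp in components_matching(exc.pattern, remaining, exc.match_on):
                remaining[comp] = ""   # no longer available for evaluation
    incidents = {rule.name: rule.matched_components(remaining) for rule in rules}
    return {name: comps for name, comps in incidents.items() if comps}


# Constructed sample policy: a keyword AND a nine-digit id shaped like a US SSN.
KEYWORD = r"\bconfidential\b"
SSN_LIKE = r"\b\d{3}-\d{2}-\d{4}\b"
RULE_SAME = Rule("keyword and number, same component", [KEYWORD, SSN_LIKE], scope="same")
RULE_ANY = Rule("keyword and number, any component", [KEYWORD, SSN_LIKE], scope="any")
EXC_ENTIRE = PolicyException("sent by the HR mailbox", r"^From: hr@example\.com",
                             apply_to="entire", match_on=("envelope",))
EXC_MATCHED = PolicyException("marked as sample data", r"\bSAMPLE DATA\b", apply_to="matched")

# Constructed sample messages.
MSG_SPLIT = {"envelope": "From: dana@example.com", "subject": "",
             "body": "confidential memo", "attachment": "employee 123-45-6789"}
MSG_TOGETHER = dict(MSG_SPLIT, body="confidential: 123-45-6789", attachment="")
MSG_HR = dict(MSG_TOGETHER, envelope="From: hr@example.com")
MSG_SAMPLE = dict(MSG_TOGETHER, body="SAMPLE DATA confidential: 123-45-6789",
                  attachment="confidential 987-65-4321")

if __name__ == "__main__":
    print(evaluate_policy([RULE_SAME], [], MSG_SPLIT))   # {}: the two hits are in different components
    print(evaluate_policy([RULE_ANY], [], MSG_SPLIT))    # {...: {'body', 'attachment'}}
    print(evaluate_policy([RULE_SAME], [EXC_ENTIRE, EXC_MATCHED], MSG_HR))      # {}: whole message discarded
    print(evaluate_policy([RULE_SAME], [EXC_ENTIRE, EXC_MATCHED], MSG_SAMPLE))  # {...: {'attachment'}}
```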

Input character limits for policy configuration


When configuring a policy, consider the following input character limits for policy configuration components.

Table 404: Input character limits for policy configuration

Configuration element | Input character limit
Name of a policy component (Policy, Rule, Exception, Group, Condition) | 60 characters. Note: To import a policy as a template, the policy name must be less than 60 characters, otherwise it does not appear in the Imported Templates list.
Description of policy component | 255 characters
Name of Data Profile (Exact Data, Indexed Document, Vector Machine Learning, Form Recognition) | 255 characters
Data Identifier pattern limits | 100 characters per line. See Using the data identifier pattern language.

Manage and add policies


The Manage > Policies > Policy List screen is the home page for adding and managing policies. You implement policies to detect and report data loss.
Workflow for implementing policies
Policy List screen actions lists and describes the actions you can take at the Policy List screen.

Table 405: Policy List screen actions

Action | Description
Add a policy | Click New to create a new policy. See Adding a new policy or policy template.
Modify a policy | Click the policy name or edit icon to modify an existing policy. See Configuring policies.
Activate a policy | Select the policy or policies you want to activate, then click Activate in the policy list toolbar.
Make a policy inactive | Select the policy or policies you want to make inactive, then click Suspend in the policy list toolbar. Note: By default, all solution pack policies are activated on installation of the solution pack.
Sort policies | Click any column header to sort the policy list.
Filter policies | You can filter your policy list by Status, Name, Description, or Policy Group. To filter your policy list, click Filter in the policy list toolbar, then select or enter your filter criteria in the appropriate column or columns. To remove filters from your policy list, click Clear in the policy list toolbar.
Remove a policy | Select the policy or policies you want to remove, then click Delete in the policy list toolbar. You can also click the red X icon at the end of the policy row to delete an individual policy. Note: You cannot remove a policy that has active incidents. See Removing policies and policy groups.
Import and export policies | You can import and export policies using the Import and Export buttons in the policy list toolbar. See Importing policies and Exporting policies.
Export and import policy templates | You can export and import policy templates for reuse when authoring new policies. See Importing policy templates and Exporting policy detection as a template.
Download policy details | Click Download Details in the policy list toolbar to download details for the selected policies in the Policy List. Symantec Data Loss Prevention exports the policy details as HTML files in a ZIP archive. Open the archive to view and print policy details. See Downloading policy details.
View and print policy details | To view policy details for a single policy, click the printer icon at the end of the policy row. To print the policy details, use the print feature of your web browser. See Viewing and printing policy details.
Clone a policy | Select the policy or policies you want to clone, then click Clone in the policy list toolbar. See Cloning policies.
Assign policies to a policy group | You can assign individual or multiple policies to a policy group from the policy list page. Select the policy or policies you want to assign to a policy group, then click Assign Group in the policy list toolbar. Select the policy group from the drop-down list. See Policy groups.

Policy List screen display fields lists and describes the display fields at the Policy List screen.

Table 406: Policy List screen display fields

Column | Description
Status | The status column displays one of three states for the policy. Misconfigured Policy: the policy icon is a yellow caution sign (see Policy components). Active Policy: the policy icon is green; an active policy can detect incidents. Suspended Policy: the policy icon is red; a suspended policy is deployed but does not detect incidents.
Name | View and sort by the name of the policy. See About Data Loss Prevention policies.
Description | View the description of the policy. See Policy templates.
Policy Group | View and sort by the policy group to which the policy is deployed. See Policy groups.
Last Modified | View and sort by the date the policy was last updated. See Policy authoring privileges.

Manage and add policy groups
The System > Servers and Detectors > Policy Groups screen lists the configured policy groups in the system.
From the Policy Groups screen you manage existing policy groups and add new ones.

Table 407: Policy Groups screen actions

Action | Description
Add a policy group | Click Add to define a new policy group. See Policy groups.
Modify a policy group | To modify an existing policy group, click the name of the group. See Creating and modifying policy groups.
Remove a policy group | Select the policy group then click Delete. Note: If you delete a policy group, you delete any policies that are assigned to that group. See Removing policies and policy groups.
Find a policy group | You can search for a policy group by entering a search term in the Search bar. You can filter your results by Name, Description, or Servers by selecting the filter then clicking Apply Filter.
View policies in a group | To view the policies deployed to an existing policy group, navigate to the System > Servers and Detectors > Policy Groups > Configure Policy Group screen. See Creating and modifying policy groups.

Table 408: Policy Groups screen display fields

Column | Description
Name | The name of the policy group.
Description | The description of the policy group.
Available Servers and Detectors | The detection server or cloud detector to which the policy group is deployed. See Policy deployment.
Last Modified | The date the policy group was last modified.

Creating and modifying policy groups

At the System > Servers and Detectors > Policy Groups screen you configure a new policy group or modify an existing one.
Policy groups
To configure a policy group
1. Add a new policy group, or modify an existing one.
Manage and add policy groups
2. Enter the Name of the policy group, or modify an existing name.
Use an informative name. Policy authors and Enforce Server administrators rely on the policy group name when they associate the policy group with policies, roles, and targets.
The name value is limited to 256 characters.
3. Enter a Description of the policy group, or modify the existing description of an existing policy group.
4. Select one or more Servers and Detectors to assign the policy group to.
The system displays a check box for each detection server currently configured and registered with the Enforce Server.
• Select the All Servers or Detectors option to assign the policy group to all detection servers and cloud detectors in your system. If you leave this checkbox unselected, you can assign the policy group to individual servers.
The All Discover Servers entry is not configurable because the system automatically assigns all policy groups to all Network Discover Servers. This feature lets you assign policy groups to individual Discover targets.
• Deselect the All Servers or Detectors option to assign the policy group to individual detection servers. The system displays a check box for each server currently configured and registered with the Enforce Server. Select each individual detection server to assign the policy group.
5. Click Save to save the policy group configuration.

NOTE
The Policies in this Group section of the Policy Groups screen lists all the policies in the policy group. You cannot edit these entries. When you create a new policy group, this section is blank. After you deploy one or more policies to a policy group (during policy configuration), the Policies in this Group section displays each policy in the policy group.
Configuring policies
Policy deployment

Importing policies
You can export policies from an Enforce Server and import them to another Enforce Server. This feature makes it easier
to move policies from one environment to another. For example, you can export policies from your test environment and
import them into your production environment.

About importing policies


To import policies, you must have the Import Policies privilege. To enable this privilege, you must also have the Server
Administration, Author Policies, Author Response Rules, and All Policy Groups privileges.
Configuring Roles
When you import a policy, please note the following points:
• The policy is imported in the same state in which it was exported. For example, if a policy was active when it was exported, it will be active when you import it. The only exception to this behavior is for pre-existing policies on the system to which you are importing the policy (the "target system"). If the existing policy is active, then the imported policy will also be active, regardless of its state on the exporting system.
• Imported policies will overwrite existing policies that have the same name. You can change the name of the exported policy in the XML file if you want to import it without overwriting the existing policy.
• If the policy group to which the exported policy belonged exists on the target system, the policy will be added to that policy group, or overwrite a policy of the same name in that group. If the policy group does not exist on the target system, it will be created upon import. If the policy exists on the target system, but it belongs to a different policy group, the imported policy will be assigned to a newly created policy group on the target system, and will not overwrite the existing policy.
• When you import a policy, you can choose whether or not to import its response rules if those rules conflict with existing response rules on the target system.
• The Policy Import Preview page will display warnings about any policy elements that will be created or overwritten when you import the policy.
• You can only import one policy at a time.
To import a policy
1. Navigate to Manage > Policies > Policy List.
2. Click Import.
The Import Policy page appears.
3. Click Browse to select the exported policy file you want to import.
4. Click Import Policy.
The Policy Import Preview page appears. This page warns you of any policy elements that may be overwritten
when you import this policy. If the policy you are importing includes any response rules among the elements that may
be overwritten, you can exclude those response rules from import on this page.
5. Click Proceed with import.
The policy is imported. If the policy has any unresolved references, the Policy References Check page appears.
You can resolve any unresolved policy references on this page.
About policy references

About Policy References


Policies are exported in XML format. The XML policy files contain policy metadata, references to any data profiles,
response rules, data identifiers, and the detection and group rules and exceptions. The files do not contain the actual data
profiles, directory connections, credentials, or FlexResponse plug-ins. You must provide those items on the system into
which you are importing the policy.
When you import a policy, Symantec Data Loss Prevention will alert you to any unresolved references on the Policy
References Check page. The Policy References Check page displays at the end of the policy import process. You can
also view this page by clicking the unresolved references icon on the Policy List and Policy Edit pages.
To resolve policy references, click the edit (pencil) icon on the Policy References Check page. Symantec Data Loss
Prevention displays the appropriate edit page for each unresolved reference. The Resolving Policy References table
lists the resolution for each type of unresolved reference.

Table 409: Resolving Policy References

Unresolved Policy Reference Resolution

Policy group where no detection server is specified: Select detection servers for the policy group.
Directory connection with missing credentials: Provide the credentials for the directory connection.
EDM profile with missing source file and index: Specify the correct data source file.
IDM profile with missing import path and file name: Specify the correct data source.
Remote IDM profile with missing credentials: Provide the credentials for the remote IDM profile.
VML profile with trained profile and related data missing: Provide the trained profile and its related data, then train and accept the VML profile.
Form Recognition profile with missing gallery ZIP archive: Provide the gallery ZIP archive.
Endpoint quarantine response rule with missing saved credentials: Provide the credentials for the endpoint quarantine response rule.

Exporting policies
You can export your policy data to an XML file to easily share policies between Enforce Servers.

About policy export


Policies are exported in XML format. The XML policy files contain policy metadata, references to any data profiles,
response rules, data identifiers, and the detection and group rules and exceptions. The files do not contain the actual data
profiles, directory connections, credentials, or FlexResponse plug-ins. You must copy those items to the system into which
you are importing the policy.
You can export policies individually or in bulk. To export policies, you must have the Author Policies privilege.
Configuring Roles
Exported policies include the following items:
• Policy name, description, and policy group
• Policy rules, including Form Recognition, EDM, IDM, and VML definitions
• Endpoint locations and devices
• Sender and recipient patterns
• Response rules
• Data identifiers
• Custom protocols
Exported policies do not include the following items:
• Credentials
• Form Recognition, EDM, IDM, or VML indexes
• Form Recognition, EDM or IDM data source files
• VML training files
• FlexResponse plug-ins
To export policies
1. Navigate to Manage > Policies > Policy List.
2. Take one of the following actions:
• To export a single policy, click the export icon for that policy.
• To export multiple policies to a ZIP archive, select the policies you want to export, then click Export.
3. Symantec Data Loss Prevention exports your policy or policies using the following naming conventions:
• For single policies, the naming convention is ENFORCEHOSTNAME-POLICYNAME-DATE-TIME.XML.
• For bulk policy export, the naming convention is ENFORCEHOSTNAME-policies-DATE-TIME.ZIP.

Cloning policies
You can clone policies from the Policy List page.
Cloned policies are exact copies of the original policy. They include the following items:
• Modified policy name, description, and policy group. Cloned policies appear in the Policy List as Copy N of original policy name.
• Policy rules, including Form Recognition, EDM, IDM, and VML definitions
• Endpoint locations and devices
• Sender and recipient patterns
• Response rules
• Data identifiers
• Custom protocols
NOTE
You must have policy authoring privileges to clone policies.
For information about importing and exporting policies and policy templates, see these topics:
Exporting policies
Importing policies
Exporting policy detection as a template
Importing policy templates

Importing Policy Templates


You can import one or more policy templates to the Enforce Server. You must have policy system privileges to import
policy templates.
Policy template import and export
Exporting policy detection as a template
To import one or more policy templates to the Enforce Server
1. Place one or more policy template XML file(s) in the \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\templates directory on the Enforce Server host.
You can import multiple policy templates by placing them all in the templates directory.
2. Make sure that the directory and file(s) are readable by the "protect" system user.
3. Log on to the Enforce Server Administration Console with policy authoring privileges.
4. Navigate to Manage > Policies > Policy List and click Add Policy.
5. Choose the option Add a policy from a template and click Next.
6. Scroll down to the bottom of the template list to the Imported Templates section.
You should see an entry for each XML file you placed in the templates directory.
7. Select the imported policy template and click Next to configure it.
Configuring policies

Exporting policy detection as a template


You can export policy detection rules and exceptions in a template (XML file). You cannot export policy response rules.
You can only export one policy template at a time.
Policy template import and export
To export a policy as a template
1. Log on to the Enforce Server administration console with administrator privileges.
2. Navigate to the Manage > Policies > Policy List > Configure Policy screen for the policy you want to export.
3. At the bottom of the Configure Policy screen, click the Export this policy as a template link.
4. Save the policy to a local or network destination of your choice.
For example, the system exports a policy named Webmail to the policy template file Webmail.xml which you can
save to your local drive.

Importing policy templates


For information about importing, exporting, and cloning policies, see these topics:
Exporting policies
Importing policies
Cloning policies

Adding an automated response rule to a policy


You can add one or more automated response rules to a policy to take action when that policy is violated.

NOTE
Smart response rules are executed manually and are not deployed with policies.
To add an automated response rule to a policy
1. Log on to the Enforce Server administration console with policy authoring privileges.
Policy authoring privileges
2. Navigate to the Manage > Policies > Policy List > Configure Policy screen for the policy you want to add a
response rule to.
3. Select the response rule you want to add from those available in the drop-down menu.
Policies and response rules are configured separately. To add a response rule to a policy, the response rule must first
be defined and saved independently.

4. Click Add Response Rule to add the response rule to the policy.
5. Repeat the process to add additional response rules to the policy.
6. Save the policy when you are done adding response rules.
7. Verify that the policy status is green after adding the response rule to the policy.
Manage and add policies

NOTE
If the policy status is a yellow caution sign, the policy is misconfigured. The system does not support certain
pairings of detection rules and automated response rule actions.

Removing policies and policy groups


Consider the following guidelines before you delete a policy or a policy group from the Enforce Server.

Table 410: Guidelines for removing policies and policy groups

Action: Remove a policy
Description: If you attempt to delete a policy that has associated incidents, the system does not let you remove the policy.
Manage and add policies
Guideline: If you want to delete a policy, you must first delete all incidents that are associated with that policy from the Enforce Server.
An alternative is to create an undeployed policy group (one that is not assigned to any detection servers). This method is useful to maintain legacy policies and incidents for review without keeping these policies in a deployed policy group.
Policy template import and export

Action: Remove a policy group
Description: If you attempt to delete a policy group that contains one or more policies, the system displays an error message, and the policy group is not deleted.
Manage and add policy groups
Guideline: Before you delete a policy group, remove any policies from that group by either deleting them or assigning them to different policy groups.
If you want to remove a policy group, create a maintenance policy group and move the policies you want to remove to the maintenance group.
Creating and modifying policy groups

About Data Loss Prevention policies


Policy groups

Viewing and printing policy details


You can view and print policy details for a single policy from the Policy List screen.
You must have the Author Policies privilege for the policies you want to view and print.
Policy authoring privileges
Viewing, printing, and downloading policy details
To view and print policy details
1. Navigate to Manage > Policies > Policy List and click the printer icon at the end of the policy row.
The Policy Snapshot screen appears.
2. View the general policy information, detection rules, and response rules on the Policy Snapshot screen.
3. To print the policy details, use the Print command in your web browser from the Policy Snapshot screen.

Downloading policy details


You can download a ZIP archive of details for policies in the Policy List. The ZIP archive contains HTML
documents with details for each selected policy on the Policy List, as well as an index file to make it easier to
find the policy details you want. The files are titled using the policy ID, such as 123.html. The index file is titled
downloaded_policies_DATE.html, and it contains the policy name, description, status, policy group, and last
modified date of all selected policies in the download, as well as links to the policy details.
You must have the Author Policies privilege for the policies you want to download.
Policy authoring privileges
Viewing, printing, and downloading policy details
To download policy details
1. Navigate to Manage > Policies > Policy List, select the policy or policies you want, then click Download Details.
2. In the Open File dialog box, select Save File, then click OK.
3. To view details for a policy, extract the files from the ZIP archive, then open the file you want to view. Use the index file
to search through the downloaded policies by policy name, description, status, policy group, or last modified date.
The Policy Snapshot screen appears.
4. To print the policy details, use the Print command in your web browser from the Policy Snapshot screen.

Troubleshooting policies
Log files for troubleshooting policies lists log files to consult for troubleshooting policies.

Table 411: Log files for troubleshooting policies

Log file Description

SymantecDLPDetectionServer.log: Logs when policies and profiles are sent from the Enforce Server to detection servers and endpoint servers. Displays JRE errors.
detection_operational.log and detection_operational_trace.log: Log the loading of policies and detection execution.
FileReader.log: Logs when an index file is loaded into memory. For EDM, look for the line "loaded database profile." For IDM, look for the line "loaded document profile."
Indexer.log: Logs the operations of the Indexer process to generate EDM and IDM indexes.

Log files for troubleshooting VML training and policy detection

Updating EDM and IDM profiles to the latest version


You must reindex your data and document sources when you upgrade. Before deploying an index into production, test the
updated profile and policies based on the profile to ensure that they detect data loss as expected on the upgraded system.
Reindexing requirements for EDM and IDM data profiles lists the reindexing requirements for updating your EDM and IDM
profiles and provides links for more information.

Table 412: Reindexing requirements for EDM and IDM data profiles

Technology and features: Exact Data Matching (EDM)
• Multi-token matching
• Proportional proximity range
Required action(s): If you have existing Exact Data profiles supporting EDM policies and you want to use new EDM features, before upgrading the detection server(s) you must:
• Reindex each structured data source using the latest EDM indexer, and
• Load each index into a newly-generated Exact Data profile.
More information: Updating EDM indexes to the latest version

Technology and features: Indexed Document Matching (IDM)
• Exact match IDM on the endpoint (Agent IDM)
Required action(s): If you have existing Indexed Document profiles supporting IDM policies and you want to use Agent IDM, after upgrading you must:
• Disable two-tier detection on the Endpoint Server, and
• Reindex each document data source so that the endpoint index is generated and deployed to the Endpoint Server for download by the DLP Agent.

Updating policies after upgrading to the latest version


Several policy templates were updated at Symantec Data Loss Prevention 15.1. When you upgrade to version 15.1, the
system updates the system-defined policy templates. Policies you have created based on an upgraded policy template
are not changed so that configurations you have made are not overwritten. If you have created policies based on one or
more of the updated policy templates, you should update your policies so that they are current.
The General Data Protection Regulation (GDPR) policy templates were updated to include several new European data
identifiers. The keyword lists were also updated.
Policy templates that use data identifier patterns to detect Social Security Numbers (SSNs) were updated to use the
Randomized US SSN data identifier in Symantec Data Loss Prevention 12.5. The Randomized US SSN data identifier
detects both traditional and randomized SSNs. Symantec recommends that you update your SSN policies to use the
Randomized US SSN data identifier if you have not done so already.
Updating policies to use the Randomized US SSN data identifier
Policy templates updated in Data Loss Prevention version 12.5 lists the policy templates updated for this release of
Symantec Data Loss Prevention.

Table 413: Policy templates updated in Data Loss Prevention version 12.5

Updated template: General Data Protection Regulations (Banking and Finance)
Updated component(s): Data identifiers, Keyword lists
Policy description: This policy protects personal identifiable information related to banking and finance.
General Data Protection Regulation (Banking and Finance)

Updated template: General Data Protection Regulation (Digital Identity)
Updated component(s): Data identifiers, Keyword lists
Policy description: This policy protects personal identifiable information related to digital identity.
General Data Protection Regulation (Digital Identity)

Updated template: General Data Protection Regulation (Government Identification)
Updated component(s): Data identifiers, Keyword lists
Policy description: This policy protects personal identifiable information related to government identification.
General Data Protection Regulation (Government Identification)

Updated template: General Data Protection Regulation (Healthcare and Insurance)
Updated component(s): Data identifiers, Keyword lists
Policy description: This policy protects personal identifiable information related to healthcare and insurance.
General Data Protection Regulation (Healthcare and Insurance)

Updated template: General Data Protection Regulation (Personal Profile)
Updated component(s): Data identifiers, Keyword lists
Policy description: This policy protects personal identifiable information related to personal profile data.
General Data Protection Regulation (Personal Profile)

Updated template: General Data Protection Regulation (Travel)
Updated component(s): Data identifiers, Keyword lists
Policy description: This policy protects personal identifiable information related to travel.
General Data Protection Regulation (Travel)

About Installing Remote Indexers


You install Symantec Data Loss Prevention remote indexers on one or more systems where the confidential files that you
want to index are stored.
The steps to install remote indexers are different depending on the operating system.
NOTE
The indexer that is available on the Enforce Server administration console does not require a separate
installation. The indexer is installed when you install the Enforce Server.
If you install a remote indexer on Windows, you can run a silent installation. You can also run the graphical user interface
method to install.
Installing a remote indexer on Windows
On Linux, you install RPM files, then you configure the installation. You can configure the installation using the silent
method or by running a command prompt to enter configuration parameters.
Installing a remote indexer on Linux
You can install the Remote Indexer on all supported Windows and Linux platforms. See Supported operating systems for
the EMDI, EDM, and IDM Remote Indexers for platform details.
NOTE
You must log on as administrator (Windows) or root (Linux) to install the remote indexers. There is an issue with
the permissions on the remote indexers. You must follow a workaround procedure to assure that users other
than administrator or root can run the remote indexers.
Permissions for users to run the remote indexers (EDM)
Installing a remote indexer on Windows

Installing a remote indexer on Windows


Follow this procedure to install the remote indexer software on a remote indexer computer. You specify the type of remote
indexer during the configuration process that follows this installation process.
NOTE
The following instructions assume that the indexer installer (Indexers.msi) has been copied from the Enforce
Server to a local directory on the remote computer. The Indexers.msi file is included in your software
download (DLPDownloadHome) directory. It should have been copied to a local directory on the Enforce Server
during the Enforce Server installation process.
Using the graphical user interface method to install does not generate log information. To generate log information, run the
installation using the following command:
C:\> msiexec /i Indexers.msi /L*v c:\indexers_install.log

You can complete the installation silently from the command line. Enter values with information specific to your installation
for the following:

Table 414: Indexer installation parameters for Windows

Command Description

INSTALLATION_DIRECTORY: Specifies where the remote indexer is installed. The default location is C:\Program Files\Symantec\DataLossPrevention.
DATA_DIRECTORY: Defines where Symantec Data Loss Prevention stores files that are updated while the indexer is running (for example, logs and licenses). The default location is C:\ProgramData\Symantec\DataLossPrevention\Indexer\.
JRE_DIRECTORY: Specifies where the JRE resides.
FIPS_OPTION: Defines whether to disable (Disabled) or enable (Enabled) FIPS encryption. The default is disabled.

The following is an example of what the completed command might look like:
msiexec /i Indexers.msi /qn /norestart /L*v Indexers.log
FIPS_OPTION=Disabled
INSTALLATION_DIRECTORY="C:\Program Files\Symantec\DataLossPrevention"
DATA_DIRECTORY="C:\ProgramData\Symantec\DataLossPrevention\Indexer\"

To install a remote indexer on Windows


1. Log on as Administrator to the system on which you intend to install the remote indexer.
2. Go to the folder where you copied the Indexers.msi file.
NOTE
Using the graphical user interface method to install does not generate log information. To generate log
information, run the installation using the following command:
C:\> msiexec /i Indexers.msi /L*v c:\indexer_install.log

3. Double-click Indexers.msi to open the file, and click OK.


4. In the Welcome panel, click Next.
5. After you review the license agreement, select I accept the agreement, and click Next.
6. In the Destination Folder panel, accept the default destination directory, or enter an alternate directory, and click
Next. The default installation directory is:
c:\Program Files\Symantec\DataLossPrevention\
Symantec recommends that you use the default destination directory. References to the "installation directory" in
Symantec Data Loss Prevention documentation are to this default location.

7. In the JRE Directory panel, accept the default JRE location (or click Browse to locate it), and click Next.
8. In the FIPS Cryptography Mode panel, select whether to disable or enable FIPS encryption.
9. Click Next.
10. Click Install.

About the Remote EDM Indexer


About the Remote IDM Indexer
Installing a remote indexer on Linux

Installing a remote indexer on Linux


Follow this procedure to install the remote indexer software on a remote indexer computer. You specify the type of remote
indexer during the configuration process that follows this installation process.
NOTE
The following instructions assume that the Indexers.zip file has been copied into the /opt/temp/ directory
on the server computer.
To install an indexer on Linux
1. Log on as root to the computer on which you intend to install the remote indexer.
2. Copy the remote indexer installer (Indexers.zip) from the Enforce Server to a local directory on the remote indexer
computer. The Indexers.zip file is included in your software download (DLPDownloadHome) directory. It should
have been copied to a local directory on the Enforce Server during the Enforce Server installation process.
3. Navigate to the directory where you copied the Indexers.zip file (/opt/temp/).
4. Unzip the file to the same directory.
5. Confirm file dependencies for RPM files by running the following command:
rpm -qpR symantec-dlp-15-1-indexers-15.5-1.el6.x86_64.rpm

6. Run the following command to install all RPM files in the folder:
rpm -ivh *.rpm

Configuring a remote indexer on Linux

Configuring a Remote Indexer on Linux


After you install a remote indexer, you configure it by running the Remote indexer configuration utility.
You can complete the installation silently. Indexer installation parameters on Linux lists the installation parameters you use
during the remote indexer silent installation.

Table 415: Indexer installation parameters on Linux

Command Description

jreDirectory: Specifies where the JRE resides.
fipsOption: Defines whether to disable (Disabled) or enable (Enabled) FIPS encryption.

The following is an example of what the completed command might look like:
./IndexersConfigurationUtility -silent
-jreDirectory=/opt/Symantec/DataLossPrevention/Server\ JRE/1.8.0_202/
-fipsOption=Disabled

To configure a remote indexer on Linux


1. Navigate to the installation directory:
/opt/Symantec/DataLossPrevention/Indexers/16.0.10000/Protect/install
2. Run the remote indexer configuration utility. Use the following command to launch the utility:
./IndexersConfigurationUtility

3. Enter the following information in the Remote indexer configuration utility:

JRE directory: Enter the JRE directory. The default directory is /opt/Symantec/DataLossPrevention/Server JRE/[JRE version].
Note: If you install the JRE before running ./IndexersConfigurationUtility, then you do not enter the JRE directory. The Remote Indexer Configuration Utility automatically defines the JRE path.

FIPS encryption: Select whether to disable or enable FIPS encryption.

About the Remote EDM Indexer


About the Remote IDM Indexer

Best practices for authoring policies


This section provides general policy authoring best practices for Symantec Data Loss Prevention. This section assumes
that you have general familiarity with policy authoring, including the configuration, testing, and deployment of policies,
detection rules, match conditions, and policy exceptions.
About Data Loss Prevention policies
Detecting data loss
Best practices are not intended to provide detailed troubleshooting guidance. Rather, the goal of this section is to provide
best practices that reduce the need for policy troubleshooting and support.

Table 416: Summary of policy authoring best practices

Each best practice below is described in its own section of the same name:
• Develop a policy strategy that supports your data security objectives.
• Use a limited number of policies to get started.
• Use policy templates but modify them to meet your requirements.
• Use policy groups to manage the policy lifecycle.
• Use the appropriate match condition for your data loss prevention objectives.
• Test and tune policies to improve match accuracy.
• Start with high match thresholds to reduce false positives.
• Use a limited number of exceptions to narrow detection scope.
• Use compound rules to improve match accuracy.
• Author policies to limit the potential effect of two-tier detection.
• Follow detection-specific best practices.

Develop a policy strategy that supports your data security objectives


The goal of detection is to achieve accurate results based on true policy matches. Well-authored policies should
accurately detect the data you want to protect with minimal false positives. Through the use of well-defined policies that
implement the right type and combination of rules, conditions, and exceptions, you can achieve accurate detection results
and prevent the loss of the most critical data in your enterprise.
There are two general approaches to developing a data loss prevention policy strategy:
• Information-driven – Identify sensitive data and author policies to prevent it from being lost.
• Regulation-driven – Review government and industry regulations and author policies to comply with them.
Policy detection approaches describes these two approaches in more detail.

Table 417: Policy detection approaches

Approach Description

Information-driven With this approach you start by identifying specific data items and data combinations you want to protect.
Examples of such data may include fields profiled from a database, a list of keywords, a set of users, or a
combination of these elements. You then group similar data items together and create policies to identify
and protect them. This approach works best when you have limited access to the data or no particular
concerns about a given regulation.
Regulation-driven With this approach you begin with a policy template based on the regulations with which you must comply.
Examples of such templates may include HIPAA or FACTA. Also, begin with a large set of data (such as
customer or employee data). Use the high-level requirements stipulated by the regulations as the basis
for this approach. Then, decide what sensitive data items and documents in your enterprise meet these
requirements. These data items become the conditions for the detection rules and exceptions in your
policies.

Use a limited number of policies to get started


The policy detection rules you implement are based on your organization's information security objectives. The actions
you take in response to policy violations are based on your organization's compliance requirements. In general you
should start small with policy detection. Enable one or two policy templates, or a few simple conditions, such as keyword
matching. Review the incidents each policy detects. Tune the results before you implement response rules to take action.
Generally it is better to have fewer policies that are configured to address specific data loss prevention objectives rather
than many policies that attempt to address all of your security requirements. Having too many policies can impact the
performance of the system and can lead to too many false positives.
Test and tune policies to improve match accuracy

Use policy templates but modify them to meet your requirements


Policy templates provide an excellent starting point for authoring policies. Symantec Data Loss Prevention provides 65
pre-built policy templates that contain detection rules and conditions for many different types of use cases, including
regulatory compliance, data protection, security enforcement, and acceptable use scenarios.

You should use the system-provided policy templates as starting points for your policies. Doing so will save time and
help you avoid errors and information gaps in your policies since the detection methods are predefined. However, for
most situations you will want to modify the policy template and tailor it for your specific environment. Deploying a policy
template out-of-the-box without configuring it for your environment is not recommended.
Creating a policy from a template

Use the appropriate match condition for your data loss prevention objectives
To prevent data loss, it is necessary to accurately detect all types of confidential data wherever that data is stored, copied,
or transmitted. To meet your data security objectives, you need to implement the appropriate detection methods for the
type of data you want to protect. The recommendation is to determine the detection methods that work best for you, and
tune the policies as necessary based on the results of your detection testing.
Match conditions compared describes the primary use case for each type of policy match condition provided by Data Loss
Prevention.

Table 418: Match conditions compared

Type of data you want to protect: Personally Identifiable Information (PII), such as SSNs, CCNs, and Driver's License numbers
• EDM: Exact profiled data
• Data Identifiers: Described, validated data patterns

Type of data you want to protect: Confidential documents, such as Microsoft Word, PowerPoint, PDF, etc.
• IDM: Exact file contents; Partial file contents (derivative)
• VML: Similar file contents

Type of data you want to protect: Confidential files and images, such as CAD drawings
• IDM: Exact file
• File Properties: File context (type, name, size)

Type of data you want to protect: Words and phrases, such as "Confidential" or "Proprietary"
• Keywords: Exact words, phrases, proximity

Type of data you want to protect: Characters, strings, text
• Regular Expressions: Described text

Type of data you want to protect: Network and endpoint communications
• Protocol and Endpoint: Protocols, destinations, monitoring

Type of data you want to protect: Determined by the identity of the user, sender, recipient
• Synchronized DGM: Exact identity from LDAP server
• Profiled DGM: Exact profiled identity
• Sender/user, recipient: Described identity patterns

Type of data you want to protect: Describes a document, such as author, title, date, etc.
• Content-based conditions: File type metadata

Test and tune policies to improve match accuracy


When you create detection policies, there are two common detection problems to avoid. If you create a policy that is too
general or too broad, it generates incidents when no real match has occurred (false positive). On the other hand, if a
policy has rules that are too specific or narrow about the data it detects, the policy may miss some of the matches you
intend to catch (false negatives). Common detection problems to avoid describes these common problems in more detail.
To reduce false positives and negatives, you need to tune your policies. The best way to tune detection is to identify a
single, specific use case that is a priority, such as protecting source code for a particular product. You then create a single
policy—either from scratch or based on a template, depending on your DLP strategy—containing one or two detection
rules and test the policy to see how many (quantity) and the types (quality) of incidents the policy generates. Based on
these initial results, you adjust the detection rule(s) as needed. If the policy generates more false positives than you want,
make the detection rule(s) more specific by fine-tuning the existing match conditions, adding additional match conditions,
and creating policy exceptions. If the policy does not detect some incidents, make the detection condition(s) less specific.
As your policies mature, it is important to continuously test and tune them to ensure ongoing accuracy.
Follow detection-specific best practices

Table 419: Common detection problems to avoid

Problem: False positives
Cause: Policy rules too general or broad
Description: False positives create high costs in time and resources that are required to investigate and resolve apparent incidents that are not actual incidents. Since many organizations do not have the capacity to manage excess false positives, it is important that your policies define contextual rules to improve accuracy.
For example, a policy is designed to protect customer names and generates an incident for anything that contains a first and last name. Since most messages contain a name—in many cases both first and last names—this policy is too broad and general. Although it may catch all instances of customer names being sent outside the network, this policy will return too many false positives by detecting email messages that do not divulge protected information. First and last names require a much greater understanding of context to determine if the data is confidential.

Problem: False negatives
Cause: Policy rules too tight or narrow
Description: False negatives obscure gaps in security by allowing data loss, the potential for financial losses, legal exposure, and damage to the reputation of an organization. False negatives are especially dangerous because you do not know you have lost sensitive data.
For example, a policy that contains a keyword match on the word "confidential" but also contains a condition that excludes all Microsoft Word documents would be too narrow and susceptible to false negatives, because it would likely miss many actual incidents contained in such documents.

Start with high match thresholds to reduce false positives


Use a limited number of exceptions to narrow detection scope
Use compound conditions to improve match accuracy

Start with high match thresholds to reduce false positives


For content-based detection rules, there is a configuration setting that lets you "count all matches" but only report an
incident after a threshold number of matches has been reached. The general recommendation is to start with high match
thresholds for your content-based detection policies. As you tune your policies you can reduce the match thresholds to be
more precise.
Configuring match counting

Use a limited number of exceptions to narrow detection scope


You can implement exception conditions for any detection rule, except EDM rules. The limited use of exception conditions
can help to reduce false positives by narrowing the scope of policy detection. However, if you must use several exceptions
in a single policy to achieve the desired detection results, reconsider the design of the policy. Make sure that the policy is
well defined and uses the proper match conditions. You can now define many exceptions on both the server and on the
agent.
Understand how exception conditions work so that you can use them properly. Exception conditions disqualify messages
from creating incidents. Exception conditions are checked first by the detection server before match conditions. If the
exception condition matches, the system immediately discards the entire message or message component that met the
exception. There is no support for match-level exceptions. Once the message or message component is discarded by
meeting an exception, the data is no longer available for policy evaluation.
Exception conditions
Use compound rules to improve match accuracy

Use compound rules to improve match accuracy


Compound rules can help you improve the match accuracy of your policies. Suppose you are concerned about Microsoft
Word documents leaving the network. Initially, you add a policy that uses an attachment type condition to catch all
Word files. You quickly discover that too many messages contain Word file attachments that do not divulge protected
information. When you examine the incidents more closely, you realize that you are more concerned with Word files that
contain the word CONFIDENTIAL. In this case, you can convert the attachment type condition to a compound rule by
adding a keyword rule for the word CONFIDENTIAL. Such a configuration achieves more accurate detection results.
Compound conditions
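The three preceding sections describe an evaluation order that is easy to get wrong: exception conditions are checked first and discard a whole message component, a content condition can "count all matches" and report only above a threshold, and a compound rule requires every condition to hit the same component. The following Python models exactly that order on the Word-attachment scenario above. It is an added example written for this guide, not Symantec DLP code; the class names, the min_matches threshold field, the sample message components and the "approved for external release" exception marker are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Illustrative model only; names and thresholds are assumptions, not product settings.

@dataclass
class Component:
    name: str            # "body" or the attachment file name
    kind: str            # "body" or "attachment"
    text: str
    file_type: str = ""  # attachment extension such as "docx"

@dataclass
class Condition:
    name: str
    count: Callable[[Component], int]  # number of matches inside one component
    min_matches: int = 1               # "count all matches" threshold for an incident

def keyword_condition(name: str, words: List[str], min_matches: int = 1) -> Condition:
    pats = [re.compile(r"\b%s\b" % re.escape(w), re.IGNORECASE) for w in words]
    return Condition(name, lambda c: sum(len(p.findall(c.text)) for p in pats), min_matches)

def attachment_type_condition(name: str, types: set) -> Condition:
    return Condition(name, lambda c: int(c.kind == "attachment" and c.file_type in types))

@dataclass
class Rule:
    name: str
    conditions: List[Condition]  # compound rule: every condition must hit the same component

@dataclass
class Policy:
    name: str
    rules: List[Rule]
    exceptions: List[Condition] = field(default_factory=list)

Incident = Tuple[str, str, Dict[str, int]]

def evaluate(policy: Policy, components: List[Component]) -> List[Incident]:
    """Return (rule name, component name, per-condition counts) for each incident."""
    # Exceptions run before any rule. A component that meets an exception is
    # discarded whole (there are no match-level exceptions), so none of its
    # data remains available to the rules below.
    survivors = [c for c in components
                 if not any(e.count(c) >= e.min_matches for e in policy.exceptions)]
    incidents = []
    for rule in policy.rules:
        for comp in survivors:
            counts = {cond.name: cond.count(comp) for cond in rule.conditions}
            if all(counts[cond.name] >= cond.min_matches for cond in rule.conditions):
                incidents.append((rule.name, comp.name, counts))
    return incidents

# Constructed sample message: a body plus three Word attachments (not real data).
SAMPLE = [
    Component("body", "body", "Hi, see attached. Regards"),
    Component("q3_plan.docx", "attachment",
              "CONFIDENTIAL - Q3 roadmap. CONFIDENTIAL draft, do not forward.", "docx"),
    Component("lunch_menu.docx", "attachment", "Menu for Friday", "docx"),
    Component("press_release.docx", "attachment",
              "CONFIDENTIAL until launch. CONFIDENTIAL. Approved for external release.", "docx"),
]

def broad_policy() -> Policy:
    # Attachment type alone: fires on every Word file, including the lunch menu.
    return Policy("Word files", [
        Rule("any docx", [attachment_type_condition("Word attachment", {"docx"})])])

def compound_policy(min_keyword_hits: int = 2) -> Policy:
    # The same attachment condition AND a keyword condition with a match threshold.
    return Policy("Confidential Word files", [Rule("docx + CONFIDENTIAL", [
        attachment_type_condition("Word attachment", {"docx"}),
        keyword_condition("CONFIDENTIAL", ["CONFIDENTIAL"], min_keyword_hits)])])

def compound_policy_with_exception() -> Policy:
    policy = compound_policy()
    # Exception: a component that carries an explicit release marker is dropped first.
    policy.exceptions.append(
        keyword_condition("release marker", ["approved for external release"]))
    return policy

if __name__ == "__main__":
    for pol in (broad_policy(), compound_policy(), compound_policy_with_exception()):
        print(pol.name, "->", [(r, c) for r, c, _ in evaluate(pol, SAMPLE)])
```

Raising the keyword threshold to three drops the remaining incidents entirely, which is the "start high, then lower" tuning loop the previous sections recommend; the exception removes the press release before the compound rule ever sees it.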

Author policies to limit the potential effect of two-tier detection


The Exact Data Matching (EDM) and profiled Directory Group Matching (DGM) conditions require two-tier detection. For
these conditions, the DLP Agent must send the data to the Endpoint Server for evaluation. If Indexed Document Matching
(IDM) is enabled, it uses two-tier detection.
Two-tier detection for DLP Agents
DLP executes the least expensive rules first. If you are deploying a policy that requires two-tier detection, you can author
the policy in such a way as to limit the potential effect of two-tier detection.
Policy configurations for two-tier detection rules provides some considerations for authoring policies to limit the potential
effect of two-tier detection.
Detection Messages and Message Components

Table 420: Policy configurations for two-tier detection rules

Two-tier match condition: Exact Data Matching (EDM)
Policy configuration: For EDM policies, consider including Data Identifier rules OR'd with EDM rules. For example, for a policy that uses an EDM condition to match social security numbers, you could add a second rule that uses the SSN Data Identifier condition. The Data Identifier does not require two-tier detection and is evaluated locally by the DLP Agent. If the DLP Agent is not connected to the Endpoint Server when the DLP Agent receives the data, the DLP Agent can still perform SSN pattern matching based on the Data Identifier condition.
Combine Data Identifiers with EDM rules to limit the impact of two-tier detection
For example policy configurations, see the policy templates: each of the policy templates that provide EDM conditions also provides corresponding Data Identifier conditions.
Choosing an Exact Data Profile

Two-tier match condition: Indexed Document Matching (IDM)
Policy configuration: For IDM policies that match file contents, consider using VML rules OR'd with IDM rules. VML rules do not require two-tier detection and are executed locally by the DLP Agent. If you do not need to match file contents exactly, you may want to use VML instead of IDM.
Use the appropriate match condition for your data loss prevention objectives
If you are only concerned with file matching, not file contents, consider using compound file property rules instead of IDM. File property rules do not require two-tier detection.
Use compound file property rules to protect design and multimedia files

Two-tier match condition: Directory Group Matching (DGM)
Policy configuration: For the synchronized DGM Recipient condition, consider including a Recipient Matches Pattern condition OR'd with the DGM condition. The pattern condition does not require two-tier detection and is evaluated locally by the DLP Agent.
About two-tier detection for synchronized DGM
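The table above recommends OR'ing a locally evaluated Data Identifier rule with an EDM rule so that an agent that cannot reach the Endpoint Server still catches the pattern. The following Python is an added example, not Symantec DLP code, that shows what that buys you: a policy is a list of OR'd rules, the cheaper rule runs first, and a two-tier rule is skipped when the agent is offline. The cost numbers, the "first matching rule decides" short-circuit, the EndpointServer class and the constructed EDM index contents are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

# Illustrative model only. The cost values, the "cheapest first" ordering and
# stopping at the first matching rule are assumptions made for this example.

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

class EndpointServer:
    """Stands in for the Endpoint Server side of two-tier EDM (constructed index)."""
    def __init__(self, indexed_ssns: Set[str]):
        self.indexed = indexed_ssns

    def edm_lookup(self, text: str) -> bool:
        # Exact profiled data: only values present in the EDM index count.
        return any(m.group(0) in self.indexed for m in SSN_RE.finditer(text))

def ssn_data_identifier(text: str) -> bool:
    # Described, validated pattern; runs on the agent with no server round trip.
    for area, group, serial in SSN_RE.findall(text):
        if area not in ("000", "666") and not area.startswith("9") \
                and group != "00" and serial != "0000":
            return True
    return False

@dataclass
class Rule:
    name: str
    cost: int         # relative expense; cheaper rules are evaluated first
    two_tier: bool    # needs the Endpoint Server
    matches: Callable[[str, Optional[EndpointServer]], bool]

def evaluate(rules: List[Rule], text: str,
             server: Optional[EndpointServer]) -> Tuple[bool, List[str]]:
    """Rules in one policy are OR'd. Returns (incident?, trace of rules consulted)."""
    trace = []
    for rule in sorted(rules, key=lambda r: r.cost):
        if rule.two_tier and server is None:
            trace.append(rule.name + " (skipped: agent offline)")
            continue
        trace.append(rule.name)
        if rule.matches(text, server):
            return True, trace   # first hit decides, so the expensive rule may never run
    return False, trace

DI_RULE = Rule("SSN Data Identifier", cost=1, two_tier=False,
               matches=lambda text, _server: ssn_data_identifier(text))
EDM_RULE = Rule("EDM: customer SSNs", cost=10, two_tier=True,
                matches=lambda text, server: server.edm_lookup(text))

COMBINED = [EDM_RULE, DI_RULE]   # EDM rule OR'd with the Data Identifier rule
EDM_ONLY = [EDM_RULE]

SERVER = EndpointServer({"123-45-6789"})   # constructed EDM index content

if __name__ == "__main__":
    msg = "Customer SSN 123-45-6789 is on file."
    for name, rules in (("combined", COMBINED), ("edm only", EDM_ONLY)):
        for server in (SERVER, None):
            print(name, "connected" if server else "offline", evaluate(rules, msg, server))
```

With the combined policy the trace never reaches the EDM rule for a message the Data Identifier already catches, and an offline agent still produces the incident; the EDM-only policy produces nothing while offline.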

Use policy groups to manage policy lifecycle


Use policy groups to test policies before using them in production. Create a test policy group to which only you have
access. Then, create policies and add them to the test policy group. Review the incidents your test policies capture. After
you tune the policies and confirm that they capture the expected incidents, you can rename the policy group and grant the
appropriate roles access to it. You can also use policy groups to manage legacy policies, as well as policies you want to
import or export.
Policy groups
Removing policies and policy groups

Follow detection-specific best practices


In addition to these general policy authoring considerations, keep in mind the policy tuning considerations that are
specific to each type of match condition.
Best practices for specific detection methods lists these detection-specific considerations, with links to topics for more
information.

Table 421: Best practices for specific detection methods

Detection method | Description
EDM | Best practices for using EDM
IDM | Best practices for using IDM
VML | Best practices for using VML
Data identifiers | Best practices for using data identifiers
Keywords | Best practices for using keyword matching
Regular expressions | Best practices for using regular expression matching
Non-English language detection | Best practices for detecting non-English language content
File properties | Best practices for using file property matching
Network protocols | Best practices for using network protocol matching
Endpoint events | Best practices for using endpoint detection
Described identities | Best practices for using described identity matching
Synchronized DGM | Best practices for using synchronized DGM
Profiled DGM | Best practices for using profiled DGM
Metadata detection | Best practices for using metadata detection

Introducing Structured Data Identifiers


New Structured Data Identifiers are available for structured data matching in Symantec Data Loss Prevention 16.0.
Structured Data Identifiers are a powerful and convenient method of detecting private or proprietary personally identifiable
information (PII), and other identity information, in tabular documents. Data structured in the form of tables that is
embedded in an otherwise unstructured document can be detected. With this new feature, you don't have to go through
the iterative process of tuning your policies to catch PII, financial information, and healthcare data. Structured data
matching also reduces false positives for such data.
Using Structured Data Identifiers helps you to meet compliance regulations for protecting personally identifiable
information, healthcare data, and sensitive financial information. SDI detection helps you to comply with standards such
as GDPR, HIPAA, PCI, and so on.
You can create detection rules using Structured Data Identifiers. You can also specify a combination of structured
identifiers and other conditions to create rules. You can specify a narrow, wide, or medium breadth for each structured
identifier in the rule.
Incidents that are created with the SDI rules are listed in incident reports. Columns with data matches are highlighted.
• Structured Data Identifiers Requirements and Options
• Creating a Content Matches Structured Data Identifier Rule
• Advanced Configuration Settings for Structured Data Matching
Structured Data Identifiers Requirements and Options
Use Symantec Data Loss Prevention Structured Data Identifiers (SDIs) to detect personally identifiable information (PII),
healthcare information, and financial information.
NOTE
Some terms that are used with SDIs are specific to Structured Data Matching (SDM) detection. For example, the
breadth setting in an SDI rule is a threshold for detection. The SDI breadth determines how much of the table
must contain matching data to generate an incident. Matches in an SDI incident represent the number of rows in
a table that contain data that matches the SDI.
Symantec Data Loss Prevention provides four structured data identifiers for detecting personally identifiable and other
information. You can select Structured Data Identifiers to detect the following information.

Table 422: Structured Data Identifiers Matching Criteria

Structured Data Identifier (SDI): PII
Detects: Personally identifiable information, such as
• first and last names
• email addresses
• US Social Security Numbers

Structured Data Identifier (SDI): Likely PII
Detects: Information that when combined with other information is likely to identify a person, such as
• date
• location
• postal code
• mailing address

Structured Data Identifier (SDI): Financial Information
Detects: Banking information, such as
• bank account numbers
• tax IDs
• credit card numbers

Structured Data Identifier (SDI): Healthcare Information
Detects: Medical information, such as
• Medicare beneficiary numbers
• health insurance claim numbers
• national provider identification numbers

Document Types Supported for SDI Detection
SDI supports popular document types and structured data (in a tabular format) in email bodies. Support for email bodies
is limited: only text-format email bodies are currently supported.
NOTE
SDI is not supported on the endpoint channel.
Document types include:
• Excel (.xlsx)
• Comma-Separated Values (.csv)
• PDF (.pdf)
Other document types such as legacy Office (.doc and .xls) are not fully supported because of the way that they handle
tables.
Table Layouts Supported for SDI Detection
The following figures show two examples of supported table layouts, followed by an example of a layout that is only
partially supported.
Figure 17: Supported: Multiple tables laid out one after another in the same document
Multiple tables with symmetric rows are also supported.
Figure 18: Supported: Tables with interspersed text
Figure 19: Partially supported: Overlapping tables
Overlapping tables are partially supported for detection by SDI. The tables are split into multiple tables. The number of
tables depends on the number of fields in any given row of data.

Viewing SDI Matches in Incident Reports
In SDI incident reports, all columns that contain an SDI match are highlighted. In the following figure, you can see that the
columns containing SDI matches are highlighted. One column to the right and one column to the left of the highlighted
matching columns are provided for context.
The match count that is displayed is the number of total rows present in the table where SDI matches are found. Unlike in
other rules, match count is not the total number of keyword matches or data identifier matches detected on the table.
Figure 20: Viewing SDI Matches in the Enforce Server administration console

Creating a Content Matches Structured Data Identifier Rule
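The SDI sections above define three things that differ from ordinary content rules: breadth is a threshold on how much of a table must match, the match count is the number of matching rows rather than cell hits, and the report highlights each matching column plus one neighbour on either side. The following Python is an added example that implements those three definitions over CSV input; it is not Symantec's SDM engine. The breadth percentages, the rule that a column counts as PII when most of its populated cells fit a pattern, the two patterns (SSN and email) and both sample tables are assumptions constructed for this example.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# Illustrative model only. The breadth percentages, the column classification
# rule and the two PII patterns are assumptions chosen for this example.

PII_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "email": re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$"),
}
BREADTH = {"wide": 0.10, "medium": 0.50, "narrow": 0.90}  # minimum share of rows with a match
COLUMN_MIN_FRACTION = 0.5   # share of a column's populated cells that must fit one pattern

def parse_table(csv_text: str) -> Tuple[List[str], List[List[str]]]:
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if any(c.strip() for c in r)]
    return rows[0], rows[1:]

def cell(row: List[str], c: int) -> str:
    return row[c].strip() if c < len(row) else ""   # tolerate ragged rows

def classify_columns(header: List[str], rows: List[List[str]]) -> Dict[int, str]:
    """Map column index -> PII type for columns whose populated cells mostly fit a pattern."""
    found = {}
    for c in range(len(header)):
        populated = [cell(r, c) for r in rows if cell(r, c)]
        if not populated:
            continue
        for pii_type, pat in PII_PATTERNS.items():
            hits = sum(1 for v in populated if pat.match(v))
            if hits / len(populated) >= COLUMN_MIN_FRACTION:
                found[c] = pii_type
                break
    return found

def scan_table(csv_text: str, breadth: str = "medium") -> dict:
    header, rows = parse_table(csv_text)
    cols = classify_columns(header, rows)
    # Match count is the number of rows with a match, not the number of cell hits.
    matched_rows = [i for i, r in enumerate(rows)
                    if any(PII_PATTERNS[t].match(cell(r, c)) for c, t in cols.items())]
    share = len(matched_rows) / len(rows) if rows else 0.0
    # Highlight each matching column plus one neighbour on each side for context.
    highlighted = sorted({c + d for c in cols for d in (-1, 0, 1) if 0 <= c + d < len(header)})
    return {
        "match_count": len(matched_rows),
        "matched_columns": {header[c]: t for c, t in cols.items()},
        "highlighted_columns": [header[c] for c in highlighted],
        "incident": share >= BREADTH[breadth],
    }

# Constructed sample documents (fictitious values).
DENSE_DOC = """id,name,email,ssn,dept
1,Ana Lopez,ana.lopez@example.com,123-45-6789,Sales
2,Bo Chen,bo.chen@example.com,287-65-4321,Engineering
3,Cy Diaz,,456-78-9012,Sales
4,Di Evans,di.evans@example.com,,Finance
5,Ed Frey,not an email,222-33-4444,Legal
"""
SPARSE_DOC = """ticket,summary,owner_ssn
1001,Printer jam,
1002,Badge reissue,321-54-9876
1003,VPN reset,
1004,Payroll query,654-32-1098
1005,Laptop swap,
1006,Relocation,111-22-3333
1007,Parking,
1008,Onboarding,444-55-6666
1009,Offboarding,
1010,Desk move,
"""

if __name__ == "__main__":
    for doc in (DENSE_DOC, SPARSE_DOC):
        for b in BREADTH:
            print(b, scan_table(doc, b))
```

The sparse ticket table is the case the breadth setting exists for: four of ten rows carry an SSN, so the wide breadth raises an incident while medium and narrow do not, and the match count reported is 4 regardless of how many columns matched.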

Creating a Content Matches Structured Data Identifier Rule
Adding a Content Matches Structured Data Identifier detection rule in the Enforce Server administration console.
You can add a detection rule that automatically detects structured data at the Manage > Policies > Policy List >
Configure Policy page. Click the radio button for the new Content Matches Structured Data Identifier rule.
NOTE
The Content Matches Structured Data Identifier detection rule can currently only be used on DLP servers. SDM
rules are not supported on Endpoints.
Follow this step-by-step procedure for creating an SDI rule for an existing policy on the Add Detection Rule page.
1. Go to Manage > Policies > Policy List.
2. Choose a policy. The Configure Policy screen appears.
3. Scroll down to the Detection tab.
4. Click Add Rule.
5. Select Content Matches Structured Data Identifier in the Rule Type - Content area.
6. Go to the Choose Structured Data Identifier dropdown menu.
7. Choose one of the following options:
– Healthcare Information
– Financial Information
– PII
– Likely PII
– US Social Security Number
– Japan PII
8. Click Next.
9. Add a Rule Name.
10. Set the Severity (High, Medium, Low).
11. Set Conditions.
– Choose a Match Threshold Breadth:
a. Wide
b. Medium
c. Narrow
– Choose what to Match On. SDIs only match on tabular data, so you can only choose Body or Attachments.
Envelopes and Subject do not contain tabular data.
12. Click OK.
See Advanced Configuration Settings for Structured Data Matching.

Advanced Configuration Settings for Structured Data Matching


You can change the following setting to customize Symantec DLP SDI detection.

Table 423: Advanced Configuration Setting for an SDI in a component

Setting Name | Default Value | Type of Setting | Purpose
StructuredDataIdentifier.MaxViolations | 10 | Advanced setting | Sets the maximum number of violations for an SDI in a component.

Introducing Exact Match Data Identifiers (EMDI)
Exact Match Data Identifier (EMDI) detection is a powerful exact matching detection technology that enables you to detect
structured data, especially personally-identifiable information (PII), with a high degree of accuracy. You can use EMDI to
exactly match indexed records across all Data Loss Prevention channels. Fast performing and secure, EMDI can help
you reduce false positives when compared to data identifiers and regular expressions. EMDI provides better matching
performance and greater memory efficiency than Exact Data Matching (EDM).
Before you proceed with EMDI, it's important for you to have a good understanding of data identifiers and how they are
used in Symantec Data Loss Prevention.
About using EMDI to protect content

About using EMDI to protect content


EMDI works as an additional validation check against data identifier pattern matchers. With EMDI, Data Loss Prevention
doesn't rely on the Credit Card Number data identifier to match any pattern that looks like a credit card number and
passes a Luhn check. Instead, EMDI enables customers to exactly match only the credit card numbers that are contained
within their index of records. To exactly match, you can use the Credit Card Number and at least one additional column
of identifying information within the index of records, such as the Issuing Bank Number that corresponds to that record in
the data source that the EMDI profile uses. Since data sources can contain more than two kinds of information, you could
also use the Card Expiration Date as a third field to ensure an accurate match. Both system (built-in) and custom data
identifiers are supported.
EMDI covers every EDM detection use case that involves two or more columns with at least one column that has highly
unique data that matches a highly discriminatory pattern (that is expressible with a data identifier). These columns are
known as "key columns."
EMDI supports up to 4 million rows and 32 columns per index. These larger indexes are always deployed to detection
servers, appliances, and cloud services. Indexes larger than 100 MB are not distributed to DLP Agents by default, but this
maximum limit can be configured. All existing system data identifiers and most custom data identifiers are supported.
You configure EMDI at Manage Data Profiles > Exact Data > Add Exact Match Data Identifier Profile. The following
procedure provides the steps you need to take for implementation.
To configure EMDI
1. You identify and prepare the data you want to protect.
2. You create an Exact Match Data Identifier profile and identify data source columns as Required, Optional, or Ignore
to generate a match. Required columns must be mapped to either a built-in system data identifier or a custom data
identifier.
3. You enable the index as an Exact Match Data Identifier validator either inline in a policy as part of a data identifier
condition, or as part of the configuration of the data identifier.
4. When you add an EMDI validator to an existing data identifier validator, EMDI is used each time the existing validator
is used in a policy.
5. You index the structured data source using the Enforce Server administration console, or remotely using the Remote
EMDI Indexer. During the indexing process, the system indexes record data that is contained within tabular CSV files.
You can schedule indexing on a regular basis to ensure that the EMDI index reflects the current data.

About EMDI and key columns

About EMDI policy features


EMDI policy matching includes validation of matching data identifier patterns using an indexed data source. It searches
for indexed content in a given message or file. Then it generates an incident if a match is found within a proximity window
before and after the data identifier match. A proximity window of 50 tokens before and 50 tokens after the data identifier
match is the default value and maximum value. This value is configurable; you can change it from 1 to 50.
Policy matching requirements and features of EMDI include the following:
• You must specify one required column that can be matched by a highly discriminating data identifier. This column is
referred to as the "key column."
• The key column must be highly variable (with few repeating values).
• A minimum of two columns is required for a match: a required "key" column and an optional column.
• For highly variable data (with few repeated values in the index) the EMDI algorithm generates fewer than one false
positive per 1000 data identifier matches. Common repeated values in key or non-key columns may result in higher
rates of false positives.
• The number of rows per index is limited to 4 million.
• The system provides match highlighting at the incident snapshot screen. Tokens from matching rows are highlighted,
not only the matching data identifier value.
• EMDI supports single-token and multi-token cell indexing and matching. A multi-token is a cell that contains two or
more words. Since a single CJK (Chinese, Japanese, Korean) character is regarded as a token, two or more CJK
characters are treated as a multi-token.
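The sections above describe EMDI as a validator layered on a data identifier: the index stores hashes rather than values, a Luhn-valid credit card number that is not in the index produces nothing, and a hit only becomes an incident when another column of the same indexed row appears within the proximity window of tokens around the match, with multi-token cells matched as a unit. The following Python is an added example that implements that behaviour end to end; it is not Symantec's EMDI engine. SHA-256 over normalised cells, the tokeniser, the card-number candidate pattern, the window handling and the constructed data source (well-known test card numbers with fictitious bank names) are all assumptions made for the example.

```python
import csv
import hashlib
import io
import re
from collections import defaultdict
from typing import Dict, List

# Illustrative model only, not Symantec's EMDI engine. SHA-256 over normalised
# cells, the tokeniser, the card-number candidate pattern and the "key column
# plus one more column inside the window" rule are assumptions for this example.

TOKEN_RE = re.compile(r"[A-Za-z0-9]+")
CARD_CANDIDATE_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digit runs
PROXIMITY = 50   # default and maximum: tokens before and after the DI match

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def tokens_of(value: str) -> List[str]:
    return [t.lower() for t in TOKEN_RE.findall(value)]

def h(tokens: List[str]) -> str:
    return hashlib.sha256(" ".join(tokens).encode()).hexdigest()

def build_index(csv_text: str, key_column: str) -> Dict[str, List[Dict[str, tuple]]]:
    """key-cell hash -> rows, each row = {other column: (cell hash, token count)}.
    Only hashes are kept; the plaintext values are not stored."""
    index = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        key_digits = re.sub(r"\D", "", row[key_column])
        if not key_digits:
            continue
        others = {}
        for col, val in row.items():
            toks = tokens_of(val)
            if col != key_column and toks:
                others[col] = (h(toks), len(toks))   # multi-token cell = one unit
        index[h([key_digits])].append(others)
    return dict(index)

def ngram_hashes(toks: List[str], n: int) -> set:
    return {h(toks[i:i + n]) for i in range(len(toks) - n + 1)}

def detect(text: str, index, key_column: str = "card_number",
           window: int = PROXIMITY) -> List[dict]:
    incidents = []
    positioned = [(m.group(0).lower(), m.start()) for m in TOKEN_RE.finditer(text)]
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            continue                       # fails the data identifier's own validator
        rows = index.get(h([digits]))
        if not rows:
            continue                       # looks like a card number but is not indexed
        before = [t for t, off in positioned if off < m.start()][-window:]
        after = [t for t, off in positioned if off >= m.end()][:window]
        for row in rows:
            corroborated = [col for col, (hval, n) in row.items()
                            if hval in ngram_hashes(before, n) | ngram_hashes(after, n)]
            if corroborated:               # key column + at least one more column
                incidents.append({"offset": m.start(),
                                  "columns": [key_column] + corroborated})
    return incidents

# Constructed data source (well-known test card numbers, fictitious bank names).
INDEX_CSV = """card_number,issuing_bank,expiry
4111 1111 1111 1111,First National Bank,12/27
5555 5555 5555 4444,Example Credit Union,03/26
"""
INDEX = build_index(INDEX_CSV, "card_number")

if __name__ == "__main__":
    print(detect("Payment from card 4111-1111-1111-1111 issued by First National Bank, exp 12/27.", INDEX))
    print(detect("Test card 4242 4242 4242 4242 should be rejected", INDEX))   # Luhn-valid, not indexed
```

The second call is the point of the technique: 4242 4242 4242 4242 passes the Luhn check that a plain Credit Card Number data identifier relies on, but it is not in the index, so no incident is raised. An indexed number with no corroborating column inside the window is likewise ignored, and narrowing the window below the distance to the corroborating token suppresses the match.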
EMDI compared to EDM

EMDI compared to EDM


EMDI relies on a different underlying detection technology than EDM, and is neither a substitute nor a replacement for
EDM. However, one of the advantages of EMDI over EDM is that EMDI is available as a locally-executed exact matching
technology on the DLP Agent. EDM is only available on the DLP Agent in two-tier detection mode. The EMDI compared to
EDM table lists comparisons between EMDI and EDM.

Table 424: EMDI compared to EDM

EMDI | EDM
EMDI can support EDM detection scenarios that involve matching against two or more columns of a data source when at least one of those columns matches a data identifier. EMDI supports both system and custom data identifiers. | There is no requirement that EDM must match against a column that can be represented by a data identifier.
EMDI scans an entire data source, within the stated limits. | By default, EDM scans only the first 30,000 tokens for inspected content, though this limit can be increased.
EMDI performs matching locally on the DLP Agent, so there is no need to implement two-tier detection. | EDM is only available on the DLP Agent in two-tier detection mode.
Available on all channels, including detection servers, appliances, the cloud, and DLP Agents (including disconnected DLP Agents). | EDM is available on detection servers, appliances, and the cloud. EDM is only available on the endpoint in two-tier detection mode.
Supports blocking, user notification, and encryption on the DLP Agent. | EDM is only available on the DLP Agent in two-tier detection mode. When operating in two-tier detection mode, the DLP Agent does not support synchronous response actions such as blocking, user notification, or encryption.
The memory footprint for EMDI is 1/5 of the memory footprint for EDM for the same indexed data source. | The EDM memory footprint is about 5 times the memory footprint for EMDI.
EMDI supports up to 4 million rows x 32 columns per index, up to 128 million cells per index. | EDM supports hundreds of millions of rows x 32 columns, up to 6 billion cells per index.
EMDI has a stringent security model that makes it suitable for profile deployment on the DLP Agent. | EDM profiles are never deployed on the DLP Agent.
There is no natural language processing for Chinese, Japanese, and Korean for EMDI matching. | EDM supports natural language processing for Chinese, Japanese, and Korean.

You can use either EMDI or EDM for some exact matching cases that have at least two source columns and where one
column has values that can be expressed with a data identifier. The following recommendations detail when it is better to
use EMDI rather than EDM, and vice versa.
Use EMDI instead of EDM if:
• You already use data identifiers and you want to improve detection accuracy with exact matching.
• You need exact matching and detection-time enforcement on your DLP Agents, such as blocking, user notification, or
encryption.
• You have a need to be more flexible with the identifier detection. For example, you need to detect identifiers with
nonstandard separator characters (for example, match 123*456 or 123/456 or 123_456).
• You need to use exact matching in an exception.
Use EDM instead of EMDI if:
• You need to exclude specific combinations of columns from a match. For example, you need to match three of the
following four columns: Identification Number, Last Name, City, and Postal Code; but you need to exclude the Last
Name, City, and Postal Code combination.
• You need to use more discriminating policy features, such as data owner exception and the where clause.
• You need to index data sources with a large number of rows (greater than 4 million).
About the Exact Match Data Identifier profile and index

About the Exact Match Data Identifier profile and index


The Exact Match Data Identifier Profile is the user-defined configuration that you create to index the data source.
The index is a secure file that contains hashes of the exact data values from each field in your data source, along with
information about those data values. The index does not contain the data values themselves.
The index that is generated consists of one binary source file called EmdiDataSource.rdx. By default, Symantec Data Loss
Prevention stores index files in C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\index
(on Windows) or in /var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/index (on Linux) on the
Enforce Server. Symantec Data Loss Prevention automatically deploys all EMDI indexes (*.rdx files) to the index directory
on all detection servers.
The Enforce Server deploys the endpoint index (EmdiDataSource.rdx) to each designated Endpoint Server; in
addition, the Enforce Server also sends a patch file to each Endpoint Server, which contains the differences between the
old index and the new index. When a DLP Agent connects to the Endpoint Server, the DLP Agent downloads the index.
If the agent already has the latest version of the index, nothing happens. If there are changes to the index, the agent
downloads only the patch that contains data about the differences between the old and the new indexes. Because only
the updates and not an entire new index is sent to endpoints, network bandwidth consumption is kept to a minimum.
The indexes are saved in an encrypted binary format in the endpoint database.
When an active policy that references an EMDI profile is deployed to a detection server, the detection server loads the
corresponding EMDI index into RAM. If a new detection server is added after an index has been created, the *.rdx files
in the index folder on the Enforce Server are deployed to the index folder on the new detection server. You cannot
manually deploy index files to detection servers.
About the Exact Match Data Identifier source file

About the Exact Match Data Identifier source file


The data source file is a tabular file containing data in a standard delimited format (comma, semicolon, pipe, or tab). You
extract the data from a database, spreadsheet, or other structured data source. You also cleanse the data for profiling.
You upload the data source file to the Enforce Server when you define the Exact Match Data Identifier Profile. For
example, you can convert an Excel spreadsheet to a comma-separated values (CSV) format. The resulting *.csv file can
be used as the data source for your EMDI profile.
Cleanse the EMDI data source file of blank columns and duplicate rows
Creating the Exact Match Data Identifier source file
You can use the SQL preindexer to index the data source directly. However, this approach has limitations because in most
cases the data must first be cleansed before it is indexed.
The data source file must contain at least one key column that contains largely unique values that can be expressed as a
data identifier. The parameters affecting the uniqueness of the key columns can be edited in the Indexer.properties
file located at \Program Files\Symantec\DataLossPrevention\EnforceServerProtect\config\Indexer.properties (Windows)
or /Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config/Indexer.properties (Linux).
These parameters are listed in Parameters affecting indexer sensitivity to key-column uniqueness.

Table 425: Parameters affecting indexer sensitivity to key-column uniqueness

Parameters in Indexer.properties | Function
EMDI.MaxDuplicateCellsPercentage=1 | Maximum percentage of duplicated key column cells in the index; the default value is 1%.
EMDI.MaxNonMatchingDIPercentage=1 | Maximum percentage of key column cells that don't match the data identifier that is assigned to this profile; the default value is 1%.

Non-configurable limits for EMDI: The same value can appear no more than five times in a key column in a given EMDI
index. This limit is separate from EMDI.MaxDuplicateCellsPercentage, which instead caps the overall percentage of
duplicate key-column cells in the index.
Best practices for using EMDI
NOTE
The format for the data source file should be a text-based format using commas, semicolons, pipes, or tabs as
delimiters. You should avoid using a spreadsheet format for the data source file (such as XLS or XLSX) because
such programs use scientific notation to render numbers.
About cleansing the Exact Match Data Identifier source file

About cleansing the Exact Match Data Identifier source file


Once you have created the data source file, you must prepare the data for indexing by cleansing it. You must cleanse the
data source file to ensure that your EMDI policies are as accurate as possible. You can use tools such as Stream Editor
(sed) and awk to cleanse the data source file. Melissa Data provides tools for normalizing data in the data source, such as
addresses.

Workflow for cleansing the data source file provides the steps you must take to cleanse the data source file for indexing.

Table 426: Workflow for cleansing the data source file

Step | Action | Description
1 | Prepare the data source file for indexing. | Preparing the Exact Match Data Identifier source for indexing
2 | Ensure that you have specified a key column that can be matched by a highly variable data identifier. | About EMDI and key columns
3 | Ensure that the key column contains reasonably unique data. |
4 | Remove incomplete and duplicate records. Do not fill empty cells with fake data. |
5 | Remove improper characters. | Remove ambiguous character types from the EMDI data source file
6 | Verify that the data source file is below the error threshold. The error threshold is the maximum percentage of rows that contain errors before indexing stops. | Preparing the Exact Match Data Identifier source for indexing

About EMDI index scheduling
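The cleansing workflow above and the Indexer.properties parameters in the previous section describe checks that are cheaper to run on the extract before uploading it than to discover as an indexing failure: blank columns, incomplete and duplicate records, and a key column whose values are not unique enough or do not fit the data identifier. The following Python is an added example that performs those checks on a CSV extract; it is not Symantec's indexer or its SQL preindexer. The SSN pattern stands in for whatever data identifier the profile assigns to the key column, the limits are applied by this example code rather than read from Indexer.properties, the definition of a "duplicated cell" as a repeat of an earlier value is an assumption, and the extract itself is constructed with fictitious values.

```python
import csv
import io
import re
from collections import Counter
from typing import Dict, List, Tuple

# Illustrative model only. The SSN pattern stands in for the profile's key-column
# data identifier; the limits mirror the settings quoted above but are applied
# here by this example code, not by the product.

SSN_DI = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")
MAX_DUPLICATE_CELLS_PCT = 1.0     # EMDI.MaxDuplicateCellsPercentage default
MAX_NON_MATCHING_DI_PCT = 1.0     # EMDI.MaxNonMatchingDIPercentage default
MAX_REPEATS_PER_VALUE = 5         # non-configurable limit on one value in a key column

def cleanse(csv_text: str, key_column: str,
            required: Tuple[str, ...] = ()) -> Tuple[List[str], List[Dict[str, str]], dict]:
    """Drop blank columns, incomplete records and duplicate records. Empty cells
    are never filled in; the record is dropped instead."""
    reader = csv.DictReader(io.StringIO(csv_text))
    raw = list(reader)
    fields = reader.fieldnames or []
    cols = [c for c in fields if any((r.get(c) or "").strip() for r in raw)]
    needed = {key_column, *required}
    kept, seen, incomplete = [], set(), 0
    for r in raw:
        if any(not (r.get(c) or "").strip() for c in needed):
            incomplete += 1
            continue
        record = tuple((r.get(c) or "").strip() for c in cols)
        if record in seen:
            continue
        seen.add(record)
        kept.append(dict(zip(cols, record)))
    report = {
        "input_rows": len(raw),
        "dropped_blank_columns": [c for c in fields if c not in cols],
        "dropped_incomplete": incomplete,
        "dropped_duplicates": len(raw) - incomplete - len(kept),
        "rows": len(kept),
    }
    return cols, kept, report

def check_key_column(rows: List[Dict[str, str]], key_column: str, di=SSN_DI) -> dict:
    """Apply the uniqueness and DI-conformance limits to the key column."""
    values = [r[key_column] for r in rows]
    counts = Counter(values)
    duplicate_cells = sum(n - 1 for n in counts.values() if n > 1)   # repeats of an earlier value
    non_matching = sum(1 for v in values if not di.match(v))
    dup_pct = 100.0 * duplicate_cells / len(values) if values else 0.0
    nm_pct = 100.0 * non_matching / len(values) if values else 0.0
    problems = []
    if dup_pct > MAX_DUPLICATE_CELLS_PCT:
        problems.append("duplicate key cells %.1f%% exceed %.1f%%" % (dup_pct, MAX_DUPLICATE_CELLS_PCT))
    if nm_pct > MAX_NON_MATCHING_DI_PCT:
        problems.append("key cells not matching the DI %.1f%% exceed %.1f%%" % (nm_pct, MAX_NON_MATCHING_DI_PCT))
    over = [v for v, n in counts.items() if n > MAX_REPEATS_PER_VALUE]
    if over:
        problems.append("%d key value(s) appear more than %d times" % (len(over), MAX_REPEATS_PER_VALUE))
    return {"duplicate_pct": dup_pct, "non_matching_di_pct": nm_pct,
            "over_repeated_values": len(over), "problems": problems}

def drop_non_matching_keys(rows: List[Dict[str, str]], key_column: str, di=SSN_DI) -> List[Dict[str, str]]:
    return [r for r in rows if di.match(r[key_column])]

# Constructed extract (fictitious values): a blank 'notes' column, one exact
# duplicate, one record with an empty key, one key that is not a valid SSN pattern.
RAW_CSV = """ssn,first_name,last_name,last4_acct,notes
123-45-6789,Ana,Lopez,4321,
287-65-4321,Bo,Chen,8765,
456-78-9012,Cy,Diaz,1111,
123-45-6789,Ana,Lopez,4321,
,Di,Evans,2222,
000-12-3456,Ed,Frey,3333,
321-54-9876,Fay,Gold,4444,
654-32-1098,Gus,Hart,5555,
222-33-4444,Ivy,Jung,6666,
333-44-5555,Kai,Lee,7777,
444-55-6666,Liu,Mo,8888,
"""

if __name__ == "__main__":
    cols, rows, report = cleanse(RAW_CSV, "ssn", required=("first_name", "last_name"))
    print(report)
    print(check_key_column(rows, "ssn"))
```

On this extract the cleansing step removes the blank column, the empty-key record and the duplicate, but the key-column check still fails: one of nine remaining keys does not fit the SSN pattern, which is about 11% against a 1% limit, so that record has to be fixed or removed before indexing rather than padded with a placeholder value.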

About EMDI and key columns


An important concept for EMDI is the "key column." When using EMDI, you must specify two or more columns with
at least one "key column" that has highly unique and discriminatory values that match a distinctive pattern (that is
expressible with a data identifier).
In the following examples the data in the first column (the "key" column) is used as a data identifier pattern that must be in a
match.
• Detect two (or more) out of
(Account Number, Routing Number, First Name, Last Name, Last 4 SSN)
• Detect two (or more) out of
(Driver's License Number, First Name, Last Name, DOB, Address, City, State)
• Detect two (or more) out of
(Medical Record Number, First Name, Last Name, Last 4 SSN)
• Detect two (or more) out of
(Credit Card Number, Issuing Bank Name, CVV, Card Expiration Date)
• Detect both of
(Part Number, Part Description)

About EMDI index scheduling

After you have indexed an exact data source extract, its schema cannot be changed. If the data source changes, or the
number of columns or data mapping of the exact data source file changes, you must create a new EMDI index and update
the policies that reference the changed data. In this case you can schedule the indexing to keep the index in sync with the
data source.
Here is a typical use case: You extract data from a database to a file and cleanse it to create your data source file. Using
the Enforce Server administration console you define an Exact Match Data Identifier profile and index the data source
file. The system generates the *.rdx index files and deploys them to one or more detection servers, appliances, cloud
services, and agents. If you know that the data changes frequently, you need to generate a new data source file regularly
to keep up with the changes to the database. In this case, you can use index scheduling to automate the indexing of
the data source file so you do not have to return to the Enforce Server administration console and reindex the updated
data source. Your only task is to provide an updated and cleansed data source file to the Enforce Server for scheduled
indexing.

Configuring Exact Match Data Identifier profiles

To implement EMDI, you create the Exact Match Data Identifier Profile and index the data source. You also need to edit
an existing data identifier or create a new custom data identifier. Then, for each data identifier breadth, you must add and
configure EMDI as an optional validator and enable an EMDI validation check during policy creation or on the Manage >
Policies > Data Identifiers page. Implementing Exact Match Data Identifier matching details the steps in this process.
About the Exact Match Data Identifier profile and index

Table 427: Implementing Exact Match Data Identifier matching

Step 1. Create the data source file.
    Export the source data from the database (or other data repository) to a tabular text file with delimited fields.
    See: About the Exact Match Data Identifier source file; Creating the Exact Match Data Identifier source file
Step 2. Prepare the data source file for indexing.
    Cleanse the data source file.
    See: Cleanse the EMDI data source file of blank columns and duplicate rows
Step 3. Upload the data source file to the Enforce Server.
    You can copy or upload the data source file to the Enforce Server, or access it remotely.
    See: Uploading the Exact Match Data Identifier source files to the Enforce Server
Step 4. Edit an existing data identifier or create a new custom data identifier to add EMDI as a validator.
    See: Adding an EMDI check to a built-in or custom data identifier condition in a policy
Step 5. Create an Exact Match Data Identifier profile.
    An Exact Match Data Identifier profile is required to use Exact Match Data Identifier matching. The Exact Match
    Data Identifier profile specifies the data source, data field types, and the indexing schedule.
    See: Adding Exact Match Data Identifier Profiles; Creating and modifying the Exact Match Data Identifier profiles
Step 6. Mark each column in the data source as Ignore, Optional, or Required.
    Use the slider to mark each index column (data source field) as Ignore, Optional, or Required. Each index must
    contain at least one required ("key") column that is mapped to a system data identifier or custom data identifier.
    It must also contain at least one optional column.
    See: Adding Exact Match Data Identifier Profiles; Creating and modifying the Exact Match Data Identifier profiles
Step 7. Enable the policy as an Exact Match Data Identifier check.
    After the policy is created, it must be enabled as an Exact Match Data Identifier Check for data identifier validation.
    See: Adding an EMDI check to a built-in or custom data identifier condition in a policy
Step 8. Index the data source, or schedule indexing.
    Schedule the indexing to keep the index in sync with the data source.
    See: About EMDI index scheduling; Scheduling EMDI profile indexing


Creating the Exact Match Data Identifier source file

The first step in the EMDI indexing process is to create the data source. A data source is a tabular file containing data in a
standard delimited format, with data delimited by commas, semicolons, pipes, or tabs.
See Create the exact match data identifier source file for instructions.

Table 428: Create the exact match data identifier source file

Step 1. Export the data you want to protect from a database or other tabular data format, such as an Excel spreadsheet,
    to a tabular text file. The data source file you create must be a tabular text file that contains rows of data from the
    original source. Each row from the original source is included as a row in the data source file. Delimit columns using
    a tab, a comma, a semi-colon, or a pipe. Pipe is preferred. Comma should not be used if your data source fields
    contain numbers.
    See: About the exact data source file
    The data source file cannot exceed 32 columns or 4 million rows. If you plan to upload the data source file to the
    Enforce Server, browser capacity limits the data source size to 2 GB. For larger files you can copy the file to the
    Enforce Server using FTP/S, SCP, SFTP, CIFS, or NFS.
Step 2. For all EMDI implementations, make sure that the data source contains at least one column of unique data
    values (Required column) and one Optional column. Three or more columns (including one Required column) are
    recommended.
Step 3. Prepare the exact match data identifier source file for indexing.
    See: Preparing the Exact Match Data Identifier source for indexing

See Preparing the Exact Match Data Identifier source for indexing for instructions.

Preparing the Exact Match Data Identifier source for indexing


Once you create the Exact Match Data Identifier source file, you must prepare it so that you can index your data. When
you index an EMDI profile, the Enforce Server keeps track of empty cells and any misplaced data, which count as errors.
EMDI is designed to detect combinations of globally unique data fields. Your EMDI index must include at least one column
of data that contains nearly unique values for each record. Column data such as account numbers, social security
numbers, and credit card numbers are often highly unique. On the other hand, states or ZIP Codes are not unique, nor
are names. If you do not include at least one column of unique data (a key column) in your index, your EMDI profile
does not accurately detect the data you want to protect.
Table 429 describes the various types of unique data to include in your EMDI indexes, as well as fields that are not
unique. You can include the non-unique fields in your EMDI indexes as long as you have at least one unique column field.

Table 429: Examples of unique data for EMDI policies

Unique data for EMDI (the following data fields are often unique):
• Account number
• Bank Card number
• Phone number
• Social security number
• Tax ID number
• Driver's license number
• Employee number
• Insurance number

Non-unique data for EMDI (the following data fields are not unique):
• First name
• Last name
• City
• State
• ZIP Code
• Password
• PIN

When you index an EMDI profile, the Enforce Server keeps track of empty cells and any misplaced data which count as
errors. For example, an error may be a name that appears in a column for phone numbers. Errors can constitute a certain
percentage of the data in the profile (five percent, by default). If this default error threshold is met, Symantec Data Loss
Prevention stops indexing. It then displays an error to warn you that your data may be unorganized or corrupted.
To prepare the exact match data identifier source for EMDI indexing
1. Make sure that the data source file is formatted as follows:
• The data source must have at least two columns and at least one column that can be mapped to a data identifier.
One of the columns should contain unique values. For example, credit card numbers, driver’s license numbers, or
account numbers (as opposed to first and last names, which are generic).
Ensure data source has at least one column of unique data (EDM)
• Verify that you have delimited the data source using commas, pipes ( | ), tabs, or semicolons. If the data source file
uses commas as delimiters, remove any commas that do not serve as delimiters.
Do not use the comma delimiter if the data source has number fields (EDM)
• Verify that data values are not enclosed in quotes.
• Remove single-character and abbreviated data values from the data source. For example, remove the column
name and all values for a column in which the possible values are Y and N. You should also remove values such
as "CA" for California, or other abbreviations for states.
• Remove columns with frequently repeating values.
• Optionally, remove any columns that contain numeric values with fewer than five digits, as these can cause false
positives in production deployments.
Remove ambiguous character types from the data source file (EDM)
• A field delimiter should not appear in a field value.
• Eliminate duplicate records.
Cleanse the data source file of blank columns and duplicate rows (EDM)
2. Once you have prepared the exact match data identifier source file, proceed with the next step in the EMDI process:
upload the exact data source file to the Enforce Server for profiling the data you want to protect.
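As an added example that is not part of this guide, the following Python script applies the preparation rules above to a constructed pipe-delimited extract and reports the error rate against the default 5% error threshold. The KEY_PATTERN regex is a hypothetical stand-in for the data identifier mapped to the key column; in Enforce the data identifier itself performs that check.

```python
import re

# Constructed sample extract (not real records): pipe-delimited with a header row,
# quoted values, an exact duplicate record, an empty cell, a key-column value that
# does not look like an account number, a row with an extra cell, and a Y/N column.
RAW_EXTRACT = """\
AccountNumber|FirstName|LastName|Last4SSN|Active
"12345678901"|"Ann"|"Lee"|1234|Y
"23456789012"|"Bob"|"Ng"|2345|N
23456789012|Bob|Ng|2345|N
34567890123|Cara||3456|Y
not-an-account|Dan|Ruiz|4567|Y
45678901234|Eve|Stone|5678|N|extra
56789012345|Fay|Park|6789|Y
"""

DEFAULT_ERROR_THRESHOLD = 5.0  # percent of error rows at which Enforce stops indexing

# Hypothetical stand-in for the data identifier mapped to the key column (here an
# 11-digit account number). In Enforce the real check is the data identifier itself.
KEY_PATTERN = re.compile(r"^\d{11}$")


def cleanse(raw, key_col, delimiter="|", error_threshold=DEFAULT_ERROR_THRESHOLD):
    """Cleanse a delimited extract and report its error rate against the threshold.

    Rows with the wrong number of cells, an empty cell, or a key value that does
    not match the key pattern are counted as errors (the kinds of rows Enforce
    counts against the error threshold) and dropped. Exact duplicate records are
    dropped without counting as errors. Columns whose values are all one or two
    characters (Y/N flags, state abbreviations) are removed, except the key column.
    """
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    header = [h.strip().strip('"') for h in lines[0].split(delimiter)]
    if len(header) < 2:
        raise ValueError("an EMDI data source needs at least two columns")
    key_idx = header.index(key_col)
    kept, seen, errors = [], set(), []
    for lineno, line in enumerate(lines[1:], start=2):
        cells = [c.strip().strip('"') for c in line.split(delimiter)]  # drop quotes
        if len(cells) != len(header):
            errors.append((lineno, "wrong cell count"))
        elif any(c == "" for c in cells):
            errors.append((lineno, "empty cell"))
        elif not KEY_PATTERN.match(cells[key_idx]):
            errors.append((lineno, "key column does not match data identifier"))
        elif tuple(cells) not in seen:  # exact duplicates are simply skipped
            seen.add(tuple(cells))
            kept.append(cells)
    # Abbreviation / flag columns: every surviving value is at most two characters.
    drop = {i for i in range(len(header))
            if i != key_idx and kept and all(len(r[i]) <= 2 for r in kept)}
    data_rows = len(lines) - 1
    error_pct = 100.0 * len(errors) / data_rows if data_rows else 0.0
    return {
        "header": [h for i, h in enumerate(header) if i not in drop],
        "rows": [[c for i, c in enumerate(r) if i not in drop] for r in kept],
        "dropped_columns": [header[i] for i in sorted(drop)],
        "errors": errors,
        "error_pct": error_pct,
        "within_threshold": error_pct <= error_threshold,
    }


def write_data_source(report, delimiter="|"):
    """Serialize the cleansed rows as an unquoted delimited text file body."""
    lines = [delimiter.join(report["header"])]
    lines += [delimiter.join(r) for r in report["rows"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    report = cleanse(RAW_EXTRACT, "AccountNumber")
    for lineno, reason in report["errors"]:
        print(f"line {lineno}: {reason}")
    print(f"error rate {report['error_pct']:.1f}% "
          f"(threshold ok: {report['within_threshold']})")
    print(write_data_source(report), end="")
```

On the constructed sample three of seven rows are errors, so the script reports the extract as above the threshold, which is the point at which the guide tells you to stop and cleanse rather than index.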


Uploading the Exact Match Data Identifier Source Files to the Enforce Server

After you have prepared the data source file for indexing, load it to the Enforce Server so the data source can be indexed.
Creating and modifying the Exact Match Data Identifier profiles
Listed here are the options you have for making the data source file available to the Enforce Server. Consult with your
database administrator to determine the best method for your needs.

Table 430: Uploading the exact match data identifier source file to the Enforce Server for indexing

Upload option: Upload Data Source to Server Now
Use case: Data source file is less than 50 MB.
Description: If you have a smaller data source file (less than 50 MB), upload the data source file to the Enforce Server
using the Enforce Server administration console. When creating the Exact Match Data Identifier Profile, you can specify
the file path or browse to the directory and upload the data source file.
Note: Due to browser capacity limits, the maximum file size that you can upload is 2 GB. However, uploading any file
over 50 MB is not recommended, since files over this size can take a long time to upload. If your data source file is
over 50 MB, consider copying the data source file to the datafiles directory using the next option.

Upload option: Reference Data Source on Manager Host
Use case: Data source file is over 50 MB.
Description: If you have a large data source file (over 50 MB), copy it to the datafiles directory on the host where the
Enforce Server is installed.
On Windows this directory is located at
C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\datafiles.
On Linux this directory is located at
/var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/datafiles.
This option is convenient because it makes the data file available through a drop-down list during configuration of the
Exact Match Data Identifier Profile. If it is a large file, use a third-party solution (such as Secure FTP) to transfer the
data source file to the Enforce Server.
Note: Ensure that the Enforce Server user (usually called "protect") has modify permissions (on Windows) or rw
permissions (on Linux) for all files in the datafiles directory.

Upload option: Use This File Name
Use case: Data source file is not yet created.
Description: You may want to create an EMDI profile before you have created the exact match data identifier source
file. In this case you can create a profile template and specify the name of the data source file you plan to create. This
option lets you define EMDI policies using the EMDI profile template before you index the data source. The policies do
not operate until the data source is indexed.
When you have created the data source file, you place it in the
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\datafiles
directory on Windows or
/var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/datafiles
on Linux, and index the data source immediately on save or schedule indexing.
See: Creating and modifying the Exact Match Data Identifier profiles

Upload option: Use This File Name and Load Externally Generated Index
Use case: Data source is to be indexed remotely and copied to the Enforce Server.
Description: In some environments it may not be secure or feasible to copy or upload the data source file to the Enforce
Server. In this situation you can index the data source remotely using the Remote EMDI Indexer.
This utility lets you index an exact match data identifier source on a computer other than the Enforce Server host. This
feature is useful when you do not want to copy the data source file to the same computer as the Enforce Server. As an
example, consider a situation where the originating department wants to avoid the security risk of copying the data to
an extra-departmental host. In this case you can use the Remote EMDI Indexer.
First you create an EMDI profile template where you choose the Use this File Name and the Number of Columns
options. You must specify the name of the exact match data identifier source file and the number of columns it contains.
You then use the Remote EMDI Indexer to remotely index the data source and copy the index files to the Enforce Server
host and load the externally generated index. The Load Externally Generated Index option is only available after you
have defined and saved the profile. Remote indexes are loaded on Windows from the
\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\index
directory and on Linux from the
/var/Symantec/DataLossPrevention/EnforceServer/16.0.10000/index
directory on the Enforce Server host.
See: Uploading the Exact Match Data Identifier source files to the Enforce Server


Adding Exact Match Data Identifier Profiles

The Manage > Data Profiles > Exact Data > Add Exact Match Data Identifier Profile screen is the home page for
managing and adding Exact Match Data Identifier profiles. An Exact Match Data Identifier profile is required to implement
data identifier conditions with EMDI optionally enabled as a validator. An Exact Match Data Identifier profile specifies the
data source, the indexing parameters, and the indexing schedule. Once you have created the EMDI profile, you index the
data source and add the data identifier validation on the Manage > Policies > Data Identifiers page or on the Manage >
Data Profiles > Exact Data > Add Exact Match Data Identifier Profile page.
Creating and modifying the Exact Match Data Identifier profiles

Creating and Modifying the Exact Match Data Identifier Profiles


Configuring Exact Match Data Identifier profiles
1. Make sure that you have created the data source file.
Creating the Exact Match Data Identifier source file
2. Make sure that you have prepared the data source file for indexing.
Preparing the Exact Match Data Identifier source for indexing
3. In the Enforce Server administration console, navigate to Manage > Data Profiles > Exact Data.
4. Click Add Exact Match Data Identifier Profile.
5. Enter a unique, descriptive Name for the profile (limited to 256 characters).
For easy reference, choose a name that describes the data content and the index type (for example, Employee Data
EMDI).
If you modify an existing Exact Match Data Identifier profile you can change the profile name.
6. Select one of the following Data Source options to make the data source file available to the Enforce Server:
• Upload Data Source to Server Now
If you want to create a new profile, click Browse and select the data source file, or enter the full path to the data
source file.
If you want to modify an existing profile, select Upload Now.
Uploading the Exact Match Data Identifier source files to the Enforce Server
• Reference Data Source on Manager Host
If you copied the data source file to the datafiles directory on the Enforce Server, it appears in the drop-down
list for selection.
Uploading the Exact Match Data Identifier source files to the Enforce Server
• Use This File Name
Select this option if you have not yet created the data source file but want to configure EMDI policies using a
placeholder EMDI profile. Enter the file name of the data source you plan to create, including the Number of
Columns it is to have. When you do create the data source, you must copy it to the datafiles directory.
NOTE
Use this option with caution. Be sure to remember to create the data source file and copy it to the
datafiles directory. Name the data source file exactly the same as the name you enter here and
include the exact number of columns you specify here.
• Load Externally Generated Index
Select this option if you have created an index on a remote computer using the Remote EMDI Indexer. This
option is only available after you have defined and saved the profile. Profiles are loaded on Windows from the
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\index directory
and on Linux from the /var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/index
directory on the Enforce Server host.
7. If the first row of your data source contains Column Names, select Read first row as column names.
8. Specify the Error Threshold, which is the maximum percentage of rows that contain errors before indexing stops.
A data source error is either an empty cell, a cell with the wrong type of data, or extra cells in the data source. For
example, a name in a column for phone numbers is an error. If errors exceed a certain percentage of the overall data
source (by default, 5%), the system quits indexing and displays an indexing error message. The index is not created if
the data source has more invalid records than the error threshold value allows. Although you can change the threshold
value, more than a small percentage of errors in the data source can indicate that the data source is corrupt, is in an
incorrect format, or cannot be read. If you have a significant percentage of errors (10% or more), stop indexing and
cleanse the data source.
Preparing the Exact Match Data Identifier source for indexing
9. Select the Column Separator Char (delimiter) that you have used to separate the values in the data source file. The
delimiters you can use are tabs, commas, semicolons, or pipes.
10. Select one of the following encoding values for the content to analyze, which must match the encoding of your data
source:
• ISO-8859-1 (Latin-1) (default value)
Standard 8-bit encoding for Western European languages using the Latin alphabet.
• UTF-8
Use this encoding for all languages that use the Unicode 4.0 standard (all single- and double-byte characters),
including those in East Asian languages.
• UTF-16
Use this encoding for all languages that use the Unicode 4.0 standard (all single- and double-byte characters),
including those in East Asian languages.
NOTE
Make sure that you select the correct encoding. The system does not prevent you from creating an EMDI
profile using the wrong encoding. The system only reports an error at run-time when the EMDI policy
attempts to match inbound data. To make sure that you select the correct encoding, after you click Next,
verify that the column names appear correctly. If the column names do not look correct, you chose the wrong
encoding.
11. Click Next to go to the second Add Exact Match Data Identifier Profile screen.


Scheduling EMDI profile indexing

When you configure an Exact Match Data Identifier profile, you can set a schedule for indexing the data source (Submit
Indexing on Job Schedule).
About EMDI index scheduling
Before you set up a schedule, consider the following recommendations:
• If you update your data sources occasionally (for example, less than once a month), there is no need to create a
schedule. Index the data each time you update the data source.
• Schedule indexing for times of minimal system use. Indexing affects performance throughout the Symantec Data Loss
Prevention system, and large data sources can take time to index.
• Index a data source as soon as you add or modify the corresponding exact data profile, and re-index the data source
whenever you update it. For example, consider a scenario whereby every Wednesday at 2:00 A.M. you update the
data source. In this case you should schedule indexing every Wednesday at 3:00 A.M. Do not index data sources daily
as daily indexing can degrade performance.
• If you need to update indexes frequently (for example, daily), Symantec recommends that you use the Remote EMDI
Indexer.
• Monitor results and modify your indexing schedule accordingly. If performance is good and you want more timely
updates, schedule more frequent data updates and indexing.
The Indexing section lets you index the Exact Match Data Identifier profile as soon as you save it (recommended). You
can also index on a regular schedule as follows:

Table 431: Scheduling indexing for Exact Match Data Identifier Profiles

Submit Indexing Job on Save
    Select this option to index the Exact Match Data Identifier profile.
Submit Indexing Job on Schedule
    Select this option to schedule an indexing job. The default option is No Regular Schedule. If you want to index
    according to a schedule, select a desired schedule period, as described.
Index Once
    On – Enter the date to index the document profile in the format MM/DD/YY. You can also click the date widget
    and select a date.
    At – Select the hour to start indexing.
    By Minute Every – Select the minute frequency to start indexing.
    Until – Select this check box to specify a date in the format MM/DD/YY when the indexing should stop. You can
    also click the date widget and select a date.
Hourly
    Every – Select the hourly frequency to start indexing.
    Until – Select this check box to specify a date in the format MM/DD/YY when the indexing should stop. You can
    also click the date widget and select a date.
Daily
    At – Select the hour to start indexing.
    Until – Select this check box to specify a date in the format MM/DD/YY when the indexing should stop. You can
    also click the date widget and select a date.
Weekly
    Day of the week – Select the day(s) to index the document profile.
    At – Select the hour to start indexing.
    Until – Select this check box to specify a date in the format MM/DD/YY when the indexing should stop. You can
    also click the date widget and select a date.
Monthly
    Day – Enter the number of the day of each month you want the indexing to occur. The number must be 1
    through 28.
    At – Select the hour to start indexing.
    Until – Select this check box to specify a date in the format MM/DD/YY when the indexing should stop. You can
    also click the date widget and select a date.


Associating data identifiers with your data source (EMDI)

On this screen you associate data identifiers with your data source.
To continue configuring your Exact Match Data Identifier profiles
1. Designate columns in your data source as Required, Optional, or Ignored. You must associate Required columns
with an existing data identifier.
Confirm that the column names in your data source are accurately represented in the Data Source Field column. If
you selected the Column Names option, the Data Source Field column lists the names in the first row of your data
source. If you did not select the Column Names option, the column lists Col 1, Col 2, and so on.
2. In the Indexing section of the screen, select one of the following options:
• Submit Indexing Job on Save
Select this option to begin indexing the data source when you save the exact data profile.
• Submit Indexing Job on Schedule
Select this option to index the data source according to a specific schedule. Make a selection from the Schedule
drop-down list and specify days, dates, and times as required.
Scheduling EMDI profile indexing
3. Click Finish.
After Symantec Data Loss Prevention finishes indexing, it deletes the original data source from the Enforce Server.
After you index a data source, you cannot change its schema. If you change column designations for a data source
after you index it, you must create a new EMDI profile.
You can add Exact Match Data Identifier validators to existing data identifier policies.


Adding an EMDI check to a built-in or custom data identifier condition in a policy

You can add an EMDI validation check to an existing data identifier, or you can create a custom data identifier that
includes an EMDI validation check.
1. Go to Manage > Policies > Policy List.
2. Check the box to choose an existing policy.
3. Double-click the policy to begin editing.
4. Rename the policy to indicate that it uses EMDI as a validator.
5. Verify the Wide, Medium, or Narrow breadth.
6. Click Optional Validators.
7. Click Exact Match Data Identifier Check.
8. Select a Profile. When you scroll to view profiles, you only see profiles where the key column matches the data
identifier in use.
9. Select at least one Required column that must be matched.
10. Choose how many other optional columns to match. You must have at least one optional column.
11. Select the desired Proximity using the slider. The maximum proximity for EMDI is 50 tokens before or after the data
identifier or pattern match. You can select a lower level.
12. Verify a Match Counting value. Your options are:
    • Check for existence (don't count multiple matches)
    • Count all matches
    • Count all unique matches
13. Select a value for Only report incidents with at least [n] matches.
14. Click what to match on:
    • Envelope
    • Subject
    • Body
    • Attachments
15. Click OK.
16. Click Save.

You can also create a custom data identifier that includes an EMDI validation check. To review the steps to create a
custom data identifier, see Creating custom data identifiers. Then follow the steps to add an EMDI validator.
Related Links
Configuring policies on page 824

Optimized Index Distribution to Endpoints for EMDI


EMDI indexes are optimized for distribution to endpoints in Symantec Data Loss Prevention 16.0.1.

Creating an incremental index for EMDI
EMDI indexes are automatically optimized when you reindex.
The tool compares the last modified date of the file. If the file has been modified after the file that was preindexed, the
tool updates the preindex with the changes that were made to the file. If the modification date is unchanged, the
pre-index is not updated. If you change any include, exclude, or size filters in your existing preindex file, those filters
are applied to any previously indexed files. For example, for a remote data source with ten .docx files and ten .pptx
files, if your first remote indexing job has no filters, all files are indexed. If you add an exclude filter for .docx files
(-exclude_filter=*.docx) and run the indexing job again, the .docx files are removed from the index and only the
.pptx files remain.
When you use an EMDI profile file (.emdi) that meets one of the following conditions, a valid incremental index (.inc)
file is created:
• The EMDI profile file is downloaded after the latest index is created on Enforce.
• The same EMDI profile file is reused from a previous creation of a remote index.

Using keep_all_files=true for EMDI


You can use keep_all_files=true at the command line for Windows and Linux when you want to incrementally add
multiple data sources to the same preindex file. It keeps files that are in the previous preindex but not in the current
data source. You can also use keep_all_files if you have a folder whose content has been moved and you want to
keep the old content in the preindex file.

Understanding the limitations of incremental indexing with EMDI


In the following circumstances, a dummy incremental index file (of approximately 36 bytes), rather than a valid incremental
index file, is created:
• The index is created by the Remote Indexer.
• You are creating the first version of an index.
• A previous version of the index does not exist.
• The index has 10% more short-term elements than the previous index.
• The index has 10% more long-term elements than the previous index.
• The index has 10% more rows than the previous index.
• The index has 10% more unique key-column cells than the previous index.
The Endpoint Server transfers the full index file to the endpoint, rather than an incremental file, if one of the following
conditions is met:
• The remote endpoint does not have an index of the profile.
• The remote endpoint has a version of the index that is at least two versions older than the version of the index on
the server.
The index data is retained in the endpoint database for at least 24 hours after the EMDI profile is deleted on the Enforce
Server. The index stored in the endpoint database is deleted under one of the following conditions:
1. A new version of the profile is inserted and the old version was deleted before insertion.
2. A delete request for the same version is received more than 24 hours after the first delete request.
3. The agent is restarted and 24 hours have passed since the first delete request.

Configuring parameters for EMDI
You can configure various parameters for EMDI in the Indexer.properties file. Use caution when modifying these
settings. Changes to these settings do not take effect until after the server or endpoint is restarted.

Table 432: EMDI parameters in the Indexer.properties file

EMDI.MaxDuplicateCellsPercentage=1
    Default: 1
    Maximum percentage of duplicated key column cells in the index; the default value is 1%.
EMDI.MaxNonMatchingDIPercentage=1
    Default: 1
    Maximum percentage of key column cells that don't match the data identifier assigned to this profile; the default
    value is 1%.

A maximum of 5 values in the key column can have the same value. This is a different limit from
EMDI.MaxDuplicateCellsPercentage, which instead bounds the total number of duplicates in the index. The limit of 5 is
not configurable for EMDI.

Memory requirements for EMDI


Using EMDI in Symantec Data Loss Prevention deployments affects the hardware memory requirements for Symantec
Data Loss Prevention. In particular, EMDI affects the memory required to index the data source as well as the memory
required to load the index on the detection server, the appliance, and the endpoint.
Once you have established what your specific EMDI memory requirements are, you can evaluate how those
requirements affect the general system requirements for your Data Loss Prevention deployment. See the general
system requirements documentation for details.

EMDI memory configuration and limitations

The memory requirements for EMDI are related to several factors, including:
• Number of indexes you are building
• Total size of the indexes
• Number of cells in each index
These size limitations apply to EMDI indexes:
• The maximum number of rows supported is 4 million. This count does not include invalid rows.
• The maximum number of columns is 32.
• The number of invalid entries allowed is configurable in the Indexer.properties file. The default is 1%.
• A value from the required column can have a maximum of 5 duplicates. A specific value in the required column
cannot appear more than 5 times. This is not configurable to a greater value. The total number of duplicate
values in each required (or "key") column cannot exceed 1% of the values. This is configurable by editing
EMDI.MaxDuplicateCellsPercentage=1 in the properties file.
• The maximum number of supported cells is 128 million.
• If any of these limits is exceeded, index creation is terminated.
The table Workflow for determining memory requirements for EMDI indexes gives an overview of the steps that you can
follow to determine and set memory requirements for EMDI.

Table 433: Workflow for determining memory requirements for EMDI indexes

  Step 1: Determine the memory that is required to index the data source.
          For more information: Determining requirements for both local indexers and remote indexers for EMDI
  Step 2: Determine the memory that is required to load the index on the detection server or the endpoint.
          For more information: Detection server memory requirements for EMDI
  Step 3: Increase the detection server or endpoint memory according to your calculations.
          For more information: Increasing the memory for the detection server (File Reader) for EMDI;
          Properties file settings for EMDI
  Step 4: Repeat for each EMDI index you want to deploy.
Overview of configuring memory and indexing the data source for EMDI
The table Memory requirements for indexing the data source for EMDI provides the steps for determining how much
memory is needed to index the data source.

Table 434: Memory requirements for indexing the data source for EMDI

  Step 1: Estimate the memory requirements for the indexer.
          Details: Determining requirements for both local indexers and remote indexers for EMDI
  Step 2: Increase the indexer memory.
          Details: The procedure for increasing the indexer memory differs depending on whether you use the EMDI
          indexer local to the Enforce Server or the Remote EMDI Indexer.
  Step 3: Restart the Symantec DLP Manager service.
          Details: You must restart this service after you have changed the memory allocation.
  Step 4: Index the data source.
          Details: You need to index the data source before you calculate the remaining memory requirements.

See also: Configuring Exact Data profiles for EDM

Determining requirements for both local indexers and remote indexers for EMDI
This topic provides an overview of memory requirements for both the EMDI indexer that is local to the Symantec Data
Loss Prevention Enforce Server and for the Remote EMDI indexer.
You do not need to change the EMDI indexer default value of 2048 MB. Make sure that the system has enough additional
free memory in case of parallel indexing. The additional memory that is required depends on the number of required
and optional columns as well as the number of cells. In the following examples:
  R = number of required columns
  P = number of optional columns
  B = bytes per cell
The general formula is: B = 4 * R * P / (P + 1)
Example 1
For an index with 5 million cells (1 million rows x 5 columns), 1 required column, and 4 optional columns:
B = 4 * 1 * 4 / 5 = 3.2 bytes per cell
The total memory that is required for this index = 5 million * 3.2 = 16 MB
Example 2
For an index with 40 million cells (4 million rows x 10 columns), 1 required column, and 9 optional columns:
B = 4 * 1 * 9 / 10 = 3.6 bytes per cell
The total memory that is required for this index = 40 million * 3.6 = 144 MB
Example 3
For an index with 128 million cells (4 million rows x 32 columns), 1 required column, and 31 optional columns:
B = 4 * 1 * 31 / 32 = 3.875 bytes per cell
The total memory that is required for this index = 128 million * 3.875 = 496 MB
Detection server memory requirements for EMDI


The detection server should not use more than 60% of the memory of the computer. For example, if your detection server
needs 6 GB of memory to run, make sure that you have 10 GB on that server.
Default configuration for a detection server
The default configuration for a detection server has 4 GB and eight message chains. See the following formulas and the
table EMDI detection server Java heap memory settings and additional system memory examples to determine how to
calculate your actual memory requirements.
To load the index, the detection server needs, on average, 3.5 bytes per cell for system memory plus 1 GB Java heap
memory for each message chain in the detection server. The following examples show scenarios for a customer who has
three indexes that are all under the same schedule.
For Java heap memory requirements, the formula is:
Java heap memory requirement = the number of message chains * 1 GB.
For system memory requirements, the general formula is:
System memory requirement = number of cells * 3.5 bytes.
Detection Server memory settings
The Advanced Server settings property for the number of message chains is:
MessageChain.NumChains.

The Java heap memory settings for a detection server are set in the Enforce Server administration console at the Server
Detail - Advanced Server Settings page, using the BoxMonitor.FileReaderMemory property. The format is -Xrs -
Xms1200M -Xmx4G. You don't need to change the system memory setting, but make sure that the detection server has
enough free memory available.

NOTE
When you update this setting, change only the -Xmx value in this property. For example, change only "4G" to a
new value, and leave all other values the same.
The examples in the table EMDI detection server Java heap memory settings and additional system memory examples
show the settings for five different situations.

Table 435: EMDI detection server Java heap memory settings and additional system memory examples

  Example 1: 2 message chains, a 5 million cell index
    Calculation: Java heap memory requirement: 2 GB (default); system memory requirement: 5 million * 3.2 = 16 MB
    BoxMonitor.FileReaderMemory setting: -Xmx2G
    Additional system memory required: 16 MB
  Example 2: 4 message chains, five 40 million cell indexes
    Calculation: Java heap memory requirement: 4 * 1 GB = 4 GB; system memory requirement: 5 * 40 million * 3.6 = 720 MB
    BoxMonitor.FileReaderMemory setting: -Xmx4G
    Additional system memory required: 720 MB
  Example 3: 24 message chains, five 40 million cell indexes
    Calculation: Java heap memory requirement: 24 * 1 GB = 24 GB; system memory requirement: 10 * 128 million * 3.875 = 4960 MB
    BoxMonitor.FileReaderMemory setting: -Xmx24G
    Additional system memory required: 4.96 GB
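The sizing formulas above, as an added example that is not code from Symantec or from this guide: a small Python estimator that computes B = 4 * R * P / (P + 1) exactly, the per-index memory, the Java heap at 1 GB per message chain, and the 60% host rule, and that enforces the row, column and cell limits from EMDI memory configuration and limitations. The function names are my own, and MB and GB are taken as decimal units (10^6 and 10^9 bytes), which is how the worked examples arrive at 16 MB, 144 MB and 496 MB.

```python
"""EMDI memory estimator (added example, not Symantec code).

Formulas as stated in this section:
  bytes per cell   B = 4 * R * P / (P + 1)   (R required, P optional columns)
  index memory     = cells * B
  Java heap        = message chains * 1 GB
  host memory      = detection server memory / 0.6   (the 60% rule)
MB and GB are decimal units (10**6 and 10**9 bytes), matching the worked examples.
"""
from fractions import Fraction
from typing import List, Tuple

MB = 10 ** 6

# Hard limits from "EMDI memory configuration and limitations".
MAX_ROWS = 4_000_000
MAX_COLUMNS = 32
MAX_CELLS = 128_000_000


def bytes_per_cell(required: int, optional: int) -> Fraction:
    """B = 4 * R * P / (P + 1), kept exact so totals are not distorted by float rounding."""
    if required < 1 or optional < 1:
        raise ValueError("an EMDI index needs at least one required and one optional column")
    if required + optional > MAX_COLUMNS:
        raise ValueError(f"at most {MAX_COLUMNS} columns are supported")
    return Fraction(4 * required * optional, optional + 1)


def index_memory_mb(rows: int, required: int, optional: int) -> float:
    """Memory needed to index (and to load) one data source of rows x (R + P) cells, in MB."""
    if rows > MAX_ROWS:
        raise ValueError(f"at most {MAX_ROWS} rows are supported")
    cells = rows * (required + optional)
    if cells > MAX_CELLS:
        raise ValueError(f"at most {MAX_CELLS} cells are supported")
    return float(cells * bytes_per_cell(required, optional)) / MB


def detection_server_requirements(message_chains: int,
                                  indexes: List[Tuple[int, int, int]]) -> Tuple[float, float]:
    """Return (java_heap_gb, additional_system_mb) for a detection server that loads
    every index in `indexes`, each given as (rows, required, optional)."""
    if message_chains < 1:
        raise ValueError("a detection server has at least one message chain")
    heap_gb = float(message_chains)  # 1 GB of Java heap per message chain
    system_mb = sum(index_memory_mb(*ix) for ix in indexes)
    return heap_gb, system_mb


def host_memory_gb(detection_server_gb: float) -> float:
    """Physical memory the host needs so the detection server uses no more than 60% of it."""
    return detection_server_gb / 0.6


if __name__ == "__main__":
    # Example 1 above: 1 million rows x 5 columns, 1 required + 4 optional -> 3.2 bytes/cell, 16 MB
    print(float(bytes_per_cell(1, 4)), index_memory_mb(1_000_000, 1, 4))
    # Table 435, Example 2: 4 chains, five 40-million-cell indexes -> 4 GB heap, 720 MB system
    print(detection_server_requirements(4, [(4_000_000, 1, 9)] * 5))
    # A detection server that needs 6 GB should sit on a host with 10 GB
    print(host_memory_gb(6))
```

Example 3 of Table 435 derives its system memory from ten 128-million-cell indexes (10 * 128 million * 3.875), so to reproduce the 4960 MB figure pass `[(4_000_000, 1, 31)] * 10` with 24 message chains.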

Increasing the memory for the detection server (File Reader) for EMDI
This topic provides instructions for increasing the File Reader memory allocation for a detection server. These instructions
assume that you have performed the necessary calculations. See Determining requirements for both local indexers and
remote indexers for EMDI.
To increase the memory for detection server processing
1. In the Enforce Server administration console, navigate to the Server Detail - Advanced Server Settings screen for
the detection server where the EMDI index is deployed or to be deployed.
2. Locate the following setting: BoxMonitor.FileReaderMemory.
3. Change the -Xmx4G value in the following string to match the calculations you have made.
-Xrs -Xms1200M -Xmx4G -XX:PermSize=128M -XX:MaxPermSize=256M
For example: -Xrs -Xms1200M -Xmx11G -XX:PermSize=128M -XX:MaxPermSize=256M
4. Save the configuration and restart the detection server.
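The -Xmx edit in step 3, as an added example that is not Symantec code: a Python helper that rewrites only the -Xmx value in a BoxMonitor.FileReaderMemory string, copies -Xrs, -Xms and the PermSize flags through untouched, and refuses a maximum that would be smaller than the existing -Xms. The function name and the assumption that the new value is a whole number of gigabytes are mine; the setting string is the one shown in the procedure.

```python
"""Change only the -Xmx value of BoxMonitor.FileReaderMemory (added example, not Symantec code)."""
import re

_XMX = re.compile(r"-Xmx(\d+)([KkMmGg]?)")
_XMS = re.compile(r"-Xms(\d+)([KkMmGg]?)")
_UNIT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def _to_bytes(number: str, unit: str) -> int:
    return int(number) * _UNIT[unit.upper()]


def set_file_reader_max_heap(setting: str, required_gb: int) -> str:
    """Return `setting` with its -Xmx flag replaced by -Xmx<required_gb>G.

    All other flags (-Xrs, -Xms, -XX:PermSize, -XX:MaxPermSize) are copied through
    unchanged. Raises ValueError if there is no -Xmx flag, if required_gb is not a
    positive whole number, or if the new maximum would be below the -Xms initial heap
    (the JVM refuses to start when -Xms exceeds -Xmx)."""
    if not isinstance(required_gb, int) or required_gb < 1:
        raise ValueError("required_gb must be a positive whole number of gigabytes")
    m = _XMX.search(setting)
    if m is None:
        raise ValueError("setting contains no -Xmx flag")
    xms = _XMS.search(setting)
    if xms and _to_bytes(*xms.groups()) > required_gb * _UNIT["G"]:
        raise ValueError("-Xmx would be smaller than the existing -Xms")
    return setting[:m.start()] + f"-Xmx{required_gb}G" + setting[m.end():]


if __name__ == "__main__":
    current = "-Xrs -Xms1200M -Xmx4G -XX:PermSize=128M -XX:MaxPermSize=256M"
    print(set_file_reader_max_heap(current, 11))
    # -Xrs -Xms1200M -Xmx11G -XX:PermSize=128M -XX:MaxPermSize=256M
```

Paste the returned string back into the BoxMonitor.FileReaderMemory field in the Advanced Server Settings screen; the helper deliberately does not write to the console or the properties files itself.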

Profile size limitations on the DLP Agent for EMDI
By default, no profiles larger than 100 MB are sent to the DLP Agent. To change this default, edit the
EMDI.MaxEndpointProfileMemoryInMB setting in the Protect.properties file.

There is no limit on the number of 100 MB profiles that are sent to the agent. If you increase the default value for the
index or plan to deploy multiple indexes, you need to provision extra memory on your DLP Agents to accommodate these
increases.
NOTE
By default, deployment of EMDI profiles to DLP Agents is disabled (the property is set to false). To enable EMDI
deployments to DLP Agents, set the EMDI.EnabledOnAgents property in the Protect.properties file to true for each
DLP Agent.


Properties File Settings for EMDI


The EMDI settings listed in the table EMDI parameters configurable in properties files can be configured in the
Indexer.properties, ProfileIndexConfiguration.properties, and Protect.properties files. These settings enable EMDI on
the DLP Agent and control other EMDI metrics for columns, cells, log files, and profile memory usage.
The Protect.properties and ProfileIndexConfiguration.properties files are available on the Enforce Server and the
detection server.
The Indexer.properties file is available on the Enforce Server, and elsewhere only if you install the Remote Indexer for
EMDI, IDM, or EDM.
After you edit the properties file settings, make sure that you restart the service to implement your changes.
NOTE
The EMDI.MaxEndpointProfileMemoryInMB setting in the Protect.properties file can be adjusted both on the
Enforce Server and on the detection server. The setting on the Enforce Server is used by the UI to indicate whether
the profile is too large to be shipped to the DLP Agent. The setting on the detection server is the actual profile
limit. Keep both settings identical on the Enforce Server and on the detection servers to avoid confusion.

Table 437: EMDI parameters configurable in properties files

Protect.properties
  On the Enforce Server:
    C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\Protect.properties (Windows)
    /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config/Protect.properties (Linux)
  On the detection server:
    C:\Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\config\Protect.properties (Windows)
    /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/config/Protect.properties (Linux)

  EMDI.EnabledOnAgents (default: false)
    EMDI is disabled by default on DLP Agents. To enable EMDI on DLP Agents, set this property to true.
  EMDI.MaxEndpointProfileMemoryInMB (default: 100)
    Endpoint EMDI per-profile maximum memory usage in megabytes. This limit is per profile, not for all profiles
    combined.

Indexer.properties
  On the Enforce Server:
    C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\Indexer.properties (Windows)
    /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config/Indexer.properties (Linux)

  emdi_indexer_log_max_files (default: 100)
    The maximum number of log files for the EMDI indexer.
  EMDI.MaxDuplicateCellsPercentage (default: 1)
    The maximum integer percentage of duplicate cells in an index as a function of the number of rows.
  EMDI.MaxNonMatchingDIPercentage (default: 1)
    The maximum integer percentage of key column values that don't match a profile data identifier as a function of
    the number of rows.

ProfileIndexConfiguration.properties
  On the Enforce Server:
    C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\ProfileIndexConfiguration.properties (Windows)
    /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config/ProfileIndexConfiguration.properties (Linux)
  On the detection server:
    C:\Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\config\ProfileIndexConfiguration.properties (Windows)
    /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/config/ProfileIndexConfiguration.properties (Linux)

  emdi_matcher_log_max_files (default: 100)
    The maximum number of log files for the EMDI matcher.
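A consistency check for the Protect.properties settings in the table above, added here as an example that is not part of the product: it parses Java-style properties text from the Enforce Server and from each detection server, confirms that EMDI.EnabledOnAgents is true, and reports any detection server whose EMDI.MaxEndpointProfileMemoryInMB differs from the Enforce Server value, which the note above warns against. The parser and check functions are my own, and the file contents are constructed samples.

```python
"""Cross-server check of EMDI settings in Protect.properties (added example, not Symantec code)."""
from typing import Dict, List


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties parser: 'key = value' or 'key: value'; '#' and '!' start comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # the first '=' or ':' separates key from value
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def check_emdi_settings(enforce: str, detection_servers: Dict[str, str]) -> List[str]:
    """Return findings for the Enforce Server file and each detection server file
    (name -> file text). An empty list means the settings are consistent."""
    findings: List[str] = []
    ep = parse_properties(enforce)
    if ep.get("EMDI.EnabledOnAgents", "false").lower() != "true":
        findings.append("Enforce: EMDI.EnabledOnAgents is not true; EMDI profiles will not reach DLP Agents")
    limit = ep.get("EMDI.MaxEndpointProfileMemoryInMB", "100")  # product default is 100 MB
    if not limit.isdigit():
        findings.append(f"Enforce: EMDI.MaxEndpointProfileMemoryInMB is not an integer: {limit!r}")
    for name, text in detection_servers.items():
        d_limit = parse_properties(text).get("EMDI.MaxEndpointProfileMemoryInMB", "100")
        if d_limit != limit:
            findings.append(f"{name}: EMDI.MaxEndpointProfileMemoryInMB={d_limit} differs from Enforce ({limit}); "
                            "the detection server value is the limit actually enforced")
    return findings


# Constructed sample files (not from a real deployment).
ENFORCE = """# Protect.properties on the Enforce Server
EMDI.EnabledOnAgents = true
EMDI.MaxEndpointProfileMemoryInMB = 100
"""
DETECTION = {
    "detect-01": "EMDI.MaxEndpointProfileMemoryInMB = 100\n",
    "detect-02": "# raised locally, never mirrored on Enforce\nEMDI.MaxEndpointProfileMemoryInMB = 250\n",
}

if __name__ == "__main__":
    for finding in check_emdi_settings(ENFORCE, DETECTION):
        print("WARN", finding)
```

Run it against copies of the files from each server after every change; a detection server that silently enforces a different limit than the one the Enforce Server UI displays is exactly the confusion the note describes.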

Best practices for using EMDI


Consider the recommendations in this section when you implement EMDI, to ensure that your EMDI policies are as
accurate as possible. Best practices are not intended to provide detailed troubleshooting guidance. Following these best
practices enables you to create a solid implementation and reduces the need for troubleshooting and support.

Table 438: Summary of EMDI Best Practices

  Best practice: Never use any personally identifiable information (PII) as an optional column.
    More information: Never use a personal identifier as an optional column in EMDI
  Best practice: Use three or more columns in a match.
    More information: Use three or more columns in a match for EMDI
  Best practice: Don't use EMDI validators as both optional and required for a given data identifier in a policy.
    More information: Don't use EMDI validators as both optional and required for a given data identifier in a policy
  Best practice: Use additional validators with EMDI where possible.
    More information: Use additional validators with EMDI where possible
  Best practice: Limit the required number of columns to no more than two or three.
    More information: Limit the required number of columns to two or three for EMDI
  Best practice: When matching with only a single optional column, avoid adding low-variability values as optional columns.
    More information: When matching with only a single optional column, avoid adding low-variability values as
    optional columns with EMDI
  Best practice: Use full disk encryption on endpoint deployments.
    More information: Use full disk encryption on EMDI endpoint deployments
  Best practice: Eliminate duplicate rows and blank columns before indexing.
    More information: Cleanse the EMDI data source file of blank columns and duplicate rows
  Best practice: To reduce false positives, avoid single characters, quotes, abbreviations, numeric fields with fewer
    than 5 digits, and dates.
    More information: Remove ambiguous character types from the EMDI data source file
  Best practice: Clean up your data source for multi-token cell matching.
    More information: Clean up your EMDI data source for multi-token matching
  Best practice: Use the pipe (|) character to delimit columns in your data source.
    More information: Do not use the comma delimiter if the EMDI data source has number fields
  Best practice: Ensure that the EMDI data source is clean for indexing.
    More information: Ensure that the EMDI data source is clean for indexing
  Best practice: Include the column headers as the first row of the data source file.
    More information: Include column headers as the first row of the EMDI data source file
  Best practice: Check the system alerts to tune Exact Match Data Identifier profiles.
    More information: Check the EMDI system alerts to tune profile accuracy
  Best practice: Automate profile updates with scheduled indexing.
    More information: Use scheduled indexing to automate EMDI profile updates

Never use a personal identifier as an optional column in EMDI


Map any personal identifier as a required column. Never use any personal identifier such as an SSN, Credit Card Number,
or Bank Account Number as an optional column.

Use three or more columns in a match for EMDI


Use three or more columns in a match to minimize false positives.

Don’t use EMDI validators as both optional and required for a given data
identifier in a policy
Do not use an EMDI validator in-line in a policy for a data identifier condition when the data identifier has already been
configured to use an EMDI validator.

Use additional validators with EMDI where possible


Use an additional validator, such as a Luhn check for a credit card number. These additional validators are applied
before the EMDI lookup; they reduce the number of false positives and improve performance.

Limit the required number of columns to two or three for EMDI


Try to limit the required number of columns to no more than two or three. The memory used by a profile grows linearly
with the number of required columns.

When matching with only a single optional column, avoid adding low-variability
values as optional columns with EMDI
When matching with a single optional column, avoid adding very low-variability values such as States or 5-digit ZIP Codes
as optional columns. Low variability values increase the likelihood of false positives.

Use full disk encryption on EMDI endpoint deployments


For endpoint deployments, we recommend full disk encryption on the device.

Cleanse the EMDI data source file of blank columns and duplicate rows
The data source file should be as clean as possible before you create the EMDI index, otherwise the resulting profile may
create false positives.
When you create the data source file, avoid including empty cells or blank columns. Blank columns or fields count as
errors when you generate the EMDI profile. A data source error is either an empty cell or a cell with the wrong type of
data (for example, a name in a phone number column). The error threshold is the maximum percentage of rows that may
contain errors before indexing stops. If the errors exceed the error threshold percentage for the profile (by default, 5%),
the system stops indexing and displays an indexing error message.
The best practice is to remove blank columns and empty cells from the data source file, rather than increasing the error
threshold. Keep in mind that if you have many empty cells, it may require a 100% error threshold for the system to create
the profile. If you specify 100% as the error threshold, the system indexes the data source without checking for errors.
In addition, do not fill empty cells or blank fields with fake data so that the error threshold is met. Adding fake or "null" data
to the data source file reduces the accuracy of the EMDI profile and is discouraged. Content you want to monitor should
be legitimate and not null.

Remove ambiguous character types from the EMDI data source file
The data source file must not contain extraneous spaces, punctuation, or inconsistently populated fields. You can
use tools such as Stream Editor (sed) and AWK to remove these items from your data source file or files before indexing
them.
The table Characters to avoid in the EMDI data source file lists the characters to avoid in the data source file.

Table 439: Characters to avoid in the EMDI data source file

  Single characters: Single character fields should be eliminated from the data source file. These are more likely to
    cause false positives, since a single character appears frequently in normal communications.
  Abbreviations: Abbreviated fields should be eliminated from the data source file for the same reason as single
    characters.
  Quotes: Text fields should not be enclosed in quotes.
  Small numbers: Indexing numeric fields that contain fewer than 5 digits is not recommended because it likely yields
    many false positives.
  Dates: Date fields are also not recommended. Dates are treated like a string, so if you index a date, such as
    12/6/2007, the string has to match exactly. The indexer only matches 12/6/2007, and not any other date formats,
    such as Dec 6, 2007, 12-6-2007, or 6 Dec 2007. It must be an exact match.

Clean up your EMDI data source for multi-token matching


An EMDI validator performs a full-text search in a proximity of 50 tokens from a Data Identifier match, checking each
token (except those that are excluded because of ignored columns in the data source) for potential matches.
If a cell in the data profile contains multiple words that are separated by spaces, punctuation, or alternative Latin and
Chinese, Japanese, and Korean (CJK) language characters, the cell is a multi-token cell. The sub-token parts of a multi-
token cell obey the same rules as single-token cells: they are normalized according to their pattern where normalization
can apply.
If a cell contains a multi-token, the multi-token must match exactly. For example, a column field with the value "Joe Brown"
is a multi-token cell (assuming that multi-token matching is enabled). At run-time the processor looks to match the exact
string "Joe Brown", including the space (multiple spaces are normalized to one). The system does not match on "Joe" and
"Brown" if they are detected as single tokens.
Finally, do not change the WIP setting from "true" to "false" unless you are sure that is the result you want to achieve. You
should only set WIP = false when you need to loosen the matching criteria, such as account numbers where formatting
may change across messages. Make sure that you test detection results to ensure that you get the matches that you
expect.
NOTE
For the sake of brevity, the Lexer.IncludePunctuationInWords parameter is referred to by the three-letter
acronym "WIP."

Do not use the comma delimiter if the EMDI data source has number fields
Of the four types of column delimiters that you can choose from for separating the fields in the data source file (pipe, tab,
semicolon, or comma), the pipe, semicolon, or tab (default) are recommended. The comma delimiter is ambiguous and
should not be used, especially if one or more fields in your data source contain numbers. If you use a comma-delimited
data source file, make sure there are no commas in the data set other than those used as column delimiters.
NOTE
The system also treats the pound sign, equals sign, plus sign, and colon characters as separators, but you
should not use these because like the comma their meaning is ambiguous.

Ensure that the EMDI data source is clean for indexing


The following list summarizes a cleansed data source that is ready for indexing:

• It contains at least one Required (key) column and one Optional column.
• It is not a single-column data source; it has two or more columns.
• Empty cells and rows and blank columns are removed.
• Incomplete and duplicate records are removed.
• The number of faulty cells is below the default error rate (5%) for indexing.
• Fake data is not used to fill in blank cells or rows.
• Improper and ambiguous characters are removed.
• Multi-tokens comply with space and memory requirements.
• Column fields are validated against the system-defined patterns that are available.
• Mappings are validated against policy templates where applicable.
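The limits from EMDI memory configuration and limitations and the cleansing rules from the best-practice sections above, as an added example that is not Symantec code: a Python pre-index check for a pipe-delimited data source with a header row. It reports blank columns, empty and duplicate rows, rows above the 5% error threshold, key-column values repeated more than 5 times or duplicates above 1% of rows, and the ambiguous field types from the Characters to avoid table; findings count cells but never echo their contents. The function names, the constructed sample rows and the simple regular expressions for small numbers and dates are my assumptions, and abbreviations are left to manual review because they cannot be told apart mechanically.

```python
"""Pre-index checks for an EMDI data source (added example, not Symantec code).
Applies the row/column/cell limits, the blank-column, empty-row and duplicate-row
rules, the 5% error threshold, the key-column duplicate limits and the ambiguous
field types from this section. Abbreviations are left to manual review."""
import re
from collections import Counter

MAX_ROWS, MAX_COLUMNS, MAX_CELLS = 4_000_000, 32, 128_000_000
ERROR_THRESHOLD_PCT = 5        # default profile error threshold
MAX_KEY_REPEATS = 5            # fixed limit per key-column value
MAX_DUPLICATE_CELLS_PCT = 1    # EMDI.MaxDuplicateCellsPercentage default

_SMALL_NUMBER = re.compile(r"^\d{1,4}$")                 # fewer than 5 digits
_DATE = re.compile(r"^\d{1,2}[/-]\d{1,2}[/-]\d{2,4}$")   # e.g. 12/6/2007 (assumed format)


def classify_cell(value: str) -> str:
    """Return '' for an acceptable cell, otherwise the problem category."""
    if value == "":
        return "empty"
    if len(value) == 1:
        return "single character"
    if value[0] in "\"'" or value[-1] in "\"'":
        return "quoted"
    if _SMALL_NUMBER.match(value):
        return "number with fewer than 5 digits"
    if _DATE.match(value):
        return "date"
    return ""


def validate_data_source(text: str, key_column: str, delimiter: str = "|") -> dict:
    """Return {'ok': bool, 'rows': int, 'findings': [str]}; any 'error:' finding clears ok.
    Findings count cells but never echo them, so the report can be logged without leaking PII."""
    lines = text.splitlines()
    if not lines:
        return {"ok": False, "rows": 0, "findings": ["error: file is empty"]}
    header = [h.strip() for h in lines[0].split(delimiter)]
    data = [[v.strip() for v in ln.split(delimiter)] for ln in lines[1:] if ln.strip()]
    n_rows, n_cols = len(data), len(header)
    if key_column not in header:
        return {"ok": False, "rows": n_rows, "findings": [f"error: key column {key_column!r} not in header"]}
    key = header.index(key_column)
    findings = []
    if n_cols < 2:
        findings.append("error: need at least one required and one optional column")
    if n_cols > MAX_COLUMNS:
        findings.append(f"error: {n_cols} columns exceeds the limit of {MAX_COLUMNS}")
    if n_rows > MAX_ROWS:
        findings.append(f"error: {n_rows} rows exceeds the limit of {MAX_ROWS}")
    if n_rows * n_cols > MAX_CELLS:
        findings.append(f"error: {n_rows * n_cols} cells exceeds the limit of {MAX_CELLS}")
    empty_rows = len(lines) - 1 - n_rows
    if empty_rows:
        findings.append(f"warning: {empty_rows} empty row(s); remove them before indexing")
    for c, name in enumerate(header):
        if all(c >= len(r) or r[c] == "" for r in data):
            findings.append(f"error: column {name!r} is blank; remove it before indexing")
    dup_rows = sum(n - 1 for n in Counter(tuple(r) for r in data).values() if n > 1)
    if dup_rows:
        findings.append(f"warning: {dup_rows} duplicate row(s); remove them before indexing")
    # Error threshold: rows with a missing or empty cell, as a percentage of all rows.
    bad_rows = sum(1 for r in data if len(r) != n_cols or "" in r)
    if n_rows and 100.0 * bad_rows / n_rows > ERROR_THRESHOLD_PCT:
        findings.append(f"error: {bad_rows} of {n_rows} rows have empty or missing cells, "
                        f"above the {ERROR_THRESHOLD_PCT}% threshold")
    # Key-column duplicates: the fixed per-value limit and the configurable percentage.
    keys = Counter(r[key] for r in data if len(r) > key and r[key])
    for n in keys.values():
        if n > MAX_KEY_REPEATS:
            findings.append(f"error: a key value appears {n} times (limit {MAX_KEY_REPEATS})")
    dup_keys = sum(n - 1 for n in keys.values() if n > 1)
    if n_rows and 100.0 * dup_keys / n_rows > MAX_DUPLICATE_CELLS_PCT:
        findings.append(f"error: {dup_keys} duplicate key cell(s) exceed {MAX_DUPLICATE_CELLS_PCT}% of rows")
    # Ambiguous field types, reported per column so the extract can be fixed at its source.
    for c, name in enumerate(header):
        for kind, n in Counter(classify_cell(r[c]) for r in data if c < len(r)).items():
            if kind and kind != "empty":
                findings.append(f"warning: column {name!r} has {n} cell(s) of type '{kind}'")
    return {"ok": not any(f.startswith("error") for f in findings), "rows": n_rows, "findings": findings}


# Constructed samples (not real data). DIRTY has a blank column, a duplicate row,
# a quoted name, a 4-digit number and a date; CLEAN passes every check.
DIRTY = """ssn|last_name|city|notes|zip
123-45-6789|Brown|Springfield||62704
987-65-4321|"Jones"|Shelbyville||4621
555-12-3456|Smith|Capital City||12/6/2007
555-12-3456|Smith|Capital City||12/6/2007
"""
CLEAN = """ssn|last_name|city
123-45-6789|Brown|Springfield
987-65-4321|Jones|Shelbyville
"""

if __name__ == "__main__":
    for finding in validate_data_source(DIRTY, key_column="ssn")["findings"]:
        print(finding)
```

Run the check on the extract before copying it to the Enforce Server; fix the findings at the source system rather than by raising the error threshold, which is the point the cleansing section makes.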

Include column headers as the first row of the EMDI data source file
When you extract the source data to the data source file, you should include the column headers as the first row in the
data source file. Including the column headers makes it easier for you to identify the data you want to use in your policies.
The column names reflect the column mappings that were created when the exact data profile was added. If there is an
unmapped column, it is called Col X, where X is the column number (starting with 1) in the original data profile.

Check the EMDI system alerts to tune profile accuracy


You should always review the system alerts after creating the Exact Match Data Identifier profile. The system alerts
provide very specific information about problems you encounter when you create the profile. For example, an SSN in an
address field affects accuracy.

Use scheduled indexing to automate EMDI profile updates


When you configure an Exact Match Data Identifier Profile, you can set a schedule for indexing the data source file.
Index scheduling lets you decide when you want to index the data source file. For example, instead of indexing the
data source at the same time that you define the profile, you can schedule it for a later date. Alternatively, if you need to
reindex the data source on a regular basis, you can schedule indexing to occur on a regular basis. Before you set up an
index schedule, consider the following:
• If you update your data sources occasionally (for example, less than once a month), generally there is no need to
create a schedule. Index the data each time you update the data source.
• Schedule indexing for times of minimal system use. Indexing affects performance throughout the Symantec Data Loss
Prevention system, and large data sources can take time to index.
• Index a data source as soon as you add or modify the corresponding exact data profile, and re-index the data source
whenever you update it. For example, consider a scenario whereby every Wednesday at 2:00 P.M. you generate an
updated data source file. In this case you could schedule indexing every Wednesday at 3:00 P.M. This would give you
enough time to cleanse the data source file and copy it to the Enforce Server.
• Do not index data sources daily. Daily indexing can degrade performance.
• Monitor results and modify your indexing schedule accordingly. If performance is good and you want more timely
updates, for example, schedule more frequent data updates and indexing.

Never use a personal identifier as an optional column in EMDI


Map any personal identifier as a required column. Never use any personal identifier such as an SSN, Credit Card Number,
or Bank Account Number as an optional column.

887
Use three or more columns in a match for EMDI
Use three or more columns in a match to minimize false positives.

Don’t use EMDI validators as both optional and required for a given data
identifier in a policy
Do not use an EMDI validator in-line in a policy for a data identifier condition when the data identifier has already been
configured to use an EMDI validator.

Use additional validators with EMDI where possible


Use an additional validator, such as a Luhn check for a Credit Card. These additional validators are applied before the
EMDI lookup and reduce the number of false positives, as well as improving performance.

Limit the required number of columns to two or three for EMDI


Try to limit the required number of columns to no more than two or three. The memory used by a profile grows linearly
with the number of required columns.

When matching with only a single optional column, avoid adding low-variability
values as optional columns with EMDI
When matching with a single optional column, avoid adding very low-variability values such as States or 5-digit ZIP Codes
as optional columns. Low variability values increase the likelihood of false positives.

Use full disk encryption on EMDI endpoint deployments


For endpoint deployments, we recommend full disk encryption on the device.

Remove ambiguous character types from the EMDI data source file
You cannot have extraneous spaces, punctuation, and inconsistently populated fields in the data source file. You can
use tools such as Stream Editor (sed) and AWK to remove these items from your data source file or files before indexing
them.
Characters to avoid in the EMDI data source file list characters to avoid in the data source file.

Table 440: Characters to avoid in the EMDI data source file

Characters to avoid Second column header: Explanation

Single characters Single character fields should be eliminated from the data source
file. These are more likely to cause false positives, since a single
character appears frequently in normal communications.
Abbreviations Abbreviated fields should be eliminated from the data source file
for the same reason as single characters.
Quotes Text fields should not be enclosed in quotes.
Small numbers Indexing numeric fields that contain fewer than 5 digits is not
recommended because it likely yields many false positives.

888
Characters to avoid Second column header: Explanation

Dates Date fields are also not recommended. Dates are treated like a
string, so if you index a date, such as 12/6/2007, the string has
to match exactly. The indexer only matches 12/6/2007, and not
any other date formats, such as Dec 6, 2007, 12-6-2007, or 6 Dec
2007. It must be an exact match.

Clean up your EMDI data source for multi-token matching


An EMDI validator performs a full-text search in a proximity of 50 tokens from a Data Identifier match, checking each
token (except those that are excluded because of ignored columns in the data source) for potential matches.
If a cell in the data profile contains multiple words that are separated by spaces, punctuation, or alternative Latin and
Chinese, Japanese, and Korean (CJK) language characters, the cell is a multi-token cell. The sub-token parts of a multi-
token cell obey the same rules as single-token cells: they are normalized according to their pattern where normalization
can apply.
If a cell contains a multi-token, the multi-token must match exactly. For example, a column field with the value “Joe Brown”
is a multi-token cell (assuming that multi-token matching is enabled). At run-time the processor looks to match the exact
string "Joe Brown,” including the space (multiple spaces are normalized to one). The system does not match on "Joe" and
"Brown" if they are detected as single tokens.
Finally, do not change the WIP setting from "true" to "false" unless you are sure that is the result you want to achieve. You
should only set WIP = false when you need to loosen the matching criteria, such as account numbers where formatting
may change across messages. Make sure that you test detection results to ensure that you get the matches that you
expect.
NOTE
For the sake of brevity, the Lexer.IncludePunctuationInWords parameter is referred to by the three-letter
acronym "WIP."

Cleanse the EMDI data source file of blank columns and duplicate rows
The data source file should be as clean as possible before you create the EMDI index, otherwise the resulting profile may
create false positives.
When you create the data source file, avoid including empty cells or blank columns. Blank columns or fields count as
errors when you generate the EMDI profile. A data source error is either an empty cell or a cell with the wrong type of
data (a name appearing in a phone number column). The error threshold is the maximum percentage of rows that contain
errors before indexing stops. If the errors exceed the error threshold percentage for the profile (by default, 5%), the
system stops indexing and displays an indexing error message.
The best practice is to remove blank columns and empty cells from the data source file, rather than increasing the error
threshold. Keep in mind that if you have many empty cells, it may require a 100% error threshold for the system to create
the profile. If you specify 100% as the error threshold, the system indexes the data source without checking for errors.
In addition, do not fill empty cells or blank fields with fake data so that the error threshold is met. Adding fake or "null" data
to the data source file reduces the accuracy of the EMDI profile and is discouraged. Content you want to monitor should
be legitimate and not null.
Do not use the comma delimiter if the EMDI data source has number fields
Of the four types of column delimiters that you can choose from for separating the fields in the data source file (pipe, tab,
semicolon, or comma), the pipe, semicolon, or tab (default) are recommended. The comma delimiter is ambiguous and
should not be used, especially if one or more fields in your data source contain numbers. If you use a comma-delimited
data source file, make sure there are no commas in the data set other than those used as column delimiters.
NOTE
The system also treats the pound sign, equals sign, plus sign, and colon characters as separators, but you
should not use these because like the comma their meaning is ambiguous.

Ensure that the EMDI data source is clean for indexing


The following list summarizes a cleansed data source that is ready for indexing:
• It contains at least one Required (key) column and one Optional column.
• It is not a single-column data source; it has two or more columns.
• Empty cells and rows and blank columns are removed.
• Incomplete and duplicate records are removed.
• The number of faulty cells is below the default error rate (5%) for indexing.
• Fake data is not used to fill in blank cells or rows.
• Improper and ambiguous characters are removed.
• Multi-tokens comply with space and memory requirements.
• Column fields are validated against the system-defined patterns that are available.
• Mappings are validated against policy templates where applicable.

Include column headers as the first row of the EMDI data source file
When you extract the source data to the data source file, you should include the column headers as the first row in the
data source file. Including the column headers makes it easier for you to identify the data you want to use in your policies.
The column names reflect the column mappings that were created when the exact data profile was added. If there is an
unmapped column, it is called Col X, where X is the column number (starting with 1) in the original data profile.

Check the EMDI system alerts to tune profile accuracy


You should always review the system alerts after creating the Exact Match Data Identifier profile. The system alerts
provide very specific information about problems you encounter when you create the profile. For example, an SSN in an
address field affects accuracy.

Use scheduled indexing to automate EMDI profile updates


When you configure an Exact Match Data Identifier Profile, you can set a schedule for indexing the data source file.
Index scheduling lets you decide when you want to index the data source file. For example, instead of indexing the
data source at the same time that you define the profile, you can schedule it for a later date. Alternatively, if you need to
reindex the data source on a regular basis, you can schedule indexing to occur on a regular basis. Before you set up an
index schedule, consider the following:

• If you update your data sources occasionally (for example, less than once a month), generally there is no need to
create a schedule. Index the data each time you update the data source.
• Schedule indexing for times of minimal system use. Indexing affects performance throughout the Symantec Data Loss
Prevention system, and large data sources can take time to index.
• Index a data source as soon as you add or modify the corresponding exact data profile, and re-index the data source
whenever you update it. For example, consider a scenario whereby every Wednesday at 2:00 P.M. you generate an
updated data source file. In this case you could schedule indexing every Wednesday at 3:00 P.M. This would give you
enough time to cleanse the data source file and copy it to the Enforce Server.
• Do not index data sources daily. Daily indexing can degrade performance.
• Monitor results and modify your indexing schedule accordingly. For example, if performance is good and you want more
timely updates, schedule more frequent data updates and indexing.

Match on two or more optional columns in an EMDI condition to increase detection accuracy
In a structured data format such as a database, each row represents one record, with each record containing related
values for each column data field. Thus, for an EMDI policy rule condition to match, all the data must come from the same
row or record of data.
When you define an EMDI rule, you must select the fields that must be present to be a match. We recommend that you
match on at least two optional columns in addition to the required column.
Consider the following example. You want to create an EMDI policy condition based on an Exact Match Data Profile that
contains the following five columns of indexed data:
• First Name
• Last Name
• Social security number (SSN) - Key column
• Phone Number
• Email Address
If you select all four optional columns to be included in the policy, consider the possible results based on the number of
fields you require for each match.
If you choose "one additional column" to match, the policy might generate a large number of false positives because the
name is not unique enough. If you choose "two additional optional columns" (or more) to match, the policy is much more
accurate. Using two optional columns is more accurate because the combinations that generate an incident (for example,
SSN + First + Last, SSN + Phone Number + Email Address, SSN + First + phone number, and so on) provide enough
discrimination.
Whatever number of fields you choose to match, ensure that you include the column with the most unique data, and that
you match at least one optional column.

Use the minimum matches field to fine-tune EMDI rules


The minimum matches field (matching count threshold) is useful for fine-tuning the sensitivity of an EMDI rule. For
example, one employee’s first and last name in an outgoing email may be acceptable. However, the first and last names
of 100 employees constitute a serious breach. Another example might be a last name and social security number policy.
The policy might allow an employee to send information to a doctor, but the sending of two last names and social security
numbers is suspicious.

EMDI Troubleshooting
Scan the following problems and solutions before you call Symantec support. Also, follow EMDI Best Practices to avoid
problems in your EMDI deployment.
Best practices for using EMDI

The EMDI index doesn’t get published to the Endpoint Agent


Solution: Verify that the parameter EMDI.EnabledOnAgents = true in the Protect.properties file on each endpoint
server.

The EMDI index doesn’t get published to the Endpoint Agent and the
EnabledOnAgents setting is true
Solution: Verify that the EMDI.MaxEndpointProfileMemoryInMB parameter in the Protect.properties file on each
endpoint server is set to a value larger than the index size.

A key column that is in an EMDI index doesn’t generate an incident


Solution: If the Data Identifier in the key (required) column is associated with other validators, make sure that the value
passes these validators. Disable the validation against the EMDI profile to see if an incident is generated against the same
file or message.

EMDI generates an unexpectedly high number of false positives


Solution: Increase the minimum number of optional columns required for a match or remove any optional columns that
contain a large number of repeated values (for example, state or ZIP Code).

Introducing Exact Data Matching (EDM)
Exact Data Matching (EDM) is designed to protect your most sensitive content. You can use EDM to detect structured,
tabular data, including personally identifiable information (PII). EDM is designed to find records that are part of an indexed
data source in either structured or unstructured targets. Some examples are social security numbers, bank account
numbers, and credit card numbers. You can also detect confidential customer and employee records, price list entries,
parts from a parts list, and other confidential data stored in a structured data source, such as a database, directory server,
or a structured data file such as CSV or spreadsheet.
To implement EDM policies, you identify and prepare the data you want to protect. You create an Exact Data Profile and
index the structured data source using the Enforce Server administration console, or remotely using the Remote EDM
Indexer. During the indexing process, the system indexes the data by accessing and extracting the text-based content,
normalizing it, and securing it using a nonreversible hash. You can schedule indexing on a regular basis after you have
pulled current data from the data source to ensure that the EDM index reflects the current data.
Once you have profiled the data, you configure the Content Matches Exact Data condition to match individual pieces
of the indexed data. For increased accuracy you can configure the condition to match combinations of data fields from a
particular record. The EDM policy condition matches on data coming from the same row or record of data. For example,
you can configure the EDM policy condition to look for any three of First Name, Last Name, SSN, Account Number, or
Phone Number occurring together in a message and corresponding to a record from your customer database.
Once the policy is deployed to one or more detection servers, cloud detection services, or appliances, the system can
detect the data fields (or records) that you have profiled in either structured or unstructured format. For example, you
could deploy the EDM policy to a Network Discover Server and scan data repositories for confidential data matching
data records in the index. You could also deploy the EDM policy to a Network Prevent for Email Server to detect records
in email communications and attachments, such as Microsoft Word files. If the attachment is a spreadsheet, such as
Microsoft Excel, the EDM policy can detect the presence of confidential records there as well.
About the Exact Data Profile and index

About using EDM to protect content


To understand how EDM works, consider the following example. Your company maintains an employee database
that contains the following column fields:
• First Name
• Last Name
• SSN
• Date of Hire
• Salary
In a structured data format such as a database, each row represents one record, with each record containing values for
each column data field. In this example, each row in the database contains information for one employee, and you can
use EDM to protect each record. For example, one row in the data source file contains the following pipe ("|") delimited
record:
First Name | Last Name | SSN | Date of hire | Salary
Bob | Smith | 123-45-6789 | 05/26/99 | $42500

You create an Exact Data Profile and index the data source file. When you configure the profile, you map the data field
columns to system-defined patterns and validate the data. You then configure the EDM policy condition that references
the Exact Data Profile. In this example, the condition matches if a message contains all five data fields.
The detection server reports a match if it detects the following in any inbound message:
Bob Smith 123-45-6789 05/26/99 $42500
But, a message containing the following does not match because that record is not in the index:
Betty Smith 000-00-0000 05/26/99 $42500
If you limited the condition to matching only the Last Name, SSN, and Salary column fields, the following message is a
match because it meets the criteria:
Robert, Smith, 123-45-6789, 05/29/99, $42500
Finally, the following message contents do not match because the value for the SSN is not present in the profile:
Bob, Smith, 415-789-0000, 05/26/99, $42500
Configuring Exact Data profiles for EDM

EDM policy features


EDM policy matching involves searching for indexed content in a given message or file and generating an
incident if a match is found within the defined proximity range. The proximity range can be changed by editing the
EDM.SimpleTextProximityRadius Advanced Server setting.

Policy matching features of EDM include the following:


• You can select any number of columns to be matched from a given data source.
• You can define excluded combinations so that matches against those combinations are not reported.
• When the system creates the index, it provides pattern validation for social security numbers, credit card numbers,
U.S. and Canada phone numbers and ZIP codes, email and IP addresses, numbers, percents, and fields containing
other values.
• There is an editable stopword dictionary that you can use to prevent single-token stopwords from matching; it keeps
EDM from treating articles and prepositions as possible field matches. Stopwords are common words, such as articles
and prepositions. Stopwords are not indexed.
• The system provides match highlighting at the incident snapshot screen: tokens from matching rows are highlighted.
• You can use a WHERE clause in the EDM rule and matches that do not satisfy the WHERE clause are ignored. For
example, you can use a WHERE clause to only match on records where the customer's country is the United States.
• You can use Data Owner Exception to ignore detection based on the sender or recipient's email address or domain.
Data owner exception lets you tag or authorize a specific field in an Exact Data Profile as the data owner. At run-time if
the sender or recipient of the data is authorized as a data owner, the condition does not trigger a match and the data is
sent or received by the data owner.
• You can use profiled Directory Group Matching (DGM) to match on senders or recipients of data based on email
address or Windows user name.
• A proximity matching range that is proportional to the number of required matches set in the policy condition.
• Full support for single- and multi-token cell indexing and matching. A multi-token is a cell that is indexed that contains
two or more words. Since a single CJK (Chinese, Japanese, Korean) character is regarded as a token, two or more
CJK characters are regarded as a multi-token.
EDM policy templates

EDM policy Templates


Symantec Data Loss Prevention provides several policy templates that feature EDM. If you use one of these
templates, the system lets you validate your Exact Data Profile against the template when you are configuring the
profile.
• Caldicott Report
Caldicott Report policy template
• Customer Data Protection
Customer Data Protection policy template
• Data Protection Act 1998
Data Protection Act 1998 policy template
• Employee Data Protection
Employee Data Protection policy template
• EU Data Protection Directives
Data Protection Directives (EU) policy template
• Export Administration Regulations (EAR)
Export Administration Regulations (EAR) policy template
• FACTA 2003 (Red Flag Rules)
• General Data Protection Regulation (GDPR) Banking and Finance
General Data Protection Regulation (Banking and Finance)
• General Data Protection Regulation (GDPR) Digital Identity
General Data Protection Regulation (Banking and Finance)
• General Data Protection Regulation (GDPR) Government Identification
General Data Protection Regulation (Government Identification)
• General Data Protection Regulation (GDPR) Healthcare and Insurance
General Data Protection Regulation (Healthcare and Insurance)
• General Data Protection Regulation (GDPR) Personal Profile
General Data Protection Regulation (Personal Profile)
• General Data Protection Regulation (GDPR) Travel
General Data Protection Regulation (Travel)
• Gramm-Leach-Bliley
Gramm-Leach-Bliley policy template
• HIPAA and HITECH (including PHI)
HIPAA and HITECH (including PHI) policy template
• Human Rights Act 1998
Human Rights Act 1998 policy template
• International Traffic in Arms Regulations (ITAR)
International Traffic in Arms Regulations (ITAR) policy template
• Payment Card Industry Data Security Standard
Payment Card Industry (PCI) Data Security Standard policy template
• PIPEDA
PIPEDA policy template
• Price Information
Price Information policy template
• Resumes
Resumes policy template
• State Data Privacy
SEC Fair Disclosure Regulation policy template
Creating and modifying Exact Data Profiles for EDM
Leverage EDM policy templates when possible

About the Exact Data Profile and index


The Exact Data Profile is the user-defined configuration that you create before indexing to index the data source. The
index is a set of secure files that contain hashes of the exact data values from each field in your data source, along with
information about those data values. The index does not contain the data values themselves.

The index that is generated consists of 19 binary DataSource.rdx files, each sized to fit into random access
memory (RAM) on the detection server(s). By default, Symantec Data Loss Prevention stores index files in
C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\Protect\index (on Windows) or in
/var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/Protect/index (on Linux) on the Enforce Server.
Symantec Data Loss Prevention automatically deploys all EDM indexes (*.rdx files) to the index directory on all
detection servers. When an active policy that references an EDM profile is deployed to a detection server, the detection
server loads the corresponding EDM index into RAM. If a new detection server is added after an index has been created,
the *.rdx files in the index folder on the Enforce Server are deployed to the index folder on the new detection server.
You cannot manually deploy index files to detection servers.
At run-time during detection, the system converts extracted content into hashed data values using the same algorithm it
employs for indexes. It then compares data values from input content to those in the appropriate index file(s), identifying
matches.
Creating and modifying Exact Data Profiles for EDM
Memory requirements for EDM

About the exact data source file


The data source file is a tabular file containing data in a standard delimited format (comma, semicolon, pipe, or tab) that
has been extracted from a database, spreadsheet, or other structured data source, and cleansed for profiling. You upload
the data source file to the Enforce Server when you are defining the Exact Data Profile. For example, you can convert an
Excel spreadsheet to a comma-separated values (CSV) format and the resulting *.csv file can be used as the data source
for your EDM profile.
About cleansing the exact data source file for EDM
Creating the exact data source file for EDM
You can use the SQL pre-indexer to index the data source directly. However, this approach has limitations because in
most cases the data must first be cleansed before it is indexed.
Remote EDM indexing
The data source file must contain at least one unique column field. A unique column field is a column that has mostly
unique values. It can have duplicate values, but not more than the number set in term_commonality_threshold. The
default value for this setting is 10. Some examples of unique column fields include social security number, drivers license
number, and credit card number.
Best practices for using EDM
The maximum number of columns for a single data source file is 32. If the data source file has more than 32 columns, the
Enforce Server administration console produces an error message at the profile screen, and the data source file is not
indexed. The maximum number of rows is 4,294,967,294 and the total number of cells in a single data source file cannot
exceed 6 billion cells. If your data source file is larger than this, split it into multiple files and index each separately.
EDM data source file size limitations summarizes size limitations for EDM data source files.
NOTE
The format for the data source file should be a text-based format using commas, semicolons, pipes, or tabs
as delimiters. In general you should avoid using a spreadsheet format for the data source file (such as XLS or
XLSX) because such programs use scientific notation to render numbers.

Table 441: EDM data source file size limitations

Data source file | Limit         | Description
Columns          | 32            | The data source file cannot have more than 32 columns. If it does, the system does not index it.
Cells            | 6 billion     | The data source file cannot have more than 6 billion data cells. If it does, the system does not index it.
Rows             | 4,294,967,294 | The maximum number of rows supported is 4,294,967,294.

About cleansing the exact data source file for EDM


Once you have created the data source file, you must prepare the data for indexing by cleansing it. It is critical that you
cleanse the data source file to ensure that your EDM policies are as accurate as possible. You can use tools such as
Stream Editor (sed) and awk to cleanse the data source file. Melissa Data provides good tools for normalizing data in the
data source, such as addresses.
Workflow for cleansing the data source file for EDM provides the workflow for cleansing the data source file for indexing.

Table 442: Workflow for cleansing the data source file for EDM

Step | Action | Description
1 | Prepare the data source file for indexing. | Preparing the exact data source file for indexing for EDM
2 | Ensure that the data source has at least one column that is unique data. | Ensure data source has at least one column of unique data (EDM)
3 | Remove incomplete and duplicate records. Do not fill empty cells with bogus data. | Cleanse the data source file of blank columns and duplicate rows (EDM)
4 | Remove improper characters. | Remove ambiguous character types from the data source file (EDM)
5 | Verify that the data source file is below the error threshold. The error threshold is the maximum percentage of rows that contain errors before indexing stops. | Preparing the exact data source file for indexing for EDM
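The cleansing checks listed for EMDI data sources earlier and in the EDM workflow above, applied by an added Python script that is not Symantec's code. It assumes a delimited file whose first row is the column header, uses constructed sample records, and substitutes simple regular expressions for the system-defined field validators.

```python
"""Pre-indexing checks for an EDM/EMDI data source file (added example, not
Symantec code): blank columns, empty cells, incomplete and duplicate records,
field-pattern validation of mapped columns, the error threshold and key
column uniqueness, as the cleansing guidance above describes them."""
import csv
import io
import re

# Constructed stand-ins for the system-defined field patterns; the product's
# own validators are not reproduced here.
VALIDATORS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "phone": re.compile(r"^\d{3}-\d{3}-\d{4}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
}

# Characters the documentation says are ambiguous as column delimiters.
AMBIGUOUS_DELIMITERS = {",", "#", "=", "+", ":"}


def analyze_data_source(text, delimiter="|", key_column=None, mappings=None,
                        error_threshold=5.0, commonality_threshold=10):
    """Return {"header", "rows", "problems", "error_rate"}; text holds the file
    contents with the column header first, mappings maps header names to
    validator names, error_threshold is the percentage of error rows at
    which indexing stops, commonality_threshold caps repeats of a key value."""
    mappings, problems = mappings or {}, []
    if delimiter in AMBIGUOUS_DELIMITERS:
        problems.append("delimiter %r is ambiguous; use pipe, tab or semicolon"
                        % delimiter)
    rows = [[c.strip() for c in r]
            for r in csv.reader(io.StringIO(text), delimiter=delimiter) if r]
    header, body, width = rows[0], rows[1:], len(rows[0])
    if width < 2:
        problems.append("single-column data source; two or more columns are needed")
    if key_column not in header:
        problems.append("key column %r is not present" % key_column)

    # Blank columns are removed rather than counted as errors.
    keep = [i for i in range(width) if any(len(r) > i and r[i] for r in body)]
    for i in range(width):
        if i not in keep:
            problems.append("blank column %r removed" % header[i])
    header = [header[i] for i in keep]

    valid, errors = [], 0
    for r in body:
        if len(r) != width:          # incomplete record
            errors += 1
            continue
        r = [r[i] for i in keep]
        bad = "" in r                # empty cell
        for name, validator in mappings.items():
            if name in header and not VALIDATORS[validator].match(r[header.index(name)]):
                bad = True           # wrong kind of data in a mapped column
        if bad:
            errors += 1
        else:
            valid.append(r)

    seen, cleansed = set(), []
    for r in valid:
        if tuple(r) not in seen:
            seen.add(tuple(r))
            cleansed.append(r)
    if len(cleansed) != len(valid):
        problems.append("%d duplicate record(s) removed" % (len(valid) - len(cleansed)))

    error_rate = 100.0 * errors / len(body) if body else 0.0
    if error_rate > error_threshold:
        problems.append("error rate %.1f%% exceeds the %.1f%% threshold; indexing would stop"
                        % (error_rate, error_threshold))
    if key_column in header:
        k = header.index(key_column)
        counts = {}
        for r in cleansed:
            counts[r[k]] = counts.get(r[k], 0) + 1
        if counts and max(counts.values()) > commonality_threshold:
            problems.append("key column %r is not unique enough" % key_column)
    return {"header": header, "rows": cleansed, "problems": problems,
            "error_rate": error_rate}


# Constructed sample: a blank Notes column, a duplicate of the first record,
# an invalid SSN and an empty phone cell.
SAMPLE = """First Name|Last Name|SSN|Phone Number|Email Address|Notes
Bob|Smith|123-45-6789|415-555-0100|bob@example.com|
Alice|Jones|987-65-4321|415-555-0101|alice@example.com|
Bob|Smith|123-45-6789|415-555-0100|bob@example.com|
Carol|White|not-an-ssn|415-555-0102|carol@example.com|
Dan|Brown|555-44-3333||dan@example.com|
"""
MAPPINGS = {"SSN": "ssn", "Phone Number": "phone", "Email Address": "email"}
```

Running `analyze_data_source(SAMPLE, key_column="SSN", mappings=MAPPINGS)` reports the blank column, the duplicate and a 40% error rate, and returns only the two clean records.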

About EMDI and key columns


An important concept for EMDI is the "key column." When using EMDI, you must specify two or more columns, with
at least one "key column" that has highly unique and discriminatory values that match a distinctive pattern (that is,
a pattern expressible with a data identifier).
In the following examples the data in the first (bold) "key" column is used as a data identifier pattern that must be in a
match.
• Detect two (or more) out of (Account Number, Routing Number, First Name, Last Name, Last 4 SSN)
• Detect two (or more) out of (Driver's License Number, First Name, Last Name, DOB, Address, City, State)
• Detect two (or more) out of (Medical Record Number, First Name, Last Name, Last 4 SSN)
• Detect two (or more) out of (Credit Card Number, Issuing Bank Name, CVV, Card Expiration Date)
• Detect both of (Part Number, Part Description)
About EMDI policy features

About using System Fields for data source validation with EDM
Column headings in your data source are useful for visual reference. However, they do not tell Symantec Data Loss
Prevention what kind of data the columns contain. To do this, you use the Field Mappings section of the Exact Data
Profile to specify mappings between fields in your data source. You can also use field mappings to specify fields that
the system recognizes in the system-provided policy templates. The Field Mappings section also gives you advanced
options for specifying custom fields and validating the data in those fields.
Mapping Exact Data Profile fields for EDM
Consider the following example use of field mappings. Your company wants to protect employee data, including employee
social security numbers. You create a Data Loss Prevention policy based on the Employee Data Protection template. The
policy requires an exact data index with fields for social security numbers and other employee data. You prepare your
data source and then create the Exact Data Profile. To validate the data in the social security number field, you map this
column field in your index to the "Social Security Number" system field pattern. The system then validates all data in that
field using the Social Security Number validator to ensure that each data item is a social security number.
Using the system-defined field patterns to validate your data is critical to the accuracy of your EDM policies. If there is no
system-defined field pattern that corresponds to one or more data fields in your index, you can define custom fields and
choose the appropriate validator to validate the data.
Map data source column to system fields to leverage validation (EDM)

About index scheduling for EDM


After you have indexed an exact data source extract, its schema cannot be changed because the *.rdx index file is
binary. If the data source changes, or the number of columns or data mapping of the exact data source file changes, you
must create a new EDM index and update the policies that reference the changed data. In this case you can schedule the
indexing to keep the index in sync with the data source.

The typical use case is as follows. You extract data from a database to a file and cleanse it to create your data source
file. Using the Enforce Server administration console you define an Exact Data Profile and index the data source file. The
system generates the *.rdx index files and deploys them to one or more detection servers. However, if you know that
the data changes frequently, you need to generate a new data source file weekly or monthly to keep up with the changes
to the database. In this case, you can use index scheduling to automate the indexing of the data source file so you do not
have to return to the Enforce Server administration console and reindex the updated data source. Your only task is to drop
an updated and cleansed data source file to the Enforce Server for scheduled indexing.
NOTE
You must reindex after upgrading to the latest version of Symantec Data Loss Prevention.
Configuring Exact Data profiles for EDM
Scheduling Exact Data Profile indexing for EDM
Use scheduled indexing to automate profile updates (EDM)

About the Content Matches Exact Data From condition for EDM
The Content Matches Exact Data From an Exact Data Profile condition is the detection component you use to
implement EDM policy conditions. When you define this condition, you select the EDM profile on which the condition is
based. You also select the columns you want to use in your condition, as well as any WHERE clause limitations.
NOTE
You cannot use the Content Matches Exact Data From an Exact Data Profile condition as a policy exception.
Symantec Data Loss Prevention does not support the use of the EDM condition as a policy exception.
Configuring the Content Matches Exact Data policy condition for EDM

About Data Owner Exception for EDM


Although EDM does not support the explicit use of match exceptions in policies, EDM does support criteria-based
matching exceptions. This feature of EDM is known as Data Owner Exception. Data owner exception lets you tag or
authorize a specific field in an Exact Data Profile as the data owner. At run-time if the sender or recipient of the data is
authorized as a data owner, the condition does not trigger a match and the data is sent or received by the data owner.
You implement data owner exception by including either the email address field or domain address field in your Exact
Data Profile. In the EDM policy condition, you specify the field as either the sender or recipient data owner. An authorized
data owner, identified by email address or a domain address, who is a sender can send confidential information without
triggering an EDM match or incident. This means that the sender can send any information that is contained in the row
where the sender's email address or domain is specified. Authorized data owner recipients can be specified individually or
all recipients in the list can be allowed to receive the data without triggering a match.
As a policy author, data owner exception gives you the flexibility to allow data owners to use their own data legitimately.
For example, if data owner exception is enabled, an employee can send an email containing their confidential information
(such as an account number) without triggering a match or an incident. Similarly, if data owner exception is configured for
a recipient, the system does not trigger an EDM match or incident if the data owner receives their own information, such
as when someone outside the company sends an email to the data owner containing the data owner's account number.
About upgrading EDM deployments
Creating the exact data source file for Data Owner Exception for EDM
Configuring Data Owner Exception for EDM policy conditions
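The row-based matching that the EDM example, the EMDI optional-column and minimum-matches guidance, and the Data Owner Exception above describe, as an added Python example that is not Symantec's code. It assumes SHA-256 over normalized cell values in place of the product's own hashing and index format; the records, the Email Address column and the addresses are constructed.

```python
"""Row-based exact matching as the EDM and EMDI sections above describe it
(added example, not Symantec code). Cell values are normalized and stored as
non-reversible SHA-256 hashes; the product's own hashing and *.rdx layout are
not reproduced. A condition matches only when enough selected column values
come from the same record; a key column, a minimum-matches threshold and the
Data Owner Exception are applied as the documentation describes them."""
import hashlib
import re


def normalize(value):
    """Collapse runs of whitespace and case-fold, so the multi-token cell
    "Joe  Brown" still has to appear as the phrase "Joe Brown"."""
    return re.sub(r"\s+", " ", value.strip()).lower()


def hash_value(value):
    return hashlib.sha256(normalize(value).encode("utf-8")).hexdigest()


class ExactDataIndex:
    """Hashed copy of a data source: one list of cell hashes per record."""

    def __init__(self, header, rows):
        self.header = list(header)
        self.rows = [[hash_value(cell) for cell in row] for row in rows]

    def column(self, name):
        return self.header.index(name)


def candidate_values(message, max_words=3):
    """Single tokens plus runs of up to max_words adjacent tokens, so that a
    multi-token cell can only match as a whole. Punctuation stays inside a
    token (WIP = true), so 123-45-6789 is one token."""
    words = re.findall(r"[^\s,;|]+", message)
    for i in range(len(words)):
        for n in range(1, max_words + 1):
            if i + n <= len(words):
                yield " ".join(words[i:i + n])


def match(index, message, columns, min_columns, key_column=None,
          min_matches=1, owner_column=None, parties=()):
    """Return the record numbers that satisfy the condition.

    columns/min_columns: selected profile columns and how many of them must
        be found, all from the same record
    key_column:   column that must always be among the matched values
    min_matches:  distinct records needed before anything is reported
    owner_column: field tagged as data owner; parties holds the message's
        sender and recipient addresses (Data Owner Exception)
    """
    present = {hash_value(v) for v in candidate_values(message)}
    owners = {hash_value(p) for p in parties}
    selected = [index.column(c) for c in columns]
    matched = []
    for n, row in enumerate(index.rows):
        if owner_column and row[index.column(owner_column)] in owners:
            continue  # the record's owner is handling their own data
        hits = [c for c in selected if row[c] in present]
        if key_column and index.column(key_column) not in hits:
            continue
        if len(hits) >= min_columns:
            matched.append(n)
    return matched if len(matched) >= min_matches else []


# Constructed data source: the documentation's Bob Smith record, a second
# record, and an Email Address column used for the Data Owner Exception.
HEADER = ["First Name", "Last Name", "SSN", "Date of Hire", "Salary",
          "Email Address"]
RECORDS = [
    ["Bob", "Smith", "123-45-6789", "05/26/99", "$42500", "bob@example.com"],
    ["Alice", "Jones", "987-65-4321", "11/02/04", "$51000", "alice@example.com"],
]
INDEX = ExactDataIndex(HEADER, RECORDS)
ALL_FIVE = HEADER[:5]


if __name__ == "__main__":
    # The four messages from the EDM example above, in the same order.
    print(match(INDEX, "Bob Smith 123-45-6789 05/26/99 $42500", ALL_FIVE, 5))
    print(match(INDEX, "Betty Smith 000-00-0000 05/26/99 $42500", ALL_FIVE, 5))
    print(match(INDEX, "Robert, Smith, 123-45-6789, 05/29/99, $42500",
                ["Last Name", "SSN", "Salary"], 3))
    print(match(INDEX, "Bob, Smith, 415-789-0000, 05/26/99, $42500",
                ["Last Name", "SSN", "Salary"], 3, key_column="SSN"))
```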

About profiled Directory Group Matching (DGM) for EDM


Profiled Directory Group Matching (DGM) is a specialized implementation of EDM that is used to detect the exact identity
of a message user, sender, or recipient that has been profiled from a directory server or database.
Profiled DGM leverages EDM technology to detect identities that you have indexed from your database or directory server
using an Exact Data Profile. For example, you can use profiled DGM to identify network user activity or to analyze content
associated with particular users, senders, or recipients. Or, you can exclude certain email addresses from analysis. Or,
you might want to prevent certain people from sending confidential information by email.
To implement profiled DGM, your exact data source file must contain one or more of the following fields:
• Email address
• IP address
• Windows user name
• IM name
If you include the email address field in the DGM profile, the field appears in the Directory EDM drop-down list at the
incident snapshot screen in the Enforce Server administration console, which facilitates remediation.

Creating the exact data source file for profiled DGM for EDM
Include an email address field in the Exact Data Profile for profiled DGM (EDM)
Use profiled DGM for Network Prevent for Web identity detection (EDM)

About Two-tier Detection for EDM on the Endpoint


The EDM index is server-based. If you deploy a policy containing an EDM condition to the DLP Agent on the endpoint, the
system uses two-tier detection to evaluate data for matching. The EDM detection condition is not evaluated locally by the
DLP Agent. Instead, the DLP Agent sends the data to the Endpoint Server for evaluation against the index. If the endpoint
is offline, the message cannot be sent until the server is available, which can affect endpoint performance. In addition,
two-tier detection has no ability to block, encrypt, or notify. Symantec does not recommend two-tier detection.
Two-tier detection for DLP Agents
To check if you are using two-tier detection, read the
C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs\debug\FileReader.log on the Endpoint Server
to see if any EDM indexes are loaded. Look for the line "loaded database profile."
Troubleshooting policies

About upgrading EDM deployments


To take advantage of the latest EDM enhancements, you must upgrade your servers to the latest version of Symantec
Data Loss Prevention and reindex your EDM data sources using the latest version of the EDM Indexer.
Reindex only after you have upgraded all of your servers; until then, the old detection servers can continue to
work with the old indexes while you upgrade.
About Data Owner Exception for EDM
Updating EDM indexes to the latest version
Memory requirements for EDM
EDM index out-of-date error codes

Configuring Exact Data profiles for EDM


To implement EDM, you create the Exact Data Profile, index the data source, and define one or more Content Matches
Exact Data conditions to match profiled data exactly.
About the Exact Data Profile and index

Table 443: Implementing Exact Data Matching with EDM

Step 1: Create the data source file.
Export the source data from the database (or other data repository) to a tabular text file with delimited fields.
If you want to except data owners from matching, you need to include specific data items in the data source file.
About the exact data source file
If you want to match identities for profiled Directory Group Matching (DGM), you need to include specific data items in the data source files.
Creating the exact data source file for EDM
Creating the exact data source file for profiled DGM for EDM

Step 2: Prepare the data source file for indexing.
Cleanse the data source file.
Preparing the exact data source file for indexing for EDM

Step 3: Upload the data source file to the Enforce Server.
You can copy or upload the data source file to the Enforce Server, or access it remotely.
Uploading exact data source files for EDM to the Enforce Server

Step 4: Create an Exact Data Profile.
An Exact Data Profile is required to implement Exact Data Matching (EDM) policies. The Exact Data Profile specifies the data source, data field types, and the indexing schedule.
Creating and modifying Exact Data Profiles for EDM

Step 5: Map and validate the data fields.
You map the source data fields to system or custom data types that the system validates. For example, a social security number data field needs to be nine digits.
About using System Fields for data source validation with EDM
Mapping Exact Data Profile fields for EDM

Step 6: Index the data source, or schedule indexing.
Schedule the indexing to keep the index in sync with the data source.
About index scheduling for EDM
Scheduling Exact Data Profile indexing for EDM

Step 7: Configure and tune one or more Content Matches Exact Data policy conditions.
Configuring the Content Matches Exact Data policy condition for EDM

Creating the exact data source file for EDM


The first step in the EDM indexing process is to create the data source. A data source is a tabular file containing data in a
standard delimited format, where data is delimited by commas, semicolons, pipes, or tabs.
If you plan to use a policy template, review it before creating the data source file to see which data fields the policy uses.
For relatively small data sources, include as many suggested fields in your data source as possible. However, note that
the more fields you include, the more memory the resulting index requires. This consideration is important if you have a
large data source. When you create the data profile, you can confirm how well the fields in your data source match against
the suggested fields for the template.
Create the exact data source file

Table 444: Create the exact data source file

Step Description

1 Export the data you want to protect from a database or other tabular data format, such as an Excel spreadsheet, to a
tabular text file. The data source file you create must be a tabular text file that contains rows of data from the original
source. Each row from the original source is included as a row in the data source file. Delimit columns using a tab, a
comma, or a pipe. Pipe is preferred. Comma should not be used if your data source fields contain numbers.
About the exact data source file
You must maintain all the structured data that you exported from the source database table or table-like format in one
data source file. You cannot split the data source across multiple files.
The data source file cannot exceed 32 columns, 4,294,967,294 rows, or 6 billion cells. If you plan to upload the data
source file to the Enforce Server, browser capacity limits the data source size to 2 GB. For file sizes larger than this
size you can copy the file to the Enforce Server using FTP/S, SCP, SFTP, CIFS, or NFS.
2 Include required data fields for specific EDM implementations:
• Unique data
For all EDM implementations, make sure that the data source contains at least one column of unique data.
Ensure data source has at least one column of unique data (EDM)
• Data Owner Exception
Make sure that the data source contains the email address field or domain field, if you plan to use data owner
exceptions.
Creating the exact data source file for Data Owner Exception for EDM
• Directory Group Matching
Make sure that the data source includes one or more sender/recipient identifying fields.
Creating the exact data source file for profiled DGM for EDM
3 Prepare the data source file for indexing.
Preparing the exact data source file for indexing for EDM

Creating the exact data source file for Data Owner Exception for EDM
To implement Data Owner Exception and ignore data owners from detection, you must explicitly include each user's
email address or domain address in the Exact Data Profile. Each expected domain (for example, symantec.com) must
be explicitly added to the Exact Data Profile. The system does not automatically match on subdomains (for example,
support.symantec.com). Each subdomain must be explicitly added to the Exact Data Profile.
To implement the data owner exception feature, you must include either or both of the following fields in your
data source file:
• Email address, such as john_smith@symantec.com
• Domain address, such as symantec.com
About Data Owner Exception for EDM
Configuring Data Owner Exception for EDM policy conditions

Creating the Exact Data Source File for Profiled DGM


Profiled DGM uses Exact Data Matching (EDM) technology to precisely detect identities. Here are some common identity-related attributes:
• IP address
• email address
• user name
• business unit
• department
• managers
• title
• employment status
• consent to be monitored
• access to sensitive information
To implement profiled DGM, you must include at least one required data field in your data source.
About the Exact Data Profile and index
Profiled DGM data source fields for EDM lists the required fields for profiled DGM. The data source file must contain at
least one of these fields.

Table 445: Profiled DGM Data Source Fields for EDM

Email address: If you use an email address column field in the data source file, the email address appears in the Directory EDM drop-down list at the incident snapshot screen.
IP address: For example: 172.24.56.33
Windows user name: If you use a Windows user name field in your data source, the data must be in the following format: domain\user; for example: ACME\john_smith.
AOL IM name: IM screen name
Skype name: For example: myscreenname123
Microsoft Office Communicator name

Preparing the exact data source file for indexing for EDM
Once you create the exact data source file, you must prepare it so that you can efficiently index the data you want to
protect.
When you index an exact data profile, the Enforce Server keeps track of empty cells and any misplaced data which count
as errors. For example, an error may be a name that appears in a column for phone numbers. Errors can constitute a
certain percentage of the data in the profile (five percent, by default). If this default error threshold is met, Symantec Data
Loss Prevention stops indexing. It then displays an error to warn you that your data may be unorganized or corrupt.
To prepare the exact data source for EDM indexing
1. Make sure that the data source file is formatted as follows:
• If the data source has more than 200,000 rows, verify that it has at least two columns of data. One of the columns
should contain unique values. For example, credit card numbers, driver’s license numbers, or account numbers (as
opposed to first and last names, which are generic).
Ensure data source has at least one column of unique data (EDM)
• Verify that you have delimited the data source using pipes ( | ) or tabs. If the data source file uses commas as
delimiters, remove any commas that do not serve as delimiters.

Do not use the comma delimiter if the data source has number fields (EDM)
• Verify that data values are not enclosed in quotes.
• Remove single-character and abbreviated data values from the data source. For example, remove the column
name and all values for a column in which the possible values are Y and N.
• Optionally, remove any columns that contain numeric values with less than five digits, as these can cause false
positives in production.
Remove ambiguous character types from the data source file (EDM)
• Verify that numbers, such as credit card or social security, are delimited internally by dashes, or spaces, or none
at all. Make sure that you do not use a data-field delimiter such as a comma as an internal delimiter in any such
numbers. For example: 123-45-6789, or 123 45 6789, or 123456789 are valid, but not 123,45,6789.
Do not use the comma delimiter if the data source has number fields (EDM)
• Eliminate duplicate records, which can cause duplicate incidents in production.
Cleanse the data source file of blank columns and duplicate rows (EDM)
• Do not index common values. EDM works best with values that are unique. Think about the data you want to
index (and thus protect). Is this data truly valuable? If the value is something common, it is not useful as an EDM
value. For example, suppose that you want to look for "US states." Since there are only 50 states, if your exact
data profile has 300,000 rows, the result is a lot of duplicates of common values. Symantec Data Loss Prevention
indexes all values in the exact data profile, regardless of whether the data is used in a policy. It is good practice to
use values that are less common and preferably unique to get the best results with EDM.
Ensure data source has at least one column of unique data (EDM)
2. Once you have prepared the exact data source file, proceed with the next step in the EDM process: upload the exact
data source file to the Enforce Server for profiling the data you want to protect.
Uploading exact data source files for EDM to the Enforce Server
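As an added example that is not Symantec's code, the following Python script applies the preparation rules above to a constructed pipe-delimited sample and reports what the indexer would count as row errors against the documented 5% default threshold. The sample file, the function names and the threshold default are the only assumptions.

```python
"""Pre-indexing checks for an EDM exact data source file.

Added example, not Symantec's code. It applies the preparation rules above to a
constructed sample: delimiter choice, quoted values, single-character and short
numeric columns, duplicate rows, the unique-value column, and the share of rows
with empty or extra cells that the indexer counts against its error threshold.
"""
import csv
import io

ERROR_THRESHOLD = 0.05  # documented default: indexing stops when errors exceed 5% of rows

# Constructed sample with deliberate problems: a quoted value, a duplicate row,
# an empty cell, a Y/N column and a column of numbers under five digits.
SAMPLE = """\
first_name|last_name|ssn|account|active|dept_code
John|Smith|123-45-6789|88421903|Y|12
Jane|Doe|987-65-4321|"77310001"|N|7
John|Smith|123-45-6789|88421903|Y|12
Jane|Doe||55019921|Y|7
"""


def parse(text, delimiter="|"):
    """Split the file into header and data rows without interpreting quotes,
    so stray quotation marks stay visible to the checks."""
    reader = csv.reader(io.StringIO(text), delimiter=delimiter, quoting=csv.QUOTE_NONE)
    rows = [r for r in reader if r]  # drop blank lines
    return rows[0], rows[1:]


def check_data_source(text, delimiter="|", threshold=ERROR_THRESHOLD):
    """Return findings: a list of problems (empty means ready to index), the
    indexer-style error rate, and the columns that hold unique values."""
    header, rows = parse(text, delimiter)
    width = len(header)
    findings = {"problems": [], "error_rate": 0.0, "unique_columns": []}

    if delimiter == ",":
        findings["problems"].append("comma delimiter: unsafe when fields contain numbers")

    # What the indexer counts as a row error: an empty cell, or a row whose
    # cell count differs from the header (extra or missing cells).
    bad = sum(1 for r in rows if len(r) != width or any(v.strip() == "" for v in r))
    findings["error_rate"] = bad / len(rows) if rows else 0.0
    if findings["error_rate"] > threshold:
        findings["problems"].append(
            f"{bad} of {len(rows)} rows have errors, above the {threshold:.0%} threshold")

    if any('"' in v for r in rows for v in r):
        findings["problems"].append("quoted values present: remove the quotes")

    unique_rows = list(dict.fromkeys(tuple(r) for r in rows))  # order-preserving dedupe
    duplicates = len(rows) - len(unique_rows)
    if duplicates:
        findings["problems"].append(
            f"{duplicates} duplicate row(s): these cause duplicate incidents")

    # Column-level checks run on the deduplicated, well-formed rows.
    for i, name in enumerate(header):
        col = [r[i] for r in unique_rows if len(r) == width]
        if col and all(len(v) == 1 for v in col):
            findings["problems"].append(
                f"column {name!r}: single-character values, drop the column")
        elif col and all(v.isdigit() and len(v) < 5 for v in col):
            findings["problems"].append(
                f"column {name!r}: numbers under five digits, likely false positives")
        if col and all(col) and len(set(col)) == len(col):
            findings["unique_columns"].append(name)

    if not findings["unique_columns"]:
        findings["problems"].append("no column of unique values: EDM needs at least one")
    return findings


if __name__ == "__main__":
    result = check_data_source(SAMPLE)
    print(f"error rate {result['error_rate']:.0%}, unique columns {result['unique_columns']}")
    for problem in result["problems"]:
        print(" -", problem)
```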

Uploading Exact Data Source Files for EDM to the Enforce Server
After you have prepared the data source file for indexing, load it to the Enforce Server so the data source can be indexed.
Creating and modifying Exact Data Profiles for EDM
Listed here are the options you have for making the data source file available to the Enforce Server. Consult with your
database administrator to determine the best method for your needs.

Table 446: Uploading the data source file for EDM to the Enforce Server for indexing

Upload option: Upload Data Source to Server Now
Use case: Data source file is less than 50 MB
Description: If you have a smaller data source file (less than 50 MB), upload the data source file to the Enforce Server using the Enforce Server administration console (web interface). When creating the Exact Data Profile, you can specify the file path or browse to the directory and upload the data source file.
Note: Due to browser capacity limits, the maximum file size that you can upload is 2 GB. However, uploading any file over 50 MB is not recommended since files over this size can take a long time to upload. If your data source file is over 50 MB, consider copying the data source file to the datafiles directory using the next option.

Upload option: Reference Data Source on Manager Host
Use case: Data source file is over 50 MB.
Description: If you have a large data source file (over 50 MB), copy it to the datafiles directory on the host where Enforce is installed.
• On Windows this directory is located at C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\datafiles.
• On Linux this directory is located at /var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/datafiles.
This option is convenient because it makes the data file available through a drop-down list during configuration of the Exact Data Profile. If it is a large file, use a third-party solution (such as Secure FTP) to transfer the data source file to the Enforce Server.
Note: Ensure that the Enforce user (usually called "protect") has modify permissions (on Windows) or rw permissions (on Linux) for all files in the datafiles directory.

Upload option: Use This File Name
Use case: Data source file is not yet created.
Description: You may want to create an EDM profile before you have created the data source file. In this case you can create a profile template and specify the name of the data source file you plan to create. This option lets you define EDM policies using the EDM profile template before you index the data source. The policies do not operate until the data source is indexed. When you have created the data source file you place it in the \ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\datafiles directory (Windows) or /var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/Protect/datafiles (Linux) and index the data source immediately on save or schedule indexing.
Creating and modifying Exact Data Profiles for EDM

Upload option: Use This File Name and Load Externally Generated Index
Use case: Data source is to be indexed remotely and copied to the Enforce Server.
Description: In some environments it may not be secure or feasible to copy or upload the data source file to the Enforce Server. In this situation you can index the data source remotely using Remote EDM Indexer.
Remote EDM indexing
This utility lets you index an exact data source on a computer other than the Enforce Server host. This feature is useful when you do not want to copy the data source file to the same computer as the Enforce Server. As an example, consider a situation where the originating department wants to avoid the security risk of copying the data to an extra-departmental host. In this case you can use the Remote EDM Indexer.
First you create an EDM profile template where you choose the Use this File Name and the Number of Columns options. You must specify the name of the data source file and the number of columns it contains.
Creating an EDM profile template for remote indexing
You then use the Remote EDM Indexer to remotely index the data source and copy the index files to the Enforce Server host and load the externally generated index. The Load Externally Generated Index option is only available after you have defined and saved the profile. Remote indexes are loaded from the \Program Files\Symantec\DataLossPrevention\16.0.10000\EnforceServer\Protect\index directory on the Enforce Server host.
Copying and loading remote EDM index files to the Enforce Server

Creating and modifying Exact Data Profiles for EDM


The Manage > Data Profiles > Exact Data > Add Exact Data Profile screen is the home page for managing and adding
Exact Data Profiles. An Exact Data Profile is required to implement an instance of the Content Matches Exact Data
conditions. An Exact Data Profile specifies the data source, the indexing parameters, and the indexing schedule. Once
you have created the EDM profile, you index the data source and configure one or more Content Matches Exact Data
conditions that can be added to rules to use the profile and detect exact content matches.
NOTE
If you are using the Remote EDM Indexer to generate the Exact Data Profile, see Configuring Exact Data
profiles for EDM.
To create or modify an Exact Data Profile
1. Make sure that you have created the data source file.
Creating the exact data source file for EDM
2. Make sure that you have prepared the data source file for indexing.
Preparing the exact data source file for indexing for EDM
3. Make sure that the data source contains the email address field or domain field, if you plan to use data owner
exceptions.
About Data Owner Exception for EDM
4. In the Enforce Server administration console, navigate to Manage > Data Profiles > Exact Data.
5. Click Add Exact Data Profile.
6. Enter a unique, descriptive Name for the profile (limited to 256 characters).
For easy reference, choose a name that describes the data content and the index type (for example, Employee Data
EDM).

If you modify an existing Exact Data Profile you can change the profile name.
7. Select one of the following Data Source options to make the data source file available to the Enforce Server:
• Upload Data Source to Server Now
If you are creating a new profile, click Browse and select the data source file, or enter the full path to the data
source file.
If you are modifying an existing profile, select Upload Now.
Uploading exact data source files for EDM to the Enforce Server
• Reference Data Source on Manager Host
If you copied the data source file to the datafiles directory on the Enforce Server, it appears in the drop-down
list for selection.
Uploading exact data source files for EDM to the Enforce Server
• Use This File Name
Select this option if you have not yet created the data source file but want to configure EDM policies using a
placeholder EDM profile. Enter the file name of the data source you plan to create, including the Number of
Columns it is to have. When you do create the data source, you must copy it to the datafiles directory.
Uploading exact data source files for EDM to the Enforce Server
NOTE
Use this option with caution. Be sure to remember to create the data source file and copy it to the
datafiles directory. Name the data source file exactly the same as the name you enter here and
include the exact number of columns you specify here.
• Load Externally Generated Index
Select this option if you have created an index on a remote computer using the Remote EDM Indexer. This option
is only available after you have defined and saved the profile. Profiles are loaded from the \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\index directory (Windows) or the /var/Symantec/DataLossPrevention/EnforceServer/16.0.10000/index directory (Linux) on the Enforce Server host.
Uploading exact data source files for EDM to the Enforce Server
8. If the first row of your data source contains Column Names, select Read first row as column names.
9. Specify the Error Threshold, which is the maximum percentage of rows that contain errors before indexing stops.
A data source error is either an empty cell, a cell with the wrong type of data, or extra cells in the data source. For
example, a name in a column for phone numbers is an error. If errors exceed a certain percentage of the overall data
source (by default, 5%), the system quits indexing and displays an indexing error message. The index is not created if
the data source has more invalid records than the error threshold value allows. Although you can change the threshold
value, more than a small percentage of errors in the data source can indicate that the data source is corrupt, is in an
incorrect format, or cannot be read. If you have a significant percentage of errors (10% or more), stop indexing and
cleanse the data source.
Preparing the exact data source file for indexing for EDM
10. Select the Column Separator Char (delimiter) that you have used to separate the values in the data source file. The
delimiters you can use are tabs, commas, or pipes.
11. Select one of the following encoding values for the content to analyze, which must match the encoding of your data
source:
• ISO-8859-1 (Latin-1) (default value)
Standard 8-bit encoding for Western European languages using the Latin alphabet.
• UTF-8

Use this encoding for all languages that use the Unicode 4.0 standard (all single- and double-byte characters),
including those in East Asian languages.
• UTF-16
Use this encoding for all languages that use the Unicode 4.0 standard (all single- and double-byte characters),
including those in East Asian languages.
NOTE
Make sure that you select the correct encoding. The system does not prevent you from creating an EDM
profile using the wrong encoding. The system only reports an error at run-time when the EDM policy
attempts to match inbound data. To make sure that you select the correct encoding, after you click Next,
verify that the column names appear correctly. If the column names do not look correct, you chose the wrong
encoding.
12. Click Next to go to the second Add Exact Data Profile screen.
13. The Field Mappings section displays the columns in the data source and the field to which each column is mapped in
the Exact Data Profile. Field mappings in existing Exact Data Profiles are fixed and, therefore, are not editable.
About using System Fields for data source validation with EDM
Mapping Exact Data Profile fields for EDM
Confirm that the column names in your data source are accurately represented in the Data Source Field column. If
you selected the Column Names option, the Data Source Field column lists the names in the first row of your data
source. If you did not select the Column Names option, the column lists Col 1, Col 2, and so on.
14. In the System Field column, select a field from the drop-down list for each data source field. This step is required if
you use a policy template, or if you want to check for errors in the data source.
For example, for a data source field that is called SOCIAL_SECURITY_NUMBER, select Social Security Number
from the corresponding drop-down list. The values in the System Field drop-down lists include all suggested fields for
all policy templates.
15. Optionally, specify and name any custom fields (that is, the fields that are not pre-populated in the System Field drop-
down lists). To do so, perform these steps in the following order:
• Click Advanced View to the right of the Field Mappings heading. This screen displays two additional columns
(Custom Name and Type).
• To add a custom system field name, go to the appropriate System Field drop-down list. Select Custom, and type
the name in the corresponding Custom Name text field.
• To specify a pattern type (for purposes of error checking), go to the appropriate Type drop-down list and select the
wanted pattern. To see descriptions of all available pattern types, click Description at the top of the column.
16. Check your field mappings against the suggested fields for the policy template you plan to use. To do so, go to the
Check Mappings Against drop-down list, select a template, and click Check now on the right.
The system displays a list of all template fields that you have not mapped. You can go back and map these fields now.
Alternatively, you may want to expand your data source to include as many expected fields as possible, and then re-
create the exact data profile. Symantec recommends that you include as many expected data fields as possible.
17. In the Indexing section of the screen, select one of the following options:
• Submit Indexing Job on Save
Select this option to begin indexing the data source when you save the exact data profile.
• Submit Indexing Job on Schedule
Select this option to index the data source according to a specific schedule. Make a selection from the Schedule
drop-down list and specify days, dates, and times as required.
About index scheduling for EDM

Scheduling Exact Data Profile indexing for EDM
18. Click Finish.
After Symantec Data Loss Prevention finishes indexing, it deletes the original data source from the Enforce Server.
After you index a data source, you cannot change its schema. If you change column mappings for a data source after
you index it, you must create a new exact data profile.
After the indexing process is complete you can create new Content Matches Exact Data conditions that can be added
to a rule that references the Exact Data Profile you have created.

Configuring the Content Matches Exact Data policy condition for EDM

Mapping Exact Data Profile fields for EDM


After you have added and configured the data source file and settings, the Manage > Data Profiles > Exact Data > Add
Exact Data Profile screen lets you map the fields from the data source file to the Exact Data Profile you configure.
To enable error checking on a field in a data source or to use the index with a policy template that uses a system field,
you must map the field in the data source to the system field. The Field Mappings section lets you map the columns in the
original data source to system fields in the Exact Data Profile.

Table 447: Field mapping options

Data Source Field: If you selected the Column Names option at the Add Exact Data Profile screen, this column lists the values that are found in the first row from the data source. If you did not select this option, this column lists the columns by generic names (such as Col 1, Col 2, and so on).
Note: If you implement a data owner exception, you must map either or both the email address and domain fields.
Configuring the Content Matches Exact Data policy condition for EDM
System Field: Select the system field for each column.
A system field value (except None Selected) cannot be mapped to more than one column.
Some system fields have system patterns associated with them (such as social security number) and some do not (such as last name).
Using system-provided pattern validators for EDM profiles
Check mappings against policy template: Select a policy template from the drop-down list to compare the field mappings against and then click Check now.
All policy templates that implement EDM appear in the drop-down menu, including any you have imported.
Choosing an Exact Data Profile
If you plan to use more than one policy template, select one and check it, and then select another and check it, and so on.
If there are any fields in the policy template for which no data exists in the data source, a message appears listing the missing fields. You can save the profile anyway or use a different Exact Data Profile.
Advanced View: If you want to customize the schema for the exact data profile, click Advanced View to display the advanced field mapping options.
Advanced View options for EDM lists and describes the additional columns you can specify in the Advanced View screen.
Indexing: Select one of the indexing options.
Scheduling Exact Data Profile indexing for EDM
Finish: Click Finish when you are done configuring the Exact Data Profile.

From the Advanced View you map the system and data source fields to system patterns. System patterns map the
specified structure to the data in the Exact Data Profile and enable efficient error checking and hints for the indexer.

Table 448: Advanced View options for EDM

Custom Name: If you select Custom Name for a System Field, enter a unique name for it and then select a value for Type. The name is limited to 60 characters.
Type: If you select a value other than Custom for a System Field, some data types automatically select a value for Type. For example, if you select Birth Date for the System Field, Date is automatically selected as the Type. You can accept it or change it.
Some data types do not automatically select a value for Type. For example, if you select Account Number for the System Field, the Type remains unselected. You can specify the data type of your particular account numbers.
Using system-provided pattern validators for EDM profiles
Description: Click the link (description) beside the Type column header to display a pop-up window containing the available system data types.
Using system-provided pattern validators for EDM profiles
Simple View: Click Simple View to return to the Simple View (with the Custom Name and Type columns hidden).

Creating and modifying Exact Data Profiles for EDM

Using system-provided pattern validators for EDM profiles


System-provided data validators for EDM profiles lists and describes the system-provided data validators for EDM profiles.

Table 449: System-provided data validators for EDM profiles

Type Description

Credit Card Number The Credit Card pattern is built around knowledge about various international credit cards, their registered
prefixes, and the number of digits in account numbers. The following types of credit card patterns are
validated: MasterCard, Visa, American Express, Diners Club, Discover, Enroute, and JCB.
Optional spaces in designated areas within credit card numbers are recognized. Note that only spaces
in generally accepted locations (for example, after every 4th digit in MC/Visa) are recognized, and that
the possible location of spaces differs for different card types. Credit card numbers are validated using
a checksum algorithm. If a number looks like a credit card number (that is, it has the correct number of digits and
the correct prefix) but does not pass the checksum, it is not considered a credit card, but just a number.
Email Email is a sequence of characters that looks like the following: string@string.tld, where string may
contain letters, digits, underscore, dash, and dot, and 'tld' is one of the approved DNS top-level generic
domains, or any two letters (for country domains).
IP Address IP Address is a collection of 4 sequences of between 1 and 3 digits, separated by dots.
Number Number is either float or integer, either by itself or in round brackets (parenthesis).
Percent Percent is a number immediately followed by the percent sign ("%"). No space is allowed between a
number and a percent sign.

Phone Only US and Canadian telephone numbers are recognized. The phone number must start with any digit but
1, with the exception of numbers that include a country code.
Phone number can be one of the following formats:
• 7 digits (no spaces or dashes)
• Same as above, preceded by 3 digits, or by 3 digits in round brackets, followed by spaces or dashes
• 3 digits, followed by optional spaces or dashes, followed by 4 digits
• Same as above, preceded by the number 1, followed by spaces or dashes
All of these cases can be optionally followed by an extension number, preceded by spaces or dashes. The
extension number is 2 to 5 digits preceded by any of the following (case insensitive): 'x' 'ex' 'ext' 'exten'
'extens' 'extensions' optionally followed by a dot and spaces.
Note: The system does not recognize the pattern XXX-XXX-XXXX as a valid phone number format
because this format is frequently used in other forms of identification. If your data source contains a column
of phone numbers in that format, select None Selected to avoid confusion between phone numbers and
other data.

Postal Code Only US ZIP codes and Canadian Postal Codes are recognized. The US ZIP code is a sequence of 5
digits, optionally followed by dash, followed by another 4 digits. The Canadian Postal Code is a sequence
like K2B 8C8, that is, "letter-digit-letter-space-digit-letter-digit" where space(s) in the middle is optional.
Social Security Number Only US Social Security Numbers are recognized. The SOCIAL SECURITY NUMBER is 3 digits, optionally
followed by spaces or dashes, followed by 2 digits, optionally followed by spaces or dashes, followed by 4
digits.
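As an added example that is not Symantec's validator code, the following Python models the patterns in the table above and uses them to compute the row error rate that the indexer compares with the profile's Error Threshold. Assumptions: the card prefix and length table is a public approximation rather than the product's own, the phone grammar is a simplification of the formats listed, and 5% is the documented default threshold.

```python
"""Validators modelled on the system patterns in the table above, plus the
row-error rate the indexer compares with the profile's Error Threshold.
Added example, not Symantec's validator code (assumptions: public card prefix
table, simplified phone grammar, 5% default threshold)."""
import re

SSN_RE = re.compile(r"\d{3}[ -]?\d{2}[ -]?\d{4}")
US_ZIP_RE = re.compile(r"\d{5}(?:-\d{4})?")
CA_POSTAL_RE = re.compile(r"[A-Za-z]\d[A-Za-z] *\d[A-Za-z]\d")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
EMAIL_RE = re.compile(r"[\w.-]+@[\w.-]+\.(?:com|net|org|edu|gov|mil|int|[A-Za-z]{2})")
PHONE_RE = re.compile(
    r"(?:1[ -]+)?(?!1)"                        # optional leading 1; number itself cannot start with 1
    r"(?:\(\d{3}\)[ -]*|\d{3}[ -]+)?"          # optional area code, bare or in round brackets
    r"\d{3}[ -]*\d{4}"                         # 3 digits, optional spaces or dashes, 4 digits
    r"(?:[ -]+(?:x|ex|ext|exten|extens|extensions)\.? *\d{2,5})?",  # optional extension
    re.IGNORECASE)
# Spaces in card numbers only in generally accepted groupings (4-4-4-4 or Amex 4-6-5).
CARD_GROUPING_RE = re.compile(r"\d{4}(?: \d{4}){2}(?: \d{1,4})?|\d{4} \d{6} \d{5}")
CARD_RULES = (  # brand, prefix pattern, allowed digit counts (public approximation)
    ("Visa", r"4", (13, 16)),
    ("MasterCard", r"5[1-5]", (16,)),
    ("American Express", r"3[47]", (15,)),
    ("Discover", r"6011|65", (16,)),
    ("Diners Club", r"3[068]", (14,)),
    ("JCB", r"35", (16,)),
)


def luhn_ok(digits):
    """Standard Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # every second digit from the right is doubled, results over 9 folded
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(value):
    """Brand when value has a known prefix, an allowed length and passes Luhn; else None."""
    if " " in value and not CARD_GROUPING_RE.fullmatch(value):
        return None
    digits = value.replace(" ", "")
    if not digits.isdigit():
        return None
    for brand, prefix, lengths in CARD_RULES:
        if re.match(prefix, digits) and len(digits) in lengths:
            # Right shape but wrong checksum: the table treats it as just a number.
            return brand if luhn_ok(digits) else None
    return None


def is_phone(value):
    # Documented exclusion: XXX-XXX-XXXX is too common in other identifiers.
    if re.fullmatch(r"\d{3}-\d{3}-\d{4}", value):
        return False
    return PHONE_RE.fullmatch(value) is not None


VALIDATORS = {
    "Credit Card Number": lambda v: card_brand(v) is not None,
    "Social Security Number": lambda v: SSN_RE.fullmatch(v) is not None,
    "Postal Code": lambda v: bool(US_ZIP_RE.fullmatch(v) or CA_POSTAL_RE.fullmatch(v)),
    "IP Address": lambda v: IP_RE.fullmatch(v) is not None,
    "Email": lambda v: EMAIL_RE.fullmatch(v) is not None,
    "Phone": is_phone,
}


def row_error_rate(rows, mapping, width):
    """Share of rows the indexer would count as errors: an empty cell, a cell that
    fails the validator of its mapped system field, or extra (or missing) cells."""
    def is_bad(row):
        if len(row) != width or any(v == "" for v in row):
            return True
        return any(not VALIDATORS[field](row[idx]) for idx, field in mapping.items())
    return sum(1 for r in rows if is_bad(r)) / len(rows) if rows else 0.0


def would_index(rows, mapping, width, threshold=0.05):
    """True when the error rate does not exceed the threshold (5% by default)."""
    return row_error_rate(rows, mapping, width) <= threshold


# Constructed sample rows: name | SSN | card number | postal code
SAMPLE_ROWS = [
    ["John Smith", "123-45-6789", "4111 1111 1111 1111", "94043"],
    ["Jane Doe", "987 65 4321", "378282246310005", "K2B 8C8"],
    ["Bob Lee", "12-345-6789", "5555555555554444", "94043-1234"],  # malformed SSN
    ["Ann Ray", "", "4111111111111112", "90210"],                  # empty SSN, bad Luhn
]
SAMPLE_MAPPING = {1: "Social Security Number", 2: "Credit Card Number", 3: "Postal Code"}

if __name__ == "__main__":
    rate = row_error_rate(SAMPLE_ROWS, SAMPLE_MAPPING, 4)
    verdict = "proceed" if would_index(SAMPLE_ROWS, SAMPLE_MAPPING, 4) else "stop"
    print(f"error rate {rate:.0%}; indexing would {verdict}")
```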

Scheduling Exact Data Profile indexing for EDM


When you configure an Exact Data Profile, you can set a schedule for indexing the data source (Submit Indexing Job on
Schedule).
About index scheduling for EDM
Before you set up a schedule, consider the following recommendations:
• If you update your data sources occasionally (for example, less than once a month), there is no need to create a
schedule. Index the data each time you update the data source.
• Schedule indexing for times of minimal system use. Indexing affects performance throughout the Symantec Data Loss
Prevention system, and large data sources can take time to index.
• Index a data source as soon as you add or modify the corresponding exact data profile, and re-index the data source
whenever you update it. For example, consider a scenario whereby every Wednesday at 2:00 A.M. you update the
data source. In this case you should schedule indexing every Wednesday at 3:00 A.M. Do not index data sources daily
as this can degrade performance.
• If you need to update indexes frequently (for example, daily), Symantec recommends that you use the Remote EDM
Indexer.
• Monitor results and modify your indexing schedule accordingly. If performance is good and you want more timely
updates, for example, schedule more frequent data updates and indexing.
The Indexing section lets you index the Exact Data Profile as soon as you save it (recommended) or on a regular
schedule as follows:

Table 450: Scheduling indexing for Exact Data Profiles for EDM

Submit Indexing Job on Save: Select this option to index the Exact Data Profile when you click Save.

Submit Indexing Job on Schedule: Select this option to schedule an indexing job. The default option is No Regular Schedule. If you want to index according to a schedule, select the desired schedule period, as described below.

Index Once
• On – Enter the date to index the Exact Data Profile in the format MM/DD/YY. You can also click the date widget and select a date.
• At – Select the hour to start indexing.

By Minute
• Every – Select the minute frequency to start indexing.
• Until – Select this check box to specify a date in the format MM/DD/YY when the indexing should stop. You can also click the date widget and select a date.

Hourly
• Every – Select the hour to start indexing.
• Until – Select this check box to specify a date in the format MM/DD/YY when the indexing should stop. You can also click the date widget and select a date.

Index Weekly
• Day of the week – Select the day(s) to index the Exact Data Profile.
• At – Select the hour to start indexing.
• Until – Select this check box to specify a date in the format MM/DD/YY when the indexing should stop. You can also click the date widget and select a date.

Index Monthly
• Day – Enter the number of the day of each month on which you want the indexing to occur. The number must be 1 through 28.
• At – Select the hour to start indexing.
• Until – Select this check box to specify a date in the format MM/DD/YY when the indexing should stop. You can also click the date widget and select a date.

Mapping Exact Data Profile fields for EDM


Creating and modifying Exact Data Profiles for EDM

Managing and adding Exact Data Profiles for EDM


You manage and create Exact Data Profiles for EDM at the Manage > Data Profiles > Exact Data screen. Once a
profile has been created, the Exact Data screen lists all Exact Data Profiles configured in the system.
About the Exact Data Profile and index

Table 451: Exact Data screen actions for EDM

Add EDM profile: Click Add Exact Data Profile to define a new Exact Data Profile.
Configuring Exact Data profiles for EDM

Edit EDM profile: To modify an existing Exact Data Profile, click the name of the profile, or click the pencil icon at the far right of the profile row.
Creating and modifying Exact Data Profiles for EDM

Remove EDM profile: Click the red X icon at the far right of the profile row to delete the Exact Data Profile from the system. A dialog box confirms the deletion.
Note: You cannot edit or remove a profile if another user is currently modifying that profile, or if a policy exists that depends on that profile.

Download EDM profile: Click the download profile link to download and save the Exact Data Profile. This is useful for archiving and sharing profiles across environments. The file is in the binary *.edm format.

Refresh EDM profile status: Click the refresh arrow icon at the upper right of the Exact Data screen to fetch the latest status of the indexing process. If indexing is in progress, the system displays the message "Indexing is starting." The system does not automatically refresh the screen when the indexing process completes.

Table 452: Exact Data screen details for EDM

Exact Data Profile: The name of the exact data profile.

Last Active Version: The version of the exact data profile and the name of the detection server that runs the profile.

Status: The current status of the exact data profile, which can be any of the following:
• Next scheduled indexing (if it is not currently indexing)
• Sending an index to a detection server
• Indexing
• Deploying to servers
In addition, the current status of the indexing process for each detection server, which can be any of the following:
• Completed, including a completion date
• Pending index completion (waiting for the Enforce Server to finish indexing the exact data source file)
• Replicating indexing
• Creating index (internally)
• Building caches

Error messages: The Exact Data screen displays any error messages in red. For example, if the Exact Data Profile is corrupt or does not exist, the system displays an error message.

Configuring EDM policies


This section describes how to configure EDM policy conditions.
Configuring the Content Matches Exact Data policy condition for EDM
Configuring Data Owner Exception for EDM policy conditions
Configuring the Sender/User based on a Profiled Directory policy condition for EDM
Configuring the Recipient based on a Profiled Directory policy condition for EDM
Configuring Advanced Settings for EDM policies

Configuring the Content Matches Exact Data policy condition for EDM
Once you have defined the Exact Data Profile and indexed the data source, you configure one or more Content Matches
Exact Data conditions in policy rules.
About the Content Matches Exact Data From condition for EDM

Table 453: Configure the Content Matches Exact Data policy condition for EDM

Step 1. Configure an EDM policy detection rule.
Create a new EDM detection rule in a policy, or modify an existing EDM rule.
Configuring policies
Configuring Policy Rules

Match Data Rows when All of these match

Step 2. Select the fields to match.
When you configure the EDM condition, first select each data field that you want the condition to match. You can select all or deselect all fields at once. The system displays all the fields or columns that were included in the index. You do not have to select all the fields, but you should select at least 2 or 3 fields, and one of the fields must be unique, such as a social security number or credit card number.
Best practices for using EDM

Step 3. Choose the number of selected fields to match.
Choose the number of the selected fields to match from the drop-down menu. This number is the number of selected fields that must be present in a message to trigger a match. You must check at least as many data fields as the number you choose to match. For example, if you choose 2 of the selected fields from the menu, you must have checked at least two fields, and at least two of the checked fields must be present in a message for detection.
Ensure data source has at least one column of unique data (EDM)

Step 4. Select the WHERE clause to enter specific field values to match (optional).
The WHERE clause option matches on the specified field value. You specify a WHERE clause value by selecting an exact data field from the menu and by entering a value for that field in the adjacent text box. If you enter more than one value, separate the values with commas.
Use a WHERE clause to detect records that meet specific criteria (EDM)
For example, consider an Exact Data Profile for "Employees" with a "State" field containing state abbreviations. In this example, to implement the WHERE clause, you select (check) WHERE, choose "State" from the drop-down list, and enter CA,NV in the text box. This WHERE clause then limits the detection server to matching messages that contain either CA or NV as the value for the State field.
Note: You cannot specify a field for WHERE that is the same as one of the selected matched fields.

Ignore Data Rows when Any of these match

Step 5. Ignore data owners (optional).
Selecting this option implements Data Owner Exception.
Configuring Data Owner Exception for EDM policy conditions

Step 6. Exclude data field combinations (optional).
You can use excluded data field combinations to specify combinations of data values that are exempted from detection. If the data appears only in exempted pairs or groups, it does not cause a match. Excluded combinations are only available when matching 2 or 3 fields. To enable this option, you must select 2 or 3 fields to match from the "_ of the selected fields" menu at the top of the condition configuration.
Leverage exception tuples to avoid false positives (EDM)
To implement excluded combinations, select an option from each Field N column that appears. Then click the right-arrow icon to add the field combination to the Excluded Combinations list. To remove a field from the list, select it and click the left-arrow icon.
Note: Hold down the Ctrl key to select more than one field in the right-most column.

Additional match condition parameters

Step 7. Select an incident minimum.
Enter or modify the minimum number of matches required for the condition to report an incident.
For example, consider a scenario where you specify 1 of the selected fields for a social security number field and an incident minimum of 5. In this situation, the engine must detect at least five matching social security numbers in a single message to trigger an incident.
Match count variant examples (EDM)

Step 8. Select components to match on.
Select one or more message components to match on:
• Envelope – The header of the message.
• Subject – (Not available for EDM.)
• Body – The content of the message.
• Attachments – The content of any files that are attached to the message or transported by the message.
Selecting components to match on

Step 9. Select one or more conditions to also match.
Select this option to create a compound rule. All conditions must match for the rule to trigger an incident. You can Add any available condition from the list.
Configuring compound rules

Step 10. Test and troubleshoot the policy.
Test and tune policies to improve match accuracy
Troubleshooting policies

Configuring the Data Owner Exception for EDM policy conditions


To exempt data owners from detection, you must include in your Exact Data Profile either an email address or a domain
address field (for example, broadcom.com). Once Data Owner Exception (DOE) is enabled, if the sender or recipient of
confidential information is the data owner (by email address or domain), the detection server allows the data to be sent or
received without generating an incident.
To configure DOE for an EDM policy condition
1. When you are configuring the Content Matches Exact Data condition, select the Ignore data owners option.
2. Select one of the following options:
• Sender matches — Select this option to EXCLUDE the data sender from detection.
• Any or All Recipient matches — Select one of these options to EXCLUDE any or all data recipient(s) from
detection.

NOTE
When you configure DOE for the EDM condition, you cannot select a value for Ignore Sender/Recipient that is
the same as one of the matched fields.
About Data Owner Exception for EDM
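The configuration steps in Table 453 and the Data Owner Exception above describe a set of rules that is easier to reason about as code. The following is an added example written for this page, not the detection server's implementation: it models one Content Matches Exact Data condition (selected fields, "N of the selected fields", an optional WHERE clause, excluded field combinations, Data Owner Exception and the incident minimum) and evaluates it against constructed profile rows and messages. The tokenizer is a stand-in for the lexer, the "Employees" rows and field names are constructed, and treating DOE as "sender or any recipient" is a simplification of the Sender/Any/All options.

```python
from dataclasses import dataclass, field


def tokens(text):
    """Stand-in for the lexer: whitespace-split, outer punctuation stripped, case folded."""
    return {w.strip(".,;:()").lower() for w in text.split()}


@dataclass
class EdmCondition:
    match_fields: tuple                        # data fields checked in the condition
    required: int                              # "N of the selected fields"
    where: dict = field(default_factory=dict)  # WHERE clause: {field: set of allowed values}
    exclude: set = field(default_factory=set)  # excluded field combinations (frozensets)
    ignore_owner_field: str = ""               # email/domain field used for Data Owner Exception
    incident_minimum: int = 1

    def __post_init__(self):
        # The constraints the configuration screen enforces, as stated on the page.
        if self.required > len(self.match_fields):
            raise ValueError("check at least as many fields as the number to match")
        if any(f in self.match_fields for f in self.where):
            raise ValueError("a WHERE field cannot also be a matched field")
        if self.ignore_owner_field and self.ignore_owner_field in self.match_fields:
            raise ValueError("the Ignore Sender/Recipient field cannot also be a matched field")


def is_owner(owner_value, address):
    """True if the address equals the owner's email, or its domain equals an owner domain value."""
    owner, address = owner_value.lower(), address.lower()
    return address == owner or address.rpartition("@")[2] == owner


def matching_rows(cond, profile, message, sender, recipients=()):
    """Rows of the Exact Data Profile that the message matches under the condition."""
    toks = tokens(message)
    hits = []
    for row in profile:
        # WHERE clause: the row must carry one of the listed values for that field.
        if any(row[f] not in allowed for f, allowed in cond.where.items()):
            continue
        # Data Owner Exception: the owner of the record may send or receive it.
        if cond.ignore_owner_field:
            owner = row[cond.ignore_owner_field]
            if is_owner(owner, sender) or any(is_owner(owner, r) for r in recipients):
                continue
        present = frozenset(f for f in cond.match_fields if row[f].lower() in toks)
        if len(present) < cond.required:
            continue
        # Excluded combination: e.g. first name + last name alone must not count as a match.
        if present in cond.exclude:
            continue
        hits.append(row)
    return hits


def is_incident(cond, profile, message, sender, recipients=()):
    """An incident is reported only when at least incident_minimum rows match."""
    return len(matching_rows(cond, profile, message, sender, recipients)) >= cond.incident_minimum


# Constructed rows of an assumed "Employees" profile (not real data).
PROFILE = [
    {"First": "Ana",  "Last": "Ruiz", "SSN": "123-45-6789", "State": "CA", "Email": "ana.ruiz@example.com"},
    {"First": "Ben",  "Last": "Shaw", "SSN": "987-65-4321", "State": "NV", "Email": "ben.shaw@example.com"},
    {"First": "Cara", "Last": "Ruiz", "SSN": "555-11-2222", "State": "TX", "Email": "cara.ruiz@example.com"},
]

# Match 2 of (First, Last, SSN), WHERE State is CA or NV, names alone excluded, DOE on Email.
COND = EdmCondition(
    match_fields=("First", "Last", "SSN"),
    required=2,
    where={"State": {"CA", "NV"}},
    exclude={frozenset({"First", "Last"})},
    ignore_owner_field="Email",
    incident_minimum=1,
)

MESSAGE = "Ana Ruiz, SSN 123-45-6789; Ben Shaw 987-65-4321"

if __name__ == "__main__":
    print([r["First"] for r in matching_rows(COND, PROFILE, MESSAGE, "hr@example.com")])
    print([r["First"] for r in matching_rows(COND, PROFILE, MESSAGE, "ana.ruiz@example.com")])
    print(matching_rows(COND, PROFILE, "Ana Ruiz will attend", "hr@example.com"))
```

With these inputs the message from hr@example.com matches Ana's and Ben's rows (Cara's row is filtered out by the WHERE clause on State); the same message sent by ana.ruiz@example.com matches only Ben's row, because Ana is the data owner of her own record; and "Ana Ruiz will attend" matches nothing, because first name plus last name is an excluded combination.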

Configuring the Sender/User based on a Profiled Directory policy condition for EDM

The Sender/User based on a Directory from detection rule lets you create detection rules based on sender identity or
(for endpoint incidents) user identity. This condition requires an Exact Data Profile.
Creating the exact data source file for profiled DGM for EDM
After you select the Exact Data Profile, when you configure the rule, the directory you selected and the sender identifier(s)
appear at the top of the page.

Configuring the Sender/User based on a Directory from an EDM Profile condition describes the parameters for configuring
the Sender/User based on a Directory from an EDM Profile condition.

Table 454: Configuring the Sender/User based on a Directory from an EDM Profile condition

Where: Select this option to have the system match on the specified field values. Specify the values by selecting a field from the drop-down list and typing the values for that field in the adjacent text box. If you enter more than one value, separate the values with commas.
For example, for an Employees directory group profile that includes a Department field, you would select Where, select Department from the drop-down list, and enter Marketing,Sales in the text box. If the condition is implemented as a rule, in this example a match occurs only if the sender or user works in Marketing or Sales (as long as the other input content meets all other detection criteria). If the condition is implemented as an exception, in this example the system excludes from matching any message from a sender or user who works in Marketing or Sales.

Is Any Of: Enter or modify the information you want to match. For example, if you want to match any sender in the Sales department, select Department from the drop-down list, and then enter Sales in this field (assuming that your data includes a Department column). Use a comma-separated list if you want to specify more than one value.

Configuring the Recipient based on a Profiled Directory policy condition for EDM
The Recipient based on a Directory from condition lets you create detection methods based on the identity of the
recipient. This method requires an Exact Data Profile.
Creating the exact data source file for profiled DGM for EDM
After you select the Exact Data Profile, when you configure the rule, the directory you selected and the recipient
identifier(s) appear at the top of the page.
Configuring the Recipient based on a Directory from an EDM profile condition describes the parameters for configuring
Recipient based on a Directory from an EDM profile condition.

Table 455: Configuring the Recipient based on a Directory from an EDM profile condition

Where: Select this option to have the system match on the specified field values. Specify the values by selecting a field from the drop-down list and typing the values for that field in the adjacent text box. If you enter more than one value, separate the values with commas.
For example, for an Employees directory group profile that includes a Department field, you would select Where, select Department from the drop-down list, and enter Marketing, Sales in the text box. For a detection rule, this example causes the system to capture an incident only if at least one recipient works in Marketing or Sales (as long as the input content meets all other detection criteria). For an exception, this example prevents the system from capturing an incident if at least one recipient works in Marketing or Sales.

Is Any Of: Enter or modify the information you want to match. For example, if you want to match any recipient in the Sales department, select Department from the drop-down list, and then enter Sales in this field (assuming that your data includes a Department column). Use a comma-separated list if you want to specify more than one value.

About configuring natural language processing for Chinese, Japanese, and Korean for EDM policies


Introducing EDM token matching
Symantec Data Loss Prevention detection servers support natural language processing for Chinese, Japanese, and
Korean (CJK) in policies that use Exact Data Matching (EDM) detection. When natural language processing for CJK
languages is enabled, the detection server validates CJK tokens before reporting a match, which improves matching
accuracy.

EDM token matching examples for CJK languages


EDM token matching examples for CJK provides EDM token matching examples for Chinese, Japanese, and Korean
languages. All examples assume that the keyword condition is configured to match on whole words only.
If token verification is enabled, the message must be large enough for the token verifier to recognize its language. For
example, the message "東京都市部の人口" is too short for the token verification process to recognize the language of
the message. The following message is large enough for token verification processing:
今朝のニュースによると東京都市部の人口は増加傾向にあるとのことでした。 全国的な人口減少の傾向の中、東京への
一極集中を表しています。

Table 456: EDM token matching examples for CJK

Chinese
Keyword: 通信
Matches on server with token validation ON: 数字无线通信
Matches on server with token validation OFF: 数字无线通信, 交通信息 网站

Japanese
Keyword: 京都市
Matches on server with token validation ON: 京都府京都市左京区
Matches on server with token validation OFF: 京都府京都市左京区, 東京都市部の人

Korean
Keyword: 정부
Matches on server with token validation ON: 정부의 방침
Matches on server with token validation OFF: 정부의 방침, 의정부 경전철

Enabling and using CJK token verification for EDM


To use token verification for Chinese, Japanese, and Korean (CJK) languages you must enable it on each detection
server by setting the advanced server setting EDM.TokenVerifierEnabled to true. In addition, there must be a sufficient
amount of message text for the system to recognize the language.
EDM token verification parameter lists and describes the detection server parameter that lets you enable token verification
for CJK languages.

Table 457: EDM token verification parameter

Setting: EDM.TokenVerifierEnabled
Default: false
Description: Default is disabled (false). If enabled (true), the server validates tokens for Chinese, Japanese, and Korean language keywords.

Enable keyword token verification for CJK describes how to enable and use token verification for CJK keywords.
Enable EDM token verification for CJK
1. Log on to the Enforce Server as an administrative user.
2. Navigate to the System > Servers and Detectors > Overview > Server/Detector Detail - Advanced Settings
screen for the detection server you want to configure.
Advanced Server Settings

3. Locate the parameter EDM.TokenVerifierEnabled.
4. Change the value to true from false (default).
Setting the server parameter EDM.TokenVerifierEnabled = true enables token validation for CJK token detection.
5. Save the detection server configuration.
6. Recycle the detection server.

Configuring Advanced Settings for EDM policies


EDM has various advanced settings available at the System > Servers and Detectors > Overview > Server/Detector
Detail - Advanced Settings screen for the chosen detection server. Use caution when modifying these settings on a
server. Check with Symantec Data Loss Prevention Support before changing any of the settings on this screen. Changes
to these settings do not take effect until after the server is restarted.

Table 458: Advanced Settings for EDM indexing and detection

EDM.MatchCountVariant (default: 3)
Specifies how matches are counted:
• 1 - Counts the number of token sets matched, regardless of whether the same tokens are used across several matches.
• 2 - Counts the number of unique token sets.
• 3 - Counts the number of unique supersets of token sets (default).
Match count variant examples (EDM)

EDM.MaximumNumberOfMatchesToReturn (default: 100)
Defines an upper limit on the number of matches returned from each RAM index search. For multi-file indices, this limit is applied to each sub-index search independently before the search results are combined. As a result, the number of actual matches can exceed this limit for multi-file indices.

EDM.RunProximityLogic (default: true)
If true (default), this setting runs the token proximity check. The free-form text proximity is defined by the setting EDM.SimpleTextProximityRadius. The tabular text proximity is defined by belonging to the same table row.
Note: Disabling proximity is not recommended because it can negatively affect the performance of the system.

EDM.SimpleTextProximityRadius (default: 35)
Provides the baseline range for proximity checking a matched token. This value is multiplied by the number of required matches to give the complete proximity check range.
To keep the same "required match density," the proximity check range behaves like a moving window over a text page. D is the proportionality factor for the window and is set in the policy condition by choosing how many fields to match on for the EDM condition. N is the SimpleTextProximityRadius value. A set of tokens is in the proximity range if the first token is within N x D words of the last token. The proximity check range is therefore directly proportional to the number of matches, by a factor of D.
Proximity matching example for EDM
Note: Increasing the radius value above the default can negatively affect system performance and is not recommended.

EDM.TokenVerifierEnabled (default: false)
Default is disabled (false). If enabled (true), the server validates tokens for Chinese, Japanese, and Korean language keywords.

Lexer.IncludePunctuationInWords (default: true)
If true, punctuation characters are considered part of a token during detection. If false, punctuation within a token or multi-token is treated as white space during detection.
Multi-token with punctuation (EDM)
Note: This setting applies to detection content, not to indexed content.

Lexer.MaximumNumberOfTokens (default: 30000)
Maximum number of tokens extracted from each message component for detection. Applicable to all detection technologies where tokenization is required (EDM, profiled DGM, and the system patterns supported by those technologies). Increasing the default value may cause the detection server to run out of memory and restart.

Lexer.Validate (default: true)
If true, performs system pattern-specific validation during indexing. Setting this to false is not recommended.
Using system-provided pattern validators for EDM profiles

MessageChain.NumChains (default: varies)
The default varies with the detection server type; it is either 4 or 8. This is the number of messages that the filereader processes in parallel. Setting this number higher than 8 (with the other default settings) is not recommended: a higher setting does not substantially increase performance and carries a much greater risk of running out of memory. Setting this to less than 8 (in some cases 1) helps when processing big files, but it may slow down the system considerably.

NOTE
Maximum tokens per multi-token and stopwords are calculated and evaluated, respectively, during indexing.
The Lexer.MaxTokensPerMultiToken and Lexer Stopword Languages Advanced Server settings are no longer
necessary. The stopword language on the Enforce Server is specified in the Indexer.properties file at
C:\Program Files\Symantec\Data Loss Prevention\Indexer\16.0.10000\Protect\config\Indexer.properties.
For English, the property is stopword_languages = en.
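The EDM.SimpleTextProximityRadius description above defines the proximity window as N x D words, where N is the radius and D is the number of fields the condition matches on, and Table 459 adds that each sub-token of a multi-token cell counts as one token. The following is an added example written for this page, not the product's proximity logic: it locates the matched cell values of one row in a message, measures the distance between the first and last matched token, and applies the N x D window, so you can see why raising the radius or the field count widens what counts as "in proximity". The sample row and message text are constructed, and treating the bound as inclusive is an assumption.

```python
RADIUS = 35  # EDM.SimpleTextProximityRadius default; N in the description above


def words_of(text):
    """Message words, outer punctuation stripped and case folded; one position per word."""
    return [w.strip(".,;:()").lower() for w in text.split()]


def locate(words, cell_value):
    """Start position of the first place the cell's sub-tokens occur consecutively, else None."""
    parts = words_of(cell_value)
    n = len(parts)
    for i in range(len(words) - n + 1):
        if words[i:i + n] == parts:
            return i
    return None


def matched_span(message, cell_values):
    """(first, last) word positions covered by the matched cells, or None if a cell is absent.
    Each sub-token of a multi-token cell occupies its own position, so it counts as one token
    for the proximity check, as the page states."""
    words = words_of(message)
    first = last = None
    for value in cell_values:
        start = locate(words, value)
        if start is None:
            return None
        end = start + len(value.split()) - 1
        first = start if first is None else min(first, start)
        last = end if last is None else max(last, end)
    return first, last


def in_proximity(message, cell_values, fields_to_match, radius=RADIUS):
    """Proximity check: the first matched token must lie within N x D words of the last,
    with D = fields_to_match and N = radius (inclusive bound assumed)."""
    span = matched_span(message, cell_values)
    if span is None:
        return False
    first, last = span
    return last - first <= radius * fields_to_match


# Constructed sample: a row whose (multi-token) name and SSN sit 80 filler words apart.
ROW = ("Ana Ruiz", "123-45-6789")
FAR_APART = "Employee Ana Ruiz " + " ".join(["filler"] * 80) + " 123-45-6789 on file"
CLOSE_TOGETHER = "Employee Ana Ruiz, 123-45-6789, on file"

if __name__ == "__main__":
    print(in_proximity(FAR_APART, ROW, fields_to_match=2))             # False: 82 > 35 x 2
    print(in_proximity(FAR_APART, ROW, fields_to_match=2, radius=45))  # True: 82 <= 45 x 2
    print(in_proximity(CLOSE_TOGETHER, ROW, fields_to_match=2))        # True: 2 <= 70
```

In the first message the name starts at word 1 and the SSN is at word 83, a distance of 82 words, which exceeds the default window of 35 x 2 = 70, so the row is not in proximity even though both values are present; raising the radius to 45 (window 90) admits it, which is the performance trade-off the note above warns about.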

Using multi-token matching with EDM


EDM policy matching is based on tokens in the index. For languages based on the Latin alphabet, a token is a word
or string of alphanumeric characters delimited by spaces. For Chinese, Japanese, and Korean languages, a token is
determined by other means. Tokens are normalized so that formatting and case are ignored. At run-time the server
performs a full-text search against an inbound message, checking each word against the index for potential matches. The
matching algorithm compares each word in the message with the contents of each token in the index.
A multi-token cell is a cell in the index that contains multiple words separated by spaces, leading or trailing punctuation,
or alternative Latin and Chinese, Japanese, or Korean language characters. The sub-token parts of a multi-token cell
obey the same rules as single-token cells: they are normalized according to their pattern where normalization can
apply. Inbound message data must match a multi-token cell exactly, including whitespace, punctuation, and stopwords
(assuming the default settings).
For example, an indexed cell containing the string "Bank of America" is a multi-token comprising 3 sub-token parts. During
detection, the inbound message "bank of america" (normalized) matches the multi-token cell, but "bank america" does
not.
Multi-token matching is enabled by default. Multi-token cells are more computationally expensive than single-token cells.
If the index includes multi-token cells, you must verify that you have enough memory to index, load, and process the EDM
profile.
Characteristics of multi-token cells (EDM)

Memory requirements for EDM

Characteristics of multi-token cells (EDM)


Characteristics of multi-tokens for EDM lists and describes characteristics of multi-token matching.
Using multi-token matching with EDM

Table 459: Characteristics of multi-tokens for EDM

• The number of tokens in a single cell is limited to 200 tokens. The number of characters is not limited. In the case of a CJK token, each character is treated as a single token and the number of CJK characters is limited to 200 characters.
• Whitespace in Latin multi-token cells is considered, but multiple whitespaces are normalized to 1.
Multi-token with spaces (EDM)
• Punctuation immediately preceding and following a token or sub-token is always ignored.
Multi-token with punctuation (EDM)
Additional examples for multi-token cells with punctuation (EDM)
• You can configure how punctuation within a token or multi-token is treated during detection (Lexer.IncludePunctuationInWords = true). For most cases the default setting ("true") is appropriate. If set to "false," punctuation is treated as whitespace.
Configuring Advanced Settings for EDM policies
• For proximity range checking, the sub-token parts of a multi-token are counted as single tokens.
Proximity matching example for EDM
• The system does not consider stopwords when matching multi-tokens. In other words, stopwords are not excluded.
Multi-token with stopwords (EDM)
• Multi-tokens are more computationally expensive than single tokens and require additional memory for indexing, loading, and processing.
Memory requirements for EDM

Multi-token with spaces (EDM)


Multi-token cell with spaces examples shows examples of multi-tokens with spaces.

Table 460: Multi-token cell with spaces examples

Cell contains a space
Indexed content: Bank of America
Detected content: Bank of America
Explanation: A cell with spaces is a multi-token. The multi-token must match exactly.

Cell contains multiple spaces
Indexed content: Bank of America (with multiple spaces between the words)
Detected content: Bank of America
Explanation: Multiple spaces are normalized to one.

Cell contains a space between CJK characters
Indexed content: 傠傫 傠傫
Detected content: 傠傫 傠傫, 傠傫傠傫
Explanation: White space between CJK characters is ignored.

Cell contains a space between Latin and CJK characters
Indexed content: EDM 傠傫
Detected content: EDM 傠傫, EDM傠傫
Explanation: White space between Latin and CJK characters is ignored.

Multi-token with Stopwords (EDM)


Stopwords are common words, such as articles and prepositions. When creating single-tokens, the EDM indexing process
ignores words found in the EDM stopword list (\Program Data\Symantec\DataLossPrevention\EnforceServer\16.0.10000\config\stopwords),
as well as single letters. However, when creating multi-tokens, stopwords and single letters are not ignored. Instead, they
are part of the multi-token.
Cell contains stopwords or single letter or single digit (EDM) shows multi-token matches with stopwords, single letters,
and single digits.

Table 461: Cell contains stopwords or single letter or single digit (EDM)

Cell contains a stopword.
Cell content: throw other ball
Should match: throw other ball
Explanation: The common word ("other") is filtered out during indexing of single tokens, but not when it is part of a multi-token.

Cell contains a single letter.
Cell content: throw a ball
Should match: throw a ball
Explanation: The single letter ("a") is filtered out during indexing of single tokens, but not when it is part of a multi-token.

Cell contains a single digit.
Cell content: throw 1 ball
Should match: throw 1 ball
Explanation: Unlike single-letter words, which are stopwords, single digits are never ignored.

Multi-token with mixed language characters (EDM)


Multi-token cell with Latin and CJK characters examples (EDM) shows examples of multi-tokens with mixed Latin and CJK
characters.

Table 462: Multi-token cell with Latin and CJK characters examples (EDM)

Cell includes Latin and CJK characters with no spaces.
Cell content: ABC傠傫 or 傠傫ABC
Should match: ABC傠傫 or 傠傫ABC; also matches ABC 傠傫 and 傠傥 ABC
Explanation: A mixed Latin-CJK cell is a multi-token. Whitespace between Latin and CJK characters is ignored: EDM ignores whitespace between the Latin characters and the CJK token.

Cell includes Latin and CJK characters with one or more spaces.
Cell content: ABC 傠傫 or 傠傥 ABC
Should match: ABC 傠傫 or 傠傥 ABC; also matches ABC傠傫 and 傠傫ABC
Explanation: Multiple spaces are ignored.

Cell contains Latin or CJK characters with numbers.
Cell content: 什仁 仂仃 仄仅 仇仈仉 147(什仂 仅 51-1)
Should match: 什仁 仂仃 仄仅 仇仈仉 147(什仂 仅 51-1)
Explanation: Single-token cell.

Multi-token with punctuation (EDM)


Punctuation is always ignored if it comes at the beginning (leading) or end (trailing) of a token or multi-token. Whether
punctuation included in a token or multi-token is required for matching depends on the Advanced Server Setting
Lexer.IncludePunctuationInWords, which by default is set to true (enabled).

Multi-token punctuation characters (EDM)

NOTE
For convenience purposes the Lexer.IncludePunctuationInWords parameter is referred to by the three-letter
acronym "WIP" throughout this section.
The WIP setting operates at detection time to alter how matches are reported. For most EDM policies you should not
change the WIP setting. For a few limited situations, such as account numbers or addresses, you may need to set
Lexer.IncludePunctuationInWords = false, depending on your detection requirements.

Multi-token punctuation characters (EDM)


Multi-token punctuation table (EDM) lists and explains how multi-token matching works with punctuation.

Table 463: Multi-token punctuation table (EDM)

Indexed content a.b, detected content a.b
• WIP true: match. The indexed content and the detected content are exactly the same.
• WIP false: no match. The detected content is treated as "a b" and is therefore not a match.

Indexed content a.b, detected content ab
• WIP true: no match. The indexed content and the detected content are different.
• WIP false: no match. The indexed content and the detected content are different.

Indexed content ab, detected content a.b
• WIP true: no match. The indexed content and the detected content are different.
• WIP false: match. The detected content is treated as "a b" and is therefore a match.

Indexed content ab, detected content ab
• WIP true: match. The indexed content and the detected content are exactly the same.
• WIP false: match. The indexed content and the detected content are exactly the same.
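The multi-token rules spread over the preceding sections (exact sub-token matching, whitespace normalization, stopwords kept inside multi-tokens but dropped from single tokens, leading and trailing punctuation always ignored, and the WIP setting deciding whether internal punctuation splits a message token) are easiest to check side by side in code. The following is an added example written for this page, not the product's lexer: a toy index-time normalizer and detection-time tokenizer for Latin text that reproduces the documented behaviour, run against constructed cells, including the account-number case that the WIP note above mentions. The stopword list is a small stand-in for the stopword file, and CJK handling is left out.

```python
import string

PUNCT = set(string.punctuation)
STOPWORDS = {"a", "an", "and", "of", "or", "other", "the", "to"}  # stand-in for the stopword file


def split_words(text):
    """Whitespace-delimited words, case folded; runs of whitespace collapse to one boundary."""
    return [w.lower() for w in text.split()]


def strip_outer(word):
    """Punctuation immediately preceding or following a (sub-)token is always ignored."""
    return word.strip(string.punctuation)


def index_cell(cell):
    """Index-time normalization of one cell: a tuple of sub-tokens, or None when the cell is a
    single token that indexing drops (a stopword or a single letter). Internal punctuation is
    always retained at index time; stopwords inside a multi-token are kept."""
    parts = tuple(p for p in (strip_outer(w) for w in split_words(cell)) if p)
    if len(parts) == 1 and (parts[0] in STOPWORDS or (len(parts[0]) == 1 and parts[0].isalpha())):
        return None
    return parts or None


def build_index(cells):
    index = {}
    for cell in cells:
        parts = index_cell(cell)
        if parts:
            index[cell] = parts
    return index


def message_tokens(text, wip=True):
    """Detection-time tokenization. With Lexer.IncludePunctuationInWords (WIP) true, punctuation
    inside a word stays part of the token; with WIP false it is treated as whitespace, so
    "acct-4471" becomes the two tokens "acct" and "4471"."""
    if not wip:
        text = "".join(" " if ch in PUNCT else ch for ch in text)
    return [t for t in (strip_outer(w) for w in split_words(text)) if t]


def detect(index, text, wip=True):
    """Cells whose sub-token sequence occurs consecutively in the message (exact multi-token match)."""
    toks = message_tokens(text, wip)
    hits = []
    for cell, parts in index.items():
        n = len(parts)
        if any(tuple(toks[i:i + n]) == parts for i in range(len(toks) - n + 1)):
            hits.append(cell)
    return hits


# Constructed cells: a multi-token with a stopword, an account number indexed with and
# without internal punctuation, a name with an apostrophe, a bare stopword and a phrase.
CELLS = ["Bank of America", "ACCT 4471", "ACCT-4471", "O'NEAL ST.", "other", "throw other ball"]
INDEX = build_index(CELLS)

if __name__ == "__main__":
    print(sorted(INDEX))                               # "other" alone is not indexed
    print(detect(INDEX, "Bank  of   America"))         # multiple spaces normalized
    print(detect(INDEX, "bank america"))               # stopword missing: no match
    print(detect(INDEX, "ACCT-4471", wip=True))        # matches the punctuated cell only
    print(detect(INDEX, "ACCT-4471", wip=False))       # now matches "ACCT 4471" instead
    print(detect(INDEX, "O'NEAL ST", wip=False))       # internal apostrophe split: no match
```

The account-number pair shows the trade-off behind the WIP note: with WIP true, a message containing "ACCT-4471" matches only a cell indexed with the same internal punctuation, while with WIP false it matches the cell indexed as "ACCT 4471" and the punctuated cell can never match, because indexing always keeps internal punctuation.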

Additional examples for multi-token cells with punctuation (EDM)


Additional use cases for multi-token cells with punctuation (EDM) lists and describes some additional examples for multi-
token cells with punctuation. In these examples, the main thing to keep in mind is that during indexing, if a token includes
punctuation marks between characters, the punctuation is always retained. This means that EDM cannot detect that cell
if the WIP setting is false. In other words, if the indexed data has a cell containing a token with internal punctuation, the
WIP setting should be set to true.

Table 464: Additional use cases for multi-token cells with punctuation (EDM)

Description: Cell contains a physical address with punctuation.
Indexed content: 346 Guerrero St., Apt. #2
Detected content:
  346 Guerrero St., Apt. #2
  346 Guerrero St Apt 2
Explanation: The indexed content is a multi-token cell. Both match because the punctuation comes at the beginning or
end of the sub-token parts and is therefore ignored.

Description: Cell contains internal punctuation with no space before or after.
Indexed content: O'NEAL ST.
Detected content: O'NEAL ST
Explanation: The indexed content is a multi-token cell. Internal punctuation is included (assuming WIP is true), and
leading or trailing punctuation is ignored (assuming there is a space delimiter after the punctuation).

Description: Cell contains Asian language characters (CJK) with indexed internal punctuation.
Indexed content: 傠傫##傠傫
Detected content: 傠傫##傠傫 (if WIP true)
Explanation: The indexed content is a single-token cell. During detection, Asian language characters (CJK) with
internal punctuation are affected by the WIP setting. Thus, in this example 傠傫##傠傫 matches only if the WIP setting
is true. If the WIP setting is false, 傠傫##傠傫 is considered a multi-token because the internal punctuation is treated
as whitespace. Thus, no content can match.

Description: Cell contains Asian language characters (CJK) without indexed internal punctuation.
Indexed content: 傠傫 傠傫
Detected content:
  傠傫 傠傫
  傠傫##傠傫 (if WIP false)
Explanation: The indexed content is a multi-token cell. The detected content matches as indexed. If the WIP setting
is false, the detected content matches 傠傫##傠傫 because internal punctuation is ignored.

Description: Cell contains a mix of Latin and CJK characters with punctuation separating the Latin and Asian
characters.
Indexed content: EDM##傠傫
Detected content: EDM 傠傫
Explanation: The indexed content is a multi-token cell. A cell with alternating Latin and CJK characters is always a
multi-token, and punctuation between Latin and Asian characters is always treated as a single white space regardless
of the WIP setting.

Description: Cell contains a mix of Latin and CJK characters with internal punctuation.
Indexed content: DLP##EDM 傠傫##傠傥
Detected content:
  DLP##EDM##傠傫##傠傥 (if WIP true)
  DLP##EDM 傠傫##傠傥 (if WIP true)
Explanation: The indexed content is a multi-token cell. During detection, punctuation between the Latin and Asian
characters is treated as a single whitespace and leading and trailing punctuation is ignored. If the WIP setting is true,
the punctuation internal to the Latin characters and internal to the Asian characters is retained. If the WIP setting is
false, no content can match because internal punctuation is ignored.

Description: Cell contains a mix of Latin and CJK characters with internal punctuation.
Indexed content: DLP EDM 傠傫 傠傥
Detected content:
  DLP EDM 傠傫 傠傥
  DLP#EDM 傠傫#傠傥 (if WIP false)
  DLP#EDM##傠傫#傠傥 (if WIP false)
Explanation: The indexed content is a multi-token cell. During detection, punctuation between the Latin and Asian
characters is treated as a single whitespace and leading and trailing punctuation is ignored. Thus, it matches as
indexed. If the WIP setting is false, it matches DLP;EDM##傠傫#傠傥 because internal punctuation is ignored.

Some special use cases for system-recognized data patterns (EDM)


EDM provides validation for and recognition of the following special data patterns:
• Credit card number
• Email address
• IP address
• Number
• Percent
• Phone number (US, Canada)
• Postal code (US, Canada)
• Social security number (US SSN)
Using system-provided pattern validators for EDM profiles
NOTE
It is a best practice to always validate your index against the recognized system patterns when the data source
includes one or more such column fields.
Map data source column to system fields to leverage validation (EDM)
The general rule for system-recognized patterns is that the WIP setting does not apply during detection. Instead, the
rules for that particular pattern apply. In other words, if the pattern is recognized during detection, the WIP setting is not
checked. This is always true if the pattern is a string of characters such as an email address, and if the cell contains a
number that conforms to one of the recognized number patterns (such as CCN or SSN).
In addition, even if the pattern is a generic number such as an account number that does not conform to one of the
recognized number patterns, the WIP setting may still not apply. To ensure accurate matching for generic numbers that
do not conform to one of the system-recognized patterns, you should not include punctuation in these number cells. If the
cell contents conform to one of the system-recognized patterns, the punctuation rules for that pattern apply and the WIP
setting does not.
Do not use the comma delimiter if the data source has number fields (EDM)
Some special use cases for system-recognized data patterns (EDM) lists and describes examples for detecting system-
recognized data patterns.
CAUTION
This list is not exhaustive. It is provided for informational purposes only to ensure that you are aware that data
that matches system-defined patterns takes precedence and the WIP setting is ignored. Before deploying your
EDM policies into production, you must test detection accuracy and adjust the index accordingly to ensure that
the data that you have indexed matches as expected during detection.

Table 465: Some special use cases for system-recognized data patterns (EDM)

Description: Cell contains an email address.
Indexed content: person@example.com
Detected content: person@example.com
Explanation: An email address is indexed and detected as a single token regardless of the WIP setting. It must match
exactly as indexed. If you were to set WIP to false, "person example com" would not match as a multi-token and does
not match the indexed single token.

Description: Cell contains a 10-digit account number.
Indexed content: ##########
Detected content:
  ##########
  (###) ### ####
  (###) ###-####
Explanation: The WIP setting is ignored because the number conforms to the phone number pattern and its rules take
precedence.

Indexed content: ## ###### ##
Detected content: ## ###### ##
Explanation: Must match exactly. The pattern ##-######-## does not match even if WIP is set to false.

Indexed content: ### #### ###
Detected content: ### #### ###
Explanation: Must match exactly. The pattern ###-####-### does not match even if WIP is set to false.

Multi-token punctuation characters (EDM)


In EDM, a multi-token cell is any indexed cell that contains punctuation, spaces, or alternating Latin words and CJK
characters.
Characters treated as punctuation for indexing (EDM)
Using multi-token matching with EDM lists the symbols that are identified and treated as punctuation during EDM
indexing.

Table 466: Characters treated as punctuation for indexing (EDM)

Punctuation name Character representation

Apostrophe '
Tilde ~
Exclamation point !
Ampersand &
Dash -
Single quotation mark '
Double quotation mark "
Period (dot) .
Question mark ?
At sign @
Dollar sign $
Percent sign %
Asterisk *
Caret symbol ^
Open parenthesis (
Close parenthesis )
Open bracket [
Close bracket ]
Open brace {
Close brace }
Forward slash /
Back slash \
Pound sign #
Equal sign =
Plus sign +

Match count variant examples (EDM)


The default value for the Advanced Server setting EDM.MatchCountVariant eliminates the matches that consist of the
same set of tokens from some other match. Rarely is there a need to change the default value, but if necessary you can
configure how EDM matches are counted using this parameter.
See Advanced Server Settings.
Match count variant examples (EDM) provides examples for match counting. All examples assume that the policy is set to
match three out of four column fields and that the profile index contains the following cell contents:
Kathy | Stevens | 123-45-6789 | 1111-1111-1111-1111
Kathy | Stevens | 123-45-6789 | 2222-2222-2222-2222
Kathy | Stevens | 123-45-6789 | 3333-3333-3333-3333

Table 467: Match count variant examples (EDM)

Inbound message contents: Kathy Stevens 123-45-6789
  Match count variant 1: 3 matches. Records matched in the profile: first name, last name, and SSN.
  Match count variant 2: 1 match. Number of unique token sets matched.
  Match count variant 3: 1 match. Number of unique supersets of token sets.

Inbound message contents: Kathy Stevens 123-45-6789 1111-1111-1111-1111 Kathy Stevens 123-45-6789
  Match count variant 1: 3 matches.
  Match count variant 2: 1 match if EDM.HighlightAllMatchesInProximity = false (default); 2 matches if
  EDM.HighlightAllMatchesInProximity = true.
  Match count variant 3: 1 match.
  Explanation: If EDM.HighlightAllMatchesInProximity = false, EDM matches the left-most tokens for each profile data
  row. The token set for each row is as follows:
    Row # 1: Kathy Stevens 123-45-6789
    Row # 2: Kathy Stevens 123-45-6789
    Row # 3: Kathy Stevens 123-45-6789
  If EDM.HighlightAllMatchesInProximity = true, EDM matches all tokens within the proximity window. The token set for
  each row is as follows:
    Row # 1: Kathy Stevens 123-45-6789 1111-1111-1111-1111 Kathy Stevens 123-45-6789
    Row # 2: Kathy Stevens 123-45-6789 Kathy Stevens 123-45-6789
    Row # 3: Kathy Stevens 123-45-6789 Kathy Stevens 123-45-6789

Inbound message contents: 1111-1111-1111-1111 Kathy Stevens 123-45-6789
  Match count variant 1: 3 matches.
  Match count variant 2: 2 matches.
  Match count variant 3: 2 matches if EDM.HighlightAllMatchesInProximity = false (default); 1 match if
  EDM.HighlightAllMatchesInProximity = true.
  Explanation: If EDM.HighlightAllMatchesInProximity = false, EDM matches the left-most tokens for each profile data
  row. The token set for each row is as follows:
    Row # 1: 1111-1111-1111-1111 Kathy Stevens
    Row # 2: Kathy Stevens 123-45-6789
    Row # 3: Kathy Stevens 123-45-6789
  If EDM.HighlightAllMatchesInProximity = true, EDM matches all tokens within the proximity window. The token set for
  each row is as follows:
    Row # 1: 1111-1111-1111-1111 Kathy Stevens 123-45-6789
    Row # 2: Kathy Stevens 123-45-6789
    Row # 3: Kathy Stevens 123-45-6789

Proximity matching example for EDM


EDM protects confidential data by correlating uniquely identifiable information, such as SSN, with data that are not unique,
such as last name. When correlating data, it is important to ensure that terms are related. In natural languages, it is more
likely that when two words appear close together they are being used in the same context and are therefore related.
Based on the premise that word proximity indicates relatedness, EDM employs a proximity-matching radius or range to
limit how much freeform content the system examines when searching for matches. EDM proximity matching is designed
to reduce false positives by ensuring that matched terms are proximate.
The proximity range is proportional to the policy definition. The proximity range is determined by the proximity radius that
is multiplied by the number of matches required by the EDM policy condition. The radius is set by the Advanced Server
Setting parameter EDM.SimpleTextProximityRadius. The default value is 35. In addition, proximity matching applies to
both free-form text and tabular data. There is no distinction at run time between the two. Thus, tabular data is treated the
same as free text data and the proximity check is performed beyond the scope of the length of the row contents.

For example, assuming the default radius of 35 and a policy set to match 3 out of 4 column fields, the proximity range is
105 tokens (3 x 35). If the policy matches 2 out of 3 the proximity range is 70 tokens (35 x 2).
WARNING
While you can decrease the value of the proximity radius, Symantec does not recommend increasing this value
beyond the default (35). Doing so may cause performance issues.
Configuring Advanced Settings for EDM policies
Proximity example for EDM shows a proximity matching example that is based on the default proximity radius setting. In
this example, the detected content produces one unique token set match, described as follows:
• The proximity range window is 105 tokens (35 x 3).
• The proximity range window starts at the leftmost match ("Stevens") and ends at the rightmost match ("123-45-6789").
• The total number of tokens from "Stevens" to the SSN (including both) is 105 tokens.
• The stopwords "other" and "a" are counted for proximity range purposes.
• "Bank of America" is a multi-token. Each sub-token part of a multi-token is counted as a single token for proximity
purposes.

Table 468: Proximity example for EDM

Indexed data:
  Last_Name | Employer | SSN
  Stevens | Bank of America | 123-45-6789
Policy: Match 3 of 3
Proximity: Radius = 35 tokens (default)
Detected content: Zendrerit inceptors Kathy Stevens lorem ipsum pharetra convallis leo suscipit ipsum sodales
rhoncus, vitae dui nisi volutpat augue maecenas in, luctus id risus magna arcu maecenas leo quisque. Rutrum
convallis tortor urna morbi elementum hac curabitur morbi, nunc dictum primis elit senectus faucibus convallis
surfrent. Aptentnour gravida adipiscing iaculis himenaeos, himenaeos a porta etiam viverra. Class torquent uni other
tristique cubilia in Bank of America. Dictumst lorem eget ipsum. Hendrerit inceptos other sagittis quisque. Leo mollis
per nisl per felis, nullam cras mattis augue turpis integer pharetra convallis suscipit hendrerit? Lubilia en mictumst
horem eget ipsum. Inceptos urna sagittis quisque dictum odio hendrerit convallis suscipit ipsum wrdsrf 123-45-6789.

Updating EDM indexes to the latest version


When you upgrade to the latest version of Symantec Data Loss Prevention, you must update each Exact Data profile by
reindexing the data source using the latest EDM Indexer. You need to verify the amount of memory that is required for
indexing the data source, and loading and processing the index at run-time on the detection server.
About upgrading EDM deployments
Memory requirements for EDM
If you do not reindex the data source file, the system presents error messages indicating that the Exact Data profile is out-
of-date. You must reindex the Exact Data profile, and re-calculate memory requirements.
EDM index out-of-date error codes
Two primary upgrade scenarios exist for EDM:
• You use the Remote EDM Indexer to create indexes remotely and copy them to the Enforce Server.
  Update process using the Remote EDM Indexer
• You already have a data source file that is current and cleansed that you can copy to the upgraded Enforce Server for
  indexing.
  Update process using the Enforce Server for EDM

Update process using the Remote EDM Indexer


You can use the following procedure for upgrading your EDM deployments to the latest version of Symantec Data Loss
Prevention. This procedure assumes that you can remotely index the data source and copy the index file to the Enforce
Server.
Remote EDM indexing
If remote indexing is not possible, the other option for upgrade is to copy the data source file to the Enforce Server.
Update process using the Enforce Server for EDM

Table 469: Update process using the Remote EDM Indexer

Step 1: Upgrade the Enforce Server to the latest version.
  See Upgrading DLP. Do not upgrade the EDM detection server(s) now.
  The latest Enforce Server can continue to receive incidents from older detection servers during the upgrade process.
  Policies and other data cannot be pushed out to older detection servers. There is one-way communication only between
  the latest version of Enforce and previous versions of detection servers.
Step 2: Create a newly-generated remote EDM profile template.
  Using the latest Enforce Server administration console, create a new EDM profile template for remote EDM indexing.
  Download the *.edm profile template and copy it to the remote data source host system.
  Downloading and copying the EDM profile file to a remote system
Step 3: Install the latest version of the Remote EDM Indexer on the remote data source host.
  Install the latest version of the Symantec Data Loss Prevention Remote EDM Indexer on the remote data source host
  so that you can index the data source.
  Remote EDM indexing
Step 4: Calculate the memory that is required to index the data source and adjust the indexer memory setting.
  Calculate the memory that is required for indexing before you attempt to index the data source. The Remote EDM
  Indexer is allocated sufficient memory to index most data sources. If you have a very large index you may have to
  allocate more memory.
  Memory requirements for EDM
Step 5: Index the data source using the latest Remote EDM Indexer.
  The result of this process is multiple latest-version compatible *.rdx files that you can load into the latest version
  of the Enforce Server.
  If you have a data source file prepared, run the Remote EDM Indexer and index it.
  Remote indexing examples using data source file (EDM)
  If the data source is an Oracle database and the data is clean, use the SQL Preindexer to pipe the data to the Remote
  EDM Indexer.
  Remote indexing examples using SQL Preindexer (EDM)
Step 6: Calculate the memory that is required to load and process the index and adjust the detection server memory
setting for each EDM detection server host.
  You need to calculate how much RAM the detection server requires to load and process the index at run-time. These
  calculations are required for each EDM index you want to deploy.
  Memory requirements for EDM
Step 7: Update the EDM profile by loading the latest version of the index.
  Copy the *.pdx and *.rdx files from the remote host to the latest Enforce Server host file system. Load the index into
  the EDM profile you created in Step 2.
  Copying and loading remote EDM index files to the Enforce Server
Step 8: Upgrade one or more EDM detection servers to the latest version.
  Once you have created the latest-version compliant EDM profiles and upgraded the Enforce Server, you can then
  upgrade the detection servers. See Upgrading to a new release.
  Make sure that you have calculated and verified the memory requirements for loading and processing multi-token
  indexes on the detection server.
  Memory requirements for EDM
Step 9: Test and verify the updated index.
  To test the upgraded system and updated index, you can create a new policy that references the updated index.
Step 10: Remove out-of-date EDM indexes.
  Once you have verified the new EDM index and policy, you can retire the legacy EDM index and policy.

Update process using the Enforce Server for EDM


Use the following index update procedure if remote indexing is not possible and you have a current data source file that
you can copy to the Enforce Server.

Table 470: Update process using the Enforce Server

Step 1: Upgrade the Enforce Server to the latest version.
  See Upgrading DLP. Do not upgrade the EDM detection servers now.
  The Enforce Server can continue to receive incidents from older detection servers during the upgrade process.
  Policies and other data cannot be pushed out to older detection servers (one-way communication only between the
  current version of Enforce and older detection servers).
Step 2: Create, prepare, and copy the data source file to the 16.0 Enforce Server host.
  Copy the data source file to the opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/datafiles (Linux) or
  ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\datafiles (Windows) directory on the
  upgraded 16.0 Enforce Server host file system.
  Creating the exact data source file for EDM
  Preparing the exact data source file for indexing for EDM
  Uploading exact data source files for EDM to the Enforce Server
Step 3: Calculate the memory that is required to index the data source and update the indexer memory setting.
  Calculate the memory that is required for indexing before you attempt to index the data source.
  Memory requirements for EDM
Step 4: Create a new latest-version-compliant EDM profile and index the data source file.
  Create a new EDM profile using the latest version of the Enforce Server administration console. Choose the option
  Reference Data Source on Manager Host for uploading the data source file (assuming that you copied it to the
  /datafiles directory). Index the data source file on save of the profile.
  Creating and modifying Exact Data Profiles for EDM
Step 5: Calculate the memory that is required to load and process the index at run-time. Adjust the memory settings
for each EDM detection server host.
  You need to calculate how much RAM the detection server requires to load and process the index at run-time. These
  calculations are required for each EDM index you want to deploy, and the memory adjustments are cumulative.
  Memory requirements for EDM
Step 6: Upgrade the EDM detection servers to the latest version.
  See Upgrading DLP.
  Once you have created the latest-version-compliant EDM profile you can then upgrade the detection servers.
  Make sure that you have calculated and verified the memory requirements for loading and processing multi-token
  indexes on the detection server.
  Memory requirements for EDM
Step 7: Test and verify the updated index.
  To test the upgraded system and updated index, you can create a new policy that references the updated index.
Step 8: Remove out-of-date EDM indexes.
  Once you have verified the new EDM index and policy, you can retire the legacy EDM index and policy.

Remote EDM indexing

EDM index out-of-date error codes


The latest version of Symantec Data Loss Prevention provided several enhancements for EDM. You must reindex the
data source for each Exact Data profile using the latest EDM Indexer.
If your EDM index is not compliant with the current version, the system returns error codes. These error codes are listed in
Error messages for non-compliant Exact Data Profiles.

Table 471: Error messages for non-compliant Exact Data Profiles

Error message type: Enforce Server error event
  Error code: 2928
  Error message: One or more profiles are out of date and must be reindexed.
  Updating EDM indexes to the latest version
  Memory requirements for EDM

Error message type: Enforce Server error event detail
  Error code: 2928
  Error message: Check the Manage > Data Profiles > Exact Data page for more details. The following EDM profiles are
  out of date: Profile X, Profile XY, and so on.

Error message type: System Event error
  Error code: 2928
  Error message: One or more profiles are out of date and must be reindexed.

Error message type: Exact Data Profile error
  Error code: N/A
  Error message: This profile is out of date, and must be reindexed.

Memory requirements for EDM


Using EDM for Symantec Data Loss Prevention deployments affects hardware memory requirements for Symantec
Data Loss Prevention deployments. In particular, EDM affects the memory required to index the data size as well as the
memory required to load the index on the detection server.
Once you have established what your specific EDM memory requirements are, you can evaluate how those requirements
affect the general system requirements for your Data Loss Prevention deployment. See the Symantec Data Loss
Prevention System Requirements and Compatibility Guide for details about general requirements and potential EDM
deployment impact.

About memory requirements for EDM
The memory requirements for EDM are related to several factors, including:
• Number of indexes you are building
• Total size of the indexes
• Number of cells in each index
• Number of message chains
These size limitations apply to EDM indexes:
• The maximum number of rows supported is 4,294,967,294.
• The maximum number of supported cells is 6 billion.
Workflow for determining memory requirements for EDM indexes gives an overview of the steps that you can follow to
determine and set memory requirements for EDM.

Table 472: Workflow for determining memory requirements for EDM indexes

Step 1: Determine the memory that is required to index the data source.
  For more information: Overview of configuring memory and indexing the data source for EDM
Step 2: Increase the indexer memory according to your calculations.
  For more information: Determining requirements for both local and remote indexers for EDM
Step 3: Determine the memory that is required to load the index on the detection server.
  For more information: Detection server memory requirements for EDM
Step 4: Increase the detection server memory according to your calculations.
  For more information: Increasing the memory for the detection server (File Reader) for EDM
Step 5: Repeat for each EDM index you want to deploy.

Determining requirements for both local and remote indexers for EDM
This topic provides an overview of memory requirements for both the EDM indexer that is local to the Symantec Data Loss
Prevention Enforce Server and for the Remote EDM Indexer.
With the default settings, both EDM indexers can index any data source with 500 million cells or less. For any data source
with more than 500 million cells, an additional 3 bytes per cell is needed to index the data source.
You can schedule indexing for multiple indexes serially (at different times) or in parallel (at the same time). When indexing
serially, you need to allocate memory to accommodate the indexing of the biggest index. When indexing in parallel, you
need to allocate memory to accommodate the indexing of all indexes that you are creating at that time.
Serial indexing
If you create the indexes serially (no two are created in parallel), the memory requirement for the biggest index is:
(2 billion cells – 0.5 billion default) x 3 bytes = 4.5 GB, rounded to 5 GB additional memory.
This memory requirement includes the 2 GB (2048 MB) default memory for the Enforce Server and the 5 GB additional
system memory.

Examples for indexer memory requirements-serial indexing for EDM provides examples for how the data source size
affects indexer memory requirements for serial indexes.

Table 473: Examples for indexer memory requirements-serial indexing for EDM

Data source size: 100 million cells
  Indexer memory requirement: 2048 MB (default)
  Description: No additional RAM is needed for the indexer.

Data source size: 500 million cells
  Indexer memory requirement: 2048 MB (default)
  Description: No additional RAM is needed for the indexer.

Data source size: 1 billion cells
  Indexer memory requirement: 4 GB
  Description: If you have a single data source with 1 billion cells (for example, 10 columns by 100 million rows),
  you need extra system memory for 0.5 billion cells (1 billion cells – 0.5 billion default): 0.5 billion x 3 bytes,
  or 1.5 GB of RAM (rounded to 2 GB) to index the data source. This amount is added to the default indexer RAM
  allotment.

Data source size: 2 billion cells
  Indexer memory requirement: 7 GB
  Description: If you have a single data source with 2 billion cells (for example, 10 columns by 200 million rows),
  you need extra system memory for 1.5 billion cells (2 billion cells – 0.5 billion default): 1.5 billion x 3 bytes,
  or 4.5 GB of RAM (rounded to 5 GB) to index the data source.

Parallel indexing with EDM


If you index these four files in Examples for indexer memory requirements-serial indexing for EDM simultaneously (in
parallel), you are indexing more than 500 million cells. So, the additional memory (3.6 billion cells – 0.5 billion cells
provided by default) required is as follows:
3.1 billion cells x 3 bytes = 9.3 GB rounded to 10 GB additional memory.
As explained in detail later, you set wrapper.java.maxmemory to 12 GB. This memory requirement includes 2048 MB
default memory for the Enforce Server and an additional 9 GB system memory from the additional memory calculation
above.
NOTE
For CJK language indexes, or indexes that are predominantly multi-token, these formulas should use a multiplier
of 4 bytes instead of 3 bytes. In both of these cases, a 350-million cell data source is supported by default.
Increasing the memory for the Enforce Server EDM indexer

Overview of configuring memory and indexing the data source for EDM
Memory requirements for indexing the data source for EDM provides the steps for determining how much memory is
needed to index the data source.

Table 474: Memory requirements for indexing the data source for EDM

Step 1: Estimate the memory requirements for the indexer.
  Determining requirements for both local and remote indexers for EDM
Step 2: Increase the indexer memory.
  The next step is to increase the memory allocated to the indexer. The procedure for increasing the indexer memory
  differs depending on whether you are using the EDM indexer local to the Enforce Server or the Remote EDM Indexer.
  Increasing the memory for the Enforce Server EDM indexer
  Increasing the Memory for the Remote EDM Indexer
Step 3: Restart the Symantec DLP Manager service.
  You must restart this service after you have changed the memory allocation.
Step 4: Index the data source.
  The last step is to index the data source. You need to do this before you calculate remaining memory requirements.
  Configuring Exact Data profiles for EDM

Increasing the memory for the Enforce Server EDM indexer


Complete the following steps to increase the memory for the Enforce Server indexer.
These steps assume that you have performed the indexer calculations.
To increase the memory for the Enforce Server indexer
1. Open the \Symantec\Data Loss Prevention\protect\config\Symantec\Data Loss Prevention\Manager.conf file.
2. Locate the following Initial Java Heap Size (in MB) parameter:
   wrapper.java.maxmemory = 2048
   (The default value is 2048 MB (2 GB); your value may be different if you have already changed it.)
3. Add the value of your calculation to the maxmemory setting.
   For example, if by your calculation you determine that you need an additional 2.6 GB of RAM, you increase the value
   by an additional 2662 MB.
   NOTE
   This result is added to the existing memory setting; it is not used to replace the existing memory setting.
   wrapper.java.maxmemory = 4710
   (The default value 2048 plus the additional calculation of 2662.)
4. Save the SymantecDLPManager.conf file.
5. Restart the SymantecDLPManagerService service.

Increasing the Memory for the Remote EDM Indexer


The Remote EDM Indexer runs with the default JVM settings. This means that the Remote EDM Indexer is allocated
approximately 25% of the total RAM that the computer has installed. For most data sources, the default memory settings
are sufficient for remote indexing.
You set the JVM heap size for the Remote EDM Indexer process by creating a *.vmoptions file and deploying it to the
Remote EDM Indexer host.
The *.vmoptions file accepts one JVM option per line. For example, you can specify the following option in a file you
save as RemoteEDMIndexer.vmoptions:
-Xmx11G

Overview of configuring memory and indexing the data source for EDM
To deploy the *.vmoptions file, copy it to the following location:
For Linux: /opt/Symantec/DataLossPrevention/Indexer/16.0.10000/Protect/bin/RemoteEDMIndexer.vmoptions
For Windows: \Program Files\Symantec\Data Loss Prevention\Indexer\16.0.10000\Protect\bin\RemoteEDMIndexer.exe.vmoptions
Generating remote index files for EDM

Detection server memory requirements for EDM
The detection server should not use more than 60% of the memory of the computer. For example, if your detection server
needs 6 GB memory to run, make sure you have 10 GB on that server.
Default configuration for a detection server
The default configuration for a detection server has 4 GB and 8 message chains. See the following formulas and EDM
detection server Java heap memory settings and additional system memory examples to determine how to calculate
your actual memory requirements. In addition, you can use the provided spreadsheet to determine your actual memory
requirements. Click the following link to download a ZIP file that contains the spreadsheet.
EDM_Memory_Requirements_Spreadsheet.zip
To load the index, the detection server needs 13 bytes per cell for system memory plus 1 GB Java heap memory for each
message chain in the detection server. The following examples show scenarios for a customer who has three indexes that
are all under the same schedule.
For Java heap memory requirements, the formula is:
Java heap memory requirement = the number of message chains * 1 GB.
For system memory requirements, the general formula is:
System memory requirement = number of cells * 13 bytes.
Detection Server memory settings for EDM
The Advanced Server Settings property for the number of message chains is:
MessageChain.NumChains.
The Java heap memory settings for a detection server are set in the Enforce Server administration console on the Server
Detail - Advanced Server Settings page, using the BoxMonitor.FileReaderMemory property. The format is -Xrs
-Xms1200M -Xmx4G. You do not need to change the system memory setting, but make sure that the detection server has
enough free memory available.
NOTE
When you update this setting, only change the -Xmx value in this property. For example, only change "4G" to a
new value, and leave all other values the same.
The examples in EDM detection server Java heap memory settings and additional system memory examples show the
settings for five different situations.

Table 475: EDM detection server Java heap memory settings and additional system memory examples

Example 1: Single small index with 2 million cells to load
  Calculation:
    Java heap memory requirement: 1 * 1 GB = 2 GB
    System memory is: 2 million * 13 bytes = 25 MB
  BoxMonitor.FileReaderMemory setting: -Xmx6G
  Additional system memory required: 25 MB

Example 2: 3 indexes when running 24 chains:
  • Index 1: 100 million cells
  • Index 2: 1 billion cells
  • Index 3: 2 billion cells
  Calculation:
    Java heap memory requirement is: 24 * 1 GB = 24 GB
    System memory requirement is:
      For 100 million cells index: 100 million * 13 bytes = 1.2 GB
      For 1 billion cells index: 1 billion * 13 bytes = 12 GB
      For 2 billion cells index: 2 billion * 13 bytes = 24 GB
    Total system memory requirement is: 1.2 GB + 12 GB + 24 GB = 37.2 GB
  BoxMonitor.FileReaderMemory setting: -Xmx28G
  Additional system memory required: 37.2 GB

Example 3: One single index with 5 billion cells and 24 message chains
  Calculation:
    Java heap memory requirement is: 24 * 1 GB = 24 GB
    System memory requirement is: 5 billion * 13 bytes = 60.5 GB
  BoxMonitor.FileReaderMemory setting: -Xmx28G
  Additional system memory required: 60.5 GB

Example 4: One single index with 1.6 billion cells and 24 message chains
  Calculation:
    Java heap memory requirement is: 24 * 1 GB = 24 GB
    System memory requirement is: 1.6 billion * 13 bytes = 19.3 GB
  BoxMonitor.FileReaderMemory setting: -Xmx28G
  Additional system memory required: 19.3 GB

Example 5: One single index with 500 million cells and 8 message chains
  Calculation:
    Java heap memory requirement is: 8 * 1 GB = 8 GB
    System memory requirement is: 500 million * 13 bytes = 6.1 GB
  BoxMonitor.FileReaderMemory setting: -Xmx12G
  Additional system memory required: 6.1 GB

Increasing the memory for the detection server (File Reader) for EDM
This topic provides instructions for increasing the File Reader memory allocation for a detection server. These instructions
assume that you have performed the necessary calculations.
To increase the memory for detection server processing

1. In the Enforce Server administration console, navigate to the Server Detail - Advanced Server Settings screen for
the detection server where the EDM index is deployed or to be deployed.
2. Locate the following setting: BoxMonitor.FileReaderMemory.
3. Change the -Xmx4G value in the following string to match the calculations you have made.
-Xrs -Xms1200M -Xmx4G -XX:PermSize=128M -XX:MaxPermSize=256M
For example: -Xrs -Xms1200M -Xmx11G -XX:PermSize=128M -XX:MaxPermSize=256M
4. Save the configuration and restart the detection server.
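The calculation behind the table and the procedure above, as an added example (this is not Symantec's code and not part of the product): it applies the two formulas the guide gives (1 GB of Java heap per message chain, 13 bytes of system memory per cell), sums the system memory over every index that shares the detection server, and rewrites only the -Xmx token of the BoxMonitor.FileReaderMemory value, as the note requires. The 4 GB of -Xmx headroom above the bare chain requirement is an assumption read off the table's own examples (2 GB -> -Xmx6G, 24 GB -> -Xmx28G, 8 GB -> -Xmx12G); the guide does not state it as a rule.

```python
# Added example (not Symantec's code): EDM detection server memory planning from
# the guide's two formulas: 1 GB of Java heap per message chain and 13 bytes of
# system memory per index cell. The 4 GB of -Xmx headroom above the chain
# requirement is an assumption read off the table's examples, not a stated rule.
import re

BYTES_PER_CELL = 13           # system memory per cell (guide)
HEAP_GIB_PER_CHAIN = 1        # Java heap per message chain (guide)
XMX_HEADROOM_GIB = 4          # assumption, see comment above
GIB = 1024 ** 3

# The default value shown in the procedure above.
DEFAULT_FILE_READER_MEMORY = "-Xrs -Xms1200M -Xmx4G -XX:PermSize=128M -XX:MaxPermSize=256M"


def java_heap_gib(num_chains):
    """Java heap memory requirement = number of message chains * 1 GB."""
    if num_chains < 1:
        raise ValueError("a detection server runs at least one message chain")
    return num_chains * HEAP_GIB_PER_CHAIN


def system_memory_bytes(cells_per_index):
    """System memory requirement = number of cells * 13 bytes, summed over all
    indexes loaded on the same detection server."""
    return sum(int(cells) * BYTES_PER_CELL for cells in cells_per_index)


def system_memory_gib(cells_per_index):
    """Same requirement in GiB, rounded to one decimal place."""
    return round(system_memory_bytes(cells_per_index) / GIB, 1)


def update_xmx(file_reader_memory, xmx_gib):
    """Rewrite only the -Xmx token of BoxMonitor.FileReaderMemory, leaving
    -Xrs, -Xms and the PermSize options exactly as they were (the guide's note)."""
    pattern = r"(?<!\S)-Xmx\S+"
    if not re.search(pattern, file_reader_memory):
        raise ValueError("no -Xmx option in the FileReaderMemory value")
    return re.sub(pattern, f"-Xmx{xmx_gib}G", file_reader_memory, count=1)


def plan(num_chains, cells_per_index, current_setting=DEFAULT_FILE_READER_MEMORY):
    """Everything an operator needs before editing Advanced Server Settings."""
    heap = java_heap_gib(num_chains)
    return {
        "java_heap_gib": heap,
        "system_memory_gib": system_memory_gib(cells_per_index),
        "file_reader_memory": update_xmx(current_setting, heap + XMX_HEADROOM_GIB),
    }


if __name__ == "__main__":
    # Example 2 from the table: 24 chains, three indexes of 100M, 1B and 2B cells
    print(plan(24, [100_000_000, 1_000_000_000, 2_000_000_000]))
```

The total for Example 2 comes out at 37.5 GB rather than the table's 37.2 GB because the table rounds each index to whole gigabytes before adding them; either way, the additional system memory must be free on the detection server host over and above the Java heap.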

Using the EDM Memory Requirements Spreadsheet


The EDM Memory Requirements Spreadsheet is a tool that you can use to determine the additional system memory
needed on the detection server to run your indexes. Click the following link to download a ZIP file that contains the
spreadsheet:
EDM Memory Requirements Spreadsheet.zip
Here's an example of the spreadsheet with four message chains and three indexes:

To compute the additional system memory required to run your indexes:


1. Obtain the number of cells in each index (you can specify up to 10 indexes).
2. Enter that number into # of cells in Index.
When you change any value, the spreadsheet updates the Required RAM field.
The value in the Required RAM field is the additional system memory that is required to run the indexes specified.

Remote EDM indexing


An EDM index maps the data you want to protect to the Exact Data profile. The typical EDM workflow for creating the
EDM index is to upload the data source file to the Enforce Server, create the Exact Data profile, and index the data
source. Instead of uploading the data source file to the Enforce Server for indexing, you can index the data source locally
and securely using the Remote EDM Indexer.
About the Exact Data Profile and index
For example, if copying the confidential data source file to the Enforce Server presents a potential security or logistical
issue, you can use the Remote EDM Indexer to create the cryptographic index directly on the data source host before
moving the index to the Enforce Server. If you are upgrading to the latest Symantec Data Loss Prevention version you
may want to use the Remote EDM Indexer to update your existing EDM indexes.
About the Remote EDM Indexer
About the SQL Preindexer for EDM
The Remote EDM Indexer is a standalone tool that lets you index the data source file directly on the data source host.
System requirements for remote EDM indexing

About the Remote EDM Indexer
The Remote EDM Indexer utility converts a data source file to an EDM index. The utility is similar to the local EDM Indexer
used by the Enforce Server. However, the Remote EDM Indexer is designed for use on a computer that is not part of the
Symantec Data Loss Prevention server configuration.
Using the Remote EDM Indexer to index a data source on a remote machine has the following advantages over
using the EDM Indexer on the Enforce Server:
• It enables the owner of the data, rather than the Symantec Data Loss Prevention administrator, to index the data.
• It shifts the system load that is required for indexing onto another computer. The CPU and RAM on the Enforce Server
is reserved for other tasks.
About the SQL Preindexer for EDM
Workflow for remote EDM indexing

About the SQL Preindexer for EDM


You use the SQL Preindexer utility with the Remote EDM Indexer to run SQL queries against Oracle databases and pipe
the resulting data to the Remote EDM Indexer for indexing.
System requirements for remote EDM indexing
The SQL Preindexer utility is installed in the C:\Program Files\Symantec\DataLossPrevention\ServerPlatformCommon\Indexer\16.0.10000\Protect\bin directory during installation of the Remote EDM Indexer. The SQL Preindexer utility generates an index directly from an Oracle SQL database. The SQL Preindexer processes the database query and passes it to the standard input of the Remote EDM Indexer utility.
To use the SQL Preindexer the data source must be relatively clean since the query result data is piped directly to the
Remote EDM Indexer.
About the Remote EDM Indexer

System requirements for remote EDM indexing


The Remote EDM Indexer runs on the Windows and Linux operating system versions that are supported for Symantec
Data Loss Prevention servers. See Operating system requirements for servers for more information about operating
system support.
The SQL Preindexer supports Oracle databases and requires a relatively clean data source.
About the SQL Preindexer for EDM
The RAM requirements for using the Remote EDM Indexer vary according to the size of the data source being indexed
and the number of multi-token columns in the data source.
Memory requirements for EDM

Workflow for Remote EDM Indexing


This section summarizes the steps to index a data file on a remote machine and then use the index in Symantec Data
Loss Prevention.
About the Exact Data Profile and index

Table 476: Steps to use the Remote EDM Indexer

Step 1: Install the Remote EDM Indexer on a computer that is not part of the Symantec Data Loss Prevention system.
  Installing the Remote EDM Indexer

Step 2: Create an Exact Data Profile on the Enforce Server to use with the Remote EDM Indexer.
  On the Enforce Server, generate an EDM Profile template using the *.edm file name extension and specifying the exact
  number of columns to be indexed.
  Creating an EDM profile template for remote indexing

Step 3: Copy the Exact Data Profile file to the computer where the Remote EDM Indexer resides.
  Download the profile template from the Enforce Server and copy it to the remote data source host computer.
  Downloading and copying the EDM profile file to a remote system

Step 4: Run the Remote EDM Indexer and create the index files.
  If you have a cleansed data source file, use the RemoteEDMIndexer with the -data, -profile and -result options.
  If the data source is an Oracle database, use the SqlPreindexer and the RemoteEDMIndexer to index the data source
  directly with the -alias (oracle DB host), -username and -password credentials, and the -query string or -query_path.
  Generating remote index files for EDM

Step 5: Copy the index files from the remote machine to the Enforce Server.
  Copy the resulting *.pdx and *.rdx files from the remote machine to the Enforce Server host at
  C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\index.
  Copying and loading remote EDM index files to the Enforce Server

Step 6: Load the index files into the Enforce Server.
  Update the EDM profile by loading the externally generated index. Submit the profile for indexing.
  Copying and loading remote EDM index files to the Enforce Server

Step 7: Troubleshoot any problems that occur during the indexing process.
  Verify that indexing is started and completes.
  Check the system events for Code 2926 ("Created Exact Data Profile" and "Data source saved").
  The ExternalDataSource.<name>.rdx and *.pdx files are removed from the index directory and replaced by the file
  DataSource.<profile id>.<version>.rdxver.
  Troubleshooting remote indexing errors for EDM

Step 8: Create policy with EDM condition.
  You should see the column data for defining the EDM condition.
  Configuring the Content Matches Exact Data policy condition for EDM

About installing and running the Remote EDM Indexer and SQL Preindexer
utilities
The Remote EDM Indexer is installed from the same installation program as the other Symantec Data Loss Prevention
components. The SQL Preindexer is installed automatically when you install the Remote EDM Indexer. Both utilities are
run from the command line and are stored at opt/Symantec/DataLossPrevention/Indexer/15.7/Protect/bin.
Generating remote index files for EDM
To install the Remote EDM Indexer, copy the ProtectInstaller.exe (Windows) or the ProtectInstaller.sh
(Linux) file to the remote computer where the data to be indexed resides. When running the installer, choose to install the
"Indexer" only and no other components. The Linux installer for the Remote EDM Indexer is a program that you run from
the command console.
Installing the Remote EDM Indexer

Both the Remote EDM Indexer and the SQL Preindexer run from the command line. If you are on a Linux system, change
users to the “protect” user before running the SQL Preindexer. (The installation program creates the “protect” user.)
Generating remote index files for EDM
NOTE
For two- and three-tier Data Loss Prevention installations, you should not install the Remote EDM Indexer on the
same system that hosts a detection server.

Creating an EDM profile template for remote indexing


The EDM Indexer uses an Exact Data Profile when it runs to ensure that the data is correctly formatted. You must create
the Exact Data Profile before you use the Remote EDM Indexer. The profile is a template that describes the columns
that are used to organize the data. The profile does not need to contain any data. After creating the profile, copy it to the
computer that runs the Remote EDM Indexer.
About the Exact Data Profile and index
To create an EDM profile for remote indexing
1. From the Enforce Server administration console, navigate to the Manage > Data Profiles > Exact Data screen.
2. Click Add Exact Data Profile.
3. In the Name field, enter a name for the profile.
4. In the Data Source field, select Use This File Name, and enter the name of the index file to create with the *.edm
extension.
You must select this option because at this point you are creating only the profile template; later you index the
profile with the data source using the Remote EDM Indexer. Enter the file name of the data source you plan to create for
remote EDM indexing. Be sure to name the data source file exactly the same as the name you enter here.
Uploading exact data source files for EDM to the Enforce Server
Once you have copied the generated remote index back to the Enforce Server, you use the Load Externally
Generated Index option to load the remote index into the profile template.
Copying and loading remote EDM index files to the Enforce Server
5. In the Number of Columns text box, specify the number of columns in the data source to be indexed.
For remote EDM indexing purposes you must specify the exact Number of Columns the index is to have. Be sure to
include the exact number of columns you specify here in the data source file.
Uploading exact data source files for EDM to the Enforce Server
6. If the first row of the data source contains the column names, select the option Read first row as column names.
7. In the Error Threshold text box, enter the maximum percentage of rows that can contain errors.
If, during indexing of the data source, the number of rows with errors exceeds the percentage that you specify here,
the indexing operation fails.
8. In the Column Separator Char field, select the type of character that is used in your data source to separate the
columns of data.
9. In the File Encoding field, select the character encoding that is used in your data source.
If Latin characters are used, select the ISO-8859-1 option. For East Asian languages, use either the UTF-8 or UTF-16
options.

10. Click Next to map the column headings from the data source to the profile.
11. In the Field Mappings section, map the Data Source Field to the System Field for each column by selecting the
column name from the System Field drop-down list.
The Data Source Field lists the number of columns you specified at the previous screen. The System Field contains
a list of standard column headings. If any of the column headings in your data source match the choices available in
the System Field list, map each accordingly. Be sure that you match the selection in the System Field column to its
corresponding numbered column in the Data Source Field.
For example, for a data source that you have specified in the profile as having three columns, the mapping
configuration may be:
Data Source Field -> System Field
Col 1 -> First Name
Col 2 -> Last Name
Col 3 -> Social Security Number
12. If a Data Source Field does not map to a heading value in the options available from the System Field column, click
the Advanced View link.
In the Advanced View the system displays a Custom Name column beside the System Field column.
Enter the correct column name in the text box that corresponds to the appropriate column in the data source.
Optionally, you can specify the data type for the Custom Name you entered by selecting the data type from the Type
drop-down list. These data types are system-defined. Click the description link beside the Type name for details on
each system-defined data type.
13. If you intend to use the Exact Data Profile to implement a policy template that contains one or more EDM rules, you
can validate your profile mappings for the template. To do this, select the template from the Check mappings against
policy template drop-down list and click Check now. The system indicates any unmapped fields that the template
requires.
14. Do not select any Indexing option available at this screen, since you intend to index remotely.
15. Click Finish to complete the profile creation process.
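Steps 4 through 9 fix the contract the data source file must meet (exact column count, the column separator, an optional header row, and the error threshold above which the indexing job fails). The following added example, which is not Symantec's code and not part of the product, checks a cleansed tabular file against those profile settings before it is handed to the Remote EDM Indexer, so that a file that would trip the Error Threshold is caught on the data source host rather than after the index has been copied to the Enforce Server. The sample file and its names and SSN-like values are constructed; the column-count rule is the one the text describes, and how the indexer itself treats blank lines is an assumption (they are ignored here).

```python
# Added example (not Symantec's code): pre-check a cleansed data source file
# against the Exact Data Profile settings (number of columns, column separator,
# header row, error threshold) before running the Remote EDM Indexer on it.


def validate_data_source(text, num_columns, separator="\t",
                         error_threshold_pct=5.0, first_row_is_header=False):
    """Report rows whose column count does not match the profile.

    The indexing job fails when the percentage of error rows exceeds the
    profile's Error Threshold, so the report also says whether this file
    would pass that check. Blank lines are ignored (assumption).
    """
    lines = text.splitlines()
    if first_row_is_header:
        if not lines:
            raise ValueError("header row expected but the file is empty")
        header = lines.pop(0).split(separator)
        if len(header) != num_columns:
            raise ValueError(
                f"header has {len(header)} columns, profile expects {num_columns}")
    bad_rows = []
    total = 0
    first_line_no = 2 if first_row_is_header else 1
    for line_no, line in enumerate(lines, start=first_line_no):
        if not line.strip():
            continue
        total += 1
        found = len(line.split(separator))
        if found != num_columns:
            bad_rows.append((line_no, f"expected {num_columns} columns, found {found}"))
    error_pct = (100.0 * len(bad_rows) / total) if total else 0.0
    return {
        "total_rows": total,
        "bad_rows": bad_rows,
        "error_pct": round(error_pct, 2),
        "passes_threshold": error_pct <= error_threshold_pct,
    }


# Constructed sample: a three-column, tab-separated file matching the mapping
# in the text (First Name, Last Name, Social Security Number). Two rows are
# deliberately malformed.
SAMPLE_DATA = "\n".join([
    "First Name\tLast Name\tSocial Security Number",
    "Jane\tDoe\t000-00-0001",
    "John\tRoe\t000-00-0002",
    "Mary\tMajor\t000-00-0003\tEXTRA",        # too many columns
    "Richard\tMiles\t000-00-0004",
    "Pat\tBloggs\t000-00-0005",
    "Sam\tPublic",                            # too few columns
    "Alex\tCitizen\t000-00-0007",
    "Chris\tExample\t000-00-0008",
    "Lee\tSample\t000-00-0009",
    "Kim\tTest\t000-00-0010",
])


def demo():
    """Check the sample against a three-column, tab-separated profile with a
    header row and a 5% error threshold."""
    return validate_data_source(SAMPLE_DATA, num_columns=3, separator="\t",
                                error_threshold_pct=5.0, first_row_is_header=True)


if __name__ == "__main__":
    report = demo()
    for line_no, reason in report["bad_rows"]:
        print(f"line {line_no}: {reason}")
    print(f"{report['error_pct']}% error rows, passes threshold: "
          f"{report['passes_threshold']}")
```

With two bad rows out of ten the sample has a 20% error rate, so it fails a 5% threshold and would pass only if the profile's threshold were raised to 20% or more; the better fix is to correct the two rows on the data source host and rerun the check.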

Downloading and copying the EDM profile file to a remote system


Download and copy the EDM profile to the remote system
1. Configure an Exact Data Profile.
Creating an EDM profile template for remote indexing
2. Download the EDM profile by selecting the download profile link at the Manage > Data Profiles > Exact Data
screen.
The system prompts you to save the EDM profile as a file. The file extension is *.edm.
3. Save the file.
If the data source host computer where you intend to run the Remote EDM Indexer is available on the same subnet
as the Enforce Server you can browse to that computer and select it as the destination. Otherwise, manually copy the
profile to the remote system.
4. Use the profile to index the data source using the Remote EDM Indexer.
Generating remote index files for EDM

Generating remote index files for EDM
You use the command-line Remote EDM Indexer utility to generate an EDM index for importing to the Enforce Server.
You can use the Remote EDM Indexer to index data source file that you have generated and cleansed. Or you can pipe
the output from the SQL Preindexer to the standard input of the Remote EDM Indexer. The SQL Preindexer requires an
Oracle DB data source and clean data.
When the indexing process completes, the Remote EDM Indexer generates several files in the specified result directory.
These files are named after the data file that was indexed, with one file having the .pdx extension and another file with
the .rdx extension. The system generates 12 .rdx files named ExternalDataSource.<DataSourceName>.rdx.0
- ExternalDataSource.<DataSourceName>.rdx.11.

Table 477: Options for generating remote EDM indexes

Use case: Remote EDM Indexer with data source file.
  Description: Specify data source file, EDM profile, output directory.
  Remarks: Use when you have a cleansed data source file; use for upgrading to the latest version.
  Remote indexing examples using data source file (EDM)

Use case: Remote EDM Indexer with SQL Preindexer.
  Description: Query DB and pipe output to stdin of Remote EDM Indexer.
  Remarks: Requires Oracle DB and clean data.
  Remote indexing examples using SQL Preindexer (EDM)

Remote indexing examples using data source file (EDM)


To use the Remote EDM Indexer to index a flat data source file you have generated and cleansed, you specify the local
data source file name and path (-data), the local EDM profile file name and path (-profile), and the output directory for
the generated index files (-result).
The syntax for using the Remote EDM Indexer to generate an index from a cleansed data source tabular text file is as
follows:
RemoteEDMIndexer -data=<local data source filename and path>
-profile=<local *.edm profile file name and path>
-result=<local output directory for *.rdx and *pdx index files>

For example:
RemoteEDMIndexer -data=C:\EDMIndexDirectory\CustomerData.dat
-profile=C:\EDMIndexDirectory\RemoteEDMProfile.edm
-result=C:\EDMIndexDirectory\

This command generates an EDM index using the local data source tabular text file CustomerData.dat and the
local RemoteEDMProfile.edm file that you generated and copied from the Enforce Server to the remote host, where
\EDMIndexDirectory is the directory for placing the generated index files.
When the generation of the indexes is successful, the utility displays the message "Successfully created index" as the last
line of output.
In addition, the following index files are created and placed in the -result directory:
• ExternalDataSource.CustomerData.pdx
• ExternalDataSource.CustomerData.rdx

Twelve files, named ExternalDataSource.<DataSourceName>.rdx.0 -
ExternalDataSource.<DataSourceName>.rdx.11 are always generated. Copy these files to the Enforce Server
and update the EDM profile using the remote index.
Remote EDM Indexer command options

Remote indexing examples using SQL Preindexer (EDM)


If your data source is an Oracle DB and has clean data you can index the data source directly using the SQL Preindexer
with the Remote EDM Indexer.
The syntax is as follows:
SqlPreindexer -alias=<oracle connect string: //host:port/SID>
-username=<DB user> -password=<DB password> -query=<sql to run> |
RemoteEDMIndexer -profile=<*.edm profile file name and path>
-result=<output directory for index files>
For example:
SqlPreindexer -alias=@//myhost:1521/orcl -username=scott -password=tiger
-query="SELECT name, salary FROM employee" |
RemoteEDMIndexer -profile=C:\ExportEDMProfile.edm -result=C:\EDMIndexDirectory\
With this command the SQL Preindexer utility connects to the Oracle database and runs the SQL query to retrieve name
and salary data from the employee table. The SQL Preindexer returns the result of the query to stdout (the command
console). The SQL query must be in quotes. The Remote EDM Indexer command runs the utility and reads the query
result from the stdin console. The Remote EDM Indexer indexes the data using the ExportEDMProfile.edm profile as
specified by the profile file name and local file path.
When the generation of the indexes is successful, the utility displays the message "Successfully created index" as the last
line of output.
In addition, the utility places the following generated index files in the EDMIndexDirectory -result directory:
• ExternalDataSource.CustomerData.pdx
• ExternalDataSource.CustomerData.rdx
Here is another example using SQL Preindexer and Remote EDM Indexer commands:
SqlPreindexer -alias=@//localhost:1521/CUST -username=cust_user -password=cust_pword
-query="SELECT account_id, amount_owed, available_credit FROM customer_account" -verbose
|
RemoteEDMIndexer -profile=C:\EDMIndexDirectory\CustomerData.edm
-result=C:\EDMIndexDirectory\ -verbose
Here the SQL Preindexer command queries the CUST.customer_account table in the database for the account_id,
amount_owed, and available_credit columns. The result is piped to the Remote EDM Indexer, which generates the index
files based on the CustomerData.edm profile. The -verbose option is used for troubleshooting.
As an alternative to the -query SQL string you can use the -query_path option and specify the file path and name for the
SQL query (*.sql). If you do not specify a query or query path the entire DB is queried.
SqlPreindexer -alias=@//localhost:1521/cust -username=cust_user -password=cust_pwrd
-query_path=C:\EDMIndexDirectory\QueryCust.sql -verbose |
RemoteEDMIndexer -profile=C:\EDMIndexDirectory\CustomerData.edm
-result=C:\EDMIndexDirectory\ -verbose
SQL Preindexer command options (EDM)

Copying and loading remote EDM index files to the Enforce Server
The following files are created in the -result directory when you remotely index a data source:
• ExternalDataSource.<DataSourceName>.pdx
• ExternalDataSource.<DataSourceName>.rdx.0 - ExternalDataSource.<DataSourceName>.rdx.11
After you create the index files on a remote machine, the files must be copied to the Enforce Server, loaded into the
previously created remote EDM profile, and indexed.
Creating an EDM profile template for remote indexing
To copy and load the files on the Enforce Server
1. Go to the directory where the index files were generated. (This directory is the one specified in the -result option.)
2. Copy all of the index files with .pdx and .rdx extensions to the index directory on the Enforce Server. This directory is located at C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\index (Windows) or /var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/index (Linux).
3. From the Enforce Server administration console, navigate to the Manage > Policies > Exact Data screen.
This screen lists all the Exact Data Profiles in the system.
4. Click the name of the Exact Data Profile you used with the Remote EDM Indexer.
5. To load the new index files, go to the Data Source section of the Exact Data Profile and select Load Externally
Generated Index.
6. In the Indexing section, select Submit Indexing Job on Save.
As an alternative to indexing immediately on save, consider scheduling a job on the remote machine to run the
Remote EDM Indexer on a regular basis. The job should also copy the generated files to the index directory on the
Enforce Server. You can then schedule loading the updated index files on the Enforce Server from the profile by
selecting Load Externally Generated Index and Submit Indexing Job on Schedule and configuring an indexing
schedule.
Use scheduled indexing to automate profile updates (EDM)
7. Click Save.

SQL Preindexer command options (EDM)


On install the SQL Preindexer utility is available at C:\Program Files\Symantec\Data Loss Prevention\Indexer\15.1\Protect\bin (Windows) and /Symantec/DataLossPrevention/Indexer/15.1/Protect/bin (Linux).
The SQL Preindexer provides a command-line interface. The syntax for running the utility is as follows:
SqlPreindexer -alias=<@//oracle_host:port/SID> -username=<DB_user> [options]
Note the following about the arguments:
• The SQL Preindexer requires the -alias and -username arguments.
• If you omit the -password option, the user is prompted to enter it.
• If you use the -query option, the SQL query string must be in quotes.
• If you omit the -query option, the utility indexes the entire database.
• To query using wildcards, use the -query_path option. The SQL Preindexer does not support the use of wildcards
from the command line using the -query option. For example: "select * from CUST_DATA" does not work with -query;
you must query each individual column field: "select cust_ID, cust_Name, cust_SSN from CUST_DATA". The query
"select * from CUST_DATA" works using the -query_path option.

Remote indexing examples using SQL Preindexer (EDM)
SQL Preindexer command options (EDM) lists the command options for the SQL Preindexer.

Table 478: SQL Preindexer command options (EDM)

Option: -alias
  Summary: Oracle DB connect string. Required.
  Description: Specifies the database alias that is used to connect to the database in the following format:
  @//oracle_DB_host:port/SID
  For example:
  -alias=@//myhost:1521/ORCL
  -alias=@//localhost:1521/CUST

Option: -driver
  Summary: Oracle JDBC driver class.
  Description: Specifies the JDBC driver class, for example: oracle.jdbc.driver.OracleDriver.

Option: -encoding
  Summary: Character encoding (iso-8859-1).
  Description: Specifies the character encoding of the data to index. The default is iso-8859-1.
  Data with non-English characters should use UTF-8 or UTF-16.

Option: -password
  Summary: Oracle DB password.
  Description: Specifies the password to the database.
  If this option is not specified, the password is read from stdin.

Option: -query
  Summary: SQL query.
  Description: This option specifies the SQL query to perform. The statement must be enclosed in quotes.
  If you omit the -query option the utility indexes the entire database.

Option: -query_path
  Summary: SQL script.
  Description: Specifies the file name and local path that contains a SQL query to run. Must be full path.
  This option can be used as an alternative to the -query option when the query is a long SQL statement.

Option: -separator
  Summary: Output column separator (tab).
  Description: Specifies whether the output column separator is a comma, pipe, or tab. The default separator is a tab.
  To specify a comma separator or pipe separator, enclose the separator character in quotation marks: "," or "|".

Option: -subprotocol
  Summary: Oracle thin driver.
  Description: Specifies the JDBC connect string subprotocol (for example, oracle:thin).

Option: -username
  Summary: Oracle DB user. Required.
  Description: Specifies the name of the database user.

Option: -verbose
  Summary: Print verbose output for debugging.
  Description: Displays a statistical summation of the operation when it is complete.
  Troubleshooting preindexing errors for EDM

Remote EDM Indexer command options


On install, the Remote EDM Indexer utility is available at \Program Files\Symantec\Data Loss Prevention\Indexer\15.1\Protect\bin (Windows) and opt/Symantec/DataLossPrevention/Indexer/15.1/Protect/bin (Linux).
If you are on Linux, change users to the “SymantecDLP” user before running the Remote EDM Indexer. (The installation
program creates the “SymantecDLP” user.)
The Remote EDM Indexer provides a command line interface. The syntax for running the utility is as follows:
RemoteEDMIndexer -profile=<file *.edm> -result=<out_dir> [options]

Note the following about the syntax:

• The Remote EDM Indexer requires the -profile and -result arguments.
• If you use a flat data source file as input, you must specify the file name and local path using the -data option.
• The -data option is omitted when you use the SQL Preindexer to pipe the data to the Remote EDM Indexer.
Remote indexing examples using data source file (EDM)
Remote EDM Indexer command options describes the command options for the Remote EDM Indexer.

Table 479: Remote EDM Indexer command options

Option: -data
  Summary: Data source to be indexed (stdin). Required if you use a tabular text file.
  Description: Specifies the data source to be indexed. If this option is not specified, the utility reads data from stdin.
  Required if using data source file and not the SQL Preindexer.

Option: -encoding
  Summary: Character encoding of data to be indexed (ISO-8859-1).
  Description: Specifies the character encoding of the data to index. The default is ISO-8859-1.
  Use UTF-8 or UTF-16 if the data contains non-English characters.

Option: -ignore_date
  Summary: Ignore expiration date of the EDM profile.
  Description: Overrides the expiration date of the Exact Data Profile if the profile has expired. (By default, an Exact
  Data Profile expires after 30 days.)

Option: -profile
  Summary: File containing the EDM profile. Required.
  Description: Specifies the Exact Data Profile to be used. This profile is the one that is selected by clicking the
  "download link" on the Exact Data screen in the Enforce Server management console.

Option: -result
  Summary: Directory to place the resulting indexes. Required.
  Description: Specifies the directory where the index files are generated.

Option: -verbose
  Summary: Display verbose output.
  Description: Displays a statistical summation of the indexing operation when the index is complete.
  Troubleshooting preindexing errors for EDM

Troubleshooting preindexing errors for EDM


If you receive an error that the SQL Preindexer was unable to perform query or failed to prepare for indexing, verify that
the -query string is in quotes. You can test your -query string by running only the SQL Preindexer command. If the
command is correct the data queried from the database is displayed to the console as stdout.
You may encounter errors when you index large amounts of data. Often the set of data contains a data record that is
incomplete, inconsistent, or inaccurate. Data rows that contain more columns than expected or incorrect column data
types often cannot be properly indexed and are unrecognized.
The SQL Preindexer can be configured to provide a summary of information about the indexing operation when it
completes. To do so, specify the verbose option when running the SQL Preindexer.
To see the rows of data that the Remote EDM Indexer did not index, adjust the configuration in the
Indexer.properties file using the following procedure.
To record those data rows that were not indexed

1. Locate the Indexer.properties file at \Program Files\Symantec\Data Loss Prevention\Indexer\15.1\Protect\config\Indexer.properties (Windows) or /Symantec/DataLossPrevention/Indexer/15.1/Protect/config/Indexer.properties (Linux).
2. Open the file in a text editor.
3. Locate the create_error_file property and change the “false” setting to “true.”
4. Save and close the Indexer.properties file.
The Remote EDM Indexer logs errors in a file with the same name as the data file being indexed and the .err suffix.
The rows of data that are listed in the error file are not encrypted. Safeguard the error file to minimize any security risk
from data exposure.

About the SQL Preindexer for EDM

Troubleshooting remote indexing errors for EDM


The Remote EDM Indexer displays a message that indicates whether the indexing operation was successful or not. If the
Remote EDM Indexer successfully creates the index, the console displays the message "Successfully created index" as
the last line of output. In addition, *.pdx and *.rdx files are created in the -result directory.
Whether the run succeeds depends on the error threshold that you specify in the EDM profile: if the percentage of rows
with errors is under the threshold, indexing completes successfully. Detailed information about the indexing operation is
available with the -verbose option.
Remote EDM Indexer command options
If the index generation is not successful, try these troubleshooting tips:

Table 480: Remote Indexer troubleshooting tips for EDM

Error: Index files not generated
  Symptom: Use the -verbose option in the command to reveal error message.
  Description: Specifying the verbose option when running the Remote EDM Indexer provides a statistical summary of
  information about the indexing operation after it completes. This information includes the number of errors and
  where the errors occurred.

Error: "Failed to create index", "Cannot compute index", "Unable to generate index"
  Symptom: Verify file and path names.
  Description: Verify that you included the full path and proper file name for the -data file and the -profile file
  (*.edm). The paths must be local to the host.

Error: "Destination is not a directory"
  Symptom: Directory path not correct.
  Description: Verify that you properly entered the full path to the destination directory for the required -result
  argument.

Error: *.idx file instead of *.rdx file
  Symptom: Did not use -data argument.
  Description: The -data option is required if you are using a data source file and not the SQL Preindexer. In other
  words, the only time you do not use the -data argument is when you are using the SQL Preindexer.
  If you run the Remote EDM Indexer without the -data option and no SQL Preindexer query, you get an *.idx and
  *.rdx file that cannot be used for the EDM index. Rerun the index using the -data option or a SQL Preindexer
  -query or -query_path.
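Before the index files are copied to the Enforce Server index directory (the copy-and-load procedure above) it is worth confirming that the -result directory actually contains the full set the guide lists, ExternalDataSource.<DataSourceName>.pdx plus .rdx.0 through .rdx.11, and that the run did not produce the *.idx symptom from the last row of the troubleshooting table. The following is an added example, not Symantec's code and not part of the product: a check over the file names in a result directory, and a staging helper that refuses to copy anything to the index directory unless the check passes. The file names it looks for are the ones the guide gives; the directory paths and the data source name in the test are constructed.

```python
# Added example (not Symantec's code): verify Remote EDM Indexer output before
# copying it to the Enforce Server index directory, and recognise the
# "*.idx instead of *.rdx" symptom from the troubleshooting table.
import os
import shutil

RDX_PARTS = 12   # ExternalDataSource.<name>.rdx.0 .. .rdx.11 are always generated


def expected_index_files(data_source_name):
    """The file set the guide says a successful run leaves in -result."""
    base = f"ExternalDataSource.{data_source_name}"
    return [f"{base}.pdx"] + [f"{base}.rdx.{i}" for i in range(RDX_PARTS)]


def check_index_files(filenames, data_source_name):
    """Pure check over a list of file names; returns what is missing and why."""
    present = set(filenames)
    missing = [f for f in expected_index_files(data_source_name) if f not in present]
    hints = []
    if any(f.endswith(".idx") for f in present):
        # Troubleshooting table: *.idx means the indexer ran with neither -data
        # nor SQL Preindexer input on stdin.
        hints.append("found a *.idx file: RemoteEDMIndexer ran without -data and "
                     "without SqlPreindexer input; rerun with -data or pipe in a "
                     "SqlPreindexer -query / -query_path")
    elif missing:
        hints.append("index files are missing; rerun RemoteEDMIndexer with -verbose "
                     "and verify the -profile and -result paths")
    return {"ok": not missing and not hints, "missing": missing, "hints": hints}


def check_result_dir(result_dir, data_source_name):
    """Run the check against a real -result directory."""
    return check_index_files(os.listdir(result_dir), data_source_name)


def stage_for_enforce(result_dir, data_source_name, enforce_index_dir):
    """Copy the index files into the Enforce Server index directory only when
    the result directory passes the check. Returns the list of files copied."""
    report = check_result_dir(result_dir, data_source_name)
    if not report["ok"]:
        raise RuntimeError("; ".join(report["hints"] + [f"missing: {report['missing']}"]))
    copied = []
    for name in expected_index_files(data_source_name):
        shutil.copy2(os.path.join(result_dir, name), os.path.join(enforce_index_dir, name))
        copied.append(name)
    return copied


if __name__ == "__main__":
    # Constructed paths; on a real host -result is the directory you passed to
    # RemoteEDMIndexer and the target is the Enforce Server index directory.
    print(check_result_dir(r"C:\EDMIndexDirectory", "CustomerData"))
```

Run the check on the remote host from the scheduled job the copy-and-load procedure suggests, so that a failed or partial run never overwrites a good index on the Enforce Server.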

In addition, you may encounter errors when you index large amounts of data. Often the set of data contains a data record
that is incomplete, inconsistent, or incorrectly formatted. Data rows that contain more columns than expected or incorrect
data types often cannot be properly indexed and are unrecognized during indexing. The rows of data with errors cannot
be indexed until those errors are corrected and the Remote EDM Indexer is rerun. Symantec provides a couple of ways to
get information about any errors and the ultimate success of the indexing operation.

947
To see the actual rows of data that the Remote EDM Indexer failed to index, modify the Indexer.properties file.
To modify the Indexer.properties file and view remote indexing errors
1. Locate the Indexer.properties file at \Program Files\Symantec\Data Loss Prevention\Indexer\15.1\Protect\config\Indexer.properties (Windows) or /opt/Symantec/DataLossPrevention/Indexer/15.1/Protect/config/Indexer.properties (Linux).
2. Open the file in a text editor.
3. Locate the create_error_file property and change its value from "false" to "true".
4. Save and close the Indexer.properties file.
The Remote EDM Indexer logs errors in a file with the same name as the indexed data file and an .err extension. This
error file is created in the logs directory.
The rows of data that are listed in the error file are not encrypted. Encrypt the error file to minimize the risk of data
exposure.

Installing the Remote EDM Indexer


You install the Remote EDM Indexer on one or more systems where the confidential files that you want to index are
stored. The process for installing a remote indexer is the same for EMDI, EDM, and IDM.
About installing remote indexers
You can install the Remote EDM Indexer on all supported Windows and Linux platforms. See Supported operating
systems for the EMDI, EDM, and IDM Remote Indexers for platform details.

Permissions for users to run the remote indexers (EDM)


You must be logged on as Administrator (Windows) or root (Linux) to install the remote indexers.
On Linux, there are issues that prevent you from logging on as "SymantecDLP." Instead, log on as "root." Then use the su
command to switch to another user and run the remote indexers. Once you switch users, and run the remote indexer as
this user, you can get the index file.

Best practices for using EDM


EDM is the most accurate form of detection. It is also the most complex to set up and maintain. To ensure that your EDM
policies are as accurate as possible, consider the recommendations in this section when you are implementing your EDM
profiles and policies.
The following table provides a summary of the EDM policy considerations discussed in this chapter, with links to individual
topics for more details.

Table 481: Summary of EDM best practices

| Best practice | Description |
| --- | --- |
| Ensure that the data source file contains at least one column of unique data. | Ensure data source has at least one column of unique data (EDM) |
| Eliminate duplicate rows and blank columns before indexing. | Cleanse the data source file of blank columns and duplicate rows (EDM) |
| To reduce false positives, avoid single characters, quotes, abbreviations, numeric fields with less than 5 digits, and dates. | Remove ambiguous character types from the data source file (EDM) |
| Understand multi-token indexing and clean up as necessary. | Understand how multi-token cell matching functions (EDM) |
| Use the pipe (\|) character to delimit columns in your data source. | Do not use the comma delimiter if the data source has number fields (EDM) |
| Review an example cleansed data source file. | Ensure that the data source is clean for indexing (EDM) |
| Map data source column to system fields to leverage validation during indexing. | Map data source column to system fields to leverage validation (EDM) |
| Leverage EDM policy templates whenever possible. | Leverage EDM policy templates when possible |
| Include the column headers as the first row of the data source file. | Include column headers as the first row of the data source file (EDM) |
| Check the system alerts to tune Exact Data Profiles. | Check the system alerts to tune profile accuracy (EDM) |
| Use stopwords to exclude common words from matching. | Use stopwords to exclude common words from detection (EDM) |
| Automate profile updates with scheduled indexing. | Use scheduled indexing to automate profile updates (EDM) |
| Match on two or three columns in an EDM rule. | Match on 3 columns in an EDM condition to increase detection accuracy |
| Leverage exception tuples to avoid false positives. | Leverage exception tuples to avoid false positives (EDM) |
| Use a WHERE clause to detect records that meet specific criteria. | Use a WHERE clause to detect records that meet specific criteria (EDM) |
| Use the minimum matches field to fine tune EDM rules. | Use the minimum matches field to fine tune EDM rules |
| Consider using Data Identifiers in combination with EDM rules. | Combine Data Identifiers with EDM rules to limit the impact of two-tier detection |
| Include an email address field in the Exact Data Profile for profiled DGM. | Include an email address field in the Exact Data Profile for profiled DGM (EDM) |
| Use profiled DGM for Network Prevent for Web identity detection. | Use profiled DGM for Network Prevent for Web identity detection (EDM) |

Ensure data source has at least one column of unique data (EDM)
EDM is designed to detect combinations of data fields that are globally unique. At a minimum, your EDM index must
include at least one column of data that contains a unique value in each record (row). Column data such as account
number, social security number, and credit card number are inherently unique, whereas state or zip code are not unique,
nor are names. If you do not include at least one column of unique data in your index, your EDM profile will not accurately
detect the data you want to protect.
A unique column field is a column that has mostly unique values. It can have duplicate values, but not more than the
number set in term_commonority_threshold. The default value for this setting is 10.
Examples of unique data for EDM policies describes the various types of unique data to include in your EDM indexes, as
well as fields that are not unique. You can include the non-unique fields in your EDM indexes as long as you have at least
one column field that is unique.

Table 482: Examples of unique data for EDM policies

Unique data for EDM. The following data fields are usually unique:
• Account number
• Bank Card number
• Phone number
• Email address
• Social security number
• Tax ID number
• Drivers license number
• Employee number
• Insurance number

Non-unique data. The following data fields are not unique:
• First name
• Last name
• City
• State
• Zip code
• Password
• PIN number

Cleanse the data source file of blank columns and duplicate rows (EDM)
The data source file should be as clean as possible before you create the EDM index, otherwise the resulting profile may
create false positives.
When you create the data source file, avoid including empty cells or blank columns. Blank columns or fields count as
“errors” when you generate the EDM profile. A data source error is either an empty cell or a cell with the wrong type
of data (a name appearing in a phone number column). The error threshold is the maximum percentage of rows that
contain errors before indexing stops. If the errors exceed the error threshold percentage for the profile (by default, 5%),
the system stops indexing and displays an indexing error message.
The best practice is to remove blank columns and empty cells from the data source file, rather than increasing the error
threshold. Keep in mind that if you have many empty cells, it may require a 100% error threshold for the system to create
the profile. If you specify 100% as the error threshold, the system indexes the data source without checking for errors.
In addition, do not fill empty cells or blank fields with bogus data so that the error threshold is met. Adding fictitious or
"null" data to the data source file will reduce the accuracy of the EDM profile and is strongly discouraged. Content you
want to monitor should be legitimate and not null.
About cleansing the exact data source file for EDM
Preparing the exact data source file for indexing for EDM
Ensure that the data source is clean for indexing (EDM)

Remove ambiguous character types from the data source file (EDM)
You cannot have extraneous spaces, punctuation, and inconsistently populated fields in the data source file. You can use
tools such as Stream Editor (sed) and AWK to remove these items from your data source file or files before indexing them.

Table 483: Characters to avoid in the data source file

| Characters to avoid | Explanation |
| --- | --- |
| Single characters | Single character fields should be eliminated from the data source file. These are more likely to cause false positives, since a single character is going to appear frequently in normal communications. |
| Abbreviations | Abbreviated fields should be eliminated from the data source file for the same reason as single characters. |
| Quotes | Text fields should not be enclosed in quotes. |
| Small numbers | Indexing numeric fields that contain less than 5 digits is not recommended because it will likely yield many false positives. |
| Dates | Date fields are also not recommended. Dates are treated like a string, so if you are indexing a date, such as 12/6/2007, the string will have to match exactly. The indexer will only match 12/6/2007, and not any other date formats, such as Dec 6, 2007, 12-6-2007, or 6 Dec 2007. It must be an exact match. |

Understand how multi-token cell matching functions (EDM)


An EDM rule performs a full-text search against the message, checking each word (except those that are excluded by way
of the columns you choose to match in the policy) for potential matches. The matching algorithm compares each individual
word in the message with the contents of each token in the data profile.
If a cell in the data profile contains multiple words separated by spaces, punctuation, or alternative Latin and Chinese,
Japanese, and Korean (CJK) language characters, the cell is a multi-token cell. The sub-token parts of a multi-token cell
obey the same rules as single-token cells: they are normalized according to their pattern where normalization can apply.
If a cell contains a multi-token, the multi-token must match exactly. For example, a column field with the value "Joe Brown"
is a multi-token cell (assuming multi-token matching is enabled). At run time the processor looks to match the exact string
"Joe Brown", including the space (multiple spaces are normalized to one). The system does not match on "Joe" and
"Brown" if they are detected as single tokens.
In addition, multi-token cells are more computationally expensive than single-token cells. If the index includes multi-token
cells, you must verify that you have enough memory to index, load, and process the EDM profile.
If multi-token matching is enabled, any punctuation that is next to a space is ignored. Therefore, punctuation before and
after a space is ignored.
Lastly, do not change the WIP setting from "true" to "false" unless you are sure that is the result you want to achieve. You
should only set WIP = false when you need to loosen the matching criteria, such as account numbers where formatting
may change across messages. Make sure you test detection results to ensure you are getting the matches you expect.
Memory requirements for EDM

Do not use the comma delimiter if the data source has number fields (EDM)
Of the column delimiters that you can choose from for separating the fields in the data source file (pipe, tab,
semicolon, or comma), the pipe, semicolon, or tab (default) is recommended. The comma delimiter is ambiguous and
should not be used, especially if one or more fields in your data source contain numbers. If you use a comma-delimited
data source file, make sure there are no commas in the data set other than those used as column delimiters.
NOTE
Although the system also treats the pound sign, equals sign, plus sign, semicolon, and colon characters as
separators, you should not use these because like the comma their meaning is ambiguous.

Map data source column to system fields to leverage validation (EDM)


When you create the Exact Data Profile, you can validate how well the fields in your data source match against system-
defined patterns for that field. For example, if you map a field to the credit card system pattern, the system will validate
that the data matches the credit card system pattern. If it does not, the system will create an error for every record that
contains an invalid credit card number. Mapping data source fields in your index to system-defined field patterns helps you
ensure that the fields in your index meet the data type criteria.

If there is no corresponding system field to map to a data source column, consider creating a custom field to map data
source column data. You can use the description field to annotate both system and custom fields.
Mapping Exact Data Profile fields for EDM
Creating and modifying Exact Data Profiles for EDM

Ensure that the data source is clean for indexing (EDM)


The following list summarizes a cleansed data source that is ready for indexing:
• It contains at least one unique column field.
• It is not a single-column data source; it has two or more columns.
• Empty cells and rows and blank columns are removed.
• Incomplete and duplicate records are removed.
• The number of faulty cells is below the default error rate (5%) for indexing.
• Bogus data is not used to fill in blank cells or rows.
• Improper and ambiguous characters are removed.
• Multi-tokens comply with space and memory requirements.
• Column fields are validated against the system-defined patterns that are available.
• Mappings are validated against policy templates where applicable.
Ensure data source has at least one column of unique data (EDM)
Cleanse the data source file of blank columns and duplicate rows (EDM)
Remove ambiguous character types from the data source file (EDM)
Understand how multi-token cell matching functions (EDM)
Map data source column to system fields to leverage validation (EDM)
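The checklist above and the cleansing rules earlier in this chapter, as an added Python example that is not part of the Symantec documentation or product: it parses a pipe-delimited data source, removes blank columns, duplicate and incomplete rows, and surrounding quotes, reports the error percentage against the default 5% threshold, and flags columns that are ambiguous or not unique. The sample rows are constructed, and the code reads term_commonority_threshold as the maximum number of times one value may repeat in a column, which is this example's interpretation.

```python
import csv
import io
import re
from collections import Counter

ERROR_THRESHOLD_PCT = 5.0        # default error threshold of an Exact Data Profile
TERM_COMMONALITY_THRESHOLD = 10  # default term_commonority_threshold (see text)
MIN_NUMERIC_DIGITS = 5           # numeric fields with fewer digits are ambiguous
DATE_RE = re.compile(r"^\d{1,4}[-/]\d{1,2}[-/]\d{1,4}$")


def build_sample():
    """Constructed pipe-delimited data source (not real data) with the defects the
    chapter warns about: a blank column, a duplicate row, an empty cell, quoted text,
    single-character and date columns, and a city repeated too often to be unique."""
    header = "first_name|last_name|mi|ssn|phone|email|dob|notes|city"
    rows = [f"Emp{i}|Brown|J|{100000000 + i}|415555{1000 + i}|emp{i}@example.com"
            f"|12/6/2007||Austin" for i in range(12)]
    rows[3] = '"Ann"|Lee|K|300000003|4155551003|ann.lee@example.com|1/2/1990||Austin'
    rows.append(rows[0])                                                    # duplicate record
    rows.append("Max|Ito|M||4155559999|max.ito@example.com|3/4/1985||Austin")  # empty SSN cell
    return header + "\n" + "\n".join(rows) + "\n"


def parse_data_source(text, delimiter="|"):
    """Split the data source; the first row must hold the column headers."""
    reader = csv.reader(io.StringIO(text), delimiter=delimiter, quoting=csv.QUOTE_NONE)
    rows = [row for row in reader if any(cell.strip() for cell in row)]
    if len(rows[0]) < 2:
        raise ValueError("EDM needs a data source with two or more columns")
    return rows[0], rows[1:]


def strip_cell(cell):
    """Trim whitespace and surrounding quotes: text fields must not be quoted."""
    cell = cell.strip()
    if len(cell) >= 2 and cell[0] == cell[-1] and cell[0] in "\"'":
        cell = cell[1:-1].strip()
    return cell


def cleanse(header, rows):
    """Apply the checklist and report what indexing would count as errors."""
    rows = [[strip_cell(c) for c in r] for r in rows]
    wrong_width = sum(1 for r in rows if len(r) != len(header))    # cannot be indexed
    rows = [r for r in rows if len(r) == len(header)]
    keep = [i for i in range(len(header)) if any(r[i] for r in rows)]  # drop blank columns
    blank_columns = [h for i, h in enumerate(header) if i not in keep]
    header = [header[i] for i in keep]
    rows = [[r[i] for i in keep] for r in rows]
    seen, deduped = set(), []
    for r in rows:                                                 # drop duplicate records
        if tuple(r) not in seen:
            seen.add(tuple(r))
            deduped.append(r)
    incomplete = sum(1 for r in deduped if not all(r))             # an empty cell is an error
    clean = [r for r in deduped if all(r)]
    error_pct = 100.0 * (incomplete + wrong_width) / max(len(deduped) + wrong_width, 1)
    report = {
        "blank_columns_removed": blank_columns,
        "duplicates_removed": len(rows) - len(deduped),
        "incomplete_rows_removed": incomplete,
        "wrong_width_rows_removed": wrong_width,
        "error_pct": round(error_pct, 2),
        # Exceeding the threshold stops indexing; the fix is to remove the faulty
        # rows, not to raise the threshold or pad cells with bogus values.
        "exceeds_threshold": error_pct > ERROR_THRESHOLD_PCT,
    }
    return header, clean, report


def column_report(header, rows):
    """A column is unique when no value repeats more than the commonality threshold
    (this example's reading of the setting); columns made of single characters,
    short numbers or dates are flagged as ambiguous."""
    unique, ambiguous = [], {}
    if not rows:
        return unique, ambiguous
    for i, name in enumerate(header):
        values = [r[i] for r in rows]
        if max(Counter(values).values()) <= TERM_COMMONALITY_THRESHOLD:
            unique.append(name)
        if all(len(v) == 1 for v in values):
            ambiguous[name] = "single characters"
        elif all(v.isdigit() and len(v) < MIN_NUMERIC_DIGITS for v in values):
            ambiguous[name] = "numbers with fewer than %d digits" % MIN_NUMERIC_DIGITS
        elif all(DATE_RE.match(v) for v in values):
            ambiguous[name] = "dates (matched only as exact strings)"
    return unique, ambiguous


def check_data_source(text, delimiter="|"):
    """Cleanse a data source and report whether it is ready to index."""
    header, rows = parse_data_source(text, delimiter)
    header, rows, report = cleanse(header, rows)
    report["unique_columns"], report["ambiguous_columns"] = column_report(header, rows)
    report["ready"] = bool(report["unique_columns"]) and not report["ambiguous_columns"]
    return header, rows, report
```

Running check_data_source(build_sample()) shows the single incomplete row already pushing the error rate past 5%, which is why the chapter recommends removing such rows instead of raising the threshold.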

Leverage EDM policy templates when possible


Symantec Data Loss Prevention provides several policy templates that implement EDM rules. The general
recommendation is to use policy templates whenever possible when implementing EDM. If you do use a policy template
for EDM, you should validate the index against the template when you configure the Exact Data Profile.
EDM policy templates
Creating and modifying Exact Data Profiles for EDM

Include column headers as the first row of the data source file (EDM)
When you extract the source data to the data source file, you should include the column headers as the first row in the
data source file. Including the column headers will make it easier for you to identify the data you want to use in your
policies.
The column names reflect the column mappings that were created when the exact data profile was added. If there is an
unmapped column, it is called Col X, where X is the column number (starting with 1) in the original data profile.
If the Exact Data Profile is to be used for DGM, the file must have a column with a heading of email, or the DGM will not
appear in the Directory EDM drop-down list (at the remediation page).

Check the system alerts to tune profile accuracy (EDM)
You should always review the system alerts after creating the Exact Data Profile. The system alerts provide very specific
information about problems encountered when creating the profile, such as an SSN in an address field, which will affect
accuracy.

Use stopwords to exclude common words from detection (EDM)


During indexing, words found in stopword files are ignored. Stopwords are common words that are excluded from
matching. For example, the stopwords file contains common words such as articles, prepositions, and so forth. You can
adjust the stopwords file by adding words to or removing words from the file. It is recommended that you back up the
original before changing it.
Stopword files are found in the following directories:
• On the Enforce Server: C:\Program Data\Symantec\DataLossPrevention\EnforceServer\15.7\Protect\config\stopwords
• On the Remote Indexer: C:\Program Data\Symantec\DataLossPrevention\Indexers\15.7\Protect\config\stopwords
By default, the system uses the stopwords_en.txt file. This file is the English language version. Other language
stopword files are in this same directory. You can change the default stopword language file by updating the
stopword_languages = en property in the C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.7\Protect\config\Indexer.properties
file on the Enforce Server.

Use scheduled indexing to automate profile updates (EDM)


When you configure an Exact Data Profile, you can set a schedule for indexing the data source file. Index scheduling
lets you decide when you want to index the data source file. For example, instead of indexing the data source at the same
time that you define the profile, you can schedule it for a later date. Alternatively, if you need to reindex the data source on
a regular basis, you can schedule recurring indexing.
Before you set up an index schedule, consider the following:
• If you update your data sources occasionally (for example, less than once a month), generally there is no need to
create a schedule. Index the data each time you update the data source.
• Schedule indexing for times of minimal system use. Indexing affects performance throughout the Symantec Data Loss
Prevention system, and large data sources can take time to index.
• Index a data source as soon as you add or modify the corresponding exact data profile, and re-index the data source
whenever you update it. For example, consider a scenario whereby every Wednesday at 2:00 P.M. you generate an
updated data source file. In this case you could schedule indexing every Wednesday at 3:00 P.M., giving you enough
time to cleanse the data source file and copy it to the Enforce Server.
• Do not index data sources daily as this can degrade performance.
• Monitor results and modify your indexing schedule accordingly. If performance is good and you want more timely
updates, for example, schedule more frequent data updates and indexing.
Consider using scheduled indexing with remote EDM indexing to keep an EDM profile up to date. For example, you can
schedule a cron job on the remote machine to run the Remote EDM Indexer on a regular basis. The job can also copy the
generated index files to the index directory on the Enforce Server. You can then configure the Enforce Server to load the
externally generated index and submit it for indexing on a scheduled basis.
About index scheduling for EDM
Scheduling Exact Data Profile indexing for EDM
Copying and loading remote EDM index files to the Enforce Server

Match on 3 columns in an EDM condition to increase detection accuracy
In a structured data format such as a database, each row represents one record, with each record containing related
values for each column data field. Thus, for an EDM policy rule condition to match, all the data must come from the same
row or record of data. When you define an EDM rule, you must select the fields that must be present to be a match.
Although there is no limit to the number of columns you can select to match in a row (up to the total number of columns
in the index, which is a maximum of 32), it is recommended that you match on at least 2 or 3 columns, one of which must
be unique. Generally, matching on 3 fields is preferred, but if one of the columns contains a unique value such as SSN or
credit card number, 2 columns may be used.
Consider the following example. You want to create an EDM policy condition based on an Exact Data Profile that
contains the following 5 columns of indexed data:
• First Name
• Last Name
• Social security number (SSN)
• Phone Number
• Email Address
If you select all 5 columns to be included in the policy, consider the possible results based on the number of fields you
require for each match.
If you choose "1 of the selected fields" to match, the policy will undoubtedly generate a large number of false positives
because the record will not be unique enough. (Even if the condition only matches the SSN field, there may still be false
positives because there are other types of nine-digit numbers that may trigger a match.)
If you choose "2 of the selected fields" to match, the policy will still produce false positives because there are potential
worthless combinations of data: First Name + Last Name, Phone Number + Email Address, or First Name + Phone
Number.
If you choose to match on 4 or all 5 of the column fields, you will not be able to exclude certain data field combinations
because that option is only available for matches on 2 or 3 fields.
Leverage exception tuples to avoid false positives (EDM)
In this example, to ensure that you generate the most accurate match, the recommendation is that you choose "3 of the
selected fields" to match. In this way you can reduce the number of false positives while using one or more exceptions to
exclude the combinations that do not present a concern, such as First Name + Last Name + Phone Number.
Whatever number of fields you choose to match, ensure that you are including the column with the most unique data, and
that you are matching at least 2 column fields.

Leverage exception tuples to avoid false positives (EDM)


The EDM policy condition lets you define exception tuples to exclude combinations of data. You must select 2 or 3
columns to match to leverage exception tuples.
EDM allows detection based on any combination of columns in a given row of data (that is, N of M fields from a given
record). It can trigger on "tuples," or specified sets of data types. For example, a combination of the first name and SSN
fields could be acceptable, but a combination of the last name and SSN fields would not. EDM also allows more complex
rules such as looking for N of M fields, but excluding specified tuples. For example, this type of rule definition is required
to identify incidents in violation of state data privacy laws, such as California SB 1386, which requires a first name and last
name in combination with any of the following: SSN, bank account number, credit card number, or driver's license number.
While exception tuples can help you reduce false positives, if you are using several exception tuples, it may be a sign your
index is flawed. In this case, consider redoing your index so you do not have to use so many excluded combinations to
achieve the desired matches.

Use a WHERE clause to detect records that meet specific criteria (EDM)
Another configuration parameter of the EDM policy condition is the "Where" clause option. This option matches on the
exact value you specify for the field you select. You can enter multiple values by separating each with commas. Using a
WHERE clause to detect records that meet specific criteria helps you improve the accuracy of your EDM policies.
For example, if you wanted to match only on an Exact Data Profile for "Employees" with a "State" field containing certain
states, you could configure the match where "State" equals "CA,NV". This rule then causes the detection engine to match
a message that contains either CA or NV as content.

Use the minimum matches field to fine tune EDM rules


The minimum matches field is useful for fine-tuning the sensitivity of an EDM rule. For example, one employee's first and
last name in an outgoing email may be acceptable. However, 100 employees' first and last names is a serious breach.
Another example might be a last name and social security number policy. The policy might allow an employee to send
information to a doctor, but the sending of two last names and social security numbers is suspicious.
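The multi-token matching rules, the "N of the selected fields" condition, exception tuples, the WHERE clause and the minimum matches field discussed above, worked through in one added Python example that is not Symantec's detection engine: it normalizes a message as the chapter describes, requires each cell to appear as one exact phrase, and evaluates the chapter's five-column example against a constructed profile. Treating an exception tuple as discarding a match made up of exactly that combination, treating the WHERE clause as a filter on profile records, and folding case are assumptions of this illustration.

```python
import re

# Constructed Exact Data Profile (not real people). The columns follow the chapter's
# five-column example; State is added so that the WHERE clause can be shown.
COLUMNS = ["First Name", "Last Name", "SSN", "Phone Number", "Email Address", "State"]
PROFILE = [
    ["Joe", "Brown", "123456789", "4155550100", "joe.brown@example.com", "CA"],
    ["Ann", "Lee", "987654321", "4155550101", "ann.lee@example.com", "NV"],
    ["Max", "Ito", "555443333", "4155550102", "max.ito@example.com", "TX"],
]
# Punctuation immediately before or after a space (or at either end of the text).
PUNCT_NEXT_TO_SPACE = re.compile(r"(?:^|(?<=\s))[^\w\s]+|[^\w\s]+(?=\s|$)")


def normalize(text):
    """Collapse runs of whitespace to one space and drop punctuation next to a
    space, as the chapter describes for multi-token matching. Case folding is
    this illustration's assumption, not a documented rule."""
    text = re.sub(r"\s+", " ", text.strip())
    return PUNCT_NEXT_TO_SPACE.sub("", text).lower()


def cell_matches(cell, normalized_message):
    """A single- or multi-token cell must appear as one exact phrase: 'Joe Brown'
    matches the phrase 'Joe Brown' only, never 'Joe' and 'Brown' on their own."""
    phrase = re.escape(normalize(cell))
    return re.search(r"(?<!\w)" + phrase + r"(?!\w)", normalized_message) is not None


def evaluate_edm_condition(message, selected, required, exceptions=(), where=None,
                           minimum_matches=1):
    """Evaluate a condition of the form 'required of the selected fields' against
    every profile record; all matched values must come from the same record.

    exceptions: field combinations that must not count as a match on their own
                (offered only for 2- or 3-field matches, as the chapter says).
    where:      (column, allowed values) restricting the records considered; this
                reading of the WHERE clause is an assumption of the example.
    minimum_matches: how many distinct records must match for the rule to fire.
    Returns (indexes of matching records, whether the condition fires)."""
    if exceptions and required not in (2, 3):
        raise ValueError("exception tuples are only available for 2- or 3-field matches")
    if required > len(selected):
        raise ValueError("cannot require more fields than are selected")
    norm_msg = normalize(message)
    excepted = {frozenset(exc) for exc in exceptions}
    matches = []
    for idx, record in enumerate(PROFILE):
        row = dict(zip(COLUMNS, record))
        if where and row[where[0]] not in where[1]:
            continue
        found = frozenset(col for col in selected if cell_matches(row[col], norm_msg))
        # An exception tuple discards a match made up of exactly that combination.
        if len(found) >= required and found not in excepted:
            matches.append(idx)
    return matches, len(matches) >= minimum_matches


if __name__ == "__main__":
    selected = COLUMNS[:5]
    exceptions = [("First Name", "Last Name", "Phone Number")]
    # Name plus phone only: excluded by the exception tuple, so no match.
    print(evaluate_edm_condition("Joe Brown, phone 4155550100.", selected, 3, exceptions))
    # Name plus SSN: three fields from one record, so the condition fires.
    print(evaluate_edm_condition("Joe Brown SSN 123456789", selected, 3, exceptions))
    # WHERE State equals CA,NV: a Texas record is not considered at all.
    print(evaluate_edm_condition("Max Ito 555443333", selected, 3, exceptions,
                                 where=("State", ["CA", "NV"])))
    # Minimum matches of 2: one employee is tolerated, two are not.
    print(evaluate_edm_condition("Joe Brown 123456789 and Ann Lee 987654321",
                                 selected, 3, exceptions, minimum_matches=2))
```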

Combine Data Identifiers with EDM rules to limit the impact of two-tier detection
When implementing EDM policies, you should combine Data Identifiers (DIs) rules with the EDM condition to form
compound rules. All system-provided policy templates that implement EDM rules also implement Data Identifier rules in
the same policy.
Data Identifiers and EDM are both designed to protect personally identifiable information (PII). Include Data Identifiers with
your EDM rules to make your policies more robust and reusable across detection servers. Data Identifiers are executed
on the endpoint and do not require two-tier detection. Thus, if an endpoint is off the network, the Data Identifier rules can
protect PII such as SSNs.
Data Identifier rules are also useful in your EDM policies while you are gathering and preparing your confidential
data for EDM indexing. For example, a policy might contain the US SSN Data Identifier and an EDM rule for as yet
unindexed or unknown SSNs.

Include an email address field in the Exact Data Profile for profiled DGM (EDM)
You must include the appropriate fields in the Exact Data Profile to implement profiled DGM.
Creating the exact data source file for profiled DGM for EDM
If you include the email address field in the Exact Data Profile for profiled DGM and map it to the email data validator,
email address will appear in the Directory EDM drop-down list (at the remediation page).

Use profiled DGM for Network Prevent for Web identity detection (EDM)
If you want to implement DGM for Network Prevent for Web, use one of the profiled DGM conditions to implement identity
matching. For example, you may want to use identity matching to block all web traffic for specific users. For Network
Prevent for Web, you cannot use synchronized DGM conditions for this use case.
Creating the exact data source file for profiled DGM for EDM
Configuring the Sender/User based on a Profiled Directory condition

Introducing Indexed Document Matching (IDM)


You use Indexed Document Matching (IDM) to protect confidential information that is stored as unstructured data in
documents and files. For example, you can use IDM to detect financial report data stored in Microsoft Office documents,
merger and acquisition information stored in PDF files, and source code stored in text files. You can also use IDM to
detect binary files, such as JPEG images, CAD designs, and multimedia files. In addition, you can use IDM to detect
derived content such as text that has been copied from a source document to another file.
Supported forms of matching for IDM
About the Indexed Document Profile

About using IDM


To use IDM you collect the documents and files that you want to protect and index the files and documents using the
Enforce Server. During the indexing process the system uses an algorithm to fingerprint each file or file contents. You then
create a policy that contains one or more IDM conditions that reference the index. The system then checks files against
the index for matches.
For example, consider a document source you have collected that includes several confidential Microsoft Office
documents (Word, Excel, PowerPoint) and image files (JPEG, BMP). You create an Indexed Document Profile and
index the documents and files. You then configure the Content Matches Document Signature policy condition with a
Minimum Document Exposure setting of 50%. The IDM policy and index are deployed to a detection server.
In production the detection server checks inbound files against the index for matches. If an inbound text-based file that
the system can extract the contents from contains 50% or more of content indexed from one of the source documents,
the system records a match. And, if an inbound image file has the same binary signature as one of the files that has been
indexed, the system records a match. The server and agent perform exact file matching automatically on binary (non-
extractable) files even though the policy condition is configured for partial matching.
NOTE
The Mac Agent is substantially the same as the Windows Agent, except that the Mac Agent does not support
two-tier detection, and different channels are supported on the Mac Agent and Windows Agent.
Types of IDM detection
About the Indexed Document Profile
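The exact-file and partial-contents behaviour described above, as an added Python illustration that is not Symantec's fingerprinting algorithm: whole-file SHA-256 digests stand in for the binary signature, hashed five-word passages stand in for the content fingerprints, and a constructed index of one text report and one binary file is checked at the 50% Minimum Document Exposure from the example.

```python
import hashlib
import re

MIN_DOCUMENT_EXPOSURE = 50   # percent, the value used in the chapter's example
SHINGLE_WORDS = 5            # words per passage fingerprint (illustration only)

# Constructed source documents (not real files): a text report and a small
# binary that cannot be text-extracted (the bytes are not valid UTF-8).
REPORT = ("Quarterly revenue reached four million dollars while operating costs fell "
          "nine percent and the board approved the proposed merger with Acme Widgets "
          "pending review")
DOCUMENTS = {
    "report.txt": REPORT.encode("utf-8"),
    "logo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x02",
}


def extract_text(data):
    """Return the text of a text-based file, or None for a binary file."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def passage_fingerprints(text):
    """Hash every run of SHINGLE_WORDS normalized words; derived content that
    copies a passage reproduces the same hashes regardless of surrounding text."""
    words = re.findall(r"\w+", text.lower())
    windows = range(max(len(words) - SHINGLE_WORDS + 1, 1))
    return {hashlib.sha256(" ".join(words[i:i + SHINGLE_WORDS]).encode()).hexdigest()
            for i in windows}


def build_index(documents):
    """Every file gets a whole-file signature; text files also get passage
    fingerprints so that partial file contents can be matched."""
    index = {}
    for name, data in documents.items():
        text = extract_text(data)
        index[name] = {"signature": hashlib.sha256(data).hexdigest(),
                       "passages": passage_fingerprints(text) if text else None}
    return index


def check_file(data, index, min_exposure=MIN_DOCUMENT_EXPOSURE):
    """Return (document, match type, exposure %) for the best match, or None.
    Binary files are matched exactly even though the condition is configured for
    partial matching; text files match when enough of a source document appears."""
    signature = hashlib.sha256(data).hexdigest()
    for name, entry in index.items():
        if entry["signature"] == signature:
            return name, "exact file", 100
    text = extract_text(data)
    if text is None:
        return None
    inbound = passage_fingerprints(text)
    best = None
    for name, entry in index.items():
        if not entry["passages"]:
            continue
        # Exposure is the share of the source document's passages seen inbound.
        exposure = 100 * len(entry["passages"] & inbound) // len(entry["passages"])
        if exposure >= min_exposure and (best is None or exposure > best[2]):
            best = (name, "partial file contents", exposure)
    return best


if __name__ == "__main__":
    index = build_index(DOCUMENTS)
    words = REPORT.split()
    copied = "FYI: " + " ".join(words[:14]) + " thanks"   # derived content in an email
    print(check_file(DOCUMENTS["logo.jpg"], index))
    print(check_file(copied.encode(), index))
    print(check_file(" ".join(words[:10]).encode(), index))
```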

Supported forms of matching for IDM


IDM supports three forms of matching: exact file, exact file contents, and partial file contents. Detection servers support all
three forms of matching. The DLP Agent supports exact file and partial file contents matching locally on the endpoint.
Forms of matching for IDM summarizes the forms of matching by the platforms that IDM supports.

Table 484: Forms of matching for IDM

| Type of matching | Description | Platform |
| --- | --- | --- |
| Partial file contents | Match of discrete passages of extracted and normalized file contents. See Using IDM to detect exact and partial file contents. | Detection server, DLP Agent |
| Exact file | Match is based on the binary signature of the file. See Using IDM to detect exact files. | Detection server, DLP Agent |
| Exact file contents | Match is an exact match of the extracted and normalized file contents. See Using IDM to detect exact and partial file contents. | Detection server. Note: Symantec recommends that you use partial file contents matching rather than exact file contents matching. |

Types of IDM detection
There are three types of IDM detection implementations: agent, server, and two-tier. The type you choose is based on
your data loss prevention requirements.
Types of IDM detection summarizes the three types of IDM detection.

Table 485: Types of IDM detection

| Type | Description | Details |
| --- | --- | --- |
| Agent IDM | The DLP Agent supports partial contents matching in addition to exact file matching locally on the endpoint. | Agent IDM detection |
| Server IDM | The detection server performs exact file matching, exact file contents matching, and partial file contents matching. | Server IDM detection |
| Two-tier IDM | The DLP Agent sends the data to the detection server for policy evaluation. | Two-tier IDM detection |

Agent IDM detection


With Agent IDM detection the DLP Agent evaluates documents locally in real time for partial file contents and exact file
matches. Agent IDM lets you use the block, notify, and user cancel response rules on the endpoint with IDM policies.
Symantec Data Loss Prevention also supports detection on stream-based channels such as Printing or Copying/Pasting
from the Clipboard.
Supported forms of matching for IDM
Agent IDM is enabled by default for a newly installed Endpoint Server. Agent IDM for macOS is enabled by default for
newly installed Endpoint Servers, but disabled if you upgrade. In the case of all upgrades, if you want to use agent IDM
you must enable it and reindex your IDM profiles so that the endpoint index is generated and made available for download
by DLP Agents.

Server IDM detection


With server IDM detection, the IDM index is deployed to one or more detection servers and all detection processing
occurs on the server or servers. You can use server IDM to perform exact file matching and file contents matching. For
file contents matching, you can choose to match file contents exactly or partially (10% to 90%) according to the Minimum
Document Exposure set for the IDM condition.
Supported forms of matching for IDM

Two-tier IDM detection


Two-tier is a method of detection that requires communication and data transfer between the DLP Agent and the Endpoint
Server to detect incidents. It is recommended only if you have very large indexes and the agents do not have enough
space to support the profiles. Two-tier detection has more latency than local detection and requires substantially more
network bandwidth. As a result, it does not support inline response rules for blocking or pop-up notifications.
With two-tier IDM the DLP Agent sends the data to the Endpoint Server for matching against the server index. If two-tier
detection is enabled for IDM, the server supports all forms of matching, including exact file, exact file contents, and partial
file contents.
NOTE
Two-tier detection is not supported on agents running on macOS endpoints.

If you use two-tier detection for IDM on the Windows endpoint, make sure that you understand the performance
implications of two-tier detection.
Two-tier detection for DLP Agents

About the Indexed Document Profile


The Indexed Document Profile is the user-defined configuration for creating and generating IDM indexes. You define
an Indexed Document Profile using the Enforce Server administration console. You reference the profile in one or more
IDM policy rules or exceptions. The profile is reusable across policies: you can create one document profile and reference
it in multiple policies. When you create the Indexed Document Profile, you have the option of indexing the document
source immediately on save of the profile or at a scheduled time. However, you must index the document source before
you can detect policy violations.
Creating and modifying Indexed Document Profiles
For example, consider a scenario where you want to create an IDM index to detect when exact versions of certain
documents are found, or when passages or sections of the documents are exposed. When you define the Indexed
Document Profile, you can upload the documents to the Enforce Server, or you can index the documents using the
Remote IDM Indexer. You can also use file name and file size filters in the document profile to include or ignore certain
files during indexing.

About the document data source


The document data source is the collection of documents you want to index and detect using IDM. The indexing algorithm
uses a fixed amount of memory per document, so it is bound by the number of documents, rather than their total size.
With a profile using 2 GB when loaded in memory, approximately 1,000,000 documents can be indexed. The exact
number of documents the system permits depends on how many documents have text that can be extracted.
Preparing the document data source for indexing
For smaller document sets (50 MB or less), you can upload the source files to the Enforce Server using a ZIP file. For
larger document sets (up to 2 GB), you can copy the source files to the host file system where the Enforce Server is
installed, either encapsulated within a single ZIP file or as individual files. You can use FTP/S to transfer the files to the
Enforce Server. Alternatively, you can use the Remote IDM Indexer to remotely index documents.
About indexing remote documents
The document data source can contain any file type and any combination of files. If the system can extract the contents of
the file, IDM detects file contents, either exactly or partially depending on the platform and the policy configuration. If the
system cannot extract the contents of the file, IDM detects the exact file.
Supported forms of matching for IDM

About the indexing process


The IDM indexer is a separate process that installs with and runs on the Enforce Server. Partial matching is disabled by
default on the Agent, and enabled by default on the Detection Server.
Configure endpoint partial content matching
The number of documents you can index has increased to up to 1,000,000 on the Server and up to 30,000 on
the Agent. These values are based on initial default limits of 2 GB/60 MB. You can change the 60 MB limit on
the Configure Partial Matching page. While it is possible to reconfigure the 2 GB limit by changing the value of
com.vontu.profiles.documents.maxIndexSize in
\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\indexer.properties,
Symantec recommends that you contact Symantec Support before reconfiguring properties files.

During indexing, the system stores the document source in
\Program Files\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\Protect\documentprofiles (on Windows) or
/var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/documentprofiles (on Linux).
The result of the indexing process is four separate indexes: one for detection servers (the server index) and three for
DLP Agents (the endpoint indexes). All indexes are generated regardless of whether or not you are licensed for Endpoint
Prevent or Endpoint Discover. On the Enforce Server, the system stores the indexes in
\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\index (on Windows) or
/var/Symantec/DataLossPrevention/EnforceServer/16.0.10000/index (on Linux).
About the server index files and the agent index files
For most IDM deployments there is no need to configure the indexer. If necessary, you can configure key settings
for the indexer using the file
\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\Indexer.properties.
NOTE
Symantec recommends that you contact Symantec Support for guidance if you decide to modify a properties file.
Modifying properties incorrectly can cause serious issues with the operation of Symantec Data Loss Prevention.

About indexing remote documents


IDM indexing can be done on the Enforce Server or remotely, using the Remote IDM Indexer.
Creating and modifying Indexed Document Profiles
Using the CIFS protocol you can remotely index documents that are stored on one or more file shares in a Microsoft
Windows-networked environment. You provide the Universal Naming Convention (UNC) path to a shared network folder
resource and index the documents that are stored in that folder or its subfolders, depending on the level of permission granted.
Using the remote SMB share option to index file shares
WebDAV provides extensions to the HTTP 1.1 protocol that enable collaborative editing and management of files that are
stored on remote web servers. You can index such documents remotely by exposing them to the Enforce Server using
WebDAV. For example, you can use the remote SMB option with a UNC address and a WebDAV client to index Microsoft
SharePoint or OpenText Livelink documents.
Using the remote SMB share option to index SharePoint documents
NOTE
To index documents on a SharePoint server using the Remote SMB Share option, you must deploy the Enforce
Server to a supported Windows Server operating system host. Data Loss Prevention depends on Windows
NTLM services to mount a WebDAV server.

About the server index files and the agent index files
When you create an Indexed Document Profile and index a document data source, the system generates four index
files, one for the server and three for the endpoint. The indexes are generated regardless of whether or not you are
licensed for a particular detection server or the DLP Agent.
About index deployment and logging
The server index is a binary file named DocSource.rdx. The server index supports exact file, exact file contents, and
partial file contents matching. If the document data source is large, the server index may span multiple *.rdx files.
The endpoint index consists of one secure binary file, either EndpointDocSource.rdx or
LegacyEndpointDocSource.rdx for backward compatibility with 14.0 and 12.5 Agents. The endpoint index supports
exact file and partial file contents matching. EncryptedDocSource.rdx is for endpoint partial matching.

Supported forms of matching for IDM
To create the index entries for exact file and exact file contents matching, the system uses the MD5 message-digest
algorithm. This algorithm is a one-way hash function that takes as input a message of arbitrary length and produces
as output a 128-bit message-digest or "fingerprint" of the input. If the message input is a text-based document that the
system can extract contents from, such as a Microsoft Word file, the system extracts all of the file content, normalizes it by
removing whitespace, punctuation, and formatting, and creates a cryptographic hash. Otherwise, if the message input is a
file that the system cannot extract the contents from, such as an image file, small file, or unsupported file type, the system
creates a cryptographic hash based on the binary signature of the file.

NOTE
To improve accuracy across different versions of the Enforce Server and DLP Agent, only binary (MD5) matching
is supported on the agent, whether or not the file contains text.
Using IDM to detect exact files
Using IDM to detect exact and partial file contents
In addition, for file formats the system can extract the contents from, the indexer creates hashes for discrete sections of
content or text passages. These hashes are used for partial matching for both server and agent indexes. The system uses
a selection method to store hashed sections of partial content so that not all extractable text is indexed. The hash function
ensures that the server index does not contain actual document content. Table 486: Types of matching supported by the
endpoint and server indexes summarizes the types of matching supported by the endpoint and server indexes.

Table 486: Types of matching supported by the endpoint and server indexes

Message input: Text-based file that the system can extract the contents from
Output: A single cryptographic hash derived from all of the extracted and normalized file contents
Matches: Exact file contents
Included in index file: DocSource.rdx, LegacyEndpointDocSource.rdx

Message input: Text-based file that the system can extract the contents from
Output: One or more rolling hashes based on discrete passages of extracted and normalized content, using a selection method
Matches: Partial file contents (10% to 90%)
Included in index file: DocSource.rdx, EndpointDocSource.rdx, EncryptedDocSource.rdx

Message input: Binary file, custom file, small file, encapsulated file; agent only: text-based file that the system can
extract the contents from
Output: A single cryptographic hash based on the binary signature of the file
Matches: Exact file binary
Included in index file: DocSource.rdx, EndpointDocSource.rdx, LegacyEndpointDocSource.rdx

About index deployment and logging


The Enforce Server is responsible for deploying the IDM server and endpoint indexes to the detection and Endpoint
Servers. You cannot manually deploy the indexes.
The system deploys the server index to each designated detection server in the folder
\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\index (on Windows) or
/var/Symantec/DataLossPrevention/EnforceServer/16.0.10000/index (on Linux). At run-time, the detection server loads the
server index into random access memory (RAM) when an active IDM policy that references that index is deployed to that
detection server.
The system deploys the endpoint index (either EndpointDocSource.rdx or LegacyEndpointDocSource.rdx) to
each designated Endpoint Server. When a DLP Agent connects to the Endpoint Server, the DLP Agent downloads the
endpoint index. Assuming agent IDM is enabled, the DLP Agent loads the endpoint index into memory when the index is
required by an active local policy.
Estimating endpoint memory use for agent IDM
You cannot manually deploy either the server or endpoint index files by copying the *.rdx file or files from the Enforce
Server to a detection server. The detection server does not monitor the index destination folder for new index files; the
detection server must be notified by the Enforce Server that an index has been deployed. If a detection server is offline
during the index deployment process, the Enforce Server stops trying to deploy the index. When the detection server
comes back online the Enforce Server deploys the index to the detection server. The same is true for DLP Agents. There
is no way to manually copy the endpoint index to the endpoint host and have the DLP Agent recognize the index.
Table 487: IDM index deployment and logging summarizes how IDM indexes are deployed and the log files to check to
troubleshoot index deployment.

Table 487: IDM index deployment and logging

Platform: Server
Index file: DocSource.rdx
Deployment: Sent automatically by the Enforce Server to each designated detection server after the index is generated.
Loaded by the detection server into RAM at run-time.
Logged: detection_operational.log (use to identify if the index profile was deployed to the detection server);
FileReader.log (use to determine if the index profile is loaded into memory).

Platform: Agent
Index file: EndpointDocSource.rdx or LegacyEndpointDocSource.rdx
Deployment: Both of these files are sent by the Enforce Server to each designated Endpoint Server. The agent selects the
appropriate file, based on the version of the agent. LegacyEndpointDocSource.rdx is for backward compatibility with
14.0 and 12.5 Agents. Downloaded by the DLP Agent based on the agent connection interval. Loaded into RAM at run-time
when a local, active policy requires the index.
Logged: endpoint_server_operational.log (use to identify if the index profile was deployed to the Endpoint Server).
Pull the agent logs to see if the index profile is loaded into memory.

Using IDM to detect exact files


The system performs exact file matching automatically on all binary files. In addition, if the file format is text-based but the
system is unable to extract the contents from the file, the system performs exact file matching. This behavior is true even
if you select a Minimum Document Exposure percentage for the IDM condition that is less than Exact. The DLP Agent
performs exact file matching on all files, both binary files and files with extractable text.
About the server index files and the agent index files
For example, an IDM rule with a minimum document exposure set to 50% automatically attempts to match a binary
file exactly because the Minimum Document Exposure setting only applies to files that the system cannot extract the
contents from. In addition, the system performs exact file matching for files containing a very small amount of text, as well
as files that were encapsulated when indexed, even if text-based.
As an optimization for exact file type matching in Endpoint IDM detection, the system checks the byte size of the file
before computing the run-time hash for comparison against the index. If the byte size does not match the size of the indexed
file, there is no need to compute the exact file hash. The system does not consider the file format when creating the exact
file fingerprint.
Table 488: Requirements for using IDM to detect files summarizes exact file type matching behavior.

Table 488: Requirements for using IDM to detect files

File format: File format from which the system cannot extract the contents
Example: Proprietary or non-supported document format
Description: If the system cannot extract the contents from the file format, you can use IDM to detect that specific file
using exact binary matching.
Do not compress files in the document source

File format: Binary file
Example: GIF, MPG, AVI, CAD design files, audio/video files
Description: You can use IDM to detect binary file types from which you cannot extract the contents, such as images,
graphics, JPEGs, etc. Binary file detection is not supported on stream-based channels.

File format: File containing a small amount of text
Example: CAD files and Visio diagrams
Description: A file containing a small amount of text is treated as a binary file even if the contents are text-based and
can have their contents extracted.
Using IDM to detect exact and partial file contents

File format: Encapsulated file
Example: Any file that is encapsulated when indexed (even if text-based and its contents can be extracted); for example,
a Microsoft Word file archived in a ZIP file
Description: If a document data source file is encapsulated in an archive file, the file contents of the subfile cannot be
extracted and only the binary signature of the file can be fingerprinted. This does not apply to document archives that
are indexed.
About the document data source

Using IDM to Detect Exact and Partial File Contents


The primary use case for IDM is to detect file contents (as distinguished from binary files, such as audio or video
files, for example). On both the server and the endpoint, you can use IDM to match files exactly or partially (10% to
90%). Additionally, on the server, file contents can be matched exactly. Symantec recommends that you use partial
content match because it is much more reliable than exact content match. File contents include text-based content of
any document type the system can extract the file contents from, such as Microsoft Office documents (Word, Excel,
PowerPoint), PDF, and many more.
Supported formats for content extraction
An exact file contents match means that the normalized extracted content from the file matches exactly the content of a
file that has been indexed. With partial matching on the endpoint, using a 90% threshold generates 90% to 100% content
matches. These are less strict than the previous exact content matches and may, in some cases, match even if there are
some minor differences between the scanned file and the indexed file.
The system does not consider the file format or file size when creating the cryptographic hash for the index or when
checking for an exact file contents match against the index. A document might contain much more content, but the
system detects only the file contents that are indexed as part of the Indexed Document Profile. For example, consider
a situation where you index a one-page document, and that one-page document is included as part of a 100-page
document. The 100-page document is considered an exact match because its content matches the one-page document
exactly.
About the server index files and the agent index files
For text-based files from which you can extract the contents, in addition to creating the MD5 fingerprint for exact file
contents matching, the system uses a rolling hash algorithm to register discrete sections or passages of content. In this
case the system uses a selection method to store hashed sections of content; not all text is hashed in the index. The
index does not contain actual document content.
Table 489: Requirements for using IDM to detect content lists the requirements to match file contents using IDM.

Table 489: Requirements for using IDM to detect content

Requirement: File formats from which you can extract the contents
Description: The system must be able to identify the file format and extract the file content. Data Loss Prevention
supports content extraction for over 100 file types.
Supported formats for content extraction

Requirement: Unencapsulated file
Description: To match file contents, the source file cannot be encapsulated in an archive file when the source file is
indexed. If a file in the document source is encapsulated in an archive file, the system does not index the file contents
of the encapsulated file. Any encapsulated file is considered for exact matches only, like image files and other
unsupported file formats.
Do not compress files in the document source
Note: The exception to this is the main ZIP file that contains the document data source, for those upload methods that
use an archive file.
Creating and modifying Indexed Document Profiles

Requirement: Minimum amount of text
Description: For exact file contents matching, the source file must contain at a minimum 50 characters of normalized
text before the extracted content is indexed. Normalization involves the removal of punctuation and whitespace. A
normalized character therefore is either a number or a letter. This size is set by the min_normalized_size=50 parameter
in the file \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\Indexer.properties.
If a file contains fewer than 50 normalized characters, the system performs an exact file match against the file binary.
Note: Symantec advises that you consult with Symantec Support for guidance if you need to change an advanced setting
or edit a properties file. Incorrectly updating a properties file can have unintended consequences.
For partial file contents matching, there must be at least 300 normalized characters. However, the exact length is
variable depending on the file contents and encoding.
Do not index empty documents

Requirement: Maximum amount of text
Description: The default maximum size of the document that can be processed for content extraction at run-time is
30,000,000 bytes. If your document is over 30,000,000 bytes, you need to increase the default maximum size in
Advanced server settings. Contact Symantec Support for assistance when changing Advanced server settings, to avoid
any unintended consequences.

About using the Content Matches Document Signature policy condition


You use the IDM condition Content Matches Document Signature From to implement IDM detection rules and
exceptions in your policies.
Configuring the Content Matches Document Signature policy condition
When you configure this condition, you specify the IDM index to use and how the condition should match against the
index using the Minimum Document Exposure setting. You can select either Exact or a partial match between 10% and 90%.
For example, if you select 70% for the Minimum Document Exposure, a match occurs only if 70% or more of the hashed file
contents is detected.
Use parallel IDM rules to tune match thresholds
If a file is not text-based, its content is not extractable, is very small, or is encapsulated in an archive file, the file
is matched exactly based on its binary signature. This form of matching is performed automatically by the system,
regardless of what configuration option you choose for the Minimum Document Exposure setting. This setting only
applies to partial file contents matching.
Using IDM to detect exact files
Table 490: Minimum document exposure settings for the IDM condition describes the matching supported by the Content
Matches Document Signature From policy condition.

Table 490: Minimum document exposure settings for the IDM condition

Configuration setting: Exact file matching
File contents: File contents
Match: All of the extracted and normalized file contents, if the file is text-based and from which the content is not
extractable
Example: Microsoft Word
Using IDM to detect exact and partial file contents

Configuration setting: Exact content matching
Match: The endpoint performs binary matching on all files.
Example: Microsoft Word, JPG, MP3

Configuration setting: Partial content matching
File contents: File contents
Match: Discrete passages of text
Example: Microsoft Word
Using IDM to detect exact and partial file contents

About Safe Listing Partial File Contents


Often sensitive documents contain a standard boilerplate text that does not require protection, including front matter,
headers, and footers. Information that is contained in document headers and footers is likely to cause false positives.
Boilerplate text, such as standard language and non-proprietary corporate content that is repeated across confidential
documents, can cause false positives.
Safe Listing File Contents to Exclude from Partial Matching
Removing non-sensitive boilerplate or header/footer content before indexing is not feasible, especially if you have a large
document data set. In this case, you can configure the system to exclude ("safe list") non-sensitive text. Add the text to
ignore to the safe list file. During indexing, any safe listed content that is found in the source files is ignored. At run time,
the content does not cause false positives because it has been excluded.
Use Safe Listing to Exclude Non-Sensitive Content from Partial Matching
NOTE
The safe listing file is not checked at run time when the system computes the cryptographic hashes for exact file
contents matching.
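The index construction and matching rules described in the sections above (normalization to letters and digits, the 50-character and 300-character thresholds, the binary MD5 fallback with the byte-size check, sampled passage hashes for partial matching, the Minimum Document Exposure threshold, and safe listing) as a simplified Python model. This is an added illustration, not Symantec code: the 40-character passage window, the hash-mod-4 selection rule and the UTF-8 stand-in for the content extractor are assumptions, since the page does not disclose the product's selection method or extractor.

```python
import hashlib
from collections import namedtuple

MIN_NORMALIZED_SIZE = 50   # min_normalized_size=50 in Indexer.properties, as the page states
MIN_PARTIAL_SIZE = 300     # about 300 normalized characters before partial matching applies
WINDOW = 40                # assumed passage window length (not taken from the product)
SELECT_MOD = 4             # assumed selection rule: keep a window when its hash % 4 == 0
_BASE, _PRIME = 131, (1 << 61) - 1
IndexEntry = namedtuple("IndexEntry", "name kind exact_md5 size passages")  # kind: content|binary

def normalize(text):
    """Remove whitespace, punctuation and formatting: only letters and digits remain."""
    return "".join(ch for ch in text if ch.isalnum())

def extract_text(data):
    """Stand-in for the product's content extractor: UTF-8 text is extractable, else binary."""
    if b"\x00" in data:
        return None
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None

def select_passages(norm):
    """Rolling hashes over fixed windows of normalized text, thinned by the selection rule so
    that only a sample of passages is kept; the text itself is never stored, only hashes."""
    high = pow(_BASE, WINDOW, _PRIME)
    kept, h = set(), 0
    for i, ch in enumerate(norm):
        h = (h * _BASE + ord(ch)) % _PRIME
        if i >= WINDOW:  # drop the character that just left the window
            h = (h - ord(norm[i - WINDOW]) * high) % _PRIME
        if i >= WINDOW - 1 and h % SELECT_MOD == 0:
            kept.add(h)
    return frozenset(kept)

def index_document(name, data, safelist=b""):
    """MD5 over the normalized content for exact content matching (over the raw bytes when fewer
    than 50 normalized characters are extractable), plus sampled passage hashes minus safe-listed ones."""
    text = extract_text(data)
    norm = normalize(text) if text is not None else ""
    if len(norm) < MIN_NORMALIZED_SIZE:
        return IndexEntry(name, "binary", hashlib.md5(data).hexdigest(), len(data), frozenset())
    passages = frozenset()
    if len(norm) >= MIN_PARTIAL_SIZE:
        passages = select_passages(norm)
        safe_norm = normalize(safelist.decode("utf-8", "replace"))
        if len(safe_norm) >= MIN_PARTIAL_SIZE:  # safelisted.txt needs about 300 characters too
            passages = passages - select_passages(safe_norm)
    return IndexEntry(name, "content", hashlib.md5(norm.encode()).hexdigest(), len(data), passages)

def exposure(entry, data):
    """Fraction of the indexed passage sample that is found in the scanned file."""
    text = extract_text(data)
    if text is None or not entry.passages:
        return 0.0
    return len(entry.passages & select_passages(normalize(text))) / len(entry.passages)

def match_document(entry, data, min_exposure=1.0):
    """Return 'exact file', 'exact file contents', 'partial file contents' or None;
    min_exposure=1.0 stands for the Exact setting, 0.1 to 0.9 for the percentage settings."""
    if entry.kind == "binary":
        if len(data) != entry.size:  # endpoint optimization: no hashing when the size differs
            return None
        return "exact file" if hashlib.md5(data).hexdigest() == entry.exact_md5 else None
    text = extract_text(data)
    if text is None:
        return None
    if hashlib.md5(normalize(text).encode()).hexdigest() == entry.exact_md5:
        return "exact file contents"
    if exposure(entry, data) >= min_exposure:
        return "partial file contents"
    return None

# Constructed sample documents (not from the page): a boilerplate header that appears on every
# confidential document, followed by the body that actually needs protection.
HEADER = ("Acme Corporation Confidential. This document is the property of Acme and is "
          "provided for internal use only. Do not distribute outside the company. ") * 3
BODY = ("Project Falcon design notes. The sensor array uses a 1.2 GHz sampling clock with a 14 bit "
        "converter feeding the fusion core. Calibration constants live in bank three and are refreshed "
        "every 400 ms by the supervisor task. The thermal budget allows 18 W sustained load with a 25 W "
        "burst for up to 90 seconds. Field units report telemetry over the mesh link in frame format four. ")

def demo():
    """Index the sample document with the header safe listed, then scan a few variants."""
    entry = index_document("falcon.txt", (HEADER + BODY).encode(), safelist=HEADER.encode())
    reflowed = (HEADER + BODY).replace(" ", "\n").replace(".", "...").encode()
    larger = ("Intro. " * 20 + HEADER + BODY + "Appendix. " * 20).encode()
    return {
        "reflowed copy at Exact": match_document(entry, reflowed),
        "header only at 10%": match_document(entry, HEADER.encode(), 0.1),
        "embedded in a larger document at 70%": match_document(entry, larger, 0.7),
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The header-only scan reports no match because its passages were subtracted at index time, while the larger document that embeds the whole indexed text reaches 100% exposure, which is the one-page-in-a-100-page-document case the text describes.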

Configuring IDM Profiles and Policy Conditions


Table 491: Implementing IDM provides the workflow for creating IDM profiles and configuring IDM policies. Complete the
steps to ensure that your IDM rules are properly implemented and are as accurate and efficient as possible.

Table 491: Implementing IDM

Step 1: Identify the content you want to protect and collect the documents that contain this content.
Using IDM to detect exact and partial file contents
Using IDM to detect exact files
Step 2: Prepare the documents for indexing.
Preparing the document data source for indexing
Step 3: Safe list headers, footers, and boilerplate text.
Safe Listing File Contents to Exclude from Partial Matching
Step 4: Create an Indexed Document Profile and specify the document source.
Creating and modifying Indexed Document Profiles
Step 5: Configure any document source filters.
Filtering documents by file name
Step 6: Schedule indexing as necessary.
Scheduling document profile indexing
Step 7: Configure one or more IDM policy conditions or exceptions.
Configuring the Content Matches Document Signature policy condition
Step 8: Test and troubleshoot your IDM implementation.
Troubleshooting policies

Preparing the document data source for indexing


You must collect and prepare the documents you want to index. These documents are known as the document data
source.
About the document data source
A document data source is a ZIP archive file that contains the documents to index. It can also be the files stored in a file
share on a local or remote computer. A document data source ZIP file can contain any file type and any combination of
files. If you have a file share that already contains the documents you want to protect, you can reference this share in the
document profile.

Table 492: Preparing the document source for indexing

Step 1: Collect all of the documents you want to protect.
Collect all of the documents you want to index and put them in a folder.
About the document data source

Step 2: Uncompress all the files you want to index.
The files you index should be in their unencapsulated, uncompressed state. Check the document collection to make
sure none of the files are encapsulated in an archive file, such as ZIP, TAR, or RAR. If a file is embedded in an archive
file, extract the source file from the archive file and remove the archive file.
Using IDM to detect exact and partial file contents

Step 3: Separate the documents if you have more than 1,000,000 files to index.
To protect a large amount of content and files, create separate collections for each set of documents over 1,000,000
files in size, with all files in their unencapsulated, uncompressed state. For example, if you have 15,000,000 documents
you want to index, separate the files by folders, one folder containing 750,000 files, and another folder containing the
remaining 750,000 files. Or, you can change the value of com.vontu.profiles.documents.maxIndexSize in
Indexer.properties to accommodate larger data sets. The rule of thumb is 2 GB per 1 million documents.
Create separate profiles to index large document sources

Step 4: Decide how you are going to make the document source files available to the Enforce Server.
The indexing process is a separate process that runs on the Enforce Server. To index the document source you must
make the files accessible to the Enforce Server. You have several options. Decide which one works best for your needs
and proceed accordingly.
Uploading a document archive to the Enforce Server
Referencing a document archive on the Enforce Server
Using local path on Enforce Server
Using the remote SMB share option to index file shares

Step 5: Configure the document profile.
The next step is to configure the document profile, or, alternatively, if you want to exclude specific document content
from detection, safe list it.
Creating and modifying Indexed Document Profiles
White listing file contents to exclude from partial matching

Safe Listing File Contents to Exclude from Partial Matching


You use safe listing to exclude unimportant or noncritical content, such as standard boilerplate text, document headers,
and document footers, from the IDM index. Safe listing such content helps to reduce false positives.

About Safe Listing Partial File Contents
To exclude content from matching, you copy the content that you want to exclude to a text file and save the file as
safelisted.txt. By default, the file must contain at least 300 non-whitespace characters to have its content
fingerprinted for safe listing purposes. When you index the document source, the Enforce Server or the Remote IDM
Indexer looks for the safelisted.txt file.
Use Safe Listing to Exclude Non-Sensitive Content from Partial Matching
Table 493: Safe Listing Non-Sensitive Content describes the process for excluding document content using safe listing.

Table 493: Safe Listing Non-Sensitive Content

Step 1: Copy the content that you want to exclude from matching into a text file.
Copy only noncritical content that you want to exclude, such as standard boilerplate text and document headers and
footers, to the text file. By default, for file contents matching the file to be indexed must contain at least 300
characters. This default setting applies to the safelisted.txt file as well. You can change this default setting for
safe listed text.
Changing the default indexer properties

Step 2: Save the text file as safelisted.txt.
The safelisted.txt file is the source file for storing content that you want to exclude from matching.

Step 3: Save the file to the safelisted directory on the Enforce Server host file system.
Save the file to \ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\documentprofiles
(on Windows) or /var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/documentprofiles/safelisted
(on Linux).

Step 4: Configure the Indexed Document Profile and generate the index.
When you index the document data source, the Enforce Server looks for the safelisted.txt file. If the file exists, the
Enforce Server copies it to safelisted.x.txt, where x is a unique identification number corresponding to the Indexed
Document Profile. Future indexing of the profile uses the profile-specific safelisted.txt file, not the generic
safelisted.txt file.
Creating and modifying Indexed Document Profiles

Manage and add Indexed Document Profiles


The Manage > Data Profiles > Indexed Documents screen lists all configured Indexed Document Profiles in the
system. From this screen you can manage existing profiles and add new ones.

Table 494: Indexed Documents screen actions

Add IDM profile: Click Add Document Profile to create a new Indexed Document Profile.
Configuring IDM profiles and policy conditions

Edit IDM profile: Click the name of the Document Profile, or click the pencil icon to the far right of the profile, to
modify an existing Document Profile.
Creating and modifying Indexed Document Profiles

Remove IDM profile: Click the red X icon to the far right of the document profile row to delete that profile from the
system. A dialog box confirms the deletion.
Note: You cannot edit or remove a profile if another user is currently modifying that profile, or if a policy exists that
depends on that profile.

Refresh IDM profile status: Click the refresh arrow icon at the upper right of the Indexed Documents screen to fetch
the latest status of the indexing process. If you are in the process of indexing, the system displays the message
"Indexing is starting." The system does not automatically update the screen when the indexing process is complete.

Table 495: Indexed Documents screen details

Document Profile: The name of the Indexed Document Profile.
Detection server: The name of the detection server that indexes the Document Profile and the Document Profile
version. Click the triangle icon beside the Document Profile name to display this information. It appears beneath the
name of the Document Profile.
Location: The location of the file(s) on the Enforce Server that the system has profiled and indexed.
Documents: The number of documents that the system has indexed for the document profile.
Status: The current status of the document indexing process, which can be any of the following:
• Next scheduled indexing (if it is not currently indexing)
• Sending an index to a detection server
• Indexing
• Deploying to a detection server
In addition, beneath the status of the indexing process, the system displays the status of each detection server, which
can be any of the following:
• Completed, including a completion date
• Pending index completion (that is, waiting for the Enforce Server to finish indexing a file)
• Replicating indexing
• Creating index (internally)
Error messages: The Indexed Documents screen also displays any error messages in red (for example, if the document
profile is corrupted or does not exist).

Data Profiles
Scheduling document profile indexing
Configuring the Content Matches Document Signature policy condition

Creating and modifying Indexed Document Profiles


You define and configure an Indexed Document Profile at the screen Manage > Data Profiles > Indexed Documents
> Configure Document Profile. The document profile specifies the document data source, the indexing parameters, and
the indexing schedule. You must define a document profile to implement IDM detection.
About the Indexed Document Profile
Configuring a document profile describes the steps for creating and modifying IDM profiles.

Table 496: Configuring a document profile

Step Action Description

1. Navigate to the screen Manage > Data Profiles > Indexed Documents.
You must be logged on to the Enforce Server administration console as an administrator or policy author.
Policy authoring privileges
2. Click Add Document Profile.
Select an existing Indexed Document Profile to edit it.
Manage and add Indexed Document Profiles
3. Enter a Name for the Document Profile.
Choose a name that describes the data content and the index type (for example, "Research Docs IDM"). The name is limited to 255 characters.
Input character limits for policy configuration
4. Select the Document Source method for indexing.
Select one of the five options for indexing the document data source, depending on how large your data source is and how you have packaged it.
About the document data source
Options for making the data source available to the Enforce Server:
• Upload Document Archive to Server Now
To use this method, you click Browse and select a ZIP file containing the documents to be indexed. The maximum size of the ZIP file is 50 MB.
Uploading a document archive to the Enforce Server
• Reference Archive on Enforce Server
Use this method if you have copied the ZIP file to the file system host where the Enforce Server is installed. The maximum size of the ZIP file is 2 GB. This ZIP file is available for selection in the drop-down field.
Referencing a document archive on the Enforce Server
• Use Local Path on Enforce Server
This method lets you index individual files that are local to the Enforce Server. With this method the files to be indexed cannot be archived in a ZIP file.
Using local path on Enforce Server
• Use Remote SMB Share
About indexing remote documents
Using the remote SMB share option to index SharePoint documents
• Import from a remotely created IDM profile
The Remote IDM Indexer is a standalone tool that lets you index your confidential documents and files locally on the systems where these files are stored. See Remote IDM Indexing and About the Remote IDM Indexer for more information.
5. Optionally, configure any Filters.
You can specify file name and file size filters in the document profile. The filters tell the system which files to include or ignore during indexing.
Filter documents from indexing to reduce false positives
Enter files to include in the File Name Include Filters field, or enter files to exclude in the File Name Exclude Filters field.
Filtering documents by file name
Select file sizes to ignore, either Ignore Files Smaller Than or Ignore Files Larger Than.
Filtering documents by file size
6. Select one of the Indexing options.
As part of creating a document profile, you can set up a schedule for indexing the document source.
You do not have to select an indexing option to create a profile that you can reference in a policy, but you must select an indexing option to generate the index and actually detect matches using an IDM policy.
• Select Submit Indexing Job on Save to index the document source immediately when you save the Document Profile.
• Select Submit Indexing Job on Schedule to display schedule options so that you can schedule indexing at a later time.
Scheduling document profile indexing
7. Click Save.
You must save the document profile.

Configure endpoint partial content matching


You can enable or disable Endpoint partial content matching for IDM profiles on the Enforce Server administration console
at Manage > Data Profiles > Indexed Documents > Configure Endpoint Partial Matching. This page displays a
snapshot in time of all deployed profiles with their estimated current size. When you click Save, the profiles that you have
selected have partial matching enabled.
Configuring endpoint partial content matching describes the steps for configuring partial content matching on the endpoint.

Table 497: Configuring endpoint partial content matching

Step Action Description

1. Navigate to the Manage > Data Profiles > Indexed Documents screen.
2. Click Configure Partial Matching.
The Configure Partial Content Matching page displays a snapshot of all profiles that are deployed at the time you access the page, along with their estimated current size.
Note: The Configure Partial Content Matching page is not accessible while any IDM profile is being indexed.
3. Click the checkbox under Endpoint Partial Matching for all profiles that you want to enable for partial matching.
Note: If a profile starts re-indexing while you are on this page, and the profile size changes significantly, and if the profile is also selected for partial matching, the list of selected profiles might be affected.
4. Click Save.
Note: The sum of all deployed profiles on the endpoint cannot exceed the value of Endpoint Total Profile Size (MB), which is set to a default of 60 MB. To change this value, enter a different value in the Endpoint Total Profile Size (MB) box.
After you click Save, the profiles that you have selected have partial matching enabled. Click Refresh to ensure that you have the latest status of the indexing operation.

Uploading a document archive to the Enforce Server


The Upload Document Archive to Server Now option lets you upload a ZIP file with a maximum size of 50 MB to the
Enforce Server and index its contents. To use this method of indexing, the document source must meet the requirements
described in the table Requirements for using the Upload Document Archive to Server Now option

To upload the document archive to Enforce Server describes the process for using the Upload Document Archive to Server Now method of indexing.
To upload the document archive to Enforce Server
1. Navigate to the screen Manage > Data Profiles > Indexed Documents > Configure Document Profile.
2. Select the option Upload Document Archive to Server Now.
Click Browse and select the ZIP file. The ZIP file can be anywhere on the same network as the Enforce Server. Optionally, you can type the full path and the file name if the ZIP file is local to the Enforce Server, for example: c:\Documents\Research.zip.
3. Specify one or more file name or file size filters (optional).
Filtering documents by file name
4. Select one of the indexing options (optional).
Scheduling Document Profile Indexing
5. Click Save.

Table 498: Requirements for using the Upload Document Archive to Server Now option

Requirement Description

ZIP file only: The document archive must be a ZIP file; no other encapsulation formats are supported for this option.
50 MB or less: You cannot use this option if the document archive ZIP file is more than 50 MB because files exceeding that size limit can take too long to upload and slow the performance of the Enforce Server. If the document archive ZIP file is over 50 MB, use the Reference Archive on Enforce Server method instead.
UTF-8 file names only: The IDM indexing process fails (and presents you with an "unexpected error") if the document archive (ZIP file) contains non-ASCII file names in encodings other than UTF-8.
If the ZIP file contains files with non-ASCII file names, use one of the following options instead to make the files available to the Enforce Server for indexing:
• Use the Remote IDM Indexer.
• Use Local Path on Enforce Server
• Use Remote SMB Share

Referencing a document archive on the Enforce Server


You use the Reference Archive on Enforce Server option to create an IDM index based on a ZIP file that is local to the
Enforce Server. You use this option to index source documents that are archived in a ZIP file that is larger than 50 MB.
About the document data source
NOTE
If the ZIP file is less than 50 MB, you can use the Upload Document Archive to Server Now option instead.
Uploading a document archive to the Enforce Server
To use the Reference Archive on Enforce Server option, you copy the ZIP file to the \ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\documentprofiles folder on the Enforce Server file system host. Once you have copied the ZIP file to the Enforce Server, you can select the document source from the pull-down menu at the Add Document Profile screen.
Creating and modifying Indexed Document Profiles
To reference the document archive on the Enforce Server describes the procedure for using the Reference Archive on Enforce Server option.

To reference the document archive on the Enforce Server
1. Copy the ZIP file to the Enforce Server.
• On Windows, copy the ZIP file to directory \ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\documentprofiles
• On Linux, copy the ZIP file to directory /var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/documentprofiles
Requirements to use the option Reference Archive on Enforce Server
NOTE
The system deletes the document data source file after the indexing process completes.
2. Log on to the Enforce Server administration console.
3. Navigate to the screen Manage > Data Profiles > Indexed Documents > Configure Document Profile.
4. Select the file from the Reference Archive on Enforce Server pull-down menu.
NOTE
A document source currently referenced by another Indexed Document Profile does not appear in the list.
5. Specify one or more file name or file size filters (optional).
Filtering documents by file name
6. Select one of the indexing options (optional).
Scheduling document profile indexing
7. Click Save to save the document profile.

Table 499: Requirements to use the option Reference Archive on Enforce Server

Requirement Description

ZIP file only: The document archive must be a ZIP file; no other encapsulation formats are supported for this option. The ZIP file can be at most 2 GB. Consider using a third-party solution (such as Secure FTP) to copy the ZIP file securely to the Enforce Server.
About the document data source
Subfiles not archived: Make sure the subfiles are proper files and not encapsulated in an archive (other than the top-level profile archive).
Do not compress files in the document source
Do not index empty documents
UTF-8 file names only: Do not use this method if any of the files you are indexing have non-ASCII file names. Use one of the following options instead:
• Use the Remote IDM Indexer.
• Use Local Path on Enforce Server
Using local path on Enforce Server
• Use Remote SMB Share
Using the remote SMB share option to index file shares
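The following Python script is an added example, not part of Symantec Data Loss Prevention, that checks a document archive against the requirements in the two tables above (ZIP only, size limit, UTF-8 file names, no nested archives, no empty documents) before you upload it or copy it to the documentprofiles folder. It assumes that a member whose name is non-ASCII is acceptable only when the archive marks the name as UTF-8 (ZIP general-purpose flag bit 11); the list of nested-archive extensions and the sample archive are constructed for the example.

```python
"""Pre-flight check of an IDM document archive against the documented requirements.
Added example; it is not product code and is not used by the Enforce Server."""
import io
import zipfile

UPLOAD_LIMIT = 50 * 1024 * 1024            # Upload Document Archive to Server Now: 50 MB
REFERENCE_LIMIT = 2 * 1024 * 1024 * 1024   # Reference Archive on Enforce Server: 2 GB
UTF8_NAME_FLAG = 0x800                     # ZIP general-purpose bit 11: file name is UTF-8
# Assumption: these suffixes identify a subfile that is itself an archive.
NESTED_ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar", ".tar", ".gz", ".tgz")


def check_entry(name, flag_bits, size):
    """Return the list of problems for one archive member (empty if it is acceptable)."""
    problems = []
    # A non-ASCII name is only safe when the entry is flagged as UTF-8; the
    # indexer otherwise fails with an "unexpected error".
    if not name.isascii() and not (flag_bits & UTF8_NAME_FLAG):
        problems.append(f"{name!r}: non-ASCII file name not encoded as UTF-8")
    if name.endswith("/"):
        return problems  # directory entry: nothing else to check
    if size == 0:
        problems.append(f"{name!r}: empty document (do not index empty documents)")
    if name.lower().endswith(NESTED_ARCHIVE_SUFFIXES):
        problems.append(f"{name!r}: nested archive (subfiles must not be archived)")
    return problems


def check_archive(data, upload=True):
    """Check a ZIP held in memory; returns a list of problem strings (empty when clean)."""
    limit = UPLOAD_LIMIT if upload else REFERENCE_LIMIT
    problems = []
    if len(data) > limit:
        problems.append(f"archive is {len(data)} bytes, over the {limit} byte limit")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        problems.append("archive is not a ZIP file (no other formats are supported)")
        return problems
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            problems.extend(check_entry(info.filename, info.flag_bits, info.file_size))
    return problems


def build_sample_archive():
    """Constructed sample archive that exercises the checks (not real data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("research/plan.docx", "quarterly research plan")            # acceptable
        zf.writestr("research/résumé.txt", "non-ASCII name; zipfile flags it UTF-8")  # acceptable
        zf.writestr("research/empty.txt", "")                                   # empty document
        zf.writestr("research/old.zip", "PK not really an archive")            # nested archive
    return buf.getvalue()


if __name__ == "__main__":
    for problem in check_archive(build_sample_archive()):
        print(problem)
```

Run the script against a real archive by reading the file into bytes and passing `upload=False` when the archive is destined for the Reference Archive on Enforce Server folder, so that the 2 GB limit applies instead of 50 MB.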

Using local path on Enforce Server


The Use Local Path on Enforce Server method lets you index individual files that are local to the Enforce Server. With
this method the files to be indexed cannot be archived in a ZIP file.
Creating and modifying Indexed Document Profiles

To use the Use Local Path on Enforce Server method of making the document source available to the Enforce Server
for indexing, you enter the local path to the directory that contains the documents to index. For example, if you copied the
files to the file system at directory C:\Documents, you would enter C:\Documents in the field for the Use Local Path
on Enforce Server option. You must specify the exact path, not a relative path. Do not include the actual file names in the
path.
NOTE
If the files you index include a file that is more than 2 GB in size, the system indexes all the files except the 2
GB file. This only applies to the Use Local Path on Enforce Server option. It does not apply to the Reference
Archive on Enforce Server option.

Using the remote SMB share option to index file shares


The Use Remote SMB Share method lets you index documents remotely using the Common Internet File System (CIFS)
protocol. To use this method of making the document source available to the Enforce Server, you enter the Universal
Naming Convention (UNC) path for the Server Message Block (SMB) share that contains the documents to index.
About indexing remote documents
To index remote documents on file shares using CIFS provides the steps for using CIFS to index remote documents.
NOTE
Symantec Data Loss Prevention does not delete documents after indexing when you use the Use Remote SMB
Share option.
To index remote documents on file shares using CIFS
1. Log on to the Enforce Server administration console.
2. Navigate to the screen Manage > Data Profiles > Indexed Documents > Configure Document Profile.
3. Select the option Use Remote SMB Share.
4. Enter the UNC Path for the SMB share that contains the documents to index.
A UNC path consists of a server name, a share name, and an optional file path, for example: \\server\share\file_path.
5. Enter a valid user name and password for the share, and then re-enter the password. The user you specify must have
general access to the shared drive and read permissions for the constituent files.
Optionally, you can Use Saved Credentials, in which case the credentials are available from the pull-down menu.

6. Complete the configuration of the Indexed Document Profile.


Creating and modifying Indexed Document Profiles

Using the remote SMB share option to index SharePoint documents


To remotely index files on SharePoint, you expose the remote file share using WebDAV. Once you have enabled WebDAV
for SharePoint, you use the Use Remote SMB Share option and enter the UNC path to index the remote documents.
Symantec Data Loss Prevention supports remote IDM indexing using WebDAV for SharePoint 2007 and SharePoint 2010
instances.
About indexing remote documents
NOTE
To index documents on a SharePoint server using the Remote SMB Share option, you must deploy the Enforce
Server to a supported Windows Server operating system host. Data Loss Prevention depends on Windows
NTLM services to mount a WebDAV server.

Indexing of SharePoint documents provides the procedure for remotely indexing SharePoint documents using WebDAV.

Table 500: Indexing of SharePoint documents

Step Task Description

1. Enable WebDAV for SharePoint.
Enabling WebDAV for Microsoft IIS
2. Start the WebClient service.
From the computer where the Enforce Server is installed, start the WebClient service using the "Services" console. If this service is "disabled," right-click it and select Properties. Enable the service, set it to Manual, then Start it.
Note: You must have administrative privileges to enable this service.
3. Access the SharePoint instance.
From the computer where your Enforce Server is installed, access SharePoint using your browser and the following address format:
http://<server_name>:port
For example: http://protect-x64:80
4. Log on to SharePoint as an authorized user.
You do not need to have SharePoint administrative privileges.
5. Locate the documents to scan.
In SharePoint, navigate to the documents you want to scan. Often SharePoint documents are stored at the Home > Shared Documents screen. Your documents may be stored in a different location.
6. Find the UNC path for the documents.
In SharePoint, for the documents you want to scan, select the option Library > Open with Explorer. Windows Explorer should open a window and display the documents. Look in the Address field for the path to the documents. This address is the UNC path you need to scan the documents remotely. For example: \\protect-x64\Shared Documents. Copy this path to the Clipboard or a text file.
7. Create the IDM Index.
Creating and modifying Indexed Document Profiles
8. Configure the SharePoint remote indexing source.
To configure the remote indexing source:
• For the Document Source field, select the Use Remote SMB Share option.
• For the UNC Path, paste (or enter) the address you copied from the previous step. For example: \\protect-x64\Shared Documents.
• For the User Credentials, enter your SharePoint user name and password, or select the same from the Saved Credentials drop-down list.
• Select the option Submit Indexing on Save and click Save.
9. Verify success.
At the Manage > Data Profiles > Indexed Documents screen you should see that the index was successfully created. Check the "Status" and the number of documents indexed. If the index was successfully created you can now use it to create IDM policies.
Troubleshooting SharePoint document indexing

Enabling WebDAV for Microsoft IIS


There are various methods for enabling WebDAV for IIS. The following steps provide one approach, in this case for a
Windows Server 2008 R2. This approach is provided as an example only. Your approach and environment may differ.
Microsoft IIS deployments that host SharePoint instances can be enabled to accept WebDAV connections from web
clients.
Using the remote SMB share option to index SharePoint documents
Enable WebDAV for SharePoint

1. Log on to the SharePoint system where you want to enable WebDAV.
2. Open the Internet Information Services (IIS) Manager console.
3. Select the server name in the IIS tree.
4. Expand the tree, click the Web Sites folder and expand it.
5. Select the SharePoint instance from the list.
6. Right-click the SharePoint instance and select New > Virtual Directory.
7. The Virtual Directory Creation Wizard appears. Click Next.
8. Enter a name in the Alias field (such as "WebDAV") and click Next.
9. Enter a directory path in the Web Site Content Directory field. It can be any directory path as long as it exists. Click
Next.
10. Select Read access and click Next.
11. Click Finish.
12. Right-click the virtual directory that you created and select Properties.
13. In the Virtual Directory tab, select the option "A redirection to a URL" and click Create. The alias name is populated
in the Application Name field.
14. Enter the SharePoint site URL in the "Redirect to" field and click OK. WebDAV is now enabled for this SharePoint
instance.

Troubleshooting SharePoint document indexing


If you cannot connect the Enforce Server computer to the SharePoint Server computer after enabling WebDAV, make
sure that you have started the WebClient service on the Enforce Server computer. You must start this service and test the
WebDAV connection before you configure IDM indexing.
Using the remote SMB share option to index SharePoint documents
If you plan to re-index SharePoint documents periodically as they are updated, it may be useful to map the remote
network resource to the local computer where the Enforce Server is installed. You can use the "net use" MS-DOS
command to map SharePoint using the UNC path. For example:

• net use
This command without parameters retrieves and displays a list of network connections.
• net use s: \\sharepoint_server\Shared Documents
This command assigns (maps) the SharePoint server to the local "S" drive.
• net use * \\sharepoint_server\Shared Documents
This command assigns (maps) the SharePoint server to the next available letter drive.
• net use s: /delete
This command removes the network mapping to the specified drive.

Filtering documents by file name


When you configure an Indexed Document Profile, you have the option of using filters to include or exclude documents
in your data source from being indexed. There are two types of file name filters: File Name Include Filters and File Name
Exclude Filters. Symantec recommends that if you choose to use file name filters you select either inclusion filters or
exclusion filters, but not both.

Filter documents from indexing to reduce false positives
File name filters distinguished describes the differences between the include and exclude filters for file names.

Table 501: File name filters distinguished

Filter Description

File Name Include Filters If the File Name Include Filters field is empty, matching is performed on all documents in the
document profile. If you enter anything in the File Name Include Filters field, it is treated as an
inclusion filter. In this case the document is indexed only if it matches the filter you specify.
For example, if you enter *.docx in the File Name Include Filters field, the system indexes only the
*.docx files in the document source.
File Name Exclude Filters The Exclude Filters field lets you specify the documents to exclude in the matching process.
If you leave the Exclude Filters field empty, the system performs matching on all documents in the
ZIP file or file share. If you enter any values in the field, the system scans only those documents that
do not match the filter.

The system treats forward slashes (/) and backslashes (\) as equivalent. The system ignores whitespace at the beginning
or end of the pattern. File name filtering does not support escape characters, so you cannot match on literal question
marks, commas, or asterisks.
File name filtering syntax describes the syntax accepted by the File Name Filters feature. The syntax for the Include and
Exclude filters is the same.

Table 502: File name filtering syntax

Operator Description

Asterisk (*) Represents any number of characters.


Question mark (?) Represents a single character.
Comma (,) and newline Represents a logical OR.

File name filter examples provides sample filters and descriptions of behavior if you enter them in the File Name Include
Filters field:

Table 503: File name filter examples

Filter string Description

*.txt,*.docx: The system indexes only .txt and .docx files in the ZIP file or file share, ignoring everything else.
?????.docx: The system indexes only files that have a five-character name and the .docx extension, such as hello.docx and stats.docx, but not good.docx or marketing.docx.
*/documentation/*,*/specs/*: The system indexes only files in two subdirectories below the root directory, one called "documentation" and the other called "specs."
*\scan_dir\l*.txt (example with wildcards and subdirectories): IDM indexing fails or ignores the filter setting if the File Name Include / Exclude filter string starts with an alphanumeric character and includes a wildcard, for example: l*.txt. The workaround is to configure the include/exclude filter with a leading wildcard, as in this example: *\scan_dir\l*.txt.
For example, the filter l*.txt does not work for the file path \\dlp.symantec.com\scan_dir\lincoln-LyceumAddress.txt. However, if the filter is configured as *\scan_dir\l*.txt, the indexer acknowledges the filter and indexes the file.

Filtering documents by file size
Filters let you specify documents to include or exclude from indexing. The types of filters include File Name Include Filters,
File Name Exclude Filters, and File Size Filters. You use file size filters to exclude files from the matching process based
on their size. Any files that match the size filters are ignored.
Filtering documents by file name
In the Size Filters fields, specify any restrictions on the size of files the system should index. In general you should use
only one type of file size filter.
Filter documents from indexing to reduce false positives
File size filter configuration options describes the file size filter options.

Table 504: File size filter configuration options

Filter Description

Ignore Files Smaller Than To exclude files smaller than a particular size:
• Enter a number in the field for Ignore Files Smaller Than.
• Select the appropriate unit of measure Bytes, KB (kilobytes), or MB (megabytes) from the
drop-down list.
For example, to prevent indexing of files smaller than one kilobyte (1 KB), enter 1 in the field and
select KB from the corresponding drop-down list.
Ignore Files Larger Than To exclude files larger than a particular size:
• Enter a number in the field for Ignore Files Larger Than.
• Select the appropriate unit of measure (Bytes, KB, or MB) from the drop-down list.
For example, to prevent indexing of files larger than two megabytes (2 MB), enter 2 in the field
and select MB from the corresponding drop-down list.
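The following Python model of the file name filters (Tables 501 to 503) and the file size filters (Table 504) is an added example, not product code, that lets you test a filter string against sample paths before you put it in a document profile. It assumes that a pattern is matched against the whole path after backslashes are normalised to forward slashes, that matching is case-sensitive (the product's behaviour is not stated here), and that a file is indexed when it matches any include pattern (or there are none), matches no exclude pattern, and is not caught by a size filter. The sample paths in the usage block are constructed.

```python
"""Model of the IDM File Name Include/Exclude filters and file size filters.
Added example; the Enforce Server's own matcher is not exposed."""
import re

UNITS = {"Bytes": 1, "KB": 1024, "MB": 1024 * 1024}  # units offered in the size filter drop-down


def parse_filter(text):
    """Split a filter field on commas and newlines (logical OR), trimming whitespace
    at the beginning and end of each pattern, as the documentation describes."""
    return [p.strip() for p in re.split(r"[,\n]", text or "") if p.strip()]


def pattern_to_regex(pattern):
    """Translate one filter string: '*' is any run of characters, '?' exactly one
    character, '/' and '\\' are equivalent. There are no escape characters, so a
    literal '*' or '?' cannot be expressed."""
    pattern = pattern.replace("\\", "/")
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Assumption: case-sensitive, whole-path match.
    return re.compile("^" + "".join(parts) + "$")


def name_matches(path, patterns):
    """True when the normalised path matches any of the patterns."""
    path = path.replace("\\", "/")
    return any(pattern_to_regex(p).match(path) for p in patterns)


def should_index(path, size_bytes, include="", exclude="",
                 ignore_smaller=None, ignore_larger=None):
    """Apply the include, exclude and size filters to one file.
    ignore_smaller / ignore_larger are (number, unit) pairs such as (1, "KB")."""
    inc, exc = parse_filter(include), parse_filter(exclude)
    if inc and not name_matches(path, inc):
        return False
    if exc and name_matches(path, exc):
        return False
    if ignore_smaller and size_bytes < ignore_smaller[0] * UNITS[ignore_smaller[1]]:
        return False
    if ignore_larger and size_bytes > ignore_larger[0] * UNITS[ignore_larger[1]]:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample paths; the last pair reproduces the leading-wildcard workaround.
    samples = [
        ("research/notes.txt", "*.txt,*.docx"),
        ("hello.docx", "?????.docx"),
        ("root/specs/api.md", "*/documentation/*,*/specs/*"),
        (r"\\dlp.symantec.com\scan_dir\lincoln-LyceumAddress.txt", "l*.txt"),
        (r"\\dlp.symantec.com\scan_dir\lincoln-LyceumAddress.txt", r"*\scan_dir\l*.txt"),
    ]
    for sample_path, include_filter in samples:
        print(f"{include_filter!r:28} {sample_path!r}: {should_index(sample_path, 100, include=include_filter)}")
```

Because the model matches the whole path, a filter such as l*.txt only matches a bare file name, which is why the documented workaround of prefixing the directory part with * is needed for files under a share.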

Scheduling Document Profile Indexing


When you configure a document profile, select Submit Indexing Job on Save to index the document profile when you
save it. Alternatively, you can set up a schedule for indexing the document source.
To schedule document indexing, check Submit Indexing Job on Schedule and select a schedule from the drop-down list
as described in Options for scheduling Document Profile indexing.
NOTE
The Enforce Server can index only one document profile at a time. If one indexing process starts while another
indexing process is running, the new process begins when the first process completes.

Table 505: Options for scheduling Document Profile indexing

Parameter Description

Once On – Enter the date to index the document profile in the format MM/DD/YY. You can also click the date
widget and select a date.
At – Select the hour to start indexing.
By Minute At – Select the minute frequency to start indexing.
Until – Select this check box to specify a date in the format MM/DD/YY when the indexing should stop. You
can also click the date widget and select a date.


Hourly At – Select the hourly frequency to start indexing.


Until – Select this check box to specify a date in the format MM/DD/YY when the indexing should stop. You
can also click the date widget and select a date.
Daily At – Select the hour to start indexing.
Until – Select this check box to specify a date in the format MM/DD/YY when the indexing should stop. You
can also click the date widget and select a date.
Weekly Day of the week – Check the days to index the document.
At – Select the hour to start indexing.
Until – Check the box to specify a date in the format MM/DD/YY when the indexing should stop. You can
also click the date widget and select a date.
Monthly Day – Enter the number of the date of each month when you want the indexing to occur. The number must
be 1 through 28.
At – Select the hour to start indexing.
Until – Select this check box to specify a date in the format MM/DD/YY when the indexing should stop. You
can also click the date widget and select a date.

Changing the Default Indexer Properties


The server index contains the MD5 fingerprint of each file that has been indexed, either raw binary or exact extracted
content if the contents of the file can be extracted, and hashes of discrete passages of content.
Using IDM to detect exact and partial file contents
The size of the passages depends on the low_threshold_k setting in the indexer properties file (\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\indexer.properties).
Generally, there is no need to change the default settings. When you lower the default minimum, the Enforce Server
creates hashes out of smaller sections of the documents it indexes.
The default settings apply to the Whitelisted.txt file as well. If the amount of content you need to whitelist is less than
the minimum amount required for partial matching, you can adjust the default minimum setting.
To change the default minimum for whitelisted text
1. On the Symantec Data Loss Prevention host, navigate to directory \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config on Windows, or /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config on Linux.
2. Use a text editor to open the file Indexer.properties.
3. Locate the parameter low_threshold_k:
low_threshold_k=50

4. Change the numerical portion of the parameter value to reflect the wanted minimum number of characters that are
allowed in Whitelisted.txt.
For example, to change the minimum to 30 characters, modify the value to look like the following:
low_threshold_k=30

The value for this parameter must match the min_normalized_size value. The default for
min_normalized_size is 50.
5. Save the file.

For more information on IDM configuration and customization, see the article "Understanding IDM configuration and
customization" at http://www.support.symantec.com at the Symantec Support Center.
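The procedure above requires low_threshold_k and min_normalized_size to carry the same value. The following Python script is an added example, not part of the product, that changes both keys together and verifies that they agree, so that a manual edit cannot leave them mismatched. It assumes the properties file uses plain key=value lines as shown in the procedure; the path constant is the Windows default from the procedure, and the excerpt in SAMPLE is constructed.

```python
"""Keep low_threshold_k and min_normalized_size in step in Indexer.properties.
Added example; it is not shipped with Symantec Data Loss Prevention."""
import re

# Windows default from the procedure; on Linux the directory is
# /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config
PROPERTIES_PATH = (r"C:\Program Files\Symantec\DataLossPrevention\EnforceServer"
                   r"\16.0.10000\Protect\config\Indexer.properties")
LINKED_KEYS = ("low_threshold_k", "min_normalized_size")  # must hold the same value


def read_property(text, key):
    """Return the integer value of a key=value line, or None if the key is absent."""
    m = re.search(rf"^[ \t]*{re.escape(key)}[ \t]*=[ \t]*(\d+)[ \t]*$", text, re.MULTILINE)
    return int(m.group(1)) if m else None


def set_property(text, key, value):
    """Rewrite the first key=value line in place, or append the key if it is missing."""
    pattern = rf"^([ \t]*{re.escape(key)}[ \t]*=[ \t]*)\d+[ \t]*$"
    if re.search(pattern, text, re.MULTILINE):
        return re.sub(pattern, lambda m: f"{m.group(1)}{value}", text, count=1, flags=re.MULTILINE)
    sep = "" if text.endswith("\n") or not text else "\n"
    return f"{text}{sep}{key}={value}\n"


def set_whitelist_minimum(text, minimum):
    """Set the minimum passage size used for partial matching and Whitelisted.txt;
    both linked keys are written so they cannot drift apart."""
    if minimum < 1:
        raise ValueError("minimum must be a positive number of characters")
    for key in LINKED_KEYS:
        text = set_property(text, key, minimum)
    return text


def check_consistency(text):
    """True when both linked keys are present and equal."""
    values = [read_property(text, key) for key in LINKED_KEYS]
    return None not in values and values[0] == values[1]


def update_file(path, minimum):
    """Apply set_whitelist_minimum to a properties file on disk."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    with open(path, "w", encoding="utf-8") as f:
        f.write(set_whitelist_minimum(text, minimum))


# Constructed excerpt showing the default values; not the shipped file.
SAMPLE = "# constructed excerpt\nlow_threshold_k=50\nmin_normalized_size=50\n"

if __name__ == "__main__":
    updated = set_whitelist_minimum(SAMPLE, 30)
    print(updated, "consistent:", check_consistency(updated))
```

Call update_file(PROPERTIES_PATH, 30) on the Enforce Server host to apply the change from the procedure; the indexer reads the file on its next run, so reindex the document profiles afterwards as the surrounding text describes.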

Enabling Agent IDM
You enable exact and partial match IDM on the Windows endpoint by setting the advanced agent configuration parameter
Detection.TWO_TIER_IDM_ENABLED.str to OFF. Once two-tier detection is OFF, the DLP Agent performs exact and
partial file and exact and partial file contents matching, assuming you have generated the endpoint index.
NOTE
Two-tier deployment is not supported on the Mac Agent.
Creating and modifying Indexed Document Profiles
For new installations, exact and partial match IDM on the endpoint is the default setting for the default endpoint agent
configuration (TWO_TIER_IDM_ENABLED = OFF); you do not need to enable it.
For upgraded systems, exact and partial match IDM on the endpoint is disabled (TWO_TIER_IDM_ENABLED = ON) so
that there is no change in functionality for existing IDM policies deployed to the endpoint. If you want to use exact match
IDM on the endpoint after upgrade, you need to turn off two-tier detection and reindex each document data source.
To turn two-tier detection on or off
1. Log on to the Enforce Server administration console.
2. Navigate to System > Agents > Agent Configuration.
3. Select the applicable agent configuration.
4. Select the Advanced Agent Settings tab.
5. Locate the Detection.TWO_TIER_IDM_ENABLED.str parameter.
6. Change the value to either "ON" or "OFF" (case insensitive) depending on your requirements.
Advanced agent settings for exact match IDM on the endpoint
7. Click Save at the top of the page to save the changes.
8. Apply the agent configuration to the agent group or groups.

Table 506: Advanced agent settings for exact match IDM on the endpoint

Advanced Agent Setting parameter: Detection.TWO_TIER_IDM_ENABLED.str

Value: OFF
Default: New installation or system upgrade from 12.5 or later.
Detection engine: DLP Agent
Matching type: Exact file; Partial file contents

Value: ON
Default: System upgrade from 12.0.x
Detection engine: Endpoint Server
Matching type: Exact file; Exact file contents; Partial file contents

Estimating endpoint memory use for agent IDM


For partial matching, DLP requires about 2 KB of RAM per file, or about 60 MB for 30,000 files for the agent. For exact
matching only, DLP requires about 40 bytes per file.
About the server index files and the agent index files

Configuring the Content Matches Document Signature policy condition
The Content Matches Document Signature From condition matches unstructured document content that is based on the Indexed Document Profile. The Content Matches Document Signature From condition is available for detection rules and exceptions.
About using the Content Matches Document Signature policy condition
To configure the Content Matches Document Signature condition.
1. Add an IDM condition to a policy rule or exception, or modify an existing one.
Configuring policies
Configuring Policy Rules
Configuring policy exceptions
2. Configure the IDM condition parameters.
Content Matches Document Signature condition parameters
3. Save the policy configuration.

Table 507: Content Matches Document Signature condition parameters

Action Description

Set the Minimum Document Exposure: Select an option from the drop-down list. Choose Exact to match document contents exactly. Choose a percentage between 10% and 90% to match document contents partially.
Configure Match Counting: Select how you want to count matches:
• Check for existence
Reports a match count of 1 if there are one or more condition matches.
• Count all matches
Reports a match count of the exact number of matches.
Configuring Match Counting
Select the components to Match On: Select one of the available message components to match on:
• Body – The content of the message.
• Attachments – Any files that are attached to the message or transferred by the message.
Selecting components to match on
Configure other conditions to Also Match: Select this option to create a compound rule. All conditions must be met to trigger or except a match. You can Add any available condition from the drop-down menu.
Test and tune the policy:
Test and tune policies to improve match accuracy
Use parallel IDM rules to tune match thresholds
Troubleshooting policies

Best Practices for Using IDM


Indexed Document Matching (IDM) is designed to protect document content and images. IDM relies on an index of
fingerprinted documents to perform partial and derivative text-based content matching. In addition, you can also use
IDM to match indexed documents exactly based on their binary stamp, including not only text-based documents but also
graphics and media files.
IDM policy best practices summarizes the IDM considerations that are discussed in this section, with links to individual
topics for each.

Table 508: IDM policy best practices

Consideration: Reindex IDM profiles after upgrade.
See: Reindex IDM profiles after upgrade

Consideration: Do not compress documents whose content you want to fingerprint.
See: Do not compress files in the document source

Consideration: Prefer partial matching over exact matching on the DLP Agent.
See: Prefer partial matching over exact matching on the DLP Agent

Consideration: Do not index empty text-based documents.
See: Do not index empty documents

Consideration: Be aware of the limitations of exact matching.
See: Understand limitations of exact matching

Consideration: Use white listing to exclude partial file contents from matching and reduce false positives.
See: Use white listing to exclude non-sensitive content from partial matching

Consideration: Filter non-critical documents from indexing to reduce false positives.
See: Filter documents from indexing to reduce false positives

Consideration: Change the index max size to index more than 1,000,000 documents.
See: Create separate profiles to index large document sources

Consideration: Use scheduled indexing to automate profile updates.
See: Use scheduled indexing to keep profiles up to date

Consideration: Use multiple IDM rules in parallel to establish and tune match thresholds.
See: Use parallel IDM rules to tune match thresholds

Reindex IDM profiles after upgrade


You must update each Indexed Document Matching profile by reindexing each associated data source after performing an
upgrade of Symantec Data Loss Prevention.
If you have upgraded Symantec Data Loss Prevention and you want to use partial-match IDM on the endpoint for existing
IDM policies, you must reindex the data source for each Indexed Document Profile so that each endpoint index is
generated and deployed to DLP Agents.
Enabling Agent IDM

Do not compress files in the document source


For file formats whose content can be extracted, the server indexing process opens the document, extracts the text-
based content, and fingerprints the data in full and in part (sections). However, the indexing process cannot recursively
inspect document archives that are contained in the document set. If a document whose file contents you want to index
is compressed in an archive file (such as ZIP, RAR, or TAR) within the document data source, the system cannot extract
the contents from the file and index its content. In this case, the system only takes a cryptographic hash of the binary file
signature. The embedded file is considered for exact file matches only, like image files and other unsupported file formats.
This behavior is specific to the design-time indexing process only. At run-time the detection server does recursively
inspect document archives and extract the text of files contained in those archives. But, to be able to evaluate such
content, the IDM index must have been able to index all content files.
The best practice is not to include any files whose content you want to index in a document archive. The lone exception
is the document archive ZIP file that you upload or copy to the Enforce Server that contains the entire document set. All
files in that container file must be uncompressed. If the Document Archive uploaded to the Enforce Server for indexing
contains one or more embedded archive files (such as a ZIP), the system performs an exact binary match on any file
contained in the embedded archive file
Creating and modifying Indexed Document Profiles

Do not index empty documents
You should be careful about the documents you index. In particular, avoid indexing blank or empty documents.
For example, indexing a PPTX file that contains only photographs or other graphical content but no textual content matches
other blank PPTX files exactly and produces false positives. In this case, even though the PPTX file contains no user-
entered text, the file does contain header and footer placeholder text that the system extracts as file contents. Because
the amount of text extracted and normalized is more than 50 non-whitespace characters, the system treats the file as not
binary and creates a cryptographic hash of all of the extracted contents. As a result, all other blank PPTX files produce exact
file contents matches because the resulting MD5 of the extracted content is the same.
NOTE
This behavior has not been observed with XLSX files; that is, false positives do not get created if the blank files
are different.
Using IDM to detect exact and partial file contents

Prefer partial matching over exact matching on the DLP Agent


If you are deploying IDM policies to the endpoint, partial match IDM is recommended. The main advantage of partial match
IDM on the endpoint is that matching is fast because it is done locally by the agent instead of remotely by the server. In
addition, partial match IDM lets you use response rules directly on the endpoint.
Types of IDM detection

Understanding the Limitations of Exact Matching


An exact match means just that: inbound data must match the MD5 fingerprint of either the binary file signature or the
extracted and normalized file contents.
Supported forms of matching for IDM
Consider the following when implementing server exact match IDM:
• Safe listing only applies to partial file contents matching.
• For binary files and text-based files coming into the detection engine for exact file matching, as an optimization the
system checks the byte size of the file before computing the run-time MD5 for comparison against the index. The file
byte sizes must match to compare the cryptographic hashes.
• File type is never checked for exact file or exact file contents matching.
• Some file formats change the byte size of a file if the file is opened by the native application and then saved without
changes. This results in the file not matching exactly. For example, if you open a file such as a JPEG image with
Windows Picture and Fax Viewer and save the file without making changes, the binary size of the file is nonetheless
changed, resulting in no exact match.
• For some applications, the Windows Print operation may alter the file data such that extracted file contents does not
match exactly. Known file types that are affected by this include Microsoft Office documents.
Limitations of exact file content matching lists some known limitations with exact content matching. This list is not
exhaustive and there may be other file formats that change on resave.

Table 509: Limitations of Exact File Content Matching

File type   Application                       Result on Resave
dwg         AutoCAD 2012                      Does not match
jpeg        Windows Picture and Fax Viewer    Does not match
doc         Microsoft Office Word 2007        Does not match
xls         Microsoft Excel 2007              Does not match
ppt         Microsoft Presentation 2007       Does not match
pdf         Adobe Acrobat 9 Pro               Does not match
docx        Microsoft Office Word 2007        Matches
xlsx        Microsoft Excel 2007              Matches
pptx        Microsoft Presentation 2007       Matches
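The following Python script is an added illustration of the exact-match behaviour described above; it is not part of the Symantec documentation or of the product. It models an exact file index the way the preceding bullets describe it: the index stores the byte size and the MD5 of each file, the byte size is compared before any hash is computed, and a resaved file that differs by even one byte can no longer match. It also models the separate "exact file contents" case, where the hash is taken over extracted, normalized text. The file names, the byte strings and the whitespace-collapsing, case-folding normalization are constructed assumptions for the illustration; the product's real normalization rules are not stated on this page.

```python
import hashlib
from typing import Dict, Optional, Tuple


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string; the index and the run-time check both use it."""
    return hashlib.md5(data).hexdigest()


def normalize_text(text: str) -> str:
    """Assumed normalization for 'exact file contents' matching: collapse
    runs of whitespace and ignore case. The product's actual rules are not
    specified on this page, so this is an illustration only."""
    return " ".join(text.split()).lower()


class ExactFileIndex:
    """Exact binary-file index keyed by byte size first, then by MD5."""

    def __init__(self) -> None:
        self._by_size: Dict[int, Dict[str, str]] = {}

    def add(self, name: str, data: bytes) -> None:
        self._by_size.setdefault(len(data), {})[md5_hex(data)] = name

    def lookup(self, data: bytes) -> Tuple[Optional[str], bool]:
        """Return (matched name or None, whether a hash was computed).
        The size check runs first: when no indexed file has the same byte
        size, the run-time MD5 is never calculated."""
        candidates = self._by_size.get(len(data))
        if not candidates:
            return None, False
        return candidates.get(md5_hex(data)), True


class ExactContentsIndex:
    """Exact file contents index: MD5 of extracted, normalized text, so the
    same text pasted into an email body or saved as a PDF still matches."""

    def __init__(self) -> None:
        self._by_digest: Dict[str, str] = {}

    def add(self, name: str, extracted_text: str) -> None:
        self._by_digest[md5_hex(normalize_text(extracted_text).encode("utf-8"))] = name

    def lookup(self, extracted_text: str) -> Optional[str]:
        return self._by_digest.get(md5_hex(normalize_text(extracted_text).encode("utf-8")))


# Constructed sample data (not real files): a fake image and a fake document text.
ORIGINAL_IMAGE = b"\xff\xd8\xff\xe0" + b"pixels" * 64 + b"\xff\xd9"
IDENTICAL_COPY = bytes(ORIGINAL_IMAGE)
# A viewer "resaved" the image: trailing metadata was rewritten and the size grew.
RESAVED_IMAGE = ORIGINAL_IMAGE[:-2] + b"\x00" * 16 + b"\xff\xd9"
# Same byte size as the original, one byte changed: the hash is computed and fails.
SAME_SIZE_OTHER = ORIGINAL_IMAGE.replace(b"pixels", b"pixelz", 1)
CONTRACT_TEXT = "Master Services Agreement\n\nTerm: 36 months.\n"


def build_demo_indexes() -> Tuple[ExactFileIndex, ExactContentsIndex]:
    files = ExactFileIndex()
    files.add("logo.jpg", ORIGINAL_IMAGE)
    contents = ExactContentsIndex()
    contents.add("msa.docx", CONTRACT_TEXT)
    return files, contents


if __name__ == "__main__":
    files, contents = build_demo_indexes()
    for label, blob in [("identical copy", IDENTICAL_COPY),
                        ("resaved (size changed)", RESAVED_IMAGE),
                        ("same size, one byte changed", SAME_SIZE_OTHER)]:
        print(f"{label}: {files.lookup(blob)}")
    print("pasted into email:", contents.lookup("master services   agreement term: 36 months."))
    print("one term changed:", contents.lookup("Master Services Agreement Term: 24 months."))
```

The second return value of `lookup` makes the optimization visible: the resaved image is rejected without a hash ever being computed, while the same-size variant is hashed and then rejected. A policy that relies on exact matching therefore cannot tolerate any resave of the protected file, which is why the table above matters when choosing between exact and partial matching.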

Use Safe Listing to Exclude Non-Sensitive Content from Partial Matching


Safe listing is designed to let you exclude partial file contents from matching. You use safe listing to exclude headers,
footers, and boilerplate content from partial matching and reduce false positives. Information that is contained in document
headers and footers is likely to cause false positives. Likewise boilerplate text, such as standard language and non-
proprietary corporate content that is often repeated across confidential documents can cause false positives.
Ideally, you should remove headers and footers from documents before you index them. However, this may not be
feasible, especially if you have a large document set. As a best practice, you should safe list header, footer, and
boilerplate content. When you safe list this text, it is excluded when the server index is generated. If you use safe listing,
you can lower the Minimum Document Exposure setting in the policy without increasing false positives. In this case,
more of the content that is indexed is confidential data, instead of common, repeated content.
NOTE
Safe listing does not apply to exact file or exact file contents matching.
About Safe Listing Partial File Contents
Safe Listing File Contents to Exclude from Partial Matching

Filter documents from indexing to reduce false positives


When you configure an Indexed Document Profile, you have the option of using filters to include or exclude documents in
your data source for indexing. There are two types of filters: file name and file size.
Creating and modifying Indexed Document Profiles
You use filtering to filter non-critical documents from indexing and ensure that your index is protecting only confidential
files and file contents. Filtering helps reduce false positives and decrease the size of the IDM index.
Do not index empty documents
The best practice is to use either an exclusion filter or an inclusion filter for each filter type, but not both. For example, you
may not need to index all of the files you include in a document archive or expose to the system by file share. In this case,
you can enumerate the files you want to include (inclusion filter) or list the file types you want to exclude from indexing
(exclusion filter), but you should not use both. You can also use file size filters to set a threshold for the file size to include
or exclude in the index.
Filtering documents by file name
Filtering documents by file size

Distinguish IDM Exceptions from Safe Listing and Filtering
Safe listing lets you exclude partial file contents from matching. Filtering lets you exclude specific documents from the
indexing process. IDM exceptions, on the other hand, let you except indexed files from exact matching at runtime.
You use the IDM condition as a policy exception to exclude files from detection. To be excepted from matching, an
inbound file must be an exact match with a file in the IDM index. You cannot use IDM exceptions to exclude content from
matching. To exclude content, you must safe-list it.
NOTE
Safe listing is not available for exact file or file contents matching; it is only available for partial content matching.

Table 510: Safe Listing, Filters, and Exceptions Distinguished

IDM Configuration: Exception
Use: Except exact files from matching. As an example, the CAN-SPAM Act policy template uses an IDM exception.

IDM Configuration: Safe listing
Use: Except file contents from matching. See Use safe listing to exclude non-sensitive content from partial matching.

IDM Configuration: Filtering
Use: Include or exclude files from the index. See Filter documents from indexing to reduce false positives.

Create separate profiles to index large document sources


IDM detection is based on an Indexed Document Profile. The maximum single IDM profile size in RAM is 2 GB.
This maximum size limit is based on the overall number of the documents being indexed. Depending on the
size of the actual source files and their extracted text size, this translates into approximately 1,000,000 files.
You can change the 2 GB maximum size of a single IDM profile index in the indexer.properties file using
com.vontu.profiles.documents.maxIndexSize.

About the document data source


If you need to index more than 1,000,000 files, the best practice is to organize the documents into separate ZIP files or
share directories. You should create a separate Indexed Document Profile for each individual document set. Then, you
can define separate rules that reference each index and add the rules to one or more policies.

Use WebDAV or CIFS to index remote document data sources


For smaller document sets (50 MB or less), you can upload the files to the Enforce Server. For larger document sets,
consider using FTP Secure to upload the files to the Enforce Server.
Alternatively, you can remotely index documents that are stored on a file share that supports the CIFS protocol, or on a
web server that supports the WebDAV protocol, such as Microsoft SharePoint or OpenText Livelink.
About indexing remote documents

Use scheduled indexing to keep profiles up to date


You can use index scheduling to keep your IDM profiles up to date. The initial index scans all the documents to be
indexed. Any subsequent index only scans the differences between the two. You should schedule indexing outside of
normal business hours to reduce any potential effect on the system.
Scheduling document profile indexing

Before you set up an indexing schedule, consider the following recommendations:
• If you update your document sources occasionally (for example, less than once a month), there is no need to create a
schedule. Index the document each time you update it.
• Schedule indexing for times of minimal system use. Indexing affects performance throughout the Symantec Data Loss
Prevention system, and large documents can take time to index.
• Index a document as soon as you add or modify the corresponding document profile, and re-index the document
whenever you update it. For example, consider a situation where every Wednesday at 2:00 A.M. you update a
document. In this case scheduling the index process to run every Wednesday at 3:00 A.M. is optimal. Scheduling
document indexing daily is not recommended because that is too frequent and can degrade server performance.
• Monitor results and modify your indexing schedule accordingly. If performance is good and you want more timely
updates, schedule more frequent document updates and indexing.
• Symantec Data Loss Prevention performs incremental indexing. When a previously indexed share or directory
is indexed again, only the files that have changed or been added are indexed. Any files that are no longer in the
archive are deleted during this indexing. So a reindexing operation can run significantly faster than the initial indexing
operation.

Use parallel IDM rules to tune match thresholds


The primary use case for IDM policies is to detect unstructured document content based on a percentage match
requirement called the Minimum Document Exposure. This value is a configurable parameter that specifies the minimum
percentage of an indexed document's content that must be present in the message to produce a match. The IDM policy
default is "Exact," which means that, for text-based documents, all of the content of the indexed document must match the
fingerprint to create an incident. A Minimum Document Exposure setting of 10% means that, on average, one page of a
10-page document must match the IDM index to create an incident.
A message might contain much more content, but Symantec Data Loss Prevention protects only the content that is
indexed as part of a document profile. For example, consider a situation where you index a one-page document, and that
one-page document is included as part of a 100-page document. The 100-page document is considered an exact match
because its content matches the one-page document exactly. In addition, the matched document does not have to be of
the same file type or format as the indexed document. For example, if you index a Word document as part of a document
profile, and its contents are pasted into the body of an email message or used to create a PDF, the engine considers it a
match.
A rule of thumb for the Minimum Document Exposure setting is 60%. Minimum Document Exposures set to less
than 50% typically create many false positives. Starting with a rate of 60% should give you enough information to determine
whether you should go to a higher or lower match percentage without creating excessive false positives.
As an alternative, consider taking a tiered approach to establishing Minimum Document Exposure settings. For example,
you can create multiple IDM rules, each with a different threshold percentage, such as 80% for documents with a high
match percentage, 50% for documents with a medium match percentage, and 10% for documents with a low match
percentage. Using this approach helps you filter out false positives and establish an accurate Minimum Document Exposure
setting for each IDM index you deploy as part of your policies.
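The following Python script is an added illustration that covers both this section and the earlier section Use Safe Listing to Exclude Non-Sensitive Content from Partial Matching; it is not part of the Symantec documentation or of the product, whose fingerprinting algorithm is proprietary. It stands in for partial matching with a simple, assumed scheme (hashed word 3-grams), removes safe-listed boilerplate from the document before the index is built, computes the exposure of each message as the fraction of the indexed document's fingerprints that appear in the message, and then evaluates three parallel rules at 80%, 50% and 10%. The document text, the boilerplate phrase and the messages are constructed sample data.

```python
import hashlib
import re
from typing import Dict, List, Set

SHINGLE_WORDS = 3  # assumed fingerprint granularity: word 3-grams


def tokens(text: str) -> List[str]:
    """Lower-case word tokens; punctuation and layout are ignored."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprints(text: str, k: int = SHINGLE_WORDS) -> Set[str]:
    """Hash every k-word window of the text (an assumed fingerprint scheme)."""
    words = tokens(text)
    return {
        hashlib.md5(" ".join(words[i:i + k]).encode("utf-8")).hexdigest()
        for i in range(len(words) - k + 1)
    }


def apply_safelist(text: str, safelist: List[str]) -> str:
    """Strip safe-listed boilerplate before indexing, which is when the
    server excludes it; nothing is stripped from the inbound message."""
    for phrase in safelist:
        text = re.sub(re.escape(phrase), " ", text, flags=re.IGNORECASE)
    return text


def build_index(document: str, safelist: List[str]) -> Set[str]:
    return fingerprints(apply_safelist(document, safelist))


def exposure(index: Set[str], message: str) -> float:
    """Fraction of the indexed document's fingerprints found in the message."""
    if not index:
        return 0.0
    return len(index & fingerprints(message)) / len(index)


# Parallel IDM rules with tiered Minimum Document Exposure thresholds.
PARALLEL_RULES: Dict[str, float] = {"IDM high": 0.80, "IDM medium": 0.50, "IDM low": 0.10}


def matching_rules(exposure_value: float, rules: Dict[str, float] = PARALLEL_RULES) -> List[str]:
    """Names of the parallel rules whose threshold the exposure reaches."""
    return [name for name, threshold in rules.items() if exposure_value >= threshold]


# Constructed sample document and messages (not real data).
BOILERPLATE = "CONFIDENTIAL Acme Corp internal use only"
DOCUMENT = (
    f"{BOILERPLATE}. Project Falcon unit cost is 42 dollars, "
    f"margin target is 35 percent. {BOILERPLATE}."
)
FULL_PASTE = "fyi: Project Falcon unit cost is 42 dollars, margin target is 35 percent"
PARTIAL_PASTE = "The Project Falcon unit cost is 42 dollars"
BOILERPLATE_ONLY = f"{BOILERPLATE}. Lunch menu attached."


def demo() -> Dict[str, float]:
    """Exposure of each sample message against the safe-listed index and,
    for the boilerplate-only message, against an unfiltered index too."""
    with_safelist = build_index(DOCUMENT, [BOILERPLATE])
    without_safelist = build_index(DOCUMENT, [])
    return {
        "full_paste": exposure(with_safelist, FULL_PASTE),
        "partial_paste": exposure(with_safelist, PARTIAL_PASTE),
        "boilerplate_only_safelisted": exposure(with_safelist, BOILERPLATE_ONLY),
        "boilerplate_only_unfiltered": exposure(without_safelist, BOILERPLATE_ONLY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.0%} -> {matching_rules(value)}")
```

With the boilerplate safe-listed, the confidential sentence gives 100% exposure whether it arrives alone or inside a longer email, the half sentence gives 50%, and a message that carries only the classification banner gives 0%. Without the safe list the banner alone exceeds 10% (4 of 18 fingerprints), which is exactly the false positive the 10% tier would surface and the 60% rule of thumb would avoid.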

About the Remote IDM Indexer


The Remote IDM Indexer is a standalone tool. With it you can index your confidential documents and files locally on the
systems where these files are stored. The Remote IDM Indexer frees you from having to collect and copy all the files to
the Enforce Server host for indexing.
The Remote IDM Indexer generates a preindex file ( *.prdx) that is encrypted and password protected. You upload the
preindex file to the Enforce Server host for final index generation and deployment.

The Remote IDM Indexer is supported on Windows and Linux platforms. The tool is configured using a command line
interface (CLI) or a properties file. On Windows, you can use the graphical user interface (GUI) edition of the tool to
configure it.
You can integrate the tool with external systems to schedule indexing. In addition, you can incrementally index a data
source by specifying an existing *.prdx file when you run the tool.

Table 511: Remote IDM Indexer features

Feature: Familiar installation
Description: DLP installers for Windows and Linux

Feature: Various configuration options
Description: Properties file (default); command-line interface (CLI); graphical user interface (GUI, Windows only)

Feature: Secure preindex file
Description: Password protected; encrypted data contents

Feature: Incremental indexing
Description: Ability to load an existing preindex and scan only new or updated files

Feature: Scheduled indexing
Description: Windows Task Scheduler; Linux cron job

Feature: Secure upload to Enforce
Description: UI for uploading the preindex to the Enforce Server. The user must provide the password to complete the
indexing process.

Installing the Remote IDM Indexer


You install the Remote IDM Indexer on one or more systems where the confidential files that you want to index are stored.
You can install the Remote IDM Indexer on all supported Windows and Linux platforms. See DLP System
Requirements for platform details.
NOTE
You must be logged on as Administrator (Windows) or root (Linux) to install the Remote IDM Indexer. You
must follow a workaround procedure to assure that users other than administrator or root can run the Remote
Indexers. See Permissions for users to run the remote indexers (EDM) for more details.
Installing the Remote IDM Indexer
1. Copy the appropriate Indexers.msi (Windows) or SymantecDLPIndexers.zip (Linux) application to the remote
system.
Remote IDM Indexer installers lists the Remote IDM Indexer installer applications.
2. Run the Indexers.msi or SymantecDLPIndexers.zip application.
See Installing DLP for installation details.
3. Select the Indexer option and deselect the other options.
NOTE
The Indexer includes both the Remote IDM Indexer and the Remote EDM Indexer.
See Remote EDM indexing for details on using the Remote EDM Indexer.

4. Verify installation of the Remote IDM Indexer.

Table 512: Remote IDM Indexer installers

Platform   Installer
Linux      SymantecDLPIndexers.zip
Windows    Indexers.msi

Table 513: Remote IDM Indexer editions

Platform: Linux
Edition: CLI
File path: /opt/Symantec/DataLossPrevention/Indexers/16.0.10000/Protect/bin/
Executable: RemoteIDMIndexer

Platform: Windows
Edition: CLI
File path: \Symantec\Data Loss Prevention\Indexers\16.0.10000\Protect\bin\
Executable: RemoteIDMIndexer.exe

Platform: Windows
Edition: GUI
File path: \Symantec\Data Loss Prevention\Indexers\16.0.10000\Protect\bin\
Executable: RemoteIDMIndexerUI.exe

Setting up permissions for users to run the remote indexers


You must be logged on as Administrator (Windows) or root (Linux) to install the remote indexers.
On Linux, there is an issue that prevents you from logging on as "SymantecDLP."
If you create a system user manually, you can log on, get the index file, and load the index file into the Enforce Server.
However, when you attempt to access the error log for the indexer on Linux, you get an error.
Workaround for Linux:
Log on as "root." Then use the su command to switch users and run the remote indexers. Once you switch users, and run
the remote indexer as this user, you can get the index file.
There are two other issues you face when you run the remote indexer as a user other than "root."
1. The /opt/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/index is not created, so
you have to create it manually. Once you run the indexer as "root," non-root users can automatically create the index.
2. You will not be able to access the log folder. When you try to access the log folder, you get this error:
Can't load log handler "java.util.logging.FileHandler" java.nio.file.AccessDeniedException: /var/log/Symantec/
DataLossPrevention/Indexers/16.0.10000/debug/Indexer0.log.

Indexing the Document Data Source Using the GUI Edition (Windows only)
To configure the UI edition of the Remote IDM Indexer, you enter the parameters into the required fields. Optionally you
can provide additional parameters, such as a safe list file for filters.
On successful completion of indexing, the preindex file ( *.prdx) is generated. You move this file to the Enforce Server to
complete the indexing process.
Remote IDM Indexer GUI edition shows the GUI edition of the Remote IDM Indexer.
Configuring the Remote IDM Indexer using the GUI edition provides instructions for configuring the GUI edition of the
Remote IDM Indexer.

Table 514: Configuring the Remote IDM Indexer using the GUI edition

Step 1: Enter the Source URI path.
The source URI is the local file path (directory folder) where the files to be indexed are stored. It can also be a shared
file system path accessible by the host. The files to be indexed should not be encapsulated. If the document data source
requires credentials, you provide them in the URI Credentials section.

Step 2: Enter the Output File name.
Specify the file path and name for the preindex file that the tool generates. Include the *.prdx file extension when you
specify the output file name.

Step 3: Optionally, enter the safe list file path.
Specify the file path to the safelist.txt file. Text in the safe list file is ignored during detection for server-based partial
matching.

Step 4: Optionally, enter one or more File Name Filters.
Enter one or more file names to include for indexing or to exclude from indexing. The File Name Include Filter includes
the named files for indexing. The File Name Exclude Filter excludes the named files from indexing. The format for the
include and exclude filters accepts both comma-separated and newline-separated values. If you use a filter, use one type
but not both. For example, if you choose to use a file name include filter, do not also provide a file name exclude filter.

Step 5: Optionally, enter a File Size Filter.
If you choose Ignore Files Smaller Than, files under the specified size are not indexed. If you choose Ignore Files Larger
Than, files over the specified size are not indexed.

Step 6: Optionally, click Always keep files.
Click Always keep files:
• When you want to incrementally add multiple data sources to the same pre-index file.
• If you have a folder with content that gets moved and want to keep the old content in the pre-index file.

Step 7: Click Run to index the data source immediately.
Click Run to start the indexing process. Alternatively, you can click Schedule to schedule indexing. The tool opens the
Windows Task Utility. See Scheduling remote indexing with the Remote IDM Indexer app for Windows.

Step 8: Enter the Password for the pre-index file.
For security purposes you must provide a password for the pre-index file. The password must meet one of the following
requirements:
• ASCII password: a minimum of 10 characters, with at least one upper case letter, one lower case letter, and one number.
• Non-ASCII password: a minimum of 10 characters, including at least one number.
The preindex file is encrypted with the password you provide. The password you enter here is required to load the
preindex into the Enforce Server for indexing.

Step 9: Verify indexing progress.
When you click Run, the status bar shows the scanning completion percentage. In addition, the Progress section of the
interface provides the following information:
• Current Stage: Running, Completed, or Error.
• Progress: the total number of files indexed.
• Current File: the name of the file that is being indexed.

Indexing the document data source using the properties file


You can pass parameters to the Remote IDM Indexer using the properties file.
The properties file path is \Symantec\Data Loss Prevention\Indexer\16.0.10000\Protect\config
\remote_idm.properties (Windows) or /opt/Symantec/DataLossPrevention/Indexer/16.0.10000/
Protect/config/remote_idm.properties (Linux).
To index the data source using the properties file, you edit the file and provide the parameters. Then you run
the Remote IDM Indexer without any command-line arguments. In this case, the parameters are read from the
remote_idm.properties file. For example, using the following command without any arguments runs the tool which
reads the arguments from the properties file:
Symantec\Data Loss Prevention\Indexer\16.0.10000\Protect\bin\RemoteIDMIndexer

CAUTION
If you run the tool from the command line with arguments, those arguments overwrite the parameters in the
properties file.
Required property file parameters lists and describes the required parameters for running the Remote IDM Indexer using
the properties file.
Refer to the Symantec Data Loss Prevention Help Center for details on preparing the document data source for indexing.

Table 515: Required property file parameters

param.uri=
The local file path (directory folder) or shared directory where the files to be indexed are stored. If you want to index
files from a share, you must mount that share on the system that contains the indexer and specify the file path of that
share in param.uri. The files should not be encapsulated.

param.out=
The file path and name of the preindex file that the tool generates.

Optional property file parameters lists and describes optional parameters for running the Remote IDM Indexer from the
command line.

Table 516: Optional property file parameters

param.whitelist=
The full file path (including the name) to the allowlist.txt file. The allowlist file must be local to the Remote IDM
Indexer. Text in the allowlist file is ignored during detection for partial file contents matching.

param.include_filter=
The file type to include for indexing. Separate multiple file type entries with a comma.

param.exclude_filter=
The file type to exclude from indexing. Multiple values are comma-separated.

param.min_filesize_bytes=
The minimum file size filter. Files under the specified size are not indexed.

param.max_filesize_bytes=
The maximum file size filter. Files over the specified size are not indexed.

Scheduling remote indexing

Indexing the Document Data Source Using the CLI


The command line interface (CLI) lets you configure and run the Remote IDM Indexer from the command line.
You can pass parameters to the tool directly from the command line or using a properties file. Command line options
overwrite property file parameters.

This example passes arguments by way of the command line. In this case the properties file is ignored:
Symantec\Data Loss Prevention\Indexer\16.0.10000\Protect\bin>RemoteIDMIndexer -uri=\\10.66.195.173\remoteIDM\files -out=C:\temp\myRemoteIDMPreIndex.prdx

CAUTION
If you run the tool from the command line with arguments, those arguments overwrite the parameters in the
properties file.
Required CLI parameters lists and describes required parameters for running the Remote IDM Indexer from the command
line.
See Preparing the document data source for indexing for additional details.

Table 517: Required CLI parameters

-uri
The local file path (directory folder) or shared directory where the files to be indexed are stored. The files to be
indexed should not be encapsulated.

-out
The file path and name of the preindex file that the tool generates.

Optional CLI parameters lists and describes optional parameters for running the Remote IDM Indexer from the command
line.

Table 518: Optional CLI parameters

-whitelist
The full file path to the whitelist.txt file. The whitelist file must be local to the Remote IDM Indexer. Text in the
whitelist file is ignored during detection.

-include_filter
One or more file types to include for indexing. Separate multiple entries with a comma.

-exclude_filter
One or more file types to exclude from indexing. Separate multiple entries with a comma.

-min_filesize_bytes
The minimum file size filter. Files under the specified size are not indexed.

-max_filesize_bytes
The maximum file size filter. Files over the specified size are not indexed.

Scheduling remote indexing


You can schedule when indexing occurs using the Remote IDM Indexer.
On Windows you can create a batch file containing the tool execution command and any parameters. Then you can use
the Windows Task Scheduler to schedule when the Remote IDM Indexer tool runs. On Linux you can use a cron job
to schedule remote indexing. When you schedule remote indexing in one of the CLI versions, you must provide a UTF8-
encoded password file for the scheduled job. Access to this file should be limited to the appropriate user, such as your
Protect user. Include a path to this file using the appropriate option:

• Properties file: include the parameter param.index_password_file = <path_to_password_file> in the
remote_indexer.properties file.
• CLI: include the invocation parameter -index_password_file=<path_to_password_file> at the command
line.
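The following Python script is an added illustration of an unattended CLI run as described above; it is not part of the Symantec documentation or of the product. It checks a pre-index password against the policy stated in the GUI configuration table, writes the UTF-8 password file with permissions that restrict it to the account that runs the indexer, builds the RemoteIDMIndexer invocation as an argument list using the documented -uri, -out, -index_password_file and filter options, and emits a crontab line for the Wednesday 03:00 schedule used as an example earlier on this page. The install path, the source and output paths, the filter values (assumed to be file-name patterns) and the sample password are assumptions for the illustration.

```python
import os
import shlex
import stat
import tempfile
from typing import List, Optional

# Assumed install location; substitute your own (see the editions table).
INDEXER_BIN = "/opt/Symantec/DataLossPrevention/Indexers/16.0.10000/Protect/bin/RemoteIDMIndexer"


def password_meets_policy(password: str) -> bool:
    """Pre-index password rules as stated on this page: at least 10
    characters; an ASCII password also needs upper case, lower case and a
    digit; a non-ASCII password needs at least one digit."""
    if len(password) < 10 or not any(c.isdigit() for c in password):
        return False
    if password.isascii():
        return any(c.isupper() for c in password) and any(c.islower() for c in password)
    return True


def write_password_file(password: str, directory: Optional[str] = None) -> str:
    """Write the UTF-8 password file for a scheduled run. It is created
    with mode 0600 so only the account that runs the indexer can read it."""
    if not password_meets_policy(password):
        raise ValueError("password does not meet the pre-index file policy")
    directory = directory or tempfile.mkdtemp(prefix="idm-")
    path = os.path.join(directory, "idm_index_password.txt")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(password)
    return path


def file_mode(path: str) -> int:
    """Permission bits of a file, for verifying the password file."""
    return stat.S_IMODE(os.stat(path).st_mode)


def indexer_argv(uri: str, out: str, password_file: str,
                 include_filter: Optional[List[str]] = None,
                 exclude_filter: Optional[List[str]] = None,
                 min_bytes: Optional[int] = None, max_bytes: Optional[int] = None,
                 indexer_bin: str = INDEXER_BIN) -> List[str]:
    """Build the CLI invocation as an argv list (no shell, so paths with
    spaces or metacharacters cannot be misparsed). Command-line options
    override anything in the properties file."""
    if include_filter and exclude_filter:
        raise ValueError("use an include filter or an exclude filter, not both")
    argv = [indexer_bin, f"-uri={uri}", f"-out={out}", f"-index_password_file={password_file}"]
    if include_filter:
        argv.append("-include_filter=" + ",".join(include_filter))
    if exclude_filter:
        argv.append("-exclude_filter=" + ",".join(exclude_filter))
    if min_bytes is not None:
        argv.append(f"-min_filesize_bytes={min_bytes}")
    if max_bytes is not None:
        argv.append(f"-max_filesize_bytes={max_bytes}")
    return argv


def cron_line(argv: List[str], minute: int = 0, hour: int = 3, weekday: str = "3") -> str:
    """crontab entry; the default runs Wednesday at 03:00, one hour after
    the weekly 02:00 document update used as an example on this page."""
    return f"{minute} {hour} * * {weekday} {shlex.join(argv)}"


if __name__ == "__main__":
    pw_file = write_password_file("Example-Passw0rd-2024")  # sample password
    cmd = indexer_argv("/mnt/legal_share", "/var/tmp/legal.prdx", pw_file,
                       exclude_filter=["*.tmp", "*.bak"], max_bytes=50_000_000)
    print(cron_line(cmd))
```

Install the printed line with `crontab -e` as the account that owns the password file; the same argv list, joined for cmd.exe, is what a Windows batch file handed to Task Scheduler would contain. Keeping the invocation as a list rather than a pasted string also makes the include/exclude exclusivity rule from the GUI table enforceable before anything runs.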
If you use the Windows GUI version of the Remote IDM Indexer, you can schedule or edit a task directly from the tool. The
following screen shots illustrate the process.
To schedule indexing using the Windows GUI version
To edit an existing scheduled task using the Windows GUI

To schedule indexing using the Windows GUI version of the tool


1. Click Schedule to open the dialog.
2. Click Create to create a new scheduled task. Or, if you already have a task created, click Edit.
You are prompted to provide a UTF8-encoded password file in cleartext for the scheduled job. Access to this file
should be limited to the appropriate user, such as your Protect user.
3. Click Create.
4. Enter the user name and password for the Windows host where the Task Scheduler is installed.
When you enter the appropriate credentials (generally administrator privileges are required), the Remote IDM Indexer
creates a new task in the Windows Task Scheduler. The tool displays a dialog indicating that the task was successfully
created and provides you with the name of the task. (Figure: Successfully scheduled task dialog)
5. Click OK to close the dialog.
After you complete this operation, the Windows Task Scheduler interface appears.
6. Select the SymantecDLP folder in the Task Scheduler Library.
Notice to the right that there is a task created named "Remote IDM Indexer <time-stamp>". (Figure: Symantec DLP
scheduled task)
7. Double-click the created task.
This action brings up the Windows Task Scheduler properties dialog for this task. Use this dialog to schedule when
the Remote IDM Indexer should run. Refer to the Task Scheduler help for details on using the Windows Task
Scheduler.
To edit an existing scheduled task using the Windows GUI version of the tool
1. Click Schedule to open the dialog. (Figure: Scheduling indexing dialog)
2. Click Edit/Delete Existing Tasks.
This action opens the Windows Task Scheduler utility where you can edit or delete an existing scheduled task.

Scheduling remote indexing with the Remote IDM Indexer app for Windows

If you use the Windows GUI version of the Remote IDM Indexer, you can schedule or edit a task directly from the tool. The
following screen shots illustrate the process.
To schedule indexing using the Windows GUI version
1. Click Schedule to open the dialog. (Screen shot: Scheduling remote indexing with the Remote IDM Indexer app for
Windows)
2. Click Create to create a new scheduled task. Or, if you already have a task created, click Edit.
You are prompted to provide a UTF8-encoded password file in cleartext for the scheduled job. Access to this file
should be limited to the appropriate user, such as your Protect user.
Click Create and provide the credentials to the Windows host.
3. Enter the user name and password for the Windows host where the Task Scheduler is installed.
When you enter the appropriate credentials (generally administrator privileges are required), the Remote IDM Indexer
creates a new task in the Windows Task Scheduler. The tool displays a dialog indicating that the task was successfully
created and provides you with the name of the task. (Screen shot: Successfully scheduled task dialog)
4. Click OK to close the dialog.
After you complete this operation, the Windows Task Scheduler interface appears.
5. Select the SymantecDLP folder in the Task Scheduler Library.
Notice to the right that there is a task created named "Remote IDM Indexer <time-stamp>". (Screen shot: Symantec DLP
scheduled task)
6. Double-click the created task.
This action brings up the Windows Task Scheduler properties dialog for this task. Using this dialog you can schedule
when the Remote IDM Indexer should run. Refer to the Task Scheduler help for details on using the Windows Task
Scheduler.
To edit an existing scheduled task using the Windows GUI
1. Click Schedule to open the dialog. (Screen shot: Scheduling indexing dialog)
2. Click Edit/Delete Existing Tasks to open the Windows Task Scheduler utility. Here you can edit or delete an existing
scheduled task.

Incremental indexing for IDM

You can incrementally index a remote data source by specifying an existing preindex file (*.prdx) in the command line
argument when you run the tool.
In the GUI version of the tool you can browse to and select an existing *.prdx file for the Output File path.
The indexing process appends newly indexed files and file contents to the existing preindex entries.
The tool compares the last modified date of each file. If the file has been modified after the date recorded when it was
preindexed, the tool updates the preindex with the changes that were made to the file. If the last modified date is
unchanged, the preindex is not updated. If you change any include, exclude, or size filters in your existing preindex file,
those filters are applied to any previously indexed files. For example, for a remote data source with ten .docx files and
ten .pptx files, if your first remote indexing job has no filters, all files are indexed. If you add an exclude filter for .docx
files (-exclude_filter=*.docx) and run the indexing job again, the .docx files are removed from the index and only
the .pptx files remain.

Always keep files for IDM

You can select Always keep files in the Remote IDM Indexer GUI version for Windows or use keep_all_files=true
at the command line for Windows and Linux when you want to incrementally add multiple data sources to the same
preindex file. This option keeps files that are in the previous preindex but not in the current data source, which is what
lets you accumulate several data sources in one preindex file. You can also use keep_all_files if you have a folder
containing content that is moved and you want to keep the old content in the preindex file.
The previous IDM incremental indexer, and the indexer available through the Enforce Server administration console,
replace the entire old index with a new one. For example, when document set A is indexed and then document set B is
incrementally indexed for the same profile, the index of set A is dropped and replaced with the index of set B.
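As an added illustration of the incremental and Always keep files behaviour described above (example code written for this page, not the Remote IDM Indexer's own implementation), the following Python models a preindex as a dictionary and replays the ten .docx / ten .pptx scenario, then a later run that touches one deck with keep_all_files enabled. The SourceFile records, the glob-style exclude filter and the rule that entries absent from the current data source are dropped unless keep_all_files is set are assumptions made for the illustration.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class SourceFile:
    """A file in the remote data source (constructed sample input, not a real share)."""
    path: str
    mtime: int        # last-modified time as an integer timestamp
    content: str


def matches_any(path, patterns):
    """True if the file name matches any glob pattern such as '*.docx'."""
    name = path.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatch(name, pat) for pat in patterns)


def incremental_index(preindex, source, exclude_filters=(), keep_all_files=False):
    """Merge one indexing run into an existing preindex.

    preindex: dict path -> {"mtime": int, "content": str} from the previous run
              (an empty dict models a first run with no existing *.prdx file).
    Returns the new preindex dict and a list of (action, path) pairs.
    """
    new_index = {}
    actions = []
    current_paths = {f.path for f in source}

    for f in source:
        if matches_any(f.path, exclude_filters):
            # Filters apply to previously indexed files too, so a newly excluded
            # file is dropped even if an earlier run indexed it.
            actions.append(("excluded", f.path))
            continue
        old = preindex.get(f.path)
        if old is None:
            new_index[f.path] = {"mtime": f.mtime, "content": f.content}
            actions.append(("added", f.path))
        elif f.mtime > old["mtime"]:
            # Modified after it was preindexed: re-index the changed file.
            new_index[f.path] = {"mtime": f.mtime, "content": f.content}
            actions.append(("updated", f.path))
        else:
            # Same last-modified date: the preindex entry is left untouched.
            new_index[f.path] = old
            actions.append(("unchanged", f.path))

    # Entries in the previous preindex that are absent from this data source
    # survive only with keep_all_files (assumed: without it they are dropped).
    for path, entry in preindex.items():
        if path in current_paths:
            continue
        if keep_all_files and not matches_any(path, exclude_filters):
            new_index[path] = entry
            actions.append(("kept", path))
        else:
            actions.append(("dropped", path))
    return new_index, actions


def demo():
    """Replay the .docx/.pptx example from the documentation (constructed data)."""
    share = [SourceFile(f"share/doc{i}.docx", 100, "docx body") for i in range(10)]
    share += [SourceFile(f"share/deck{i}.pptx", 100, "pptx body") for i in range(10)]

    first, _ = incremental_index({}, share)                              # no filters
    second, _ = incremental_index(first, share, exclude_filters=["*.docx"])

    # A later run over a second, smaller data source in which one deck changed.
    edited = [SourceFile("share/deck0.pptx", 200, "pptx body v2")]
    third, acts = incremental_index(second, edited, exclude_filters=["*.docx"],
                                    keep_all_files=True)
    without_keep, _ = incremental_index(second, edited, exclude_filters=["*.docx"])
    return {
        "first_run": len(first),
        "after_exclude": len(second),
        "suffixes_after_exclude": sorted({p.rsplit(".", 1)[1] for p in second}),
        "after_keep_all": len(third),
        "deck0_content": third["share/deck0.pptx"]["content"],
        "updated": [p for a, p in acts if a == "updated"],
        "dropped_without_keep_all": len(second) - len(without_keep),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The third run shows why keep_all_files matters when a preindex is built from several data sources: without it, the nine decks that the second source does not contain would be dropped from the preindex along with the index of anything else not present in the current run.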

Logging and Troubleshooting


Remote IDM indexing status messages are logged to the Indexer.log file.
The log file path is C:\ProgramData\Symantec\DataLossPrevention\Indexer\16.0.10000\logs (Windows)
or /var/log/Symantec/DataLossPrevention/Indexer/16.0.10000/ (Linux).
The log presents error messages indicating whether file access was denied or file indexing failed.
Copying the preindex file to the Enforce Server host

After you have generated the preindex file you must copy it to the Enforce Server host so it can be loaded for profiling and
deployment.
You copy the *.prdx file to the following directory on the Enforce Server host on Windows:
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\documentprofiles
or on Linux:
/var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/documentprofiles
You can use FTP or FTP/S to copy the *.prdx file to the Enforce Server host file system.
NOTE
Make sure that the Enforce user who reads and loads the .prdx file has the file system permissions needed to copy
and load the file.
Loading the Remote Index File on to the Enforce Server

The Enforce Server administration console provides a user interface for uploading remote IDM preindexes to the Enforce
Server.
The Data Loss Prevention administrator or policy author must specify the preindex password that was entered when the
preindex file was initially created.
The preindex is used to generate the final index. This index is deployed to detection servers and agents (if Agent IDM is
enabled).
NOTE
If you have not copied the preindex file to the proper directory on the Enforce Server host on Windows:
C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\documentprofiles
or on Linux:
/var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/documentprofiles
the file does not appear in the drop-down field for selection.

Using a Password File with Remote Indexing

You can schedule Remote indexing jobs using Windows Task Scheduler and Linux cron. For these jobs, you can use a
password file.
NOTE
You cannot use a password file with jobs that are scheduled through the Remote IDM Indexer or when running
indexing jobs using the command-line interface (CLI).

-index_password_file
This parameter is the full file path to the text file containing a password. For security, the tool requires a password
file that is local to the indexer.
The password must be a minimum of 10 characters. The password must include at least one number, one lowercase
letter, and one uppercase letter (ASCII only).
The preindex file is encrypted and password-protected with the password in the password file.
The password is required to load the preindex into Enforce for indexing.
The use of a password file is allowed only with cron jobs.

param.index_password_file=
Note: Password files can only be used with Windows Task Scheduler or Linux cron jobs. You cannot use a password
file with the GUI or command line.
For security purposes the tool requires a password file that is local to the indexer.
The preindex file is encrypted and password-protected with the password in the password file.
The password is required to load the preindex into Enforce for indexing.
The use of a password file is more secure than entering the password in clear text in the properties file.

-user
This parameter is the name of the user with read and write privileges for the directory where the files to be indexed
are stored.
You must run the tool as a user who has privileges for the file path where the data source files are located.
For example: Windows = Administrator; Linux = root.

-password
This parameter is the password for the host where the files to be indexed are stored.
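The password rules and the advice to restrict access to the password file can both be checked before a scheduled job ever runs. The following Python is an added example for this page, not part of the Remote IDM Indexer: it validates a candidate password against the rules stated above (at least 10 ASCII characters including a number, a lowercase letter and an uppercase letter), then writes it as a UTF8-encoded cleartext file created with owner-only permissions so that only the account the job runs as (for example the Protect user) can read it. The function names, the sample password and the temporary path are constructed for the example; the 0600 mode is a Linux permission, and on Windows the file's NTFS ACL has to be restricted separately.

```python
import os
import stat
import tempfile

MIN_PASSWORD_LENGTH = 10


def validate_index_password(password):
    """Check a preindex password against the rules stated for -index_password_file.

    Returns the list of violated rules; an empty list means the password is acceptable.
    """
    problems = []
    if not password.isascii():
        problems.append("non-ASCII character")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    return problems


def write_password_file(path, password):
    """Write the password as UTF-8 cleartext, readable only by the owner (POSIX 0600).

    The file is created with restrictive permissions from the start instead of being
    chmod'ed afterwards, so it is never briefly readable by other local users.
    """
    problems = validate_index_password(password)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(password)
    return path


def password_file_mode(path):
    """Permission bits of the file, e.g. 0o600 (meaningful on POSIX only)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Write a constructed sample password to a temporary file and report on it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_password_file(os.path.join(tmp, "idm_password.txt"),
                                   "Example1Password")   # constructed sample value
        with open(path, encoding="utf-8") as fh:
            stored = fh.read()
        return {"stored": stored,
                "mode": password_file_mode(path),
                "posix": os.name == "posix"}


if __name__ == "__main__":
    print(demo())
```

Pair the file with a cron entry or scheduled task that runs as the same restricted account, and point `-index_password_file` or `param.index_password_file` at the path the function returns.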

Introducing Vector Machine Learning (VML)


Vector Machine Learning (VML) performs statistical analysis to protect unstructured data. The analysis determines if
content is similar to example content you train against.

With VML you do not have to locate and fingerprint all of the data you want to protect. You also do not have to describe
it and risk potential inaccuracies. Instead, you train the system to learn the type of content you want to protect based on
example documents you provide.
VML detection is based on a VML profile. You create a VML profile by uploading a representative amount of content from
a specific category of data. The system scans the content, extracts the features, and creates a statistical model based on
the frequency of keywords in the example documents. At run-time the system applies the model to analyze and detect the
content that has the features that are statistically similar to the profile.
VML simplifies the detection of unstructured, text-based content and offers the potential for high accuracy. The key to
implementing VML is the example content you train the system against. You must be careful to select the documents that
are representative of the type of content you want to protect. And, you must select good examples of content you want to
ignore that are closely related to the content you want to protect.
Configuring VML profiles and policy conditions

About the Vector Machine Learning Profile


The Vector Machine Learning Profile is the data profile that you define for implementing VML policies.
For example, you might create a VML profile to protect your source code. You train the system using positive example
documents (proprietary code that you want to protect). You also train the system using negative example documents
(open source code that you do not care to protect). A VML policy references the VML profile to analyze message data and
recognize the content that is similar to the positive features. The VML profile can be tuned, and it can be easily updated by
adding or removing documents to or from the training sets.
Data Profiles
Creating new VML profiles

About the content you train


Collecting the documents for training is the most important step in the Vector Machine Learning process. Vector Machine
Learning is only as accurate as the example content you train against.
Configuring VML profiles and policy conditions
A VML profile is based on a category of content representing a specific business use case. A category of content
comprises two training sets: positive and negative.
The positive training set is content you want to protect. More specific categorization results in better accuracy. For
example, “Customer Purchase Orders” is better than “Financial Documents” because it is more specific.
The negative training set is content you want to ignore, yet related to the positive training set. For example, if the positive
training set is “Weekly Sales Reports," the negative training set might contain "Sales Press Releases."
You should collect an equal amount of positive and negative content that is primarily text-based. You do not have to collect
all the content you want to protect. However, you do need to assemble training sets large enough to produce reliable
statistics.
The recommended number of documents is 250 per training set. The minimum number of documents per training set is
50.
VML training set requirements summarizes the baseline requirements for the content you collect for VML profile training.

Table 519: VML training set requirements

Category of content: Single, specific business use case
Type of data: Text-based (primarily)
Training set: Positive
Quantity: Recommended: 250 documents. Minimum: 50 documents.
Content: Content you want to protect.
Training set: Negative
Quantity: Approximately the same amount as the positive category.
Content: Content you do not want to protect yet thematically related to the positive category.
Size: 30 MB per upload. No size limit per category.

About the base accuracy from training percentage rates


During the VML profile training process, the system extracts example document content and converts it to raw text.
The system selects features (or keywords) using a proprietary algorithm and generates the VML profile. As part of the
training process, the system calculates and reports base accuracy rates for false positives and false negatives. The base
accuracies from training percentage rates indicate the quality of your positive and negative training sets.
The goal is to achieve 100% accuracy (0% base false rates), but obtaining this level of quality for both training sets is
usually not possible. You should reject a training profile if either the base false positive rate or the base false negative rate
is more than 5%. A relatively high base false percentage rate indicates that the training set is not well categorized. In this
case you need to add documents to an under-represented training set or remove documents from an over-represented
training set, or both.
Managing training set documents
Base accuracy rates from training describes what the base accuracy percentage rates from training mean in relation to the
positive and negative training sets for a given VML profile.

Table 520: Base accuracy rates from training

Accuracy rate Description

Base false positive rate (%) The percentage of the content in the negative training set that is statistically similar to the positive
content.
Base false negative rate (%) The percentage of the content in the positive training set that is statistically similar to the negative
content.

About the Similarity Threshold and Similarity Score


Each VML profile has a Similarity Threshold that can be set from 0 to 10. This setting is used to make an adjustment for
imperfect information within a training set to achieve the best accuracy possible. During detection, a message must have
a Similarity Score greater than the Similarity Threshold for an incident to be generated. The Similarity Threshold is set at
the profile level, not within a policy, because there is an ideal Similarity Threshold setting, unique to your training set, at
which the best accuracy rates can be achieved (both in terms of false positives and false negatives).
When a VML policy detects an incident, the system displays the Similarity Score in the match highlighting section of the
Incident Snapshot in the Enforce Server administration console. The Similarity Score indicates how similar the detected
content is to the VML profile. The higher the score, the more statistically similar the message is to the positive example
documents in your VML profile.

Consider an example where a Similarity Threshold is set to 4 and a message with a Similarity Score of 5 is detected.
In this case the system reports the match as an incident and displays the Similarity Score during match highlighting.
However, if a message is detected with a Similarity Score of 3, the system does not report a match (and no incident)
because the Similarity Score is below the Similarity Threshold.
Similarity Threshold and Similarity Score details describes the Similarity Threshold and Similarity Score numbers.

Table 521: Similarity Threshold and Similarity Score details

Setting Description

Similarity Threshold The Similarity Threshold is a configurable parameter between 0 and 10 that is unique to each VML profile.
The default setting is 10, which requires the most similar match between the VML profile features and the
detected message content. As such, this setting is likely to produce fewer incidents. A setting of 0 produces
the most matches, many of which are likely to be false positives.
Adjusting the Similarity Threshold
Similarity Score The Similarity Score is a read-only run-time statistic between 0 and 10 reported by the system based on the
detection results of a VML policy. To report an incident, the Similarity Score must be higher than the Similarity
Threshold; otherwise the VML policy does not report a match.
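To make the base accuracy rates from training and the threshold comparison above concrete, here is an added toy model written for this page; it is not Symantec's proprietary VML algorithm. It builds a keyword-frequency model from constructed positive ("Weekly Sales Reports") and negative ("Sales Press Releases") training sets, scores text on a 0 to 10 scale by its relative closeness to the two models, reports base false positive and false negative rates by scoring the training sets themselves, and reports an incident only when the score is strictly greater than the profile's Similarity Threshold. All document texts, the cosine-based scoring and the midpoint used for the base rates are assumptions of the illustration.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9]+")


def term_counts(text):
    """Keyword frequency vector for one document (lowercased word counts)."""
    return Counter(TOKEN.findall(text.lower()))


def cosine(a, b):
    """Cosine similarity between two sparse count vectors; 0.0 if either is empty."""
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


class ToyVmlProfile:
    """A deliberately simple stand-in for a VML profile (assumed model, not the product's)."""

    def __init__(self, positive_docs, negative_docs, similarity_threshold=10):
        self.threshold = similarity_threshold
        self.positive = [term_counts(d) for d in positive_docs]
        self.negative = [term_counts(d) for d in negative_docs]
        # One keyword-frequency model per training set: the sum of its documents.
        self.pos_model = sum(self.positive, Counter())
        self.neg_model = sum(self.negative, Counter())

    def _score_vec(self, vec):
        """0..10: how much closer the vector sits to the positive model than the negative."""
        sp = cosine(vec, self.pos_model)
        sn = cosine(vec, self.neg_model)
        return 10.0 * sp / (sp + sn) if sp + sn else 0.0

    def similarity_score(self, text):
        return self._score_vec(term_counts(text))

    def base_accuracy_rates(self):
        """Base false positive / false negative rates (%) measured on the training sets.

        A training document counts as misclassified when it scores on the wrong side
        of the midpoint (5), independent of the threshold a policy will be run with.
        """
        fp = sum(1 for v in self.negative if self._score_vec(v) > 5.0)
        fn = sum(1 for v in self.positive if self._score_vec(v) <= 5.0)
        return 100.0 * fp / len(self.negative), 100.0 * fn / len(self.positive)

    def detect(self, text):
        """Incident decision: the score must be strictly greater than the threshold."""
        score = self.similarity_score(text)
        return score > self.threshold, round(score, 2)


POSITIVE_TRAINING = [  # constructed "Weekly Sales Reports"
    "Weekly sales report region north: units sold 120, revenue and quota attainment",
    "Weekly sales report region south: units sold 95, revenue and quota attainment",
    "Weekly sales report region east: units sold 140, revenue, quota and pipeline",
]
NEGATIVE_TRAINING = [  # constructed "Sales Press Releases"
    "Press release: company announces record sales quarter; investors, media contact",
    "Press release: company announces new product launch; media contact, investors",
    "Press release: company expands sales team, hiring; media contact",
]


def demo(threshold=4):
    """Train the toy profile, report base rates, and test two constructed messages."""
    profile = ToyVmlProfile(POSITIVE_TRAINING, NEGATIVE_TRAINING, threshold)
    fp, fn = profile.base_accuracy_rates()
    report = "Weekly sales report region west: units sold 70, revenue and quota"
    press = "Press release: company names new media contact"
    return {"base_fp": fp, "base_fn": fn,
            "report": profile.detect(report), "press": profile.detect(press)}


if __name__ == "__main__":
    print(demo(4))
```

With the threshold at 4, the report-like message scores around 9 and is reported while the press-release text scores 0 and is not; raising the threshold to 9.5 suppresses the report as well, which is the trade-off the Adjusting the Similarity Threshold topic refers to.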

About using unaccepted VML profiles in policies


The system lets you create a policy that is based on a VML profile that has never been accepted. However, the VML
profile is not active and is not deployed to a referenced policy until the profile is initially accepted.
Training VML profiles
Where you have a VML policy that references a never-accepted VML profile, the result of this configuration depends on
the type of detection server. References to never-accepted VML profiles describes the behavior:

Table 522: References to never-accepted VML profiles

Detection server Description

Discover Server Discover scanning does not begin until all policy dependencies are loaded. A Discover scan based
on a VML policy does not start until the referenced VML profile is accepted. In this case the system
displays a message in the Discover scanning interface that indicates that the scan waits on the
dependency to load.
Network and Endpoint Servers For a simple rule, or compound rule where the conditions are ANDed, the entire rule fails because
the VML condition cannot match. If this is the only rule in the policy, the policy does not work.
For a policy where there are multiple rules that are ORed, only the VML rule fails; the other rules in
the policy are evaluated.
Policy detection execution

Configuring VML profiles and policy conditions


Vector Machine Learning (VML) performs statistical analysis to protect unstructured data. The analysis determines if
content is similar to an example set of documents you train against.
Introducing Vector Machine Learning (VML)
The following table describes the process for implementing VML.

Table 523: Implementing VML

Step 1: Collect the example documents for training the system.
Collect a representative number of example documents that contain the positive content that you want to protect and
the negative content you want to ignore.
About the content you train
Step 2: Create a new VML profile.
Define a new VML profile based on the specific business category of data from which you have derived your positive
and negative training sets.
Creating new VML profiles
Step 3: Upload the example documents.
Upload the example positive and negative training sets separately to the Enforce Server.
Uploading example documents for training
Step 4: Train the VML profile.
Train the system to learn the type of content you want to protect and generate the VML profile.
Training VML profiles
Step 5: Accept or reject the trained profile.
Accept the trained profile to deploy it. Or, reject the profile, update one or both of the training sets (by adding or
removing example documents), and restart the training process.
About the base accuracy from training percentage rates
Managing VML profiles
Step 6: Create a VML policy and test detection.
Create a VML policy that references the VML profile.
Configuring the Detect using Vector Machine Learning Profile condition
Test and review incidents based on the Similarity Score.
About the Similarity Threshold and Similarity Score
Step 7: Tune the VML profile.
Adjust the Similarity Threshold setting as necessary to optimize detection results.
Adjusting the Similarity Threshold
Step 8: Follow VML best practices.
Best practices for using VML

Creating new VML profiles


A VML profile contains the model that is generated from the training set contents. Once you define a VML profile, you use
it to create one or more VML policies.
Configuring VML profiles and policy conditions
NOTE
You must have Enforce Server administrator privileges to create VML profiles.
To create a new VML profile
1. Click New Profile from the Manage > Data Profiles > Vector Machine Learning screen (if you have not already
done so).
2. Enter a Name for the VML profile in the Create New Profile dialog.
Use a logical name for the VML profile that corresponds to the category of data you want to protect.
About the content you train
3. Optionally, enter a Description for the VML profile.
You may want to include a description that identifies the purpose of the VML profile.

4. Click Create to create the new VML profile.
Or, click Cancel to cancel the operation.
5. Click Manage Profile to upload example documents.
Uploading example documents for training

Working with the Current Profile and Temporary Workspace tabs


For any single VML profile there are two possible versions: Current and Temporary. The Current Profile is the run-time
version; the Temporary Profile is the design-time version. As you develop a VML profile, you create a Current Profile that
you have trained, accepted, and perhaps deployed to one or more policies. You also create a Temporary Profile that you
actively edit and tune.
The Enforce Server administration console displays each version of the VML profile in separate tabs:
• Current Profile
This version is the active instance of the VML profile. This version has been successfully trained and accepted; it is
available for deployment to one or more policies.
• Temporary Workspace
This version is an editable version of the VML profile. This version has not been trained, or accepted, or both; it cannot
be deployed to a policy.
Initially, when you create a new VML profile, the system displays only the Current Profile tab with an empty training
set. After you initially train and accept the VML profile, the Trained Set table in the Current Profile tab is populated with
details about the training set. The information that is displayed in this table and tab is read-only.
Click Manage Profile to the far right of the Current Profile tab.
The system displays the editable version of the profile in the Temporary Workspace tab. You can now proceed with
training and managing the profile.
Training VML profiles

The Temporary Workspace tab remains present in the user interface until you train and accept a new version of the VML
profile. In other words, there is no way to close the Temporary Workspace tab without training and accepting, even if you
made no changes to the profile.
Once you accept a new version of the VML profile, the system overwrites the previous Current Profile with the newly
accepted version. You cannot revert to a previously accepted Current Profile. However, you can revert to previous
versions of the training set for a Temporary Profile.
Managing training set documents

Uploading example documents for training


The training set comprises the example positive and negative documents you want to train the system against. You
upload the positive and the negative documents separately.
NOTE
You can upload individual documents. However, we recommend that you upload a document archive (such as
ZIP, RAR, or TAR) that contains the recommended (250) or minimum (50) number of example documents. The
maximum upload size is 30 MB. You can partition the documents across archives if you have more than 30 MB
of data to upload.
About the content you train
To upload the training set
1. Click Manage Profile from the Current Profile tab (if you have not already done so).
This action enables the VML profile for editing in the Temporary Workspace tab.

Working with the Current Profile and Temporary Workspace tabs
2. Click Upload Contents (if you have not already done so).
This action opens the Upload Contents dialog.
3. Select the category of content:
• Choose Positive: match contents similar to these to upload a positive document archive.
• Choose Negative: ignore contents similar to these to upload a negative document archive.
4. Click Browse to select the document archive to upload.
5. Navigate the file system to where you have stored the example documents.
6. Choose the file to upload and click Open.
7. Verify that you have chosen the correct category of content: Positive or Negative.
If you mismatch the upload (select Negative but upload a Positive document archive), the resulting profile is
inaccurate.
8. Click Submit to upload the document archive to the Enforce Server.
The system displays a message indicating if the file successfully uploaded. If the upload was successful, the document
archive appears in the New Documents table. This table displays the document type, name, size, date uploaded, and
the user who uploaded it. If the upload was not successful, check the error message and retry the upload. Click the X
icon in the Remove column to delete an uploaded document or document archive from the training set.
9. Click Upload Contents to repeat the process for the other training set.
The profile is not complete and cannot be trained until you have uploaded the minimum number of positive and
negative example documents.
VML training set requirements
10. Once you have successfully uploaded both training sets you are ready to train the VML profile.
Training VML profiles

Training VML profiles


During the profile training process, the system scans the training content, extracts key features, and generates a statistical
model. When the training process completes successfully, the system prompts you to accept or reject the training profile.
If you accept the training results, that version of the VML profile becomes the Current Profile. The Current Profile is active
and available for use in one or more policies.
Configuring VML profiles and policy conditions

Table 524: Training the VML profile

Step 1: Enable training mode.
Select the VML profile you want to train from the Manage > Data Profiles > Vector Machine Learning screen. Or, create
a new VML profile.
Creating new VML profiles
Click Manage Profile to the far right of the Current Profile tab. The system displays the profile for training in the
Temporary Workspace tab.
Working with the Current Profile and Temporary Workspace tabs
Step 2: Upload the training content.
Familiarize yourself with the training set requirements and recommendations.
About the content you train
Upload the positive and the negative training sets in separate document archives to the Enforce Server.
Uploading example documents for training
Step 3: Adjust the memory allocation (only if necessary).
The default value is "High" which generally results in the best training set accuracy rates. Typically you do not need to
change this setting. For some situations you may want to choose a "Medium" or "Low" memory setting (for example,
deploying the profile to the endpoint).
Adjusting the memory allocation
Note: If you change the memory setting, you must do so before you train the profile to ensure accurate training
results. If you have already trained the profile, you must retrain it after you adjust the memory allocation.
Step 4: Start the training process.
Click Start Training to begin the profile training process.
During the training process, the system:
• Extracts the key features from the content;
• Creates the model;
• Calculates the predicted accuracy based on the averaged false positive and false negative rates for the entire
training set;
• Generates the VML profile.
Step 5: Verify training completion.
When the training process completes, the system indicates if the training profile was successfully created.
If the training process failed, the system displays an error. Check the debug log files and restart the training process.
On successful completion of the training process, the system displays the following information for the New Profile:
• Trained Example Documents
The number of example documents in each training set that the system has trained against and profiled.
• Accuracy Rate From Training
The quality of the training set expressed as base false positive and base false negative percentage rates.
About the base accuracy from training percentage rates
• Memory
The minimum amount of memory that is required to load the profile at run-time for detection.
Note: If you previously accepted the profile, the system also displays the Current Profile statistics for side-by-side
comparison.
Step 6: Accept or reject the training profile.
If the training process is successful, the system prompts you to accept or reject the training profile. Your decision is
based on the Accuracy Rate from Training percentages.
About the base accuracy from training percentage rates
To accept or reject the training profile:
• Click Accept to save the training results as the active Current Profile.
Once you accept the training profile, it appears in the Current Profile tab and the Temporary Workspace tab is
removed.
• Click Reject to discard the training results.
The profile remains in the Temporary Workspace tab for editing. You can adjust one or both of the training sets by
adding or removing documents and retraining the profile.
Managing training set documents
Note: A trained VML profile is not active until you accept it. The system lets you create a policy based on a VML profile
that has not been trained or accepted. However, the VML profile is not deployed to that policy until the profile is
accepted.
About using unaccepted VML profiles in policies
Step 7: Test and tune the profile.
Once you have successfully trained and accepted the VML profile, you can use it to define policy rules and tune the
VML profile.
Configuring the Detect using Vector Machine Learning Profile condition
About the Similarity Threshold and Similarity Score

Adjusting the memory allocation


The Memory Allocation setting determines the amount of memory that is required to load the VML profile at run-time
for policy detection. The more memory you allocate to training, the larger the VML profile becomes, because more
features are modeled. By default this value is set to "High." You should not normally adjust this value. Resources are
limited on the endpoint. If you intend to deploy the VML profile to the endpoint, use a lower memory setting to reduce the
size of the profile.
To adjust memory allocation
1. Click Adjust beside the Memory Allocation setting.
This setting is available in the Temporary Workspace tab. If it is not available, click Manage Profile from the Current
Profile tab.
Working with the Current Profile and Temporary Workspace tabs
2. Select the desired memory allocation level.
• High
Requires a higher amount of run-time memory; generally yields higher detection accuracy (default setting).
• Medium
• Low
Requires less run-time memory; may result in lower detection accuracy.
3. Click Save to save the setting.
The Memory Setting display should reflect the adjustment you made.
4. Click Start Training to start the training process.
You must adjust the memory allocation before you train the VML profile. If you have already trained the profile, retrain
after adjusting this setting.
Training VML profiles

5. Verify the amount of memory that is required to run the VML profile.
After you train the VML profile, the system displays the Memory Required (KB) value. This value represents the
minimum amount of memory that is required to load the profile at run-time.
Managing VML profiles

Managing training set documents


As you train and tune a VML profile, you may need to adjust one or both of the training sets. For example, if you reject a
training profile, you must add or remove example documents to improve the training accuracy rates.
About the base accuracy from training percentage rates
To add documents to a training set
1. Click Manage Profile for the profile you want to edit.
The editable profile appears in the Temporary Workspace tab.
2. Click Upload Contents.
Uploading example documents for training
To remove documents from a training set
3. Click Manage Profile for the profile you want to edit.
The editable profile appears in the Temporary Workspace tab.
4. Click the red X in the Mark Removed column for the trained document you want to remove.
The removed document appears in the Removed Documents table. Repeat this process as necessary to remove all
unwanted documents from the training set.
5. Click Start Training to retrain the profile.
You must retrain and accept the updated profile to complete the document removal process. If you do not accept the
new profile the document you attempted to remove remains part of the profile.
Training VML profiles
To revert removed documents
6. Click the revert icon in the Revert column for a document you have removed.
The document is added back to the training set.
7. Click Start Training to retrain the profile.
You must retrain the profile and reaccept it even though you reverted to the original configuration.

Managing VML profiles


The Manage > Data Profiles > Vector Machine Learning screen is the home page for managing existing VML profiles
and the starting point for creating new VML profiles.
Configuring VML profiles and policy conditions
NOTE
You must have Enforce Server administrator privileges to manage and create VML profiles.

Table 525: Creating and managing VML profiles

Create new profiles.
    Click New Profile to create a new VML profile.
    Creating new VML profiles
View and sort profiles.
    The system lists all existing VML profiles and their state at the Vector Machine Learning screen. Click the column
    header to sort the VML profiles by name or status.
Manage and train profiles.
    Select a VML profile from the list to display and manage it.
    The Current Profile tab displays the active profile.
    Working with the Current Profile and Temporary Workspace tabs
    Click Manage Profile to edit the profile.
    The editable profile appears in the Temporary Workspace tab. From this tab you can:
    • Upload training set documents.
      Uploading example documents for training
    • Train the profile.
      Training VML profiles
    • Add and remove documents from the training sets.
      Managing training set documents
Monitor profiles.
    The system lists and describes the status of all VML profiles.
    • Memory Required (KB)
      The minimum amount of memory that is required to load the profile in memory for detection.
      Adjusting the memory allocation
    • Status
      The present status of the profile.
      Status values for VML profiles
    • Deployment Status
      The historical status of the profile.
      Deployment Status values for VML profiles
Remove profiles.
    Click the X icon at the far right to delete an existing profile.
    If you delete an existing profile, the system removes the profile metadata and the Training Set from the
    Enforce Server.

The Status field displays the current state of each VML profile.

Table 526: Status values for VML profiles

Accepted on <date>: The date the training profile was accepted.
Managing: The current profile is enabled for editing.
Empty: The profile is created, but no content is uploaded.
Awaiting Acceptance: The profile is ready to be accepted.
Canceling Training: The system is in the process of canceling the training.
Training Canceled: The training process is canceled.
Failed: The training process failed.
Training <time>: The training is in progress (for the time indicated).

The Deployment Status field indicates if the VML profile has ever been accepted or not.

Table 527: Deployment Status values for VML profiles

Never Accepted: The VML profile has never been accepted.
    About using unaccepted VML profiles in policies
Accepted on <date>: The VML profile was accepted on the date indicated.

Changing names and descriptions for VML profiles


If necessary, you can change the name of a VML profile or edit its description. When you are ready to deploy a VML profile
to one or more policies, give the profile a self-describing name so policy authors can easily recognize it.
NOTE
You do not have to retrain a profile if you change the name or description.
To change the VML profile name or description
1. Select the VML profile from the Manage > Data Profiles > Vector Machine Learning screen.
Managing VML profiles
2. Click the Edit link beside the name of the VML profile.
3. Edit the name and description of the profile in the Change Name and Description dialog that appears.
4. Click OK to save the changes to the VML profile name or description.
5. Verify the changes at the home screen for the VML profile.

Configuring the Detect using Vector Machine Learning Profile condition


Once you have trained and accepted the VML profile, you configure a VML policy using the Detect using Vector
Machine Learning Profile condition. This condition references the VML profile to detect the content that is similar to the
example content you have trained against.
Configuring VML profiles and policy conditions

Table 528: Configuring a VML policy rule

Step 1. Create and train the VML profile.
    Creating new VML profiles
    Training VML profiles
    About using unaccepted VML profiles in policies
Step 2. Configure a new or an existing policy.
    Configuring policies
Step 3. Add the VML rule to the policy.
    From the Configure Policy screen:
    • Select Add Rule.
    • Select the Detect using Vector Machine Learning profile rule from the list of content rules.
    • Select the VML profile you want to use from the drop-down menu.
    • Click Next.
Step 4. Configure the VML detection rule.
    Name the rule and configure the rule severity.
    Configuring Policy Rules
Step 5. Select components to match on.
    Select one or both message components to Match On:
    • Body, which is the content of the message
    • Attachments, which are any files transported by the message
    Note: On the endpoint, the Symantec DLP Agent matches on the entire message, not individual message components.
    Selecting components to match on
Step 6. Configure additional conditions (optional).
    Optionally, you can create a compound detection rule by adding more conditions to the rule.
    To add additional conditions, select the desired condition from the drop-down menu and click Add.
    Note: All conditions must match for the rule to trigger an incident.
    Configuring compound rules
Step 7. Save the policy configuration.
    Click OK then click Save to save the policy.

Configuring VML policy exceptions


In some situations, you may want to implement a VML policy exception to ignore certain content.
Configuring VML profiles and policy conditions

Table 529: Configuring a VML policy exception

Step 1. Create and train the VML profile.
    Creating new VML profiles
    Training VML profiles
Step 2. Configure a new or an existing policy.
    Configuring policies
Step 3. Add a VML exception to the policy.
    From the Configure Policy screen:
    • Select Add Exception.
    • Select the Detect using Vector Machine Learning profile exception from the list of content exceptions.
    • Select the VML profile you want to use from the drop-down menu.
    • Click Next.
Step 4. Configure the policy exception.
    Name the exception.
    Select the components you want to apply the exception to:
    • Entire Message
      Select this option to compare the exception against the entire message. If an exception is found anywhere in
      the message, the exception is triggered and no matching occurs.
    • Matched Components Only
      Select this option to match the exception against the same component as the rule. For example, if the rule
      matches on the Body and the exception occurs in an attachment, the exception is not triggered.
Step 5. Configure the condition.
    Generally you can accept the default condition settings for policy exceptions.
    Configuring policy exceptions
Step 6. Save the policy configuration.
    Click OK then click Save to save the policy.

Adjusting the Similarity Threshold
You adjust the Similarity Threshold setting to tune the VML profile. The Similarity Threshold determines how similar
detected content must be to a VML profile to produce an incident.
About the Similarity Threshold and Similarity Score
NOTE
You do not have to retrain the VML profile after you adjust the Similarity Threshold, unless you modify a training
set based on testing results.
To adjust the Current Value of the Similarity Threshold
1. Click Edit beside the Similarity Threshold label for the VML profile you want to tune.
This action opens the Similarity Threshold dialog.
2. Drag the meter to the desired Current Value setting.
You set the Similarity Threshold to a decimal value between 0 and 10. The default value is 10, which produces fewer
incidents; a setting of 0 produces more incidents.
3. Click Save to save the Similarity Threshold setting.
4. Test the VML profile using a VML policy.
Compare the Similarity Scores across matches. A detected message must have a Similarity Score higher than the
Similarity Threshold to produce an incident. Make further adjustments to the Similarity Threshold setting as necessary
to optimize and fine-tune the VML profile.
Configuring the Detect using Vector Machine Learning Profile condition

Testing and tuning VML profiles


You tune a VML profile by testing it with the Similarity Threshold set to 0. After you determine the possible range of
Similarity Scores for false positives, adjust the Similarity Threshold to be greater than the highest Similarity Score that
the false positives report. This process is known as negative testing.
A good training set has a well-defined range where the Similarity Threshold is set to achieve the best accuracy rates. A
poor training set yields a poor accuracy result regardless of the Similarity Threshold. A Similarity Threshold that is set too
high or too low can result in a large number of false positives or false negatives.
To determine the proper Similarity Threshold setting, the recommendation is to perform negative testing as described in
the following steps.

Table 530: Steps for tuning VML profiles

Step 1. Train the VML profile.
    Follow the recommendations in this guide for defining the category and uploading the training set documents.
    Adjust the memory allocation before you train the profile.
Step 2. Set the Similarity Threshold to 0.
    The default Similarity Threshold is 10. At this value the system does not generate any incidents. A setting of 0
    produces the most incidents, many of which are likely to be false positives. The purpose of setting the value to 0
    is to see the entire range of potential matches. It also lets you tune the Similarity Threshold to a value greater
    than the highest false positive score.
Step 3. Create a VML policy.
    Create a policy that references the VML profile you want to tune. The profile must be accepted to be deployable
    to a policy.
Step 4. Test the policy.
    Test the VML policy using a corpus of test data. For example, you can use the DLP_Wikipedia_sample.zip file to
    test your VML policies against. Create a mechanism to detect incidents. The mechanism can be a Discover scan
    target of a local file folder where you place the test data. Or it can be a DLP Agent scan of a copy/paste
    operation.
Step 5. Review any incidents.
    Review any matches at the Incident Snapshot screen. Verify a relatively low Similarity Score for each match. A
    relatively low Similarity Score indicates a false positive. If one or more test documents produce a match with a
    relatively high Similarity Score, you have a training set quality issue. In this case you need to review the
    content and, if appropriate, add the document(s) to the positive training set. You then need to retrain and
    retune the profile.
    Log files for troubleshooting VML training and policy detection
Step 6. Adjust the Similarity Threshold.
    Review the incidents to determine the highest Similarity Score among the detected false positives that you have
    tested the profile against. Then, you can adjust the Similarity Threshold for the profile to be greater than the
    highest Similarity Score for the false positives. For example, if the highest detected false positive has a
    Similarity Score of 4.5, set the Similarity Threshold to 4.6. This setting filters the known false positives from
    being reported as incidents.

Properties for configuring training


VML includes several property files for configuring VML training and logging. The following table lists and describes
relevant VML configuration properties.

Table 531: Property files for VML (located at \Protect\config\)

MLDTraining.properties: Main property file for configuring VML training settings.
    Relevant configuration parameters for VML training
Manager.properties: Property file for the Enforce Server; contains 1 VML setting.
    Configuration parameter for VML profiles
MLDTrainingLogging.properties: Properties file for configuring VML logging.
    Log files for troubleshooting VML training and policy detection

The following table lists and describes the VML training parameters available for configuration in properties file
MLDTraining.properties.

Table 532: Relevant configuration parameters for VML training

minimum_documents_per_category
    Specifies the minimum number of documents that are required for each training set (positive and negative). The
    default setting is 50. Reducing this number below 50 is not recommended or supported.
    Recommendations for training set definition
mld_num_folds
    Specifies the number of folds to use for the k-fold evaluation process. The default is 10.
    Reducing this value speeds up training because fewer folds are evaluated, potentially at the cost of visibility
    into profile quality.
    You do not need to change this value unless you have a large number of example documents (and thus the training
    sets are very large), or unless you know for certain that you have a well-categorized overall training set.
    Recommendations for accepting or rejecting a profile
minimum_features_to_keep
    Specifies the minimum number of features to keep for the profile. The default setting is 1000.
    Lowering this value can help reduce the size of the profile. However, adjusting this setting is not recommended.
    Instead, use the memory allocation setting to tune the size of the profile.
    Guidelines for profile sizing
significance_threshold
    Specifies the minimum number of times a word must occur before it is considered a feature. The default is 2.
    Increasing this value (to 3 or 4, for example) may help reduce the size of the profile because fewer words qualify
    as features. You should not adjust this setting unless setting the memory allocation to "Low" does not produce a
    small enough profile for your deployment requirements.
    Guidelines for profile sizing
stopword_file
    Specifies the default stopword file \config\machinelearningconfig\stopwords.txt.
    Stopwords are common words, such as articles and prepositions. During training the system ignores (does not
    consider for feature extraction) any word that is contained in the stopwords file.
    If you add words to be ignored, you must use all lower case because VML feature extraction normalizes the content
    to lower case for evaluation.
logging_config_file
    Specifies the configuration file for standard VML logging.
    Log files for troubleshooting VML training and policy detection
native_logging_config_file
    Specifies the configuration file for native VML logging.
    Log files for troubleshooting VML training and policy detection

The following parameter is available for configuration in properties file MLDTraining.properties.

Table 533: Configuration parameter for VML profiles

Parameter Description

DEFAULT_SIMILARITY_THRESHOLD Establishes the default value for the Similarity Threshold, which
is 10. Changing this value affects the default value only. You can
adjust the value using the Enforce Server administration console.
Testing and tuning VML profiles

Log files for troubleshooting VML training and policy detection


The system provides debug log files for troubleshooting the VML training process and policy detection. The following table
lists and describes the debug log files.
Troubleshooting policies

Table 534: Debug log files for VML

Log file Description

machinelearning_training.log Records the accuracy from training percentage rates for each
fold of the evaluation process for each VML profile training run.
Examines the quality of each training set at a granular, per-fold
level.
Recommendations for accepting or rejecting a profile
machinelearning_native_filereader.log Records the "distance," which is expressed as a positive or
negative number, and the "confidence," which is a similarity
percentage, for each message evaluated by a VML policy.
Examines all messages or documents evaluated by VML
policies, including positive matches with similarity percentages
beneath the Similarity Threshold, or messages the system has
categorized as negative (expressed as a negative "distance"
number).
Testing and tuning VML profiles
machinelearning_training_native_manager.log Records the total number of features modeled and the number
of features kept to generate the profile for each training run.
The total number of features modeled versus the number
of features kept for the profile depends on the memory
allocation setting:
• If "high" the system keeps 80% of the features.
• If "medium" the system keeps 50% of the features.
• If "low" the system keeps 30% of the features.
Guidelines for profile sizing

Best practices for using VML


This section provides best practices for implementing VML policies, including best practices for testing and tuning your
VML policies.
Summary of VML best practices provides a summary of the VML best practices that are discussed in this section. It
includes links to individual topics for more in-depth recommendations.

Table 535: Summary of VML best practices

Recommended uses for VML
    Use VML to protect unstructured, text-based content. Do not use VML to protect graphics, binary data, or
    personally identifiable information (PII).
    When to use VML
Category of content
    Define the VML profile based on a single category of content that you want to protect. The category of content
    should be derived from a specific business use case. Narrowly defined categories are better than broadly defined
    ones.
    Recommendations for training set definition
Positive training set
    Archive and upload the recommended (250) number of example documents for the positive training set, or at least
    the minimum (50).
    Guidelines for training set sizing
Negative training set
    Archive and upload the example documents for the negative training set. Ideally the negative training set contains
    a similar number of well-categorized documents as the positive training set. In addition, add some documents
    containing generic or neutral content to your negative training set.
    Guidelines for training set sizing
Profile sizing
    Consider adjusting the memory allocation to low. Internal testing has shown that setting the memory allocation to
    low may improve accuracy in certain cases.
    Guidelines for profile sizing
Training set quality
    Reject the training result and adjust the example documents if either of the base accuracy rates from training is
    more than 5%.
    Recommendations for accepting or rejecting a profile
Profile tuning
    Perform negative testing to tune the VML profile by using a corpus of testable data.
    Testing and tuning VML profiles
Profile deployment
    Remove accepted profiles not in use by policies to reduce detection server load. Tune the Similarity Threshold
    before deploying a profile into production across all endpoints to avoid network overhead.
    Recommendations for deploying profiles

When to use VML


VML is designed to protect unstructured content that is primarily text-based. VML is well-suited for protecting sensitive
content that is highly distributed such that gathering all of it for fingerprinting is not possible or practical. VML is also
well-suited for protecting sensitive content that you cannot adequately describe while still achieving high matching accuracy.
The following table summarizes the recommended use cases for VML.

Table 536: Recommended uses for VML

Use VML when it is not possible or practical to fingerprint all the data you want to protect.
    Often collecting all of the content you want to protect for fingerprinting is an impossible task. This situation
    arises for many forms of unstructured data: marketing materials, financial documents, patient records, product
    formulas, source code, and so forth.
    VML works well for this situation because you do not have to collect all of the content you want to protect. You
    collect a smaller set of example documents.
Use VML when you cannot adequately describe the data you want to protect.
    Often describing the data you want to protect is difficult without sacrificing some accuracy. This situation may
    arise when you have long keyword lists that are hard to generate, tune, and maintain.
    VML works well in these situations because it automatically models the features (keywords) you want to protect.
    It enables you to easily manage and update the source content.
Use VML when a policy reports frequent false positives.
    Sometimes a certain category of information is a constant source of false positives. For example, a weekly sales
    report may consistently produce false positives for a Data Identifier policy looking for social security numbers.
    VML may work well here because you can train against the content that causes the false positives and create a
    policy exception to ignore those features.
    Note: The false positive contents must belong to a well-defined category for VML to be an effective solution for
    this use case.
    Recommendations for training set definition

When not to use VML


VML is not designed to protect structured data, such as Personally Identifiable Information (PII), or binary content, such as
documents that contain mostly graphics or image files.
The following table summarizes the non-recommended uses of VML.

Table 537: Non-recommended uses for VML

Do not use VML to protect personally identifiable information (PII).
    Exact Data Matching (EDM) and Data Identifiers are the best option for protecting the common types of PII.
Do not use VML to protect binary files and images.
    Indexed Document Matching (IDM) is the best option to protect the content that is largely binary, such as image
    files or CAD files.

Recommendations for training set definition


A VML category is the specific business use case from which you derive your example documents for training the VML
profile. The more specific the category the better the detection results. For example, the category "Financial Documents"
is not recommended because it is too broad. A better category classification is "Sales Forecasts" or "Quarterly Earnings"
because each is particular to a specific business use case.
A VML category contains two sets of training content: positive and negative. The positive training set contains content
you want to protect; the negative training set contains content you want to ignore. You should derive both the positive and
negative training sets from the same category of content such that all documents are thematically related.
Using entirely generic content for the negative training set, while possible, is not recommended. While generic content
produces good design-time training accuracy rates, you cannot detect the content you want to protect at run-time with
sufficient accuracy.
NOTE
While a completely generic negative training set is not recommended, seeding the negative training set with
some neutral-content documents does have value. Guidelines for training set sizing
The following table provides some example categories and possible positive and negative training sets comprising those
categories.

Table 538: Some example categories and training sets

Product source code
    Positive training set: Proprietary product source code
    Negative training set: Source code from open source projects
Product formulas
    Positive training set: Proprietary product formulas
    Negative training set: Non-proprietary product information
Quarterly earnings
    Positive training set: Pre-release earnings; sales estimates; accounting documents
    Negative training set: Details of published annual accounts
Marketing plans
    Positive training set: Marketing plans
    Negative training set: Published marketing collateral and advertising copy
Medical records
    Positive training set: Patient medical records
    Negative training set: Healthcare documents
Customer sales
    Positive training set: Customer purchasing patterns
    Negative training set: Publicly available consumer data
Mergers and acquisitions
    Positive training set: Confidential legal documents; M&A documents
    Negative training set: Publicly available materials; press releases
Manufacturing methods
    Positive training set: Proprietary manufacturing methods and research
    Negative training set: Industry standards

Guidelines for training set sizing


VML is only as accurate as the example content you train. To use VML you do not have to locate all the data you want to
protect, nor do you have to describe it. Instead, your sample documents must accurately represent the type of content you
want to protect. They must also represent content that you want to ignore. This content must be thematically related to the
positive content.
Higher numbers of example documents collected for training yield more accurate VML profiles. A well-defined category
of content contains 500 example documents: 250 positive and 250 negative. The minimum number of documents per
training set is 50.
Ideally, you collect a similar number of negative and positive documents for training. You should seed the negative training
set with generic or neutral-content documents. The archive file DLP_Wikipedia_sample.zip that is attached to this
guide at the Symantec Support Center is provided for this purpose.
For example, suppose your positive training set contains 250 example documents and your negative training set
contains 150 documents. You can add 100 to 200 generic documents to your negative training set from the
DLP_Wikipedia_sample.zip archive file. Internal testing has shown that adding generic content to complement a well-
defined negative training set can improve accuracy for VML.
If you cannot collect enough positive documents to meet the minimum requirement, you can upload the under-sized
training set multiple times. For example, consider a case where you have the category of content "Sales Forecasts."
For this category you have collected 25 positive spreadsheets and 50 negative documents. In this case, you can upload
the positive training set twice to reach the minimum document threshold and equal the number of negative documents.
Note that you should use this technique for development and testing purposes only. Production profiles should be trained
against at least the minimum number of documents for both training sets.
Training set size guidelines lists the optimal, recommended, and minimum number of documents to include in each
training set.
NOTE
These training set guidelines assume an average document size of 3 KB. If you have larger-sized documents,
fewer in number may be sufficient.

Table 539: Training set size guidelines

Positive example documents: minimum 50, recommended 250
Negative example documents: minimum 50, recommended 250
Total number of documents for the category: minimum 100, recommended 500

Recommendations for uploading documents for training
While you can upload individual documents to the Enforce Server for training, it is recommended that you upload a
document archive (ZIP, RAR, TAR) that contains the example documents for each training set. The maximum upload size
is 30 MB. There is no training set size limit.
To gather the documents for training, it is recommended that you create a staging area. For example, consider a category
called "Sales Reports." In this case you would create a folder called \VML\training_stage\sales_reports that
represents the category. Within this folder you would create two subfolders, one for the positive training set and the other
for the negative training set (for example: \VML\training_stage\sales_reports\positive). When you are ready
to train the profile, you compress the positive subfolder and the negative subfolder into separate document archives.
You can partition the training set across archives if you have more than 30 MB of data to upload for a training set. Do not
embed an archive within an archive.

Guidelines for profile sizing


Before you train a VML profile, you can adjust the amount of memory allocated to the profile. The amount of memory you
allocate determines how many features the system models, which in turn affects the size of the profile. The higher the
memory allocation setting, the more in-depth the feature extraction and the plotting of the model, and the larger the profile.
In general, for server-based policy detection, the recommended memory allocation setting is high, which is the default
setting.
On the endpoint, the VML profile is deployed to the host computer and loaded into memory by the DLP Agent. (Unlike
EDM and IDM, VML does not rely on two-tier detection for endpoint policies.) Because memory on the endpoint is limited,
the recommendation is to allocate low or medium memory for endpoint policies. Internal testing has shown that reducing
the memory allocation does not reduce the accuracy of the profile and may improve accuracy in certain situations.

Table 540: Memory allocation recommendations

High: Default setting; generally appropriate for server-based detection.
Medium: Use this setting to reduce the size of the profile.
Low: Use this setting for endpoint detection.

Recommendations for accepting or rejecting a profile


When you train a VML profile against the category content, the system selects features, creates the model, and calculates
the base accuracy rates for false positives and negatives. Base accuracy rates are calculated using a standard and
generally accepted process called k-folds evaluation. The base accuracy rates provide you with an early indicator of the
quality of your category training sets.
To illustrate how the k-folds evaluation process works, assume that you have a category with 500 total example
documents: 250 positive and 250 negative. During the training run, the system divides the training set into 10 folds. Each
fold is a distinct subset of the overall training set and contains both positive and negative example documents. The system
uses nine folds to generate a VML profile, and one fold to test the profile. Any of the folds can become the test fold for the
first round of evaluation. For the next round, the next fold in the queue becomes the test fold. This process repeats for all
10 folds. The system performs a final training run called the cross-fold, averages the results of all folds, and generates the
final model.
On successful completion of the training process, the system displays the averaged accuracy rates and prompts you to
accept or reject the training profile. The false positive accuracy rate is the percentage of negative test documents that are
misclassified as positive. The false negative rate is the percentage of positive test documents that are misclassified as
negative. As a general guideline, you should reject the training profile if either rate is more than 5%.

NOTE
You can use the log file machinelearning_training.log to evaluate per-fold training accuracy rates.
Log files for troubleshooting VML training and policy detection

Guidelines for Accepting or Rejecting Training Results


You decide to accept or reject a training profile based on the false positive and false negative percentages that the system
displays to you at the end of the training process.
About the Similarity Threshold and Similarity Score
To better understand how the system calculates the Machine Learning Profile training set accuracy rates, consider the
following example.
You have a training set that includes 1000 documents, 500 positive and 500 negative. When you train the profile, the
system takes 90% of the documents, extracts the features, and creates a model. It takes the remaining 10% of the
documents and evaluates their features against the model for similarity. It then produces false positive and false negative
accuracy rates. This process is known as the "fold." For each training set, the system evaluates ten folds, each time
comparing a different 10% of the documents against the 90%. At the end of the cycle, the system performs a cross-
fold evaluation of all ten folds. It then produces an average accuracy percentage rate for both the positive and negative
categories.
Assume that the result of the training process yields a base false positive rate of approximately 1.2% and a base false
negative rate of approximately 1%. On average, 1.2% of the negative documents in the training set are mis-categorized as
positive, and 1% of the positive documents in the training set are mis-categorized as negative. While the goal is 0% for both rates,
in general a percentage rate under 5% for each category is acceptable.
The percentages that are produced at the end of the training process are averages across the 10 folds. Rather than
relying on the general 5% rule of thumb, the better practice is to review the percentage rate results for each fold. To review
the percentage rates, examine the log file \ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\logs\debug\mld0.log (Windows)
or /var/log/Symantec/DataLossPrevention/DetectionServer/16.0.10000/debug/mld0.log (Linux). As shown below, the individual fold rates give a reading
for each of the ten folds on which you can base your decision to accept or reject the profile.

Table 541: Training set accuracy evaluation process

Fold evaluation     False positive rate      False negative rate
Fold 0              2.013422727584839        0.0
Fold 1              1.3513513803482056       1.7857142686843872
Fold 2              1.3513513803482056       0.8928571343421936
Fold 3              1.3513513803482056       1.7857142686843872
Fold 4              1.3513513803482056       0.8928571343421936
Fold 5              1.3513513803482056       2.6785714626312256
Fold 6              0.0                      0.0
Fold 7              0.6756756901741028       0.0
Fold 8              1.3513513803482056       0.8928571343421936
Fold 9              1.3513513803482056       1.8018018007278442
Cross-fold (avg)    1.214855808019638        1.0730373203754424
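The per-fold review described above, as an added example that is not part of the product: it parses fold lines in the shape Table 541 shows, computes the cross-fold averages, and applies the 5% guideline to the averages and to each individual fold. The line format is assumed from the table; the real mld0.log layout may differ, so adjust FOLD_RE to match it.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Per-fold lines in the shape Table 541 shows. The exact layout of mld0.log or
# machinelearning_training.log is an assumption here, not taken from the product.
FOLD_RE = re.compile(
    r"Fold\s+(\d+)\s+false positive rate\s+([0-9.]+)\s+false negative rate\s+([0-9.]+)"
)


@dataclass
class FoldResult:
    fold: int
    fp_rate: float  # percent of negative test documents classified as positive
    fn_rate: float  # percent of positive test documents classified as negative


def fold_rates(n_neg: int, neg_as_pos: int, n_pos: int, pos_as_neg: int) -> Tuple[float, float]:
    """Rates for one test fold, as the text defines them: the false positive rate is
    the share of negatives misclassified as positive, the false negative rate the
    share of positives misclassified as negative, both as percentages."""
    if n_neg <= 0 or n_pos <= 0:
        raise ValueError("each test fold must hold both positive and negative documents")
    return 100.0 * neg_as_pos / n_neg, 100.0 * pos_as_neg / n_pos


def parse_fold_log(lines: Iterable[str]) -> List[FoldResult]:
    """Pick the per-fold rate lines out of a log and ignore everything else."""
    results = []
    for line in lines:
        m = FOLD_RE.search(line)
        if m:
            results.append(FoldResult(int(m.group(1)), float(m.group(2)), float(m.group(3))))
    return results


def cross_fold_average(results: List[FoldResult]) -> Tuple[float, float]:
    """Average the per-fold rates; this is the pair of numbers the console prompts on."""
    if not results:
        raise ValueError("no fold results to average")
    n = len(results)
    return sum(r.fp_rate for r in results) / n, sum(r.fn_rate for r in results) / n


def recommend(results: List[FoldResult], threshold: float = 5.0) -> Tuple[str, List[str]]:
    """Apply the guideline: reject when either average exceeds the threshold, and
    also when any single fold does, because an average can hide one bad fold."""
    reasons = []
    avg_fp, avg_fn = cross_fold_average(results)
    if avg_fp > threshold:
        reasons.append(f"average false positive rate {avg_fp:.2f}% exceeds {threshold}%")
    if avg_fn > threshold:
        reasons.append(f"average false negative rate {avg_fn:.2f}% exceeds {threshold}%")
    for r in results:
        if r.fp_rate > threshold or r.fn_rate > threshold:
            reasons.append(f"fold {r.fold}: FP {r.fp_rate:.2f}% / FN {r.fn_rate:.2f}% exceeds {threshold}%")
    return ("reject" if reasons else "accept"), reasons


# Constructed sample log built from the Table 541 values, with unrelated lines mixed in.
SAMPLE_LOG = """\
INFO training started, 10 folds
Fold 0 false positive rate 2.013422727584839 false negative rate 0.0
Fold 1 false positive rate 1.3513513803482056 false negative rate 1.7857142686843872
Fold 2 false positive rate 1.3513513803482056 false negative rate 0.8928571343421936
Fold 3 false positive rate 1.3513513803482056 false negative rate 1.7857142686843872
Fold 4 false positive rate 1.3513513803482056 false negative rate 0.8928571343421936
Fold 5 false positive rate 1.3513513803482056 false negative rate 2.6785714626312256
Fold 6 false positive rate 0.0 false negative rate 0.0
Fold 7 false positive rate 0.6756756901741028 false negative rate 0.0
Fold 8 false positive rate 1.3513513803482056 false negative rate 0.8928571343421936
Fold 9 false positive rate 1.3513513803482056 false negative rate 1.8018018007278442
INFO cross-fold run complete
""".splitlines()

# Constructed second run: both averages are under 5%, but fold 5 on its own is not.
SKEWED_LOG = [
    f"Fold {i} false positive rate 1.0 false negative rate {7.5 if i == 5 else 0.5}"
    for i in range(10)
]

if __name__ == "__main__":
    for name, log in (("table 541", SAMPLE_LOG), ("skewed", SKEWED_LOG)):
        res = parse_fold_log(log)
        avg_fp, avg_fn = cross_fold_average(res)
        verdict, why = recommend(res)
        print(f"{name}: avg FP {avg_fp:.4f}%  avg FN {avg_fn:.4f}%  -> {verdict} {why}")
```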

Recommendations for deploying profiles
Accepted VML profiles are transferred to every detection server and Symantec DLP Agent even if those profiles are not
required by the active policies on that server or endpoint. Detection servers load all VML profiles into memory regardless
of whether or not any associated VML policies are deployed to those servers. DLP Agents only load the VML profiles that
are required by an active policy. To optimize server performance, it is recommended not to deploy (accept) unnecessary
VML profiles and to remove any accepted (deployed) VML profiles that are not required by active policies.
In addition, when you change the Similarity Threshold, the system re-syncs the entire profile with the detection servers
and DLP Agents. If you have a large VML profile and possible bandwidth limitations (for example, deployment to many
endpoints), this may cause network congestion. In this case you should test and tune the profile at a select few endpoints
before deploying the profile into production at every endpoint on your network.

About Form Recognition detection


Form Recognition provides the ability to detect forms that contain sensitive information, such as tax forms, medical forms,
insurance forms, and so on.
Form Recognition detects form images in a variety of image formats, including the following:
• Microsoft Office documents
• PDF (version 1.2 and later only)
• PDFs that use the AcroForms format
• XFA (Only the hard-copy image, that is, the image that you would see if you printed the form, is supported. Soft copies,
such as fillable forms, are not supported. Text extraction from XFA is also not supported.)
• JPEG (.jpg, .jpeg)
• PNG
• TIFF (single page or multi-page, .tif or .tiff)
• Bitmap (.bmp, .dib)
Form Recognition is available for Network Monitor, Network Prevent for Email, Network Prevent for Web, and Network
Discover. Form Recognition is not available for Endpoint Discover, Endpoint Prevent, or any cloud detectors.
Configuring Form Recognition detection

How Form Recognition works


Symantec Data Loss Prevention analyzes the features of your blank forms and stores the results as key points in the
Form Recognition profile. This process is called indexing. Then the detection server compares images in network traffic
or stored in data repositories to the forms you have indexed. The extent to which the detected form matches the key points of
the indexed blank form is called the alignment. By default, 85% of the key points must match or align for the form to be
considered a match.
The comparison between the detected image and the indexed blank form also allows Symantec Data Loss Prevention
to determine how much of the form has been filled in. The fill threshold is represented as a range from 1-10, where 1 is
a minimally filled-in form, and 10 is an entirely filled-in form. You use the fill threshold to specify when Symantec Data
Loss Prevention creates an incident. A low fill threshold creates more incidents by detecting partially filled-in, electronically
fillable forms with at least one check-box filled, or incomplete forms. A high fill threshold creates fewer incidents, but may
not catch all possible data loss. A fill threshold of 0 detects all matching forms, including blank forms. By default, the fill
threshold for a Form Recognition profile is 1. You can specify another value when you create a profile. You can also adjust
this value for an existing profile to fine-tune your detection results.
Configuring Form Recognition detection
Managing Form Recognition profiles

Configuring Form Recognition detection
To configure Form Recognition, you collect a blank set of forms that you want to protect and add them to a ZIP archive
of single-page PDF files. This ZIP archive is called a Gallery Archive. You then upload your gallery archive to a Form
Recognition profile on the Enforce Server for indexing. The Enforce Server indexes your forms and pushes the index out
to your detection servers. You also specify the fill threshold for the profile: the fill threshold specifies how much of the form
must be filled to trigger an incident.
Form Recognition workflow provides a high-level workflow for configuring Form Recognition detection:

Table 542: Form Recognition workflow

Step 1 - Collect and prepare blank copies of the forms you want to protect.
         More information: Preparing a Form Recognition Gallery Archive
Step 2 - Configure a Form Recognition profile. Specify the Gallery Archive with the forms you want to detect and a
         Fill Threshold for creating incidents.
         More information: Configuring a Form Recognition profile
Step 3 - Configure a policy with a Form Recognition detection or exception rule using your Form Recognition profile.
         More information: Configuring the Form Recognition detection rule; Configuring the Form Recognition exception rule

Preparing a Form Recognition Gallery Archive


The Form Recognition gallery archive is a ZIP archive containing single-page PDF copies of the blank forms you want to
protect. You use the gallery archive to create a Form Recognition profile.
Symantec recommends that you index no more than 500 total images across all Form Recognition profiles. To improve
performance, Symantec recommends creating fewer profiles that contain more forms, rather than more profiles that
contain fewer forms.
For best results, ensure that the form images in your gallery archive meet the following guidelines:
• The PDF files containing the form images should be at least 200 DPI.
• Forms with electronically fillable fields must be in AcroForm format. Other interactive form formats are not supported
for detection.
• Each form should have a sufficient amount of text and graphical content. Sparse forms may cause more false
matches.
• Each form should contain unique content. Forms that share very similar content are harder to match and may cause
more false matches. For example, tax forms from 2014 and 2015 would share many similar features, and would be
difficult to detect if they were in the same profile.
• Each form should have content evenly distributed across the page. Forms with clustered content and sparse areas are
more difficult to match.
• Each form should have either white or light-colored backgrounds. Black or dark backgrounds are not supported.
To prepare a Form Recognition Gallery Archive
1. Collect blank copies of the forms you want to detect.
2. Save all blank copies of forms as PDF files. Consider the following guidelines as you prepare PDF files:
• The gallery must only contain PDF files. Symantec Data Loss Prevention ignores any other folders and files in the
ZIP archive.
• If a form has two or more pages, separate them into single-page files, then convert to PDF format.

For example, if your form is a single three-page Microsoft Word file titled YourForm.docx, separate the file into
three separate single-page files, then convert them to PDF:
– YourForm_1of3.PDF
– YourForm_2of3.PDF
– YourForm_3of3.PDF
• If your form contains electronically fillable fields, use a PDF editing tool for the conversion process that retains
AcroForms formatting, for example Adobe Acrobat.
• If your form includes several pages of un-fillable boilerplate, only add the fillable pages to your gallery archive.
3. Add all single-page PDF files to a ZIP archive.
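A checker for the gallery archive rules above, added here as an example and not part of Symantec Data Loss Prevention: it lists the entries the product would ignore, confirms each .pdf entry carries a PDF header, and estimates page counts from the page tree's /Count entry (a heuristic for simple uncompressed PDFs, not a full PDF parser). The sample archive and PDF bytes are constructed.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

MAX_RECOMMENDED_IMAGES = 500  # Symantec's guideline across all Form Recognition profiles

# /Count in a /Pages node; the root page-tree node carries the total. This is a
# heuristic for simple, uncompressed PDFs; object streams can hide the entry.
PAGE_COUNT_RE = re.compile(rb"/Type\s*/Pages\b[^>]*?/Count\s+(\d+)")


@dataclass
class GalleryReport:
    pdfs: List[str] = field(default_factory=list)      # entries that will be indexed
    ignored: List[str] = field(default_factory=list)   # non-PDF entries DLP skips
    problems: List[str] = field(default_factory=list)  # fix these before uploading


def estimate_page_count(pdf_bytes: bytes) -> Optional[int]:
    """Best-effort page count; None means the page tree could not be read."""
    counts = [int(m.group(1)) for m in PAGE_COUNT_RE.finditer(pdf_bytes)]
    return max(counts) if counts else None


def check_gallery(zip_bytes: bytes) -> GalleryReport:
    rep = GalleryReport()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not info.filename.lower().endswith(".pdf"):
                rep.ignored.append(info.filename)  # ignored by DLP, harmless but noisy
                continue
            data = zf.read(info)
            if not data.startswith(b"%PDF-"):
                rep.problems.append(f"{info.filename}: .pdf extension but no PDF header")
                continue
            pages = estimate_page_count(data)
            if pages is None:
                rep.problems.append(f"{info.filename}: page count unknown, check it manually")
            elif pages != 1:
                rep.problems.append(f"{info.filename}: {pages} pages, split into single-page files")
            rep.pdfs.append(info.filename)
    if not rep.pdfs:
        rep.problems.append("archive contains no PDF files to index")
    if len(rep.pdfs) > MAX_RECOMMENDED_IMAGES:
        rep.problems.append(f"{len(rep.pdfs)} forms exceeds the recommended {MAX_RECOMMENDED_IMAGES}")
    return rep


def minimal_pdf(pages: int) -> bytes:
    """Constructed stand-in for a form PDF: enough structure for the checks above."""
    kids = " ".join(f"{3 + i} 0 R" for i in range(pages))
    parts = [b"%PDF-1.4\n",
             b"1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n",
             f"2 0 obj<</Type/Pages/Kids[{kids}]/Count {pages}>>endobj\n".encode()]
    parts += [f"{3 + i} 0 obj<</Type/Page/Parent 2 0 R>>endobj\n".encode() for i in range(pages)]
    parts.append(b"trailer<</Root 1 0 R>>\n%%EOF\n")
    return b"".join(parts)


def build_sample_gallery() -> bytes:
    """Constructed archive: two good single-page forms, one unsplit multi-page form,
    and two entries DLP would ignore."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("YourForm_1of3.PDF", minimal_pdf(1))
        zf.writestr("YourForm_2of3.PDF", minimal_pdf(1))
        zf.writestr("IntakeForm_all_pages.pdf", minimal_pdf(3))
        zf.writestr("notes/README.txt", b"not a form")
        zf.writestr("scan.jpg", b"\xff\xd8\xff")
    return buf.getvalue()


if __name__ == "__main__":
    report = check_gallery(build_sample_gallery())
    print("will index:", report.pdfs)
    print("ignored:   ", report.ignored)
    print("problems:  ", report.problems)
```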

Configuring a Form Recognition profile


Configure a Form Recognition profile by uploading a Gallery Archive and specifying a Fill Threshold.
Preparing a Form Recognition Gallery Archive
To configure and index a Form Recognition profile
1. Navigate to Manage > Data Profiles > Form Recognition to display the Form Recognition Profiles screen.
2. Click Add Profile to display the Configure Form Recognition Profile page.
3. Enter a name for the profile in the Name field.
NOTE
The name you enter is used when you configure policies and appears in the incident snapshot for Form
Recognition incidents.
4. (Optional) Enter a description for the profile in the Description field.
5. Enter a value in the Fill Threshold field.
The fill threshold is a range from 1-10, where 1 represents a form that has been filled in minimally, and 10 a form that
has been filled in completely. You can also enter 0 to detect blank forms.
NOTE
For electronically filled forms, entering 1 for the fill threshold detects any electronically filled item on a form.
For example, setting the threshold to 1 detects a single selected check-box. In contrast, setting the threshold
to 1 may not detect a similar check-box that has been filled in using a pen.
6. Upload the gallery archive by clicking Browse and selecting the gallery archive ZIP file.
7. Click Save to begin indexing the profile.
When the gallery completes indexing, you can use it to configure a Form Recognition rule in a policy.
Configuring the Form Recognition detection rule

Configuring the Form Recognition detection rule


You configure the detection rule by specifying a Form Recognition profile.
Configuring a Form Recognition profile
The indexed forms in the profile are compared against detected forms to determine if the forms match. The Form
Recognition rule matches on attachments only.
1. Go to Manage Policies > Policy List, click New, and create a new blank policy or policy from a template.
Adding a new policy or policy template

2. Click Add Rule on the Detection tab to display the Configure Policy - Add Rule page.
3. Select Detect using Form Recognition Profile in the Form Recognition section. Then select the Form Recognition
profile that contains the forms you want to protect.
4. Click Next to display the Configure Policy - Edit Rule page.
5. Enter a name for the rule in the Rule Name field.
6. Choose the rule severity.
Policy severity
7. Select the conditions for the Form Recognition detection rule.
You can use the Also Match field to configure compound match rules. Compound rules
8. Click OK to add the detection rule.
9. Click Save to apply the detection rule to the policy.
The new policy displays in the Policy List.

Configuring the Form Recognition exception rule


You configure the exception rule by specifying a Form Recognition profile.
Configuring a Form Recognition profile
To configure the Form Recognition exception rule
1. Go to Manage Policies > Policy List, click New, and create a new blank policy or policy from a template.
Adding a new policy or policy template
2. Click Add Exception on the Detection tab to display the Configure Policy - Add Exception page.
3. Select Detect using Form Recognition Profile in the Form Recognition section and select the Form Recognition
profile that contains the forms you want to protect.
4. Click Next to display the Configure Policy - Edit Exception page.
5. Enter a name for the exception in the Exception Name field.
6. Select the conditions for the Form Recognition detection rule.
You can use the Also Match field to configure compound rules. Compound rules
7. Click OK to add the exception rule.
8. Click Save to apply the detection rule to the policy.
The new policy displays in the Policy List.

Managing Form Recognition profiles


The Form Recognition Profiles screen at Manage > Data Profiles > Form Recognition provides a summarized view of
all Form Recognition profiles. You can use this screen to confirm that a profile was indexed successfully, view the indexing
status, and so on.

Table 543: Form Recognition Profiles details

Element Description

Add Profile Click Add Profile to configure a new Form Recognition profile.
Configuring a Form Recognition profile
Show Entries Select a value from Show Entries to specify the number of profiles you can
view on this page.
Page navigation Use the following buttons to change the view of profiles:
• Click Last to view profiles with the most recent dates in ascending order.
• Click a number to navigate to that specific page number.
• Click Next to view the next page.
• Click Previous to view the previous page.
Profile Name Click the Profile Name to view or edit the profile.
Note: Sort column data in ascending order (A-Z/1-3) by clicking the up arrow or
descending order (Z-A/3-1) by clicking the down arrow.

Description The profile description. Edit the description by clicking the profile name or the
pencil icon in the Actions column.
State Each profile displays one of the following states:
• Gallery missing or invalid displays when indexing for the profile has failed.
The gallery did not upload because the ZIP archive is invalid.
• Indexing not started displays when indexing for the profile did not start.
The uploaded gallery did not process.
• Indexing in progress displays when the uploaded gallery is indexing.
• Profile indexed displays when indexing for this profile is complete and the
index was successfully created.
• Invalid gallery displays when indexing for the profile failed. The uploaded
gallery did not start indexing because it is invalid.
• Index contains no images displays when indexing for the profile failed. The
uploaded gallery did not index because it contains no compatible files.
• Indexing failed displays when indexing for this profile failed. The uploaded
gallery was not indexed.
• Indexing found some unusable files displays when indexing for the profile
completes with errors. Some of the files in the uploaded gallery cannot be
indexed.
Gallery The gallery archive name.
You cannot edit the gallery name. You can upload a new gallery or an existing
gallery that has been renamed by clicking the profile name or the pencil icon in
the Actions column.
Usable Forms Count The total number of form images in the gallery that have been indexed without
errors and can be used in a policy.
Date Indexed The date when the profile was last indexed.
Index Version The version number of the index.
Fill Threshold The fill threshold value that you provided when you configured the Form
Recognition profile. You can edit this value by clicking the profile name or the
pencil icon in the Actions column.
Actions Click the Pencil to edit profile details.
Click the red X to delete a profile. If you delete a profile, the system removes the
profile metadata and gallery from the Enforce Server.

Advanced server settings for Form Recognition
Some of the default Form Recognition server settings might require testing and fine-tuning to determine what works
best for your needs. You can modify these settings on the System > Servers and Detectors > Overview > Server/
Detector Detail - Advanced Settings page. Symantec recommends that you contact Symantec Technical Support before
modifying any advanced server settings.
There are nine advanced settings related to Form Recognition:
• ContentExtraction.ImageExtractorEnabled
• ContentExtraction.MaxNumImagesToExtract
• FormRecognition.ALIGNMENT_COEFFICIENT
• FormRecognition.CANONICAL_FORM_WIDTH
• FormRecognition.MAXIMUM_FORM_WIDTH
• FormRecognition.MINIMUM_FORM_ASPECT_RATIO
• FormRecognition.MINIMUM_FORM_WIDTH
• FormRecognition.OPENCV_THREADPOOL_SIZE
• FormRecognition.PRECLASSIFIER_ACTION

Viewing a Form Recognition incident


You view and remediate Form Recognition incidents as you would any Symantec Data Loss Prevention incident.
In addition to the usual incident snapshot information, Form Recognition incidents include:
• Yellow highlighted areas on the form, which indicate form elements that align and electronic fields that have been filled.
• Orange highlighted areas on the form, indicating questionable areas.
• A Similarity Score which indicates how similar the form elements are. The higher the score, the more statistically
similar the field contents are to the form fields.

About Content Detection with On Premises OCR


Optical character recognition (OCR) for Symantec Data Loss Prevention gives you the capability to extract the text from
images.
You can extract the text from scanned documents, screenshots, pictures, Microsoft Office documents, and from PDFs. You
can use new or preexisting text-based detection rules on this content.
The extracted text then enters the detection chain and is processed identically to conventionally extracted text. Incident
snapshots for the OCR text are similar to snapshots for conventionally extracted text: the text excerpt is displayed, with
the detected words highlighted. OCR incidents have visual indicators denoting that the text came from OCR, and a
thumbnail of the original image.
You can set up on premises OCR to use various languages. To improve recognition results, you can also choose a
specialized dictionary (such as legal, financial, or medical) to enable supplemental spell checking. You can also set up a
customized dictionary to deal with proper nouns or other terms specific to your business.
While the OCR content extraction can integrate with both Windows and Linux detection servers, Symantec supports
installing the OCR Server on Windows servers only. OCR content extraction is not supported on the DLP Agents or the
Data Loss Prevention virtual appliances.
About Image Quality and Resolution for OCR
You get more accurate results from Data Loss Prevention OCR by using high-quality and high-resolution images. The
resolution requirements for detecting images with OCR vary depending on the language of the document.

For languages that use the Latin character set, a minimum character height of 18 pixels for capital letters is required. A
minimum character size of 30 pixels by 30 pixels is required. A character size of 48 pixels by 48 pixels is recommended
for languages that do not use the Latin character set.

Specific Guidelines for OCR Content Detection

Image Quality and Resolution and Western Language (Latin Character Set) Resolution Guidance
There should be a minimum of 18 pixels vertical for any upper case Latin character. There should be up to a maximum
of 8400 pixels for the entire page. The best resolution for black and white images is 300 dpi or 400 dpi. For grayscale or
color images, the optimal recognition resolution is from 150 dpi to 300 dpi.
CJK Language Resolution Guidance
For reliable CJK text detection in an image, the language body text should be 12 points ("small four" in a Chinese size
name). The text should be scanned at 300 dpi, resulting in characters with around 48 x 48 pixels. The minimum pixel
count is about 30 x 30; that is 7.5 points at 300 dpi.
OCR Image Resolution Guidance
For all OCR languages: any image smaller than 16 x 16 pixels or larger than 8400 x 8400 is not detected.
Image Orientation, Scripts, and Typefaces
Image orientation is known to work in most situations. We are unable to provide an exact number since there are many
factors that influence OCR. These factors include resolution, sharpness, and noise in the image. Text extraction can work
with most scripts and typefaces, as long as there is no overlap and characters can be individually distinguished.
Number of Languages Per Image
OCR works on determining the dominant language in the image and does the text extraction for that language. The
selection of dominant language is based on many factors such as resolution, font size, sharpness, and noise.
Image Transformations
Text is extracted in the dominant language, as long as the image is sharp and has an acceptable quality and resolution.
See About content detection with OCR in the Cloud to learn more about deploying OCR in the cloud.

Installing an On Premises OCR Sensitive Image Recognition License


When you first purchase Symantec Data Loss Prevention, upgrade to a later version, or purchase another product
module, you must install one or more Symantec Data Loss Prevention license files. To use OCR (optical character
recognition), you must install the Symantec Data Loss Prevention OCR Sensitive Image recognition license. License files
have names in the format name.slf.
NOTE
If you have already installed an OCR license for on premises detection, you do not need to install a new license
to use OCR in the Cloud.
Installing a new license file

Setting Up On-Premises OCR Servers


On-premises OCR content extraction requires the installation of an OCR Server. You configure the OCR Server (micro
service) from the Enforce Server administration console.
A single OCR Server can be installed on a separate computer, or on the same computer as the detection server (not
recommended). Symantec recommends that you install the OCR Server on hardware that is dedicated to the OCR Server.

You can also install the OCR Server on VMs with dedicated resources. Dedicated resources are necessary because of its
high processing requirements.
Configuration information is included with the request. OCR Servers can service requests from different detection servers
that are configured differently.
For example, you can configure one detection server to detect English with the highest possible OCR accuracy. Then, you
can configure another detection server to detect Japanese, with the highest possible speed. In this case, the same OCR
Server is able to handle both types of requests.
Upgrading to DLP 16.0.1
DLP 16.0.1 detection servers are compatible with 16.0.1 OCR Servers and are backward compatible with 16.0 OCR
Servers.
The OCR Server is an independent server, separate from any Data Loss Prevention detection server. You can configure
the detection server to talk to a single OCR address (IP address or host name). That address can either be a single
OCR Server, or a single load balancer in front of several OCR Servers. You can use an external load balancer or another
technology, such as Windows Network Load Balancing. You can configure a detection server with only a single OCR
Server address.
NOTE
Only load balancers with persistence disabled are supported.
You install an OCR Server using the Symantec DLP OCR Server Installer setup wizard.
1. Export and save the private keys, certificates, and trusted certificates from the 16.0 OCR server.
This step is optional. Use this step if the same TLS certificates and keys are to be used by the new OCR server. A
certificate is required for communication between the OCR client on the Enforce Server and the OCR Server. See
Exporting Private Keys, Certificates, and Trusted Certificates from a 15.x OCR Server.
2. Click OCRServer.msi.
3. Click Next.
4. Accept the agreement and click Next.
5. Select the desired Destination directory.
6. Click Next.
7. Select the desired Default data directory.
8. Click Next.
9. Click Install. The installer runs.
10. Click Finish when the installation is complete.

Now the OCR service is running and is ready to receive OCR requests.
NOTE
If you want to run the installer from the command line, it must be called with these arguments:
msiexec /i OCRServer.msi /qn /norestart /L*v log.txt INSTALLATION_DIRECTORY="C:\installdir"

In general, Installing a detection server on Windows applies to the OCR Server. The one exception is that the only
installation parameter for the OCR Server is INSTALLATION_DIRECTORY.
Creating an OCR configuration

Exporting Private Keys, Certificates, and Trusted Certificates from a 15.x OCR Server
Export private keys, certificates, and trusted certificates from 15.x OCR Servers and save them to your 16.0 OCR Servers.

DLP 16.0 TLS Credential Format


The formats that are required for TLS credentials in DLP 16.0 are different from those formats that are required in DLP
15.x.
• OCR Server: The OCR Server now requires that the TLS keypair is in the form of a separate certificate file and an
encrypted private key file. The format of these files should be PEM (Privacy Enhanced Mail), a text format with the
base64-encoded content. This requirement is different from the old use of the Java keystore and truststores in .jks
format.
• OCR client: The detection server continues to use .jks keystores and truststores in DLP 16.0. In addition, there
is a new requirement on the trusted OCR server certificate that may invalidate an existing truststore. The OCR
server TLS certificate is now required to contain the Subject Alternative Name (SAN) X.509 extension. This value must
match the hostname of the OCR server. Alternatively, the expected value can be specified in
Protect/config/OCRDetection.properties.

Exporting Existing 15.x TLS credentials


If the TLS certificate that is used by the OCR Server satisfies the requirements that are listed earlier, the credentials can
be exported for use in DLP 16.0. On the OCR server, locate the .jks keystore (specified by server.ssl.key-store in
Protect/config/OCR.properties) and perform the following steps:
Extract the OCR Server and Client Certificates
You must know the entry aliases for:
• The OCR server keypair entry, and
• The trusted client certificate entry (if a client-side authentication is used).
Repeat the following command for both to extract the OCR server certificate and trusted client certificate:
keytool -list -rfc -alias [ENTRY ALIAS] -keystore [EXISTING KEYSTORE FILEPATH] -storepass [EXISTING KEYSTORE PASSWORD] > cert.crt

Extracting the OCR server private key is a two-step process:


1. Convert the existing JKS keystore to PKCS#12 keystore (using keytool).
2. Convert the PKCS#12 keystore to a PKCS#12 encrypted key (using openssl).

keytool -importkeystore -srckeystore [EXISTING KEYSTORE FILEPATH] -destkeystore [NEW PKCS#12 FILEPATH] -deststoretype pkcs12

openssl pkcs12 -in [PKCS#12 FILEPATH from above] -nocerts -out [NEW PRIVATE KEY FILEPATH] -keypbe aes-128-cbc

Ensure that the private key is encrypted using strong PBES2 (Password-Based Encryption, PKCS#5 v2.0).
From the OCR server side, you should now have an OCR server certificate, encrypted private key, and a trusted OCR
client certificate. The certificate should contain one or more -----BEGIN CERTIFICATE----- blocks. The encrypted key
should contain -----BEGIN ENCRYPTED PRIVATE KEY-----.
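An offline sanity check for the exported files, covering both the DLP 16.0 credential format requirements listed earlier and the export steps above; this is an added example, not Symantec's code. It checks the PEM markers, that the key block is PBES2-encrypted, and that the certificate carries a SAN extension (presence only, by scanning the DER for the extension OID; it does not compare the SAN value with the hostname). The sample DER blobs are constructed stand-ins, not real certificates or keys.

```python
import base64
import binascii
import re
from typing import List

CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
ENC_KEY_BLOCK = re.compile(
    r"-----BEGIN ENCRYPTED PRIVATE KEY-----\s*(.*?)\s*-----END ENCRYPTED PRIVATE KEY-----", re.S)
# Markers of unencrypted key material, which must not appear in the exported file.
PLAIN_KEY_MARKERS = ("-----BEGIN PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----",
                     "-----BEGIN EC PRIVATE KEY-----")

# DER-encoded OIDs (tag 0x06, length, value), searched for as byte substrings.
PBES2_OID_DER = bytes.fromhex("06092a864886f70d01050d")  # 1.2.840.113549.1.5.13 PBES2 (PKCS#5 v2.0)
SAN_OID_DER = bytes.fromhex("0603551d11")               # 2.5.29.17 subjectAltName


def _decode_block(b64_text: str) -> bytes:
    return base64.b64decode("".join(b64_text.split()), validate=True)


def check_certificate_pem(text: str) -> List[str]:
    """Return problems with an exported OCR server certificate file (empty list = fine)."""
    errors = []
    blocks = CERT_BLOCK.findall(text)
    if not blocks:
        return ["no BEGIN CERTIFICATE block found"]
    for i, b64 in enumerate(blocks):
        try:
            der = _decode_block(b64)
        except binascii.Error:
            errors.append(f"certificate {i}: body is not valid base64")
            continue
        if not der.startswith(b"\x30"):
            errors.append(f"certificate {i}: body is not a DER SEQUENCE")
        if SAN_OID_DER not in der:
            errors.append(f"certificate {i}: no Subject Alternative Name extension present")
    return errors


def check_encrypted_key_pem(text: str) -> List[str]:
    """Return problems with an exported private key file: it must be an encrypted
    PKCS#8 key, and that encryption must be PBES2."""
    errors = [f"unencrypted key material present ({m})" for m in PLAIN_KEY_MARKERS if m in text]
    m = ENC_KEY_BLOCK.search(text)
    if not m:
        errors.append("no BEGIN ENCRYPTED PRIVATE KEY block found")
        return errors
    try:
        der = _decode_block(m.group(1))
    except binascii.Error:
        errors.append("encrypted key body is not valid base64")
        return errors
    if PBES2_OID_DER not in der:
        errors.append("encrypted key does not use PBES2 (PKCS#5 v2.0)")
    return errors


def pem_wrap(label: str, der: bytes) -> str:
    """Wrap DER bytes in a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed stand-ins with just enough DER structure for the checks above.
SAMPLE_CERT_DER = bytes.fromhex("3008") + SAN_OID_DER + bytes.fromhex("0101ff")
SAMPLE_PBES2_KEY_DER = (bytes.fromhex("3013") + bytes.fromhex("300b") + PBES2_OID_DER
                        + bytes.fromhex("0404deadbeef"))
SAMPLE_PBES1_KEY_DER = (bytes.fromhex("3013") + bytes.fromhex("300b")
                        + bytes.fromhex("06092a864886f70d010503")  # pbeWithMD5AndDES-CBC (PBES1)
                        + bytes.fromhex("0404deadbeef"))

if __name__ == "__main__":
    print("cert:", check_certificate_pem(pem_wrap("CERTIFICATE", SAMPLE_CERT_DER)) or "ok")
    print("PBES2 key:", check_encrypted_key_pem(pem_wrap("ENCRYPTED PRIVATE KEY", SAMPLE_PBES2_KEY_DER)) or "ok")
    print("legacy key:", check_encrypted_key_pem(pem_wrap("ENCRYPTED PRIVATE KEY", SAMPLE_PBES1_KEY_DER)))
```

To compare the SAN value itself with the OCR server hostname, read it from the real exported file with openssl x509 -noout -ext subjectAltName -in cert.crt.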

See Setting Up TLS Trust.

Using Diagnostics for Sizing OCR Server Deployments


You can measure image traffic data to help you better understand your OCR environment sizing needs. When you enable
the advanced setting OCR.RECORD_REQUEST_STATISTICS, the results appear in the OCR log. The resulting values can be
used in the OCR Server Sizing Estimator spreadsheet to help you determine how to size your OCR Server deployment.
When you enable OCR.RECORD_REQUEST_STATISTICS on a given detection server, the detection server starts logging.
The detection server collects metrics on the images that it encounters if they are suitable for OCR submission. Not all
images that the detection server encounters are suitable for OCR submission. For example, images that are the wrong
dimensions or are unlikely to contain text that can be transcribed are not submitted to OCR for processing.
You can measure the proportion of files and messages that Data Loss Prevention inspects and that contain images
suitable for OCR submission. The resulting metrics can be used to help you properly size and scale your OCR Server
deployment. First, set the OCR.RECORD_REQUEST_STATISTICS Advanced Server setting to true. Then, allow the detection
server to operate normally for one calendar week. The system collects metrics on the images that are encountered and
logs the results in the OcrRequestsRecord0.log for the last 24 hours. If you let the server run for one calendar week,
you can plot the “trailing 24 hour” data over this longer interval. This longer run enables you to see the peaks and valleys
of your potential OCR image load. During this process, no incidents are created and only the images that are suitable for
submission to OCR are counted.
NOTE
You do not have to have the Symantec Data Loss Prevention Sensitive Image Recognition add-on license to use
this feature. You can estimate sizing requirements for an OCR Server deployment before you purchase the DLP
Sensitive Image Recognition add-on license.
Sample OcrRequestsRecord0.log results shows a snapshot of an OcrRequestsRecord0.log. In the log you can see samples
of the values that you can enter in the OCR Server Sizing Estimator spreadsheet to help you to size your OCR Server
deployment.
Figure 21: Sample OcrRequestsRecord0.log results

After you run the OCR diagnostics, disable OCR.RECORD_REQUEST_STATISTICS to disable logging to the
OcrRequestRecord0.log file.
Use the following steps to run diagnostics for OCR sizing for the Network Prevent for Email, Network Prevent for
Web, and Network Monitor data-in-motion channels:

1. Go to System > Servers and Detectors > Overview and select a detection server.
2. Click Server Settings.
3. Set OCR.RECORD_REQUEST_STATISTICS to true.
4. Click Save.
5. Restart the detection server.
6. Let the detection server run for a week and collect metrics. This process works best for the data in motion channels,
such as Network Prevent for Email, Network Prevent for Web, and Network Monitor.
7. Consult the OcrRequestsRecord0.log to get the values to enter in the OCR Server Sizing Estimator spreadsheet.
8. See Using the OCR Server Sizing Estimator for instructions and a link to the sheet.
9. Enter data in the green cells from the log for the following values:
Percentage of messages containing images requiring OCR (OCR messages)
Estimated average number of images per OCR message
10. The spreadsheet calculates the number of OCR Servers that you must deploy for the image traffic of each detection
server in your Symantec Data Loss Prevention deployment.
11. Set OCR.RECORD_REQUEST_STATISTICS to false to disable logging.

You use a different technique for estimating OCR Server sizing requirements for Network Discover.
Creating a null policy to assist in OCR diagnostics for Discover Servers

Creating a null policy to assist in OCR diagnostics for Discover Servers
When you enable OCR.RECORD_REQUEST_STATISTICS on a given detection server, the detection server starts logging
and collects metrics on the images that are suitable for submission to OCR. Not all images that the detection server
encounters are suitable for submission to OCR. For example, images of the wrong dimensions or images that are unlikely
to contain text that can be transcribed are not submitted to OCR for processing.
NOTE
You can only enable OCR.RECORD_REQUEST_STATISTICS for on-premises OCR diagnostics. You cannot
enable OCR.RECORD_REQUEST_STATISTICS for the OCR cloud.
For Network Discover, you can directly measure the proportion of images that are suitable for submission to OCR for
each Discover scan target. To take this measurement, you enable the OCR.RECORD_REQUEST_STATISTICS advanced
setting before you run a scan against that target. To expedite the scan process, we recommend binding a null policy to the
Discover scan target.

Using the OCR Server Sizing Estimator


The OCR Server Sizing Estimator can help you to estimate how many OCR Servers you need for each detection server in
your deployment. Click the following link to download a ZIP file that contains the spreadsheet:
OCR Server Sizing Estimator.zip
The OCR Server has specific hardware, operating system, and server settings system requirements. These requirements
are different from the Data Loss Prevention Enforce Server and Data Loss Prevention detection server requirements.

NOTE
An OCR Server, whether it is a virtual or physical server, should not run other applications. The OCR
Server should be dedicated to OCR.
Hardware requirements
• Processor: 3.0 GHz or more
• Minimum: 4 logical cores per host
• Recommended: 8 logical cores per host
NOTE
In a hyperthreaded environment, the number of logical cores is twice the number of physical cores. In a
virtualized environment, the number of logical cores is the same as the number of vCPUs assigned to the VM
that runs OCR Server.
Physical Memory
Total required memory is a function of the number of hardware threads (logical cores), and therefore of the number of
concurrent threads that are configured to run on that host.
• Baseline memory required: 250 MB
• Memory that is required per hardware thread or logical core: 300 MB
For a VM running with 8 logical cores or VCPUs, the total memory that is required is 250 MB + 8 x 300 MB = 2.7 GB.
Disk Space
32 GB
Operating system requirements
The Symantec Data Loss Prevention OCR Server can be installed on the following versions of the Windows Server:
• Windows Server 2012 R2
• Windows Server 2016
OCR Server settings
Two OCR Server settings must be configured in the OCR.properties file at <install_dir>/Protect/config/:
• Set the value of num.ocr.workers to equal the number of logical cores.
• Set the value of server.tomcat.max-threads to equal the value of num.ocr.workers + 1.
Assumptions for using the OCR Server Sizing Estimator Spreadsheet
The OCR Server Sizing Estimator spreadsheet can help you to estimate the number of OCR Servers that you need in
your Data Loss Prevention deployment. The spreadsheet makes the following assumptions:
• Each OCR Server is deployed on a 4-physical core or 8-logical core server.
• Hyperthreading is enabled on all servers and hypervisors.
The ratio of OCR Servers to detection servers depends on the following factors:
• Percentage of messages that contain images that can be processed by one OCR Server. Not all images that are
encountered by Data Loss Prevention are sent to OCR. Small images, photos that do not contain extractable text,
and images in unsupported file formats are not sent to OCR. By default, the detection servers only extract the first 10
images (pages) from scanned multipage PDF or TIFF documents. You must estimate the percentage of images that
you expect to send to OCR for processing.
• Your acceptable rate of OCR Server timeouts.
• Estimated average number of images per message.
Factors affecting performance

A wide range of factors can greatly affect recognition, accuracy, and performance, including:
• image quality
• image resolution
• image orientation
• scripts
• typefaces
• number of languages per image
• image transformations
OCR performance and accuracy are best when processing high-contrast, high-DPI images that contain typewritten text.
Performance is also best if the text is written in a single language and the image is free of artifacts, rotations, and
other types of transformations.

Using the OCR Server Sizing Estimator


Enter the values in the green cells to compute the number of OCR Servers per detection server. You can start with the
defaults, view the logs, then tune the values for your particular situation.
1. Enter the Busy hour rate per detection server in cell B:11.
2. Enter the Percentage of messages containing images requiring OCR (OCR messages) in cell B:12.
3. Enter the Estimated average number of images per OCR message in cell B:13.
4. Enter the Average OCR time (seconds) in cell B:14.
5. Enter the Number of OCR workers in cell B:15.
6. Enter the System utilization rate in cell B:16.
When you change any of the values, the spreadsheet recalculates the Number of OCR Servers per detection server in
cell B:17.
Log files for OCR Server Sizing
• The OCR statistics are contained in the detection server log at
/var/log/Symantec/DataLossPrevention/DetectionServer/16.0.10000/OcrRequestsRecord0.log
• The OCR duration for each image is logged in the OCR server logs, such as
ocrworker-beeb3d51-1f87-4fc9-9c88-e7c5a661102e.log or ocrworker-5eafab48-e986-4fdd-8281-14b2bd4614cf.log.

OCR Server Sizing Estimator values

Table 544: Definitions of spreadsheet values

Busy hour rate per detection server
The number of messages per second that are processed when the system is at its busiest. You can get this information
from the logs.

Percentage of messages containing images requiring OCR (OCR messages)
The value in cell B:10 is the percentage of message traffic that contains images that are sent to OCR. For a Discover
scan on a repository containing only scanned images, the percentage of message traffic that contains images that are
sent to OCR is 100%. If about one email message in every 20 contains an image file that is submitted to OCR, the
percentage of message traffic that contains images sent to OCR is 5%.
This value does not count the number of images within the message. For example, if one out of every 10 messages
contains a scanned document with 10 pages, enter 10% in this field. The focus is on the percentage of messages and
not the number of images.

Estimated average number of images per OCR message
Determine this estimate based on the types of images that are processed in your deployment. For example, a 10-page
scanned PDF file contains 10 images. A single screenshot that is saved in a JPG file contains only a single image.

Average OCR time (seconds)
The average time that it takes to process an OCR image. While the default in the spreadsheet is 1.0 seconds, the
average time is usually 1.5 seconds.

Number of OCR Workers
Ideally there is 1 worker per processing or physical core. Generally, there are 8 or 16 workers to a server.

System utilization rate
This value should not be 100% because a buffer is necessary.

Number of OCR servers per detection server
Given the configured values, this is the number of OCR Servers that are required to handle each detection server.
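The hardware rules above (baseline plus per-core memory, num.ocr.workers and server.tomcat.max-threads derived from the core count) and the green-cell inputs of Table 544 can be expressed as a small calculator. The following Python is an added example, not the OCR Server Sizing Estimator spreadsheet and not Symantec's code. The memory formula and the OCR.properties rules come from the text above; the spreadsheet's own formula for the number of OCR Servers is not shown on the page, so the throughput formula below (OCR images arriving per second divided by what one server finishes per second at the chosen utilization, rounded up) is an assumption, and the sample counts are constructed.

```python
"""Added example (not Symantec's OCR Server Sizing Estimator).
Memory and OCR.properties rules follow the requirements above; the
servers-per-detection-server formula is an ASSUMPTION, because the
spreadsheet's own formula is not shown on the page."""
import math

BASELINE_MEMORY_MB = 250          # "Baseline memory required: 250 MB"
MEMORY_PER_LOGICAL_CORE_MB = 300  # "300 MB per hardware thread or logical core"


def required_memory_mb(logical_cores: int) -> int:
    """Total OCR Server memory: baseline plus a per-logical-core allowance."""
    return BASELINE_MEMORY_MB + logical_cores * MEMORY_PER_LOGICAL_CORE_MB


def ocr_properties(logical_cores: int) -> dict:
    """OCR.properties values derived from the core count, per 'OCR Server settings'."""
    return {
        "num.ocr.workers": logical_cores,
        "server.tomcat.max-threads": logical_cores + 1,
    }


def ocr_message_stats(messages_seen: int, ocr_messages: int, ocr_images: int) -> tuple:
    """Turn raw diagnostic counts (messages seen, messages carrying OCR-suitable
    images, OCR-suitable images counted) into the two green-cell inputs:
    percentage of OCR messages and average images per OCR message."""
    if messages_seen == 0 or ocr_messages == 0:
        return 0.0, 0.0
    return 100.0 * ocr_messages / messages_seen, ocr_images / ocr_messages


def ocr_servers_per_detection_server(busy_hour_rate: float, pct_ocr_messages: float,
                                     images_per_ocr_message: float, avg_ocr_seconds: float,
                                     ocr_workers: int, utilization_pct: float) -> int:
    """ASSUMED formula: images that must be OCR'd per second, divided by the images one
    server completes per second (workers / average OCR time, derated to the utilization
    target), rounded up to whole servers."""
    images_per_second = busy_hour_rate * (pct_ocr_messages / 100.0) * images_per_ocr_message
    if images_per_second == 0:
        return 0
    capacity_per_server = ocr_workers * (utilization_pct / 100.0) / avg_ocr_seconds
    return math.ceil(images_per_second / capacity_per_server)


if __name__ == "__main__":
    # Constructed inputs: an 8-core VM and a week of diagnostics that saw 2,000 messages,
    # 100 of which carried 1,000 OCR-suitable images in total (10-page scans).
    pct, per_msg = ocr_message_stats(2000, 100, 1000)
    print("memory MB:", required_memory_mb(8), ocr_properties(8))
    print("OCR servers:", ocr_servers_per_detection_server(10, pct, per_msg, 1.5, 8, 80))
```

The 8-core case reproduces the 2.7 GB figure from the requirements (2,650 MB). With the constructed traffic (10 messages per second at the busy hour, 5% OCR messages, 10 images each, 1.5 s per image, 8 workers, 80% utilization) the assumed formula needs 5 images per second against a per-server capacity of about 4.3, so two OCR Servers. Treat the spreadsheet, not this code, as authoritative for a real deployment.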

Setting up OCR Servers

OCR Server System Requirements


The OCR (optical character recognition) Server has specific hardware, operating system, and server settings
requirements, different from the Data Loss Prevention Enforce Server and detection servers. You can find the latest
information on these requirements in System Requirements for OCR Servers.
Using Diagnostics for Sizing OCR Server Deployments

File Types Supported for On Premises OCR Extraction


Images of the following file types are extracted and sent to OCR:
• JPEG (.jpg, .jpeg)
• PNG
• TIFF (single page or multi-page, .tif or .tiff)
• Bitmap (.bmp)
• Images that are extracted from container files such as ZIP, TAR, Microsoft Office, and PDF files

Detection Types Supported for On Premises OCR Extraction


The following detection types are supported for on premises OCR extraction:

• Network Monitor
• Network Prevent for Email
• Network Prevent for Web
• Network Discover
• DLP Cloud

More About Languages and Dictionaries


Instead of choosing from a pool of languages, the OCR Server assumes that all selected languages may be in the image.
This assumption is a good strategy for the mixed-language document use case. However, selecting more than four
languages is not recommended, because it can adversely affect both speed and accuracy.
Language setup and the number of supported languages differ between OCR in the Cloud and OCR on premises. For
OCR in the Cloud, you set up language preferences in the Cloud Management Portal (CMP). Currently, there is a
limit of three languages for OCR in the Cloud. For OCR on premises, you set up language preferences in the Enforce
Administration console.

Adding or Editing an On Premises OCR Configuration


You can see all of your OCR configurations on the System > Settings > OCR Engine Configuration page. On this page,
you can also:
• Click Add OCR Engine Configuration then add a name, description, and OCR server hostname to add a
configuration.
• Click the name of the configuration or the pencil icon to edit an existing configuration.
• Click the red X to delete a configuration.
Viewing OCR incidents in reports

Creating an OCR Configuration


Follow this procedure to create an OCR configuration for Symantec Data Loss Prevention.
1. Go to System > Settings > OCR Engine Configuration.
2. Click Add OCR Engine Configuration.
Configuring the OCR Engine
3. Enter the Name of the profile.
4. Enter an optional Description of the profile.
5. Enter the OCR server hostname of the server where the OCR requests should be sent. You can use a single load
balancer or an individual OCR Server.
6. Enter the Port number of the port where requests should be sent. The default port is 8555.
7. Enter the OCR Engine timeout (seconds) value. This setting defines how long before an OCR request should be
timed out. The default timeout is 25.
The timeout equals the time that the OCR Server is allowed for performing the optical character recognition on the
request. The timeout does not include transit time or other delays.
You must set the timeout in Advanced Settings. If the timeout is reached, the OCR component is skipped and the
previously extracted content moves on to detection.

8. Enter the OCR request wait timeout (seconds) value. This setting defines the amount of time a request can sit in the
queue at the OCR Server before it is rejected because of lack of worker threads. The default time-out is 5.
9. Enter a value for Accuracy vs speed. By default, the OCR Server sets the value dynamically for each document. The
Sensitive Image Recognition preclassifier on the detection server inspects each image and determines if it is suitable
for OCR content extraction (and form recognition). The preclassifier then determines which preset is most appropriate.
If you uncheck this box, you can select a preset to use for all images. You can choose from Accurate, Balanced, or
Fast. This strategy can be appropriate for Discover scans, where accuracy is prioritized over time.
10. In the Supported Languages section, select the candidate languages for OCR.
You can select one or more languages, and the OCR Server selects a language from that pool to use for the
image. Symantec assumes that documents are primarily one language (for example, all French, or all English,
as opposed to mixed English and French). The number of languages should be as small as possible. The more
languages that you select, the slower the processing speed.
Even if a Latin language is not selected, you may still get an accurate text recognition result from that language. For
example, you can select English and German and then you can submit a mixed English-French image to the OCR
Server. The OCR Server may choose English and still return some French text. The language selection affects which
Latin spell-check dictionary to use. If a character in the image is unclear, the language selection also affects the pool of
characters to choose from.
Mixed language images containing one or more non-Latin languages are not supported. You must select a non-Latin
language as the primary language for any character detection for that language. All other non-Latin and non-English
characters are discarded, regardless of the other languages selected.
When an image is detected as containing primarily a non-Latin language, English may also be returned, but at
a reduced accuracy. English is not returned for Arabic images. While this also might be true for Hebrew and Thai,
Symantec does not officially support Hebrew and Thai.
11. In the Languages and Dictionaries Specialized Dictionaries section, you enable supplemental spell checking for
different businesses (legal, financial, medical) across different languages.
12. In the Languages and Dictionaries Custom Dictionary section, specify the name of your custom dictionary file to
aid recognition accuracy. For example, if certain proper nouns give the OCR Server difficulty, you can place them in
this custom dictionary.
Using Dictionaries and spell checking improves recognition results for low-quality scans and images (such as faxes). If
the characters are crisp and clean, they are easier for the engine to read, and the Dictionaries are less useful.
13. The custom dictionary is a text file, with one entry per line. This text file must be placed in the dictionary directory of
each server at C:\Program Files\Symantec\DataLossPrevention\OCRServer\16.0.1000\Protect\bin.
After you create a configuration, use the following steps to assign a profile to a detection server.
Assign a profile to a Detection Server
14. Go to System > Servers and Detectors > Overview.
15. Select a monitor.
16. On the Server/Detector Detail page, click Configure.
17. On the Configure Server page, click OCR Engine. In OCR Engine Configuration select the configuration that you
want to use for the server.
18. Click Save.

Using the OCR engine

Viewing OCR Incidents in Reports
OCR incidents for both on premises and Cloud OCR are flagged and detected text is highlighted in yellow in incident
reports. Thumbnails of the page are included in the incident. Click the thumbnail to view a larger version of the image.
This image contains the extracted text that violates the Symantec Data Loss Prevention policy.

Setting Up TLS Trust


This section covers setting up mandatory TLS server-side authentication and optional client-side authentication for the
OCR Server.

Setting up TLS Trust Server-Side Authentication


Here are the requirements for server-side authentication:
1. A keypair is required on the OCR Server. The keypair must be in the form of a certificate file and a private key file.
– The certificate should be in PEM format. If a certificate chain is required, the PEM data must be appended into a
single file in signing order. The order should start with the end-entity (the OCR server) certificate and should go up
the chain.
– Also, the certificate MUST contain the Subject Alternative Name (SAN) X.509 extension. This value must match
the hostname of the OCR server; alternatively, the expected value can be specified in Protect/config/
OCRDetection.properties (detailed later).
– The private key file should be in an encrypted PEM format.
2. A .jks keystore is required on the detection server. The keystore must contain a trusted certificate entry matching the
certificate of the OCR server.
– For a self-signed certificate, the trusted certificate is the same certificate as the one on the OCR server. If
a certificate chain is used, only the CA certificate that completes the chain is needed.
3. An OCR Server Certificate (PEM) is required. A typical certificate is already in the PEM format.
4. An OCR Server Encrypted Private key (PEM) is required. If your private key is in an unencrypted PEM format, convert
it with the following two commands (the first exports the key and certificate into a PKCS#12 file, the second extracts
the key from that file as an encrypted PEM):
openssl pkcs12 -inkey [UNENCRYPTED KEY FILEPATH] -in [CERTIFICATE FILEPATH] -export -out [EXPORTED KEY and CERTIFICATE FILEPATH] -keypbe aes-128-cbc
openssl pkcs12 -in [EXPORTED KEY and CERTIFICATE FILEPATH] -nocerts -out [ENCRYPTED KEY FILEPATH] -keypbe aes-128-cbc

The encrypted key password must be supplied to the OCR server in Protect/config/OCR.properties file.
5. A Detection Server Truststore (.jks file) is required. Verify the OCR server certificate to identify the certificate to
trust. Then, import the certificate with the following command:
keytool -importcert -storetype JKS -keystore output.jks -storepass [PASSWORD] -alias ocrserver -file [SERVER CERTIFICATE FILEPATH]

The preceding command attempts to create a file named output.jks. If that file exists, the certificate is added to that
existing .jks instead.
Load the Credentials
1. On the OCR server, place the certificate file and matching private key file in Protect/keystore . Modify the
following settings in Protect/config/OCR.properties :
– CertificateFilePath : Set the relative filepath to the certificate file.
– PrivateKeyFilePath : Set the relative filepath to the private key file.
– PrivateKeyPassword : Set the password for the encrypted private key.

2. On the detection server, place the truststore .jks file in DetectionServer/<version>/Protect/keystore .
Modify the following setting in DetectionServer/<version>/Protect/config/OCRDetection.properties :
– .grpc.truststore.location : Set the relative filepath to the truststore .jks file
– .grpc.truststore.password : Set the password for the truststore .jks file
– grpc.server.san : Set a hostname that matches what is specified in the Subject Alternative Name extension
of the OCR Server certificate. During TLS negotiation, this setting value is what is matched against the SAN of the
server certificate.

Setting Up Client-Side Authentication (Optional)


For client-side authentication, the required TLS credentials mirror those of server-side authentication, but the format is
different. Here are the required credentials:
• On the detection server: a keypair, loaded into a .jks keystore
• On the OCR server: the trusted certificate (PEM) that matches the detection server certificate
– For a self-signed certificate, the trusted certificate is the same certificate as the one on the detection server. If a
certificate chain was used, only the CA certificate that completes the chain is needed.
For the Detection Server Keystore (.jks file):
1. Identify the certificate file and matching private key file. If a certificate chain is required, the certificate data (PEM)
must be appended into a single file in signing order. It must start with the end-entity (the detection server)
certificate and must go up the chain. You can use openssl to create an intermediate PKCS#12 file from the
credentials first. Then you can convert that intermediate file into a Java keystore:
openssl pkcs12 -export -in [CERTIFICATE FILEPATH] -inkey [PRIVATE KEY FILEPATH] -out [TEMPORARY PKCS12 FILEPATH] -name "ocrclient"
keytool -importkeystore -srckeystore [TEMPORARY PKCS12 FILEPATH] -srcstoretype PKCS12 -destkeystore [JKS STORE FILEPATH] -deststoretype JKS -srcstorepass [PASSWORD] -deststorepass [PASSWORD]
2. If the Key Usage flags are used in the client certificate, ensure that they are correct (including Extended Key). The
following usages have proven to work (openssl output):
X509v3 Key Usage: critical: Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage: TLS Web Client Authentication
3. If a certificate chain is used, ensure that the complete chain, from a certificate that the server trusts down to the
client certificate, is available for verification.
For the OCR Server Trusted Certificate (PEM file):
Verify the detection server certificate to identify the certificate that is trusted. Ensure that it is in PEM format.
Loading the Credentials
1. On the detection server, place the keystore .jks file in DetectionServer/<version>/Protect/
keystore. Modify the following settings in DetectionServer/<version>/Protect/config/
OCRDetection.properties:
– grpc.client.authentication : Set this property to true
– grpc.keystore.location : Set the relative filepath to the keystore .jks file
– grpc.keystore.password : Set the password for the keystore .jks file
2. On the OCR server, place the trusted certificate in Protect/keystore. Modify the following settings in Protect/
config/OCR.properties:
– TrustedCertificateFilePath : The relative filepath to the trusted certificate file

Introducing User Risk Based Detection


Use User Risk-based Detection to trigger policies based on the risk score for a particular user.

You can use Symantec Information Centric Analytics (ICA) with Symantec Data Loss Prevention to protect sensitive data
in your organization.
ICA allows you to configure user risk scoring settings to display risk vectors and indicate risk ratings. For more information
about configuring ICA, see the Symantec Information Centric Analytics documentation available at the Information
Security help center.
The following user risk based detection options are available:
• Create policy rules that protect sensitive data based on the user risk score.
• Apply user risk scores to the following supported detection channels:
• Network Monitor
• Network Prevent for Web
• Network Prevent for Email
• Endpoint Prevent
NOTE
This solution works with your existing Symantec Data Loss Prevention policies on DLP cloud detectors,
including DLP Cloud Service for Email, Symantec Web Security Service (WSS), and DLP Cloud Detection
Service with CASB.
• View the user risk score in incidents triggered by policies where no user risk condition is specified. DLP incident
moderators can use the risk score information to determine user risk.
• Respond to incidents based on the user risk score
On endpoints, user risk-based detection applies to any user logged on to the endpoint. The user risk information is saved
in the agent store on the endpoint. The Endpoint Server sends user risk data to the endpoint. User risk detection on the
endpoint supports the domain/user and hostname/user formats.
User risk-based detection supports the following sender formats:

Table 545: Supported sender formats

Format   Example
SMTP     jane.doe@abc.com
NTLM     WinNT://abc/jane.doe
         Local://abc/jane.doe or abc/jane.doe
LDAP     LDAP://host.abc.com/CN=Jane Doe,CN=Users,DC=abc,DC=com
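The identities in Table 545 arrive in different shapes depending on the channel, so the first thing a risk lookup needs is a normaliser. The following Python is an added example, not Symantec's code: it parses each supported sender format into a (domain, user) pair and then uses that pair to evaluate a minimum-risk-score policy condition. The DOMAIN_ALIASES map, the SAMPLE_RISK_SCORES table and the canonical-key scheme are constructed for the example; ICA's real scoring and DLP's internal matching are not described on the page.

```python
"""Added example (not Symantec's code): normalise the sender formats of Table 545
into one (domain, user) identity and evaluate a user-risk policy condition.
DOMAIN_ALIASES and SAMPLE_RISK_SCORES are constructed for the example."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed: DNS domain seen in SMTP addresses -> short domain used in NTLM names.
DOMAIN_ALIASES = {"abc.com": "abc"}

# Constructed ICA-style risk scores keyed by canonical (domain, user).
SAMPLE_RISK_SCORES: Dict[Tuple[str, str], int] = {("abc", "jane.doe"): 85, ("abc", "bob.roe"): 20}


@dataclass(frozen=True)
class SenderIdentity:
    fmt: str     # SMTP, NTLM or LDAP, as in Table 545
    domain: str  # lower-cased domain (DC components joined for LDAP)
    user: str    # lower-cased account name (first CN for LDAP)


def _parse_ldap_dn(dn: str) -> Tuple[str, str]:
    """Split a DN on unescaped commas; the first CN is the user, DC parts form the domain."""
    cns, dcs = [], []
    for rdn in re.split(r"(?<!\\),", dn):
        key, _, value = rdn.partition("=")
        if key.strip().upper() == "CN":
            cns.append(value.strip())
        elif key.strip().upper() == "DC":
            dcs.append(value.strip())
    if not cns or not dcs:
        raise ValueError(f"DN lacks CN or DC components: {dn!r}")
    return ".".join(dcs).lower(), cns[0].lower()


def parse_sender(sender: str) -> SenderIdentity:
    """Recognise the SMTP, NTLM (WinNT://, Local://, bare domain/user) and LDAP forms."""
    s = sender.strip()
    m = re.fullmatch(r"(?:WinNT|Local)://([^/\\]+)/([^/\\]+)", s, re.IGNORECASE)
    if m:
        return SenderIdentity("NTLM", m.group(1).lower(), m.group(2).lower())
    m = re.fullmatch(r"LDAP://[^/]+/(.+)", s, re.IGNORECASE)
    if m:
        domain, user = _parse_ldap_dn(m.group(1))
        return SenderIdentity("LDAP", domain, user)
    m = re.fullmatch(r"([^@\s/\\]+)@([^@\s/\\]+)", s)
    if m:
        return SenderIdentity("SMTP", m.group(2).lower(), m.group(1).lower())
    # Bare abc/jane.doe; the backslash form covers the endpoint's domain\user format.
    m = re.fullmatch(r"([^@\s/\\]+)[/\\]([^@\s/\\]+)", s)
    if m:
        return SenderIdentity("NTLM", m.group(1).lower(), m.group(2).lower())
    raise ValueError(f"unsupported sender format: {sender!r}")


def canonical_key(identity: SenderIdentity) -> Tuple[str, str]:
    """Collapse DNS and NTLM spellings of the same domain onto one lookup key."""
    return DOMAIN_ALIASES.get(identity.domain, identity.domain), identity.user


def user_risk_score(sender: str, scores: Dict[Tuple[str, str], int] = SAMPLE_RISK_SCORES) -> Optional[int]:
    return scores.get(canonical_key(parse_sender(sender)))


def risk_rule_matches(sender: str, minimum_score: int,
                      scores: Dict[Tuple[str, str], int] = SAMPLE_RISK_SCORES) -> bool:
    """Policy condition: true only when the score is known and at least minimum_score.
    An unknown user never satisfies the condition, so the rule fails closed."""
    score = user_risk_score(sender, scores)
    return score is not None and score >= minimum_score


if __name__ == "__main__":
    for s in ("jane.doe@abc.com", "WinNT://abc/jane.doe", "abc/bob.roe",
              "LDAP://host.abc.com/CN=Jane Doe,CN=Users,DC=abc,DC=com"):
        print(parse_sender(s), "->", user_risk_score(s))
```

The LDAP form yields a display name (CN) rather than an account name, so matching it to the same person as the SMTP and NTLM forms needs a directory lookup that this example does not perform; the parser keeps the components separate so such a lookup can be added without reparsing.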

Data Identifiers
Symantec Data Loss Prevention provides data identifiers to detect specific instances of described content. Data identifiers
let you quickly implement precise, short-form data matching with minimal effort.
Data identifiers are algorithms that combine pattern matching with data validators to detect content. Patterns are similar
to regular expressions but are more efficient because they are tuned to match the data precisely. Validators are accuracy
checks that focus the scope of detection and ensure compliance.
For example, the Credit Card Number system data identifier detects numbers that match a specific pattern. The matched
pattern is then validated by a Luhn check. In this example, the validation is performed on the first 15 digits of the
number, and the result must equal the 16th digit.
Symantec Data Loss Prevention provides pre-configured data identifiers that you can use to detect commonly used
sensitive data, such as credit card, social security, and driver license numbers. Most data identifiers come in three

breadths: wide, medium, and narrow. You can use the breadth of a data identifier to fine-tune your detection results. Data
identifiers offer broad support for detecting international content.
If a system-defined data identifier does not meet your needs, you can modify it. You can also define your own custom data
identifiers to detect any content that you can describe.
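The Credit Card Number example above combines a pattern with a Luhn validator. The following Python is an added example, not Symantec's data identifier implementation: CARD_PATTERN is a constructed 16-digit pattern with optional space or dash separators, luhn_check_digit computes the check digit over the first 15 digits as the text describes, and find_card_numbers runs the pattern first and the validator second over constructed sample text, which is the pattern-then-validator pipeline the section explains.

```python
"""Added example (not Symantec's data identifier code): a constructed 16-digit
pattern followed by the Luhn validator described in the text."""
import re
from typing import List

# Constructed pattern: four groups of four digits, optional space or dash between
# groups, not embedded inside a longer digit run.
CARD_PATTERN = re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)")


def luhn_check_digit(payload: str) -> int:
    """Check digit for a digit string (the first 15 digits of a 16-digit number).
    Walking from the right, every other digit starting with the rightmost payload
    digit is doubled, and doubled values above 9 have 9 subtracted."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """Validator: the check computed over the first 15 digits must equal the 16th."""
    digits = re.sub(r"\D", "", number)
    if len(digits) != 16:
        return False
    return luhn_check_digit(digits[:15]) == int(digits[15])


def find_card_numbers(text: str) -> List[str]:
    """Pattern match, then validate: candidates that fail the Luhn check are dropped,
    which is what keeps a pattern this wide from matching every 16-digit string."""
    return [m.group(0) for m in CARD_PATTERN.finditer(text) if luhn_valid(m.group(0))]


if __name__ == "__main__":
    # Constructed sample: one valid number with dashes, one pattern-only match that
    # fails the Luhn check, and one valid number run together with trailing text.
    sample = "pay 4111-1111-1111-1111 or 1234 5678 9012 3456 ref 4111111111111111x"
    print(find_card_numbers(sample))
```

Of the three candidates in the sample, only the two Luhn-valid ones survive; the middle one matches the pattern but its computed check digit is 2, not 6. A narrower breadth would add further validators on top of this, but the page does not spell out which, so none are invented here.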
Selecting a data identifier breadth
Related Links
System-defined data identifiers on page 1035

System-defined data identifiers


Symantec Data Loss Prevention provides several system-defined data identifiers to help you detect and validate pattern-based sensitive data.

Table 546: System data identifiers

Category                 Description
Personal Identity        Detect various types of identification numbers for the regions of Africa, Asia Pacific, Europe,
                         North America, and South America. See Personal identity data identifiers.
Financial                Detect financial identification numbers, such as credit card numbers and ABA routing numbers.
                         See Financial data identifiers.
Healthcare               Detect U.S. and international drug codes, and other healthcare-related pattern-based sensitive
                         data. See Healthcare data identifiers.
Information Technology   Detect IP addresses. See Information technology data identifiers.
International keywords   International keywords for PII data identifiers. See International keywords for PII data identifiers.

Personal identity data identifiers


Symantec Data Loss Prevention provides various data identifiers for detecting personally identifiable information (PII) for
the regions of Africa, Asia Pacific, Europe, North America, and South America.
Table 547: African personal identity lists system-defined data identifiers for the Middle East and Africa region.

Table 547: African personal identity

Data identifier

South Africa Personal Identification Number

Table 548: Asia Pacific personal identity lists system-defined data identifiers for the Asia Pacific region.

Table 548: Asia Pacific personal identity

Data identifier

Australia Driver Licence Number


Australia Company Number (ACN)

Australia Passport Number
Australia Tax File Number (TFN)
People's Republic of China Passport Number
Hong Kong Identity Card (HKID) Number
India RuPay Card Number
India Aadhaar Card Number (National Identification Number)
India Permanent Account Number (PAN)
Indonesia Identity Card Number
Israel Personal Identification Number
Japan Driver License Number
Japan Passport Number
Japan Juki-Net Identification Number
Japan My Number - Corporate
Japan My Number - Personal
Kazakhstan Passport Number
Korea Passport Number
Korean Residence Registration Number for Foreigners
Korean Residence Registration Number for Korean
Macau Individual Identification Number
Malaysia Passport Number
Malaysian MyKad Number
New Zealand Driver License Number
New Zealand National Health Index Number
New Zealand Passport Number
People's Republic of China Resident Identity Card Number
Singapore National Registration Identity Card (NRIC)
Sri Lanka National Identity Number
Taiwan ID
Thailand Passport Number
Thailand Personal Identification Number
United Arab Emirates Personal Number

Table 549: European personal identity lists system-defined data identifiers for the European region.

Table 549: European personal identity

Data identifier

Austria Passport Number


Austria Tax Identification Number
Austria Value Added Tax (VAT) Number

Austria Social Security Number


Belgium National Identity Number
Belgium Driver Licence Number
Belgium Passport Number
Belgium Tax Identification Number
Belgium Value Added Tax (VAT) Number
Bulgaria Value Added Tax (VAT) Number
Australia Company Number (ACN)
Netherlands Burgerservicenummer (Citizen Service Number)
Bosnia-Herzegovina Unique Master Citizen Number
Italy Codice Fiscale (Fiscal Code)
Croatia Personal Identification Number
Cyprus Tax Identification Number
Cyprus Value Added Tax (VAT) Number
Czech Republic Driver Licence Number
Czech Republic Personal Identification Number
Czech Republic Tax Identification Number
Czech Republic Value Added Tax (VAT) Number
Denmark Personal Identification Number
Denmark Tax Identification Number
Denmark Value Added Tax (VAT) Number
Estonia Driving Licence Number
Estonia Personal Identification Code
Estonia Passport Number
Estonia Value Added Tax (VAT) Number
European Health Insurance Card Number
Finland Driving Licence Number
Finland European Health Insurance Number
Finland Passport Number
Finland Tax Identification Number
Finland Value Added Tax (VAT) Number
Finland Personal Identification Number
France Driver Licence Number
France Health Insurance Number
France Tax Identification Number
France Value Added Tax (VAT) Number
France INSEE code
France Passport Number
France Social Security Number
Germany Passport Number

Germany Personal ID Number


Germany Driver Licence Number
Germany Tax Identification Number
Germany Value Added Tax (VAT) Number
Greece Passport Number
Greece Social Security Number (AMKA)
Greece Value Added Tax (VAT) Number
Greece Tax Identification Number
Hungary Social Security Number
Hungary Tax Identification Number
Hungary VAT Number
Hungary Driver Licence Number
Hungary Passport Number
Iceland National Identification Number
Iceland Passport Number
Iceland Value Added Tax (VAT) Number
Ireland Passport Number
Ireland Tax Identification Number
Ireland Value Added Tax (VAT) Number
Ireland Personal Public Service Number
Italy Driver's License Number
Italy Health Insurance Number
Italy Passport Number
Italy Value Added Tax (VAT) Number
Kosovo Unique Master Citizen Number
Latvia Driver Licence Number
Latvia Passport Number
Latvia Personal Identification Number
Latvia Value Added Tax (VAT) Number
Liechtenstein Passport Number
Lithuania Personal Identification Number
Lithuania Tax Identification Number
Lithuania Value Added Tax Number
Luxembourg National Register of Individuals Number
Luxembourg Passport Number
Luxembourg Tax Identification Number
Luxembourg Value Added Tax (VAT) Number
Macedonia Unique Master Citizen Number
Malta National Identification Number
Malta Tax Identification Number

Malta Value Added Tax (VAT) Number


Netherlands Bank Account Number
Montenegro Unique Master Citizen Number
Netherlands Driver's License Number
Netherlands Passport Number
Netherlands Tax Identification Number
Netherlands Value Added Tax (VAT) Number
Norway Driver Licence Number
Norway Health Insurance Card Number (HICN)
Norway National Identification Number
Norway Value Added Tax Number
Norway Birth Number
Poland Driver Licence Number
Poland European Health Insurance Number
Poland Passport Number
Poland Value Added Tax (VAT) Number
Polish Identification Number
Polish REGON Number
Poland Social Security Number (PESEL)
Poland Tax Identification Number
Portugal Driver Licence Number
Portugal National Identification Number
Portugal Passport Number
Portugal Tax Identification Number
Portugal Value Added Tax (VAT) Number
Romania Driver Licence Number
Romania National Identification Number
Romania Value Added Tax (VAT) Number
Romania Numerical Personal Code
Russia Cargo Customs Declaration
Russia Employment Record
Russia Insurance Account Number (SNILS)
Russia Military Identity Number
Russia OMS Number
Russia Passport Identification Number
Russia Taxpayer Identification Number
SEPA Creditor Identifier Number North
SEPA Creditor Identifier Number South
SEPA Creditor Identifier Number West
SEPA Creditor Identifier Number East
Serbia Unique Master Citizen Number
Serbia Value Added Tax (VAT) Number
Slovakia Driver Licence Number
Slovakia National Identification Number
Slovakia Passport Number
Slovakia Value Added Tax (VAT) Number
Slovenia Passport Number
Slovenia Tax Identification Number
Slovenia Unique Master Citizen Number
Slovenia Value Added Tax (VAT) Number
Spain Driver Licence Number
Spain Value Added Tax (VAT) Number
Spain Customer Account Number
Spain DNI ID
Spain Passport Number
Spain Social Security Number
Spain Tax Identification Number (CIF)
Sweden Driver Licence Number
Sweden Personal Identification Number
Sweden Tax Identification Number
Sweden Value Added Tax (VAT) Number
Sweden Passport Number
Switzerland AHV number
Switzerland Social Security Number (AHV)
Switzerland Health Insurance Card Number
Switzerland Passport Number
Switzerland Value Added Tax (VAT) Number
Turkey Identification Number
Turkey Local Phone Number
Turkey Mobile Phone Number
Turkey Passport Number
Turkey Tax Identification Number
Turkey Value Added Tax (VAT) Number
UK Bank Account Number Sort Code
UK Driving Licence Number
UK Electoral Roll Number
UK Passport Number
UK National Health Service (NHS) Number
UK National Insurance Number
UK Tax ID Number
UK Value Added Tax (VAT) Number
Ukraine Individual Identification Number
Ukraine Passport (Domestic) Number
Ukraine Passport (International) Number
Vojvodina Unique Master Citizen Number

North American personal identity lists system-defined data identifiers for the North American region.

Table 550: North American personal identity

Data identifier
Canada Driver Licence Number
Canada Government Identification Card Number
Canada Passport Number
Canada Permanent Residence (PR) Number
Canadian Social Insurance Number
US Driver License Number - AR State
US Driver License Number - AZ State
US Driver License Number - CA State
US Driver License Number - CT State
US Driver License Number - DC State
US Driver License Number - FL State
US Driver License Number - Guam
US Driver License Number - HI State
US Driver License Number - IA State
US Driver License Number - ID State
US Driver License Number - IL State
US Driver License Number - IN State
US Driver License Number - KS State
US Driver License Number - KY State
US Driver License Number - LA State
US Driver License Number - MA State
US Driver License Number - MD State
US Driver License Number - MI State
US Driver License Number - MN State
US Driver License Number - MO State
US Driver License Number - MS State
US Driver License Number - MT State
US Driver License Number - ND State
US Driver License Number - NE State
US Driver License Number - NH State
US Driver License Number - NJ State
US Driver License Number - NY State
US Driver License Number - OH State
US Driver License Number - OK State
US Driver License Number - OR State
US Driver License Number - RI State
US Driver License Number - US Virgin Islands
US Driver License Number - VA State
US Driver License Number - VT State
US Driver License Number - WA State
US Driver License Number - WI State
US Driver License Number - WV State
Mexico Passport Number
Mexico Personal Registration and Identification Number
Mexico Tax Identification Number
Mexico Unique Population Registry Code (CURP)
Mexico CLABE Number (Standardized Banking Code)
US Randomized Social Security Number (SSN)
US Adoption Taxpayer Identification Number
US Individual Tax ID Number (ITIN)
US Passport Number
US Preparer Taxpayer Identification Number
US Social Security Number (SSN)
US Zip+4 Postal Code
Vehicle Identification Number

South American personal identity lists system-defined data identifiers for the South American region.

Table 551: South American personal identity

Data identifier
Argentina Tax Identification Number
Brazil Election Identification Number
Brazil National Registry of Legal Entities Number (CNPJ)
Brazil Natural Person Registry Number (CPF)
Brazil RG Number
Chile Driver License Number
Chilean National Identification Number
Colombia Address
Colombian Cell Phone Number
Colombia Personal Identification Number
Colombia Tax Identification Number
Venezuela Driver License Number
Venezuela National Identification Number
Venezuela Value Added Tax (VAT) Number

Financial data identifiers


Financial data identifiers lists system-defined data identifiers for detecting financial identification numbers, such as credit
card numbers and ABA routing numbers.

Table 552: Financial data identifiers

Data identifier
ABA Routing Number
Credit Card Number
Credit Card Magnetic Stripe Data
CUSIP (Uniform Securities Identification Procedures) Number
IBAN Central
IBAN East
IBAN West
International Securities Identification Number
SWIFT Code

Healthcare data identifiers


Healthcare lists system-defined data identifiers for detecting U.S. and international drug codes, and healthcare provider
and consumer information.

Table 553: Healthcare

Data identifier
Australia Medicare Number
British Columbia Personal Healthcare Number
Drug Enforcement Agency (DEA) Number
Healthcare Common Procedure Coding System (HCPCS CPT Code)
Health Insurance Claim Number
Medicare Beneficiary Identifier
National Drug Code
National Provider Identifier Number

Information technology data identifiers


Information technology lists system-defined data identifiers for detecting information technology related patterns, such as
IPv4 and IPv6 addresses, and mobile device identification numbers.

Table 554: Information technology

Data identifier
International Mobile Equipment Identity Number
IP Address
IPv6 Address

International keywords for PII data identifiers


Symantec Data Loss Prevention lets you modify system data identifiers and customize the input keywords to detect a
broad range of international content.
Extending and customizing data identifiers
Use custom keywords for system data identifiers

Extending and customizing data identifiers


You can customize data identifiers to suit your requirements. You can extend system-defined data identifiers by modifying
them. And, you can create new data identifiers for custom data matching.
The most common use case for modifying a system-defined data identifier is to edit the data input for a validator that
accepts data input. For example, if the data identifier implements the "Find keywords" validator, you may want to add or
remove values from the list of keywords. Another use case may involve adding or removing validators to or from the data
identifier, or changing one or more of the patterns defined by the data identifier.
Cloning a system data identifier before modifying it
To create a custom data identifier, you implement one or more detection pattern(s), select one or more data validators,
provide the data input if the validator requires it, and choose a data normalizer.
Custom data identifier configuration
Policy authors can reuse modified and custom data identifiers in one or more policies.

About data identifier configuration


You can configure three types of data identifiers:
• Instance – defined at the policy level
Configuring data identifier policy conditions
• Modified – configured at the system-level
Modifying system data identifiers
• Custom – created at the system-level
Creating custom data identifiers
The type of data identifier you implement depends on your business requirements. For most use cases, configuring a
policy instance using a non-modified, system-defined data identifier is sufficient to accurately detect data loss. Should you
need to, you can extend a system-defined data identifier by modifying it, or you can implement one or more custom data
identifiers to detect unique data.
Data identifier configuration done at the policy instance-level is specific to that policy. Modifications you make to data
identifiers at the system-level apply to all data identifiers derived from the modified data identifier.

About data identifier breadths


System data identifiers are implemented by breadth. The breadth defines the scope of detection for that data identifier.
Each data identifier implements at least one breadth of detection. The widest option available for the data identifier is likely
to produce the most false positive matches; the narrowest option produces the least. Generally the validators and often
the patterns differ among breadths.
Using data identifier breadths
For example, the Driver's License Number – CA State data identifier provides wide and medium breadths, with the
medium breadth using a keyword validator.
NOTE
Not all system data identifiers provide each breadth of detection. Refer to the complete list of data identifiers and
breadths to determine what is available.
Selecting a data identifier breadth

About optional validators for data identifiers


Optional validators help you refine the scope of detection for a data identifier. When you configure a data identifier
instance, you can select among five optional validators.
Using optional validators
The type of characters accepted by each optional validator depends on the data identifier.
Acceptable characters for optional validators
NOTE
Optional validators only apply to the policy instance you are actively configuring; they do not apply system-wide.

About data identifier patterns


Data identifiers implement patterns to match data. Beginning with version 16.0, you can use standard PCRE (Perl
Compatible Regular Expressions library) regular expressions to create data identifier patterns. For endpoints that are
on DLP 15.8, you must use the legacy data identifier pattern language, which is a restricted subset of the regular
expression language.
When you upgrade to DLP 16.0, the existing legacy patterns for system-defined data identifiers and custom data
identifiers are automatically converted to regular expressions. However, the legacy patterns are not removed from the
database and are listed separately in the Legacy field of data identifiers.
You can also click the Convert button to generate regular expressions from the legacy patterns that you created. Data
identifiers support a maximum of 500 regular expressions and a maximum of 63 legacy patterns.
NOTE
Support for regular expressions is subject to a few limitations. For more information, see Limitations of data
identifier support for PCRE regular expressions.
The legacy pattern syntax is similar to the regular expression language, but is more limited. For example, the legacy
data identifier pattern syntax does not support some regular expression features, including grouping, lookahead
and lookbehind expressions, and many special characters (notably the dot "." character). In addition, the system only
allows the use of ASCII characters for data identifier patterns.
For more information, see Data identifier pattern language specification.
When you edit a system data identifier, the system exposes the pattern for viewing and editing. The system-defined data
identifier patterns have been tuned and optimized for precise content matching.
See Selecting a data identifier breadth.
In addition, you can create a custom data identifier in which case you are required to implement at least one pattern. The
best way to understand how to write patterns is to examine the system-defined data identifier patterns.
See Writing data identifier patterns to match data.

About pattern validators


Pattern validators are validation checks applied to data matched by a data identifier pattern. Validators help refine the
scope of detection and reduce false positives. Many validators allow for data input. For example, the Keyword validator
lets you enter a list of keywords.
Using pattern validators
When you modify a data identifier, you can edit the input values for any validator that accepts data.
Editing pattern validator input
When you modify a data identifier, you can add and remove pattern validators. When you create custom data identifiers,
you can configure one or more validators. The system also provides you with the ability to author a custom script validator
to define your own validation check.
Selecting pattern validators

About data normalizers


A data normalizer reconciles the data detected by the data identifier pattern with the format expected by the normalizer.
You cannot modify the normalizer of a system-defined data identifier. When you create a custom data identifier, you select
a data normalizer.
Acceptable characters for optional validators
Selecting a data normalizer

About cross-component matching


Data identifiers support component matching. This means that you can configure data identifiers to match on one or
more message components. However, if the data identifier implements a validator (optional or required), such as Find
keywords, the validated data and the matched data must exist in the same component to trigger or except an incident.
Detection Messages and Message Components
For example, consider a scenario where you implement the Randomized US Social Security Number (SSN) data identifier.
This data identifier detects various 9-digit patterns and uses a keyword validator to narrow the scope of detection.
(The keywords and phrases in the list are "social security number, ssn, ss#".) If the detection engine receives a message
with the number pattern 123-45-6789 and the keyword "social security number", and both data items are contained in the
message attachment component, the detection engine reports a match. However, if the attachment contains the number
but only the body contains the keyword, the detection engine does not consider this to be a match.
Configuring the Content Matches data identifier condition

About unique match counting


Data identifiers, keywords, and regular expressions support unique match counting. This feature lets you count only those
pattern matches that are unique.
Unique match counting is useful when you are only concerned with detecting the presence of unique patterns and not with
detecting every matched pattern. For example, you could use unique match counting to trigger an incident if a document
contains 10 or more unique social security numbers. In this case, if a document contained 10 instances of the same social
security number, the policy would not trigger an incident.
Using unique match counting
Configuring unique match counting
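
The following is an added illustration of the behaviour described in the preceding sections (pattern validators, normalizers, cross-component matching and the match-counting modes); it is not Symantec DLP code and does not reproduce any system-defined data identifier. The class names, the SSN-like pattern, the keyword list, the behaviour assumed for a "Digits" normalizer (keep only the digits of a match) and the sample messages are all constructed assumptions.

```python
"""Toy model of how a data identifier is evaluated: a PCRE-style pattern,
a keyword validator, a normalizer, per-component matching and the three
match-counting modes. Added illustration only; not Symantec DLP code.
The pattern, keyword list, 'Digits' normalizer behaviour and the sample
messages are constructed assumptions."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Validator = Callable[[str, str], bool]   # (matched text, component text) -> accept?


def digits_normalizer(value: str) -> str:
    # Assumption: a "Digits" normalizer keeps only the digits, so
    # "123-45-6789" and "123 45 6789" normalize to the same value.
    return re.sub(r"\D", "", value)


def keyword_validator(keywords: List[str]) -> Validator:
    """Build a 'Find keywords' style validator: at least one keyword must
    appear (case-insensitive) in the component that holds the match."""
    lowered = [k.lower() for k in keywords]

    def validate(_match: str, component_text: str) -> bool:
        text = component_text.lower()
        return any(k in text for k in lowered)

    return validate


@dataclass
class DataIdentifier:
    name: str
    patterns: List[str]                                   # PCRE-style regexes
    validators: List[Validator] = field(default_factory=list)
    normalizer: Callable[[str], str] = lambda v: v        # default: "Do nothing"

    def matches_in(self, component_text: str) -> List[str]:
        """Normalized matches found in ONE message component. Validators are
        evaluated against that same component only, which is why a keyword
        in the body cannot validate a number found in an attachment."""
        found = []
        for pattern in self.patterns:
            for m in re.finditer(pattern, component_text):
                if all(v(m.group(0), component_text) for v in self.validators):
                    found.append(self.normalizer(m.group(0)))
        return found


def count_matches(di: DataIdentifier, message: Dict[str, str],
                  mode: str, minimum: int = 1) -> int:
    """Evaluate `di` over every component selected for matching and apply the
    match-counting mode. Returns the reported count; 0 means no incident."""
    all_matches: List[str] = []
    for component_text in message.values():
        all_matches.extend(di.matches_in(component_text))
    if mode == "existence":          # report 1 for one or more matches
        count = 1 if all_matches else 0
    elif mode == "all":              # count every match
        count = len(all_matches)
    elif mode == "unique":           # count distinct normalized values
        count = len(set(all_matches))
    else:
        raise ValueError(f"unknown match-counting mode: {mode}")
    return count if count >= minimum else 0


def ssn_identifier() -> DataIdentifier:
    """Constructed SSN-like identifier (not the product's own pattern):
    nine digits in 3-2-4 groups, validated by the keywords the text cites."""
    return DataIdentifier(
        name="US Social Security Number (constructed example)",
        patterns=[r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b"],
        validators=[keyword_validator(["social security number", "ssn", "ss#"])],
        normalizer=digits_normalizer,
    )


if __name__ == "__main__":
    di = ssn_identifier()
    # Constructed messages: number and keyword in the SAME component vs. split.
    same = {"body": "see attached", "attachment": "SSN: 123-45-6789"}
    split = {"body": "here is the social security number", "attachment": "123-45-6789"}
    print(count_matches(di, same, "existence"))   # 1
    print(count_matches(di, split, "existence"))  # 0
    # Ten copies of one number vs. ten distinct numbers, threshold 10.
    ten_same = {"body": "ssn " + " ".join(["123-45-6789"] * 10)}
    ten_distinct = {"body": "ssn " + " ".join(f"123-45-{6000 + i:04d}" for i in range(10))}
    print(count_matches(di, ten_same, "unique", minimum=10))      # 0
    print(count_matches(di, ten_distinct, "unique", minimum=10))  # 10
```

The normalizer is what makes unique counting meaningful: without it, "123-45-6789" and "123 45 6789" would be counted as two distinct values. The keyword validator here is a plain substring test, which is deliberately loose; a production validator would at least require word boundaries around short keywords such as "ssn".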

Configuring data identifier policy conditions


Policy instance data identifier configuration lists and describes the configuration options for data identifier conditions.
Introducing data identifiers
Configuring the Content Matches data identifier condition

Table 555: Policy instance data identifier configuration

Selectable at the policy level:
• Breadth
You can implement any breadth the data identifier supports at the instance level.
• Optional Validators
You can select one or more optional validators at the instance level.

Not configurable:
• Patterns
You cannot modify the match patterns at the instance level.
• Mandatory Validators
You cannot modify, add, or remove required validators at the instance level.

Workflow for configuring data identifier policies


Workflow for implementing data identifiers describes the workflow for implementing system-defined data identifiers.

Table 556: Workflow for implementing data identifiers

Step 1: Decide the type of data identifier you want to implement.
Introducing data identifiers
Step 2: Decide the data identifier breadth.
About data identifier breadths
Step 3: Configure the data identifier.
Configuring the Content Matches data identifier condition
Step 4: Test and tune the data identifier policy.
Best practices for using data identifiers

Managing and Adding Data Identifiers


The Manage > Policies > Data Identifiers screen lists all data identifiers, including system- and custom-defined. From
this screen you manage and modify existing data identifiers, and add new ones.
Introducing data identifiers

Table 557: Manage data identifiers

Edit a data identifier: Select the data identifier from the list to modify it.
Selecting a data identifier breadth
Extending and customizing data identifiers
Editing data identifiers
Define a custom data identifier: Click Add data identifier to create a custom data identifier.
Custom data identifier configuration
Workflow for creating custom data identifiers
Sort and view data identifiers: The list is sorted alphabetically by Name. You can also sort by the Category. A pencil icon
to the left means that the data identifier is modified from its original state, or is custom.
Remove a data identifier: Click the X icon on the right side to delete a data identifier. The system does not let you delete
system data identifiers. You can only delete custom data identifiers.

Editing data identifiers


You can modify system-defined data identifiers, including the patterns, validators, and validator input. Modifications are
propagated to any policy that declares the data identifier. You cannot rename a system data identifier. Consider manually
creating a cloned copy before you modify a system data identifier.
Extending and customizing data identifiers
NOTE
The system does not export data identifiers in a policy template. The system exports a reference to the system
data identifier. The target system where the policy template is imported provides the actual data identifier. If you
modify a system-defined data identifier, the modifications do not export to the template.

Table 558: Workflow for editing data identifiers

Step 1: Clone the system data identifier you want to modify.
Clone the system data identifier before you modify it.
Cloning a system data identifier before modifying it
Clone system-defined data identifiers before modifying to preserve original state
Step 2: Edit the cloned data identifier.
If you modify a system data identifier, click the plus sign to display the breadth and edit the data identifier.
Selecting a data identifier breadth
Step 3: Edit one or more Patterns.
You can modify any pattern that the Data Identifier provides.
Writing data identifier patterns to match data
Step 4: Edit the data input for any validator that accepts input.
Editing pattern validator input
List of pattern validators that accept input data
Step 5: Optionally, add or remove Validators, as necessary.
Selecting pattern validators
Step 6: Save the data identifier.
Click Save to save the modifications. Once the data identifier is saved, the icon at the Data Identifiers screen indicates
that it is modified from its original state, or is custom.
Managing and adding data identifiers
Note: Click Cancel if you do not want to save the Data Identifier.
Step 7: Implement the data identifier in a policy rule or exception.
Configuring the Content Matches data identifier condition

Configuring the Content Matches data identifier condition


You can configure the Content Matches data identifier condition in policy detection rules and exceptions.
Introducing data identifiers

Table 559: Configuring the Content Matches data identifier condition

Step 1: Add a data identifier rule or exception to a policy, or configure an existing one.
Select the Content Matches data identifier condition at the Add Detection Rule or Add Exception screen.
Adding a Rule to a Policy
Adding an Exception to a Policy
Step 2: Choose a data identifier.
Choose a data identifier from the list and click Next.
System-defined data identifiers
Step 3: Select a Breadth of detection.
Use the breadth option to narrow the scope of detection.
About data identifier breadths
Wide is the default setting and detects the broadest set of matches. Medium and narrow breadths, if available, check
additional criteria and detect fewer matches.
Selecting a data identifier breadth
Step 4: Select and configure one or more Optional Validators.
Optional validators restrict the match criteria and reduce false positives.
About optional validators for data identifiers
Step 5: Configure Match Counting.
Select how you want to count matches:
• Check for existence: do not count multiple matches; report a match count of 1 for one or more matches.
• Count all matches: count each match; specify the minimum number of matches to report an incident.
Configuring Match Counting
• Count all unique matches: this is the default setting.
About unique match counting
Configuring unique match counting
Step 6: Configure the message components to Match On.
Select one or more message components on which to match. On the endpoint, the detection engine matches the entire
message, not individual components.
Selecting components to match on
If the data identifier uses optional or required keyword validators, the keyword must be present in the same component
as the matched data identifier content.
About cross-component matching
Step 7: Configure additional conditions to Also Match.
Optionally, you can Add one or more additional conditions from any available in the Also Match condition list. All
conditions in a compound rule or exception must match to trigger or except an incident.
Configuring compound rules

Using data identifier breadths


Each system data identifier provides one or more breadths of detection. When you configure a system data identifier
instance, or when you modify a system data identifier, you select which breadth to implement. Not all breadth options are
available for each data identifier.
About data identifier breadths

Table 560: Available rule breadths for system data identifiers

Wide: The wide breadth defines a single or multiple patterns to create the greatest number of matches. In general this
breadth produces a higher rate of false positives than the medium and narrow breadths.
Medium: The medium breadth may refine the detection pattern(s) and/or add one or more data validators to limit the
number of matches.
Narrow: The narrow breadth offers the tightest patterns and strictest validation to provide the most accurate positive
matches. In general this option requires the presence of a keyword or other validating restriction to trigger a match.

Selecting a data identifier breadth


You cannot change the normalizer that a system data identifier implements. This information is useful to know when you
implement one or more optional validators.
Acceptable characters for optional validators

Table 561: System data identifier breadths and normalizers

Data identifier | Breadth(s) | Normalizer
ABA Routing Number | Wide, Medium, Narrow | Digits
Argentina Tax Identification Number | Wide, Medium, Narrow | Digits
Australia Driver's License Number | Wide, Narrow | Digits and Letters
Australian Business Number | Wide, Medium, Narrow | Digits
Australian Company Number | Wide, Medium, Narrow | Digits
Australian Medicare Number | Wide, Medium, Narrow | Digits
Australian Passport Number | Wide, Narrow | Lowercase
Australian Tax File Number | Wide, Medium, Narrow | Digits
Austria Passport Number | Wide, Narrow | Digits and Letters
Austria Tax Identification Number | Wide, Narrow | Digits
Austria Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Austrian Social Security Number | Wide, Medium, Narrow | Digits
Belgian National Number | Wide, Medium, Narrow | Digits
Belgium Driver's License Number | Wide, Narrow | Digits
Belgium Passport Number | Wide, Narrow | Digits and Letters
Belgium Tax Identification Number | Wide, Narrow | Digits
Belgium Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Bosnia-Herzegovina Unique Master Citizen Number | Wide, Medium, Narrow | Digits
Brazilian Election Identification Number | Wide, Medium, Narrow | Digits
Brazilian National Registry of Legal Entities Number | Wide, Medium, Narrow | Digits
Brazilian Natural Person Registry Number | Wide, Medium, Narrow | Digits
Brazil RG Number | Wide, Medium, Narrow | Digits and Letters
British Columbia Personal Healthcare Number | Wide, Medium, Narrow | Digits
Bulgaria Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Bulgarian Uniform Civil Number - EGN | Wide, Medium, Narrow | Digits
Burgerservicenummer | Wide, Narrow | Digits
Canada Driver's License Number | Wide, Medium, Narrow | Digits and Letters
Canada Government Identification Card Number | Wide, Medium, Narrow | Digits and Letters
Canada Passport Number | Wide, Narrow | Digits and Letters
Canada Permanent Residence (PR) Number | Wide, Narrow | Digits and Letters
Canadian Social Insurance Number | Wide, Medium, Narrow | Digits
Chile Driver License Number | Wide, Medium, Narrow | Digits
Chilean National Identification Number | Wide, Medium, Narrow | Digits and Letters
China Passport Number | Wide, Narrow | Digits and Letters
Codice Fiscale | Wide, Narrow | Digits and Letters
Colombian Addresses | Wide, Narrow | Lowercase
Colombian Cell Phone Number | Wide, Narrow | Digits
Colombian Personal Identification Number | Wide, Narrow | Digits
Colombian Tax Identification Number | Wide, Narrow | Digits
Credit Card Magnetic Stripe Data | Medium | Digits
Credit Card Number | Wide, Medium, Narrow | Digits
Croatia National Identification Number | Wide, Medium, Narrow | Digits and Letters
CUSIP Number | Wide, Medium, Narrow | Lowercase
Cyprus Tax Identification Number | Wide, Medium, Narrow | Digits and Letters
Cyprus Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Czech Republic Driver's Licence Number | Wide, Narrow | Digits and Letters
Czech Republic Personal Identification Number | Wide, Medium, Narrow | Digits
Czech Republic Tax Identification Number | Wide, Medium, Narrow | Digits
Czech Republic Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Denmark Personal Identification Number | Wide, Medium, Narrow | Digits and Letters
Denmark Tax Identification Number | Wide, Medium, Narrow | Digits
Denmark Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Driver's License Number – AR State | Wide, Narrow | Digits
Driver's License Number – AZ State | Wide, Narrow | Digits and Letters
Driver's License Number – CA State | Wide, Medium | Lowercase
Driver's License Number – CT State | Wide, Narrow | Digits
Driver's License Number – DC State | Wide, Narrow | Digits
Driver's License Number – Guam | Wide, Narrow | Digits and Letters
Driver's License Number – HI State | Wide, Narrow | Digits and Letters
Driver's License Number – IA State | Wide, Narrow | Digits and Letters
Driver's License Number – ID State | Wide, Narrow | Digits and Letters
Driver's License Number – IL State | Wide, Medium | Lowercase
Driver's License Number – IN State | Wide, Narrow | Digits and Letters
Driver's License Number – KS State | Wide, Narrow | Digits and Letters
Driver's License Number – KY State | Wide, Narrow | Digits and Letters
Driver's License Number – MA State | Wide, Narrow | Digits and Letters
Driver's License Number – MD State | Wide, Narrow | Digits and Letters
Driver's License Number – MO State | Wide, Narrow | Digits and Letters
Driver's License Number – MS State | Wide, Narrow | Digits and Letters
Driver's License Number – MT State | Wide, Narrow | Digits and Letters
Driver's License Number – ND State | Wide, Narrow | Digits and Letters
Driver's License Number – NE State | Wide, Narrow | Digits and Letters
Driver's License Number – NH State | Wide, Narrow | Digits and Letters
Driver's License Number – NJ State | Wide, Medium | Lowercase
Driver's License Number – NY State | Wide, Medium | Lowercase
Driver's License Number – OH State | Wide, Narrow | Digits and Letters
Driver's License Number – OK State | Wide, Narrow | Digits and Letters
Driver's License Number – OR State | Wide, Narrow | Digits and Letters
Driver's License Number – RI State | Wide, Narrow | Digits and Letters
Driver's License Number – US Virgin Islands | Wide, Narrow | Digits and Letters
Driver's License Number – VA State | Wide, Narrow | Digits and Letters
Driver's License Number – VT State | Wide, Narrow | Digits and Letters
Driver's License Number – WA State | Wide, Medium, Narrow | Lowercase
Driver's License Number – WI State | Wide, Medium, Narrow | Digits and Letters
Driver's License Number – WV State | Wide, Narrow | Digits and Letters
Drug Enforcement Agency (DEA) Number | Wide, Medium, Narrow | Lowercase
Estonia Driver's Licence Number | Wide, Narrow | Digits and Letters
Estonia Passport Number | Wide, Narrow | Digits and Letters
Estonia Personal Identification Code | Wide, Medium, Narrow | Digits
Estonia Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
European Health Insurance Card Number | Wide, Narrow | Digits
Finland Driver's Licence Number | Wide, Medium, Narrow | Digits and Letters
Finland European Health Insurance Number | Wide, Narrow | Digits
Finland Passport Number | Wide, Narrow | Digits and Letters
Finland Tax Identification Number | Wide, Medium, Narrow | Do nothing
Finland Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Finnish Personal Identification Number | Wide, Medium, Narrow | Lowercase
France Driver's License Number | Wide, Narrow | Digits
France Health Insurance Number | Wide, Narrow | Digits
France Tax Identification Number | Wide, Narrow | Digits
France Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
French INSEE Code | Wide, Narrow | Digits
French Passport Number | Wide, Narrow | Digits and Letters
French Social Security Number | Wide, Medium, Narrow | Digits and Letters
German Passport Number | Wide, Medium, Narrow | Lowercase
German Personal ID Number | Wide, Medium, Narrow | Lowercase
Germany Driver's License Number | Wide, Narrow | Digits and Letters
Germany Tax Identification Number | Wide, Medium, Narrow | Digits
Germany Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Greece Passport Number | Wide, Narrow | Digits and Letters
Greece Social Security Number (AMKA) | Wide, Medium, Narrow | Digits
Greece Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Greek Tax Identification Number | Wide, Medium, Narrow | Digits
Healthcare Common Procedure Coding System (HCPCS CPT Code) | Medium, Narrow | Digits and Letters
Health Insurance Claim Number | Wide, Medium, Narrow | Digits and Letters
Hong Kong ID | Wide, Narrow | Lowercase
Hungarian Social Security Number | Wide, Medium, Narrow | Digits
Hungarian Tax Identification Number | Wide, Medium, Narrow | Digits
Hungarian VAT Number | Wide, Medium, Narrow | Lowercase
Hungary Driver's Licence Number | Wide, Narrow | Digits and Letters
Hungary Passport Number | Wide, Medium, Narrow | Digits and Letters
IBAN Central | Wide, Narrow | Do nothing
IBAN East | Wide, Narrow | Do nothing
IBAN West | Wide, Narrow | Do nothing
Iceland National Identification Number | Wide, Medium, Narrow | Digits
Iceland Passport Number | Wide, Narrow | Digits and Letters
Iceland Value Added Tax (VAT) Number | Wide, Narrow | Digits and Letters
India RuPay Card Number | Wide, Medium, Narrow | Digits
Indian Aadhaar Card Number | Wide, Medium, Narrow | Digits
Indian Permanent Account Number | Wide, Narrow | Digits and Letters
Indonesian Identity Card Number | Wide, Medium, Narrow | Digits
International Mobile Equipment Identity Number | Wide, Medium, Narrow | Digits
International Securities Identification Number | Wide, Medium, Narrow | Lowercase
IP Address | Wide, Medium, Narrow | Do nothing
IPv6 Address | Wide, Medium, Narrow | Do nothing
Ireland Passport Number | Wide, Narrow | Digits and Letters
Ireland Tax Identification Number | Wide, Medium, Narrow | Digits and Letters
Ireland Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Irish Personal Public Service Number | Wide, Medium, Narrow | Lowercase
Israel Personal Identification Number | Wide, Medium, Narrow | Digits
Italy Driver's Licence Number | Wide, Narrow | Digits and Letters
Italy Health Insurance Number | Wide, Narrow | Digits and Letters
Italy Passport Number | Wide, Narrow | Digits and Letters
Italy Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Japan Driver's License Number | Wide, Medium, Narrow | Digits
Japan Passport Number | Wide, Narrow | Digits and Letters
Japanese Juki-Net Identification Number | Wide, Medium, Narrow | Digits
Japanese My Number - Corporate | Wide, Narrow | Digits
Japanese My Number - Personal | Wide, Medium, Narrow | Digits
Kazakhstan Passport Number | Wide, Narrow | Digits and Letters
Korea Passport Number | Wide, Narrow | Digits and Letters
Korea Residence Registration Number for Foreigners | Wide, Medium, Narrow | Digits
Korea Residence Registration Number for Korean | Wide, Medium, Narrow | Digits
Kosovo Unique Master Citizen Number | Wide, Medium, Narrow | Digits
Latvia Driver's Licence Number | Wide, Narrow | Digits and Letters
Latvia Passport Number | Wide, Narrow | Digits and Letters
Latvia Personal Identification Number | Wide, Medium, Narrow | Digits
Latvia Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Liechtenstein Passport Number | Wide, Narrow | Digits and Letters
Lithuania Personal Identification Number | Wide, Medium, Narrow | Digits
Lithuania Tax Identification Number | Wide, Medium, Narrow | Digits
Lithuania Value Added Tax Number | Wide, Medium, Narrow | Digits and Letters
Luxembourg National Register of Individuals Number | Wide, Medium, Narrow | Digits
Luxembourg Passport Number | Wide, Narrow | Digits and Letters
Luxembourg Tax Identification Number | Wide, Medium, Narrow | Digits
Luxembourg Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Macau Individual Identification Number | Wide, Narrow | Digits
Macedonia Unique Master Citizen Number | Wide, Medium, Narrow | Digits
Malaysia Passport Number | Wide, Narrow | Digits and Letters
Malaysian MyKad Number | Wide, Medium, Narrow | Digits
Malta National Identification Number | Wide, Narrow | Digits and Letters
Malta Tax Identification Number | Wide, Narrow | Digits and Letters
Malta Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Medicare Beneficiary Identifier | Wide, Medium, Narrow | Digits and Letters
Mexico Passport Number | Wide, Narrow | Digits and Letters
Mexican Personal Registration and Identification Number | Wide, Medium, Narrow | Digits and Letters
Mexican Tax Identification Number | Wide, Medium, Narrow | Digits and Letters
Mexican Unique Population Registry Code (CURP) | Wide, Medium, Narrow | Lowercase
Mexico CLABE Number | Wide, Medium, Narrow | Digits
Montenegro Unique Master Citizen Number | Wide, Medium, Narrow | Digits
National Drug Code | Wide, Medium, Narrow | Do nothing
National Provider Identifier Number | Wide, Medium, Narrow | Digits
Netherlands Bank Account Number | Wide, Medium, Narrow | Digits and Letters
Netherlands Driver's License Number | Wide, Narrow | Digits
Netherlands Passport Number | Wide, Narrow | Digits and Letters
Netherlands Tax Identification Number | Wide, Medium, Narrow | Digits
Netherlands Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
New Zealand Driver's License Number | Wide, Narrow | Digits and Letters
New Zealand National Health Index Number | Wide, Medium, Narrow | Lowercase
New Zealand Passport Number | Wide, Narrow | Digits and Letters
Norway Driver's Licence Number | Wide, Narrow | Digits
Norway Health Insurance Card Number (HICN) | Wide, Narrow | Digits
Norway National Identification Number | Wide, Medium, Narrow | Digits
Norway Value Added Tax Number | Wide, Medium, Narrow | Digits and Letters
Norwegian Birth Number | Wide, Medium, Narrow | Digits
People's Republic of China ID | Wide, Narrow | Lowercase
Poland Driver's Licence Number | Wide, Narrow | Digits
Poland European Health Insurance Number | Wide, Narrow | Digits
Poland Passport Number | Wide, Narrow | Digits and Letters
Poland Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Polish Identification Number | Wide, Medium, Narrow | Digits and Letters
Polish REGON Number | Wide, Medium, Narrow | Digits
Polish Social Security Number (PESEL) | Wide, Medium, Narrow | Digits
Polish Tax Identification Number | Wide, Medium, Narrow | Digits
Portugal Driver's Licence Number | Wide, Narrow | Digits and Letters
Portugal National Identification Number | Wide, Medium, Narrow | Digits and Letters
Portugal Passport Number | Wide, Narrow | Digits and Letters
Portugal Tax Identification Number | Wide, Medium, Narrow | Digits
Portugal Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Randomized US Social Security Number (SSN) | Medium, Narrow | Digits
Romania Driver's Licence Number | Wide, Narrow | Lowercase
Romania National Identification Number | Wide, Medium, Narrow | Digits
Romania Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Romanian Numerical Personal Code | Wide, Medium, Narrow | Digits
Russia Cargo Customs Declaration | Wide, Narrow | Digits
Russia Employment Record | Wide, Narrow | Digits and Letters
Russia Insurance Account Number (SNILS) | Wide, Medium, Narrow | Digits
Russia Military Identity Number | Wide, Narrow | Digits and Letters
Russia OMS Number | Wide, Medium, Narrow | Digits
Russian Passport Identification Number | Wide, Narrow | Digits
Russian Taxpayer Identification Number | Wide, Medium, Narrow | Digits
SEPA Creditor Identifier Number North | Wide, Medium, Narrow | Digits and Letters
SEPA Creditor Identifier Number South | Wide, Medium, Narrow | Digits and Letters
SEPA Creditor Identifier Number West | Wide, Medium, Narrow | Digits and Letters
SEPA Creditor Identifier Number East | Wide, Medium, Narrow | Digits and Letters
Serbia Unique Master Citizen Number | Wide, Medium, Narrow | Digits
Serbia Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Singapore NRIC | Wide | Lowercase
Slovakia Driver's Licence Number | Wide, Narrow | Digits and Letters
Slovakia National Identification Number | Wide, Medium, Narrow | Digits and Letters
Slovakia Passport Number | Wide, Narrow | Digits and Letters
Slovakia Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Slovenia Passport Number | Wide, Narrow | Digits and Letters
Slovenia Tax Identification Number | Wide, Medium, Narrow | Digits
Slovenia Unique Master Citizen Number | Wide, Medium, Narrow | Digits
Slovenia Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
South African Personal Identification Number | Wide, Medium, Narrow | Digits
Spain Driver's License Number | Wide, Narrow | Digits and Letters
Spain Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Spanish Customer Account Number | Wide, Medium, Narrow | Digits
Spanish DNI ID | Wide, Narrow | Digits and Letters
Spanish Social Security Number | Wide, Medium, Narrow | Digits
Spanish Tax Identification (CIF) | Wide, Medium, Narrow | Digits and Letters
Sri Lanka National Identity Number | Wide, Medium, Narrow | Digits and Letters
Sweden Driver's Licence Number | Wide, Medium, Narrow | Digits
Sweden Tax Identification Number | Wide, Medium, Narrow | Digits
Sweden Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Swedish Passport Number | Wide, Narrow | Digits and Letters
Swedish Personal Identification Number | Wide, Medium, Narrow | Digits
SWIFT Code | Wide, Narrow | Swift
Swiss AHV Number | Wide, Narrow | Digits
Swiss Social Security Number (AHV) | Wide, Medium, Narrow | Digits
Switzerland Health Insurance Card Number | Wide, Narrow | Digits
Switzerland Passport Number | Wide, Narrow | Digits and Letters
Switzerland Value Added Tax (VAT) Number | Wide, Medium, Narrow | Lowercase
Taiwan ROC ID | Wide, Narrow | Do nothing
Thailand Passport Number | Wide, Narrow | Digits and Letters
Thailand Personal Identification Number | Wide, Medium, Narrow | Digits
Turkish Identification Number | Wide, Medium, Narrow | Digits
Turkey Local Phone Number | Wide, Narrow | Digits
Turkey Mobile Phone Number | Wide, Narrow | Digits
Turkey Passport Number | Wide, Narrow | Digits and Letters
Turkey Tax Identification Number | Wide, Medium, Narrow | Digits
Turkey Value Added Tax (VAT) Number | Wide, Narrow | Digits and Letters
UK Bank Account Number Sort Code | Wide, Medium, Narrow | Digits
UK Driver's Licence Number | Wide, Medium, Narrow | Digits and Letters
UK Electoral Roll Number | Narrow | Lowercase
UK National Health Service (NHS) Number | Medium, Narrow | Digits
UK National Insurance Number | Wide, Medium, Narrow | Lowercase
UK Passport Number | Wide, Medium, Narrow | Do nothing
UK Tax ID Number | Wide, Medium, Narrow | Do nothing
UK Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Ukraine Identity Card | Wide, Medium, Narrow | Digits
Ukraine Passport (Domestic) | Wide, Narrow | Digits
Ukraine Passport (International) | Wide, Narrow | Digits and Letters
United Arab Emirates Personal Number | Wide, Medium, Narrow | Digits
US Adoption Taxpayer Identification Number | Wide, Narrow | Digits and Letters
US Individual Tax ID Number (ITIN) | Wide, Medium, Narrow | Digits
US Passport Number | Wide, Narrow | Digits
US Preparer Taxpayer Identification Number | Wide, Narrow | Digits and Letters
US Social Security Number (SSN) | Wide, Medium, Narrow | Digits
US ZIP+4 Postal Codes | Wide, Medium, Narrow | Digits and Letters
Vehicle Identification Number | Wide, Medium, Narrow | Digits and Letters
Venezuela Driving License Number | Wide, Narrow | Digits and Letters
Venezuela National ID Number | Wide, Medium, Narrow | Digits and Letters
Venezuela Value Added Tax (VAT) Number | Wide, Medium, Narrow | Digits and Letters
Vojvodina Unique Master Citizen Number | Wide, Medium, Narrow | Digits

Using optional validators


Available optional validators for policy instances lists the optional validators policy authors can configure for system data
identifiers.
About optional validators for data identifiers

Table 562: Available optional validators for policy instances

Require beginning characters
Match the characters that begin (lead) the matched data item. For example, for the CA Drivers License data identifier, you
could require the beginning character to be the letter "C". In this case the engine matches a license number C6457291.
Acceptable characters for optional validators

Require ending characters
Match the characters that end (trail) the matched data item.
Acceptable characters for optional validators

Exclude beginning characters
Exclude from matching the characters that begin (lead) the matched data item.
Acceptable characters for optional validators

Exclude ending characters
Exclude from matching the characters that end (trail) the matched data item.
Acceptable characters for optional validators

Find keywords
Match one or more keywords or key phrases in addition to the matched data item. The validator can also check the
proximity of the matched data identifier patterns against the list of keywords, and keyword matching can be made case
sensitive. An incident is generated when all of the data identifier patterns in the rule match. Captured keywords are
highlighted in incidents. Proximity, case sensitivity, and validator highlighting are disabled by default and must be
enabled to work.
The keyword must be detected in the same message component as the data identifier content to report a match.
About cross-component matching
This optional validator accepts any characters (numbers, letters, others).
Acceptable characters for optional validators
List of pattern validators that accept input data

Exact Match Data Identifier Check
Look up tokens around a pattern for an Exact Match Data Identifier index and validate the pattern.
Adding an EMDI check to a built-in or custom data identifier condition in a policy

Configuring optional validators


You implement optional validators to refine the scope of a data identifier defined in a policy instance. System and custom
data identifiers support the configuration of optional validators.
About optional validators for data identifiers
The type of input allowed by an optional validator (numbers, letters, characters) depends on the data identifier. If you enter
unacceptable input characters and attempt to save the configuration, the system reports an error.
For example, the US Social Security Number (SSN) data identifier accepts numbers only. If you configure the "Require
ending characters" optional validator and provide letters as input, you receive the following error when you attempt to save
the configuration: Input to "Require ending characters" Validator is incorrect: List contains non-number character.
Acceptable characters for optional validators
To configure an optional validator
1. Click the plus sign beside the Optional Validators label for the data identifier instance you are configuring.
Configuring the Content Matches data identifier condition
2. Select one or more optional validators.
About optional validators for data identifiers
3. Provide the expected input for each optional validator you select.
Each value can be of any length. Use commas to separate multiple values.
4. Click Save to save the configuration.
If the system displays an error message, make sure you have entered the correct type of expected character input.
Acceptable characters for optional validators
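The following model shows how the optional validators above narrow a data identifier's matches and how the save-time character check rejects input of the wrong type. It is an added illustration written for this page, not Symantec DLP code: the CA driver's license pattern, the sample message, the word-based proximity window and the exact validator semantics are assumptions that follow the documentation's wording.

```python
"""Model of optional validators for a data identifier (added illustration).

Not Symantec DLP code. Assumptions: the CA driver's license shape, the
constructed sample text, a word-count proximity window, and the error message
format (modeled on the documented numbers-only message).
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Acceptable-character classes from the "Acceptable characters" table,
# expressed as predicates over one validator value.
CHAR_CLASSES: Dict[str, Callable[[str], bool]] = {
    "Numbers only": str.isdigit,
    "Letters only": str.isalpha,
    "Alphanumeric": str.isalnum,
    "Any characters": lambda value: True,
}


def check_validator_input(values: List[str], char_class: str, validator: str) -> Optional[str]:
    """Save-time check: every value must fit the identifier's character class.

    Returns None when the input is acceptable, otherwise an error string shaped
    like the documented message (the wording for non-number classes is assumed).
    """
    accepted = CHAR_CLASSES[char_class]
    kind = {"Numbers only": "number", "Letters only": "letter",
            "Alphanumeric": "alphanumeric"}.get(char_class, "acceptable")
    for value in values:
        if not value or not accepted(value):
            return (f'Input to "{validator}" Validator is incorrect: '
                    f"List contains non-{kind} character.")
    return None


@dataclass
class OptionalValidators:
    """One policy instance's validator settings (empty list = not configured)."""
    require_beginning: List[str] = field(default_factory=list)
    require_ending: List[str] = field(default_factory=list)
    exclude_beginning: List[str] = field(default_factory=list)
    exclude_ending: List[str] = field(default_factory=list)
    keywords: List[str] = field(default_factory=list)
    proximity_words: Optional[int] = None   # None = proximity disabled (the default)
    case_sensitive: bool = False            # disabled by default, as documented


def _keyword_nearby(text: str, start: int, end: int, v: OptionalValidators) -> bool:
    """True if a configured keyword appears in the proximity window.

    With proximity disabled the whole message component is the window, which
    matches the rule that keyword and data item must share a component.
    """
    if v.proximity_words is None:
        window = text
    else:
        before = text[:start].split()[-v.proximity_words:]
        after = text[end:].split()[:v.proximity_words]
        window = " ".join(before + [text[start:end]] + after)
    if not v.case_sensitive:
        window = window.lower()
        return any(k.lower() in window for k in v.keywords)
    return any(k in window for k in v.keywords)


def find_matches(component_text: str, pattern: str, v: OptionalValidators) -> List[str]:
    """Apply the data identifier pattern, then narrow the hits with the validators."""
    hits = []
    for m in re.finditer(pattern, component_text):
        item = m.group(0)
        if v.require_beginning and not any(item.startswith(p) for p in v.require_beginning):
            continue
        if v.require_ending and not any(item.endswith(p) for p in v.require_ending):
            continue
        if v.exclude_beginning and any(item.startswith(p) for p in v.exclude_beginning):
            continue
        if v.exclude_ending and any(item.endswith(p) for p in v.exclude_ending):
            continue
        if v.keywords and not _keyword_nearby(component_text, m.start(), m.end(), v):
            continue
        hits.append(item)
    return hits


# Assumed shape for the CA driver's license: one letter followed by seven digits.
CA_DL_PATTERN = r"\b[A-Z]\d{7}\b"

# Constructed sample message component (not real data).
SAMPLE = "Driver license: C6457291 on file; old ID B1234567; account ref 98765432."

if __name__ == "__main__":
    print(find_matches(SAMPLE, CA_DL_PATTERN, OptionalValidators(require_beginning=["C"])))
    print(find_matches(SAMPLE, CA_DL_PATTERN, OptionalValidators(exclude_ending=["1"])))
    print(find_matches(SAMPLE, CA_DL_PATTERN,
                       OptionalValidators(keywords=["license"], proximity_words=2)))
    print(check_validator_input(["A"], "Numbers only", "Require ending characters"))
```

The first call reproduces the documented "C" example: both license-shaped values pass the pattern, but only C6457291 survives the require-beginning check. The last call reproduces the save-time rejection for an SSN-style numbers-only identifier.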

Acceptable characters for optional validators


Each optional validator requires you to enter one or more data values. You must enter the type of data that is appropriate
for that data identifier. Acceptable characters for optional validators lists the acceptable data type for each data identifier/
optional validator pairing.
About optional validators for data identifiers

NOTE
The Find keywords optional validator accepts any characters as values for all data identifiers.
The type of data expected by the optional validator depends on the data identifier. Most data identifier/optional validator
pairings accept numbers only; some accept alphanumeric values, and a few accept any characters. If you enter
unacceptable input and attempt to save the policy, the system reports an error.
Configuring optional validators

Table 563: Acceptable characters for optional validators

Data Identifier | Exclude/require beginning characters | Exclude/require ending characters
ABA Routing Number | Numbers only | Numbers only
Argentina Tax Identification Number | Numbers only | Numbers only
Australia Driver's License Number | Alphanumeric | Alphanumeric
Australian Business Number | Numbers only | Numbers only
Australian Company Number | Numbers only | Numbers only
Australian Medicare Number | Numbers only | Numbers only
Australian Passport Number | Letters only (normalized to lowercase) | Numbers only
Australian Tax File Number | Numbers only | Numbers only
Austria Passport Number | Alphanumeric | Alphanumeric
Austria Tax Identification Number | Numbers only | Numbers only
Austria Value Added Tax (VAT) Number | Letters only | Numbers only
Austrian Social Security Number | Numbers only | Numbers only
Belgian National Number | Numbers only | Numbers only
Belgium Driver's Licence Number | Numbers only | Numbers only
Belgium Passport Number | Alphanumeric | Alphanumeric
Belgium Tax Identification Number | Numbers only | Numbers only
Belgium Value Added Tax (VAT) Number | Letters only | Numbers only
Bosnia-Herzegovina Unique Master Citizen Number | Numbers only | Numbers only
Brazilian Election Identification Number | Numbers only | Numbers only
Brazilian National Registry of Legal Entities Number | Numbers only | Numbers only
Brazil RG Number | Numbers only | Alphanumeric
Brazilian Natural Person Registry Number | Numbers only | Numbers only
British Columbia Personal Number | Numbers only | Numbers only
Bulgaria Value Added Tax (VAT) Number | Letters only | Numbers only
Bulgarian Uniform Civil Number - EGN | Numbers only | Numbers only
Burgerservicenummer | Numbers only | Numbers only
Canada Driver's License Number | Alphanumeric | Alphanumeric
Canada Government Identification Number | Alphanumeric | Numbers only
Canada Passport Number | Letters only | Numbers only
Canada Permanent Resident (PR) Number | Letters only | Numbers only
Canadian Social Insurance Number | Numbers only | Numbers only
Chile Driver License Number | Numbers only | Numbers only
Chilean National Identification Number | Alphanumeric | Alphanumeric
China Passport Number | Alphanumeric | Alphanumeric
Codice Fiscale | Letters only | Letters only
Columbian Addresses | Numbers only | Numbers only
Colombian Cell Phone Number | Numbers only | Numbers only
Columbian Personal Identification Number | Numbers only | Numbers only
Colombian Tax Identification Number | Numbers only | Numbers only
Common Procedure Coding System (HCPCS CPT Code) | Alphanumeric | Alphanumeric
Credit Card Magnetic Stripe Data | Numbers only | Numbers only
Credit Card Number | Numbers only | Numbers only
Croatia National Identification Number | Alphanumeric | Alphanumeric
CUSIP Number | Alphanumeric (normalized to lowercase) | Alphanumeric (normalized to lowercase)
Cyprus Tax Identification Number | Letters only | Numbers only
Cyprus Value Added Tax (VAT) Number | Alphanumeric | Alphanumeric
Czech Republic Driver's Licence Number | Letters only | Numbers only
Czech Republic Personal Identification Number | Numbers only | Numbers only
Czech Republic Tax Identification Number | Numbers only | Numbers only
Czech Republic Value Added Tax (VAT) Number | Letters only | Numbers only
Denmark Personal Identification Number | Alphanumeric | Alphanumeric
Denmark Tax Identification Number | Numbers only | Numbers only
Denmark Value Added Tax (VAT) Number | Letters only | Numbers only
Driver's License Number – AR State | Letters only (normalized to lowercase) | Numbers only
Driver's License Number – AZ State | Letters only (normalized to lowercase) | Numbers only
Driver's License Number – CA State | Letters only (normalized to lowercase) | Numbers only
Driver's License Number – CT State | Numbers only | Numbers only
Driver's License Number – DC State | Numbers only | Numbers only
Driver's License Number – FL, MI, MN States | Letters only (normalized to lowercase) | Numbers only
Driver's License Number – Guam | Alphanumeric | Numbers only
Driver's License Number – HI State | Alphanumeric | Numbers only
Driver's License Number – IA State | Alphanumeric | Numbers only
Driver's License Number – ID State | Alphanumeric | Numbers only
Driver's License Number – IN State | Alphanumeric | Numbers only
Driver's License Number – KY State | Alphanumeric | Numbers only
Driver's License Number – KS State | Alphanumeric | Numbers only
Driver's License Number – MA State | Alphanumeric | Numbers only
Driver's License Number – MD State | Letters only | Numbers only
Driver's License Number – MS State | Alphanumeric | Numbers only
Driver's License Number – MO State | Alphanumeric | Numbers only
Driver's License Number – ND State | Alphanumeric | Numbers only
Driver's License Number – NE State | Numbers only
Driver's License Number – NH State | Alphanumeric | Numbers only
Driver's License Number – NJ State | Letters only (normalized to lowercase) | Numbers only
Driver's License Number – NY State | Numbers only | Numbers only
Driver's License Number – OH State | Alphanumeric | Numbers only
Driver's License Number – OK State | Alphanumeric | Numbers only
Driver's License Number – OR State | Alphanumeric | Numbers only
Driver's License Number – RI State | Alphanumeric | Numbers only
Driver's License Number – US Virgin Islands | Letters only | Numbers only
Driver's License Number – VA State | Alphanumeric | Numbers only
Driver's License Number – VT State | Numbers only | Numbers only
Driver's License Number - WA State | Alphanumeric (normalized to lowercase) | Alphanumeric (normalized to lowercase)
Driver's License Number - WI State | Letters only | Numbers only
Driver's License Number – WV State | Alphanumeric | Numbers only
Drug Enforcement Agency (DEA) Number | Letters only (normalized to lowercase) | Numbers only
Estonia Driver's Licence Number | Letters only | Numbers only
Estonia Passport Number | Letters only | Numbers only
Estonia Personal Identification Number | Numbers only | Numbers only
Estonia Value Added Tax (VAT) Number | Letters only | Numbers only
European Health Insurance Card Number | Numbers only | Numbers only
Finland Driver's Licence Number | Alphanumeric | Alphanumeric
Finland European Health Insurance Number | Numbers only | Numbers only
Finland Passport Number | Letters only | Numbers only
Finland Tax Identification Number | Alphanumeric | Alphanumeric
Finland Value Added Tax (VAT) Number | Letters only | Numbers only
Finnish Personal Identification Number | Alphanumeric (normalized to lowercase) | Alphanumeric (normalized to lowercase)
France Driver's Licence Number | Numbers only | Numbers only
France Health Insurance Number | Numbers only | Numbers only
France Tax Identification Number | Numbers only | Numbers only
France Value Added Tax (VAT) Number | Letters only | Numbers only
French INSEE Code | Numbers only | Numbers only
French Passport Number | Alphanumeric | Alphanumeric
French Social Security Number | Alphanumeric | Alphanumeric
German Passport Number | Alphanumeric (normalized to lowercase) | Alphanumeric (normalized to lowercase)
German Personal Identification Number | Alphanumeric (normalized to lowercase) | Alphanumeric (normalized to lowercase)
German Driver's Licence Number | Alphanumeric | Alphanumeric
German Tax Identification Number | Numbers only | Numbers only
German Value Added Tax (VAT) Number | Letters only | Numbers only
Greece Passport Number | Letters only | Numbers only
Greece Social Security Number (AMKA) | Numbers only | Numbers only
Greece Value Added Tax (VAT) Number | Letters only | Numbers only
Greek Tax Identification Number | Numbers only | Numbers only
Health Insurance Claim Number | Alphanumeric | Alphanumeric
Hong Kong ID | Alphanumeric | Alphanumeric
Hungarian Social Security Number | Numbers only | Numbers only
Hungarian Tax Identification Number | Numbers only | Numbers only
Hungarian VAT Number | Letters only (normalized to lowercase) | Numbers only
Hungary Driver's Licence Number | Letters only | Numbers only
Hungary Passport Number | Letters only | Numbers only
IBAN Central | Alphanumeric | Alphanumeric
IBAN East | Alphanumeric | Alphanumeric
IBAN West | Alphanumeric | Alphanumeric
Iceland National Identification Number | Numbers only | Numbers only
Iceland Passport Number | Letters only | Numbers only
Iceland Value Added Tax (VAT) Number | Letters only | Numbers only
India RuPay Card Number | Numbers only | Numbers only
Indian Aadhaar Card Number | Numbers only | Numbers only
Indonesian Identity Card Number | Letters only | Letters only
International Mobile Equipment Identity Number | Numbers only | Numbers only
International Securities Identification Number | Letters only (normalized to lowercase) | Numbers only
IP Address | Any characters | Any characters
IPv6 Address | Alphanumeric | Alphanumeric
Ireland Passport Number | Letters only | Numbers only
Ireland Tax Identification Number | Alphanumeric | Alphanumeric
Ireland Value Added Tax (VAT) Number | Letters only | Numbers only
Irish Personal Public Service Number | Numbers only | Letters only (normalized to lowercase)
Israel Personal Identification Number | Numbers only | Numbers only
Italy Driver's Licence Number | Letters only | Letters only
Italy Health Insurance Number | Letters only | Letters only
Italy Passport Number | Alphanumeric | Alphanumeric
Italy Value Added Tax (VAT) Number | Letters only | Numbers only
Japan Driver's License Number | Numbers only | Numbers only
Japan Passport Number | Letters only | Numbers only
Japanese Juki-Net ID Number | Numbers only | Numbers only
Japanese My Number - Corporate | Numbers only | Numbers only
Japanese My Number - Personal | Numbers only | Numbers only
Kazakhstan Passport Number | Letters only | Numbers only
Korea Passport Number | Alphanumeric | Alphanumeric
Korea Residence Registration Number for Foreigners | Numbers only | Numbers only
Korea Residence Registration Number for Korean | Numbers only | Numbers only
Kosovo Unique Master Citizen Number | Numbers only | Numbers only
Latvia Driver's Licence Number | Letters only | Numbers only
Latvia Passport Number | Letters only | Numbers only
Latvia Personal Identification Number | Numbers only | Numbers only
Latvia Value Added Tax (VAT) Number | Letters only | Numbers only
Liechtenstein Passport Number | Letters only | Numbers only
Lithuania Personal Identification Number | Numbers only | Numbers only
Lithuania Tax Identification Number | Numbers only | Numbers only
Lithuania Value Added Tax (VAT) Number | Letters only | Numbers only
Luxembourg National Register of Individuals Number | Numbers only | Numbers only
Luxembourg Passport Number | Alphanumeric | Alphanumeric
Luxembourg Tax Identification Number | Numbers only | Numbers only
Luxembourg Value Added Tax (VAT) Number | Letters only | Numbers only
Macau National Identification Number | Numbers only | Numbers only
Macedonia Unique Master Citizen Number | Numbers only | Numbers only
Malaysia Passport Number | Letters only | Numbers only
Malaysian MyKad Number (MyKad) | Numbers only | Numbers only
Malta National Identification Number | Numbers only | Letters only
Malta Tax Identification Number | Alphanumeric | Alphanumeric
Malta Value Added Tax (VAT) Number | Alphanumeric | Alphanumeric
Medicare Beneficiary Number | Alphanumeric | Alphanumeric
Mexico Passport Number | Alphanumeric | Numbers only
Mexican Personal Registration and Identification Number | Alphanumeric | Alphanumeric
Mexican Tax Identification Number | Alphanumeric | Alphanumeric
Mexican Unique Population Registry Code | Alphanumeric (normalized to lowercase) | Alphanumeric (normalized to lowercase)
Mexico CLABE Number | Numbers only | Numbers only
Montenegro Unique Master Citizen Number | Numbers only | Numbers only
National Drug Code (NDC) | Numbers only | Numbers only
National Provider Identifier Number | Numbers only | Numbers only
Netherlands Bank Account Number | Alphanumeric | Alphanumeric
Netherlands Driver's Licence Number | Numbers only | Numbers only
Netherlands Passport Number | Alphanumeric | Alphanumeric
Netherlands Tax Identification Number | Numbers only | Numbers only
Netherlands Value Added Tax (VAT) Number | Letters only | Numbers only
New Zealand Driver's License Number | Letters only | Numbers only
New Zealand National Health Index Number | Letters only (normalized to lowercase) | Numbers only
New Zealand Passport Number | Letters only | Numbers only
Norway Driver's Licence Number | Numbers only | Numbers only
Norway Health Insurance Card Number (HICN) | Numbers only | Numbers only
Norway National Identification Number | Numbers only | Numbers only
Norway Value Added Tax Number | Alphanumeric | Alphanumeric
Norwegian Birth Number | Numbers only | Numbers only
People's Republic of China ID | Alphanumeric (normalized to lowercase) | Alphanumeric (normalized to lowercase)
Poland Driver's Licence Number | Numbers only | Numbers only
Poland European Health Insurance Number | Numbers only | Numbers only
Poland Passport Number | Letters only | Numbers only
Poland Value Added Tax (VAT) Number | Letters only | Numbers only
Polish Identification Number | Letters only | Numbers only
Polish REGON Number | Numbers only | Numbers only
Polish Social Security Number (PESEL) | Numbers only | Numbers only
Polish Tax Identification Number | Numbers only | Numbers only
Portugal Driver's Licence Number | Letters only | Numbers only
Portugal National Identification Number | Alphanumeric | Alphanumeric
Portugal Passport Number | Letters only | Numbers only
Portugal Tax Identification Number | Numbers only | Numbers only
Portugal Value Added Tax (VAT) Number | Letters only | Numbers only
Randomized US Social Security Number (SSN) | Numbers only | Numbers only
Romania Driver's Licence Number | Alphanumeric (normalized to lowercase) | Alphanumeric (normalized to lowercase)
Romania National Identification Number | Numbers only | Numbers only
Romania Numerical Personal Code | Numbers only | Numbers only
Romania Value Added Tax (VAT) Number | Letters only | Numbers only
Romanian Numerical Personal Code | Numbers only | Numbers only
Russia Cargo Customs Declaration Number | Numbers only | Numbers only
Russia Employment Record | Letters only | Numbers only
Russia Individual Personal Account Insurance Number | Numbers only | Numbers only
Russia Military Identity Number | Letters only | Numbers only
Russia OMS Number | Numbers only | Numbers only
Russian Passport Identification Number | Numbers only | Numbers only
Russian Taxpayer Identification Number | Numbers only | Numbers only
SEPA Creditor Identifier Number North | Alphanumeric | Alphanumeric
SEPA Creditor Identifier Number South | Alphanumeric | Alphanumeric
SEPA Creditor Identifier Number West | Alphanumeric | Alphanumeric
SEPA Creditor Identifier Number East | Alphanumeric | Alphanumeric
Serbia Unique Master Citizen Number | Numbers only | Numbers only
Serbia Value Added Tax (VAT) Number | Alphanumeric | Alphanumeric
Singapore NRIC | Alphanumeric (normalized to lowercase) | Alphanumeric (normalized to lowercase)
Slovakia Driver's Licence Number | Letters only | Numbers only
Slovakia National Identification Number | Alphanumeric | Alphanumeric
Slovakia Passport Number | Letters only | Numbers only
Slovakia Value Added Tax (VAT) Number | Letters only | Numbers only
Slovenia Passport Number | Letters only | Numbers only
Slovenia Tax Identification Number | Numbers only | Numbers only
Slovenia Unique Master Citizen Number | Numbers only | Numbers only
Slovenia Value Added Tax (VAT) Number | Letters only | Numbers only
South African Personal Identification Number | Numbers only | Numbers only
Spain Driver's Licence Number | Alphanumeric | Alphanumeric
Spain Value Added Tax (VAT) Number | Alphanumeric | Alphanumeric
Spanish Customer Account Number | Numbers only | Numbers only
Spanish DNI ID | Alphanumeric | Alphanumeric
Spanish Passport Number | Alphanumeric | Alphanumeric
Spanish Social Security Number | Numbers only | Numbers only
Spanish Tax ID (CIF) | Alphanumeric | Alphanumeric
Sri Lanka National Identification Number | Alphanumeric | Alphanumeric
Sweden Driver's Licence Number | Numbers only | Numbers only
Sweden Personal Identification Number | Numbers only | Numbers only
Sweden Tax Identification Number | Numbers only | Numbers only
Sweden Value Added Tax (VAT) Number | Letters only | Numbers only
Swedish Passport Number | Alphanumeric | Alphanumeric
SWIFT Code | Alphanumeric | Alphanumeric
Swiss AHV Number | Numbers only | Numbers only
Swiss Social Security Number (AHV) | Alphanumeric | Alphanumeric
Switzerland Health Insurance Card Number | Numbers only | Numbers only
Switzerland Passport Number | Letters only | Numbers only
Switzerland Value Added Tax (VAT) Number | Alphanumeric (normalized to lowercase) | Alphanumeric (normalized to lowercase)
Taiwan ROC ID | Alphanumeric | Alphanumeric
Thailand Passport Number | Letters only | Numbers only
Thailand Personal ID Number | Numbers only | Numbers only
Turkish Identification Number | Numbers only | Numbers only
Turkey Local Phone Number | Numbers only | Numbers only
Turkey Mobile Number | Numbers only | Numbers only
Turkey Passport Number | Letters only | Numbers only
Turkey Tax Identification Number | Numbers only | Numbers only
Turkey VAT Number | Letters only | Numbers only
UK Bank Account Number Sort Code | Numbers only | Numbers only
UK Driver's Licence Number | Alphanumeric (normalized to lowercase) | Alphanumeric (normalized to lowercase)
UK Electoral Roll Number | Letters only (normalized to lowercase) | Numbers only
UK National Health Service (NHS) Number | Numbers only | Numbers only
UK National Insurance Number | Letters only (normalized to lowercase) | Letters only (normalized to lowercase)
UK Passport Number | Numbers only | Numbers only
UK Tax Identification Number | Numbers only | Numbers only
UK Value Added Tax (VAT) Number | Letters only | Numbers only
Ukraine Identity Card | Numbers only | Numbers only
Ukraine Passport (Domestic) | Numbers only | Numbers only
Ukraine Passport (International) | Alphanumeric | Alphanumeric
United Arab Emirates Personal Number | Numbers only | Numbers only
US Adoption Tax Identification Number | Numbers only | Numbers only
US Individual Tax Identification Number (ITIN) | Numbers only | Numbers only
US Passport Number | Numbers only | Numbers only
US Preparer Tax Identification Number | Numbers only | Numbers only
US Social Security Number (SSN) | Numbers only | Numbers only
US ZIP+4 Postal Codes | Letters only | Numbers only
Vehicle Identification Number | Alphanumeric | Numbers only
Venezuela Driver's License Number | Alphanumeric | Numbers only
Venezuela National ID Number | Letters only | Numbers only
Venezuela Value Added Tax (VAT) Number | Letters only | Numbers only
Vojvodina Unique Master Citizen Number | Numbers only | Numbers only

Using unique match counting


When you define a new data identifier rule, a new keyword rule, or a new regular expression rule, Count all unique
matches is the default method for counting matches.
The following table describes unique match counting characteristics.

Table 564: Unique match counting characteristics

First match is unique
A unique match is the first match found in a message component.
Detection Messages and Message Components

Match count updated for each unique match
The match count is incremented by 1 for each unique pattern match.

Only unique matches are highlighted
Duplicate matches are neither counted nor highlighted at the Incident Snapshot screen.

Uniqueness does not span message components
For example, if the same SSN appears in both the message body and attachment, two unique matches will be generated,
not one. This is because each instance is detected in a separate message component.

Compound rule with data identifier and keyword proximity conditions
In a compound rule combining a data identifier condition with a keyword condition that specifies keyword proximity logic,
the reported match will be the first match found

Configuring unique match counting


Count all unique matches is the default selection for new data identifiers you create. After upgrading Data Loss Prevention, you may need to manually configure pre-existing data identifier rules to use unique match counting, if you did not do so before the upgrade. (See: About unique match counting.)
To configure unique match counting
1. At the Manage > Policies > Policy List screen, select the policy containing the data identifier rule or rules you want to update.
2. At the Configure Policy screen, select the data identifier rule.
3. Select the match counting option Count all unique matches.
4. Click OK to apply the unique match counting configuration change.
5. Click Save to save the policy change.
6. Test unique match counting.
Create an incident with multiple instances of a data identifier pattern, such as several instances of the same social security number in the same message component (for example, in an email attachment). At the Incident Snapshot, verify that only unique matches are highlighted and counted: the repeated number is counted once within that component, and a second copy in a different component (body versus attachment) is counted again.
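The counting rules in Table 564, together with the normalizer column of the preceding table, as an added Python example. This is illustrative code written for this page; it is not Symantec DLP's detection engine and not code from the product documentation. It assumes that matches are compared for uniqueness on their normalized value (here a "Numbers only" normalizer, so "123-45-6789" and "123 45 6789" are one unique match), that a fresh uniqueness set is kept per message component, and it uses a hypothetical SSN-style regular expression rather than the product's US SSN pattern. The sample message and its numbers are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical SSN-style pattern for the example (three, two and four digits with an
# optional dash or space between groups); not the product's US SSN data identifier.
SSN = re.compile(r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b")


def numbers_only(text: str) -> str:
    """'Numbers only' normalizer: keep the digits, drop every separator."""
    return re.sub(r"\D", "", text)


@dataclass
class ComponentResult:
    component: str
    occurrences: List[str]   # every pattern match, in order of appearance
    unique: List[str]        # first occurrence of each normalized value (what gets highlighted)
    count: int               # what "Count all unique matches" reports for this component


def count_unique(components: Dict[str, str]) -> List[ComponentResult]:
    """Count unique matches per message component.

    A fresh set is used for every component, so the same value in the body and in an
    attachment is counted once in each (uniqueness does not span components).
    Assumption: matches are compared on their normalized value.
    """
    results = []
    for name, text in components.items():
        seen, occurrences, unique = set(), [], []
        for m in SSN.finditer(text):
            occurrences.append(m.group(0))
            key = numbers_only(m.group(0))
            if key not in seen:      # a duplicate is neither counted nor highlighted
                seen.add(key)
                unique.append(m.group(0))
        results.append(ComponentResult(name, occurrences, unique, len(unique)))
    return results


def incident_match_count(results: List[ComponentResult]) -> int:
    """Per-component unique counts simply add up for the incident."""
    return sum(r.count for r in results)


# Constructed sample message with fictitious numbers: one SSN repeated in the body with
# different separators, a second SSN, and the first SSN again in an attachment.
SAMPLE_MESSAGE = {
    "body": ("Please verify SSN 123-45-6789 for the new hire. I sent 123-45-6789 last "
             "week, written as 123 45 6789 on the form. Her spouse is 987-65-4321."),
    "attachment:payroll.csv": "name,ssn\nJ. Doe,123-45-6789\n",
}

if __name__ == "__main__":
    results = count_unique(SAMPLE_MESSAGE)
    for r in results:
        print(f"{r.component}: {len(r.occurrences)} occurrences, {r.count} unique {r.unique}")
    print("incident match count:", incident_match_count(results))
```

The body yields four occurrences but two unique matches, the attachment one more, so the incident reports three, which is the outcome the test step above tells you to look for at the Incident Snapshot. If the product's highlighting differs from this (for example, if the two separator variants are highlighted separately), the normalizer or the uniqueness basis is the first thing to check.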

Modifying system data identifiers


The system lets you modify system-defined data identifiers, and any custom data identifiers that you have created, but you cannot delete system-defined data identifiers. Any modification you make to a data identifier takes effect system-wide: it applies to every policy that currently declares the data identifier and to every policy that declares it later.
There is no way to automatically revert a data identifier to its original configuration once it is modified. Before you modify a system data identifier, consider cloning it.
The system does not include modified data identifiers in policies exported as templates. Before modifying a system data identifier, export any policies that declare it. (See: Editing data identifiers; Editing pattern validator input.)
NOTE
The system does not export modified and custom data identifiers in a policy template. The system exports only a reference to the system data identifier, and the target system where the policy template is imported supplies the actual data identifier definition. A policy imported from a template therefore detects with the target system's version of the data identifier, not with your modified version. Clone system-defined data identifiers before modifying them to preserve the original state.

Table 565: System data identifier modification options

Modifiable at the system level:
• Patterns: You can edit one or more data identifier patterns at the system level.
• Active Validators: You can add or remove required validators at the system level.
• Data Entry: You can edit the input of an active validator for a system data identifier.

Not configurable:
• Name, Description, and Category: You cannot modify the name, description, or category of a system data identifier.
• Breadth: You cannot define a new detection breadth for a system data identifier; you can only modify an existing breadth.
• Optional Validators: You cannot define optional validators at the system level. You can only configure optional validators at the policy level.
• Data Normalizer: You cannot modify the type of data normalizer implemented by a system data identifier.
• Delete: You cannot delete a system data identifier.

Cloning a system data identifier before modifying it


The Enforce Server does not provide an automated mechanism for cloning a system data identifier. (See: Extending and customizing data identifiers.)
Before you modify a system data identifier, consider manually cloning it so you can revert to the original configuration, if necessary. At the least, export a policy as a template before you modify any system data identifier declared by that policy.
To manually clone a system data identifier
1. Review the original configuration of the data identifier you want to modify.
2. Create a custom data identifier. (See: Workflow for creating custom data identifiers.)
3. Copy the configuration of the original data identifier to the custom data identifier: add the pattern(s), validator(s), any data input, and the normalizer. (See: Selecting a data identifier breadth.)
4. Save the custom data identifier.
5. Modify the custom data identifier to suit your needs.

Editing pattern validator input


At the system level you can edit the data input that a required validator accepts. Not all validators accept data input. (See: About pattern validators.)
To edit required validator input
1. Edit the data identifier by selecting it at the Manage > Policies > Data Identifiers screen.
2. Select the Rule Breadth you want to modify.
Generally, the medium and narrow breadth options include validators that accept data input.
3. Select the editable validator from the Active Validators list whose input you want to edit. For example, select Find keywords. (See: List of pattern validators that accept input data.)
4. Edit the input for the validator in the Description and Data Entry field.
5. Select the qualities you want for the keyword:
• Proximity - To find a keyword only within the set proximity of the matched patterns, check this box and also specify the Word Distance.
• Case sensitive - Check this box if you want to search for a case-sensitive match.
• Highlight keywords in incident - Check this box if you want to highlight the matched keywords in incidents.
6. Click Update Validator to save the changes you have made to the validator input. Click Discard Changes to abandon them.
7. Click Save to save the data identifier.

List of pattern validators that accept input data


The following table lists all available pattern validators that accept data input. The input data is editable at the system-level definition of the data identifier.
NOTE
Input for the beginning and ending validators concerns the text of the match itself. Input for the prefix and suffix validators concerns the characters before and after the matched text.

Table 566: Pattern validators that accept input data

Validator | Description
Exact Match | Enter a comma-separated list of values. If the values are numeric, do NOT enter any dashes or other separators. Each value can be of any length.
Exclude beginning characters | Enter a comma-separated list of values. If the values are numeric, do NOT enter any dashes or other separators. Each value can be of any length.
Exclude ending characters | Enter a comma-separated list of values. If the values are numeric, do NOT enter any dashes or other separators. Each value can be of any length.
Exclude exact match | Enter a comma-separated list of values. Each value can be of any length.
Exclude prefix | Enter a comma-separated list of values. Each value can be of any length.
Exclude suffix | Enter a comma-separated list of values. Each value can be of any length.
Find keywords | Enter a comma-separated list of values. Each value can be of any length.
Require beginning characters | Enter a comma-separated list of values. If the values are numeric, do NOT enter any dashes or other separators. Each value can be of any length.
Require ending characters | Enter a comma-separated list of values. If the values are numeric, do NOT enter any dashes or other separators. Each value can be of any length.

Editing keywords for international PII data identifiers
Data identifiers offer broad support for detecting international content. (See: Introducing data identifiers.)
Some international data identifiers offer a wide breadth of detection only. In this case you can implement the Find Keywords optional validator to narrow the scope of detection. Implementing this optional validator may help you eliminate false positives that your policy matches. (See: Selecting a data identifier breadth.)
To use keywords for international data identifiers
1. Create a policy using one of the system-provided international data identifiers listed in the table. (See: List of keywords for international system data identifiers.)
2. Select the Find Keywords optional validator. (See: Configuring the Content Matches data identifier condition.)
3. Copy and paste the appropriate comma-separated keywords from the list into the Find Keywords optional validator field. (See: Configuring optional validators.)
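How the validators of Table 566 and the Find Keywords validator with proximity interact on a real message, as an added Python example that serves both the validator table above and the international-keyword procedure just described. The code is written for this page; it is not the product's validator implementation and not from the product documentation. It assumes that the beginning, ending and exact-match validators compare against the match with separators removed (which is why the table says not to type dashes in numeric values), that the Word Distance counts whitespace-delimited words between keyword and match, and it uses a hypothetical two-three-four digit pattern that is not a product data identifier. The German sample text and its numbers are constructed; the keyword list is the one the table gives for Austria Tax Identification Number.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical data identifier pattern for this example (NOT a product pattern):
# two digits, a dash, three digits, a slash, four digits.
PATTERN = re.compile(r"\b\d{2}-\d{3}/\d{4}\b")
WORD = re.compile(r"\S+")


@dataclass
class ValidatorInput:
    """Data Entry values exactly as typed into the console: comma-separated lists."""
    require_beginning: str = ""
    exclude_ending: str = ""
    exclude_exact: str = ""
    exclude_prefix: str = ""
    find_keywords: str = ""
    word_distance: Optional[int] = None   # Proximity box; None means anywhere in the component
    case_sensitive: bool = False


def parse_list(values: str) -> List[str]:
    """Split a comma-separated Data Entry field; surrounding whitespace is dropped."""
    return [v.strip() for v in values.split(",") if v.strip()]


def digits_only(text: str) -> str:
    # Assumption: beginning/ending/exact validators compare against the match with its
    # separators removed.
    return re.sub(r"\D", "", text)


def words_between(text: str, a: Tuple[int, int], b: Tuple[int, int]) -> int:
    """Number of whitespace-delimited words strictly between two non-overlapping spans."""
    lo, hi = (a[1], b[0]) if a[1] <= b[0] else (b[1], a[0])
    return len(WORD.findall(text[lo:hi]))


def keyword_near(text: str, span: Tuple[int, int], cfg: ValidatorInput) -> Optional[str]:
    """Return the first keyword occurrence that satisfies the proximity setting, or None."""
    flags = 0 if cfg.case_sensitive else re.IGNORECASE
    for kw in parse_list(cfg.find_keywords):
        for k in re.finditer(r"(?<!\w)" + re.escape(kw) + r"(?!\w)", text, flags):
            if cfg.word_distance is None or words_between(text, k.span(), span) <= cfg.word_distance:
                return k.group(0)
    return None


def validate(text: str, cfg: ValidatorInput) -> List[Tuple[str, Optional[str]]]:
    """Run every pattern match through the validators.

    Returns (matched text, name of the first validator that rejected it), with None as
    the second element when the match survives and would be reported in the incident.
    """
    results = []
    for m in PATTERN.finditer(text):
        raw, norm, before = m.group(0), digits_only(m.group(0)), text[:m.start()]
        reason = None
        if cfg.require_beginning and not any(norm.startswith(v) for v in parse_list(cfg.require_beginning)):
            reason = "Require beginning characters"
        elif any(norm.endswith(v) for v in parse_list(cfg.exclude_ending)):
            reason = "Exclude ending characters"
        elif norm in parse_list(cfg.exclude_exact):
            reason = "Exclude exact match"
        elif any(before.endswith(p) for p in parse_list(cfg.exclude_prefix)):   # chars before the match
            reason = "Exclude prefix"
        elif cfg.find_keywords and keyword_near(text, m.span(), cfg) is None:
            reason = "Find keywords"
        results.append((raw, reason))
    return results


# Constructed German-language sample component (fictitious numbers).
SAMPLE = ("Die Steuernummer lautet 12-345/6789. Die Rechnungsnummer für diese Lieferung ist "
          "99-000/1111, der Platzhalter 00-000/0000 ist ungültig (Beispiel: Test-55-555/5555).")

# Keyword list copied from the table row for Austria Tax Identification Number, with the
# Proximity box checked and a Word Distance of 3; the other inputs are example choices.
CONFIG = ValidatorInput(
    exclude_exact="000000000",
    exclude_prefix="Test-",
    find_keywords="Österreich, Steuernummer",
    word_distance=3,
)

if __name__ == "__main__":
    for matched, reason in validate(SAMPLE, CONFIG):
        print(f"{matched}: {'reported' if reason is None else 'dropped by ' + reason}")
```

Only the number next to "Steuernummer" is reported; the invoice number eight words away fails the proximity check, the all-zero placeholder is removed by Exclude exact match, and the "Test-" value by Exclude prefix. Clearing the Proximity box (word_distance=None) makes the invoice number pass again, and turning on Case sensitive with a lowercase keyword rejects everything, which is the false-positive versus false-negative trade-off to test before rolling a keyword list into a policy.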

List of keywords for international system data identifiers


Keyword list for international PII data identifiers provides keywords for several system-defined international data identifiers. You can narrow the specified data identifier by entering the corresponding keyword(s) in its Find Keywords validator. Keywords shown in the table as runs of # are Chinese, Japanese, or Korean characters that were not preserved in this copy of the document. (See: Extending and customizing data identifiers; Introducing data identifiers; Selecting a data identifier breadth.)

Table 567: Keyword list for international PII data identifiers

Data identifier Language Keywords English translation

Argentina Tax Spanish Número de Identificación Tax identification number, taxpayer


Identification Number Fiscal, número de number, Argentina tax identification
contribuyente, Número number, Argentina taxpayer number
de identificación fiscal
Argentina, Argentina número
de contribuyente
Austria Passport Number German REISEPASS, ÖSTERREICHISCH Passport, Austrian passport
REISEPASS, reisepass
Austria Tax Identification German Österreich, Steuernummer Austria, tax number
Number
Austria Value Added Tax German MwSt, Umsatzsteuernummer, VAT, sales tax number, VAT number,
(VAT) Number MwSt Nummer, Ust.- VAT identification number, sales tax,
Identifikationsnummer, UID number
umsatzsteuer, Umsatzsteuer-
Identifikationsnummer

1079
Data identifier Language Keywords English translation

Austrian Social Security German sozialversicherungsnummer, Social insurance number, social


Number soziale sicherheit security number, insurance number,
kein,Versicherungsnummer, Austrian SSN, Austrian social
Österreichischen insurance
SSN, Österreichischen
Sozialversicherungs
Belgian National Number French Numéro national, numéro de National number, security number,
sécurité, numéro d'assuré, number of insured, national
identifiant national, identification, national identification #,
identifiantnational#, national number #
Numéronational#
Belgium Driver's License German, French, Führerschein, Fuhrerschein, Driver's license, driver's license
Number Frisian Fuehrerschein, number, driving permit, driving permit
Führerscheinnummer, number
Fuhrerscheinnummer,
Fuehrerscheinnummer,
Führerscheinnummer,
Fuhrerscheinnummer,
Fuehrerscheinnummer,
Führerschein- Nr,
Fuhrerschein- Nr,
Fuehrerschein- Nr,
permis de conduire,
rijbewijs,Rijbewijsnummer,
Numéro permis conduire
Belgium Passport Number Dutch, German, Paspoort, paspoort, Passport, passport number, passport
French paspoortnummer, Reisepass book, passport card
kein, Reisepass,
Passnummer, Passeport,
Passeport livre, Passeport
carte, numéro passeport
Belgium Tax Identification Dutch, German, Numéro de registre National registry number, tax
Number French national, numéro identification number, tax number
d'identification
fiscale, belasting
aantal,Steuernummer
Belgium Value Added Tax German, French Numéro T.V.A, Umsatzsteuer- VAT number, tax identification number
(VAT) Number Identifikationsnummer,
Umsatzsteuernummer
Brazilian Election Brazilian Portuguese número identificação, Identification number, voter
Identification Number identificação do eleitor, identification, electoral identification
ID eleitor eleição, número number, Brazilian electoral
identificação eleitoral, identification number,
Número identificação
eleitoral brasileira,
IDeleitoreleição#
Brazilian National Registry Brazilian Portuguese Brasileira ID Legal, Brazilian legal identification, legal
of Legal Entities Number entidades jurídicas entities ID, National Registry of Legal
ID,Registro Nacional de Entities No
Pessoas Jurídicas n º,
BrasileiraIDLegal#

1080
Data identifier Language Keywords English translation

Brazilian Natural Person Brazilian Portuguese Cadastro de Pessoas Registration of individuals, Brazilian
Registry Number Físicas, Brasileiro Pessoa Natural Person Registry Number,
Natural Número de Registro, natural person registry number,
pessoa natural número individual registration number
de registro, pessoas
singulares registro NO
British Columbia Personal French MSP nombre, soins de MSP Number, MSP no, personal
Healthcare Number santé no, soins de healthcare number, Healthcare No,
santé personnels nombre, PHN
MSPNombre#, soinsdesanténo#
Bulgaria Value Added Tax Bulgarian номер на таксата, ДДС, Fee number, VAT, VAT number, value
(VAT) Number ДДС#, ДДС номер., ДДС added tax
номер.#, номер на данъка
върху добавената стойност,
данък върху добавената
стойност, ДДС номер
Bulgarian Uniform Civil Bulgarian Униформ граждански номер, Uniform civil number, Uniform ID,
Number - EGN Униформ ID, Униформ Uniform civil ID, Bulgarian uniform civil
граждански ID, Униформ number
граждански не., български
Униформ граждански номер,
УниформгражданскиID#,
Униформгражданскине.#
Burgerservicenummer Dutch Persoonsnummer, sofinummer, person number, social-fiscal number
sociaal-fiscaal nummer, (abbreviation), social-fiscal number,
persoonsgebonden person-related number
Canada Driver's License French permis de conduire Driver's license
Number
Canada Passport Numbert French numéro passeport, No Passport number, passport no.,
passeport, passeport# passport#
Canada Permanent French numéro résident permanent, permanent resident number,
Resident (PR) Number résident permanent non, permanent resident no, permanent
résident permanent no., resident number, permanent resident
carte résident permanent, card, permanent resident card number,
numéro carte résident pr no
permanent, pr non
Chilean National Spanish Chilena número Chileand identification number,
Identification Number identificación, nacional national identity, identification number,
identidad, número national identification number, identity
identificación, número number, Unique National Role
identificación nacional,
identidad número,
NúmerodeIdentificación#,
Identidadchilenano#,
Rol Único Nacional,
RolÚnicoNacional#,
nacionalidentidad#
China Passport Number Chinese ####, ##, ### Chinese passport, passport, passport
book
Codice Fiscale Italian codice fiscal, dati tax code, personal data, VAT number,
anagrafici, partita I.V.A., VAT number
p. iva

1081
Data identifier Language Keywords English translation

Columbian Addresses Spanish Calle, Cll, Carrera, Street, St, Career, Avenue, Diagonal,
Cra, Cr, Avenida, Av, Dg, Transversal, sidewalk
Diagonal, Diag, Tv, Trans,
Transversal, vereda
Columbian Cell Phone Spanish numero celular, número de Cellular number, telephone number,
Number teléfono, teléfono celular cellular telephone number
no., numero celular#
Columbian Personal Spanish cedula, cédula, c.c., Identification card, citizenship card,
Identification Number c.c,C.C., C.C, cc, CC, identification document
NIE., NIE, nie., nie,
cedula de ciudadania,
cédula de ciudadanía,
cc#, CC #, documento de
identificacion, documento
de identificación, Nit.
Columbian Tax Spanish NIT., NIT, nit., nit, Nit. TIN (tax identification number)
Identification Number
Croatia National Croatian Osobna iskaznica, Personal ID, national identification
Identification Number Nacionalni identifikacijski number, personal ID, personal
broj, osobni ID, osobni identification number, tax identification
identifikacijski broj, card, tax number, tax identification
porez iskaznica, number, tax code, taxpayer code
porezni broj, porezni
identifikacijski broj,
porez kod, šifra poreznog
obveznika
Cyprus Tax Identification Turkish, Greek αριθμός φορολογικού Tax identification number, tax number,
Number μητρώου, Vergi Kimlik TIN number, Cyprus TIN number
Numarası, vergi numarası,
Kıbrıs TIN numarası
Cyprus Value Added Tax Turkish, Greek KDV, kdv#, KDV numarası, VAT, VAT number, value added tax,
(VAT) Number Katma değer Vergisi, Φόρος
Προστιθέμενης Αξίας
Czech Republic Driver's Czech řidičský průkaz, řidičský Driving license, driver's license
Licence Number prúkaz, číslo řidičského number, driving license number,
průkazu, řidičské číslo driver's lic., driver license number,
řidičů, ovladače lic., driver's permit
Číslo licence řidiče,
Řidičský průkaz, povolení
řidiče, řidiči povolení,
povolení k jízdě, číslo
licence
Czech Republic Personal Czech Česká Osobní identifikační Czech Personal Identification Number,
Identification Number číslo, Osobní identifikační personal identification number, Czech
číslo., identifikační identification number
číslo, čeština
identifikační číslo
Czech Republic Tax Czech osobní kód, Národní Personal code, national identification
Identification Number identifikační číslo, osobní number, personal identification
identifikační číslo, cínové number, TIN number, tax identification
číslo, daňové identifikačné number, taxpayer ID
číslo, daňový poplatník id

1082
Data identifier Language Keywords English translation

Czech Republic Value Czech číslo DPH, Daň z přidané VAT number, value added tax, VAT
Added Tax (VAT) Number hodnoty, Dan z pridané
hodnoty, Daň přidané
hodnoty, Dan pridané
hodnoty, DPH, DIC, DIČ
Denmark Personal Danish Nationalt National identification number,
Identification Number identifikationsnummer, personal number, unique identification
personnummer, unikt number, identification number, central
identifikationsnummer, registry of persons, CPR number
identifikationsnummer,
centrale personregister,
cpr,cpr-nummer,cpr#,
cpr-nummer#,
identifikationsnummer#,
personnummer#
Denmark Value Added Tax Danish moms, momsnummer, moms VAT number, vat, value added tax
(VAT) Number identifikationsnummer, number, vat identification number
merværdiafgift
Estonia Driver's Licence Estonian juhiluba, JUHILUBA, Driving license, driving license number,
Number juhiluba number, juhiloa driver's license number, license
number, Juhiluba, juhi number
litsentsi number
Estonia Passport Number Estonian Pass, pass, passi number, Passport, passport number, Estonian
pass nr, pass#, Pass nr, passport number
Eesti passi number
Estonia Personal Estonian isikukood, isikukood#, Personal identification code, tax
Identification Code IK, IK#, maksu ID, ID, taxpayer identification number,
maksukohustuslase tax identification number, tax code,
identifitseerimisnumber, taxpayer code
maksukood, maksukood#,
maksuID#, maksumaksja
kood, maksumaksja
identifitseerimisnumber
Estonia Value Added Tax Estonian käibemaksu VAT registration number, VAT, VAT
(VAT) Number registreerimisnumber, number
käibemaksu, Käibemaksu
number, käibemaks,
käibemaks#, käibemaksu#

1083
Data identifier Language Keywords English translation

European Health Insurance Croatian, Danish, numero conto medico, Medical account number, health
Card Number Estonian, Finnish, tessera sanitaria insurance card number, insurance card
French, German, assicurazione numero, number, health insurance number,
Irish, Italian, carta assicurazione numero, medical account number, health
Luxembourgish, Krankenversicherungsnummer, card number, health card, insurance
Polish, Slovenian, assicurazione sanitaria number, EHIC number,
Spanish numero, medisch
rekeningnummer,
ziekteverzekeringskaartnummer,
verzekerings kaart
nummer, gezondheidskaart
nummer, gezondheidskaart,
medizinische Kontonummer,
Krankenversicherungskarte
Nummer,
Versicherungsnummer,
Gesundheitskarte Nummer,
Gesundheitskarte,
arstliku konto number,
ravikindlustuse kaardi
number, tervisekaart,
tervisekaardi number,
Uimhir ehic, tarjeta
salud, broj kartice
zdravstvenog osiguranja,
kartice osiguranja broj,
zdravstvenu karticu,
zdravstvene kartice broj,
ehic broj, numero tessera
sanitaria, numero carta
di assicurazione, tessera
sanitaria, numero ehic,
Gesondheetskaart, ehic
nummer, numer rachunku
medycznego, numer karty
ubezpieczenia zdrowotne,
numer karty ubezpieczenia,
karta zdrowia, numer
karty zdrowia, numer ehic,
sairausvakuutuskortin
numero, vakuutuskortin
numero, terveyskortti,
terveyskortin numero,
medicinsk kontonummer,
ehic numeris, medizinescher
Konto Nummer, zdravstvena
izkaznica
Finland Driver's License Finnish, Swedish permis de conduire, Driver's license, driver's license
Number ajokortti, ajokortin number, driver's lic.
numero, kuljettaja lic.,
körkort, körkort nummer,
förare lic.

1084
Data identifier Language Keywords English translation

Finland European Health Finnish Suomi EHIC-numero, Finland EHIC number, sickness
Insurance Number Sairausvakuutuskortti, insurance card, health insurance card,
sairaanhoitokortin, EHIC, Finnish health insurance card,
Sjukförsäkringskort, ehic, Health Card, Survival Card, health
sairaanhoitokortin, Suomen insurance number
sairausvakuutuskortti,
Finska sjukförsäkringskort,
Terveyskortti,
Hälsokort, ehic#,
sairausvakuutusnumero,
sjukförsäkring nummer
Finland Passport Number Finnish Suomen passin numero, Finnish passport number, Finnish
suomalainen passi, passin passport, passport number, passport
numero, passin numero.#, number, passport #
passin numero#, passin
numero, passin numero.,
passin numero#, passi#
Finland Tax Identification Finnish verotunniste, verokortti, Tax identification number, tax card, tax
Number verotunnus, veronumero ID, tax number
Finland Value Added Tax Finnish arvonlisäveronumero, ALV, VAT number, VAT, VAT identification
(VAT) Number arvonlisäverotunniste, ALV number
nro, ALV numero, alv
Finnish Personal Finnish tunnistenumero, Identification number, personal
Identification Number henkilötunnus, yksilöllinen identification number, unique personal
henkilökohtainen identification number, identity number,
tunnistenumero, Finnish personal identification number,
Ainutlaatuinen national identification number
henkilökohtainen tunnus,
identiteetti numero, Suomen
kansallinen henkilötunnus,
henkilötunnusnumero#,
kansallisen tunnistenumero,
tunnusnumero,kansallinen
tunnus numero
France Driver's License French permis de conduire Driver's license
Number
France Health Insurance French carte vitale, carte Health card, social insurance card
Number d'assuré social
France Tax Identification French numéro d'identification Tax identification number
Number fiscale
France Value Added Tax French Numéro d'identification Value added tax identification number,
(VAT) Number taxe sur valeur ajoutée, value added tax number, value added
Numéro taxe valeur tax, VAT number, French VAT number,
ajoutée, taxe valeur SIREN identification number
ajoutée, Taxe sur la valeur
ajoutée, Numéro de TVA
intracommunautaire, n° TVA,
numéro de TVA, Numéro de
TVA en France, français
numéro de TVA, Numéro
d'identification SIREN
French INSEE Code French INSEE, numéro de sécu, code INSEE, social security number, social
sécu security code

1085
Data identifier Language Keywords English translation

French Passport Number French Passeport français, French passport, passport, passport
Passeport, Passeport livre, book, passport card, passport number
Passeport carte, numéro
passeport
French Social Security French sécurité sociale non., Social secuty number, social security
Number sécurité sociale numéro, code, insurance number
code sécurité sociale,
numéro d'assurance,
sécuritésocialenon.#,
sécuritésocialeNuméro#
German Passport Number German Reisepass kein, Reisepass, Passport number, passport, German
Deutsch Passnummer, passport number, passport number
Passnummer, Reisepasskein#,
Passnummer#
German Personal ID German persönliche Personal identification number, ID
Number identifikationsnummer, number, Germane personal ID number,
ID-Nummer, Deutsch personal ID number, clear ID number,
persönliche-ID- personal number, identity number,
Nummer, persönliche ID insurance number
Nummer, eindeutige ID-
Nummer, persönliche
Nummer,identität nummer,
Versicherungsnummer,
persönlicheNummer#,
IDNummer#
Germany Driver's License German Führerschein, Fuhrerschein, Driver's license, driver's license
Number Fuehrerschein, number
Führerscheinnummer,
Fuhrerscheinnummer,
Fuehrerscheinnummer,
Führerscheinnummer,
Fuhrerscheinnummer,
Fuehrerscheinnummer,
Führerschein- Nr,
Fuhrerschein- Nr,
Fuehrerschein- Nr
Germany Value Added Tax German Mehrwertsteuer, Value added tax, value added tax
(VAT) Number MwSt, Mehrwertsteuer identification number, value added tax
Identifikationsnummer, number
Mehrwertsteuer nummer
Greece Passport Number Greek λλάδα pasport αριθμός, Greece passport number, Greece
Ελλάδα pasport όχι., passport no., passport, Greece
Ελλάδα Αριθμός Διαβατηρίου, passport, passport book
διαβατήριο, Διαβατήριο,
ΕΛΛΑΔΑ ΔΙΑΒΑΤΗΡΙΟ,
Ελλάδα Διαβατήριο, ελλάδα
διαβατήριο, Διαβατήριο
Βιβλίο, βιβλίο διαβατηρίου
Greece Social Security Greek Αριθμού Μητρώου Κοινωνικής Social security number
Number (AMKA) Ασφάλισης

1086
Data identifier Language Keywords English translation

Greece Value Added Tax Greek FPA, fpa, Foros VAT, value added tax, tax identification
(VAT) Number Prostithemenis Axias, number
arithmós dexamenís, Fóros
Prostithémenis Axías,
μέγας κάδος, ΦΠΑ, Φ Π
Α, Φόρος Προστιθέμενης
Αξίας, ΦΟΡΟΣ ΠΡΟΣΤΙΘΕΜΕΝΗΣ
ΑΞΙΑΣ, φόρος προστιθέμενης
αξίας, Arithmos Forologikou
Mitroou, Α.Φ.Μ, ΑΦΜ
Greek Tax Identification Greek Αριθμός Φορολογικού Tax identification number, TIN, tax
Number Μητρώου, AΦΜ, Φορολογικού registry number
Μητρώου Νο., τον αριθμό
φορολογικού μητρώου
Hong Kong ID Chinese (Traditional) ### , ### Identity card, Hong Kong permanent
resident ID Card
Hungary Driver's Licence Hungarian jogosítvány, License, driver's lic, driver's license,
Number Illesztőprogramok Lic, number of licenses, driving license
jogsi, licencszám, vezetői
engedély, VEZETŐI ENGEDÉLY,
vezető engedély, VEZETŐ
ENGEDÉLY
Hungary Passport Number French, Hungarian útlevél, Magyar Passport, Hungarian passport number,
útlevélszám, útlevél passport book, number, passport
könyv, nombre, numéro de number
passeport, hongrois, numéro
de passeport hongrois
Hungarian Social Security Hungarian Magyar Hungarian social security number,
Number társadalombiztosítási szám, social security number, social security
Társadalombiztosítási szám, ID, social security code
társadalombiztosítási ID,
szociális biztonsági kódot,
szociális biztonság nincs.,
társadalombiztosításiID#
Hungarian Tax Hungarian Magyar adóazonosító jel Hungarian tax identification tumber,
Identification Number no, adóazonosító szám, tax identification number, Hungarian
magyar adószám, Magyar tax number, Hungarian tax authority
adóhatóság no., azonosító number, tax number, tax authority
szám, adóazonosító no., number
adóhatóság no
Hungarian VAT Number Hungarian Közösségi adószám, Value added tax identification number,
Általános forgalmi adó sales tax number, value added tax,
szám, hozzáadottérték adó, Hungarian value added tax number
magyar Közösségi adószám
Iceland National Icelandic kennitala, persónuleg Social security number, personal
Identification Number kennitala, galdur identification number, magic number,
númer, skattanúmer, tax code, taxpayer code, taxpayer ID
skattgreiðenda kóða, number
kennitala skattgreiðenda
Iceland Passport Number Icelandic vegabréf, vegabréfs númer, Passport, passport number, passport
Vegabréf Nei, vegabréf# no.

1087
Data identifier Language Keywords English translation

Iceland Value Added Tax Icelandic virðisaukaskattsnúmer, vsk VAT number


(VAT) Number númer
Indonesian Identity Card Indonesian, Kartu Tanda Penduduk Identity card number, card number,
Number Portuguese nomor, número do cartão, Indonesian identity card number, card
Kartu identitas Indonesia no., Indonesian identity card number,
no, kartu no., Kartu ID number
identitas Indonesia nomor,
Nomor Induk Kependudukan,
númerodocartão,kartuno.,
KartuidentitasIndonesiano
International Bank Account French Code IBAN, numéro IBAN IBAN Code, IBAN number
Number (IBAN) Central
International Bank Account French Code IBAN, numéro IBAN IBAN Code, IBAN number
Number (IBAN) East
International Bank Account French Code IBAN, numéro IBAN IBAN Code, IBAN number
Number (IBAN) West
Ireland Passport Number Irish irelande passeport, Éire Ireland passport, passport number,
pas, no de passeport, pas passport
uimh, uimhir pas, numéro de
passeport
Ireland Tax Identification Irish uimhir carthanachta, Uimhir Charity number, charity registration
Number chláraithe charthanais, number,CHY number, tax reference
uimhir CHY, CHY uimh., number, Ireland tax identification
uimhir thagartha cánach, number, Irish tax identification, tax
uimhir aitheantais cánach identification number, tax id, TIN,
ireland, aitheantais cánach Ireland tin
irish, uimhir aitheantais
cánach, id cánach, uimhir
chánach, cáin #, STÁIN,
cáin id uimh.
Ireland Value Added Tax Irish cáin bhreisluacha, CBL, CBL Ireland VAT number, VAT number, VAT
(VAT) Number aon, Uimhir CBL, Uimhir no, VAT#, value added tax number,
CBL hÉireann, bhreisluacha value added tax, irish VAT
uimhir chánach
Irish Personal Public Gaelic Gaeilge Uimhir Phearsanta Irish personal public service number,
Service Number Seirbhíse Poiblí, PPS PPS no., personal public service
Uimh., uimhir phearsanta number, service no., PPS no., PPS
seirbhíse poiblí, seirbhíse service one
Uimh, PPS Uimh, PPS
seirbhís aon
Israel Personal Hebrew, Arabic ‫מספר‬,‫מספר זיהוי‬ Israeli identity number, identity number,
Identification Number ‫זהות‬,‫זיהוי ישראלי‬ unique identity number, personal ID,
‫هويةاسرائيلية‬,‫ישראלית‬ unique personal ID, unique ID
‫رقم‬,‫هوية إسرائيلية‬,‫عدد‬
‫عدد هوية فريدة من‬,‫الهوية‬
‫نوعها‬
Italy Driver's License Italian patente guida numero, Driver's license number, driver's
Number patente di guida numero, license
patente di guida, patente
guida

1088
Data identifier Language Keywords English translation

Italy Health Insurance Italian TESSERA SANITARIA, Health insurance card, Italian health
Number tessera sanitaria, tessera insurance card
sanitaria italiana
Italian Passport Number Italian Repubblica Italiana Italian Republic passport, passport,
Passaporto, Passaporto, Italian passport, Italian passport
Passaporto Italiana, number, passport number
passport number, Italiana
Passaporto numero,
Passaporto numero, Numéro
passeport italien, numéro
passeport
Italy Value Added Tax (VAT) Italian IVA, numero partita IVA, VAT, VAT number, VAT#, VAT number
Number IVA#, numero IVA
Japan Driver's License Japanese #####, ##, ##, ##, ####, # Public Security Committee, driver's
Number ####, #########, ########## license, driving license, driver license,
#, #####, ####### driver's license number, driving license
number, driver license number, license
Japanese Juki-Net ID Japanese #########, #######, ####, # Juki-Net identification number, Juki-
Number ##### Net number, identification number,
personal identification number
Japanese My Number - Japanese ######, #### My number, common number
Corporate
Japanese My Number - Japanese ######, ####, #### My number, personal number, common
Personal number
Japan Passport Number Japanese #####, #####, ###### Japanese passport, passport, passport
number
Kazakhstan Passport Kazakh төлқұжат, төлқұжат нөмірі, Passport, passport number, passport
Number номер паспорта, заграничный ID, international passport, national
пасспорт, национальный passport
паспорт
Korea Passport Number Korean ### ##, ##, ## ##, #### Korean passport, passport, passport
number, Republic of Korea
Korea Residence Korean ### ## ##, #### Foreigner registration number, social
Registration Number for security number
Foreigners
Korean Residence Korean ######, #### Resident registration number, social
Registration Number for security number
Korean
Latvia Driver's Licence Latvian licences numurs, vadītāja License number, driver's license,
Number apliecība, autovadītāja driver's license number, driver's lic.
apliecība, vadītāja
apliecības numurs, Vadītāja
licences numurs, vadītāji
lic., vadītāja atļauja
Latvia Passport Number Latvian LATVIJA, LETTONIE, Pases Latvia, passport no., passport number,
Nr., Pases Nr, Pase, pase, passport book, passport #, passport
pases numurs, Pases Nr, card
pases grāmata, pase#, pases
karte
Latvia Personal Latvian Personas kods, Latvia personal code, personal
Identification Number personas kods, latvijas code, national identification number,
personas kods, Valsts identification number, national ID,
identifikācijas numurs, latvia TIN, TIN, tax identification
valsts identifikācijas number, tax ID, TIN number, tax
numurs, identifikācijas number
numurs, nacionālais id,
latvija alva, alva, nodokļu
identifikācijas numurs,
nodokļu id, alvas nē,
nodokļa numurs
Latvia Value Added Tax Latvian PVN Nr, PVN maksātāja VAT no., VAT payer number, VAT
(VAT) Number numurs, PVN numurs, PVN#, number, VAT#, value added tax, value
pievienotās vērtības added tax number
nodoklis, pievienotās
vērtības nodokļa numurs
Liechtenstein Passport German Reisepass, Pass Nr, Pass Passport, passport no.
Number Nr., Reisepass#, Pass Nr#
Lithuania Personal Lithuanian Nacionalinis ID, National ID, national identification
Identification Number Nacionalinis identifikavimo number, personal ID
numeris, asmens kodas
Lithuania Tax Identification Lithuanian mokesčių identifikavimo tax identification number, tax ID, tax ID
Number Nr., mokesčių number, tax ID number, tax ID #, tax
identifikavimo numeris, number, tax no., fee #
mokesčių ID, mokesčių
id nr, mokesčių id nr.,
mokesčių ID#, mokesčių
numeris, mokestis Nr,
mokestis #, Mokesčių
identifikavimo numeris
Lithuania Value Added Tax Lithuanian pridėtinės vertės VAT number, VAT, VAT #, Value added
(VAT) Number mokesčio numeris, PVM, tax, VAT registration number
PVM#, pridėtinės vertės
mokestis, PVM numeris, PVM
registracijos numeris
Luxembourg National German, French Eindeutige ID-Nummer, Unique ID number, unique ID, personal
Register of Individuals Eindeutige ID, ID ID, personal identification number
Number personnelle, Numéro
d'identification personnel,
IDpersonnelle#, Persönliche
Identifikationsnummer,
EindeutigeID#
Luxembourg Passport French and German passnummer, ausweisnummer, Passport number, passport,
Number passeport, reisepass, Luxembourg pass, Luxembourg
pass, pass net, pass nr, passport
no de passeport, passeport
nombre, numéro de passeport
Luxembourg Tax French, German Zinn, Zinn Nummer, TIN, TIN number, Luxembourg tax
Identification Number Luxembourg Tax identification number, tax number, tax
Identifikatiounsnummer, ID, social security ID, Luxembourg tax
Steier Nummer, Steier ID, identification number, Social Security,
Sozialversicherungsausweis, Social Security Card, tax identification
Zinnzahl, Zinn nein, number
Zinn#, luxemburgische
steueridentifikationsnummer,
Steuernummer,Steuer ID,
sécurité sociale, carte
de sécurité sociale,
étain,numéro d'étain,
étain non, étain#, Numéro
d'identification fiscal
luxembourgeois, numéro
d'identification fiscale
Luxembourg Value Added German, TVA kee, TVA#, TVA Luxembourg VAT number, VAT
Tax (VAT) Number Luxembourgish Aschreiwung kee, T.V.A, number, VAT, value added tax number,
stammnummer, bleiwen, VAT ID, VAT registration number, value
geheescht, gitt id, added tax
mehrwertsteuer, vat
registrierungsnummer,
umsatzsteuer-id, wat,
umsatzsteuernummer,
umsatzsteuer-
identifikationsnummer, id
de la batterie, lëtzebuerg
vat nee, registréierung
nummer, numéro de TVA,
numéro de enregistrement
vat
Macau National Chinese, #####, ####### ID number, unique identification
Identification Number Portuguese número de identificação, number
número cartão identidade, Identification number, identity card
número cartão identidade number, national identity card number,
nacional, número personal identification number, unique
identificação pessoal, identification number, unique non-ID,
número identificação único, unique ID #
id único não, ID único#
Malaysia Passport Number Malay pasport, nombor pasport, Passport, passport number, passport #
pasport#
Malaysian MyKad Number Malay nombor kad pengenalan, Identification card number,
(MyKad) kad pengenalan no, kad identification card no., Malaysian
pengenalan Malaysia, identification card, unique identity
bilangan identiti number, personal number
unik, nombor peribadi,
nomborperibadi#,
kadpengenalanno#
Malta National Maltese numru identifikazzjoni national identification number, national
Identification Number nazzjonali, ID nazzjonali, ID, personal identification number,
numru identifikazzjoni personal ID
personali, ID personali,
IDnazzjonali#, IDpersonali#
Malta Tax Identification Maltese kodiċi tat-taxxa, Tax code, tax number, tax identification
Number numru tat-taxxa, numru number, taxid# taxpayer identification
identifikazzjoni tat- number, taxpayer code, tin, tin no
taxxa, taxxaid#,
numru identifikazzjoni
kontribwent, kodiċi
kontribwent, landa, landa
nru
Malta Value Added Tax Maltese Numru tal-VAT, numru tal- VAT number, VAT, value added tax
(VAT) Number VAT, bettija,valur miżjud number, vat identification number
taxxa in-numru, bettija
identifikazzjoni in-numru
Mexican Personal Spanish Clave de Registro de Personal identity registration key,
Registration and Identidad Personal, Mexican personal identification code,
Identification Number Código de Identificación Mexican personal identification number
Personal mexicana, número
de identificación personal
mexicana
Mexican Tax Identification Spanish Registro Federal de Federal taxpayer registry, tax
Number Contribuyentes, número identification number, federal taxpayer
de identificación de registry number, RFC number, RFC
impuestos, Código del key
Registro Federal de
Contribuyentes, Número RFC,
Clave del RFC
Mexican Unique Spanish Única de registro de Unique population registry, unique key,
Population Registry Code Población, clave única, unique identity key, unique personal
clave única de identidad, identity, personal identity key
clave personal Identidad,
personal Identidad
Clave, ClaveÚnica#,
clavepersonalIdentidad#
Mexico CLABE Number Spanish Clave Bancaria Standardized banking code,
Estandarizada, standardized bank code number, code
Estandarizado Banco número number
de clave, número de clave,
clave número, clave#
Netherlands Bank Account Dutch, Papiamento bancu aklarashon number, Bank account number, account
Number aklarashon number, number
bankrekeningnummer,
rekeningnummer
Netherlands Driver's Dutch RIJMEWIJS, permis de Driver's license, driving permit, driver's
License Number conduire, rijbewijs, license number
Rijbewijsnummer,
RIJBEWIJSNUMMER
Netherlands Passport Dutch Nederlanden paspoort Dutch passport number, passport,
Number nummer, Paspoort, paspoort, passport number
Nederlanden paspoortnummer,
paspoortnummer
Netherlands Tax Dutch, Nederlands belasting Dutch tax identification number,
Identification Number Papiamento, identificatienummer, tax identification number, Dutch tax
Norwegian identificatienummer identification, Dutch tax number, tax
van belasting, number
identificatienummer
belasting, Nederlands
belasting identificatie,
Nederlands belasting
id nummer, Nederlands
belastingnummer, btw
nummer, Nederlandse
belasting identificatie,
Nederlands belastingnummer,
netherlands tax
identification tal,
netherland's tax
identification tal,
tax identification tal,
tax tal, Nederlânske
tax identification
tal, Hollânske tax
identification, Nederlânsk
tax tal, Hollânske tax id
tal, netherlands impuesto
identification number,
netherland's impuesto
identification number,
impuesto identification
number, impuesto number,
hulandes impuesto
identification number,
hulandes impuesto
identification, hulandes
impuesto number, hulandes
impuesto id number
Netherlands Value Added Dutch, Frisian wearde tafoege tax getal, Value added tax number, VAT number
Tax (VAT) Number BTW nûmer, BTW-nummer
New Zealand Driver's Maori raihana taraiwa Driving license
Licence Number
New Zealand Passport Maori uruwhenua, tau uruwhenua, Passport, passport no.
Number uruwhenua no, uruwhenua no.
Norway Driver's Licence Norwegian førerkort, førerkortnummer Driver's license, driver's license
Number number
Norway National Norwegian Nasjonalt ID, personlig National ID, personal ID, national ID
Identification Number ID, Nasjonalt ID#, #, personal ID #, tax ID, tax code,
personlig ID#, skatt taxpayer ID, taxpayer identification
id, skattenummer, number
skattekode, skattebetalers
id, skattebetalers
identifikasjonsnummer
Norway Value Added Tax Norwegian mva, MVA, momsnummer, VAT, VAT number, VAT registration
Number Momsnummer, number
momsregistreringsnummer
Norwegian Birth Number Norwegian fødsel nummer, Fødsel nr, Birth number
fødsel nei, fødselnei#,
fødselnummer#
People's Republic of China Chinese (Simplified) ###,####,###### Identity Card, Information of resident,
ID Information of resident identification
Poland Driver's Licence Polish Kierowcy Lic., prawo Drivers license number, driving license,
Number jazdy, numer licencyjny, license number
zezwolenie na prowadzenie,
PRAWO JAZDY
Poland European Health Polish Numer EHIC, Karta EHIC number, Health Insurance Card,
Insurance Number Ubezpieczenia Zdrowotnego, European Health Insurance Card,
Europejska Karta health insurance number, medical
Ubezpieczenia Zdrowotnego, account number
numer ubezpieczenia
zdrowotnego, numer rachunku
medycznego
Poland Passport Number French, Polish paszport#, numer paszportu, Passport #, passport number, passport
Nr paszportu, paszport, number, passport, passport book
książka paszportowa Passport, number, passport number,
passeport, nombre, numéro passport #, passport number
de passeport, passeport#,
No de passeport
Poland Value Added Tax Polish Numer Identyfikacji Tax identification number, tax ID
(VAT) Number Podatkowej, NIP, nip, number, VAT number, value added tax,
Liczba VAT, podatek od VAT invoice, VAT invoice #
wartosci dodanej, faktura
VAT, faktura VAT#
Polish Identification Polish owód osobisty, Tożsamości Identification card, national identity,
Number narodowej, osobisty identification card number, unique
numer identyfikacyjny, number, number
niepowtarzalny numer, numer
Polish REGON Number Polish numer statystyczny, Statistical number, REGON number
REGON, numeru REGON,
numerstatystyczny#,
numeruREGON#
Polish Social Security Polish PESEL Liczba, społeczny PESEL number, social security
Number (PESEL) bezpieczeństwo number, social security ID, social
liczba, społeczny security code
bezpieczeństwo ID,
społeczny bezpieczeństwo
kod, PESELliczba#,
społecznybezpieczeństwoliczba#
Polish Tax Identification Polish Numer Identyfikacji Tax identification number, Polish tax
Number Podatkowej, Polski numer identification number
identyfikacji podatkowej,
NumerIdentyfikacjiPodatkowej#
Portugal Driver's License Portuguese carteira de motorista, driver's license, license number,
Number carteira motorista, driving license, driving license Portugal
carteira de habilitação,
carteira habilitação,
número de licença, número
licença, permissão de
condução, permissão
condução, Licença condução
Portugal, carta de condução
Portugal National Portuguese bilhete de identidade, identity card, civil identification number,
Identification Number número de identificação citizen's card number, identification
civil, número de cartão document, citizen's card, bi number of
de cidadão, documento Portugal, document number
de identificação, cartão
de cidadão, número bi
de portugal, número do
documento
Portugal Passport Number French and passaporte, passeport, Passport number, passport,
Portuguese portuguese passport, Portuguese passport
portuguese passeport,
portuguese passaporte,
passaporte nº, passeport nº
Portugal Tax Identification Portuguese número identificação fiscal Tax identification number
Number
Portugal Value Added Tax Portuguese imposto sobre valor Value added tax, VAT, VAT number,
(VAT) Number acrescentado, VAT nº, VAT code
número iva, vat não, código
iva
Romania Driver's Licence Romanian permis de conducere, PERMIS Driving license, driving license number
Number DE CONDUCERE, Permis
de conducere, numărul
permisului de conducere,
Numărul permisului de
conducere
Romania National Romanian numărul de identificare fiscal identification number, tax
Identification Number fiscală, identificarea identification number, fiscal code
fiscală nr #, codul fiscal number,
nr.
Romania Value Added Tax Romanian CIF, cif, CUI, cui, TVA, VAT, VAT #, value added tax, fiscal
(VAT) Number tva, TVA#, tva#, taxa code, fiscal identification code, unique
pe valoare adaugata, cod registration code, unique identification
fiscal, cod fiscal de code, code unique registration
identificare, cod fiscal
identificare, Cod Unic
de Înregistrare, cod unic
de identificare, cod unic
identificare, cod unic
de înregistrare, cod unic
înregistrare
Romanian Numerical Romanian Cod Numeric Personal, cod Personal numeric code, personal
Personal Code identificare personal, identification code, unique
cod unic identificare, identification code, identity number,
număr personal unic, personal identification number
număr identitate, număr
identificare personal,
număridentitate#,
CodNumericPersonal#,
numărpersonalunic#
Russian Passport Russian паспорт нет, паспорт, Passport no., passport, passport
Identification Number номер паспорта, паспорт ID, number, passport ID, Russian
Российской паспорт, Русский passport, Russian passport number
номер паспорта, паспорт#,
паспортID#, номерпаспорта#
Russian Taxpayer Russian НДС, номер TIN (tax identification number),
Identification Number налогоплательщика, taxpayer number, taxpayer ID, tax
Налогоплательщика ИД, налог number
число, налогчисло#, ИНН#,
НДС#
SEPA Creditor Identifier Bulgarian, Finnish, SEPA-Gläubiger- SEPA creditor identifier, creditor ID,
Number North French, German, Identifikator, Gläubiger- SEPA ID, creditor ID
Irish, Italian, ID, SEPA-ID, Gläubiger- Creditor ID, SEPA ID
Luxembourgish, Kennung SEPA creditor identifier, crediting,
Portuguese, ID créancier, ID SEPA, creditor identification
Spanish Identifiant du créancie SEPA creditor identifier, Creditor
SEPA Krediter Identifier
Identifizéierer, Creditor ID, SEPA ID, Creditor
Kreditergeld, Krediter identifier
Identifizéierer Creditor ID, Creditor Identifier
SEPA kreditoridentifikator, Creditor ID, Creditor Identifier
Kreditoridentifikator Creditor Identifier SEPA, Creditor ID,
Velkojan tunnus, SEPA- SEPA ID, Creditor Identifier
tunnus, Velkojan tunniste SEPA Creditor Identifier, Creditor
ID Creidiúnaí, Aithnitheoir Identifier
Creidiúnaí
ID del creditore,
Identificatore del
creditore
Identificador de acreedor
SEPA, ID del acreedor, ID
de SEPA, Identificador del
acreedor
Identificador Credor SEPA,
Identificador do Credor
SEPA Creditor Identifier Bulgarian, Finnish, SEPA-Gläubiger- SEPA creditor identifier, creditor ID,
Number South French, German, Identifikator, Gläubiger- SEPA ID, creditor ID
Irish, Italian, ID, SEPA-ID, Gläubiger- Creditor ID, SEPA ID
Luxembourgish, Kennung SEPA creditor identifier, crediting,
Portuguese, ID créancier, ID SEPA, creditor identification
Spanish Identifiant du créancie SEPA creditor identifier, Creditor
SEPA Krediter Identifier
Identifizéierer, Creditor ID, SEPA ID, Creditor
Kreditergeld, Krediter identifier
Identifizéierer Creditor ID, Creditor Identifier
SEPA kreditoridentifikator, Creditor ID, Creditor Identifier
Kreditoridentifikator Creditor Identifier SEPA, Creditor ID,
Velkojan tunnus, SEPA- SEPA ID, Creditor Identifier
tunnus, Velkojan tunniste SEPA Creditor Identifier, Creditor
ID Creidiúnaí, Aithnitheoir Identifier
Creidiúnaí
ID del creditore,
Identificatore del
creditore
Identificador de acreedor
SEPA, ID del acreedor, ID
de SEPA, Identificador del
acreedor
Identificador Credor SEPA,
Identificador do Credor
SEPA Creditor Identifier Bulgarian, Finnish, SEPA-Gläubiger- SEPA creditor identifier, creditor ID,
Number West French, German, Identifikator, Gläubiger- SEPA ID, creditor ID
Irish, Italian, ID, SEPA-ID, Gläubiger- Creditor ID, SEPA ID
Luxembourgish, Kennung SEPA creditor identifier, crediting,
Portuguese, ID créancier, ID SEPA, creditor identification
Spanish Identifiant du créancie SEPA creditor identifier, Creditor
SEPA Krediter Identifier
Identifizéierer, Creditor ID, SEPA ID, Creditor
Kreditergeld, Krediter identifier
Identifizéierer Creditor ID, Creditor Identifier
SEPA kreditoridentifikator, Creditor ID, Creditor Identifier
Kreditoridentifikator Creditor Identifier SEPA, Creditor ID,
Velkojan tunnus, SEPA- SEPA ID, Creditor Identifier
tunnus, Velkojan tunniste SEPA Creditor Identifier, Creditor
ID Creidiúnaí, Aithnitheoir Identifier
Creidiúnaí
ID del creditore,
Identificatore del
creditore
Identificador de acreedor
SEPA, ID del acreedor, ID
de SEPA, Identificador del
acreedor
Identificador Credor SEPA,
Identificador do Credor
Serbia Unique Master Serbian јединствен мајстор грађанин Unique master citizen number, unique
Citizen Number Број, Јединствен матични identification number, unique id
број, јединствен број ид, number, National identification number
Национални идентификациони
број
Serbia Value Added Tax Serbian poreski identifikacioni Tax identification number VAT number,
(VAT) Number broj, PORESKI value added tax, VAT, identification
IDENTIFIKACIONI BROJ, number, tax number
Poreski br., ПДВ број,
Порез на додату вредност,
PDV broj, Porez na dodatu
vrednost, porez na dodatu
vrednost, PDV, pdv, ПДВ,
порески идентификациони
број, PIB, pib, пиб,
poreski broj, порески број
Slovakia Driver's Licence Slovak vodičský preukaz, Vodičský Driving license, license number
Number preukaz, VODIČSKÝ PREUKAZ,
číslo vodičského preukazu,
ovládače lic., povolenie
vodiča, povolenia vodičov,
povolenie na jazdu,
povolenie jazdu, číslo
licencie
Slovakia National Hungarian, Slovak identifikačné číslo, ID number, identity card number,
Identification Number személyi igazolvány száma, national identity card number, national
személyigazolvány szám, identification number, identification
číslo občianského preukazu, number, ID card number, identification
identifikačná karta č, card, national identity card
személyi igazolvány szám,
nemzeti személyi igazolvány
száma, číslo národnej
identifikačnej karty,
národná identifikačná karta
č, nemzeti személyazonosító
igazolvány, nemzeti
azonosító szám, národné
identifikačné číslo,
národná identifikačná
značka č, nemzeti azonosító
szám, azonosító szám,
identifikačné číslo
Slovakia Passport Number French, Slovak PASSEPORT, passeport, Passport, passport number, passport
cestovný pas, číslo pasu, no
pas č, Číslo pasu, PAS,
CESTOVNÝ PAS, Passeport n°
Slovakia Value Added Tax Slovak číslo DPH, číslo dane VAT number, value added tax
(VAT) Number z pridanej hodnoty, number, VAT, value added tax, VAT
identifikačné číslo identification number
vat, dph, DPH, daň z
pridanej hodnoty, daň
pridanej hodnoty, číslo
dane pridanej hodnoty,
identifikačné číslo DPH
Slovenia Passport Number French, Slovenian številka potnega lista, Passport number, passport, passport
potni list, knjiga potnega book, passport #
lista, potni list #,
passeport, Passeport
Slovenia Tax Identification Slovenian identifikacijska številka Tax identification number, Slovenian
Number davka, Slovenska davčna tax number, tax number
številka, Davčna številka
Slovenia Unique Master Slovenian EMŠO, emšo, edinstvena Unique national number, unique
Citizen Number številka državljana, enotna identification number, uniform
identifikacijska številka, registration number, unique registration
Enotna maticna številka number, citizen's number, unique
obcana, enotna maticna identification number
številka obcana, številka
državljana, edinstvena
identifikacijska številka
Slovenia Value Added Tax Slovenian številka davka na dodano Value added tax number, VAT no,
(VAT) Number vrednost, DDV št, slovenia Slovenia vat no
vat št
South African Personal Afrikaans nasionale identifikasie National identification number, national
Identification Number nommer, nasionale identity number, insurance number,
identiteitsnommer, personal identity number, unique
versekering aantal, identity number, identity number
persoonlike
identiteitsnommer,
unieke identiteitsnommer,
identiteitsnommer,
identiteitsnommer#,
versekeringaantal#,
nasionaleidentiteitsnommer#
South Korea Resident Korean ######, #### Resident Registration Number,
Registration Number Resident Number
Spain Driver's License Spanish permiso de conducción, Driver's license, driver's license
Number permiso conducción, Número number, driving license, driving permit,
licencia conducir, Número driving permit number
de carnet de conducir,
Número carnet conducir,
licencia conducir, Número
de permiso de conducir,
Número de permiso conducir,
Número permiso conducir,
permiso conducir, licencia
de manejo, el carnet de
conducir, carnet conducir
Spain Value Added Tax Spanish Número IVA españa, Número Spain VAT number, Spanish VAT
(VAT) Number de IVA español, español number, VAT Number, VAT, value
Número IVA, Número de valor added tax number, value added tax
agregado, IVA, Número IVA,
Número impuesto sobre
valor añadido, Impuesto
valor agregado, Impuesto
sobre valor añadido, valor
añadido el impuesto, valor
añadido el impuesto numero
Spanish Customer Spanish número cuenta cliente, Customer account number, account
Account Number código cuenta, cuenta code, customer account ID, customer
cliente ID, número cuenta bank account number, bank account
bancaria cliente, código code
cuenta bancaria
Spanish DNI ID Spanish NIE número, Documento NIE number, national identity
Nacional de Identidad, document, unique identity, national
Identidad único, Número identity number, DNI number
nacional identidad, DNI
Número
Spanish Passport Number Spanish libreta pasaporte, passport book, passport number,
número pasaporte, Spanish passport, passport
Número Pasaporte, España
pasaporte, pasaporte
Spanish Social Security Spanish Número de la Seguridad Social security number
Number Social, número de la
seguridad social
Spanish Tax ID (CIF) Spanish número de contribuyente, taxpayer number, corporate tax
número de impuesto number, tax identification number, CIF
corporativo, número de number
Identificación fiscal, CIF
número, CIFnúmero#
Sri Lanka National Identity Sinhala See user interface ID, national identity number, personal
Number identification number, National Identity
Card number
Sweden Driver's License Finnish, Romani, ajokortti, permis de Driver's license, driver's license
Number Swedish, Yiddish conducere,ajokortin numero, number, driving license number
kuljettajat lic., drivere
lic., körkort, numărul
permisului de conducere,
‫שָאפער דערלויבעניש נומער‬,
körkort nummer, förare
lic., ‫דריווערס דערלויבעניש‬,
körkortsnummer
Sweden Personal Swedish personnummer ID, personligt ID number, personal ID number,
Identification Number id-nummer, unikt id- unique ID number, personal,
nummer, personnummer, identification number
identifikationsnumret,
personnummer#,
identifikationsnumret#
Sweden Tax Identification Swedish skattebetalarens Tax identification number, Swedish
Number identifikationsnummer, TIN, TIN number
Sverige TIN, TIN-nummer
Sweden Value Added Tax Swedish moms#, sverige moms, Swedish VAT, Swedish VAT number,
(VAT) Number sverige momsnummer, VAT registration number
sverige moms nr, sweden vat
nummer, sweden momsnummmer,
momsregistreringsnummer
Swedish Passport Number Swedish Passnummer, pass, sverige Passport number, passport, Swedish
pass, SVERIGE PASS, sverige passport, Swedish passport number
Passnummer
Switzerland Health German, Italian medizinische Kontonummer, Medical account number, health
Insurance Card Number Krankenversicherungskarte insurance card number, health
Nummer, numero conto insurance number
medico, tessera sanitaria
assicurazione numero,
assicurazione sanitaria
numero
Switzerland Passport French, German, Passeport, passeport, Passport, passport number, passport #
Number Italian numéro passeport, numéro passport book
de passeport,passeport#, Passport, passport Number, passport #
No de passeport, No de Passport, passport number, passport
passeport., Numéro de no., passport #
passeport, PASSEPORT, LIVRE Passport, passport #
DE PASSEPORT
Pass, Passnummer, Pass#,
Pass Nr., Pass Nr, PASS
Passaporto, Numero di
passaporto, passaporto,
Passaporto n,Passaporto
n., passaporto#, Passaport,
numero passaporto, numero
di passaporto, numero
passaporto, passaporto n,
PASSAPORTO
Reisepass, Reisepass#,
REISEPASS
Switzerland Value Added French, German, T.V.A, numéro TVA, T.V.A#, VAT, VAT number, VAT #, value added
Tax (VAT) Number Italian numéro taxe valeur ajoutée, tax number, value added tax, VAT
T.V.A., taxe sur la valeur registration number,
ajoutée, T.V.A#, numéro VAT, VAT number, VAT #
enregistrement TVA, Numéro VAT, VAT registration number, VAT #,
TVA VAT number
I.V.A, Partita IVA, I.V.A#,
numero IVA
MwSt, Umsatzsteuer-
Identifikationsnummer,
MwSt#, Mehrwertsteuer-
Nummer, Mehrwertsteuer,
VAT Registrierungsnummer,
Umsatzsteuer-
Identifikationsnummer
Swiss AHV Number French Numéro AVS, numéro AVS number, insurance number,
d'assuré, identifiant national identifier, national insurance
national, numéro number, social security number, AVH
d'assurance vieillesse, number
numéro de sécurité soclale,
Numéro AVH
German AHV-Nummer, Matrikelnumme, AHV number, Swiss Registration
Personenidentifikationsnummer number, PIN
Italian AVS, AVH AVS, AVH
Swiss Social Security French, German, Identifikationsnummer, Identification number, social security
Number (AHV) Italian sozialversicherungsnummer, number, personal identification ID, tax
identification identification number, tax ID, social
personnelle ID, security number, tax number
Steueridentifikationsnummer,
Steuer ID, codice fiscale,
Steuernummer
Taiwan ROC ID Chinese (Traditional) ######### Taiwan ID
Thailand Passport Number Thai ########### Passport, passport number
###,#####################
Thailand Personal ID Thai ##############, Insurance number, personal
Number ########################, identification, identification number
###########################,
###############,
#########################,
###########################
Turkish Identification Turkish Kimlik Numarası, Türkiye Identification number, Turkish Republic
Number Cumhuriyeti Kimlik identification number, citizen identity,
Numarası, vatandaş kimliği, personal identification number, citizen
kişisel kimlik no, kimlik identification number
Numarası#, vatandaş kimlik
numarası, Kişisel kimlik
Numarası
Ukraine Identity Card Ukrainian посвідчення особи України Ukraine identity card
Ukraine Passport Number Ukrainian паспорт, паспорт Passport, Ukraine passport, passport
(Domestic) України, номер паспорта, number
персональний
Ukraine Passport Number Ukrainian паспорт, паспорт України, Passport, Ukraine passport, passport
(International) номер паспорта number
United Arab Emirates Arabic ‫رقم‬,‫الهوية الشخصية رقم‬ Personal ID Number, PIN, Unique ID
Personal Number ‫فريدة من‬,‫التعريف الشخصي‬ Number, Insurance Number, Unique
‫التأمين‬,‫نوعها هوية رقم‬ Identity #
‫هوية فريدة‬,‫التأمينرقم‬,‫رقم‬#
Venezuela National ID Spanish cédula de identidad National ID number, national
Number número, clave única de identification number, personal ID
identidad, personal de number, personal identification, unique
identidad clave, personal identification number
de identidad, número de
identificación nacional,
número ID nacional

Updating policies to use the US Randomized SSN data identifier


The US Randomized Social Security Number (SSN) data identifier detects both traditional and randomized SSNs.
Use the US Randomized SSN data identifier to detect SSNs
All policy templates that previously used the US Social Security Number (SSN) data identifier to detect SSNs are updated
to use the US Randomized Social Security Number (SSN) data identifier.
Updating policies after upgrading to the latest version
If you have existing policies that use the US SSN data identifier to detect SSNs, you should update each policy to use
the US Randomized SSN data identifier. If you have created policies using the version 12.5 US Randomized SSN data
identifier, you should update each to use the latest version of the US Randomized SSN data identifier.
The procedure "To update a policy to use the US Randomized SSN data identifier" below provides the steps for updating your SSN policies.
To update a policy to use the US Randomized SSN data identifier
1. Edit the policy that implements the US SSN data identifier or the 12.5 US Randomized SSN data identifier.
Refer to the topic "Configuring policies" in the Symantec Data Loss Prevention Help Center.
2. Edit the rule that contains the US SSN data identifier.
Refer to the topic "Configuring policy rules" in the Symantec Data Loss Prevention Help Center.
3. Remove the US SSN data identifier.
4. Add the US Randomized SSN data identifier.
Refer to the topic "Managing and adding data identifiers" in the Symantec Data Loss Prevention Help Center.
5. Save the policy.
6. Test policy detection for both traditional and US Randomized SSNs.
Refer to the topic "Test and tune policies to improve match accuracy" in the Symantec Data Loss Prevention Help Center.
7. Deploy the updated SSN policy into production.
Refer to the topic "Policy deployment" in the Symantec Data Loss Prevention Help Center.
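As an added illustration (not code from the Symantec documentation or from the product), the following Python script models why a policy left on the traditional SSN validator misses numbers issued after randomization, while the randomized validator still accepts traditional numbers. The rules are simplified assumptions: the traditional check accepts area numbers 001-772 only (the real traditional identifier also consults the per-area high-group table, which is omitted here), the randomized check accepts any area except 000, 666 and 900-999, and both reject group 00 and serial 0000. The sample text and every function name are constructed for this example.

```python
import re

# Constructed sample text (not taken from the product documentation). The values are
# format examples only, chosen so that each validation rule below is exercised once.
SAMPLE_TEXT = (
    "Payroll export: 123-45-6789, 772-10-0001, 850-22-1234, 666-01-0001, "
    "900-12-3456, 000-11-2222, 123-00-4567, 123-45-0000"
)

# Candidate pattern: three digit groups separated by hyphens, not embedded in a longer
# token. This stands in for the data identifier's pattern plus pre/post validators.
SSN_CANDIDATE = re.compile(r"(?<![\w-])(\d{3})-(\d{2})-(\d{4})(?![\w-])")


def structural_ok(area: int, group: int, serial: int) -> bool:
    """Rules that apply to every SSN regardless of the issuance era."""
    return area != 0 and area != 666 and area < 900 and group != 0 and serial != 0


def is_valid_traditional(area: int, group: int, serial: int) -> bool:
    """Pre-randomization validator (simplified assumption).

    Before randomization (June 2011) area numbers were allocated geographically and
    the highest area number issued was 772. A real traditional validator also checks
    the per-area 'highest group issued' table; that table is omitted here.
    """
    return structural_ok(area, group, serial) and area <= 772


def is_valid_randomized(area: int, group: int, serial: int) -> bool:
    """Randomization-era validator.

    Randomization removed the geographic meaning of the area number and opened the
    previously unassigned areas 773-899, so any area other than 000, 666 and 900-999
    may now be issued. Numbers issued before 2011 remain valid, which is why this
    rule accepts both traditional and randomized SSNs.
    """
    return structural_ok(area, group, serial)


def find_ssns(text: str, rule) -> list:
    """Return the SSN-formatted strings in text that satisfy the given validator."""
    hits = []
    for m in SSN_CANDIDATE.finditer(text):
        area, group, serial = (int(g) for g in m.groups())
        if rule(area, group, serial):
            hits.append(m.group(0))
    return hits


def missed_by_traditional(text: str) -> list:
    """SSNs that a policy still using the traditional validator fails to detect."""
    old = set(find_ssns(text, is_valid_traditional))
    return [s for s in find_ssns(text, is_valid_randomized) if s not in old]


if __name__ == "__main__":
    print("traditional:", find_ssns(SAMPLE_TEXT, is_valid_traditional))
    print("randomized: ", find_ssns(SAMPLE_TEXT, is_valid_randomized))
    print("missed:     ", missed_by_traditional(SAMPLE_TEXT))
```

Running the script shows that 850-22-1234 is accepted only by the randomized rule, which is the detection gap step 6 above is meant to surface against your own test corpus before the updated policy goes to production.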

Creating custom data identifiers


You can create and delete one or more custom data identifiers. A custom data identifier may be a system data identifier
that you have cloned and intend to modify, or one that you create from scratch. A custom data identifier is reusable across
policies. Changes made to a custom data identifier at the system-level affect any policies that actively or subsequently
declare the custom data identifier.
For more information, see Workflow for creating custom data identifiers.
The following table lists the components of custom data identifiers.

Table 568: Custom data identifier components

Component Description

Patterns Define one or more data identifier pattern language patterns, separated by line breaks.
See About data identifier patterns.
Data Normalizer Select a data normalizer to standardize the data before matching against it.
See Selecting a data normalizer.
Validators Add or remove validators to perform validation checks on the data detected by the pattern(s).
See About pattern validators.
Validation Checks Select system-provided validation checks to add them to your list of Active Validators.
See About pattern validators.
Description and Data Entry Provide comma-separated data values for any validators that require data input.
See About pattern validators.
Pre- and Post-Validators Pre- and post-validators define characters and character ranges that are valid before or after a data
identifier pattern.
See Configuring pre- and post-validators.

Workflow for creating custom data identifiers


You can implement custom data identifiers to detect unique content. To implement a custom data identifier, you must
define at least one pattern and select a data normalizer. Validators are optional.
See Custom data identifier configuration.
When you define a custom data identifier, the system assigns it to the "Wide" breadth by default. This is not a limitation,
however, because the actual scope of detection is determined by the pattern(s) and validator(s) that you define.

Table 569: Implementing custom data identifiers

Step 1: Select Manage > Policies > Data Identifiers.
The Data Identifiers screen lists all data identifiers available in the system.
Step 2: Select Add data identifier.
Enter a Name for the custom data identifier. The name must be unique.
Enter a Description for the custom data identifier.
A custom data identifier is assigned to the Custom category by default and cannot be changed.
The description field is limited to 255 characters per line.
Step 3: Enter one or more Patterns to match data.
Beginning with version 16.0, DLP supports standard PCRE syntax for defining regular expressions. For DLP 15.8 endpoints, you must use the legacy pattern syntax.
You must enter at least one regular expression for the custom data identifier to be valid. Separate multiple patterns by line breaks.
See Writing data identifier patterns to match data.
Step 4: Select a Data Normalizer.
You must select a data normalizer. The following normalizers are available:
• Digits
• Digits and Letters
• Lowercase
• Swift codes
• Do nothing (select this option if you do not want to normalize the data)
See Selecting a data normalizer.
Step 5: Select zero or more Validation Checks.
Including a validator to check and verify pattern matching is optional.
See Selecting pattern validators.
Step 6: Pre- and Post-Validators: specify characters or character ranges that are valid before or after a data identifier pattern.
Pre- and Post-Validators are required. You can accept the default values, or edit them as necessary.
See Configuring pre- and post-validators.
Step 7: Save the custom data identifier.
Click Save at the upper left of the screen. Once you define and save a custom data identifier, it appears alphabetically in the list of data identifiers at the Data Identifiers screen. To edit a custom data identifier, select it from the list.
See Editing data identifiers.
Note: Click Cancel to not save the custom data identifier.
Step 8: Implement the custom data identifier in one or more policies.
The system lists all custom data identifiers beneath the Custom category for the "Content Matches data identifier" condition at the Configure Policy - Add Rule and the Configure Policy - Add Exception screens.
See Configuring the Content Matches data identifier condition.
You can configure optional validators at the policy instance level for custom data identifiers.
See Configuring optional validators.

Custom Data Identifier Configuration


You can create and delete one or more custom data identifiers. A custom data identifier can be used across
policies. Changes made to a custom data identifier at the system-level affect any policies that actively or later declare the
custom data identifier.
See Workflow for creating custom data identifiers.

Table 570: Custom data identifier configuration

Configurable at the custom level:
• Name and Description: You must give a unique name to a custom data identifier. Provide a description for the custom data identifier. You can change the name or description of a custom data identifier when you modify it.
• Masking: You can choose either Partial Masking or Full Masking. See Setting Up Masking for Data Identifiers.
• Patterns: You must define at least one regular expression for the custom data identifier to be valid. See Writing data identifier patterns to match data.
• Active Validators: You can add one or more required validators to a custom data identifier.
• Description and Data Entry: You can edit the input of an active validator that accepts data input.
• Data Normalizer: You must select a data normalizer when defining a custom data identifier.
• Pre- and Post-Validators: You can edit the values for the valid pre- and post-validator characters.

Not configurable:
• Category: The system assigns a custom data identifier to the Custom category. You cannot change this setting.
• Breadth: The system assigns a custom data identifier to the Wide rule breadth. You cannot change this setting.
• Optional Validators: Custom data identifiers support all optional validators, but they are configured at the policy instance level.

Using the legacy data identifier pattern language


The legacy data identifier pattern language is a limited subset of the PCRE regular expression lexicon. The legacy data
identifier pattern language does not support all of the regular expressions characters and constructs. A regular expression
pattern that is converted to a legacy data identifier pattern will require some modifications.
NOTE
You use legacy data identifier patterns only for DLP 15.8 endpoints. For later versions of DLP, you must use
standard PCRE syntax to define regular expressions.
Support for regular expressions is subject to a few limitations. For more information, see Limitations of data
identifier support for PCRE regular expressions.
Legacy data identifier patterns are limited to 100 characters per line. The pattern itself can be longer than 100 characters,
but a line cannot have more than 100 characters. You should split the pattern up by lines no longer than 100 characters.
See Input character limits for policy configuration.
The following table summarizes the differences between regular expressions and the legacy data identifier pattern language. For more detailed information about the legacy data identifier pattern language, see Legacy data identifier pattern language specification.

Table 571: Legacy data identifier pattern language limitations

*, |, . : The asterisk (*), pipe (|), and dot (.) characters are not supported for legacy data identifier patterns.
\w : The \w construct cannot be used to match the underscore character (_).
\s : The \s construct cannot be used to match a whitespace character; instead, use an actual whitespace.
\d : For digits, use the construct \d.
Grouping: Grouping only works at the beginning of the pattern, such as in credit card numbers.

Legacy data identifier pattern language specification

You can use three types of tokens when defining a legacy data identifier pattern. Tokens are sequences of non-
whitespace characters at the beginning of the file, or preceded by one or more whitespace characters, followed by
whitespace characters or the end of the file. The three token types that are used in legacy data identifier patterns are:
• Character literals
• Bracket expressions
• Special characters
You can follow each token by an optional quantifier.
See Quantifiers.
Data identifier patterns only match a complete token or set of tokens.
NOTE
You use legacy data identifier patterns only for DLP 15.8 endpoints. For later versions of DLP, you must use
standard PCRE syntax to define regular expressions.
Support for regular expressions is subject to a few limitations. For more information, see Limitations of data
identifier support for PCRE regular expressions.
Literal characters, metacharacters, and special characters
Most characters are literal matches in the legacy data identifier pattern language. For example, the character a in the
legacy data identifier pattern matches the character a in your content. The legacy data identifier pattern language includes
four metacharacters. To match these metacharacters as character literals, use the backslash to escape the characters in
your legacy data identifier pattern. See Metacharacters for descriptions of these metacharacters.

Table 572: Metacharacters

[ : This character is used to begin a bracket expression.
{ : This character is used to quantify the preceding token.
? : This character is used to quantify the preceding token.
\ : This character is used to escape the following character.

The legacy data identifier pattern language includes five predefined special characters. See Special characters for
descriptions of these special characters.

Table 573: Special characters

\l : This special character matches any ASCII letter.
\L : This special character matches any non-ASCII letter character, including Unicode characters.
\d : This special character matches any ASCII digit.
\D : This special character matches any non-ASCII digit, including Unicode characters.
\w : This special character matches any character not matched by \l or \d, including Unicode characters.

Bracket expressions
Bracket expressions begin with [ and end with ], and contain at least one character within the body of the expression. For
example, the bracket expression [abcd] matches any of the letters "a," "b," "c," or "d."
You can include a character range within a bracket expression by separating two characters with a hyphen: -. For
example, the bracket expression [a-z] matches the lower-case letters "a" through "z". Any two characters separated
by - are interpreted as a range. The relative ordering of the range does not matter: [a-z] and [z-a] match the same
characters.
You can include the characters "]" and "-" in your bracket expression if you follow these rules:
• The "]" character must appear as the first character in your bracket expression. For example: []a-z] matches the "]"
character or any lower-case letter between "a" and "z."
• The "-" character must appear as either the first or last character in your bracket expression. If your bracket expression
contains both the "]" and "-" characters, the "]" must be the first character, and "-" the last character. For example: []-]
matches either "]" or "-."
Order of interpretation
Data identifier patterns are interpreted from left to right. For example, the bracket expression [a-d-z] is interpreted as the
range a-d and then the literals - and z.
Quantifiers
You can follow any token in your legacy data identifier pattern with a quantifier. The quantifier specifies how many
occurrences of the pattern to match. See Quantifiers for a description of the quantifiers available in the legacy data
identifier pattern language.

Table 574: Quantifiers

? : This quantifier specifies that the expression should match zero or one occurrences of the preceding token.
{n} : This quantifier specifies that the expression should match exactly n occurrences of the preceding token.
{n,m} : This quantifier specifies that the expression should match between n and m occurrences of the preceding token (inclusive).
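The token, bracket-expression and quantifier rules above can be exercised with a small translator from the legacy pattern language to the PCRE-style syntax that later versions expect. The following Python is an added example written for this page, not Symantec's own converter. It assumes that each whitespace-separated word is a run of atoms (a literal, a bracket expression or a special character), each followed by an optional quantifier written without interior whitespace; that whitespace between words matches one or more whitespace characters in the data; and that \L and \D mean letters and digits outside ASCII, as the special-character table states. Characters the limitations table lists as unsupported raise an error rather than being silently passed through.

```python
import re

# Special characters from the special-character table, rendered as classes Python's re
# accepts.  In str mode \d and \w are Unicode-aware, so the "non-ASCII" variants exclude
# the ASCII range with a lookahead.  This mapping is this example's reading of the table.
_SPECIAL = {
    "l": "[A-Za-z]",                       # any ASCII letter
    "L": r"(?:(?![A-Za-z])[^\W\d_])",      # any letter that is not ASCII
    "d": "[0-9]",                          # any ASCII digit
    "D": r"(?:(?![0-9])\d)",               # any digit that is not ASCII
    "w": "[^A-Za-z0-9]",                   # anything not matched by \l or \d
}
_UNSUPPORTED = set("*|.")                  # listed as unsupported in legacy patterns
_QUANT = re.compile(r"\?|\{(\d+)(?:,(\d+))?\}")   # ?, {n}, {n,m}


def _class_char(ch: str) -> str:
    """Escape a character for use inside a PCRE character class."""
    return "\\" + ch if ch in "\\]^-[" else ch


def _convert_bracket(body: str) -> str:
    """Translate the body of a legacy bracket expression, honouring the ']' and '-' rules."""
    if not body:
        raise ValueError("bracket expression needs at least one character")
    items, i, n = [], 0, len(body)
    while i < n:
        c = body[i]
        # "x-y" is a range unless the '-' is the first or last character of the body.
        if c != "-" and i + 2 < n and body[i + 1] == "-":
            lo, hi = body[i], body[i + 2]
            if lo > hi:                    # [z-a] and [a-z] match the same characters
                lo, hi = hi, lo
            items.append(f"{_class_char(lo)}-{_class_char(hi)}")
            i += 3
        else:                              # literal, including a leading ']' or a lone '-'
            items.append(_class_char(c))
            i += 1
    return "[" + "".join(items) + "]"


def legacy_to_pcre(pattern: str) -> str:
    """Translate a legacy data identifier pattern into a PCRE-style regular expression."""
    out = []
    for wi, word in enumerate(pattern.split()):
        if wi:
            out.append(r"\s+")             # assumption: whitespace between tokens matches whitespace
        i = 0
        while i < len(word):
            c = word[i]
            if c in _UNSUPPORTED:
                raise ValueError(f"'{c}' is not supported in legacy patterns")
            if c == "\\":                  # special character or escaped metacharacter
                if i + 1 >= len(word):
                    raise ValueError("dangling backslash")
                nxt = word[i + 1]
                if nxt == "s":
                    raise ValueError(r"\s is not supported; use an actual whitespace")
                atom = _SPECIAL.get(nxt, re.escape(nxt))
                i += 2
            elif c == "[":
                close = word.find("]", i + 2)   # a ']' right after '[' is a literal, not the end
                if close < 0:
                    raise ValueError("unterminated bracket expression")
                atom = _convert_bracket(word[i + 1:close])
                i = close + 1
            elif c in "{?":
                raise ValueError(f"quantifier '{c}' has no preceding token")
            else:                          # any other character is a literal match
                atom = re.escape(c)
                i += 1
            q = _QUANT.match(word, i)      # an optional quantifier follows the token
            if q:
                atom += q.group(0)
                i = q.end()
            out.append(atom)
    return "".join(out)


def matches_legacy(pattern: str, text: str) -> bool:
    """Legacy patterns only match a complete token, so the translation is anchored with fullmatch."""
    return re.fullmatch(legacy_to_pcre(pattern), text) is not None
```

Running legacy_to_pcre on a pattern such as \d{3}-\d{2}-\d{4} yields [0-9]{3}\-[0-9]{2}\-[0-9]{4}; the bracket rules from the specification ([]a-z], [z-a], [a-d-z]) translate to [\]a-z], [a-z] and [a-d\-z] respectively. Because the ASCII/non-ASCII split of \l and \L is not what PCRE's \w gives you, a converted pattern is worth re-testing against sample data before it replaces the legacy one.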

Writing data identifier patterns to match data


If you modify an existing data identifier, you can edit its patterns. Data identifier patterns are implemented either through
regular expressions or through the legacy data identifier pattern language that is similar to regular expressions.

If you create a custom data identifier, you must implement at least one regular expression.
See About data identifier patterns.
See Limitations of data identifier support for PCRE regular expressions.
See Using the legacy data identifier pattern language.
To edit or implement a pattern
1. Review the patterns for the data identifier you want to modify.
See Selecting a data identifier breadth.
2. Consider cloning the data identifier, if you are modifying a system data identifier.
See Cloning a system data identifier before modifying it.
3. Select Manage > Policies > Data Identifiers in the Enforce Server administration console.
4. Select the data identifier you want to modify.
5. Select the breadth for the data identifier you want to modify.
Generally, patterns vary among detection breadths.
6. In the Patterns field, modify an existing pattern, or enter one or more new patterns, separated by line breaks. If you
created a pattern using the legacy pattern syntax, enter the pattern in the Legacy field.
You can save a maximum of 500 regular expressions and a maximum of 63 legacy patterns.
NOTE
You use legacy data identifier patterns only for DLP 15.8 endpoints. For later versions of DLP, you must use
standard regular expression syntax to define data identifier patterns.
Support for regular expressions is subject to a few limitations. For more information, see Limitations of data
identifier support for PCRE regular expressions.
7. Optionally, if you created one or more legacy patterns, click Convert to convert all of the legacy patterns to regular
expressions.
When you click Convert, all the converted patterns are added to the Patterns.
8. Click Save to save the data identifier.

Using pattern validators


The following table lists all available pattern validators. Validators marked with an asterisk (*) beside the name in the table
below require data input.

Table 575: Available validators for system and custom data identifiers

ABA Checksum: Every ABA routing number must start with the following two digits: 00-15, 21-32, 61-72, 80 and pass an ABA-specific, position-weighted checksum.
Advanced KRRN Validation: Validates that the 3rd and 4th digits are a valid month, that the 5th and 6th digits are a valid day, and that the checksum matches the check digit.
Advanced SSN: Validator checks whether the SSN contains zeros in any group, the area number (first group) is less than 773 and not 666, the delimiter between the groups is the same, the number does not consist of all the same digits, and the number is not reserved for advertising (123-45-6789, 987-65-432x).
Argentinian Tax Identity Number Validation Check: Computes the checksum and validates the pattern against it.
Australian Business Number Validation Check: Computes the checksum and validates the pattern against it.
Australian Company Number Validation Check: Computes the checksum and validates the pattern against it.
Australian Medicare Number Validation Check: Computes the checksum and validates the pattern against it.
Australian Tax File validation check: Computes the checksum and validates the pattern against it.
Austria VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Austrian Social Security Number Validation Check: Computes the checksum and validates the pattern against it.
Basic SSN: Performs minimal SSN validation.
Belgian National Number Validation Check: Computes the checksum and validates the pattern against it.
Belgian Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Belgium VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Brazil Election Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Brazilian National Registry of Legal Entities Number Validation Check: Computes the checksum and validates the pattern against it.
Brazilian Natural Person Registry Number Validation Check: Computes the checksum and validates the pattern against it.
British Columbia Personal Healthcare Number Validation Check: Computes the checksum and validates the pattern against it.
Bulgaria Value Added Tax (VAT) Number Validation Check: Computes the checksum and validates the pattern against it.
Bulgarian Uniform Civil Number Validation Check: Computes the checksum and validates the pattern against it.
Burgerservicenummer Check: Performs a check for the Burgerservicenummer.
Canada Driver's License Number Check: Computes the checksum and validates the pattern against it.
Chilean National Identification Number Validation Check: Computes the checksum and validates the pattern against it.
China ID checksum validator: Computes the checksum and validates the pattern against it.
Codice Fiscale Control Key Check: Computes the control key and checks if it is valid.
Croatia National Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Cusip Validation: Validator checks for invalid CUSIP ranges and computes the CUSIP checksum (Modulus 10 Double Add Double algorithm).
Custom Script*: Enter a custom script to validate pattern matches for this data identifier breadth. See Creating custom script validators.
Cyprus Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Cyprus Value Added Tax (VAT) Number Validation Check: Computes the checksum and validates the pattern against it.
Czech Personal Identity Number Validation Check: Computes the checksum and validates the pattern against it.
Czech Republic Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Czech Republic VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Denmark Personal Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Denmark Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Denmark VAT Number Validation Check: Computes the checksum and validates the pattern against it.
DNI control key check: Computes the control key and checks if it is valid.
Driver's License Number WA State Validation Check: Computes the checksum and validates the pattern against it.
Driver's License Number WI State Validation Check: Computes the checksum and validates the pattern against it.
Drug Enforcement Agency Number Validation Check: Computes the checksum and validates the pattern against it.
Duplicate digits: Ensures that a string of digits is not all the same digit.
Dutch Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Estonia Personal Identification Number Check: Computes the checksum and validates the pattern against it.
Estonia Value Added Tax (VAT) Number Validation Check: Computes the checksum and validates the pattern against it.
Exact Match*: Enter a comma-separated list of values. If the values are numeric, do NOT enter any dashes or other separators. Each value can be of any length.
Exact Match Data Identifier Check: Looks up tokens around a pattern for the Exact Match Data Identifier index and validates the pattern.
Exclude beginning characters*: Enter a comma-separated list of values. If the values are numeric, do NOT enter any dashes or other separators. Each value can be of any length.
Note: Beginning and ending validators concern the text of the match itself. Prefix and suffix validators concern characters before and after matched text.
Exclude ending characters*: Enter a comma-separated list of values. If the values are numeric, do NOT enter any dashes or other separators. Each value can be of any length.
Exclude exact match*: Enter a comma-separated list of values. Each value can be of any length.
Exclude prefix*: Enter a comma-separated list of values. Each value can be of any length.
Note: Prefix and suffix validators concern characters before and after matched text. Beginning and ending validators concern the text of the match itself.
Exclude suffix*: Enter a comma-separated list of values. Each value can be of any length.
Find keywords*: Enter a comma-separated list of values. Each value can be of any length.
Finland Driver's Licence Number Validation Check: Computes the checksum and validates the pattern against it.
Finland Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Finland VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Finnish Personal Identification Number Validation Check: Computes the checksum and validates the pattern against it.
France VAT Number Validation Check: Computes the checksum and validates the pattern against it.
French Social Security Number Validation Check: Computes the checksum and validates the pattern against it.
German ID Number Validation Check: Computes the checksum and validates the pattern against it.
German Passport Number Validation Check: Computes the checksum and validates the pattern against it.
Germany Tax Number Validation Check: Computes the checksum and validates the pattern against it.
Germany VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Greece Social Security Number (AMKA): Computes the checksum and validates the pattern against it.
Greece VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Greek Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
HCPCS CPT Code Validation Check: Computes the checksum and validates the pattern against it.
Health Care Insurance Number Check: Computes the checksum and validates the pattern against it.
Hong Kong ID: Computes the checksum and validates the pattern against it.
Hungarian Social Security Validation Check: Computes the checksum and validates the pattern against it.
Hungarian Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Hungarian VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Hungary Passport Number Validation Check: Computes the checksum and validates the pattern against it.
Iceland National Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Indonesian Kartu Tanda Penduduk Validation Check: Computes the checksum and validates the pattern against it.
INSEE Control Key: Validator computes the INSEE control key and compares it to the last 2 digits of the pattern.
IP Basic Check: Every IP address must match the format x.x.x.x and every number must be less than 256.
IP Octet Check: Every IP address must match the format x.x.x.x, every number must be less than 256, and no IP address can contain only single-digit numbers (1.1.1.2).
IP Reserved Range Check: Checks whether the IP address falls into any of the "Bogons" ranges. If so, the match is invalid.
IPv6 Basic Validation Check: Every IPv6 address must match the format xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx and every number must be lower than ffff.
Ipv6 Medium Validation Check: Every IPv6 address must match the format xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx and every number must be lower than ffff. No IPv6 address can start with 0.
Ipv6 Reserved Validation Check: Every IPv6 address must match the format xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx and every number must be lower than ffff. No IPv6 address can start with 0. Each IPv6 address must be fully compressed.
Ireland Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Ireland VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Irish Personal Public Service Number Validation Check: Computes the checksum and validates the pattern against it.
Israel Personal Identity Number Validation Check: Computes the checksum and validates the pattern against it.
Italy VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Japan Driver's License Number Validation Check: Computes the checksum and validates the pattern against it.
Japanese Juki-Net ID Validation Check: Computes the checksum and validates the pattern against it.
Japanese My Number Validation Check: Computes the checksum and validates the pattern against it.
KRRN Foreign Validation Check: Validates that the 3rd and 4th digits are a valid month, that the 5th and 6th digits are a valid day, and that the checksum matches the check digit.
Latvia Personal Code Check: Computes the checksum and validates the pattern against it.
Latvia Value Added Tax (VAT) Number Validation Check: Computes the checksum and validates the pattern against it.
Lithuania Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Lithuania Value Added Tax (VAT) Number Validation Check: Computes the checksum and validates the pattern against it.
Luhn Check: Computes the Luhn checksum and validates the matched pattern against it.
Luxembourg National Register of Individuals Number Validation Check: Computes the checksum and validates the pattern against it.
Luxembourg Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Luxembourg VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Malaysian MyKad Number Validation Check: Computes the checksum and validates the pattern against it.
Malta Value Added Tax (VAT) Number Validation Check: Computes the checksum and validates the pattern against it.
Medicare Beneficiary Identifier Number Validation Check: Computes the checksum and validates the pattern against it.
Mexican CRIP Validation Check: Computes the checksum and validates the pattern against it.
Mexican Tax Identification Validation Check: Computes the checksum and validates the pattern against it.
Mexican Unique Population Registry Code Validation Check: Computes the checksum and validates the pattern against it.
Mexico CLABE Number Validation Check: Computes the checksum and validates the pattern against it.
Mod 97 Validator: Computes the ISO 7064 Mod 97-10 checksum of the complete match.
National Provider Identifier Number Validation Check: Computes the checksum and validates the pattern against it.
National Securities Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Netherlands Bank Account Number Validation Check: Computes the checksum and validates the pattern against it.
Netherlands VAT Number Validation Check: Computes the checksum and validates the pattern against it.
New Zealand National Health Index Number Validation Check: Computes the checksum and validates the pattern against it.
NIB Number Validation Check: Computes the ISO 7064 Mod 97-10 checksum of the complete match of the NIB Number.
No Validation: Performs no validation.
Norway National Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Norway Value Added Tax (VAT) Number Check: Computes the checksum and validates the pattern against it.
Norwegian Birth Number Validation Check: Computes the checksum and validates the pattern against it.
Number Delimiter: Validates a match by checking the surrounding digits.
Poland VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Polish ID Number Validation Check: Computes the checksum and validates the pattern against it.
Polish REGON Number Validation Check: Computes the checksum and validates the pattern against it.
Polish Social Security Number Validation Check: Computes the checksum and validates the pattern against it.
Polish Tax ID Number Validation Check: Computes the checksum and validates the pattern against it.
Portugal National Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Portugal Tax and VAT Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Randomized US Social Security Number Validation Check: Computes the checksum and validates the pattern against it.
Require beginning characters*: Enter a comma-separated list of values. If the values are numeric, do NOT enter any dashes or other separators. Each value can be of any length.
Require ending characters*: Enter a comma-separated list of values. If the values are numeric, do NOT enter any dashes or other separators. Each value can be of any length.
Romania Driver's Licence Number Validation Check: Computes the checksum and validates the pattern against it.
Romania National Identification Number Check: Computes the checksum and validates the pattern against it.
Romania VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Romanian Numerical Personal Code Check: Computes the checksum and validates the pattern against it.
Russian Taxpayer Identification Number Validation Check: Computes the checksum and validates the pattern against it.
SEPA Creditor Number Validation Check: Computes the checksum and validates the pattern against it.
Serbia Value Added Tax (VAT) Number Validation Check: Computes the checksum and validates the pattern against it.
Singapore NRIC: Computes the Singapore NRIC checksum and validates the pattern against it.
Slovakia National Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Slovakia Value Added Tax (VAT) Number Validation Check: Computes the checksum and validates the pattern against it.
Slovenia Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Slovenia Unique Master Citizen Number Validation Check: Computes the checksum and validates the pattern against it.
Slovenia Value Added Tax (VAT) Number Validation Check: Computes the checksum and validates the pattern against it.
South African Personal Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Spain VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Spanish Customer Account Number Validation Check: Computes the checksum and validates the pattern against it.
Spanish SSN Number Validation Check: Computes the checksum and validates the pattern against it.
Spanish Tax ID Number Validation Check: Computes the checksum and validates the pattern against it.
Sri Lanka National Identification Number Validation Check: Computes the checksum and validates the pattern against it.
SSN Area-Group number: For a given area number (first group), not all group numbers (second group) might have been assigned by the SSA. Validator eliminates SSNs with invalid group numbers.
Sweden TaxPayer Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Sweden Value Added Tax Number Validation Check: Computes the checksum and validates the pattern against it.
Swedish Personal Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Swiss AHV: Swiss AHV Modulus 11 checksum.
Swiss Social Security Number Validation Check: Computes the checksum and validates the pattern against it.
Switzerland Value Added Tax (VAT) Number Validation Check: Computes the checksum and validates the pattern against it.
Taiwan ID: Taiwan ID checksum.
Thailand Personal Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Turkish Identification Number Validation Check: Computes the checksum and validates the pattern against it.
UK Bank Sort Code Check: Computes the checksum and validates the pattern against it.
UK Drivers License: Every UK drivers license must be 16 characters and the number at the 8th and 9th position must be larger than 00 and smaller than 32.
UK NHS: UK NHS checksum.
UK VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Ukraine Identity Card Check: Validates that the first eight digits are a correctly formatted date.
Venezuela Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Verhoeff Validation Check: Computes the checksum and validates the pattern against it.
Ukraine Identity Card Check: Computes the checksum and validates the pattern against it.
Zip+4 Postal Codes Validation Check: Computes the checksum and validates the pattern against it.
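The validators in the table act on the text a pattern has matched; together with the data normalizer and the pre- and post-validators from the custom data identifier workflow (Table 569) they form the detection pipeline for a data identifier. The following Python is an added example written for this page, not Symantec DLP's own code. It implements the Luhn Check, Duplicate digits, Advanced SSN and IP Basic Check rows as the table describes them, wires them into a small data identifier with a normalizer and pre-/post-validator character sets, and runs the result over constructed sample text. It assumes that the pattern is applied to the raw text and each validator receives both the raw match and its normalized form, and the pre-/post-validator defaults shown are this example's choice, not the product's defaults; the Swift codes normalizer is omitted because the page does not define it.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List

Validator = Callable[[str, str], bool]   # (raw match, normalized match) -> keep the match?

# Normalizers named in the workflow table (Swift codes omitted: not defined on the page).
NORMALIZERS = {
    "Digits": lambda s: re.sub(r"[^0-9]", "", s),
    "Digits and Letters": lambda s: re.sub(r"[^0-9A-Za-z]", "", s),
    "Lowercase": str.lower,
    "Do nothing": lambda s: s,
}


def luhn_check(raw: str, digits: str) -> bool:
    """Luhn Check: mod-10 checksum over the normalized digits (double every second digit from the right)."""
    if len(digits) < 2 or not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def duplicate_digits(raw: str, digits: str) -> bool:
    """Duplicate digits: reject a string of digits that are all the same."""
    return len(set(digits)) > 1


_SSN = re.compile(r"^(\d{3})([- ]?)(\d{2})([- ]?)(\d{4})$")


def advanced_ssn(raw: str, digits: str) -> bool:
    """Advanced SSN, applying the rules listed in the validator table to the raw match."""
    m = _SSN.match(raw)
    if not m:
        return False
    area, sep1, group, sep2, serial = m.groups()
    if sep1 != sep2:                                            # delimiter between groups must be the same
        return False
    if area == "000" or group == "00" or serial == "0000":      # no group may be all zeros
        return False
    if int(area) >= 773 or area == "666":                       # area number below 773 and not 666
        return False
    if len(set(digits)) == 1:                                   # not all the same digit
        return False
    if digits == "123456789" or digits.startswith("98765432"):  # numbers reserved for advertising
        return False
    return True


def ip_basic_check(raw: str, norm: str) -> bool:
    """IP Basic Check: format x.x.x.x with every number below 256."""
    parts = raw.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)


@dataclass
class DataIdentifier:
    name: str
    pattern: str
    normalizer: str = "Do nothing"
    validators: List[Validator] = field(default_factory=list)
    # Pre-/post-validators: characters allowed immediately before/after a match.
    # These defaults are an assumption of this example, not the product's defaults.
    pre_valid: str = " \t\r\n(\"'[<"
    post_valid: str = " \t\r\n)\"'.,;:]>"


def scan(text: str, di: DataIdentifier) -> List[str]:
    """Return the raw matches of `di` in `text` that pass the pre-/post-validators and every validator."""
    normalize = NORMALIZERS[di.normalizer]
    hits = []
    for m in re.finditer(di.pattern, text):
        before = text[m.start() - 1] if m.start() > 0 else ""
        after = text[m.end()] if m.end() < len(text) else ""
        if (before and before not in di.pre_valid) or (after and after not in di.post_valid):
            continue                                  # rejected by the pre-/post-validator
        raw = m.group(0)
        norm = normalize(raw)
        if all(v(raw, norm) for v in di.validators):
            hits.append(raw)
    return hits


CARD = DataIdentifier("Payment card", r"(?:\d{4}[ -]?){3}\d{4}", "Digits", [duplicate_digits, luhn_check])
SSN = DataIdentifier("US SSN", r"\d{3}[- ]?\d{2}[- ]?\d{4}", "Digits", [advanced_ssn])
IPV4 = DataIdentifier("IPv4 address", r"\d{1,3}(?:\.\d{1,3}){3}", "Do nothing", [ip_basic_check])

# Constructed sample text for this example; none of these values are real records.
SAMPLE = (
    "Card 4111 1111 1111 1111 on file; 4111111111111112 fails Luhn.\n"
    "SSN 219-09-9999 approved, 123-45-6789 is the advertising sample, "
    "000-12-3456 has a zero area, 219-09 9999 mixes delimiters.\n"
    "Host 10.0.0.5 and bogus 10.0.0.999.\n"
)

if __name__ == "__main__":
    for di in (CARD, SSN, IPV4):
        print(di.name, scan(SAMPLE, di))
```

Run on the sample, the card identifier keeps only the Luhn-valid spaced number, the SSN identifier keeps 219-09-9999 and drops the advertising, zero-area and mixed-delimiter candidates, and the IPv4 identifier drops 10.0.0.999. The pre-/post-validator step is what stops the SSN pattern from firing on the first nine digits of the 16-digit card number: the match is followed by another digit, which is not an allowed post-validator character.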

Selecting pattern validators


Symantec Data Loss Prevention provides a comprehensive set of validators to facilitate pattern matching accuracy.
About pattern validators
When you modify a data identifier, the system exposes the active validators used by the data identifier. When you modify
or create a data identifier, the system displays all system-defined data validators from which you can choose.
NOTE
The active validators that allow for and define input are not to be confused with the "Optional validators" that can
be configured for any runtime instance of a particular data identifier. Optional validators are always configurable
at the instance level. Active validators are only configurable at the system level.
Select a validator from the "Validation Checks" list on the left, then click Add Validator to the right. If the validator requires
input, provide the required data using a comma-separated list and then click Add Validator.
Selecting pattern validators

To select a pattern validator
1. Create a custom data identifier.
Workflow for creating custom data identifiers
2. In the Validators section, select the desired validator.
About pattern validators
3. If the validator does not require data input, click Add Validator.
The validator is added to the Active Validators list.
4. If the validator requires data input, enter the data values in the Description and Data Entry field.
5. Edit the input for the validator in the Description and Data Entry field as needed. If you are using the Find keywords validator, also
select the qualities you want for the keyword:
• Proximity: Finds a keyword only within the set proximity of the matched patterns. Check this box and also indicate
the Word Distance.
• Case sensitive: Check this box if you want to search for a case-sensitive match.
• Highlight keywords in incident: Check this box if you want to highlight the matched keywords in incidents.
6. Click Add Validator when you are done entering the values.
The validator is added to the Active Validators list.
7. To remove a validator, select it in the Active Validators list and click the red X icon.
8. Click Save to save the configuration of the data identifier.

Selecting a data normalizer


When you create a custom data identifier, you must select a normalizer to reconcile the data detected by the pattern with
the format expected by the validators.
Workflow for creating custom data identifiers
Available data normalizers lists and describes the normalizers you can implement for custom data identifiers.
NOTE
You cannot modify the normalizer of a system-defined data identifier.

Table 576: Available data normalizers

Normalizer | Description
Digits | Only numeric characters are allowed.
Digits and Letters | Alphanumeric characters are allowed.
Lowercase | Only letters are allowed, normalized to lowercase.
Swift codes | Code must match SWIFT requirements.
Do nothing | The data is not normalized, evaluated as entered by the user.

Creating custom script validators


The custom script validation check lets you enter a custom script to validate pattern matches. To implement a custom
validator, you use the Symantec Data Loss Prevention Scripting Language.

You can implement a custom script validator in a system data identifier you modify or in a custom data identifier.
NOTE
Refer to the Symantec Data Loss Prevention Detection Customization Guide for details on using the Symantec
Data Loss Prevention Scripting Language.
To implement a custom script validator
1. Modify an existing data identifier or create a custom data identifier.
Workflow for creating custom data identifiers
2. Select the Custom Script validator from the list of Validation Checks.
3. Enter your custom script in the Description and Data Entry field.
4. Click Add Validator to add the custom validator to the Active Validators list.
5. Click Save to save the configuration of the data identifier.

Configuring pre- and post-validators


Pre- and Post-Validators define characters and character ranges that are valid before or after a data identifier pattern.
They can be helpful for eliminating false-positive detection results.
Acceptable characters for pre- and post-validators include ASCII characters 32 through 126 (as literal characters) and
Unicode characters.
Whitespace characters and characters from languages that do not use whitespace between words are regarded as valid.
For example, characters from Japanese, Chinese, Korean, and Thai. You do not have to specify any invalid characters.
Pre- and Post-Validators are required in custom data identifiers. The fields are pre-populated with default values, but you
can edit them as necessary to tune your results.
The default valid characters for the pre- and post-validators are:
• Pre-validators: ,=:#"'()>;@!`~$%^*
• Post-validators: ,."'()<;&=@`~
In addition, you can select the Letter and Digit check box to regard all letters and digits as valid characters.
Examples
These examples show some matching and non-matching pre- and post-validators for a 10-digit data identifier pattern
\d{10}:

Table 577: Pre- and post-validator characters

Character position | Valid characters
Pre-validator characters | !(,
Post-validator characters | ),

The following strings would match or not match the data identifier pattern based on the preceding or following characters
as described here:

Table 578: Pre- and post-validator pattern matching examples

String | Pattern match condition | Description
A1234567890 | No match | The character A preceding the \d{10} pattern is not a valid pre-validator character, so the pattern does not match.
!1234567890 | Match | The character ! preceding the \d{10} pattern is a valid pre-validator character, so the pattern matches.
1234567890} | No match | The character } following the \d{10} pattern is not a valid post-validator character, so the pattern does not match.
(1234567890) | Match | The character ( preceding the \d{10} pattern is a valid pre-validator character. The character ) following the pattern is a valid post-validator character. Because both characters are valid, the pattern matches.
@1234567890 | No match | The character @ preceding the \d{10} pattern is not a valid pre-validator character.
,1234567890, | Match | The character , is a valid pre- and post-validator character, so the pattern matches.
1234567890 | Match | The \d{10} pattern has no preceding or following character, so the pattern matches.
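As an added example (not Symantec code and not the detection engine's implementation), the following Python reproduces the pre- and post-validator behaviour of Table 577 and Table 578 for the pattern \d{10}. It assumes the rules stated above: a neighbouring character must be in the relevant validator set, no neighbouring character at all is valid, white space is always valid, and the Letter and Digit check box (modelled as the letters_and_digits_ok flag) makes every letter and digit valid too. The pre-validator set "!(," and post-validator set ")," are the example sets from Table 577, not the product defaults.

```python
import re

# Added example (not Symantec's code). Models the pre-/post-validator check
# from Table 577 and Table 578 for the pattern \d{10}. Sample strings are the
# ones from the table plus a few constructed here.

PATTERN = re.compile(r"\d{10}")
PRE_VALIDATORS = set("!(,")   # example set from Table 577
POST_VALIDATORS = set("),")   # example set from Table 577


def _neighbour_ok(ch, allowed, letters_and_digits_ok):
    """Decide whether one neighbouring character (or None) permits the match."""
    if ch is None:                     # pattern sits at the start/end of the text
        return True
    if ch.isspace():                   # white space is always regarded as valid
        return True
    if letters_and_digits_ok and ch.isalnum():
        return True                    # Letter and Digit check box selected
    return ch in allowed


def validated_matches(text, pre=PRE_VALIDATORS, post=POST_VALIDATORS,
                      letters_and_digits_ok=False):
    """Return the \\d{10} matches in `text` whose preceding character passes the
    pre-validator and whose following character passes the post-validator."""
    accepted = []
    for m in PATTERN.finditer(text):
        before = text[m.start() - 1] if m.start() > 0 else None
        after = text[m.end()] if m.end() < len(text) else None
        if (_neighbour_ok(before, pre, letters_and_digits_ok)
                and _neighbour_ok(after, post, letters_and_digits_ok)):
            accepted.append(m.group())
    return accepted


def matches(text, **options):
    """True if `text` contains at least one validated \\d{10} match."""
    return bool(validated_matches(text, **options))
```

Note what the Letter and Digit option does to a longer digit run such as 12345678901: with the option off, the eleventh digit fails the post-validator and the candidate is rejected; with it on, the first ten digits are accepted. That is the trade-off the check box represents, and it is why tightening the validator sets is the usual way to cut false positives.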

Best practices for using data identifiers


Data identifiers are algorithms that combine pattern matching with data validators to detect content. Symantec Data Loss
Prevention provides a number of system-defined data identifiers for common data patterns, such as SSNs, Tax IDs, and
more. In addition, you can define your own custom data identifiers to match any data you can describe using the data
identifier pattern language. Data identifiers are commonly used to detect personally identifiable information (PII).
This section provides best practices for implementing data identifier policies.
Summary of data identifier best practices summarizes the best practices in this section.

Table 579: Summary of data identifier best practices

Best practice | Description
Use data identifiers instead of regular expressions when possible. | Use data identifiers instead of regular expressions to improve accuracy
Modify data identifier definitions when you want tuning to apply globally. | Modify data identifier definitions when you want tuning to apply globally
Clone system-defined data identifiers before modifying them. | Clone system-defined data identifiers before modifying to preserve original state
Consider using multiple data identifier breadths in parallel. | Consider using multiple breadths in parallel to detect different severities of confidential data
Avoid matching on the Envelope over HTTP. | Avoid matching on the Envelope over HTTP to reduce false positives
Use the Randomized US SSN data identifier to detect traditional and randomized SSNs. | Use the Randomized US SSN data identifier to detect SSNs
Use unique match counting to improve accuracy and ease remediation. | Use unique match counting to improve accuracy and ease remediation

Use data identifiers instead of regular expressions to improve accuracy


Data identifiers are designed to protect personally identifiable information (PII) with very good accuracy (<10% false
positive rate). If a data identifier is available for the type of content you want to protect, you should use the data identifier
instead of a regular expression because data identifiers are more efficient than regular expressions. Out-of-the-box data
identifier patterns are tuned for accuracy, including region, industry, and country nuances. In addition, data identifiers
include validation checks to verify the data that is matched by the pattern. This additional layer of intelligence screens out
test data and other triggers of false positive incidents. Regular expressions, on the other hand, can be computationally
expensive and can lead to increased false positives.
For example, if you want to detect social security numbers (SSN), you use the Randomized US SSN data identifier
instead of a regular expression pattern. The Randomized US SSN data identifier is more accurate than any regular
expression you can write and much easier and quicker to implement.
NOTE
The data identifier pattern language is a limited subset of the regular expression language. Not all regular
expression constructs or characters are supported for data identifier patterns.
Using the data identifier pattern language

Clone system-defined data identifiers before modifying to preserve original state


Before you modify a system data identifier or create a custom data identifier, consider the following:
• If you want to modify a system data identifier, manually clone it as a custom data identifier and then modify the cloned
copy. In this fashion you preserve the state of the original system-defined data identifier.
• Data identifiers do not export as part of a policy template. As such, you should add the data identifier to a policy and
export the policy as a template before modifying the data identifier.
An exported template contains a reference to each data identifier that is implemented in that policy. On import to a
target system, the template uses that reference to select the target system's local data identifier. If the system data
identifier has been modified, the modification is therefore not carried over on import by the target system.
Cloning a system data identifier before modifying it

Modify data identifier definitions when you want tuning to apply globally
Data identifiers offer two levels of configuration:
• Definitions
• Instances
Data identifier definitions are configured at the system level of the Enforce Server. At the definition level you can tune the
data that is supplied by any required validator that the definition declares, as well as which validators are used.
Data identifier instances are only configured at the policy rule level. Any configurations that are made at the rule level are
local in scope and applicable only to that policy. At the rule level you use optional validators, such as require or exclude
beginning or ending characters, to tune the instance of the data identifier rule.
The general recommendation is to configure data identifier definitions so that the changes apply globally to any instance
of that data identifier definition. Such configurations are reusable across policies. Rule-level optional validators should be
reserved for policies with unique requirements.

Consider using multiple breadths in parallel to detect different severities of confidential data
Matching data identifiers against content often requires fine-tuning as you adjust the configuration to keep both false
positives and false negatives to a minimum. After you configure an instance of the Content Matches Data Identifier
condition, study the matches and adjust the configuration to ensure optimum data matching success.
Consider adjusting the data identifier breadth you use if the data identifier produces too many false positives or false
negatives. For example, if you use a wide breadth and receive many false positives, consider using a medium breadth or
narrow breadth.
About data identifier breadths
As an alternative approach, consider using multiple data identifier breadths in parallel in the same policy, with a different
severity level for each rule. For example, in a single policy that is designed to detect credit card numbers, you can add
three rules to the policy, each using a different breadth (one wide, one medium, one narrow). You would then set the
severity of the narrow-breadth rule to high and the severity of the wide-breadth rule to low. Using this layered approach
lets you survey the data flowing through the enterprise using a policy that covers both ends of the spectrum. You can use
this sampling-based approach to focus your remediation efforts on the highest-priority incidents while still detecting and
being able to review low-severity incidents.

Avoid matching on the Envelope over HTTP to reduce false positives


Sometimes HTTP transmissions contain session IDs in the header that can trigger false positives for numeric data
identifiers. For example, some social media sites such as Facebook and LinkedIn contain a session ID that may at times
match the CCN and SSN data identifiers exactly, causing false positives.
To reduce false positives in connection with HTTP session IDs in the message header, the best practice is not to match
on the “Envelope” message component when you implement numeric data identifiers, specifically the CCN or SSN data
identifiers.

Use the US Randomized SSN data identifier to detect SSNs


In 2011, the United States Social Security Administration (SSA) began issuing randomized SSNs. Under this scheme, the
high group number (second part of the SSN) no longer corresponds to the area number (first part of the SSN). Also, the
range of the area number can go up to 899 instead of 773. Randomization applies to SSNs issued on or after June 25,
2011. It does not apply to SSNs issued before that date.
To support the new randomized SSN scheme, Symantec Data Loss Prevention provides the system-defined US
Randomized Social Security Number (SSN) data identifier.
The US Randomized SSN data identifier detects both traditional and randomized SSNs. The US Randomized SSN data
identifier replaces the US SSN data identifier, which only detects traditional SSNs.
Symantec recommends that you use the US Randomized SSN data identifier for all new policies that you want to use to
detect SSNs, and that you update your existing SSN policies to use the US Randomized SSN data identifier. For your
existing policies that already implement the traditional US SSN data identifier, you can add the US Randomized SSN data
identifier as an OR'd rule so that both run in parallel as you test the policy to ensure it accurately detects both styles of
SSNs.
Updating policies to use the US Randomized SSN data identifier

Use unique match counting to improve accuracy and ease remediation


By default, the data identifier rule configuration counts only unique matches. With this option, each unique match is
reported once, as the first match found in the message or message component, and only unique matches are counted
and highlighted. You can also choose the option that counts all matches.

The best practice is to use unique match counting when you only care about unique matches, not duplicate matches. For
example, if you are using the Credit Card Numbers data identifier to protect credit card numbers, and you only care
whether a document contains 25 or more unique numbers, use the count all unique matches option instead of the count
all matches option. If you counted all matches, a document containing 25 copies of the same CCN would trigger the
policy, which is not the objective of your policy.
About unique match counting

Introducing keyword matching


Symantec Data Loss Prevention provides the Content Matches Keyword policy condition for keyword detection.
To detect data loss using keyword matching, the detection engine compares inbound messages or message components
against each keyword in a list of one or more keywords or keyword phrases. Keyword matching supports both whole word
and partial word matching, as well as word proximity. Keyword matching is supported on the server and on the endpoint.
Unique match counting is supported for keywords.
Using unique match counting
Keyword matching use cases lists typical keyword matching use cases.

Table 580: Keyword matching use cases

Configuration | Typical use
Whole word matching | Languages based on the Latin alphabet; UTF-8 characters; Chinese, Japanese, and Korean (CJK) languages with token verification enabled for the server; CJK keywords on the endpoint (see About keyword matching for Chinese, Japanese, and Korean (CJK) languages)
Partial word matching | Languages based on the Latin alphabet; Mixed languages
Keyword matching examples

About keyword matching for Chinese, Japanese, and Korean (CJK) languages
Symantec Data Loss Prevention detection servers support natural language processing for Chinese, Japanese, and
Korean (CJK) keywords. When natural language processing for CJK languages is enabled, the detection server validates
CJK tokens before reporting a match. For CJK languages, a token is a single character which constitutes a word. Thus,
partial word matching does not apply to CJK languages.
Token validation for CJK keywords is only supported on detection servers and is disabled by default. You must enable
token validation for each detection server. In addition, you must match on whole words for token validation to apply.
On the endpoint you can use whole word matching for CJK keywords.
Keyword matching use cases for CJK languages summarizes keyword matching use cases for CJK languages.

Table 581: Keyword matching use cases for CJK languages

Detection component | Use case
Server | Enable token verification on the detection server and use whole word matching (see Enabling and using CJK token verification for server keyword matching)
Endpoint | Use whole word matching
Keyword matching examples for CJK languages

About keyword proximity


Using keyword proximity, a policy author can define a pair of keywords and specify a word range between them. If the
words occur within that range, a match is triggered. For example, an instance of the Content Matches Keyword condition
might require that any instance of the words “confidential” and “information” occurring within 10 words of each other
triggers a match.
Alternatively, you can use keyword proximity to exclude matches within a specified distance by using the Content
Matches Keyword condition as a detection exception. In this case any occurrence of the words “confidential” and
“information” within 10 words of each other is excepted from matching.
For Chinese, Japanese, and Korean (CJK) languages, a single CJK character is counted as one word.
Keyword matching syntax
Keyword matching examples
Configuring the Content Matches Keyword condition

Keyword matching syntax


When you define a keyword rule, the system evaluates every keyword in the condition list against each message
component (header, subject, body, attachment).
Consider the following syntactical guidelines when creating keyword lists.

Table 582: Keyword matching syntax

Behavior | Description
Whole word matching | With whole word matching, keywords match at word boundaries only (\W in the regular expression lexicon). Any characters other than A-Z, a-z, and 0-9 are interpreted as word boundaries. With whole word matching, keywords must have at least one alphanumeric character (a letter or a number). A keyword consisting of only white-space characters, such as "..", is ignored.
Quotation marks | Do not use quotation marks when you enter keywords or phrases because quotes are interpreted literally and will be required in the match.
White space | The system strips out the white space before and after keywords or key phrases. Each whitespace within a keyword phrase is counted. In addition to actual spaces, all characters other than A-Z, a-z, and 0-9 are interpreted as white spaces.
Case sensitivity | The case sensitivity option that you choose applies to all keywords in the list for that condition.
Plurals and verb inflections | All plurals and verb inflections must be specifically listed. If the number of enumerations becomes complicated, use the wildcard character (asterisk [*]) to detect a keyword suffix (in whole word mode only).
Keyword phrases | You can enter keyword phrases, such as social security number (without quotes). The system looks for the entire phrase without returning matches on individual constituent words (such as social or security).
Keyword variants | The system only detects the exact keyword or key phrase, not variants. For example, if you specify the key phrase social security number, detection does not match a phrase that contains two spaces between the words.
Matching multiple keywords | The system implies an OR between keywords. That is, a message component matches if it contains any of the keywords, not necessarily all of them. To perform an ALL (or AND) keyword match, combine multiple keyword conditions in a compound rule or exception.
Alpha-numeric characters | During keyword matching, only a letter or a digit is considered a valid keyword start position. Special characters (non-alphanumeric) are treated as delimiters (ignored). For example, the ampersand character ("&") and the underscore character ("_") are special characters and are not considered for keyword start position. Consider the following examples: ____keyword__, Keyword, &&akeyword&&, 123Keyword__. For these examples, the valid keyword start positions are as follows: k, K, a, and 1. Note: This same behavior applies to keyword validators implemented in data identifiers.
Proximity | The word distance (proximity value) is exclusive of detected keywords. Thus, a word distance of 10 allows for a proximity window of 12 words.

Keyword matching examples


To implement keyword matching, you can enter one or more keywords or phrases, each separated by a comma or
newline character. You can match on whole or partial words, and specify case sensitivity. You can use the asterisk (*)
wildcard character to detect a keyword suffix (in whole word mode only).

Table 583: Keyword matching examples

Keyword type | Keyword(s) | Matches | Does Not Match
keyword | confidential | confidential; -confidential; "confidential"; Confidential; CONFIDENTIAL | confidentially (in whole word mode only, otherwise it would match)
key phrase | internal use only | internal use only; internal use ONLY (if case insensitive is selected) | internal use
keyword list | Newline delimited: hack / hacker / hacks (one keyword per line); Comma delimited: hack, hacker, hacks | |
keyword with wildcard | priv* | private; privilege; privy; privity; privs; priv | prize; prevent
keyword dictionary | account number, account ps, american express, americanexpress, amex, bank card, bankcard, card num, card number, cc #, cc#, ccn, check card, checkcard, credit card, credit card #, credit card number, credit card#, debit card, debitcard, diners club, dinersclub, discover, enroute, japanese card bureau, jcb, mastercard, mc, visa, (etc....) | If any keyword or phrase is present, the data is matched: amex; credit card; mastercard | amx; creditcard; master card; car
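The following Python is an added example, not Symantec code and not the detection engine's implementation. It is a small keyword matcher that follows the rules of Keyword matching syntax and reproduces the cases in Keyword matching examples, and it also models the unique versus all match counting described under Use unique match counting to improve accuracy and ease remediation. Assumptions it makes: a word boundary is any character outside A-Z, a-z, 0-9; each non-alphanumeric character in a key phrase must be matched by exactly one non-alphanumeric character (so no variants match); the trailing * wildcard applies in whole-word mode only; proximity keywords are single words; and unique counting compares matched values case-insensitively unless the condition is case sensitive. All message text is constructed.

```python
import re

# Added example (not Symantec's code). Keyword matching per the syntax table:
# boundaries are any character outside A-Z, a-z, 0-9; keywords without a
# letter or digit are ignored; a trailing * matches any alphanumeric suffix in
# whole-word mode; the proximity distance excludes the two keywords; unique
# counting counts each distinct matched value once. Sample text is constructed.

ALNUM = "A-Za-z0-9"


def _is_alnum(ch):
    """Letters and digits as the syntax table defines them: ASCII A-Z, a-z, 0-9."""
    return ch.isascii() and ch.isalnum()


def keyword_regex(keyword, whole_word=True, case_sensitive=False):
    """Compile one keyword or key phrase, or return None if it is ignored.
    A letter or digit must match literally; every other character in the
    keyword stands for exactly one non-alphanumeric character, so the phrase
    'social security number' does not match a copy with two spaces in it."""
    keyword = keyword.strip()                 # surrounding white space is dropped
    wildcard = whole_word and keyword.endswith("*")
    if wildcard:
        keyword = keyword[:-1]
    if not any(_is_alnum(c) for c in keyword):
        return None                           # e.g. ".." is ignored
    body = "".join(c if _is_alnum(c) else f"[^{ALNUM}]" for c in keyword)
    if wildcard:
        body += f"[{ALNUM}]*"                 # priv* -> priv, privs, privilege ...
    if whole_word:
        body = f"(?<![{ALNUM}])" + body + f"(?![{ALNUM}])"
    return re.compile(body, 0 if case_sensitive else re.IGNORECASE)


def keyword_matches(text, keywords, whole_word=True, case_sensitive=False):
    """Return every matched fragment in `text`. Keywords are OR'd together."""
    found = []
    for kw in keywords:
        rx = keyword_regex(kw, whole_word, case_sensitive)
        if rx is not None:
            found.extend(m.group() for m in rx.finditer(text))
    return found


def count_matches(text, keywords, unique=True, **opts):
    """Count matches either way the condition offers: unique (each distinct
    matched value once, the default) or every occurrence."""
    found = keyword_matches(text, keywords, **opts)
    if not unique:
        return len(found)
    fold = str if opts.get("case_sensitive") else str.lower
    return len({fold(f) for f in found})


def proximity_match(text, first, second, word_distance):
    """True if the single-word keywords `first` and `second` occur (whole
    word, case-insensitive) with at most `word_distance` words between them.
    The distance excludes the keywords, so 10 spans a 12-word window."""
    words = [w.lower() for w in re.findall(f"[{ALNUM}]+", text)]
    first_at = [i for i, w in enumerate(words) if w == first.lower()]
    second_at = [i for i, w in enumerate(words) if w == second.lower()]
    return any(abs(i - j) - 1 <= word_distance
               for i in first_at for j in second_at)
```

The regex built for a whole-word keyword uses lookarounds rather than \b because the table's notion of a boundary (anything outside A-Z, a-z, 0-9) is narrower than the regex engine's \w, which also covers accented and non-Latin letters.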

Keyword matching examples for CJK languages


Keyword matching examples for CJK provides keyword matching examples for Chinese, Japanese, and Korean
languages. All examples assume that the keyword condition is configured to match on whole words only.
If token verification is enabled, the message must be long enough for the token validator to recognize the language. For
example, the message “東京都市部の人口” is too short for the token validation process to recognize the language of the
message. The following message is long enough for token validation processing:
今朝のニュースによると東京都市部の人口は増加傾向にあるとのことでした。 全国的な人口減少の傾向の中、東京への
一極集中を表しています。
About keyword matching for Chinese, Japanese, and Korean (CJK) languages
Token validation for CJK language keywords is not available on the endpoint. To match CJK on the endpoint, you
configure the condition to match on whole words only.

Table 584: Keyword matching examples for CJK

Language | Keyword | Matches on server with token validation ON | Matches on server with token validation OFF | Matches on endpoint
Chinese | 通信 | 数字无线通信 | 数字无线通信, 交通信息网站 | 数字无线通信, 交通信息网站
Japanese | 京都市 | 京都府京都市左京区 | 京都府京都市左京区, 東京都市部の人口 | 京都府京都市左京区, 東京都市部の人口
Korean | 정부 | 정부의 방침 | 정부의 방침, 의정부 경전철 | 정부의 방침, 의정부 경전철

About updates to the Drug, Disease, and Treatment keyword lists


The Drug, Disease, and Treatment keyword lists are updated with current terminology based on information from the U.S.
Federal Drug Administration (FDA) and other sources. The Drug, Disease, and Treatment keyword lists are used by
the HIPAA and HITECH (including PHI) and Caldicott Report policy templates.
When you upgrade your Data Loss Prevention system, the generic, system-defined HIPAA and Caldicott policy templates
are updated with the recent Drug, Disease, and Treatment keyword lists. However, policies you have created based on
the HIPAA or Caldicott policy templates are not automatically updated. This behavior is expected so that any changes
or customizations you have made to your HIPAA or Caldicott policy templates are not overwritten by updates to the
system-defined templates. Updating the Drug, Disease, and Treatment keyword lists for your HIPAA and Caldicott policy
templates is a manual process that you should perform to ensure your HIPAA or Caldicott policies are up to date.
Updating the Drug, Disease, and Treatment keyword lists for your HIPAA and Caldicott policies

Keep the keyword lists for your HIPAA and Caldicott policies up to date
HIPAA and HITECH (including PHI) policy template
Caldicott Report policy template

Configuring keyword matching


Implementing keyword matching describes the components for implementing keyword matching.

Table 585: Implementing keyword matching

Keyword matching feature | Description
Match on whole or partial keywords and key phrases | Separate each keyword or phrase by a newline or comma. See Keyword matching examples.
Match on the wildcard asterisk (*) character | Match the wildcard at the end of a keyword, in whole word mode only. See Keyword matching examples.
Keyword proximity matching | Match across a range of keywords. See About keyword proximity.
Find keywords | Implement one or more keywords in data identifiers to refine the scope of detection. See Introducing data identifiers.
Policy rules and exceptions | You can implement keyword matching conditions in policy rules and exceptions. See Configuring the Content Matches Keyword condition.
Cross-component matching | Keyword matching detects on one or more message components. See Detection messages and message components.
Keyword dictionary | If you have a large dictionary of keywords, you can index the keyword list. See Use VML to generate and maintain large keyword dictionaries.
CJK token verification | Enable on the detection server for CJK languages and match on whole words only. See Keyword matching use cases for CJK languages.

Configuring the Content Matches Keyword condition


The Content Matches Keyword condition lets you match content using keywords and key phrases.
Introducing keyword matching
You can implement keyword matching conditions in policy rules and exceptions.
Configuring policies
To configure the Content Matches Keyword condition
1. Add a new keyword condition to a policy rule or exception, or modify an existing one.
Configuring Policy Rules
Configuring policy exceptions
2. Configure the keyword matching parameters.
Configure the Content Matches Keyword condition
Keyword matching syntax

3. Save the policy.

Table 586: Configure the Content Matches Keyword condition

Action | Description
Enter the match type. | Select whether you want the keyword match to be Case Sensitive or Case Insensitive. Case insensitive is the default.
Choose the keyword separator. | Select the keyword separator you want to use to delimit multiple keywords: Newline or Comma. Newline is the default.
Match any keyword. | Enter one or more keywords or key phrases that you want to match. Use the separator that you have selected (newline or comma) to delimit multiple keyword or key phrase entries.
  You can use the asterisk (*) wildcard character at the end of any keyword to match one or more suffix characters in that keyword. If you use the asterisk wildcard character, you must match on whole words only. For example, a keyword entry of confid* would match on "confidential" and "confide," but not "confine." As long as the keyword prefix matches, the detection engine matches on the remaining characters using the wildcard.
  See Keyword matching syntax and Keyword matching examples.
Configure keyword proximity matching (optional). | Keyword proximity matching lets you specify a range of detection among keyword pairs. See About keyword proximity.
  To implement keyword proximity matching:
  • Select (check) the Keyword Proximity matching option in the "Conditions" section of the rule builder interface.
  • Click Add Pair of Keywords.
  • Enter a pair of keywords.
  • Specify the Word distance. The maximum distance between keywords is 999, as limited by the three-digit length of the “Word distance” field. The word distance is exclusive of detected keywords. For example, a word distance of 10 allows for a range of 12 words, including the two words comprising the keyword pair.
  • Repeat the process to add more keyword pairs.
  The system connects multiple keyword pair entries with the OR Boolean operator, meaning that the detection engine evaluates each keyword pair independently.
Match on whole or partial keywords. | Select the option On whole words only to match on whole keywords only (by default this option is selected).
  Match on whole words only if you use the asterisk (*) wildcard character in any keyword you enter in the list. See Keyword matching examples.
  You must match on whole words only if you have enabled token validation for the server. See Keyword matching examples for CJK languages.
Configure match conditions. | Keyword matching lets you specify how you want to count condition matches. Select one of the following options:
  • Check for existence: The system reports one incident for all matches.
  • Count all matches and only report incidents with at least 1 matches (default): The system reports one incident for each match with the default setting. Or, you can configure the match threshold by changing the default value from 1 to another value.
  See Configuring Match Counting.
Select components to match on. | Keyword matching detection supports matching across message components. See Selecting components to match on.
  Select one or more message components to match on:
  • Envelope – Header metadata used to transport the message
  • Subject – Email subject of the message (only applies to SMTP)
  • Body – The content of the message
  • Attachments – Any files attached to or transferred by the message
  Note: On the endpoint, the DLP Agent matches on the entire message, not on individual components. See Detection Messages and Message Components.
Also match one or more conditions. | Select this option to create a compound rule. All conditions must be met to report a match. You can Add any available condition from the list. See Configuring compound rules.

Enabling and using CJK token verification for server keyword matching
To use token verification for Chinese, Japanese, and Korean (CJK) languages you must enable it on the server and you
must use whole word matching for the keyword condition. In addition, there must be a sufficient amount of message text
for the system to recognize the language.
Keyword matching examples for CJK languages
Keyword token verification parameter lists and describes the detection server parameter that lets you enable token
verification for CJK languages.

Table 587: Keyword token verification parameter

Setting | Default | Description
Keyword.TokenVerifierEnabled | false | Default is disabled ("false"). If enabled ("true"), the server validates tokens for Chinese, Japanese, and Korean language keywords.

Enable keyword token verification for CJK describes how to enable and use token verification for CJK keywords.
Enable keyword token verification for CJK
1. Log on to the Enforce Server as an administrative user.
2. Navigate to the System > Servers and Detectors > Overview > Server/Detector Detail - Advanced Settings
screen for the detection server or detector you want to configure.
3. Locate the parameter Keyword.TokenVerifierEnabled.
4. Change the value to true from false (default).
Setting the server parameter Keyword.TokenVerifierEnabled = true enables token validation for CJK keyword
detection.
5. Save the detection server configuration.
6. Recycle the detection server.
7. Configure a keyword condition using whole word matching.
In the condition the option Match On whole word only is checked.

Configuring the Content Matches Keyword condition

Updating the Drug, Disease, and Treatment keyword lists for your HIPAA and
Caldicott policies
If you have created a policy derived from the HIPAA or Caldicott template and have not made any changes or
customizations to the derived policy, after upgrade you can create a new policy from the appropriate template and remove
the old policy from production. If you have made changes to a policy derived from either the HIPAA or Caldicott policy
template and you want to preserve these changes, you can copy the updated keyword lists from either the HIPAA or
Caldicott policy template and use the copied keyword lists to update your HIPAA or Caldicott policies.
About updates to the Drug, Disease, and Treatment keyword lists
Keep the keyword lists for your HIPAA and Caldicott policies up to date
To update the Drug, Disease, and Treatment keyword lists for HIPAA and Caldicott policies provides instructions for
updating the keyword lists for your HIPAA and Caldicott policies.
To update the Drug, Disease, and Treatment keyword lists for HIPAA and Caldicott policies
1. Create a new policy from a template and choose either the HIPAA or Caldicott template.
Creating a policy from a template
2. Edit the detection rules for the policy.
Configuring policy rules
3. Select the Patient Data and Drug Keywords (Keyword Match) rule.
4. Select the Content Matches Keyword condition.
5. Select all the keywords in the Match any Keyword data field and copy them to the Clipboard.
6. Paste the copied keywords to a text file named Drug Keywords.txt.
7. Cancel the rule edit operation to return to the policy Detection tab.
8. Repeat the same process for the Patient Data and Treatment Keywords (Keyword Match) rule.
9. Copy and paste the keywords from the condition to a text file named Treatment Keywords.txt.
10. Repeat the same process for the Patient Data and Disease Keywords (Keyword Match) rule.
11. Copy and paste the keywords from the condition to a text file named Disease Keywords.txt.
12. Update your HIPAA and Caldicott policies derived from the HIPAA or Caldicott templates using the keyword *.txt
files you created.
13. Test your updated HIPAA and Caldicott policies.

Best practices for using keyword matching


The Content Matches Keyword condition lets you match content using keywords, key phrases, and keyword lists or
dictionaries. On the server, the keyword rule matches on the header, subject, body and attachment message components,
and it supports cross-component matching. On the endpoint the keyword condition matches on the entire message.
Summary of keyword matching best practices summarizes the keyword matching best practices in this section.

Table 588: Summary of keyword matching best practices

Best practice: Enable linguistic validation for CJK keyword detection on the server.
More information: Enable token verification on the server to reduce false positives for CJK keyword detection

Best practice: Update keyword lists for your Caldicott and HIPAA policies.
More information: Keep the keyword lists for your HIPAA and Caldicott policies up to date

Best practice: Tune keyword validators to improve data identifier accuracy.
More information: Tune keywords lists for data identifiers to improve match accuracy

Best practice: Use VML to profile long keyword lists and dictionaries.
More information: Use VML to generate and maintain large keyword dictionaries

Best practice: Use keyword matching for metadata detection.
More information: Use keyword matching to detect document metadata

Enable token verification on the server to reduce false positives for CJK keyword
detection
Symantec Data Loss Prevention provides token validation for Chinese, Japanese, and Korean (CJK) languages. Token
validation is supported for detection servers and must be enabled.
About keyword matching for Chinese, Japanese, and Korean (CJK) languages
Token validation lets you match CJK keywords using whole word matching, and improves overall match accuracy for CJK
languages. Although there may be a slight performance hit, you should enable token verification for each detection server
where CJK keyword conditions are deployed. Once enabled you can use whole word matching for CJK keywords.
Enabling and using CJK token verification for server keyword matching

Keep the keyword lists for your HIPAA and Caldicott policies up to date
For each Symantec Data Loss Prevention release, the Drug, Disease, and Treatment keyword lists are updated based
on information from the U.S. Federal Drug Administration (FDA) and other sources. These keyword lists are used in the
HIPAA and HITECH (including PHI) and Caldicott Report policy templates.
About updates to the Drug, Disease, and Treatment keyword lists
If you have upgraded to the latest Data Loss Prevention version and you have existing policies derived from either the
HIPAA or Caldicott policy template, consider updating your HIPAA and Caldicott policies to use the Drug, Disease, and
Treatment keyword lists provided with this Data Loss Prevention version.
Updating the Drug, Disease, and Treatment keyword lists for your HIPAA and Caldicott policies

Tune keywords lists for data identifiers to improve match accuracy


Many data identifier definitions contain required keyword validators with pre-populated keyword lists. In addition, you can
add your own list of keywords to a data identifier rule. The best practice is to tune the keyword list using a keyword matching
condition before you add the keyword list to the data identifier condition as a required or optional validator.
Using pattern validators
To tune the keyword list, take the keywords you want to use for the validator and put them into a separate keyword
matching rule condition and policy. Then test the policy using data that should and should not match the keywords. The
keyword rule will let you see match highlighting and tune the keyword list. Once tested, you can add the keywords to the
data identifier and then test the data identifier policy to ensure accuracy.

Use keyword matching to detect document metadata
Symantec Data Loss Prevention supports metadata detection for certain document formats, such as DOCX and PDF.
Detection servers and DLP Agents support metadata detection.
If you want to detect document metadata, the recommendation is to enable it for the server or endpoint and use the
Content Matches Keyword condition to match metadata tags.

Use VML to generate and maintain large keyword dictionaries


Sometimes you may want to protect a long list or dictionary of keywords. An example might be a list of project code
names. You can use Vector Machine Learning (VML) to automate the detection of long keyword lists that are difficult
to generate, tune, and maintain. For example, you could generate a VML profile based on a collection of documents
containing the keywords you want to detect. If you want to detect common words, remove them from the VML stopword
file.
Best practices for using VML

Introducing regular expression matching


Data Loss Prevention provides the Content Matches Regular Expression policy match condition to match message
content using the regular expression pattern language.
Regular expressions provide a mechanism for identifying strings of text, such as particular characters, words, or patterns
of characters. You can use the regular expression condition to match (or exclude from matching) characters, patterns, and
strings. Unique match counting is supported for regular expressions.
Using unique match counting
Configuring the Content Matches Regular Expression condition
Best practices for using regular expression matching

About the updated regular expression engine


Detection servers and endpoint agents use a common regular expression engine. This common engine performs regular
expression evaluation at a faster rate than previous engines. You will also notice performance improvements when you
have DLP policy sets with many regex rules, since adding more rules doesn't incur much of a performance cost.

About writing regular expressions for policy condition matching


Symantec Data Loss Prevention implements a subset of PCRE regular expression syntax for policy condition matching.
The following table provides some reference constructs for writing regular expressions to match or exclude characters in
messages or message components.
See Introducing regular expression matching.
NOTE
Data Identifier pattern matching is based on standard PCRE syntax. For more information see About data
identifier patterns.

Table 589: Regular expression constructs for policy condition matching

Construct   Description
.           Any single character
\d          Any digit (0-9)
\s          Any white space
\w          Any word character (a-z, A-Z, 0-9, _)
\D          Anything other than a digit
\S          Anything other than white space
[]          Elements inside brackets are a character class (For example, [abc] matches 1 character: a, b, or c.)
^           At the beginning of a character class, negates it (For example, [^abc] matches anything except a, b, or c.)
+           Following a regular expression means 1 or more (For example, \d+ means 1 or more digits.)
?           Following a regular expression means 0 or 1 (For example, \d? means 1 or no digits.)
*           Following a regular expression means any number (For example, \d* means 0, 1, or more digits.)
(?i)        At the beginning of a regular expression makes the expression case-insensitive (Regular expressions are case-sensitive by default.)
(?: )       Groups regular expressions together (The ?: is a slight performance enhancement.)
(?u)        Makes a period (.) match even newline characters
|           Means OR (For example, A|B means regular expression A or regular expression B.)

Configuring the Content Matches Regular Expression condition


You use the Content Matches Regular Expression condition to match (or exclude from matching) characters, patterns,
and strings using regular expressions.
Introducing regular expression matching
To configure the Content Matches Regular Expression condition
1. Add a Content Matches Regular Expression condition to a policy, or edit an existing one.
Configuring policies
Configuring Policy Rules
Configuring policy exceptions
2. Configure the Content Matches Regular Expression condition parameters.
Content Matches Regular Expression parameters

3. Save the policy configuration.

Table 590: Content Matches Regular Expression parameters

Action Description

Match regex.
    Specify a regular expression to be matched.
    About writing regular expressions

Configure match counting.
    Configure how you want to count matches.
    Configuring Match Counting
    Check for existence reports a match count of 1 if there are one or more matches. For compound rules or exceptions, all conditions must be configured this way.
    Count all matches reports the sum of all matches; applies if any condition uses this parameter.

Match on one or more message components.
    Configure cross-component matching by selecting one or more message components to match on.
    • Envelope – The header of the message, transport metadata.
    • Subject – The email subject (only applies to email messages).
    • Body – The content of the message.
    • Attachments – The content of any files that are attached to or transported by the message.
    Selecting components to match on

Also match one or more other conditions.
    Select this option to create a rule. All conditions must match to trigger or except an incident.
    You can Add any available condition from the list.
    Configuring compound rules

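The constructs from Table 589 and the two match-counting modes from Table 590 (the same Check for existence and Count all matches options described under Configuring Match Counting above), as an added JavaScript example that is not part of the Symantec documentation or product. It assumes a message is one plain string, that in count-all mode an incident is reported once the match count reaches the configured threshold (default 1, mirroring the "at least 1 matches" default), and that JavaScript's `i` flag stands in for the inline `(?i)` prefix used on the DLP condition, which JavaScript's RegExp does not accept. The sample message and the account references in it are constructed, and `countMatches` and `compoundRuleFires` are names of my own.

```javascript
// Added example, not Symantec's code: evaluate a regular expression condition against a
// message under the two match-counting modes (check for existence / count all matches).
// Assumptions: the message is one plain string; in "countAll" mode the condition reports an
// incident when the match count reaches the configured threshold (default 1); the "i" flag
// stands in for the inline (?i) prefix used on the DLP condition, which JavaScript lacks.

// Constructed sample message; the account references in it are made up.
const SAMPLE_MESSAGE = [
  "Subject: Q3 statements",
  "Please review acct-10293 and ACCT-55812 before Friday.",
  "Reference acct-777 is only three digits long.",
].join("\n");

// Constructs from the table: (?: ) grouping, | alternation, [ ] character class,
// ? zero-or-one and \d+ one-or-more digits. Kept as a string so flags can be set separately.
// Note that \d+ also accepts the three-digit "acct-777": the kind of over-match that the
// best practices say to find by testing before deployment.
const ACCOUNT_PATTERN = "(?:acct|account)[ -]?\\d+";

// mode is "existence" (report 1 if anything matched) or "countAll" (report every match).
function countMatches(pattern, text, mode, threshold = 1) {
  const re = new RegExp(pattern, "gi"); // g: walk the whole message; i: case-insensitive
  const matches = [];
  let m;
  while ((m = re.exec(text)) !== null) {
    matches.push(m[0]);
    if (m[0].length === 0) re.lastIndex += 1; // never loop on a zero-width match
  }
  if (mode === "existence") {
    const hit = matches.length > 0;
    return { matchCount: hit ? 1 : 0, incident: hit, matches };
  }
  return { matchCount: matches.length, incident: matches.length >= threshold, matches };
}

// Compound rule: an incident is reported only when every condition matches, each one
// configured for "check for existence" as the table requires.
function compoundRuleFires(patterns, text) {
  return patterns.every((p) => countMatches(p, text, "existence").incident);
}
```

Run against the constructed message, existence mode reports a count of 1, count-all mode reports 3 (so a threshold of 4 would suppress the incident), and the compound rule fires only when every condition has at least one match.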
Best practices for using regular expression matching


This section provides considerations for implementing the Content Matches Regular Expression match condition in your
Data Loss Prevention policies.
Introducing regular expression matching
Regular expressions best practices summarizes the regular expression matching best practices in this section.

Table 591: Regular expressions best practices

Best practice Description

Use Data Identifiers instead of regular expressions where possible.
    Use regular expressions sparingly to support efficient performance

Use regular expressions sparingly to support efficient policy performance.
    Test regular expressions before deployment to improve accuracy

Use look ahead and behind characters to improve regular expression performance.
    Use look ahead and look behind characters to improve regular expression accuracy

Test regular expressions for accuracy and performance.
    Test regular expressions before deployment to improve accuracy

When to use regular expression matching


Data Identifiers are more efficient than regular expressions because the Data Identifier patterns are tuned for accuracy
and the data is validated. For example, if you want to search for social security numbers, use the US Social Security
Number (SSN) Data Identifier instead of a regular expression.

The regular expression condition is useful for matching or excepting unique data types for which there are no system-
provided Data Identifiers. Examples of these include internal account numbers and data types that can vary greatly in
length, such as email addresses.

Use look ahead and look behind characters to improve regular expression
accuracy
Symantec Data Loss Prevention implements a significant enhancement to improve the performance of regular
expressions. To achieve improved regular expression performance, the look ahead and look behind sections must exactly
match one of the supported standard sections.
Look ahead and look behind standard sections lists the standard look ahead and look behind sections that this
performance improvement supports. If either section differs even slightly, that section is executed as part of the regular
expression without the performance improvement.
About writing regular expressions

Table 592: Look ahead and look behind standard sections

Operation Construct

Look ahead    (?=(?:[^-\w])|$)
Look behind   (?<=(^|(?:[^)+\d][^-\w+])))
              and
              (?<=(^|(?:[^)+\d][^-\w+])|\t))

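The standard sections from Table 592 wrapped around a constructed internal-ID pattern, as an added JavaScript example that is not Symantec's code. Node.js (V8) accepts the alternation inside the look behind, so the sections run exactly as written on the page; `findWithStandardLookaround` and `usesStandardSections` are helper names assumed here, and the `ID-dddd` pattern and the sample strings are constructed. The second helper is the pre-deployment check the text implies: a section that differs from the standard text by even one character is not the standard section.

```javascript
// Added example, not Symantec's code. The three section strings are copied verbatim from
// the table; the core pattern and sample strings are constructed.
const LOOK_AHEAD = "(?=(?:[^-\\w])|$)";
const LOOK_BEHIND = "(?<=(^|(?:[^)+\\d][^-\\w+])))";
const LOOK_BEHIND_TAB = "(?<=(^|(?:[^)+\\d][^-\\w+])|\\t))";

// Wrap a core pattern (a string, e.g. "ID-\\d{4}") in the standard sections and return
// every match. The look behind requires start of input or two preceding characters, the
// first not ")", "+" or a digit and the second not "-", "+" or a word character; the look
// ahead requires end of input or a following character that is neither "-" nor a word
// character. Without the m flag, ^ and $ mean start and end of the whole string.
function findWithStandardLookaround(core, text) {
  const re = new RegExp(LOOK_BEHIND + core + LOOK_AHEAD, "g");
  const found = [];
  let m;
  while ((m = re.exec(text)) !== null) {
    found.push(m[0]); // m[0] is the core match only; lookaround text is not consumed
    if (m[0].length === 0) re.lastIndex += 1;
  }
  return found;
}

// True only when the expression source starts with one of the two standard look behind
// sections and ends with the standard look ahead section, character for character.
function usesStandardSections(source) {
  const behindOk = source.startsWith(LOOK_BEHIND) || source.startsWith(LOOK_BEHIND_TAB);
  return behindOk && source.endsWith(LOOK_AHEAD);
}

// Constructed samples: the ID inside a longer token, with a trailing digit, with a
// hyphenated suffix, or preceded by a digit two characters back is rejected.
const SAMPLES = {
  plain: "Ticket ID-1234 closed",      // matches
  alone: "ID-1234",                    // matches via ^ and $
  inParens: "see (ID-1234).",          // matches: "(" and ")" are allowed neighbours
  prefixed: "XID-1234",                // rejected: only one character precedes the ID
  trailingDigit: "ID-12345",           // rejected by the look ahead
  hyphenSuffix: "ID-1234-5",           // rejected by the look ahead
  digitBefore: "1 ID-1234",            // rejected: a digit two characters back
  two: "ID-1111 and ID-2222",          // both match
};
```

The `digitBefore` sample is the edge case worth remembering: the first class of the look behind excludes a digit two positions before the match, so a standard-section expression does not match an ID that directly follows a single digit and a space.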
Use regular expressions sparingly to support efficient performance


Regular expressions can be computationally expensive. If you add a regular expression condition, observe the system for
one hour. Make sure that the system does not slow down and that there are no false positives.

Test regular expressions before deployment to improve accuracy


If you implement regular expression matching, consider using a third-party tool to test the regular expressions before you
deploy the policy rules to production. The recommended tool is RegexBuddy. Another good tool for testing your regular
expressions is RegExr.

Detecting non-English language content


Symantec Data Loss Prevention detection features support many localized versions of Microsoft Windows operating
systems. To use international character sets, the Windows system on which you view the Enforce Server administration
console must have the appropriate capabilities.

You can create policies and detect violations using any supported language. You can use localized keywords, regular
expressions, and Data Profiles to detect data loss. In addition, Symantec Data Loss Prevention offers several international
data identifiers and policy templates for protecting confidential data.
Best practices for detecting non-English language content

Best practices for detecting non-English language content


The following topics provide best practices for implementing non-English language content detection.

Use international policy templates for policy creation
Use custom keywords for system data identifiers
Enable token validation to match Chinese, Japanese, and Korean keywords on the server

Use international policy templates for policy creation


Symantec Data Loss Prevention provides several international policy templates that you can quickly deploy in your
enterprise.
Creating a policy from a template

Table 593: International policy templates

Canadian Social Insurance Numbers
    This policy detects patterns indicating Canadian social insurance numbers.
    Canadian Social Insurance Numbers policy template
Caldicott Report
    This policy protects UK patient information.
    Caldicott Report policy template
UK Data Protection Act 1998
    This policy protects personal identifiable information.
    Data Protection Act 1998 policy template
EU Data Protection Directives
    This policy detects personal data specific to the EU directives.
    Data Protection Directives (EU) policy template
UK Human Rights Act 1998
    This policy enforces Article 8 of the act for UK citizens.
    Human Rights Act 1998 policy template
PIPEDA (Canada)
    This policy detects Canadian citizen customer data.
    PIPEDA policy template
SWIFT Codes (International banking)
    This policy detects codes that banks use to transfer money across international borders.
    SWIFT Codes policy template
UK Drivers License Numbers
    This policy detects UK Drivers License Numbers.
    UK Drivers License Numbers policy template
UK Electoral Roll Numbers
    This policy detects UK Electoral Roll Numbers.
    UK Electoral Roll Numbers policy template
UK National Insurance Numbers
    This policy detects UK National Insurance Numbers.
    UK National Insurance Numbers policy template
UK National Health Service Number
    This policy detects personal identification numbers issued by the NHS.
    UK National Health Service (NHS) Number policy template
UK Passport Numbers
    This policy detects valid UK passports.
    UK Passport Numbers policy template
UK Tax ID Numbers
    This policy detects UK Tax ID Numbers.
    UK Tax ID Numbers policy template

Use custom keywords for system data identifiers


Data identifiers offer broad support for detecting international content.
Introducing data identifiers

Some international data identifiers offer a wide breadth of detection only. In this case you can implement the Find
Keywords optional validator to narrow the scope of detection. Implementing this optional validator may help you eliminate
any false positives that your policy matches.
Selecting a data identifier breadth
The following table provides keywords for several international data identifiers.
To use international keywords for system data identifiers
1. Create a policy using one of the system-provided international data identifiers that is listed in the table.
International data identifiers and keyword lists
2. Select the Find Keywords optional validator.
Configuring the Content Matches data identifier condition
3. Copy and paste the appropriate comma-separated keywords from the list to the Find Keywords optional validator field.
Configuring optional validators
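Narrowing a data identifier with a Find Keywords optional validator, and first exercising the keyword list on its own against data that should and should not match (the tuning procedure under Tune keywords lists for data identifiers to improve match accuracy above), as an added JavaScript example that is not Symantec's code. The 11-digit number pattern is a constructed stand-in and not the product's Belgian National Number data identifier; the keyword list is the French one for that identifier from Table 594 below; and the validator is assumed to pass when at least one listed keyword occurs anywhere in the message, case-insensitively. `findKeywords`, `parseKeywordList` and `evaluateWithKeywordValidator` are names of my own, and the sample messages are constructed.

```javascript
// Added example, not Symantec's code: a data identifier narrowed by a Find Keywords
// validator, with the keyword list exercised on its own so it can be tuned first.
// Assumptions: the number pattern below is a constructed stand-in (not the product's
// Belgian National Number data identifier); the validator passes when at least one
// keyword from the comma-separated list occurs anywhere in the text, case-insensitively.

// Keyword list for the Belgian National Number data identifier, copied from Table 594.
const FIND_KEYWORDS =
  "Numéro national, numéro de sécurité, numéro d'assuré, identifiant national, identifiantnational#, Numéronational#";

// Constructed stand-in pattern: 11 digits, optionally written as dd.dd.dd-ddd.dd.
const NUMBER_PATTERN = /\b\d{2}\.?\d{2}\.?\d{2}-?\d{3}\.?\d{2}\b/g;

// Constructed sample messages (the numbers are made up).
const SAMPLE_WITH_KEYWORD = "Numéro national: 85.07.30-033.28 pour le dossier 42";
const SAMPLE_NUMBER_ONLY = "Order 85073003328 shipped on Monday"; // fits the pattern, no keyword
const SAMPLE_KEYWORD_ONLY = "Le numéro d'assuré est manquant";

function parseKeywordList(list) {
  // The Find Keywords field is comma separated; trim entries and drop empty ones.
  return list.split(",").map((k) => k.trim()).filter((k) => k.length > 0);
}

// Tuning step: run the keyword list alone against sample data and return which keywords
// hit, the same information match highlighting gives you in a keyword-only test policy.
function findKeywords(list, text) {
  const lower = text.toLowerCase();
  return parseKeywordList(list).filter((k) => lower.includes(k.toLowerCase()));
}

// Detection step: the data identifier fires only if the pattern matches AND the
// validator passes, which drops the bare-number false positive.
function evaluateWithKeywordValidator(text) {
  const numbers = text.match(NUMBER_PATTERN) || [];
  const keywords = findKeywords(FIND_KEYWORDS, text);
  return { numbers, keywords, incident: numbers.length > 0 && keywords.length > 0 };
}
```

The order-number sample shows the point of the validator: the digits alone satisfy the pattern, but with no keyword in the message no incident is reported.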

Table 594: International data identifiers and keyword lists

Data Identifier Language Keywords English Translation

Argentina Tax Identification Number (Spanish)
    Keywords: Número de Identificación Fiscal, número de contribuyente, Número de identificación fiscal Argentina, Argentina número de contribuyente
    English translation: Tax identification number, taxpayer number, Argentina tax identification number, Argentina taxpayer number

Austria Passport Number (German)
    Keywords: REISEPASS, ÖSTERREICHISCH REISEPASS, reisepass
    English translation: Passport, Austrian passport

Austria Tax Identification Number (German)
    Keywords: Österreich, Steuernummer
    English translation: Austria, tax number

Austria Value Added Tax (VAT) Number (German)
    Keywords: MwSt, Umsatzsteuernummer, MwSt Nummer, Ust.-Identifikationsnummer, umsatzsteuer, Umsatzsteuer-Identifikationsnummer
    English translation: VAT, sales tax number, VAT number, VAT identification number, sales tax, UID number

Austrian Social Security Number (German)
    Keywords: sozialversicherungsnummer, soziale sicherheit kein, Versicherungsnummer, Österreichischen SSN, Österreichischen Sozialversicherungs
    English translation: Social insurance number, social security number, insurance number, Austrian SSN, Austrian social insurance

Belgian National Number (French)
    Keywords: Numéro national, numéro de sécurité, numéro d'assuré, identifiant national, identifiantnational#, Numéronational#
    English translation: National number, security number, number of insured, national identification, national identification #, national number #


Belgium Driver's License Number (German, French, Frisian)
    Keywords: Führerschein, Fuhrerschein, Fuehrerschein, Führerscheinnummer, Fuhrerscheinnummer, Fuehrerscheinnummer, Führerscheinnummer, Fuhrerscheinnummer, Fuehrerscheinnummer, Führerschein- Nr, Fuhrerschein- Nr, Fuehrerschein- Nr, permis de conduire, rijbewijs, Rijbewijsnummer, Numéro permis conduire
    English translation: Driver's license, driver's license number, driving permit, driving permit number

Belgium Passport Number (Dutch, German, French)
    Keywords: Paspoort, paspoort, paspoortnummer, Reisepass kein, Reisepass, Passnummer, Passeport, Passeport livre, Passeport carte, numéro passeport
    English translation: Passport, passport number, passport book, passport card

Belgium Tax Identification Number (Dutch, German, French)
    Keywords: Numéro de registre national, numéro d'identification fiscale, belasting aantal, Steuernummer
    English translation: National registry number, tax identification number, tax number

Belgium Value Added Tax (VAT) Number (German, French)
    Keywords: Numéro T.V.A, Umsatzsteuer-Identifikationsnummer, Umsatzsteuernummer
    English translation: VAT number, tax identification number

Brazilian Election Identification Number (Brazilian Portuguese)
    Keywords: número identificação, identificação do eleitor, ID eleitor eleição, número identificação eleitoral, Número identificação eleitoral brasileira, IDeleitoreleição#
    English translation: Identification number, voter identification, electoral identification number, Brazilian electoral identification number

Brazilian National Registry of Legal Entities Number (Brazilian Portuguese)
    Keywords: Brasileira ID Legal, entidades jurídicas ID, Registro Nacional de Pessoas Jurídicas n º, BrasileiraIDLegal#

Brazilian Natural Person Registry Number (Brazilian Portuguese)
    Keywords: Cadastro de Pessoas Físicas, Brasileiro Pessoa Natural Número de Registro, pessoa natural número de registro, pessoas singulares registro NO

British Columbia Personal Healthcare Number (French)
    Keywords: MSP nombre, soins de santé no, soins de santé personnels nombre, MSPNombre#, soinsdesanténo#
    English translation: MSP Number, MSP no, personal healthcare number, Healthcare No, PHN


Bulgaria Value Added Tax (VAT) Number (Bulgarian)
    Keywords: номер на таксата, ДДС, ДДС#, ДДС номер., ДДС номер.#, номер на данъка върху добавената стойност, данък върху добавената стойност, ДДС номер
    English translation: Fee number, VAT, VAT number, value added tax

Bulgarian Uniform Civil Number - EGN (Bulgarian)
    Keywords: Униформ граждански номер, Униформ ID, Униформ граждански ID, Униформ граждански не., български Униформ граждански номер, УниформгражданскиID#, Униформгражданскине.#
    English translation: Uniform civil number, Uniform ID, Uniform civil ID, Bulgarian uniform civil number

Burgerservicenummer (Dutch)
    Keywords: Persoonsnummer, sofinummer, sociaal-fiscaal nummer, persoonsgebonden
    English translation: person number, social-fiscal number (abbreviation), social-fiscal number, person-related number

Canada Driver's License Number (French)
    Keywords: permis de conduire
    English translation: Driver's license

Canada Passport Number (French)
    Keywords: numéro passeport, No passeport, passeport#
    English translation: Passport number, passport no., passport#

Canada Permanent Resident (PR) Number (French)
    Keywords: numéro résident permanent, résident permanent non, résident permanent no., carte résident permanent, numéro carte résident permanent, pr non
    English translation: permanent resident number, permanent resident no, permanent resident number, permanent resident card, permanent resident card number, pr no

Chilean National Identification Number (Spanish)
    Keywords: Chilena número identificación, nacional identidad, número identificación, número identificación nacional, identidad número, NúmerodeIdentificación#, Identidadchilenano#, Rol Único Nacional, RolÚnicoNacional#, nacionalidentidad#
    English translation: Chilean identification number, national identity, identification number, national identification number, identity number, Unique National Role

China Passport Number (Chinese)
    Keywords: ####, ##, ###
    English translation: Chinese passport, passport, passport book

Codice Fiscale (Italian)
    Keywords: codice fiscal, dati anagrafici, partita I.V.A., p. iva
    English translation: tax code, personal data, VAT number, VAT number

Columbian Addresses (Spanish)
    Keywords: Calle, Cll, Carrera, Cra, Cr, Avenida, Av, Diagonal, Diag, Tv, Trans, Transversal, vereda
    English translation: Street, St, Career, Avenue, Diagonal, Dg, Transversal, sidewalk

Columbian Cell Phone Number (Spanish)
    Keywords: numero celular, número de teléfono, teléfono celular no., numero celular#
    English translation: Cellular number, telephone number, cellular telephone number


Columbian Personal Identification Number (Spanish)
    Keywords: cedula, cédula, c.c., c.c, C.C., C.C, cc, CC, NIE., NIE, nie., nie, cedula de ciudadania, cédula de ciudadanía, cc#, CC #, documento de identificacion, documento de identificación, Nit.
    English translation: Identification card, citizenship card, identification document

Columbian Tax Identification Number (Spanish)
    Keywords: NIT., NIT, nit., nit, Nit.
    English translation: TIN (tax identification number)

Croatia National Identification Number (Croatian)
    Keywords: Osobna iskaznica, Nacionalni identifikacijski broj, osobni ID, osobni identifikacijski broj, porez iskaznica, porezni broj, porezni identifikacijski broj, porez kod, šifra poreznog obveznika
    English translation: Personal ID, national identification number, personal ID, personal identification number, tax identification card, tax number, tax identification number, tax code, taxpayer code

Cyprus Tax Identification Number (Turkish, Greek)
    Keywords: αριθμός φορολογικού μητρώου, Vergi Kimlik Numarası, vergi numarası, Kıbrıs TIN numarası
    English translation: Tax identification number, tax number, TIN number, Cyprus TIN number

Cyprus Value Added Tax (VAT) Number (Turkish, Greek)
    Keywords: KDV, kdv#, KDV numarası, Katma değer Vergisi, Φόρος Προστιθέμενης Αξίας
    English translation: VAT, VAT number, value added tax

Czech Republic Driver's Licence Number (Czech)
    Keywords: řidičský průkaz, řidičský prúkaz, číslo řidičského průkazu, řidičské číslo řidičů, ovladače lic., Číslo licence řidiče, Řidičský průkaz, povolení řidiče, řidiči povolení, povolení k jízdě, číslo licence
    English translation: Driving license, driver's license number, driving license number, driver's lic., driver license number, driver's permit

Czech Republic Personal Identification Number (Czech)
    Keywords: Česká Osobní identifikační číslo, Osobní identifikační číslo., identifikační číslo, čeština identifikační číslo
    English translation: Czech Personal Identification Number, personal identification number, Czech identification number

Czech Republic Tax Identification Number (Czech)
    Keywords: osobní kód, Národní identifikační číslo, osobní identifikační číslo, cínové číslo, daňové identifikačné číslo, daňový poplatník id
    English translation: Personal code, national identification number, personal identification number, TIN number, tax identification number, taxpayer ID

Czech Republic Value Added Tax (VAT) Number (Czech)
    Keywords: číslo DPH, Daň z přidané hodnoty, Dan z pridané hodnoty, Daň přidané hodnoty, Dan pridané hodnoty, DPH, DIC, DIČ
    English translation: VAT number, value added tax, VAT


Denmark Personal Identification Number (Danish)
    Keywords: Nationalt identifikationsnummer, personnummer, unikt identifikationsnummer, identifikationsnummer, centrale personregister, cpr, cpr-nummer, cpr#, cpr-nummer#, identifikationsnummer#, personnummer#
    English translation: National identification number, personal number, unique identification number, identification number, central registry of persons, CPR number

Denmark Value Added Tax (VAT) Number (Danish)
    Keywords: moms, momsnummer, moms identifikationsnummer, merværdiafgift
    English translation: VAT number, vat, value added tax number, vat identification number

Estonia Driver's Licence Number (Estonian)
    Keywords: juhiluba, JUHILUBA, juhiluba number, juhiloa number, Juhiluba, juhi litsentsi number
    English translation: Driving license, driving license number, driver's license number, license number

Estonia Passport Number (Estonian)
    Keywords: Pass, pass, passi number, pass nr, pass#, Pass nr, Eesti passi number
    English translation: Passport, passport number, Estonian passport number

Estonia Personal Identification Code (Estonian)
    Keywords: isikukood, isikukood#, IK, IK#, maksu ID, maksukohustuslase identifitseerimisnumber, maksukood, maksukood#, maksuID#, maksumaksja kood, maksumaksja identifitseerimisnumber
    English translation: Personal identification code, tax ID, taxpayer identification number, tax identification number, tax code, taxpayer code

Estonia Value Added Tax (VAT) Number (Estonian)
    Keywords: käibemaksu registreerimisnumber, käibemaksu, Käibemaksu number, käibemaks, käibemaks#, käibemaksu#
    English translation: VAT registration number, VAT, VAT number


European Health Insurance Card Number (Croatian, Danish, Estonian, Finnish, French, German, Irish, Italian, Luxembourgish, Polish, Slovenian, Spanish)
    Keywords: numero conto medico, tessera sanitaria assicurazione numero, carta assicurazione numero, Krankenversicherungsnummer, assicurazione sanitaria numero, medisch rekeningnummer, ziekteverzekeringskaartnummer, verzekerings kaart nummer, gezondheidskaart nummer, gezondheidskaart, medizinische Kontonummer, Krankenversicherungskarte Nummer, Versicherungsnummer, Gesundheitskarte Nummer, Gesundheitskarte, arstliku konto number, ravikindlustuse kaardi number, tervisekaart, tervisekaardi number, Uimhir ehic, tarjeta salud, broj kartice zdravstvenog osiguranja, kartice osiguranja broj, zdravstvenu karticu, zdravstvene kartice broj, ehic broj, numero tessera sanitaria, numero carta di assicurazione, tessera sanitaria, numero ehic, Gesondheetskaart, ehic nummer, numer rachunku medycznego, numer karty ubezpieczenia zdrowotne, numer karty ubezpieczenia, karta zdrowia, numer karty zdrowia, numer ehic, sairausvakuutuskortin numero, vakuutuskortin numero, terveyskortti, terveyskortin numero, medicinsk kontonummer, ehic numeris, medizinescher Konto Nummer, zdravstvena izkaznica
    English translation: Medical account number, health insurance card number, insurance card number, health insurance number, medical account number, health card number, health card, insurance number, EHIC number

Finland Driver's License Number (Finnish, Swedish)
    Keywords: permis de conduire, ajokortti, ajokortin numero, kuljettaja lic., körkort, körkort nummer, förare lic.
    English translation: Driver's license, driver's license number, driver's lic.


Finland European Health Insurance Number (Finnish)
    Keywords: Suomi EHIC-numero, Sairausvakuutuskortti, sairaanhoitokortin, Sjukförsäkringskort, sairaanhoitokortin, Suomen sairausvakuutuskortti, Finska sjukförsäkringskort, Terveyskortti, Hälsokort, ehic#, sairausvakuutusnumero, sjukförsäkring nummer
    English translation: Finland EHIC number, sickness insurance card, health insurance card, EHIC, Finnish health insurance card, ehic, Health Card, Survival Card, health insurance number

Finland Passport Number (Finnish)
    Keywords: Suomen passin numero, suomalainen passi, passin numero, passin numero.#, passin numero#, passin numero, passin numero., passin numero#, passi#
    English translation: Finnish passport number, Finnish passport, passport number, passport number, passport #

Finland Tax Identification Number (Finnish)
    Keywords: verotunniste, verokortti, verotunnus, veronumero
    English translation: Tax identification number, tax card, tax ID, tax number

Finland Value Added Tax (VAT) Number (Finnish)
    Keywords: arvonlisäveronumero, ALV, arvonlisäverotunniste, ALV nro, ALV numero, alv
    English translation: VAT number, VAT, VAT identification number

Finnish Personal Identification Number (Finnish)
    Keywords: tunnistenumero, henkilötunnus, yksilöllinen henkilökohtainen tunnistenumero, Ainutlaatuinen henkilökohtainen tunnus, identiteetti numero, Suomen kansallinen henkilötunnus, henkilötunnusnumero#, kansallisen tunnistenumero, tunnusnumero, kansallinen tunnus numero
    English translation: Identification number, personal identification number, unique personal identification number, identity number, Finnish personal identification number, national identification number

France Driver's License Number (French)
    Keywords: permis de conduire
    English translation: Driver's license

France Health Insurance Number (French)
    Keywords: carte vitale, carte d'assuré social
    English translation: Health card, social insurance card

France Tax Identification Number (French)
    Keywords: numéro d'identification fiscale
    English translation: Tax identification number

France Value Added Tax (VAT) Number (French)
    Keywords: Numéro d'identification taxe sur valeur ajoutée, Numéro taxe valeur ajoutée, taxe valeur ajoutée, Taxe sur la valeur ajoutée, Numéro de TVA intracommunautaire, n° TVA, numéro de TVA, Numéro de TVA en France, français numéro de TVA, Numéro d'identification SIREN
    English translation: Value added tax identification number, value added tax number, value added tax, VAT number, French VAT number, SIREN identification number

French INSEE Code (French)
    Keywords: INSEE, numéro de sécu, code sécu
    English translation: INSEE, social security number, social security code

1142
Data Identifier Language Keywords English Translation

French Passport Number French Passeport français, French passport, passport, passport
Passeport, Passeport livre, book, passport card, passport number
Passeport carte, numéro
passeport
French Social Security French sécurité sociale non., Social secuty number, social security
Number sécurité sociale numéro, code, insurance number
code sécurité sociale,
numéro d'assurance,
sécuritésocialenon.#,
sécuritésocialeNuméro#
German Passport Number German Reisepass kein, Reisepass, Passport number, passport, German
Deutsch Passnummer, passport number, passport number
Passnummer, Reisepasskein#,
Passnummer#
German Personal ID German persönliche Personal identification number, ID
Number identifikationsnummer, number, Germane personal ID number,
ID-Nummer, Deutsch personal ID number, clear ID number,
persönliche-ID- personal number, identity number,
Nummer, persönliche ID insurance number
Nummer, eindeutige ID-
Nummer, persönliche
Nummer,identität nummer,
Versicherungsnummer,
persönlicheNummer#,
IDNummer#
Germany Driver's License German Führerschein, Fuhrerschein, Driver's license, driver's license
Number Fuehrerschein, number
Führerscheinnummer,
Fuhrerscheinnummer,
Fuehrerscheinnummer,
Führerscheinnummer,
Fuhrerscheinnummer,
Fuehrerscheinnummer,
Führerschein- Nr,
Fuhrerschein- Nr,
Fuehrerschein- Nr
Germany Value Added Tax German Mehrwertsteuer, Value added tax, value added tax
(VAT) Number MwSt, Mehrwertsteuer identification number, value added tax
Identifikationsnummer, number
Mehrwertsteuer nummer
Greece Passport Number Greek λλάδα pasport αριθμός, Greece passport number, Greece
Ελλάδα pasport όχι., passport no., passport, Greece
Ελλάδα Αριθμός Διαβατηρίου, passport, passport book
διαβατήριο, Διαβατήριο,
ΕΛΛΑΔΑ ΔΙΑΒΑΤΗΡΙΟ,
Ελλάδα Διαβατήριο, ελλάδα
διαβατήριο, Διαβατήριο
Βιβλίο, βιβλίο διαβατηρίου
Greece Social Security Greek Αριθμού Μητρώου Κοινωνικής Social security number
Number (AMKA) Ασφάλισης

1143
Data Identifier Language Keywords English Translation

Greece Value Added Tax Greek FPA, fpa, Foros VAT, value added tax, tax identification
(VAT) Number Prostithemenis Axias, number
arithmós dexamenís, Fóros
Prostithémenis Axías,
μέγας κάδος, ΦΠΑ, Φ Π
Α, Φόρος Προστιθέμενης
Αξίας, ΦΟΡΟΣ ΠΡΟΣΤΙΘΕΜΕΝΗΣ
ΑΞΙΑΣ, φόρος προστιθέμενης
αξίας, Arithmos Forologikou
Mitroou, Α.Φ.Μ, ΑΦΜ
Greek Tax Identification Greek Αριθμός Φορολογικού Tax identification number, TIN, tax
Number Μητρώου, AΦΜ, Φορολογικού registry number
Μητρώου Νο., τον αριθμό
φορολογικού μητρώου
Hong Kong ID Chinese (Traditional) ### , ### Identity card, Hong Kong permanent
resident ID Card
Hungary Driver's Licence Hungarian jogosítvány, License, driver's lic, driver's license,
Number Illesztőprogramok Lic, number of licenses, driving license
jogsi, licencszám, vezetői
engedély, VEZETŐI ENGEDÉLY,
vezető engedély, VEZETŐ
ENGEDÉLY
Hungary Passport Number French, Hungarian útlevél, Magyar Passport, Hungarian passport number,
útlevélszám, útlevél passport book, number, passport
könyv, nombre, numéro de number
passeport, hongrois, numéro
de passeport hongrois
Hungarian Social Security Hungarian Magyar Hungarian social security number,
Number társadalombiztosítási szám, social security number, social security
Társadalombiztosítási szám, ID, social security code
társadalombiztosítási ID,
szociális biztonsági kódot,
szociális biztonság nincs.,
társadalombiztosításiID#
Hungarian Tax Hungarian Magyar adóazonosító jel Hungarian tax identification tumber,
Identification Number no, adóazonosító szám, tax identification number, Hungarian
magyar adószám, Magyar tax number, Hungarian tax authority
adóhatóság no., azonosító number, tax number, tax authority
szám, adóazonosító no., number
adóhatóság no
Hungarian VAT Number Hungarian Közösségi adószám, Value added tax identification number,
Általános forgalmi adó sales tax number, value added tax,
szám, hozzáadottérték adó, Hungarian value added tax number
magyar Közösségi adószám
Iceland National Icelandic kennitala, persónuleg Social security number, personal
Identification Number kennitala, galdur identification number, magic number,
númer, skattanúmer, tax code, taxpayer code, taxpayer ID
skattgreiðenda kóða, number
kennitala skattgreiðenda
Iceland Passport Number Icelandic vegabréf, vegabréfs númer, Passport, passport number, passport
Vegabréf Nei, vegabréf# no.

1144
Data Identifier Language Keywords English Translation

Iceland Value Added Tax Icelandic virðisaukaskattsnúmer, vsk VAT number


(VAT) Number númer
Indonesian Identity Card Indonesian, Kartu Tanda Penduduk Identity card number, card number,
Number Portuguese nomor, número do cartão, Indonesian identity card number, card
Kartu identitas Indonesia no., Indonesian identity card number,
no, kartu no., Kartu ID number
identitas Indonesia nomor,
Nomor Induk Kependudukan,
númerodocartão,kartuno.,
KartuidentitasIndonesiano
International Bank Account French Code IBAN, numéro IBAN IBAN Code, IBAN number
Number (IBAN) Central
International Bank Account French Code IBAN, numéro IBAN IBAN Code, IBAN number
Number (IBAN) East
International Bank Account French Code IBAN, numéro IBAN IBAN Code, IBAN number
Number (IBAN) West
Ireland Passport Number Irish irelande passeport, Éire Ireland passport, passport number,
pas, no de passeport, pas passport
uimh, uimhir pas, numéro de
passeport
Ireland Tax Identification Irish uimhir carthanachta, Uimhir Charity number, charity registration
Number chláraithe charthanais, number,CHY number, tax reference
uimhir CHY, CHY uimh., number, Ireland tax identification
uimhir thagartha cánach, number, Irish tax identification, tax
uimhir aitheantais cánach identification number, tax id, TIN,
ireland, aitheantais cánach Ireland tin
irish, uimhir aitheantais
cánach, id cánach, uimhir
chánach, cáin #, STÁIN,
cáin id uimh.
Ireland Value Added Tax Irish cáin bhreisluacha, CBL, CBL Ireland VAT number, VAT number, VAT
(VAT) Number aon, Uimhir CBL, Uimhir no, VAT#, value added tax number,
CBL hÉireann, bhreisluacha value added tax, irish VAT
uimhir chánach
Irish Personal Public Gaelic Gaeilge Uimhir Phearsanta Irish personal public service number,
Service Number Seirbhíse Poiblí, PPS PPS no., personal public service
Uimh., uimhir phearsanta number, service no., PPS no., PPS
seirbhíse poiblí, seirbhíse service one
Uimh, PPS Uimh, PPS
seirbhís aon
Israel Personal Hebrew, Arabic ‫מספר‬,‫מספר זיהוי‬ Israeli identity number, identity number,
Identification Number ‫זהות‬,‫זיהוי ישראלי‬ unique identity number, personal ID,
‫هويةاسرائيلية‬,‫ישראלית‬ unique personal ID, unique ID
‫رقم‬,‫هوية إسرائيلية‬,‫عدد‬
‫عدد هوية فريدة من‬,‫الهوية‬
‫نوعها‬
Italy Driver's License Italian patente guida numero, Driver's license number, driver's
Number patente di guida numero, license
patente di guida, patente
guida

1145
Data Identifier Language Keywords English Translation

Italy Health Insurance Italian TESSERA SANITARIA, Health insurance card, Italian health
Number tessera sanitaria, tessera insurance card
sanitaria italiana
Italian Passport Number Italian Repubblica Italiana Italian Republic passport, passport,
Passaporto, Passaporto, Italian passport, Italian passport
Passaporto Italiana, number, passport number
passport number, Italiana
Passaporto numero,
Passaporto numero, Numéro
passeport italien, numéro
passeport
Italy Value Added Tax (VAT) Italian IVA, numero partita IVA, VAT, VAT number, VAT#, VAT number
Number IVA#, numero IVA
Japan Driver's License Japanese #####, ##, ##, ##, ####, # Public Security Committee, driver's
Number ####, #########, ########## license, driving license, driver license,
#, #####, ####### driver's license number, driving license
number, driver license number, license
Japanese Juki-Net ID Japanese #########, #######, ####, # Juki-Net identification number, Juki-
Number ##### Net number, identification number,
personal identification number
Japanese My Number - Japanese ######, #### My number, common number
Corporate
Japanese My Number - Japanese ######, ####, #### My number, personal number, common
Personal number
Japan Passport Number Japanese #####, #####, ###### Japanese passport, passport, passport
number
Kazakhstan Passport Kazakh төлқұжат, төлқұжат нөмірі, Passport, passport number, passport
Number номер паспорта, заграничный ID, international passport, national
пасспорт, национальный passport
паспорт
Korea Passport Number Korean ### ##, ##, ## ##, #### Korean passport, passport, passport
number, Republic of Korea
Korea Residence Korean ### ## ##, #### Foreigner registration number, social
Registration Number for security number
Foreigners
Korean Residence Korean ######, #### Resident registration number, social
Registration Number for security number
Korean
Latvia Driver's Licence Latvian licences numurs, vadītāja License number, driver's license,
Number apliecība, autovadītāja driver's license number, driver's lic.
apliecība, vadītāja
apliecības numurs, Vadītāja
licences numurs, vadītāji
lic., vadītāja atļauja
Latvia Passport Number Latvian LATVIJA, LETTONIE, Pases Latvia, passport no., passport number,
Nr., Pases Nr, Pase, pase, passport book, passport #, passport
pases numurs, Pases Nr, card
pases grāmata, pase#, pases
karte

1146
Data Identifier Language Keywords English Translation

Latvia Personal Latvian Personas kods, Latvia personal code, personal


Identification Number personas kods, latvijas code, national identification number,
personas kods, Valsts identification number, national ID,
identifikācijas numurs, latvia TIN, TIN, tax identification
valsts identifikācijas number, tax ID, TIN number, tax
numurs, identifikācijas number
numurs, nacionālais id,
latvija alva, alva, nodokļu
identifikācijas numurs,
nodokļu id, alvas nē,
nodokļa numurs
Latvia Value Added Tax Latvian PVN Nr, PVN maksātāja VAT no., VAT payer number, VAT
(VAT) Number numurs, PVN numurs, PVN#, number, VAT#, value added tax, value
pievienotās vērtības added tax number
nodoklis, pievienotās
vērtības nodokļa numurs
Liechtenstein Passport German Reisepass, Pass Nr, Pass Passport, passport no.
Number Nr., Reisepass#, Pass Nr#
Lithuania Personal Lithuanian Nacionalinis ID, National ID, national identification
Identification Number Nacionalinis identifikavimo number, personal ID
numeris, asmens kodas
Lithuania Tax Identification Lithuanian mokesčių identifikavimo tax identification number, tax ID, tax ID
Number Nr., mokesčių number, tax ID number, tax ID #, tax
identifikavimo numeris, number, tax no., fee #
mokesčių ID, mokesčių
id nr, mokesčių id nr.,
mokesčių ID#, mokesčių
numeris, mokestis Nr,
mokestis #, Mokesčių
identifikavimo numeris
Lithuania Value Added Tax Lithuanian pridėtinės vertės VAT number, VAT, VAT #, Value added
(VAT) Number mokesčio numeris, PVM, tax, VAT registration number
PVM#, pridėtinės vertės
mokestis, PVM numeris, PVM
registracijos numeris
Luxembourg National German, French Eindeutige ID-Nummer, Unique ID number, unique ID, personal
Register of Individuals Eindeutige ID, ID ID, personal identification number
Number personnelle, Numéro
d'identification personnel,
IDpersonnelle#, Persönliche
Identifikationsnummer,
EindeutigeID#
Luxembourg Passport French and German passnummer, ausweisnummer, Passport number, passport,
Number passeport, reisepass, Luxembourg pass, Luxembourg
pass, pass net, pass nr, passport
no de passeport, passeport
nombre, numéro de passeport

1147
Data Identifier Language Keywords English Translation

Luxembourg Tax French, German Zinn, Zinn Nummer, TIN, TIN number, Luxembourg tax
Identification Number Luxembourg Tax identification number, tax number, tax
Identifikatiounsnummer, ID, social security ID, Luxembourg tax
Steier Nummer, Steier ID, identification number, Social Security,
Sozialversicherungsausweis, Social Security Card, tax identification
Zinnzahl, Zinn nein, number
Zinn#, luxemburgische
steueridentifikationsnummer,
Steuernummer,Steuer ID,
sécurité sociale, carte
de sécurité sociale,
étain,numéro d'étain,
étain non, étain#, Numéro
d'identification fiscal
luxembourgeois, numéro
d'identification fiscale
Luxembourg Value Added German, TVA kee, TVA#, TVA Luxembourg VAT number, VAT
Tax (VAT) Number Luxembourgish Aschreiwung kee, T.V.A, number, VAT, value added tax number,
stammnummer, bleiwen, VAT ID, VAT registration number, value
geheescht, gitt id, added tax
mehrwertsteuer, vat
registrierungsnummer,
umsatzsteuer-id, wat,
umsatzsteuernummer,
umsatzsteuer-
identifikationsnummer, id
de la batterie, lëtzebuerg
vat nee, registréierung
nummer, numéro de TVA,
numéro de enregistrement
vat
Macau National Chinese, #####, ####### ID number, unique identification
Identification Number Portuguese número de identificação, number
número cartão identidade, Identification number, identity card
número cartão identidade number, national identity card number,
nacional, número personal identification number, unique
identificação pessoal, identification number, unique non-ID,
número identificação único, unique ID #
id único não, ID único#
Malaysia Passport Number Malay pasport, nombor pasport, Passport, passport number, passport #
pasport#
Malaysian MyKad Number Malay nombor kad pengenalan, Identification card number,
(MyKad) kad pengenalan no, kad identification card no., Malaysian
pengenalan Malaysia, identification card, unique identity
bilangan identiti number, personal number
unik, nombor peribadi,
nomborperibadi#,
kadpengenalanno#
Malta National Maltese numru identifikazzjoni national identification number, national
Identification Number nazzjonali, ID nazzjonali, ID, personal identification number,
numru identifikazzjoni personal ID
personali, ID personali,
IDnazzjonali#, IDpersonali#

1148
Data Identifier Language Keywords English Translation

Malta Tax Identification Maltese kodiċi tat-taxxa, Tax code, tax number, tax identification
Number numru tat-taxxa, numru number, taxid# taxpayer identification
identifikazzjoni tat- number, taxpayer code, tin, tin no
taxxa, taxxaid#,
numru identifikazzjoni
kontribwent, kodiċi
kontribwent, landa, landa
nru
Malta Value Added Tax Maltese Numru tal-VAT, numru tal- VAT number, VAT, value added tax
(VAT) Number VAT, bettija,valur miżjud number, vat identification number
taxxa in-numru, bettija
identifikazzjoni in-numru
Mexican Personal Spanish Clave de Registro de Personal identity registration key,
Registration and Identidad Personal, Mexican personal identification code,
Identification Number Código de Identificación Mexican personal identification number
Personal mexicana, número
de identificación personal
mexicana
Mexican Tax Identification Spanish Registro Federal de Federal taxpayer registry, tax
Number Contribuyentes, número identification number, federal taxpayer
de identificación de registry number, RFC number, RFC
impuestos, Código del key
Registro Federal de
Contribuyentes, Número RFC,
Clave del RFC
Mexican Unique Spanish Única de registro de Unique population registry, unique key,
Population Registry Code Población, clave única, unique identity key, unique personal
clave única de identidad, identity, personal identity key
clave personal Identidad,
personal Identidad
Clave, ClaveÚnica#,
clavepersonalIdentidad#
Mexico CLABE Number Spanish Clave Bancaria Standardized banking code,
Estandarizada, standardized bank code number, code
Estandarizado Banco número number
de clave, número de clave,
clave número, clave#
Netherlands Bank Account Dutch, Papiamento bancu aklarashon number, Bank account number, account
Number aklarashon number, number
bankrekeningnummer,
rekeningnummer
Netherlands Driver's Dutch RIJMEWIJS, permis de Driver's license, driving permit, driver's
License Number conduire, rijbewijs, license number
Rijbewijsnummer,
RIJBEWIJSNUMMER
Netherlands Passport Dutch Nederlanden paspoort Dutch passport number, passport,
Number nummer, Paspoort, paspoort, passport number
Nederlanden paspoortnummer,
paspoortnummer

1149
Data Identifier Language Keywords English Translation

Netherlands Tax Dutch, Nederlands belasting Dutch tax identification number,


Identification Number Pampiamento, identificatienummer, tax identification number, Dutch tax
Norwegian identificatienummer identification, Dutch tax number, tax
van belasting, number
identificatienummer
belasting, Nederlands
belasting identificatie,
Nederlands belasting
id nummer, Nederlands
belastingnummer, btw
nummer, Nederlandse
belasting identificatie,
Nederlands belastingnummer,
netherlands tax
identification tal,
netherland's tax
identification tal,
tax identification tal,
tax tal, Nederlânske
tax identification
tal, Hollânske tax
identification, Nederlânsk
tax tal, Hollânske tax id
tal, netherlands impuesto
identification number,
netherland's impuesto
identification number,
impuesto identification
number, impuesto number,
hulandes impuesto
identification number,
hulandes impuesto
identification, hulandes
impuesto number, hulandes
impuesto id number
Netherlands Value Added Dutch, Frisian wearde tafoege tax getal, Value added tax number, VAT number
Tax (VAT) Number BTW nûmer, BTW-nummer
New Zealand Driver's Maori raihana taraiwa Driving license
Licence Number
New Zealand Passport Maori uruwhenua, tau uruwhenua, Passport, passport no.
Number uruwhenua no, uruwhenua no.
Norway Driver's Licence Norwegian førerkort, førerkortnummer Driver's license, driver's license
Number number
Norway National Norwegian Nasjonalt ID, personlig National ID, personal ID, national ID
Identification Number ID, Nasjonalt ID#, #, personal ID #, tax ID, tax code,
personlig ID#, skatt taxpayer ID, taxpayer identification
id, skattenummer, number
skattekode, skattebetalers
id, skattebetalers
identifikasjonsnummer
Norway Value Added Tax Norwegian mva, MVA, momsnummer, VAT, VAT number, VAT registration
Number Momsnummer, number
momsregistreringsnummer

1150
Data Identifier Language Keywords English Translation

Norwegian Birth Number Norwegian fødsel nummer, Fødsel nr, Birth number
fødsel nei, fødselnei#,
fødselnummer#
People's Republic of China Chinese (Simplified) ###,####,###### Identity Card, Information of resident,
ID Information of resident identification
Poland Driver's Licence Polish Kierowcy Lic., prawo Drivers license number, driving license,
Number jazdy, numer licencyjny, license number
zezwolenie na prowadzenie,
PRAWO JAZDY
Poland European Health Polish Numer EHIC, Karta EHIC number, Health Insurance Card,
Insurance Number Ubezpieczenia Zdrowotnego, European Health Insurance Card,
Europejska Karta health insurance number, medical
Ubezpieczenia Zdrowotnego, account number
numer ubezpieczenia
zdrowotnego, numer rachunku
medycznego
Poland Passport Number French, Polish paszport#, numer paszportu, Passport #, passport number, passport
Nr paszportu, paszport, number, passport, passport book
książka paszportowa Passport, number, passport number,
passeport, nombre, numéro passport #, passport number
de passeport, passeport#,
No de passeport
Poland Value Added Tax Polish Numer Identyfikacji Tax identification number, tax ID
(VAT) Number Podatkowej, NIP, nip, number, VAT number, value added tax,
Liczba VAT, podatek od VAT invoice, VAT invoice #
wartosci dodanej, faktura
VAT, faktura VAT#
Polish Identification Polish owód osobisty, Tożsamości Identification card, national identity,
Number narodowej, osobisty identification card number, unique
numer identyfikacyjny, number, number
niepowtarzalny numer, numer
Polish REGON Number Polish numer statystyczny, Statistical number, REGON number
REGON, numeru REGON,
numerstatystyczny#,
numeruREGON#
Polish Social Security Polish PESEL Liczba, społeczny PESEL number, social security
Number (PESEL) bezpieczeństwo number, social security ID, social
liczba, społeczny security code
bezpieczeństwo ID,
społeczny bezpieczeństwo
kod, PESELliczba#,
społecznybezpieczeństwoliczba#
Polish Tax Identification Polish Numer Identyfikacji Tax identification number, Polish tax
Number Podatkowej, Polski numer identification number
identyfikacji podatkowej,
NumerIdentyfikacjiPodatkowej#

1151
Data Identifier Language Keywords English Translation

Portugal Driver's License Portuguese carteira de motorista, driver's license, license number,
Number carteira motorista, driving license, driving license Portugal
carteira de habilitação,
carteira habilitação,
número de licença, número
licença, permissão de
condução, permissão
condução, Licença condução
Portugal, carta de condução
Portugal National Portuguese bilhete de identidade, identity card, civil identification number,
Identification Number número de identificação citizen's card number, identification
civil, número de cartão document, citizen's card, bi number of
de cidadão, documento Portugal, document number
de identificação, cartão
de cidadão, número bi
de portugal, número do
documento
Portugal Passport Number French and passaporte, passeport, Passport number, passport,
Portuguese portuguese passport, Portuguese passport
portuguese passeport,
portuguese passaporte,
passaporte nº, passeport nº
Portugal Tax Identification Portuguese número identificação fiscal Tax identification numberr
Number
Portugal Value Added Tax Portuguese imposto sobre valor Value added tax, VAT, VAT number,
(VAT) Number acrescentado, VAT nº, VAT code
número iva, vat não, código
iva
Romania Driver's Licence Romanian permis de conducere, PERMIS Driving license, driving license number
Number DE CONDUCERE, Permis
de conducere, numărul
permisului de conducere,
Numărul permisului de
conducere
Romania National Romanian numărul de identificare fiscal identification number, tax
Identification Number fiscală, identificarea identification number, fiscal code
fiscală nr #, codul fiscal number,
nr.
Romania Value Added Tax Romanian CIF, cif, CUI, cui, TVA, VAT, VAT #, value added tax, fiscal
(VAT) Number tva, TVA#, tva#, taxa code, fiscal identification code, unique
pe valoare adaugata, cod registration code, unique identification
fiscal, cod fiscal de code, code unique registration
identificare, cod fiscal
identificare, Cod Unic
de Înregistrare, cod unic
de identificare, cod unic
identificare, cod unic
de înregistrare, cod unic
înregistrare

1152
Data Identifier Language Keywords English Translation

Romanian Numerical Romanian Cod Numeric Personal, cod Personal numeric code, personal
Personal Code identificare personal, identification code, unique
cod unic identificare, identification code, identity number,
număr personal unic, personal identification number
număr identitate, număr
identificare personal,
număridentitate#,
CodNumericPersonal#,
numărpersonalunic#
Russian Passport Russian паспорт нет, паспорт, Passport no., passport, passport
Identification Number номер паспорта, паспорт ID, number, passport ID, Russian
Российской паспорт, Русский passport, Russian passport number
номер паспорта, паспорт#,
паспортID#, номерпаспорта#
Russian Taxpayer Russian НДС, номер TIN (tax identification number),
Identification Number налогоплательщика, taxpayer number, taxpayer ID, rax
Налогоплательщика ИД, налог number
число, налогчисло#, ИНН#,
НДС#
SEPA Creditor Identifier Bulgarian, Finnish, SEPA-Gläubiger- SEPA creditor identifier, creditor ID,
Number North French, German, Identifikator, Gläubiger- SEPA ID, creditor ID
Irish, Italian, ID, SEPA-ID, Gläubiger- Creditor ID, SEPA ID
Luxembourgish, Kennung SEPA creditor identifier, crediting,
Portuguese, ID créancier, ID SEPA, creditor identification
Spanish Identifiant du créancie SEPA creditor identifier, Creditor
SEPA Krediter Identifier
Identifizéierer, Creditor ID, SEPA ID, Creditor
Kreditergeld, Krediter identifier
Identifizéierer Creditor ID, Creditor Identifier
SEPA kreditoridentifikator, Creditor ID, Creditor Identifier
Kreditoridentifikator Creditor Identifier SEPA, Creditor ID,
Velkojan tunnus, SEPA- SEPA ID, Creditor Identifier
tunnus, Velkojan tunniste SEPA Creditor Identifier, Creditor
ID Creidiúnaí, Aithnitheoir Identifier
Creidiúnaí
ID del creditore,
Identificatore del
creditore
Identificador de acreedor
SEPA, ID del acreedor, ID
de SEPA, Identificador del
acreedor
Identificador Credor SEPA,
Identificador do Credor

1153
Data Identifier Language Keywords English Translation

SEPA Creditor Identifier Bulgarian, Finnish, SEPA-Gläubiger- SEPA creditor identifier, creditor ID,
Number South French, German, Identifikator, Gläubiger- SEPA ID, creditor ID
Irish, Italian, ID, SEPA-ID, Gläubiger- Creditor ID, SEPA ID
Luxembourgish, Kennung SEPA creditor identifier, crediting,
Portuguese, ID créancier, ID SEPA, creditor identification
Spanish Identifiant du créancie SEPA creditor identifier, Creditor
SEPA Krediter Identifier
Identifizéierer, Creditor ID, SEPA ID, Creditor
Kreditergeld, Krediter identifier
Identifizéierer Creditor ID, Creditor Identifier
SEPA kreditoridentifikator, Creditor ID, Creditor Identifier
Kreditoridentifikator Creditor Identifier SEPA, Creditor ID,
Velkojan tunnus, SEPA- SEPA ID, Creditor Identifier
tunnus, Velkojan tunniste SEPA Creditor Identifier, Creditor
ID Creidiúnaí, Aithnitheoir Identifier
Creidiúnaí
ID del creditore,
Identificatore del
creditore
Identificador de acreedor
SEPA, ID del acreedor, ID
de SEPA, Identificador del
acreedor
Identificador Credor SEPA,
Identificador do Credor
SEPA Creditor Identifier Bulgarian, Finnish, SEPA-Gläubiger- SEPA creditor identifier, creditor ID,
Number West French, German, Identifikator, Gläubiger- SEPA ID, creditor ID
Irish, Italian, ID, SEPA-ID, Gläubiger- Creditor ID, SEPA ID
Luxembourgish, Kennung SEPA creditor identifier, crediting,
Portuguese, ID créancier, ID SEPA, creditor identification
Spanish Identifiant du créancie SEPA creditor identifier, Creditor
SEPA Krediter Identifier
Identifizéierer, Creditor ID, SEPA ID, Creditor
Kreditergeld, Krediter identifier
Identifizéierer Creditor ID, Creditor Identifier
SEPA kreditoridentifikator, Creditor ID, Creditor Identifier
Kreditoridentifikator Creditor Identifier SEPA, Creditor ID,
Velkojan tunnus, SEPA- SEPA ID, Creditor Identifier
tunnus, Velkojan tunniste SEPA Creditor Identifier, Creditor
ID Creidiúnaí, Aithnitheoir Identifier
Creidiúnaí
ID del creditore,
Identificatore del
creditore
Identificador de acreedor
SEPA, ID del acreedor, ID
de SEPA, Identificador del
acreedor
Identificador Credor SEPA,
Identificador do Credor

1154
Data Identifier Language Keywords English Translation

Serbia Unique Master Serbian јединствен мајстор грађанин Unique master citizen number, unique
Citizen Number Број, Јединствен матични identification number, unique id
број, јединствен број ид, number, National identification number
Национални идентификациони
број
Serbia Value Added Tax Serbian poreski identifikacioni Tax identification number VAT number,
(VAT) Number broj, PORESKI value added tax, VAT, identification
IDENTIFIKACIONI BROJ, number, tax number
Poreski br., ПДВ број,
Порез на додату вредност,
PDV broj, Porez na dodatu
vrednost, porez na dodatu
vrednost, PDV, pdv, ПДВ,
порески идентификациони
број, PIB, pib, пиб,
poreski broj, порески број
Slovakia Driver's Licence Slovak vodičský preukaz, Vodičský Driving license, license number
Number preukaz, VODIČSKÝ PREUKAZ,
číslo vodičského preukazu,
ovládače lic., povolenie
vodiča, povolenia vodičov,
povolenie na jazdu,
povolenie jazdu, číslo
licencie
Slovakia National Hungarian, Slovak identifikačné číslo, ID number, identity card number,
Identification Number személyi igazolvány száma, national identity card number, national
személyigazolvány szám, identification number, identification
číslo občianského preukazu, number, ID card number, identification
identifikačná karta č, card, national identity card
személyi igazolvány szám,
nemzeti személyi igazolvány
száma, číslo národnej
identifikačnej karty,
národná identifikačná karta
č, nemzeti személyazonosító
igazolvány, nemzeti
azonosító szám, národné
identifikačné číslo,
národná identifikačná
značka č, nemzeti azonosító
szám, azonosító szám,
identifikačné číslo
Slovakia Passport Number French, Slovak PASSEPORT, passeport, Passport, passport number, passport
cestovný pas, číslo pasu, no
pas č, Číslo pasu, PAS,
CESTOVNÝ PAS, Passeport n°
Slovakia Value Added Tax Slovak číslo DPH, číslo dane VAT number, value added tax
(VAT) Number z pridanej hodnoty, number, VAT, value added tax, VAT
identifikačné číslo identification number
vat, dph, DPH, daň z
pridanej hodnoty, daň
pridanej hodnoty, číslo
dane pridanej hodnoty,
identifikačné číslo DPH

1155
Data Identifier Language Keywords English Translation

Slovenia Passport Number French, Slovenian številka potnega lista, Passport number, passport, passport
potni list, knjiga potnega book, passport #
lista, potni list #,
passeport, Passeport
Slovenia Tax Identification Slovenian identifikacijska številka Tax identification number, Slovenian
Number davka, Slovenska davčna tax number, tax number
številka, Davčna številka
Slovenia Unique Master Slovenian EMŠO, emšo, edinstvena Unique national number, unique
Citizen Number številka državljana, enotna identification number, uniform
identifikacijska številka, registration number, unique registration
Enotna maticna številka number, citizen's number, unique
obcana, enotna maticna identification number
številka obcana, številka
državljana, edinstvena
identifikacijska številka
Data Identifier | Language | Keywords | English Translation
Slovenia Value Added Tax (VAT) Number | Slovenian | številka davka na dodano vrednost, DDV št, slovenia vat št | Value added tax number, VAT no, Slovenia vat no
South African Personal Identification Number | Afrikaans | nasionale identifikasie nommer, nasionale identiteitsnommer, versekering aantal, persoonlike identiteitsnommer, unieke identiteitsnommer, identiteitsnommer, identiteitsnommer#, versekeringaantal#, nasionaleidentiteitsnommer# | National identification number, national identity number, insurance number, personal identity number, unique identity number, identity number
South Korea Resident Registration Number | Korean | (Korean keywords not legible in the extracted text) | Resident Registration Number, Resident Number
Spain Driver's License Number | Spanish | permiso de conducción, permiso conducción, Número licencia conducir, Número de carnet de conducir, Número carnet conducir, licencia conducir, Número de permiso de conducir, Número de permiso conducir, Número permiso conducir, permiso conducir, licencia de manejo, el carnet de conducir, carnet conducir | Driver's license, driver's license number, driving license, driving permit, driving permit number
Spain Value Added Tax (VAT) Number | Spanish | Número IVA españa, Número de IVA español, español Número IVA, Número de valor agregado, IVA, Número IVA, Número impuesto sobre valor añadido, Impuesto valor agregado, Impuesto sobre valor añadido, valor añadido el impuesto, valor añadido el impuesto numero | Spain VAT number, Spanish VAT number, VAT Number, VAT, value added tax number, value added tax
Spanish Customer Account Number | Spanish | número cuenta cliente, código cuenta, cuenta cliente ID, número cuenta bancaria cliente, código cuenta bancaria | Customer account number, account code, customer account ID, customer bank account number, bank account code
Spanish DNI ID | Spanish | NIE número, Documento Nacional de Identidad, Identidad único, Número nacional identidad, DNI Número | NIE number, national identity document, unique identity, national identity number, DNI number
Spanish Passport Number | Spanish | libreta pasaporte, número pasaporte, Número Pasaporte, España pasaporte, pasaporte | passport book, passport number, Spanish passport, passport
Spanish Social Security Number | Spanish | Número de la Seguridad Social, número de la seguridad social | Social security number
Spanish Tax ID (CIF) | Spanish | número de contribuyente, número de impuesto corporativo, número de Identificación fiscal, CIF número, CIFnúmero# | taxpayer number, corporate tax number, tax identification number, CIF number
Sri Lanka National Identity Number | Sinhala | See user interface | ID, national identity number, personal identification number, National Identity Card number
Sweden Driver's License Number | Finnish, Romani, Swedish, Yiddish | ajokortti, permis de conducere, ajokortin numero, kuljettajat lic., drivere lic., körkort, numărul permisului de conducere, שָאפער דערלויבעניש נומער, körkort nummer, förare lic., דריווערס דערלויבעניש, körkortsnummer | Driver's license, driver's license number, driving license number
Sweden Personal Identification Number | Swedish | personnummer ID, personligt id-nummer, unikt id-nummer, personnummer, identifikationsnumret, personnummer#, identifikationsnumret# | ID number, personal ID number, unique ID number, personal, identification number
Sweden Tax Identification Number | Swedish | skattebetalarens identifikationsnummer, Sverige TIN, TIN-nummer | Tax identification number, Swedish TIN, TIN number
Sweden Value Added Tax (VAT) Number | Swedish | moms#, sverige moms, sverige momsnummer, sverige moms nr, sweden vat nummer, sweden momsnummmer, momsregistreringsnummer | Swedish VAT, Swedish VAT number, VAT registration number
Swedish Passport Number | Swedish | Passnummer, pass, sverige pass, SVERIGE PASS, sverige Passnummer | Passport number, passport, Swedish passport, Swedish passport number
Switzerland Health Insurance Card Number | German, Italian | medizinische Kontonummer, Krankenversicherungskarte Nummer, numero conto medico, tessera sanitaria assicurazione numero, assicurazione sanitaria numero | Medical account number, health insurance card number, health insurance number
Switzerland Passport Number | French, German, Italian | Passeport, passeport, numéro passeport, numéro de passeport, passeport#, No de passeport, No de passeport., Numéro de passeport, PASSEPORT, LIVRE DE PASSEPORT; Pass, Passnummer, Pass#, Pass Nr., Pass Nr, PASS; Passaporto, Numero di passaporto, passaporto, Passaporto n, Passaporto n., passaporto#, Passaport, numero passaporto, numero di passaporto, numero passaporto, passaporto n, PASSAPORTO; Reisepass, Reisepass#, REISEPASS | Passport, passport number, passport #, passport book; Passport, passport number, passport #; Passport, passport number, passport no., passport #; Passport, passport #
Switzerland Value Added Tax (VAT) Number | French, German, Italian | T.V.A, numéro TVA, T.V.A#, numéro taxe valeur ajoutée, T.V.A., taxe sur la valeur ajoutée, T.V.A#, numéro enregistrement TVA, Numéro TVA; I.V.A, Partita IVA, I.V.A#, numero IVA; MwSt, Umsatzsteuer-Identifikationsnummer, MwSt#, Mehrwertsteuer-Nummer, Mehrwertsteuer, VAT Registrierungsnummer, Umsatzsteuer-Identifikationsnummer | VAT, VAT number, VAT #, value added tax number, value added tax, VAT registration number; VAT, VAT number, VAT #; VAT, VAT registration number, VAT #, VAT number
Swiss AHV Number | French, German, Italian | Numéro AVS, numéro d'assuré, identifiant national, numéro d'assurance vieillesse, numéro de sécurité soclale, Numéro AVH; AHV-Nummer, Matrikelnumme, Personenidentifikationsnummer; AVS, AVH | AVS number, insurance number, national identifier, national insurance number, social security number, AVH number; AHV number, Swiss Registration number, PIN; AVS, AVH
Swiss Social Security Number (AHV) | French, German, Italian | Identifikationsnummer, sozialversicherungsnummer, identification personnelle ID, Steueridentifikationsnummer, Steuer ID, codice fiscale, Steuernummer | Identification number, social security number, personal identification ID, tax identification number, tax ID, social security number, tax number
Taiwan ROC ID | Chinese (Traditional) | (Chinese keywords not legible in the extracted text) | Taiwan ID
Thailand Passport Number | Thai | (Thai keywords not legible in the extracted text) | Passport, passport number
Thailand Personal ID Number | Thai | (Thai keywords not legible in the extracted text) | Insurance number, personal identification, identification number
Turkish Identification Number | Turkish | Kimlik Numarası, Türkiye Cumhuriyeti Kimlik Numarası, vatandaş kimliği, kişisel kimlik no, kimlik Numarası#, vatandaş kimlik numarası, Kişisel kimlik Numarası | Identification number, Turkish Republic identification number, citizen identity, personal identification number, citizen identification number
Ukraine Identity Card | Ukrainian | посвідчення особи України | Ukraine identity card
Ukraine Passport Number (Domestic) | Ukrainian | паспорт, паспорт України, номер паспорта, персональний | Passport, Ukraine passport, passport number
Ukraine Passport Number (International) | Ukrainian | паспорт, паспорт України, номер паспорта | Passport, Ukraine passport, passport number
United Arab Emirates Personal Number | Arabic | رقم, الهوية الشخصية رقم, فريدة من, التعريف الشخصي, التأمين, نوعها هوية رقم, هوية فريدة, التأمينرقم, رقم# | Personal ID Number, PIN, Unique ID Number, Insurance Number, Unique Identity #
Venezuela National ID Number | Spanish | cédula de identidad número, clave única de identidad, personal de identidad clave, personal de identidad, número de identificación nacional, número ID nacional | National ID number, national identification number, personal ID number, personal identification, unique identification number

Enable token validation to match Chinese, Japanese, and Korean keywords on the server

The Content Matches Keyword condition supports both whole word and partial word matching.
Symantec Data Loss Prevention detection servers support natural language processing for Chinese, Japanese, and
Korean (CJK) language keywords. If you want to detect CJK keywords, the recommendation is to enable token validation
on the detection server and to use whole word matching for the keyword condition.
The DLP Agent does not support token validation for CJK. On the endpoint, for CJK and mixed-language keyword
matching, consider using partial word matching.

With whole word matching, keywords match at word boundaries only (\W in the regular expression lexicon). Any
character other than A-Z, a-z, and 0-9 is interpreted as a word boundary. Consequently, with whole word matching a
keyword must contain at least one alphanumeric character (a letter or a number); a keyword that contains none, such
as "..", is ignored.
About keyword matching for Chinese, Japanese, and Korean (CJK) languages
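The following added example (not Symantec code) implements the boundary rule stated above in Python: whole word matching with A-Z, a-z, and 0-9 as the only word characters, the rule that a whole-word keyword needs at least one alphanumeric character, and partial word matching with no such restriction. The sample messages and keyword lists are constructed, matching is case-sensitive by assumption, and treating a CJK keyword as containing no alphanumeric character follows from the definition above rather than from product documentation.

```python
import re
from typing import List

# Word-boundary model stated above: only A-Z, a-z and 0-9 are word characters;
# every other character is a boundary. Python's own \b is Unicode-aware and
# would treat CJK characters as word characters, so lookarounds are used instead.
_ALNUM = r"[A-Za-z0-9]"


def keyword_is_usable(keyword: str, whole_word: bool) -> bool:
    """A whole-word keyword must contain at least one alphanumeric character;
    one such as ".." is ignored. Partial matching has no such restriction."""
    if not keyword:
        return False
    if not whole_word:
        return True
    return re.search(_ALNUM, keyword) is not None


def keyword_pattern(keyword: str, whole_word: bool) -> "re.Pattern[str]":
    """Compile one keyword; case-sensitive, which is this example's assumption."""
    literal = re.escape(keyword)
    if whole_word:
        return re.compile(rf"(?<!{_ALNUM}){literal}(?!{_ALNUM})")
    return re.compile(literal)


def find_keywords(text: str, keywords: List[str], whole_word: bool) -> List[str]:
    """Return the keywords, in list order, that match somewhere in text.
    Keywords that are unusable under the chosen mode are skipped, not reported."""
    hits = []
    for keyword in keywords:
        if not keyword_is_usable(keyword, whole_word):
            continue
        if keyword_pattern(keyword, whole_word).search(text):
            hits.append(keyword)
    return hits


# Constructed sample messages (not taken from the product).
SAMPLE_DERIVED = "See the confidentiality agreement."   # keyword occurs only as a prefix
SAMPLE_EXACT = "Marked confidential.. do not forward"    # keyword sits at a boundary
SAMPLE_JA = "この機密文書は社外秘です。"                 # CJK keyword 機密 inside a longer run

if __name__ == "__main__":
    for text in (SAMPLE_DERIVED, SAMPLE_EXACT):
        print(find_keywords(text, ["confidential", ".."], whole_word=True),
              find_keywords(text, ["confidential", ".."], whole_word=False))
    # Under the ASCII-only rule the keyword 機密 has no alphanumeric character,
    # so whole-word matching ignores it entirely; partial matching finds it.
    print(find_keywords(SAMPLE_JA, ["機密"], whole_word=True))   # []
    print(find_keywords(SAMPLE_JA, ["機密"], whole_word=False))  # ['機密']
```

The last two calls show why the text recommends partial word matching for CJK keywords on the endpoint, where token validation is not available to supply word boundaries.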

Introducing file property detection


Symantec Data Loss Prevention provides various methods for detecting the context of messages, files, and attachments.
You can detect the type, size, and name of files and attachments. You can also use these conditions to except files and
attachments from matching.
About file type matching
About file size matching
About file name matching
Configuring file property matching

About file type matching


You use the Message Attachment or File Type Match condition to match the file type of a message attachment.
Symantec Data Loss Prevention supports the identification of over 300 file types.
Supported formats for file type identification
Example uses of message attachment and file type matching are as follows:
• A certain type of document should never leave the organization (such as a PGP document or AutoCAD file).
• A certain type of match is likely to occur only in a document of a certain type, such as a Word document.
The detection engine does not rely on the file name extension to match the file format type. The engine checks the binary
signature of supported file formats. For example, if a user changes a .doc file's extension to .txt and emails the file, the
detection engine can still register a match because it checks the binary signature of the file to detect it as a DOC file.
Supported formats for file type identification
NOTE
File type matching does not detect the content of the file; it only detects the file type based on its binary
signature. To detect content, use a content matching condition.
Configuring the Message Attachment or File Type Match condition
About custom file type identification
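To illustrate signature-based rather than extension-based identification, here is an added Python example (not Symantec code and not the product's signature table). The signature list is a constructed, abbreviated set of publicly documented file headers, and the "renamed" attachment is a constructed OLE2 header saved under a .txt name.

```python
from typing import Dict, List, Optional, Tuple

# Constructed, abbreviated signature table: (label, offset, magic bytes).
# These are the publicly documented headers of the formats; the product ships
# its own table covering 300+ formats, which is not reproduced here.
SIGNATURES: List[Tuple[str, int, bytes]] = [
    ("OLE2 compound document (DOC/XLS/PPT)", 0, b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"),
    ("PDF", 0, b"%PDF-"),
    ("ZIP container (DOCX/XLSX/ZIP)", 0, b"PK\x03\x04"),
    ("PNG", 0, b"\x89PNG\r\n\x1a\n"),
    ("AutoCAD DWG", 0, b"AC10"),
]

# Extension mapping used only to show what a name-based check would conclude.
EXTENSION_LABELS: Dict[str, str] = {
    "doc": "OLE2 compound document (DOC/XLS/PPT)",
    "pdf": "PDF",
    "docx": "ZIP container (DOCX/XLSX/ZIP)",
    "png": "PNG",
    "dwg": "AutoCAD DWG",
}


def identify_by_signature(data: bytes) -> Optional[str]:
    """Classify by the bytes at a known offset; the file name is never consulted.
    Returns None when no known signature is present."""
    for label, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return None


def identify_by_extension(filename: str) -> Optional[str]:
    """What a naive, extension-based check would report for the same attachment."""
    if "." not in filename:
        return None
    return EXTENSION_LABELS.get(filename.rsplit(".", 1)[1].lower())


def file_type_condition(data: bytes, selected_types: List[str]) -> bool:
    """Message Attachment or File Type Match: the selected types are ORed, so an
    attachment matches if its signature is any one of them. Content is not inspected."""
    return identify_by_signature(data) in selected_types


# Constructed attachment: an OLE2 header padded to one 512-byte sector, sent as report.txt.
RENAMED_DOC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 504
RENAMED_DOC_NAME = "report.txt"

if __name__ == "__main__":
    print(identify_by_extension(RENAMED_DOC_NAME))   # None
    print(identify_by_signature(RENAMED_DOC))        # OLE2 compound document (DOC/XLS/PPT)
    print(file_type_condition(RENAMED_DOC, ["OLE2 compound document (DOC/XLS/PPT)", "AutoCAD DWG"]))  # True
```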

About file format support for file type matching


Symantec Data Loss Prevention supports over 300 file formats for file type identification using the Message Attachment
or File Type Match policy condition.
Refer to the following link for a complete list of file formats that can be recognized by this policy condition.
Supported formats for file type identification

About custom file type identification


If the type of file you want to detect is not supported as a system default file type, Symantec Data Loss Prevention
provides you with the ability to identify custom file types using scripts.

To detect a custom file type, you use the Symantec Data Loss Prevention Scripting Language to write a custom script
that detects the binary signature of the file format that you want to protect. To implement this match condition you need to
enable it on the Enforce Server.
Enabling the Custom File Type Signature condition in the policy console
Configuring the Custom File Type Signature condition
Refer to the Symantec Data Loss Prevention Detection Customization Guide for the language syntax and examples.
NOTE
The Symantec Data Loss Prevention Scripting Language only identifies custom file formats; it does not extract
content from custom file types.

About file size matching


Use Message Attachment or File Size Match to detect content based on the size of particular email message
components.
Detection Messages and Message Components
You can also detect matches for the number of files attached to email for SMTP.
The condition you choose when you configure this rule determines how a match is detected. You choose from these
options:
• Single – This condition detects a match when the body of an email message or an email attachment meets or exceeds
the file size you specify. Detection is based on each component individually.
For example, you could specify a condition where the single file size is more than 50 KB (kilobytes). An email message
with a 20 KB body, and a single 51 KB email attachment matches because the detected attachment exceeds 50 KB.
However, an email message with a 20 KB body and two 20 KB email attachments does not match. Even though the
entire message is more than 50 KB, each component is less than 50 KB. This rule does not combine the total size of
the body or the attached email files.
• Total Attachment File Size – This condition, for SMTP only, detects a match when the size of a single attachment or of
the combined email attachments meets or exceeds the file size you specify. Detection is based solely on the email
attachments and does not factor in the body of the email message.
For example, you could specify a condition where the total file size is more than 50 KB (kilobytes). An email message
with a 20 KB body, and a single 40 KB email attachment does not match because while the total email exceeds 50 KB,
the condition does not factor in the body of the email message. However, an email message with a 20 KB body and
two 30 KB email attachments does match, because the two file attachments together exceed 50 KB. In addition, an email with a
40 KB ZIP archive file attached would not match, even if the extracted size of the files in that archive exceeded 50 KB.
The default value for the Total Attachment File Size condition is zero. This condition has a character limit of four
digits. You will encounter validation errors if you include decimal points or other characters when specifying this value.
• Total Attachment File Count – This condition, for SMTP only, detects a match when the number of combined email
attachments meets or exceeds the file count criteria you specify. Detection is based solely on the combined number of
direct email attachments. For example, you could specify a condition where the total file count is more than five files.
An email with six files attached would match this condition, but an email with a single ZIP archive file attachment would
not match, even if the ZIP archive contained 20 files.
The default value for the Total Attachment File Count condition is zero. This condition has a character limit of seven
digits. You will encounter validation errors if you include decimal points or other characters when specifying this value.
NOTE
If the Total Attachment File Size and Total Attachment File Count conditions are ANDed together with a
content matching rule, the rules will be applied to all message components. Components will only match one
condition in an incident, even if they violate more than one of the conditions.

The Total Attachment File Size and Total Attachment File Count rules are available on both Windows and Mac
endpoints. On Windows, they apply to Microsoft Outlook and IBM (Lotus) Notes events. On Mac, they apply to Outlook for
Mac events.
Configuring the Message Attachment or File Size Match condition
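The three conditions above differ in what they sum and what they ignore. The following added Python example (not Symantec code) evaluates each condition over constructed messages that reproduce the cases in the text, including the archive that is counted at its attached size and the console's digits-only threshold validation; "More Than" is modelled as meets-or-exceeds, as the text states.

```python
from dataclasses import dataclass, field
from typing import List

KB = 1024  # the console also accepts bytes, MB and GB; KB is used throughout here


@dataclass
class Attachment:
    name: str
    size: int                                                   # size as attached
    contained_sizes: List[int] = field(default_factory=list)    # files inside an archive
    contained_count: int = 0                                    # count of files inside an archive


@dataclass
class Message:
    body_size: int
    attachments: List[Attachment]


def threshold_is_valid(text: str, max_digits: int) -> bool:
    """Console validation as described: digits only, no decimal point, limited length.
    Total Attachment File Size allows four digits, Total Attachment File Count seven."""
    return text.isdigit() and 1 <= len(text) <= max_digits


def single_file_size_matches(msg: Message, threshold: int) -> bool:
    """Single (More Than): the body and each attachment are tested on their own.
    Sizes are never summed, so several small attachments never add up to a match."""
    components = [msg.body_size] + [a.size for a in msg.attachments]
    return any(size >= threshold for size in components)


def total_attachment_size_matches(msg: Message, threshold: int) -> bool:
    """Total Attachment File Size (SMTP only): direct attachments are summed, the
    body is excluded, and an archive counts at its attached size, not its extracted size."""
    return sum(a.size for a in msg.attachments) >= threshold


def total_attachment_count_matches(msg: Message, threshold: int) -> bool:
    """Total Attachment File Count (SMTP only): only direct attachments are counted;
    files inside an archive are not."""
    return len(msg.attachments) >= threshold


# Constructed messages reproducing the cases discussed above (threshold 50 KB / 5 files).
ONE_LARGE = Message(20 * KB, [Attachment("a.doc", 51 * KB)])
TWO_SMALL = Message(20 * KB, [Attachment("a.doc", 20 * KB), Attachment("b.doc", 20 * KB)])
ONE_40K = Message(20 * KB, [Attachment("a.doc", 40 * KB)])
TWO_30K = Message(20 * KB, [Attachment("a.doc", 30 * KB), Attachment("b.doc", 30 * KB)])
ZIP_40K = Message(20 * KB, [Attachment("bundle.zip", 40 * KB,
                                       contained_sizes=[35 * KB, 35 * KB], contained_count=20)])
SIX_FILES = Message(5 * KB, [Attachment(f"f{i}.txt", 1 * KB) for i in range(6)])

if __name__ == "__main__":
    print(single_file_size_matches(ONE_LARGE, 50 * KB), single_file_size_matches(TWO_SMALL, 50 * KB))
    print(total_attachment_size_matches(ONE_40K, 50 * KB), total_attachment_size_matches(TWO_30K, 50 * KB))
    print(total_attachment_size_matches(ZIP_40K, 50 * KB), total_attachment_count_matches(ZIP_40K, 5))
    print(total_attachment_count_matches(SIX_FILES, 5), threshold_is_valid("50.5", 4))
```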

About file name matching


You use the Message Attachment or File Name Match condition to detect the names of files and attachments.
File name matching syntax
File name matching examples
Configuring the Message Attachment or File Name Match condition

Configuring file property matching


File Properties match conditions lists the conditions available for implementing file property matching.

Table 595: File Properties match conditions

Match condition | Description
Message Attachment or File Type Match | Detect or except specific files and attachments by type. See: About file type matching; Configuring the Message Attachment or File Type Match condition
Message Attachment or File Size Match | Detect or except specific files and attachments by size. See: About file size matching; Configuring the Message Attachment or File Size Match condition
Message Attachment or File Name Match | Detect or except specific files and attachments by name. See: About file name matching; Configuring the Message Attachment or File Name Match condition
Custom File Type Signature | Detect or except custom file types.

Configuring the Message Attachment or File Type Match condition


The Message Attachment or File Type Match condition matches the file type of an attachment message component.
You can configure an instance of this condition in policy rules and exceptions.
NOTE
Beginning with Symantec Data Loss Prevention 15.8 MP1, detection can be performed on emails that are
signed with S/MIME. However, for opaque-signed S/MIME emails, the original email is sent as an attachment.
In addition, the email content is not extracted in the same way as it would be for clear-signed S/MIME emails. To
perform detection on the body of the original S/MIME message in this case, you must select Attachment for all
policy conditions.
The following issues apply when detecting on opaque-signed S/MIME emails:
• The name of the body component in the incident snapshot is changed from body to kveml.mail.
• If both Microsoft Outlook Express (EML) and ASCII text file type detection are selected, the incident
snapshot contains two attachment components: kveml.mail and subfile_kv0.tmp. In this case, the
subfile_kv0.tmp has duplicate matches as in kveml.mail. The two duplicate matches increase the total
match count for the incident.
• If Message Attachment or File Size Match is selected for the file size detection condition, an extra
attachment that is labeled smime.p7m appears in the incident snapshot. The extra attachment increases the
match count of the incident.
• For a plain-text signed S/MIME email (without an attachment), the matches in the body are displayed in the
subfile_kv0.tmp file.
• Signed emails with no attachments are displayed with an attachment icon in the incident list, because the
intermediate file is flagged as an attachment.
About file type matching
1. Add a Message Attachment or File Type Match condition to a policy rule or exception, or edit an existing one.
Configuring policies
Configuring policy rules
Configuring policy exceptions
2. Configure the Message Attachment or File Type Match condition parameters.
Message Attachment or File Type Match condition parameters
3. Click Save to save the policy.

Table 596: Message Attachment or File Type Match condition parameters

Action | Description
Select the file type or types to match. | Select all the formats that you want to match (see Supported formats for file type identification). Click select all or deselect all to select or deselect all formats. To select all formats within a certain category (for example, all word-processing formats), click the section heading. The system implies an OR operator among all file types you select. For example, if you select Microsoft Word and Microsoft Excel file type attachments, the system detects all messages with Word or Excel documents attached. The system does not detect messages with both attachment types.
Match on attachments only. | This condition only matches on the Message Attachments component. See Detection messages and message components.
Also match on one or more conditions. | Select this option to create a rule. All conditions must match to trigger or except an incident. You can Add any condition available from the list. See Configuring compound rules.

Configuring the Message Attachment or File Size Match condition


The Message Attachment or File Size Match condition matches or excludes from matching files of a specified size. You
can configure an instance of this condition in policy rules and exceptions.
About file size matching
To configure the Message Attachment or File Size Match condition
1. Add Message Attachment or File Size Match to a policy, or edit a policy that already contains this rule.
Configuring policies
Configuring Policy Rules

Configuring policy exceptions
2. Configure the Message Attachment or File Size Match condition parameters:
Message Attachment or File Size Match parameters
3. Click Save to save the policy.

Table 597: Message Attachment or File Size Match parameters

Action | Description
Single File Size | Select More Than to specify the minimum file size of the file to match, or Less Than to specify the maximum file size to qualify a match. Enter a number, and select the unit of measure: bytes, kilobytes (KB), megabytes (MB), or gigabytes (GB).
Total Attachment File Size | Enter a number, and select the unit of measure: bytes, kilobytes (KB), megabytes (MB), or gigabytes (GB) to qualify a match.
Total Attachment File Count | Enter a number to specify the number of files to qualify a match.
Match on attachments only. | Select one or both of the following message components on which to base the match:
• Envelope – Not applicable to this condition.
• Subject – Not applicable to this condition.
• Body – The content of the message (this option applies only to Single File Size).
• Attachments – Any files that are attached to the message or transferred by the message.
See Selecting components to match on.
Also match one or more conditions. | Select this option to create a rule. All conditions must match to trigger or except an incident. You can Add any condition available from the list. See Configuring compound rules.

Configuring the Message Attachment or File Name Match condition


The Message Attachment or File Name Match condition matches based on the name of a file attached to the
message. You can configure an instance of this condition in policy rules and exceptions.
About file name matching
To configure the Message Attachment or File Name Match condition
1. Add a Message Attachment or File Name Match condition to a policy, or edit an existing one.
Configuring policies
Configuring Policy Rules
Configuring policy exceptions
2. Configure the Message Attachment or File Name Match condition parameters.
Message Attachment or File Name Match parameters

3. Click Save to save the policy.

Table 598: Message Attachment or File Name Match parameters

Action | Description
Specify the File Name. | Specify the file name to match using the DOS pattern matching language to represent patterns in the file name. Separate multiple matching patterns with commas or by placing them on separate lines. See: File name matching syntax; File name matching examples
Match on attachments. | This condition only matches on the Message Attachments component. See Detection Messages and Message Components.
Also match one or more conditions. | Select this option to create a rule. All conditions must match to trigger or except an incident. You can Add any condition available from the list. See Configuring compound rules.

File name matching syntax


For file name matching, the system supports the DOS pattern matching syntax to detect file names, including wildcards.
About file name matching
Any characters you enter (other than the DOS operators) match exactly. To enter multiple file names, enter them as
comma-separated values or one per line.
DOS Operators for file name detection describes the syntax for the Message Attachment or File Name Match condition.

Table 599: DOS Operators for file name detection

Operator | Description
. | Use a dot to separate the file name and the extension.
* | Use an asterisk as a wild card to match any number of characters (including none).
? | Use a question mark to match a single character.

File name matching examples


File name matching examples lists some examples for matching file names using the Message Attachment or File
Name condition.
About file name matching

Table 600: File name matching examples

Match objective | Example
To match a Word file name that begins with ENG- followed by any eight characters: | ENG-????????.doc
If you are not sure that it is a Word document: | ENG-????????.*
If you are not sure how many characters are in the name: | ENG-*.*
To match all file names that begin with ENG- and all file names that begin with ITA-: | Enter as comma separated values: ENG-*.*,ITA-* Or separate the file names by line space, with ENG-*.* on one line and ITA-* on the next.

Enabling the Custom File Type Signature Condition in the Policy Console
By default the Custom File Type Signature policy condition is not enabled. To implement the Custom File Type
Signature condition, you must first enable it.
About custom file type identification
To enable the Custom File Type Signature rule
1. Using a text editor, open the file \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\Manager.properties
2. Set the value of the following parameter to "true":
com.vontu.manager.policy.showcustomscriptrule=true

3. Stop and then restart the Symantec DLP Manager service.


4. Log back on to the Enforce Server Administration Console and add a new blank policy.
5. Add a new detection rule or exception and beneath the File Properties heading you should see the Custom File Type
Signature condition.
6. Configure the condition with your custom script.
Configuring the Custom File Type Signature condition

Configuring the Custom File Type Signature condition


The Custom File Type Signature condition matches custom file types that you have scripted. You can implement the
Custom File Type Signature condition in policy rules and exceptions.
About custom file type identification
Enabling the Custom File Type Signature condition in the policy console
To configure a Custom File Type Signature condition
1. Add a Custom File Type Signature condition to a policy rule or exception, or edit an existing one.
Configuring Policy Rules
Configuring policy exceptions
2. Configure the Custom File Type Signature condition parameters.
Custom File Type Signature parameters
3. Click Save to save the policy.

Table 601: Custom File Type Signature parameters

Action | Description
Enter the Script Name. | Specify the name of the script. The name must be unique across policies.
Enter the custom file type script. | Enter the File Type Matches Signature script for detecting the binary signature of the custom file type. See Detection Customization for details on writing custom scripts.
Match only on attachments. | This condition only matches on the Message Attachments component. See Detection Messages and Message Components.
Also match one or more conditions. | Select this option to create a rule. All conditions must match to trigger or except an incident. You can Add any condition available from the list. See Configuring compound rules.

Best practices for using file property matching


This section provides best practices for using file property matching conditions to match file formats, file size, and file
name.

Use compound file property rules to protect design and multimedia files
You can use IDM to protect files, or you can use file property rules. Unless you must protect an exact file, the general
recommendation is to use the file property rules because there is less overhead in setting up the rules.
For example, if you want to detect CAD files that contain IP diagrams, you could index these files and apply IDM rules to
detect them. Alternatively, you could create a policy that contains a file type rule that detects on the CAD file format plus a
file size rule that specifies a threshold size. The file property approach is preferred because in this scenario all you really
care about is protecting large CAD files potentially leaving the company. There is no need to gather and index these files
for IDM if you can simply create rules that will detect on the file type and the size.

Do Not Use File Type Matching to Detect Content


File type recognition only detects the file type based on the binary signature of the file. File type recognition does not crack
the file and detect the content. To detect content, use a content detection rule such as EDM, IDM, Data Identifiers, or
Keyword matching.
For custom file type detection, use the DLP Scripting Language.
About the scripting language

Calculate file size properly to improve match accuracy


The file size method counts both the body and any attachments in the file size you specify.

Use expression patterns to match file names


The following DOS pattern matching expressions are provided as examples for configuring the Message Attachment or
File Name condition.

Table 602: File name detection examples

Example

Any characters you enter (other than the DOS operators) match exactly.
For example, to match a Word file name that begins with ENG- followed by any eight characters, enter: ENG-????????.doc
If you are not sure that it is a Word document, enter: ENG-????????.*
If you are not sure how many characters follow ENG-, enter: ENG-*.*
To match all file names that begin with ENG- and all file names that begin with ITA-, enter: ENG-*.*,ITA-* (comma separated), or you can separate the file names by line space.
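The DOS patterns listed here and in File name matching examples translate mechanically to regular expressions. The following added Python example (not Symantec code) does that translation, accepts comma-separated or one-per-line pattern lists, and runs the ENG-/ITA- patterns from both tables over constructed file names; case-insensitive matching is this example's assumption.

```python
import re
from typing import List


def split_patterns(spec: str) -> List[str]:
    """Patterns may be separated by commas or placed one per line; blanks are dropped."""
    return [p.strip() for p in re.split(r"[,\r\n]+", spec) if p.strip()]


def dos_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one DOS pattern: '*' matches any run of characters (including none),
    '?' matches exactly one character, and everything else, the dot included,
    matches literally. Case-insensitive matching is an assumption of this example."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def file_name_matches(filename: str, spec: str) -> bool:
    """Message Attachment or File Name Match: true if any pattern in spec matches the whole name."""
    return any(rx.match(filename) for rx in map(dos_pattern_to_regex, split_patterns(spec)))


# Constructed file names run against the patterns from the examples above.
SAMPLES = ["ENG-20230615.doc", "ENG-20230615.pdf", "ENG-2023.doc", "ENG-report", "ITA-spec", "FRA-spec.doc"]

if __name__ == "__main__":
    for spec in ("ENG-????????.doc", "ENG-????????.*", "ENG-*.*", "ENG-*.*,ITA-*", "ENG-*.*\nITA-*"):
        print(repr(spec), [name for name in SAMPLES if file_name_matches(name, spec)])
```

Note that ENG-*.* requires a dot somewhere after ENG-, so an extensionless name such as ENG-report is not matched by it.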

Use scripts and plugins to detect custom file types
Symantec Data Loss Prevention provides two mechanisms for detecting custom file types: the DLP Scripting Language
and the Content Extraction SPI. If the only requirement is file type recognition, it may be easier to write a script than an
SPI plugin. But, there may be occasions where using a script is inadequate.
The scripting language does not support loops; you cannot iterate over the file type bytes and do some processing. The
scripting language is designed to detect a known signature at a relatively known offset. You cannot use the scripting
language to detect subtypes of the same document type. For example, if you wanted to detect password protected PDF files,
you could not use the scripting language. Or, if you wanted to detect only Word documents with track changes enabled,
you would have to write a plugin. On the other hand, you can deploy a script to the endpoint; currently plugins are
server-based only.
For more information on writing custom scripts, see About detection customization.

About detection customization


Symantec Data Loss Prevention provides the Data Loss Prevention Scripting Language to help you customize certain
aspects of detection, including custom file type identification and custom validators for Data Identifiers. The topics in this
section describe the scripting language, and include syntax, functions, example scripts, and tutorials. You'll also learn how
you can use the Symantec Data Loss Prevention File Type Analyzer utility to write custom file type identification scripts.
To implement detection customization, you should have general knowledge or experience of programming.

Table 603: Detection customization features

Customization type | Description
Custom file type identification | Symantec Data Loss Prevention detects more than 300 file types. However, if the type of file you want to detect is not supported, you can detect it using a custom script. Use the Symantec Data Loss Prevention Scripting Language to write a script that detects the binary signature of the particular file format you want to detect. Note: For a complete list of supported file types, see Overview of detection file format support. See: About the scripting language; Workflow for detecting custom file types
Custom script validators for Data Identifiers | Symantec Data Loss Prevention provides you with Data Identifiers to detect file contents. Data Identifiers use validation checks to increase match accuracy and reduce false positives. Symantec Data Loss Prevention provides more than 150 system-defined Data Identifier validators. In addition, you can use the Data Loss Prevention Scripting Language to write your own custom script validators for Data Identifiers. Note: For more information about Data Identifiers, see Introducing Data Identifiers. See: About the scripting language
File Type Analyzer | The Symantec Data Loss Prevention File Type Analyzer utility helps you determine the unique bytes of the custom file type you want to detect. You can then use the Symantec Data Loss Prevention Scripting Language to accurately identify custom file formats. See: About the File Type Analyzer utility

About the scripting language


Symantec Data Loss Prevention provides a scripting language that you can use to detect custom file types and to validate
custom data identifiers. You can deploy custom scripts for both the server and endpoint agent detection. You can extend
the language using pre-built functions.

Table 604: Detection features that support scripting

Feature | Description
Custom File Type Signature detection | The DLP Scripting Language lets you write a script that detects the unique bytes of a custom file type. See Workflow for detecting custom file types.
Custom script validators for Data Identifiers | The DLP Scripting Language lets you write a script to validate patterns in a message. See Implementing custom script validators.

About the scripting language syntax


The Symantec Data Loss Prevention Scripting Language is similar in syntax to the Perl programming language but
simplified for ease of use. The Symantec Data Loss Prevention Scripting Language uses statements to perform
operations on constant or variable values to check or manipulate data.
The Symantec Data Loss Prevention Scripting Language provides various system variables that you can use to access
stored data.
System variables
The Symantec Data Loss Prevention Scripting Language provides three types of statements that you can use to
check or manipulate data:
• Assert
Assert statement
• If/Else
If/Else statements
• Evaluate
Evaluate statement
The Symantec Data Loss Prevention Scripting Language has the following syntactical characteristics:
• Statements must end in a semicolon.
• Multiple statements can be included on a single line of code.
• Each statement must stand alone; nested statements are not supported.
NOTE
Symantec Data Loss Prevention may update statement names and may add additional statement functions.

System variables
System variables store the data that you can check and manipulate. For custom file type detection, the script has access
to the entire file by the $data variable. For custom validators, the script has access to the raw message, the normalized
message, and the 10 bytes preceding and trailing the matched data. For custom validators the script does not have
access to the entire message.
WARNING
Do not assign values to system variables. These variables already hold system-defined data. Use a local
variable such as $result to assign values. You should not use system variables with logical, assignment, or
arithmetic operations.

Table 605: System variables

$data
  The script engine creates the byte array $data variable when it reads in a file. The $data variable stores the entire file.

$match
  The script engine stores the data that matches the pattern in the $match variable before it is normalized.

$normalizedMatch
  The script engine stores the normalized matched data in the $normalizedMatch variable after it is normalized.

$matchPrefix
  You can use this variable to verify whether a message starts with a certain pattern. It holds the 10 bytes before the matched pattern.

$matchSuffix
  You can use this variable to verify whether a message ends with a certain pattern. It holds the 10 bytes after the matched pattern.

Assert statement
The Assert statement evaluates a Boolean expression and asserts the value "true" when the expression returns a match.
The Assert statement must end with a semicolon.
The Assert statement supports all regular Boolean expressions:
• == evaluates to
• >= greater than or equal to
• <= less than or equal to
• > greater than
• < less than
• != does not evaluate to

Table 606: Assert statement

assertTrue
  Use: Checks whether the value of $variable evaluates to the specified value (in this example, 3). If it does, the Boolean expression asserts the value of true.
  Example: assertTrue($variable == 3);

assertFalse
  Use: Asserts that the Boolean expression returns false. If the Boolean expression is true, this statement stops program execution and returns false.
  Example: assertFalse($variable != 4);

If/Else statements
You use the If/Else conditional statement to control the flow of program execution. The If/Else statement lets you include
conditional logic in your script when you need to evaluate the unique bytes of a complex data set.
The If/Else condition operates the same as conditional statements that other programming languages provide. The If/Else
statement takes a Boolean expression, evaluates it, and alters the execution of the program based on the result of the
expression.
The following example shows one way to use the If/Else conditional statement:

if ($var1 == 3)
{
    // statement
    // statement
}
else
    // statement

The scripting language supports nested execution of the statements that are contained within the conditional statement.
To use nested statements, you use brackets within the scope of an If/Else statement to offset the multiple script
statements.
If the data set you want to evaluate requires more advanced conditional logic, you can declare multiple If/Else statements
nested within each other.

Evaluate statement
The Evaluate statement provides a number of functions that you can use to evaluate data. Not all functions are
available for each feature.

Table 607: Evaluate statement functions per feature

Evaluate statement function   Custom file type   Custom Script Validator
Addition                      X                  X
AsciiValue                    X                  NO
DataLength                    X                  X
Execute+                      X                  x
GetAsciiStringAt              X                  X
GetBinaryIntValue             X                  NO
GetBinaryValueAt              X                  NO
GetHexStringValueAt           X                  NO
GetIntegerAt                  X                  X
GetStringValueAt              NO                 X
Modulus                       X                  X
Multiply                      X                  X
Print+                        X                  x
ReadFile+                     X                  x
Subtract                      X                  X

Key:
• X = Feature supports the statement on server and endpoint.
• NO = Statement is not supported by that feature.
• x = Statement is not supported on the endpoint; server-side only.
• + = Advanced function, requires you to set the system property "genieScript.ADVANCED_FUNCTION_ENABLED.str"
to true.

Evaluate statement functions
You use Evaluate statements to execute functions on variable or constant data values. You can save the return value of
an Evaluate function as a variable or discard the return value. Evaluate statements must end with a semicolon.
NOTE
To ensure that your scripts run on the server and the endpoint, script values must be specified in hexadecimal
(hex) notation. For example, $int4 = getBinaryValueAt($data,0x19,2) is proper. However, if the following
non-hex value is specified in an endpoint environment, the script causes the DLP Agent to crash: $int4 =
getBinaryValueAt($data,25,2).

Table 608: Evaluate statement functions

Addition (add)
  Description: Adds two or more values together and returns the result. The values can be variables or constants. You can save the returned result as a variable or discard the result.
  Examples:
    $result = add($var1, $var4);      (adds two variables together and returns the value in $result)
    add(1, 2);                        (adds two constants together but discards the value)
    $result = add($var1, 2, $var4);   (adds three values together)

AsciiValue (ascii)
  Description: Takes a single ASCII string as a parameter and assigns it to the specified variable. The length of the ASCII parameter must be from one to four characters. You can use this statement for readability purposes.
  Example:
    $result = ascii('CFV');           (the $result variable is assigned the specified ASCII value)

DataLength (datalength)
  Description: Counts the length of the variable array. The function takes the variable name of a byte array as a parameter and returns the number of bytes in that array.
  Example:
    $result = datalength($data);      (the engine creates the byte array $data variable when it reads in a file; the $data variable stores up to the first 4 KB of the file)

Execute (advanced function) (execute)
  Description: Allows a user to call methods on any Java objects available as variables in the script's computation state. For example, if you have a String saved under the variable name $data, you can call the String's equals method using the execute function.
  Example:
    $result = execute($string1, equals, $string2);   (assuming that a String is saved under the variable $string)

GetAsciiStringAt (getAsciiStringAt)
  Description: Treats the data as ASCII characters and converts the data into a string. The data is converted starting from the specified offset for the specified number of digits.
  Example:
    The variable $data is a byte array with the values 'abcdef'.getBytes();
    $result = getAsciiStringAt($data, 0x0, 3);       (the result should be abc)

GetBinaryIntValue (getBinaryIntValue)
  Description: Pulls the byte data as an integer from the specified index of a byte array variable. It also allows a user to specify how many digits to pull from the data. Since the return value is an integer, the number of digits has to be 1 – 4 bytes. You can use this function to analyze data at specific offsets of a byte array. The digits are combined to form an integer value.
  Examples:
    The $data variable is a byte array with values {(byte)0x59, (byte)0xAD, (byte)0x1C, (byte)0xDF, (byte)0x2B, (byte)0x37}.
    $result = getBinaryIntValue($data, 0x0, 1);      (in this example the $result should equal 89)
    The $data variable is a byte array with values {1, 2, 3}.
    $result = getBinaryIntValue($data, 1);           (the $result should equal 2)

GetBinaryValueAt (getBinaryValueAt)
  Description: Pulls the byte data into a new byte array based on the offset and length specified. The new byte array can then be compared to other byte arrays for equality. This function lets you specify how many digits to retrieve from the data (from 1 - 4 bytes). You use this function to analyze data at specific offsets of a byte array.
  Note: GetBinaryValueAt() returns an array with the bytes, whereas GetBinaryIntValue() returns an integer that is composed of the bytes.
  Examples:
    The variable $data is a byte array with values {(byte)0x59, (byte)0xAD, (byte)0x1C, (byte)0xDF, (byte)0x2B, (byte)0x37}.
    $result = getBinaryValueAt($data, 0x0, 1);       (the $result should be a byte array with the byte 0x59)
    The $data variable is a byte array with values {1, 2, 3}.
    $result = getBinaryValueAt($data, 1);            (the $result should equal a new byte array with the number 2 in it)

GetHexStringValue (getHexStringValue)
  Description: Takes a hexadecimal string as a parameter and converts it to the byte (binary) representation.
  Example:
    $result = getHexStringValue('D0CF');

GetIntegerAt (getIntegerAt)
  Description: Similar to GetAsciiStringAt, except GetIntegerAt parses the ASCII characters and converts them to an integer value. The data is converted starting from the specified offset for the specified number of digits. If a character is not a numerical value, the script throws an exception.
  Example:
    The $data variable is a byte array with the values '12345'.getBytes();
    $result = getIntegerAt($data, 0x2, 2);           (the result should be 34)

GetStringValueAt (getStringValueAt)
  Description: Pulls the data into a new character array based on the offset and length specified. The new byte array can then be compared to other byte arrays for equality.
  Examples:
    The variable $data is a byte array with values {(byte)0x59, (byte)0xAD, (byte)0x1C, (byte)0xDF, (byte)0x2B, (byte)0x37}.
    $result = getStringValueAt($data, 0x0, 1);       (the result should be byte 0x59)
    The variable $data is a byte array with values {1, 2, 3}.
    $result = getStringValueAt($data, 1);            (the result should equal a new byte array with the number 2 in it; the offset starts at 0)

Modulus (mod)
  Description: Returns the mod of two parameters. The mod is the remainder of the first parameter divided by the second.
  Example:
    $result = mod(5, 3);                             (the result should be 2)

Multiply (multiply)
  Description: Takes two or more arguments and multiplies their values.
  Examples:
    $result = multiply(2, 4);                        (the result should be 8)
    $result = multiply(2, 4, 6);                     (the result should be 48)

Print (advanced function) (print)
  Description: Takes its arguments, concatenates them all together, and prints the result to standard out.
  Example:
    print('hello');                                  (no result to save, but standard out should have the string)

ReadFile (advanced function) (readfile)
  Description: Takes a file that is saved as a variable in the computation state, reads the specified number of bytes from the file as a byte array, and returns the byte array. This function requires two arguments.
  Example:
    $result = readFile($file, 10);                   (the $result variable should contain a byte array of the first 10 bytes of the file that is saved under the variable $file)

Subtract (sub)
  Description: Subtracts elements 2 through N from the first element.
  Examples:
    $result = sub(10, 4);                            (the result should be 6)
    $result = sub(10, 4, 6, 3);                      (the result should be -3)

Example scripts for custom file type detection
Listed here are several example script solutions that detect custom file types. These examples can be used as reference
for writing your own custom scripts and for detecting the indicated custom file type.
The following script example detects the Microsoft Word file type:
$Int1 = getHexStringValue('D0CF');
$Int2 = getBinaryValueAt($data, 0x0, 2);
assertTrue($Int1 == $Int2);
$Int3 = getHexStringValue('ECA5');
$Int4 = getBinaryValueAt($data, 0x200, 2);
assertTrue($Int3 == $Int4);

The following script example detects the CDD file type:


$Int1 = getBinaryValueAt($data, 0x0, 4);
$Int2 = getBinaryValueAt($data, 0x8, 4);
assertTrue($Int1 == $Int2);
$Int3 = getBinaryValueAt($data, 0x0, 2);
$Int4 = getBinaryValueAt($data, 0x2, 2);
assertTrue($Int3 != $Int4);
$Last = getBinaryValueAt($data, 0x27, 1);
$RecSep = getHexStringValue('1e');
assertTrue($Last == $RecSep);

The following script example detects the CATIA file type:


$Int1 = ascii('V');
$Int2 = getBinaryValueAt($data, 0x0, 1);
assertTrue($Int1 == $Int2);
$Int3 = ascii('CFV');
$Int4 = getBinaryValueAt($data, 0x3, 3);
assertTrue($Int3 == $Int4);

The following script example detects the EPUB file type:


$slash=getHexStringValue('2f');
$epub1=ascii('epub');
$epub2=ascii('zip');
$slash1=getBinaryValueAt($data, 0xb, 1);
assertTrue($slash == $slash1);
$word1=getBinaryValueAt($data, 0xc, 4);
assertTrue($word1 == $epub1);
$word2=getBinaryValueAt($data, 0x11, 3);
assertTrue($word2 == $epub2);

NOTE
EPUB files are in the open book format (XML) encapsulated in a zip file format. You cannot test this script
using the File Type Analyzer utility because the script detects the "application/epub+zip" string contained in
the manifest file (named "mimetype"). The utility cannot crack the zip file to read the manifest. However, the
detection engine can crack the zip file and read the manifest. You can implement this script in an instance of the
Custom File Type Signature detection rule and detect EPUB files.
The following script example detects the Amazon Kindle file type:
$book=ascii('BOOK');
$mobi=ascii('MOBI');
$word1=getBinaryValueAt($data, 0x3c, 4);
$word2=getBinaryValueAt($data, 0x40, 4);
assertTrue($book == $word1);
assertTrue($mobi == $word2);
$null=getBinaryValueAt($data, 0x3b, 1);
assertTrue($null == 0);
$nullx=getBinaryValueAt($data, 0x44, 1);
assertTrue($nullx == 0);

The following script example detects the Oracle IRM file type, which is used for Digital Rights Management (DRM):
$soft=ascii('Soft');
$seal=ascii('SEAL');
$word1=getBinaryValueAt($data, 0x0, 4);
$word2=getBinaryValueAt($data, 0x4, 4);
assertTrue($soft == $word1);
assertTrue($seal == $word2);
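The Evaluate functions of Table 608 and the detection scripts above, modelled as an added Python example (not Symantec's script engine or code from this guide): each script's chain of assertTrue conditions becomes a Boolean function that is run against constructed buffers carrying only the bytes the script probes. The byte order for multi-byte getBinaryIntValue reads and the treatment of a read past the end of $data as a failed assertion are assumptions.

```python
"""Reference model of the byte-level Evaluate functions from Table 608, used to run the
magic-byte scripts against constructed buffers. Illustrative Python for this page, not
Symantec's script engine; byte order for multi-byte getBinaryIntValue reads and the
treatment of reads past the end of $data are assumptions, marked below."""
from typing import Callable, Dict, List


def get_hex_string_value(hex_str: str) -> bytes:
    # getHexStringValue('D0CF') -> the bytes D0 CF
    return bytes.fromhex(hex_str)


def ascii_value(text: str) -> bytes:
    # ascii('CFV'): the page limits the literal to one to four characters
    if not 1 <= len(text) <= 4:
        raise ValueError("ascii() literal must be 1-4 characters")
    return text.encode("ascii")


def get_binary_value_at(data: bytes, offset: int, length: int = 1) -> bytes:
    # getBinaryValueAt($data, offset, length): 1-4 bytes copied into a new byte array
    if not 1 <= length <= 4:
        raise ValueError("length must be 1-4 bytes")
    if offset + length > len(data):
        raise IndexError("read past the end of $data")  # sample shorter than the probed offset
    return data[offset:offset + length]


def get_binary_int_value(data: bytes, offset: int, length: int = 1) -> int:
    # getBinaryIntValue: the same bytes combined into an integer ({0x59,...}, 1 byte -> 89).
    # Assumption: big-endian combination; the page only shows single-byte examples.
    return int.from_bytes(get_binary_value_at(data, offset, length), "big")


# Each script is a chain of the page's assertTrue conditions: the first failing condition
# ends the script, which is modelled here by short-circuit `and`.
def is_ms_word(data: bytes) -> bool:
    return (get_binary_value_at(data, 0x0, 2) == get_hex_string_value("D0CF")
            and get_binary_value_at(data, 0x200, 2) == get_hex_string_value("ECA5"))


def is_cdd(data: bytes) -> bool:
    return (get_binary_value_at(data, 0x0, 4) == get_binary_value_at(data, 0x8, 4)
            and get_binary_value_at(data, 0x0, 2) != get_binary_value_at(data, 0x2, 2)
            and get_binary_value_at(data, 0x27, 1) == get_hex_string_value("1e"))


def is_catia(data: bytes) -> bool:
    return (get_binary_value_at(data, 0x0, 1) == ascii_value("V")
            and get_binary_value_at(data, 0x3, 3) == ascii_value("CFV"))


def is_kindle(data: bytes) -> bool:
    return (get_binary_value_at(data, 0x3c, 4) == ascii_value("BOOK")
            and get_binary_value_at(data, 0x40, 4) == ascii_value("MOBI")
            and get_binary_int_value(data, 0x3b, 1) == 0
            and get_binary_int_value(data, 0x44, 1) == 0)


def is_oracle_irm(data: bytes) -> bool:
    return (get_binary_value_at(data, 0x0, 4) == ascii_value("Soft")
            and get_binary_value_at(data, 0x4, 4) == ascii_value("SEAL"))


SCRIPTS: Dict[str, Callable[[bytes], bool]] = {
    "Microsoft Word": is_ms_word, "CDD": is_cdd, "CATIA": is_catia,
    "Amazon Kindle": is_kindle, "Oracle IRM": is_oracle_irm,
}


def identify(data: bytes) -> List[str]:
    """Return the names of every script whose assertions all hold for this buffer.
    Assumption: a read past the end of the data counts as a failed assertion (no match)."""
    matches = []
    for name, script in SCRIPTS.items():
        try:
            if script(data):
                matches.append(name)
        except IndexError:
            pass
    return matches


def make_sample(layout: Dict[int, bytes], size: int) -> bytes:
    # Constructed test buffer: zero-filled, with the given bytes placed at the given offsets.
    buf = bytearray(size)
    for offset, chunk in layout.items():
        buf[offset:offset + len(chunk)] = chunk
    return bytes(buf)


# Constructed samples carrying only the bytes each script probes (not real files).
WORD_SAMPLE = make_sample({0x0: b"\xd0\xcf", 0x200: b"\xec\xa5"}, 0x210)
CDD_SAMPLE = make_sample({0x0: b"\x12\x34\x56\x78", 0x8: b"\x12\x34\x56\x78", 0x27: b"\x1e"}, 0x28)
CATIA_SAMPLE = make_sample({0x0: b"V", 0x3: b"CFV"}, 0x20)
KINDLE_SAMPLE = make_sample({0x3c: b"BOOK", 0x40: b"MOBI"}, 0x50)  # 0x3b and 0x44 stay 0
IRM_SAMPLE = make_sample({0x0: b"SoftSEAL"}, 0x10)

if __name__ == "__main__":
    for label, sample in [("word", WORD_SAMPLE), ("cdd", CDD_SAMPLE), ("catia", CATIA_SAMPLE),
                          ("kindle", KINDLE_SAMPLE), ("irm", IRM_SAMPLE), ("empty", b"")]:
        print(f"{label:>6}: {identify(sample)}")
```

A Word sample truncated before offset 0x200 is reported as no match, which is the same behaviour a script gets when it probes an offset beyond the bytes the engine read.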

The following two tutorials offer additional examples of the scripting language:
• Java class files
Tutorial 1: Detecting Java class files
• Password-encrypted zip files
Tutorial 2: Detecting an encrypted ZIP file format

Example scripts for custom validators


Provided here are some example custom script validators, including:
• Basic custom script validator
Basic custom script validator
• 10-character custom script validator
10-character custom script validator
• Turkish ID custom script validator
Turkish ID custom script validator
The following script is a basic custom validator that validates a 5-digit data identifier by retrieving the 5th digit and the first
four digits, assigning them to variables, and comparing these values against the expected datalength.

Table 609: Basic custom script validator

Pattern
  \d{5}

Normalizer
  Do Nothing

Custom Script
  $s1 = getStringValueAt($normalizedMatch, 0x4,1); // Get the 5th digit
  $s2 = getStringValueAt($normalizedMatch, 0x0,4); // Get the first 4 digits
  $size1 = datalength($s1); // Calculate the length; it should be 1
  $size2 = datalength($s2); // Calculate the length; it should be 4
  assertTrue($size1 == 1); // Check if size = 1
  assertFalse($size2 != 4); // Check if size is anything other than 4

The following custom script validates a 10-character string in the form of LL/MM/DD/YYYY. The first two characters
are the initials of the person and are excluded from validation. The remaining digits are saved into separate variables,
computed by a multiplier, and added. Then they are compared to ensure that they conform to a proper day (less than 32),
month (less than 13), and year (less than 2051).

Table 610: 10-character custom script validator

Pattern
  \l{2}\d{8}

Normalizer
  Digits and Letters

Custom Script
  $m1 = getIntegerAt($normalizedMatch, 0x2, 1);
  $m2 = getIntegerAt($normalizedMatch, 0x3, 1);
  $d1 = getIntegerAt($normalizedMatch, 0x4, 1);
  $d2 = getIntegerAt($normalizedMatch, 0x5, 1);
  $y1 = getIntegerAt($normalizedMatch, 0x6, 1);
  $y2 = getIntegerAt($normalizedMatch, 0x7, 1);
  $y3 = getIntegerAt($normalizedMatch, 0x8, 1);
  $y4 = getIntegerAt($normalizedMatch, 0x9, 1);

  $m1 = multiply($m1, 10);
  $d1 = multiply($d1, 10);
  $y1 = multiply($y1, 1000);
  $y2 = multiply($y2, 100);
  $y3 = multiply($y3, 10);

  $Day = Add($d1, $d2);
  $Month = Add($m1, $m2);
  $Year = Add($y1, $y2, $y3, $y4);

  assertTrue($Day > 0);
  assertTrue($Day <= 31);
  assertTrue($Month > 0);
  assertTrue($Month <= 12);
  assertTrue($Year >= 1910);
  assertTrue($Year <= 2050);

The following custom script validator can be used to verify the match of a Turkish ID number. A Turkish ID is an 11-digit
number. The first digit cannot be zero. The 10th and 11th digits are check digits for error detection.

Table 611: Turkish ID custom script validator

Pattern
  \d{11}

Normalizer
  Digits Only

Custom Script
  $k1 = getIntegerAt($normalizedMatch, 0x0, 1);
  $k2 = getIntegerAt($normalizedMatch, 0x1, 1);
  $k3 = getIntegerAt($normalizedMatch, 0x2, 1);
  $k4 = getIntegerAt($normalizedMatch, 0x3, 1);
  $k5 = getIntegerAt($normalizedMatch, 0x4, 1);
  $k6 = getIntegerAt($normalizedMatch, 0x5, 1);
  $k7 = getIntegerAt($normalizedMatch, 0x6, 1);
  $k8 = getIntegerAt($normalizedMatch, 0x7, 1);
  $k9 = getIntegerAt($normalizedMatch, 0x8, 1);
  $c1 = getIntegerAt($normalizedMatch, 0x9, 1);
  $c2 = getIntegerAt($normalizedMatch, 0xA, 1);

  $iOdds = add($k1, $k3, $k5, $k7, $k9);
  $iEvens = add($k2, $k4, $k6, $k8);
  $iOddsMltSeven = multiply($iOdds, 7);
  $iEvensMltNine = multiply($iEvens, 9);
  $iOddsMltEight = multiply($iOdds, 8);
  $iMidSum = add($iOddsMltSeven, $iEvensMltNine);
  $iCheck1 = mod($iMidSum, 10);
  assertTrue($iCheck1 == $c1);
  $iCheck2 = mod($iOddsMltEight, 10);
  assertTrue($iCheck2 == $c2);
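The 10-character date validator and the Turkish ID validator above, carried through as an added Python example (not Symantec's engine or code from this guide): the same getIntegerAt, multiply, add and mod steps as the scripts, plus a helper that derives the two check digits so a valid sample can be constructed without using a real identifier. How the engine treats an exception thrown inside a validator is not stated on the page; treating it as a rejected match is an assumption.

```python
"""Python model of the two custom script validators (LL/MM/DD/YYYY and Turkish ID),
following the getIntegerAt / multiply / add / mod steps of the page's scripts.
Illustrative code written for this page, not Symantec's engine; run_validator's handling
of a thrown exception as a rejected match is an assumption."""
from typing import Callable, Tuple


def get_integer_at(data: bytes, offset: int, length: int) -> int:
    # getIntegerAt: parse ASCII digits starting at offset; a non-numeric character raises,
    # mirroring "the script throws an exception" in Table 608.
    chunk = data[offset:offset + length]
    if len(chunk) != length or not chunk.isdigit():
        raise ValueError(f"non-numeric data at offset {offset:#x}")
    return int(chunk)


def validate_initials_date(normalized_match: bytes) -> bool:
    # Pattern \l{2}\d{8}, normalizer "Digits and Letters": two initials, then MMDDYYYY.
    # Offsets 0-1 (the initials) are skipped, as in the page's script.
    m = get_integer_at(normalized_match, 0x2, 1) * 10 + get_integer_at(normalized_match, 0x3, 1)
    d = get_integer_at(normalized_match, 0x4, 1) * 10 + get_integer_at(normalized_match, 0x5, 1)
    y = (get_integer_at(normalized_match, 0x6, 1) * 1000
         + get_integer_at(normalized_match, 0x7, 1) * 100
         + get_integer_at(normalized_match, 0x8, 1) * 10
         + get_integer_at(normalized_match, 0x9, 1))
    # Same bounds as the script's assertTrue lines.
    return 0 < d <= 31 and 0 < m <= 12 and 1910 <= y <= 2050


def turkish_check_digits(k: str) -> Tuple[int, int]:
    # The two check digits the page's script expects for the nine data digits k1..k9:
    #   c1 = (7 * (k1+k3+k5+k7+k9) + 9 * (k2+k4+k6+k8)) mod 10
    #   c2 = (8 * (k1+k3+k5+k7+k9)) mod 10
    digits = [int(ch) for ch in k]
    odds = sum(digits[0::2])    # $iOdds  = add($k1, $k3, $k5, $k7, $k9)
    evens = sum(digits[1::2])   # $iEvens = add($k2, $k4, $k6, $k8)
    return (odds * 7 + evens * 9) % 10, (odds * 8) % 10


def validate_turkish_id(normalized_match: bytes) -> bool:
    # Pattern \d{11}, normalizer "Digits Only": k1..k9 at offsets 0x0-0x8, check digits
    # c1 and c2 at 0x9 and 0xA.
    k = "".join(str(get_integer_at(normalized_match, i, 1)) for i in range(9))
    c1 = get_integer_at(normalized_match, 0x9, 1)
    c2 = get_integer_at(normalized_match, 0xA, 1)
    if k[0] == "0":
        # "The first digit cannot be zero" is stated in the text but not enforced by the
        # script or the \d{11} pattern, so it is added here as an explicit step.
        return False
    return turkish_check_digits(k) == (c1, c2)


def run_validator(validator: Callable[[bytes], bool], normalized_match: bytes) -> bool:
    # Assumption: an exception inside the script (e.g. a letter where a digit is expected)
    # rejects the match rather than accepting it.
    try:
        return validator(normalized_match)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs, not real identifiers.
    print(run_validator(validate_initials_date, b"JD12252024"))  # valid date
    print(run_validator(validate_initials_date, b"JD13012024"))  # month 13 rejected
    k9 = "123456789"
    c1, c2 = turkish_check_digits(k9)
    print(run_validator(validate_turkish_id, f"{k9}{c1}{c2}".encode()))  # valid
    print(run_validator(validate_turkish_id, b"21345678950"))  # transposed digits rejected
```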

About the File Type Analyzer utility


To assist you with analyzing custom file types, you can use the Symantec Data Loss Prevention File Type Analyzer utility.
The File Type Analyzer utility helps you find the commonalities and attributes that describe a custom file type. This data is
often referred to as "magic bytes" because these are the unique characters that positively identify the file type.
The File Type Analyzer utility is a standalone Java application that features a graphical user interface. This utility
enables you to perform the following operations:
• Read in a collection of files from a directory or directories (the "data set").
• View and compare the unique bytes for each file in the data set.
• Analyze the bytes across files and determine those that are consistent.
• Test a custom file type detection script.
• Save and open data set configurations and test scripts.

Installing the File Type Analyzer utility

Installing the File Type Analyzer utility


The Symantec Data Loss Prevention File Type Analyzer utility is available for Windows only.

The File Type Analyzer is included in the Symantec_DLP_16.0_Platform_(OS)-IN.zip file that can be downloaded
from the Broadcom Product Downloads portal.
1. Double-click the fileanalyzer_windows_x64-4_0_1.exe executable.
2. At the "Welcome" screen, click Next.
3. Accept the default Destination Directory C:\Program Files\File Analyzer.
Or, you can change the Destination Directory to one you prefer.
4. Click Next to install the utility.
5. Click Finish to complete the installation process.

About the File Type Analyzer utility

Launching the File Type Analyzer utility


You can run the File Type Analyzer utility in GUI mode or from the command line. The GUI mode of operation is
recommended because it lets you test your script against a configured dataset.
1. Obtain the File Type Analyzer utility and install it.
Installing the File Type Analyzer utility
2. Navigate to the installation folder where you installed the utility.
For example: C:\Program Files\File Analyzer
3. Double-click the analyzer_gui.exe executable.
The File Type Analyzer utility interface should appear.

Creating the data set


The File Type Analyzer utility offers several parameters for configuring the data set in preparation for analyzing file type
byte data.

Table 612: Parameters for configuring the data set

Add Directory
  This option lets you choose which directories to include in the file analysis. You can add multiple directories to a single data set.
  Each directory that you select should contain samples of the file type you want to analyze and ultimately detect. To have a useful data set, include several samples of the file type, including different versions of the product with different features enabled and disabled.
  Note: To achieve the best results, the recommended minimum sample size is 15 files of the same file type.

Remove Directory
  This option lets you remove a directory that you have added to the data set. You can select multiple directories to remove. When a directory is removed, it is no longer scanned as part of the data set.

File Name Filter
  This field contains a regular expression pattern that tells the utility which files from each directory to include in the data set. A regular expression is used because it provides flexibility for filtering the files that you want to include in your data set.
  The following regular expression reads in all ASCII file names from a directory (or directories) to a data set:
  [\w\s]+.[\w]+
  The following regular expression lets you filter the file names that use non-ASCII characters:
  [^0x00]+.[\w]+
  Note: For assistance with using regular expressions for file name filtering, see the topic "About writing regular expressions" in the Symantec Data Loss Prevention Help Center.

Number of Bytes
  This field specifies the number of bytes per file to display for analysis. The default maximum value for this field is 1024 bytes.
  Increasing the number of bytes that are analyzed

Chunk Size
  This field represents the size of the group of bytes to be displayed in a column. For example, if you enter 2 in this field, the utility displays 2 bytes of data in each column (offset).

Parser Type
  This option defines how the data is displayed for analysis from the scanned data set.
  • The BYTE option displays the analysis results in hexadecimal format representing the corresponding byte value.
  • The ASCII option displays the analysis results as ASCII characters.
  • The NUMBER option displays the analysis results in integer format.

Recursive Scan
  If this box is checked, the utility scans each directory and any subdirectories that are included in the data set. If a directory contains subdirectories where files you want to scan are located, choose this option.
  Note: Recursive scanning is memory intensive. If you want to analyze either a large or a recursive data set, consider increasing the Java heap size to improve performance.
  Increasing the Java heap size for large or recursive data sets

Analyze Dataset
  Click this option when you have completed configuring the data set. The File Type Analyzer utility validates the input and initiates the file analysis process. The utility reads in all the necessary data and displays the results in the "Analyze Dataset" screen.

Analyzing data set results


The Analyze Data set screen displays the results of the data set based on the criteria you specified.
Once the utility filters the files in your data set, it sorts and displays the data by tabs according to file extension. You can
further sort the data by clicking the column names. You can also delete columns or rows of irrelevant data by selecting the
row or column and performing a right-click.
NOTE
The File Type Analyzer utility uses the file extension to organize by tab the files in your data set. However, the
file extension is not a reliable means of detecting a file type because the file extension can easily be changed.
Symantec Data Loss Prevention detects file type based on uniquely-identifying specific bytes.
When you analyze data set results, your goal is to locate the unique bytes that are consistent for each instance of the file
type. These unique bytes are the "magic bytes" for the analyzed file type. You must determine what the magic bytes are to
write a script that detects the custom file type. For example, the first 2 bytes of a Microsoft Word file (*.doc) are D0 CF (in
hexadecimal format).
To help you assess the results and find the magic bytes for the custom file type, click the Analyze Table Data option.
With the default option COLUMN_MATCH selected, the File Type Analyzer utility highlights the columns that are the same
across all files in the selected tab.
The ROW_OFFSET_MATCH option looks for byte matches within the same file (row). The offsets (columns) that match in
the same row are highlighted; those that match the same offset in another row are not. This option is useful for a few file
types that use unique bytes within the same file to indicate file type. For example, the CADAM file type (*.cdd) uses the
same values for bytes 0 – 3 and bytes 8 – 11 within each file, but these values are different across files.
Once you have analyzed the results and determined the magic bytes, the next step is to write a script to detect the file
type.
About the scripting language syntax
Refer to the tutorials for instructions on creating the data set, analyzing the results, and writing a script to detect a custom
file type. These tutorials demonstrate how the File Type Analyzer utility works and should help you get started scripting
solutions to detect custom file types.
Tutorial 1: Detecting Java class files
Tutorial 2: Detecting an encrypted ZIP file format
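The two Analyze Table Data modes described above, COLUMN_MATCH and ROW_OFFSET_MATCH, modelled as an added Python example over constructed sample sets (not the File Type Analyzer's own code). The "Number of Bytes" and "Chunk Size" parameters are carried through as arguments; ignoring all-zero chunks in the row-offset search is an assumption made so that zero padding does not match itself.

```python
"""Model of the File Type Analyzer's COLUMN_MATCH and ROW_OFFSET_MATCH analyses, run over
constructed sample files. Illustrative Python written for this page, not the utility's own
code; skipping all-zero chunks in the row-offset search is an assumption."""
from typing import Dict, List, Tuple


def read_chunks(sample: bytes, number_of_bytes: int = 1024, chunk_size: int = 1) -> List[bytes]:
    # Mirrors the "Number of Bytes" and "Chunk Size" parameters: at most number_of_bytes of
    # each file, split into chunk_size-wide columns (offsets).
    head = sample[:number_of_bytes]
    return [head[i:i + chunk_size] for i in range(0, len(head), chunk_size)]


def column_match(samples: List[bytes], number_of_bytes: int = 1024,
                 chunk_size: int = 1) -> Dict[int, bytes]:
    # COLUMN_MATCH: offsets whose value is identical in every file of the data set, i.e.
    # the magic-byte candidates. The comparison stops at the shortest file.
    rows = [read_chunks(s, number_of_bytes, chunk_size) for s in samples]
    width = min(len(r) for r in rows)
    return {i * chunk_size: rows[0][i] for i in range(width)
            if all(r[i] == rows[0][i] for r in rows)}


def row_offset_match(sample: bytes, number_of_bytes: int = 1024,
                     chunk_size: int = 4) -> List[Tuple[int, int]]:
    # ROW_OFFSET_MATCH within one file: pairs of offsets holding the same non-zero value.
    cols = read_chunks(sample, number_of_bytes, chunk_size)
    return [(i * chunk_size, j * chunk_size)
            for i in range(len(cols)) for j in range(i + 1, len(cols))
            if cols[i] == cols[j] and any(cols[i])]


def consistent_row_offset_pairs(samples: List[bytes], number_of_bytes: int = 1024,
                                chunk_size: int = 4) -> List[Tuple[int, int]]:
    # Pairs that repeat inside every file but whose value is NOT constant across files:
    # the CDD pattern (bytes 0-3 equal bytes 8-11 per file, different from file to file).
    # Offsets that also match the same offset in other rows are excluded, as the page states.
    common = set(row_offset_match(samples[0], number_of_bytes, chunk_size))
    for s in samples[1:]:
        common &= set(row_offset_match(s, number_of_bytes, chunk_size))
    constant = column_match(samples, number_of_bytes, chunk_size)
    return sorted(p for p in common if p[0] not in constant)


def word_like(tail: bytes) -> bytes:
    # Constructed sample: the D0 CF prefix the page cites, padded to eight header bytes,
    # followed by per-file bytes that must not be reported as magic bytes.
    return b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + tail


def cdd_like(ident: bytes) -> bytes:
    # Constructed CADAM-style sample: a 4-byte id at offsets 0 and 8, 0x1e at offset 0x27.
    buf = bytearray(0x28)
    buf[0:4] = ident
    buf[8:12] = ident
    buf[0x27] = 0x1e
    return bytes(buf)


WORD_SET = [word_like(bytes([i, i + 1, i + 2, i + 3])) for i in (0x10, 0x20, 0x30)]
CDD_SET = [cdd_like(b"\x01\x02\x03\x04"), cdd_like(b"\x05\x06\x07\x08"),
           cdd_like(b"\x09\x0a\x0b\x0c")]

if __name__ == "__main__":
    print("Word columns:", {hex(k): v.hex() for k, v in column_match(WORD_SET).items()})
    print("CDD repeated offsets:", consistent_row_offset_pairs(CDD_SET))
```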

Testing the script solution


The File Type Analyzer utility provides fields for entering your custom script solution, annotating it, and testing the solution
against the data set.

Table 613: Parameters for testing the script solution against the data set

Solution
  This field is where you enter the script text you want to use to detect the custom file type.
  About the scripting language syntax

Notes
  This field provides a mechanism for annotating the data set you have configured and your script solution. This field is useful for saving your data set configurations and script solutions.
  Symantec Data Loss Prevention File Type Analyzer utility interface
  Saving, opening, editing a data set

Test Solution
  Click this option to verify that your script accurately detects the custom file type.

When you test your solution, the utility takes the data from the data set table and filters the files based on the data set
criteria. Once the data set is built, the script engine runs the solution against the data set. Then it displays the results
in the "Test Dataset Results" screen. The displayed results give you an indication of how well your script has worked to
detect the custom file type.
The "Test Dataset Results" screen displays the results of the test in two tabbed panes:
• Matched Files – The top pane lists all the files in the configured data set that your script detected.
• Mismatched Files – The bottom pane displays all the files in the configured data set that your script did not detect.
This bifurcated display lets you quickly assess the accuracy of your script. You can easily see files matched that should
not (false positives). You can also see the files that failed to match but should have (false negatives). Finally, you can see
if there is any discrepancy between a file extension and the actual file type based on its unique bytes.

Saving, opening, editing a data set


The File Type Analyzer utility lets you save configured data sets for subsequent reuse. You can open a saved data
set configuration and reanalyze the data at any time. You can also edit a configured data set, change its configuration
parameters, and update your script solution.

Table 614: Options for saving, opening, editing a data set

Save
  You can perform a File > Save action to save your data set configuration and script solution. The file is saved as a *.fgi file type.

Open
  You can perform a File > Open action to open a saved data set. Browse to the *.fgi file and open it.

Edit Dataset
  Use this option to change the configuration parameters of an active data set. You can add directories to or remove directories from the data set, change configuration parameters, or update the script solution.

Increasing the Java heap size for large or recursive data sets
If you analyze a large or a recursive data set, you may have to wait to analyze or test the files in the data set. The File
Type Analyzer utility needs to scan each directory in the data set. Then it performs I/O operations on each file that meets
the data set criteria.
If the utility runs out of memory before it processes the files, it freezes and does not move on to the expected screen.
If you analyze a large data set (100,000+ files) or use recursive scanning to create the data set, increase the maximum
Java heap size.
To increase the Java heap size for the File Type Analyzer utility (GUI version)
1. Open a command line interface (Windows) or a console interface (Linux).
2. Launch the File Type Analyzer utility from the command line using the following command:
analyzer_gui.exe -Xmx1024m

3. The interface should launch with the Java heap size increased accordingly.
You should now be able to analyze or test a large or a recursive data set without error or significant delay.

Increasing the number of bytes that are analyzed


The maximum value for the number of bytes that the Symantec Data Loss Prevention File Analyzer utility allows for a data
set is 1024. Generally this value is sufficient to analyze custom file types since the signature bytes typically exist at the
beginning of the file.
To analyze more than the first 1024 bytes of data, modify the File Analyzer utility as follows.
Increasing the number of bytes that are analyzed
1. Using WinRAR, open the file C:\Program Files\File Analyzer\lib\filegenie.jar.
2. Within the filegenie.jar file, open the file create-dataset-form-context.xml.
3. In the first bean, locate the property element maxNumByteSize.
4. Change the value from "1024" to the desired number of bytes.
5. Save the XML file and update the JAR.
6. Run the File Analyzer and verify that the additional bytes are read and displayed in the user interface.

Detection Customization Tutorials


This section contains additional information and tutorials for detection customization.

• Workflow for detecting custom file types
• Tutorial 1: Detecting Java class files
• Tutorial 2: Detecting an encrypted ZIP file format
• Implementing custom script validators

Workflow for detecting custom file types


Symantec Data Loss Prevention detects more than 300 file types. However, if the type of file you want to detect is not
supported, you can detect it using a custom script. Use the Symantec Data Loss Prevention Scripting Language to write a
script that detects the binary signature of the particular file format you want to detect.
In addition, you can use the design-time Symantec Data Loss Prevention File Type Analyzer utility to determine the
unique bytes of the custom file type you want to detect.
To detect custom file types
1. Create a sample archive or directory containing several instances of the custom file or document type you want to
detect.
Create different samples of the document, with different features turned on and off, and based on different software
versions.
2. Use the Symantec Data Loss Prevention File Type Analyzer utility to read in the bytes of the data set.
Look for patterns among the file bytes to determine file type recognition characters (also known as "magic bytes").
Refine the sample and run more scans as necessary.
About the File Type Analyzer utility
3. Use the Symantec Data Loss Prevention Scripting Language to write a script that detects the custom file type. Use the
File Type Analyzer utility to test and refine your script.
Example scripts for custom file type detection
Testing the script solution
4. Enable the Custom File Type Signature detection rule so it appears in the Enforce Server policy builder interface.
5. Deploy an instance of the Custom File Type Signature condition in one or more detection rules or exceptions.
6. Author a policy that uses the detection rule or exception. Test and refine the policy as necessary.

Tutorial 1: Detecting Java class files


This tutorial provides instructions for using the File Type Analyzer utility to analyze a dataset and determine the magic
bytes. It also demonstrates how to use the scripting language to author and test a solution.
In this first tutorial you analyze and detect Java class files. This tutorial assumes that you use the Windows-based GUI
version of the File Type Analyzer utility.
1. Install the File Type Analyzer utility.
Installing the File Type Analyzer utility
2. Launch the File Type Analyzer utility.
Launching the File Type Analyzer utility
3. Prepare the data set for this example.
Copy several (15 or more) Java class files (*.class) to a directory on your file system. (For the purposes of this tutorial,
the directory that is used is C:\temp\JavaClassFiles.)

In addition, to ensure that your script matches only Java class files, add a few non-Java class files to the same
directory.
4. Add the data set directory to the File Type Analyzer utility.
In the File Type Analyzer utility, click Add Directory. Browse to and select the directory where you copied the files and
click Open.
5. In the File Name Filter field enter a regular expression to filter the files.
For example, the following regular expression screens all files in the selected directory: [\w\s]+.[\w]+
• (\w) Any alphanumeric character, digit, or underscore
• (\s) Any whitespace
• (+) One or more of the previous characters must match
• (.) Any single character, including itself
You may need to adjust this expression to find the files you want to analyze in the specified directory. For example, if a
file name contains a dash (-), adjust the expression as follows: [\w\s-]+.[\w]+
Creating the data set
6. In the Number of Bytes field, enter 1024.
The magic bytes of a file are almost always contained within the first 1024 bytes of a file. If you want to analyze more
than the first 1024 bytes of data, you must increase the number of bytes that the File Type Analyzer utility can read
and display.
Increasing the number of bytes that are analyzed
7. For the Chunk Size enter 1.
8. For the Parser Type choose BYTE.
9. If the files you want to screen are in nested directories, choose the Recursive Scan option.
NOTE
If you choose the Recursive Scan option, or you have a large data set, increase the Java heap size allocated
to the File Type Analyzer utility.
Increasing the Java heap size for large or recursive data sets
10. Click Analyze Dataset. The utility analyzes all files in the directory and displays the results. The utility organizes each
file by tabs according to its extension. In the All tab the utility displays all screened files. In the .class tab the utility
displays only the Java class files.
11. Click Analyze Table Data again. This time the utility highlights the bytes within each file that match across all files.
As you can see, for Java class files there are several bytes in common, including the first four (0 through 3): CA FE
BA BE. These bytes are the magic bytes for Java class files.
In the drop-down menu at the bottom you can change how the utility analyzes table data. The default option is
COLUMN_MATCH, which generally provides the most accurate matching. If you switch to the other analysis mode, you
need to click Analyze Table Data again to see the matching bytes by row.
12. Now that you know what the magic bytes are for Java class files, you can author a script to detect this file type. You
can then test your script using the File Type Analyzer utility.
In the Solution field, enter the following script to detect Java class files:
$Int1 = getHexStringValue('CAFE');
$Int2 = getBinaryValueAt($data, 0x0, 2);
assertTrue($Int1 == $Int2);
$Int3 = getHexStringValue('BABE');
$Int4 = getBinaryValueAt($data, 0x2, 2);
assertTrue($Int3 == $Int4);

13. Click Test Solution. At the top of the interface you see the Matched Files. Only those files containing the CAFE
BABE magic bytes appear in the "Matched Files" section of the interface. Files that do not contain these magic bytes
appear in the Mismatched Files section at the lower-half of the interface.
• When you analyze the data set, the File Type Analyzer utility indicates that the first 2 bytes of a Java class file are
CA FE. So, in the first statement of the script you assign that value as a hexadecimal string to the variable $Int1.
• In the second statement of the script you get the first 2 bytes of each file and assign that value to the variable
$Int2. The "0x0, 2" portion of the statement tells the script engine to start at the first byte and get the first two.
• In the third statement you compare the values of the two variables and check for a match.
• The process is repeated for the third and the fourth bytes ("0x2, 2"), looking for a match on BA BE. Files that match
both evaluations are detectable by the script and appear in the "Matched Files" portion of the interface.
14. In the Note section enter a comment about the solution, such as "Custom script for detecting Java class
files."
15. In the File Type Analyzer interface, select File > Save. Give the file a name and save it to a local directory, such as C:
\temp\JavaClassFiles.fgi.
16. Close the File Type Analyzer interface and relaunch it. Choose File > Open then browse to and select the
JavaClassFiles.fgi file.
The data set parameters and script solution appear in the interface. From here you can reanalyze the data set and
refine your solution as necessary. Click Edit Dataset to add or remove directories containing files you want to analyze.
You can also right-click a row and remove an individual file from the data set.
17. Once you have debugged your solution, deploy your script to an instance of the Custom File Type Signature rule. You
can then author and deploy new policies that use this rule to detect the custom file type.
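The following Python example is added here and is not part of the Symantec documentation or of the File Type Analyzer utility. It reproduces in code what the tutorial does by hand in the utility: the File Name Filter, the COLUMN_MATCH comparison across a data set, and the CA FE BA BE check of the tutorial script. The data set is constructed inline (three Java 8 class-file prefixes and some decoys), so nothing is read from disk unless load_directory() is called. The is_java_class() refinement is an addition, not part of the tutorial: it also checks the major version field, because the same four magic bytes open Mach-O universal binaries.

```python
"""Added example, not code from the Symantec documentation or the File Type
Analyzer: a Python rendering of what Tutorial 1 does by hand, i.e. the File
Name Filter, the COLUMN_MATCH comparison across a data set, and the CAFE BABE
check from the tutorial script. The data set is constructed inline, so nothing
is read from disk unless load_directory() is called."""
import os
import re

NUMBER_OF_BYTES = 1024               # the tutorial's "Number of Bytes" setting
FILE_NAME_FILTER = r"[\w\s]+.[\w]+"  # the tutorial's File Name Filter


def filter_names(names, pattern=FILE_NAME_FILTER):
    """Keep the names the filter accepts. Full-string matching is assumed here;
    it reproduces the tutorial's note that a dash needs [\\w\\s-]."""
    return [n for n in names if re.fullmatch(pattern, n)]


def read_prefix(path, limit=NUMBER_OF_BYTES):
    """Read at most `limit` leading bytes of one file, as the analyzer does."""
    with open(path, "rb") as fh:
        return fh.read(limit)


def load_directory(directory, limit=NUMBER_OF_BYTES, pattern=FILE_NAME_FILTER):
    """{file name: leading bytes} for the regular files in one directory
    (non-recursive, like the analyzer without Recursive Scan)."""
    names = filter_names(sorted(os.listdir(directory)), pattern)
    return {n: read_prefix(os.path.join(directory, n), limit)
            for n in names if os.path.isfile(os.path.join(directory, n))}


def column_match(samples):
    """COLUMN_MATCH: the offsets at which every sample carries the same byte,
    returned as {offset: byte}. Offsets beyond the shortest sample are skipped."""
    samples = list(samples)
    if not samples:
        return {}
    width = min(len(s) for s in samples)
    return {i: samples[0][i] for i in range(width)
            if all(s[i] == samples[0][i] for s in samples)}


def matches_tutorial_script(data):
    """Equivalent of the tutorial script: bytes 0-1 == CA FE, bytes 2-3 == BA BE.
    Slicing (rather than indexing) keeps files shorter than 4 bytes from raising."""
    return data[0:2] == bytes.fromhex("CAFE") and data[2:4] == bytes.fromhex("BABE")


def is_java_class(data, min_major=45):
    """Added refinement, not part of the tutorial: CA FE BA BE is also the magic
    of Mach-O universal ("fat") binaries, whose bytes 4-7 hold a small
    architecture count. A class file carries minor (4-5) and major (6-7)
    version numbers, and the major version is 45 or higher since Java 1.0."""
    if len(data) < 8 or not matches_tutorial_script(data):
        return False
    return int.from_bytes(data[6:8], "big") >= min_major


def split_dataset(samples, predicate=is_java_class):
    """Mimic the Matched Files / Mismatched Files panes of the utility."""
    matched = sorted(n for n, d in samples.items() if predicate(d))
    mismatched = sorted(n for n in samples if n not in matched)
    return matched, mismatched


# Constructed data set: three Java 8 (major 0x34) class-file prefixes that differ
# from byte 9 on, plus decoys: a text file, a ZIP header, a 2-byte stub and a
# Mach-O fat header (two architectures) that shares the CAFEBABE magic.
DATASET = {
    "A.class": bytes.fromhex("CAFEBABE0000003400100700"),
    "B.class": bytes.fromhex("CAFEBABE0000003400220100"),
    "C.class": bytes.fromhex("CAFEBABE00000034001A0700"),
    "notes.txt": b"Hello, world!",
    "archive.zip": b"PK\x03\x04\x14\x00\x00\x00",
    "stub.bin": bytes.fromhex("CAFE"),
    "fat.bin": bytes.fromhex("CAFEBABE0000000200000007"),
}

if __name__ == "__main__":
    class_only = [d for n, d in DATASET.items() if n.endswith(".class")]
    common = column_match(class_only)  # what the .class tab shows after Analyze Table Data
    print("common offsets:", {k: f"{v:02X}" for k, v in common.items()})
    print("matched/mismatched:", split_dataset(DATASET))
```

Running column_match over the three class files alone reports offsets 0 through 8 and 11 as shared, which is why the tutorial looks at the .class tab rather than the All tab: mixing in the decoys leaves no shared column at all. The stub and the Mach-O header show the two failure modes worth testing for in any magic-byte script: input shorter than the signature, and a different format that reuses the same signature.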

Tutorial 2: Detecting an encrypted ZIP file format


This tutorial demonstrates how to write a custom script to detect password protected (encrypted) ZIP files. While a
Symantec Data Loss Prevention detection server can detect encrypted ZIP files, an endpoint agent cannot. The solution
that is provided here lets you work around this issue.
NOTE
This script detects if a ZIP file is encrypted by checking if the encryption bit is enabled on the first file entry.
Because ZIP files can only be encrypted on a per-file basis, this script only works if all files or the first file in the
ZIP archive are encrypted.
This tutorial assumes that you completed the first tutorial.
To detect an encrypted ZIP file format
1. Create several (15 or more) password-protected ZIP files and put them in a directory such as c:\temp\files\ZIP.
2. Create a second set of ZIP files (5 or more) that are not encrypted so that you have both matched and mismatched
results.
Place these non-encrypted ZIP files in a second directory such as c:\temp\files\ZIP2.
3. Launch the File Type Analyzer utility (analyzer_gui.exe).
4. Add the c:\temp\files\ZIP directory as the data set.
Also add the c:\temp\files\ZIP2 directory to the data set.

5. Enter and select the required data set parameters:
• File Name Filter: [\w\s]+.[\w]+
• Number of Bytes: 1024
• Chunk Size: 1
• Parser Types: BYTE
6. Click Analyze Dataset.
7. With COLUMN_MATCH selected, click Analyze Table Data.
The utility highlights the byte matches across all files. Note the exact matches for the first 6 bytes of all files. Note also
that the seventh byte is 0 for the ZIP files that are not encrypted. The seventh byte is the encryption bit.
8. In the Solution field, enter the following script:
$pktag=ascii('PK');
$frecord=getHexStringValue('0304');
$pkbytes=getBinaryValueAt($data, 0x0, 2);
assertTrue($pktag == $pkbytes);
$recordbytes=getBinaryValueAt($data, 0x2, 2);
assertTrue($frecord == $recordbytes);
$cryptByte=getBinaryValueAt($data, 0x6, 1);
$encrypted=mod($cryptByte, 2);
assertTrue($encrypted == 1);

9. The solution should match only those ZIP files in the data set that are encrypted. The ZIP files that are not encrypted
should appear in the "Mismatched Files" pane.
• $pktag=ascii('PK');
The first statement assigns the "$pktag" variable the value "PK." If you switch the Parser Type to ASCII, you see
that the first 2 bytes of all ZIP files are "P" and "K".
• $frecord=getHexStringValue('0304');
The second statement assigns the "$frecord" variable the value of "0304", which are the third and fourth bytes of
the ZIP files. (Switch back to BYTE for the Parser Type to confirm this value.)
• $pkbytes=getBinaryValueAt($data, 0x0, 2);
The third statement gets the binary value of the first 2 bytes.
• assertTrue($pktag == $pkbytes);
The fourth statement compares the values of the "$pktag" and "$pkbytes" variables, looking for an exact match of
"P" and "K". If the values match, the assertTrue value is achieved.
• $recordbytes=getBinaryValueAt($data, 0x2, 2);
The fifth statement checks the binary value of the third and fourth bytes (start at the third byte and count 2). Here
the values (in BYTE mode) are "03" and "04".
• assertTrue($frecord == $recordbytes);
The sixth statement compares the values of the "$frecord" and the "$recordbytes" variables. If the returned value
("$recordbytes") matches the value assigned to the "$frecord" variable ("03" and "04"), the assertTrue value is
achieved.
• $cryptByte=getBinaryValueAt($data, 0x6, 1);
The seventh statement gets the binary value at the seventh byte (column 6).
• $encrypted=mod($cryptByte, 2);
The eighth statement divides the value of the seventh byte (as assigned to the "$cryptByte" variable) by "2." It then
assigns this remainder to the "$encrypted" variable.
• assertTrue($encrypted == 1);
The ninth statement checks the value of the "$encrypted" variable. If the value is zero (no remainder), then the ZIP
file is not encrypted. If there is a remainder then the ZIP file is encrypted.
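The following Python example is added here and is not code from the Symantec documentation. It renders the tutorial's encryption-bit check in Python and sets a whole-archive variant beside it, to show the first-entry limitation the NOTE above describes. The byte at offset 6 is the low byte of the ZIP general purpose bit flag, whose lowest bit marks an encrypted entry; that is why the script tests mod($cryptByte, 2). The sample archives are constructed in memory with build_zip(), which only sets the flag and leaves the member data in the clear, so they stand in for the c:\temp\files\ZIP data set rather than being real password-protected archives.

```python
"""Added example, not code from the Symantec documentation: the encryption-bit
check from Tutorial 2 rendered in Python, beside a whole-archive variant that
avoids the first-entry limitation noted above. Sample archives are constructed
in memory (flag set, data left in the clear), not real encrypted ZIPs."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = 0x04034B50    # little-endian "PK\x03\x04", the local file header
CENTRAL_SIG = 0x02014B50  # little-endian "PK\x01\x02", a central directory entry
EOCD_SIG = 0x06054B50     # little-endian "PK\x05\x06", end of central directory
ENCRYPTED_FLAG = 0x0001   # bit 0 of the general purpose bit flag


def first_entry_encrypted(data):
    """Equivalent of the tutorial script: 'PK', 03 04, then the byte at offset 6
    must be odd. Only the first local file header is inspected."""
    if len(data) < 8:
        return False
    return data[0:2] == b"PK" and data[2:4] == b"\x03\x04" and data[6] % 2 == 1


def any_entry_encrypted(data):
    """Generalisation via the central directory: an archive whose first member
    is plaintext but a later member is encrypted is still flagged."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & ENCRYPTED_FLAG for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def build_zip(entries):
    """Build a STORED archive from (name, payload, encrypted) triples. Only the
    flag is set; the payload stays in the clear, which is all the checks read."""
    local, central = bytearray(), bytearray()
    for name, payload, encrypted in entries:
        name_b = name.encode("ascii")
        flags = ENCRYPTED_FLAG if encrypted else 0
        crc = zlib.crc32(payload)
        offset = len(local)
        # local file header: sig, version needed, flags, method, time, date,
        # crc, compressed size, uncompressed size, name length, extra length
        local += struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, 0, 0, 0,
                             crc, len(payload), len(payload), len(name_b), 0)
        local += name_b + payload
        # central directory entry mirrors the same fields plus offsets/attributes
        central += struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, flags,
                               0, 0, 0, crc, len(payload), len(payload),
                               len(name_b), 0, 0, 0, 0, 0, offset)
        central += name_b
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


# Constructed sample archives standing in for the c:\temp\files\ZIP data set.
ARCHIVES = {
    "all_encrypted.zip": build_zip([("a.txt", b"alpha", True), ("b.txt", b"bravo", True)]),
    "mixed.zip": build_zip([("a.txt", b"alpha", False), ("b.txt", b"bravo", True)]),
    "plaintext.zip": build_zip([("a.txt", b"alpha", False), ("b.txt", b"bravo", False)]),
}


def classify(archives=ARCHIVES):
    """{name: (tutorial first-entry check, whole-archive check)}; the two values
    disagree exactly for the mixed archive the NOTE above warns about."""
    return {name: (first_entry_encrypted(blob), any_entry_encrypted(blob))
            for name, blob in archives.items()}


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name}: first entry={verdict[0]}, any entry={verdict[1]}")
```

The mixed archive is the case to keep in a test data set: the tutorial script places it in the Mismatched Files pane because its first local header carries a clear flag, while the central-directory walk reports it as containing encrypted content. Reading the first 1024 bytes is enough for the first-entry check, but the central directory sits at the end of the file, so the whole-archive variant needs the complete file.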

Implementing custom script validators


Data identifiers combine pattern matching with data validators to detect content. Validators are validation checks applied
to the data that is matched by a data identifier pattern. Validators help refine the scope of detection and reduce false
positives. Symantec Data Loss Prevention provides more than 35 validators to verify data patterns. In addition, you can
use the DLP Scripting Language to write your own custom script validators.
See Creating custom data identifiers for details on implementing custom data identifiers.

Introducing protocol monitoring for network


Symantec Data Loss Prevention provides the Protocol Monitoring condition which lets you detect network messages
based on the communications transport method.
Supported protocols for network monitoring lists the protocols that Data Loss Prevention supports for network detection.

Table 615: Supported protocols for network monitoring

Protocol / Description

Email/SMTP
    Simple Mail Transfer Protocol (SMTP) is a protocol for sending email messages between servers.
FTP
    The file transfer protocol (FTP) is used on the Internet for transferring files from one computer to another.
HTTP
    The hypertext transfer protocol (HTTP) is the underlying protocol that supports the World Wide Web. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.
HTTP/SSL
    Hypertext transfer protocol over Secure Sockets Layer (HTTPS) is a protocol for sending data securely between a client and server.
NNTP
    Network News Transport Protocol (NNTP), which is used to send, distribute, and retrieve USENET messages.
TCP:custom_protocol
    The Transmission Control Protocol (TCP) is used to reliably exchange data between computers across the Internet. This option is only available if you have defined a custom TCP port.

Configuring the Protocol Monitoring condition for network detection

Configuring the Protocol Monitoring condition for network detection


You use the Protocol Monitoring condition to detect network incidents. You can implement an instance of the Protocol
Monitoring condition in one or more policy detection rules and exceptions.

Table 616: Protocol Monitoring condition parameters for Network

Action / Description

Add or modify the Protocol or Endpoint Monitoring condition.
    Add a new Protocol or Endpoint Monitoring condition to a policy rule or exception, or modify an existing rule or exception condition.
    Configuring policies
    Configuring Policy Rules
    Configuring policy exceptions
Select one or more protocols to match.
    To detect Network incidents, select one or more Protocols:
    • Email/SMTP
    • FTP
    • HTTP
    • HTTPS/SSL
    • NNTP
Configure a custom network protocol.
    Select one or more custom protocols: TCP:custom_protocol.
Configure endpoint monitoring.
    Configuring the Endpoint Monitoring condition
Match on the entire message.
    The Protocol Monitoring condition matches on the entire message, not individual message components.
    The Envelope option is selected by default. You cannot select individual message components.
    Detection Messages and Message Components
Also match one or more conditions.
    Select this option to create a rule. All conditions must match to trigger or except an incident. You can Add any condition available from the list.
    Configuring compound rules

Best practices for using network protocol matching


This section provides best practices for using the Protocol Monitoring condition to match network traffic by protocol.

Use separate policies for specific protocols


You can use protocol matching detection to detect network traffic, such as Web mail, social networking, and specific
protocols. For protocol monitoring, consider implementing different policies for each type of protocol, such as SMTP, TCP,
HTTP, FTP, etc. Creating separate policies for specific protocols may ease remediation and help you tune the policies.

Consider detection server network placement to support IP address matching


You can detect senders/users and recipients based on one or more IP addresses. However, to do so you must carefully
consider the placement of the detection server on your network.
If the detection server is installed between the Web proxy and the Internet, the IP address of all Web traffic from
individuals in your organization appears to come from the Web proxy. If the detection server is installed between the Web
proxy and the internal corporate network, the IP address of all Web traffic from outside your organization appears to go to
the Web proxy.
The best practice is to match on domain names instead of IP addresses.

Introducing endpoint event detection


Endpoint detection matches events on endpoints where the Symantec DLP Agent is installed.

See About Endpoint Prevent monitoring.
Symantec Data Loss Prevention provides several methods for detecting and excepting endpoint events, and a collection
of response rules for responding to them.
See Response rule actions for endpoint detection.

About endpoint protocol monitoring


On the endpoint you can detect data loss based on the transport protocol, such as email (SMTP), Web (HTTP), and file
transfer (FTP).
Configuring the Endpoint Monitoring condition

Table 617: Supported protocols for endpoint monitoring

Protocol / Description

Email/SMTP
    Simple Mail Transfer Protocol (SMTP) is a protocol for sending email messages between servers.
FTP
    The file transfer protocol (FTP) is used on the Internet for transferring files from one computer to another.
HTTP
    The hypertext transfer protocol (HTTP) is the underlying protocol that supports the World Wide Web. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.
HTTP/SSL
    Hypertext transfer protocol over Secure Sockets Layer (HTTPS) is a protocol for sending data securely between a client and server.

About endpoint destination monitoring


You can also detect endpoint data loss on the destination where data is copied or moved, such as CD/DVD drive, USB
device, or the clipboard.
Configuring the Endpoint Monitoring condition

Table 618: Supported destinations for endpoint monitoring

Destination / Description

Local Drive
    Monitor the local disk.
CD/DVD
    The CD/DVD burner on the endpoint computer. This destination can be any type of third-party CD/DVD burning software.
Removable Storage Device
    Detect data that is transferred to any eSATA, FireWire, or USB connected storage device.
Copy to Network Share
    Detect data that is transferred to any network share or remote file access.
Printer/Fax
    Detect data that is transferred to a printer or to a fax that is connected to the endpoint computer. This destination can also be print-to-file documents.
Clipboard
    The Windows Clipboard used to copy and paste data between Windows applications.

About endpoint global application monitoring


The DLP Agent monitors applications when they access sensitive files. The DLP Agent monitors any third-party
application you add and configure at the System > Agents > Global Application Monitoring screen.
You can create exceptions for allowable use scenarios.

Configuring the Endpoint Monitoring condition

About endpoint location detection
You can detect or except events based on the location of the endpoint.
Using the Endpoint Location detection method, you can choose to detect incidents only when the endpoint is on or off the
network.
For example, you might configure this condition to match only when users are off the corporate network because you have
other rules in place for detecting network incidents. In this case implementing the Endpoint Location detection method
would achieve this result.
Configuring the Endpoint Location condition

About endpoint device detection


Symantec Data Loss Prevention lets you detect or except specific endpoint devices based on described device metadata.
You can configure a condition to allow endpoint users to copy files to a specific device class, such as USB drives from a
single manufacturer.
Manage and add endpoint devices
For example, a policy author has a set of USB flash drives with serial numbers that range from 001-010. These are the
only flash drives that should be allowed to access the company’s endpoints. The policy administrator adds the serial
number metadata into an exception of a policy so that the policy applies to all USB flash drives except for the drives with
the serial number that falls into the 001-010 metadata. In this fashion the device metadata allows for only “trusted devices”
to be allowed to carry company data.
Creating and modifying endpoint device configurations
The Endpoint Device Class or ID condition detects specific removable storage devices based on their definitions. Endpoint
Destination parameters in the Endpoint Monitoring condition detect any removable storage device on the endpoint.
Configuring the Endpoint Device Class or ID condition

Configuring endpoint event detection conditions


Detecting endpoint events describes the various methods for implementing endpoint event monitoring.

Table 619: Detecting endpoint events

Endpoint match conditions / Details

Endpoint Protocol Monitoring
    Detect endpoint data based on the protocol.
    About endpoint protocol monitoring
    Configuring the Endpoint Monitoring condition
Endpoint Destination Monitoring
    Detect endpoint data based on the destination.
    About endpoint protocol monitoring
    Configuring the Endpoint Monitoring condition
Endpoint Application Monitoring
    Detect endpoint data based on the application.
    About endpoint protocol monitoring
    Configuring the Endpoint Monitoring condition
Endpoint Device or Class ID
    Detect when users move endpoint data to a specific device.
    About endpoint device detection
    Configuring the Endpoint Device Class or ID condition
Endpoint Location
    Detect when the endpoint is on or off the corporate network.
    About endpoint location detection
    Configuring the Endpoint Location condition

Configuring the Endpoint Monitoring condition


The Endpoint Monitoring condition matches on endpoint message protocols, destinations, and applications.
You can implement an instance of the Endpoint Monitoring condition in one or more policy detection rules and exceptions.
NOTE
This topic does not address network protocol monitoring configuration.
Configuring the Protocol Monitoring condition for network detection

Table 620: Configure the Endpoint Monitoring condition

Action / Description

Add or modify the Endpoint Monitoring condition.
    Add a new Protocol or Endpoint Monitoring condition to a policy rule or exception, or modify an existing rule or exception condition.
    Configuring Policy Rules
    Configuring policy exceptions
    Configuring policies
Select one or more endpoint protocols to match.
    To detect Endpoint incidents, select one or more Endpoint Protocols:
    • Email/SMTP
    • HTTP
    • HTTPS/SSL
    • FTP
    About endpoint protocol monitoring
Select one or more endpoint destinations.
    To detect when users move data on the endpoint, select one or more Endpoint Destinations:
    • Local Drive
    • CD/DVD
    • Removable Storage Device
    • Copy to Network Share
    • Printer/Fax
    • Clipboard
    About endpoint protocol monitoring
Monitor endpoint applications.
    To detect when endpoint applications access files, select the Application File Access option.
Match on the entire message.
    The DLP Agent evaluates the entire message, not individual message components.
    The Envelope option is selected by default. You cannot select the other message components.
    Detection Messages and Message Components
Also match one or more conditions.
    Select this option to create a rule. All conditions must match to trigger or except an incident. You can Add any condition available from the list.
    Configuring compound rules

Configuring the Endpoint Location condition


The Endpoint Location condition matches endpoint events based on the location of the endpoint computer where the DLP
Agent is installed.

You can implement an instance of the Endpoint Location condition in one or more policy detection rules and exceptions.
Configuring policies

Table 621: Configure the Endpoint Location detection condition

Action / Description

Add or modify the Endpoint Location condition.
    Add a new Endpoint Location detection condition to a policy rule or exception, or modify an existing policy rule or exception.
    Configuring Policy Rules
    Configuring policy exceptions
Select the location to monitor.
    Select one of the following endpoint locations to monitor:
    • Off the corporate network
      Select this option to detect or except events when the endpoint computer is off of the corporate network.
    • On the corporate network
      Select this option to detect or except events when the endpoint computer is on the corporate network.
      This option is the default selection.
    About endpoint location detection
Match on the entire message.
    The DLP Agent evaluates the entire message, not individual message components.
    The Envelope option is selected by default. The other message components are not selectable.
    Detection Messages and Message Components
Also match one or more conditions.
    Select this option to create a rule. All conditions must match to trigger or except an incident. You can Add any condition available from the list.
    Configuring compound rules

About endpoint location detection


Configuring the Endpoint Location condition

Configuring the Endpoint Device Class or ID condition


The Endpoint Device Class or ID condition lets you detect when users move endpoint data to specific devices.
You can implement the Endpoint Device Class or ID condition in one or more policy detection rules or exceptions.
Configuring policies

Table 622: Configuring the Endpoint Device Class or ID condition

Action / Description

Add or modify an Endpoint Device condition.
    Add a new Endpoint Device Class or ID condition to a policy rule or exception, or modify an existing one.
    Configuring Policy Rules
    Configuring policy exceptions
Select one or more devices.
    The condition matches when users move data from an endpoint computer to the selected device(s).
    Click Create an endpoint device to define one or more devices.
    Creating and modifying endpoint device configurations
Match on the entire message.
    The DLP Agent matches on the entire message, not individual message components.
    The Envelope option is selected by default. You cannot select other components.
    Detection Messages and Message Components
Also match one or more conditions.
    Select this option to create a rule. All conditions must match to trigger or except an incident. You can Add any condition available from the drop-down menu.
    Configuring compound rules

About endpoint device detection


Manage and add endpoint devices

Gathering endpoint device IDs for removable devices


You add device metadata information to the Enforce Server and create one or more policy detection methods that detect
or except the specific device instance or class of device. The system supports the regular expression syntax for defining
the metadata. The system displays the device metadata at the Incident Snapshot screen during remediation.
Creating and modifying endpoint device configurations
The metadata the system requires to define the device instance or device class is the Device Instance ID. On Windows
you can obtain the "Device Instance Id" from the Device Manager.
In addition, Symantec Data Loss Prevention provides DeviceID.exe for devices attached to Windows endpoints and
DeviceID for devices attached to Mac endpoints. You can use these utilities to extract Device Instance ID strings and
device regex information. These utilities also report what devices the system can recognize for detection. These utilities
are available with the Enforce Server installation files.

NOTE
The Device Instance ID is also used by Symantec Endpoint Protection.
To obtain the Device Instance ID (on Windows)
1. Right-click My Computer.
2. Select Manage.
3. Select the Device Manager.
4. Click the plus sign beside any device to expand its list of device instances.
5. Double-click the device instance. Or, right-click the device instance and select Properties.
6. Look in the Details tab for the Device Instance Id.
7. Use the ID to create device metadata expressions.
Creating and modifying endpoint device configurations

About endpoint device detection


Manage and add endpoint devices

Creating and modifying endpoint device configurations


You can configure one or more devices for specific endpoint detection. Once the device expressions are configured, you
implement the Endpoint Device Class or ID condition in one or more policy rules or exceptions to deny or allow the use of
the specific devices.
You might deny or allow the use of devices if endpoint users must copy sensitive information to company-provided USB
drives or SD cards.
Gathering endpoint device IDs for removable devices

NOTE
You can use the DeviceID utility for Windows and Mac endpoints to generate removable storage device
information.
To create and modify endpoint device ID expressions
1. Go to the System > Agent > Endpoint Devices screen.
2. Click Add Device.
3. Enter the Device Name.
4. Enter a Device Description.
5. Enter the Device Definition expression.
The device definition must conform to the regular expression syntax.
Example Windows endpoint regular device expressions
About writing regular expressions
6. Click Save to save the device configuration.
7. Implement the Endpoint Device Class or ID condition in a detection rule or exception.
Configuring the Endpoint Device Class or ID condition

Table 623: Example Windows endpoint regular device expressions

Example device class Expression example

Generic USB Device USBSTOR\\DISK&VEN_SANDISK&PROD_ULTRA_BACKUP&REV_8\.32\\3485731392112B52
iPod generic USBSTOR\\DISK&VEN_APPLE&PROD_IPOD&.*
Lexar generic USBSTOR\\DISK&VEN_LEXAR.*
CD Drive IDE\\DISKST9160412ASG__________________0002SDM1\\4&F4ACADA&0&0\.0\.0
Hard drive USBSTOR\\DISK&VEN_MAXTOR&PROD_ONETOUCH_II&REV_023D\\B60899082H____&0
Blackberry generic USBSTOR\\DISK&VEN_RIM&PROD_BLACKBERRY...&REV.*
Cell phone USBSTOR\\DISK&VEN_PALM&PROD_PRE&REV_000\\FBB4B8FF4CAEFEC11 24DED689&0

Table 624: Example Mac endpoint regex information

Example device class Regex information example

SanDisk USB SanDisk&Cruzer Blade&20051535820CF1302C2E
SD Card SDC&346128262
External hard drive External&RAID&0000000000702293
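The following Python example is added here and is not from the Symantec documentation. It checks Windows Device Instance IDs against device-definition expressions of the kind listed in Table 623 (three of the table's expressions are copied in verbatim), and builds the "trusted serial range" exception described under About endpoint device detection. The vendor name ACME, the CORPKEY product, the serial numbers and all Device Instance IDs are constructed. How the product anchors its expressions is not stated on the page; this code assumes a match anchored at the start of the ID, and that assumption is marked in the code.

```python
"""Added example, not from the Symantec documentation: checking Windows Device
Instance IDs against device-definition regular expressions like those in
Table 623, and building the 'serial numbers 001-010' exception described under
About endpoint device detection. Vendor, product, serials and IDs are constructed.
Matching is assumed to be anchored at the start of the ID only (assumption)."""
import re

# Three expressions copied from Table 623. Python raw strings keep the
# doubled backslashes and the escaped dot exactly as the table shows them.
TABLE_623 = {
    "Generic USB Device": r"USBSTOR\\DISK&VEN_SANDISK&PROD_ULTRA_BACKUP&REV_8\.32\\3485731392112B52",
    "iPod generic": r"USBSTOR\\DISK&VEN_APPLE&PROD_IPOD&.*",
    "Lexar generic": r"USBSTOR\\DISK&VEN_LEXAR.*",
}

# Constructed Device Instance IDs, written the way Device Manager displays them
# (single backslashes, trailing "&0" instance suffix).
DEVICES = {
    "sandisk": r"USBSTOR\DISK&VEN_SANDISK&PROD_ULTRA_BACKUP&REV_8.32\3485731392112B52&0",
    "lexar": r"USBSTOR\DISK&VEN_LEXAR&PROD_JUMPDRIVE&REV_1100\AA04012700007915&0",
    "corp-005": r"USBSTOR\DISK&VEN_ACME&PROD_CORPKEY&REV_1.00\SN005&0",
    "corp-011": r"USBSTOR\DISK&VEN_ACME&PROD_CORPKEY&REV_1.00\SN011&0",
}


def device_matches(instance_id, expression):
    """True when the expression matches from the start of the Device Instance ID
    (start-anchored matching is an assumption about the product's semantics)."""
    return re.match(expression, instance_id) is not None


def matching_classes(instance_id, definitions=TABLE_623):
    """Names of every device definition that matches the ID (an ID can hit several)."""
    return sorted(name for name, expr in definitions.items()
                  if device_matches(instance_id, expr))


def naive_expression(instance_id):
    """What you get by only doubling the backslashes of a literal ID: the '.'
    in the revision stays a regex wildcard, so the expression over-matches."""
    return instance_id.replace("\\", r"\\")


def expression_from_instance_id(instance_id):
    """Escape every regex metacharacter so the expression matches the literal ID,
    which is what Table 623 does by hand with \\\\ and \\. sequences."""
    return re.escape(instance_id)


def trusted_serial_expression(device_prefix, serial_pattern):
    """Expression for the 'serial numbers 001-010' exception from the text: a
    literal (escaped) device prefix, a backslash, a sub-pattern for the serial,
    and the "&0" suffix."""
    return re.escape(device_prefix) + r"\\" + serial_pattern + r"&0"


# Corporate keys whose serials SN001..SN010 are the only trusted removable drives.
TRUSTED_CORP_KEYS = trusted_serial_expression(
    r"USBSTOR\DISK&VEN_ACME&PROD_CORPKEY&REV_1.00", r"SN(00[1-9]|010)")


def is_trusted(instance_id, expression=TRUSTED_CORP_KEYS):
    """The policy exception: trusted devices are excepted, everything else is detected."""
    return device_matches(instance_id, expression)


if __name__ == "__main__":
    for label, device_id in DEVICES.items():
        print(f"{label}: classes={matching_classes(device_id)} trusted={is_trusted(device_id)}")
```

The naive_expression() and expression_from_instance_id() pair shows why the table escapes the dot in REV_8\.32: an unescaped dot matches any character, so an expression built by pasting a Device Instance ID and doubling the backslashes also accepts an ID with a different revision string. Building the expression with re.escape() and then substituting only the serial sub-pattern keeps an allow-list exception as narrow as the text describes.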

About endpoint device detection


Manage and add endpoint devices

Best practices for using endpoint detection


When implementing endpoint match conditions, keep in mind the following considerations:

• Any detection method that executes on the endpoint matches on the entire message, not individual message
components.
Detection Messages and Message Components
• The Endpoint Destination and Endpoint Location methods are specific to the endpoint computer and are not user-
based.
Distinguish synchronized DGM from other types of endpoint detection
• You might often combine group and detection methods on the endpoint. Keep in mind that the policy language ANDs
detection and group methods, whereas methods of the same type, two rules for example, are ORed.
Policy detection execution

Introducing described identity matching


Described identity detection matches patterns in messages from email senders and recipients, Windows users, IM users,
URL domains, and IP addresses.
Configuring described identity matching policy conditions
Configuring the Sender/User Matches Pattern condition
Configuring the Recipient Matches Pattern condition

Described identity matching examples


Pattern identity matching examples lists and describes some described identity matching examples.

Table 625: Pattern identity matching examples

Example pattern / Matches / Does not match

fr, cu
    Matches: All SMTP email that is addressed to .fr (France) or .cu (Cuba) addresses. Any HTTP post to a .fr address through a Web-based mail application, such as Yahoo mail.
    Does not match: Any email that is addressed to a French company with the .com extension instead of .fr.
company.com
    Matches: All SMTP email that is addressed to the specific domain URL, such as symantec.com.
    Does not match: Any SMTP email that is not addressed to the specific domain URL.
3rdlevel.company.com
    Matches: All SMTP email that is addressed to the specific 3rd level domain, such as dlp.symantec.com.
    Does not match: Any SMTP email that is not addressed to the specific 3rd level domain.
bob@company.com
    Matches: All SMTP email that is addressed to bob@company.com. All SMTP email that is addressed to BOB@COMPANY.COM (the pattern is not case-sensitive).
    Does not match: Any email not specifically addressed to bob@company.com, such as:
    • sally@company.com
    • robert.bob@company.com
    • bob@3rdlevel.company.com
192.168.0.*
    Matches: All email, Web, or URL traffic specifically addressed to 192.168.0.[0-255]. This result assumes that the IP address maps to the desired domain, such as web.company.com.
    Does not match: Note: If the IP address does not match, use one or more domain URLs instead.
*/local/dom1/dom/dom2/Sym
*/Sym*
*/dlp/qa/test/local/Sym*
    These are Lotus Notes example email addresses.

Configuring described identity matching policy conditions


Implementing described identity matching lists and describes the two conditions that Symantec Data Loss Prevention
provides for matching described identities.
Described identity matching examples

Table 626: Implementing described identity matching

Match condition: Sender/User Matches Pattern
Description: Matches on an email address, domain address, IP address, Windows user name, or IM screen name/handle.
Configuring the Sender/User Matches Pattern condition

Match condition: Recipient Matches Pattern
Description: Matches on an email address, domain address, IP address, or newsgroup.
Configuring the Recipient Matches Pattern condition

About Reusable Sender/Recipient Patterns


You can create Reusable Sender/User and Recipient Patterns for use in your policies. Reusable Sender/Recipient
Patterns make policy creation and management easier for policies using such patterns. For details about creating and
using Reusable Sender/Recipient Patterns, refer to the following topics.
Configuring a Reusable Sender Pattern
Configuring a Reusable Recipient Pattern

Configuring the Sender/User Matches Pattern condition


The Sender/User Matches Pattern condition matches described user and message sender identities. You can use this
condition in a policy detection rule or exception.
Introducing described identity matching
Best practices for using described identity matching
Configuring the Sender/User Matches Pattern condition describes the process for configuring the Sender/User Matches
Pattern condition.

Table 627: Configuring the Sender/User Matches Pattern condition

Action: Enter one or more Patterns to match one or more message senders. The Pattern field allows unlimited data (only limited by the browser).
Description:
Sender Email Address Pattern:
• To match a specific email address, enter the full email address:
  sales@symantec.com
• To match multiple exact email addresses, enter a comma-separated list:
  john.smith@company.com, johnsmith@company.com, jsmith@company.com
• To match partial email addresses, use a wildcard (*) to substitute for the user name when using domains or subdomains:
  *@acme.com
  *@nl.acme.com
  *@subb.acme.com,*@subc.acme.com
  Using a wildcard to substitute for a subdomain does not work. Thus, @*.ap.acme.com would not be valid for cloud or on-premises detection.
• To match partial email addresses, enter one or more domain patterns:
  – Enter one or more top-level domain extensions, for example:
    .fr, .cu, .in, .jp
  – Enter one or more domain names, for example:
    company.com, symantec.com
  – Enter one or more third-level (or lower) domain names:
    web.company.com, mail.yahoo.com, smtp.gmail.com, dlp.security.symantec.com
Windows User Names
Enter the names of one or more Windows users, for example:
  john.smith, jsmith
IM Screen Name
Enter one or more IM screen names that are used in instant messaging systems, for example:
  john_smith, jsmith
IP Address
Enter one or more IP addresses that map to the domain you want to match, for example:
• Exact IP address match, for example:
  192.168.1.1 or for IPv6 fdda:c450:e808:3020:abcd:abcd:0000:5000
• Wildcard match – The asterisk (*) character can substitute for one or more fields, for example:
  192.168.1.* or 192.*.168.* or for IPv6 fdda:c450:e808:3:*:*:*:*
  For IPv6, use only long format addresses.

Action: Select a Reusable Sender Pattern
Description: You can select a Sender Pattern that you have saved for reuse in your policies. Select Reusable Sender Pattern, then choose the pattern you want from the dropdown list.

Action: Match on the entire message.
Description: This condition matches on the entire message. The Envelope option is selected by default. You cannot select any other message component.
Detection Messages and Message Components

Action: Also match more conditions.
Description: Select this option to create a rule. All conditions must match to trigger an incident. You can Add any available condition from the list.
Configuring compound rules

Configuring a Reusable Sender Pattern


If you want to use a Sender Pattern in multiple policies, configure a Reusable Sender Pattern. Reusable Sender Patterns
can be selected for use in your policies from the Configure Policy - Edit Rule page. You can create, edit, and manage
your Reusable Sender Patterns from the Sender/Recipient Patterns page. For example, if you use a Sender Pattern in
50 policies, using a Reusable Sender Pattern lets you enter the Sender Pattern a single time, then select it for each policy.
In addition, if you need to update the Sender Pattern for those 50 policies, you can edit it from the Configure Reusable
Sender Pattern page and your changes will be applied automatically to each policy using that pattern.
To configure a Reusable Sender Pattern
1. Take one of the following actions:
• If you are configuring a policy with a Sender/User Matches Pattern rule, from the Manage > Policies > Policy
List > Configure Policy - Edit Rule page, click Create Reusable Sender Pattern.
• In the Enforce Server administration console, navigate to Manage > Policies > Sender/Recipient Patterns, then
click Add > Sender Pattern.
2. In the General section on the Configure Reusable Sender Pattern page, enter a Name and Description for your
Reusable Sender Pattern.
3. In the Sender Pattern section, enter the User Patterns and IP Addresses as described in the "Configuring the
Sender/User Matches Pattern condition table".
Configuring the Sender/User Matches Pattern condition
4. Click Save.
5. To edit a saved Reusable Sender Pattern, on the Manage > Policies > Sender/Recipient Patterns page, click the
dropdown arrow next to the name of the pattern you want to edit, then select Edit.
6. To delete a saved Reusable Sender Pattern, on the Manage > Policies > Sender/Recipient Patterns page, click the
dropdown arrow next to the name of the pattern you want to delete, then select Delete.
NOTE
You cannot delete a Reusable Sender Pattern that is currently in use in any policy.

Configuring the Recipient Matches Pattern condition


The Recipient Matches Pattern condition matches the described identity of message recipients. You can use this
condition in a policy detection rule or exception.
Introducing described identity matching
Define precise identity patterns to match users
Configuring the Recipient Matches Pattern condition defines the process for configuring the Recipient Matches Pattern
condition.

Table 628: Recipient Matches Pattern condition parameters

Action: Enter one or more Patterns to match one or more message recipients. Separate multiple entries with commas.
Note: The Pattern field allows unlimited data (only limited by the browser).
Description:
Recipient Email Address/Newsgroup Pattern
Enter one or more email or newsgroup addresses to match the desired recipients.
To match specific email addresses, enter the full address, such as sales@symantec.com.
To match email addresses from a specific domain, enter the domain name only, such as symantec.com.
IP Address
Enter one or more IP address patterns that resolve to the domain that you want to match. You can use the asterisk (*) wildcard character for one or more fields. You can enter both IPv4 and IPv6 addresses separated by commas.
URL Domain
Enter one or more URL Domains to match Web-based traffic, including Web-based email and postings to a Web site. For example, if you want to prohibit the receipt of certain types of data using Hotmail, enter hotmail.com.

Action: Select a Reusable Recipient Pattern
Description: You can select a Recipient Pattern that you have saved for reuse in your policies. Select Reusable Recipient Pattern, then choose the pattern you want from the dropdown list.

Action: Configure match counting.
Description: Select one of the following options to specify the number of email recipients that must match:
• All recipients must match (Email Only) does not count a match unless ALL email message recipients match the specified pattern.
• At least _ recipients must match (Email Only) lets you specify the minimum number of email message recipients that must match to be counted.
Select one of the following options to specify how you want to count the matches:
• Check for existence
  Reports a match count of 1 if there are one or more matches.
• Count all matches
  Reports the sum of all matches.
Configuring Match Counting

Action: Match on the entire message.
Description: This condition matches on the entire message. The Envelope option is selected by default. You cannot select any other message component.
Detection Messages and Message Components

Action: Also match more conditions.
Description: Select this option to create a rule. All conditions in a rule or exception must match to trigger an incident. You can Add any available condition from the list.
Configuring compound rules

Configuring a Reusable Recipient Pattern


If you want to use a Recipient Pattern in multiple policies, configure a Reusable Recipient Pattern. Reusable Recipient
Patterns can be selected for use in your policies from the Configure Policy - Edit Rule page. You can create, edit,
and manage your Reusable Recipient Patterns from the Sender/Recipient Patterns page. For example, if you use a
Recipient Pattern in 50 policies, using a Reusable Recipient Pattern lets you enter the Recipient Pattern a single time,
then select it for each policy. In addition, if you need to update the Recipient Pattern for those 50 policies, you can edit
it from the Configure Reusable Recipient Pattern page and your changes will be applied automatically to each policy
using that pattern.
To configure a Reusable Recipient Pattern
1. Take one of the following actions:
• If you are configuring a policy with a Recipient Matches Pattern rule, from the Manage > Policies > Policy List >
Configure Policy - Edit Rule page, click Create Reusable Recipient Pattern.
• In the Enforce Server administration console, navigate to Manage > Policies > Sender/Recipient Patterns, then
click Add > Recipient Pattern.
2. In the General section on the Configure Reusable Recipient Pattern page, enter a Name and Description for your
Reusable Recipient Pattern.
3. In the Recipient Pattern section, enter the Email Addresses, IP Addresses, and URL Domains as described in the
"Recipient Matches Pattern condition table".
Recipient Matches Pattern condition parameters

4. Click Save.
5. To edit a saved Reusable Recipient Pattern, on the Manage > Policies > Sender/Recipient Patterns page, click the
dropdown arrow next to the name of the pattern you want to edit, then select Edit.
6. To delete a saved Reusable Recipient Pattern, on the Manage > Policies > Sender/Recipient Patterns page, click
the dropdown arrow next to the name of the pattern you want to delete, then select Delete.
NOTE
You cannot delete a Reusable Recipient Pattern that is currently in use in any policy.

Best practices for using described identity matching


This section provides considerations for implementing the Sender/User or Recipient Matches Pattern conditions in policy
detection rules or exceptions. Keep in mind these considerations when you implement these conditions.

Define precise identity patterns to match users


Both the Sender/User and Recipient conditions match on the entire message, not individual message components. If
either condition is used as an exception, a match excludes the entire message, not only the header.
Policy detection execution
For both described identity matching rules, the system implies an OR between all comma-separated list items and
between all fields. For example, if any single email address among a list of email addresses matches, the condition
reports (or excepts) an incident. Or, if either an email address, a domain name, or an IP address matches, the condition
reports (or excepts) an incident.
Detection Messages and Message Components
Patterns for identity matching describes the types of patterns you can use for described identity matching.

Table 629: Patterns for identity matching

Pattern                                    Sender/User Matches Pattern   Recipient Matches Pattern
Email address: full and partial            matches                       matches
Domain address: top-level and subdomains   matches                       matches
IP address                                 matches                       matches
Windows user name                          matches                       does not match
IM screen name / handle                    matches                       does not match
Newsgroup patterns                         does not match                matches

Specify email addresses exactly to improve accuracy


An email address must match exactly. For example, bob@company.com does not match bob@something.company.com.
But, a domain name pattern such as company.com or something.company.com matches bob@something.company.com.
The email address field does not match the sender or recipient of a Web post. For example, the email address
bob@yahoo.com does not match if Bob uses a Web browser to send or receive email. In this case, you must use the
domain pattern mail.yahoo.com to match bob@yahoo.com.

Match domains instead of IP addresses to improve accuracy
The URL Domain pattern matches HTTP traffic to particular URL domains. You do not enter the entire URL. For example,
you enter mail.yahoo.com not http://www.mail.yahoo.com.
The system does not resolve URL domains to IP addresses. For example, you specify an IP address of 192.168.1.1
for a specific domain. If users access the domain URL using a Web browser, the system does not match emails that are
transmitted by the IP address. In this case, use a domain pattern instead of an IP address, such as internalmemos.com.
You can detect senders/users and recipients based on one or more IP addresses. However, to do so you must carefully
consider the placement of the detection server on your network. If the detection server is installed between the Web proxy
and the Internet, the IP address of all Web traffic from individuals in your organization appears to come from the Web
proxy. If the detection server is installed between the Web proxy and the internal corporate network, the IP address of
all Web traffic from outside your organization appears to go to the Web proxy. The best practice is to match on domain
names instead of IP addresses.
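The pattern semantics documented for the Sender/User Matches Pattern and Recipient Matches Pattern conditions (Tables 625, 627 and 628, and the OR across list items and fields described above), modelled as a small matcher so a policy author can check a pattern list against sample sender and recipient values before deploying it. This is an added example, not Symantec's detection code; the function names (parse_patterns, email_matches, ip_matches, sender_condition_matches, recipient_match_count) are invented here, the sample values are constructed, and one reading the guide leaves open is an assumption marked in a comment: *@acme.com is taken to match the acme.com domain only, since the guide lists *@nl.acme.com separately for the subdomain.

```python
"""Matcher for the described-identity pattern semantics of the Sender/User Matches
Pattern and Recipient Matches Pattern conditions.  Added illustration only; not
Symantec code.  Function names are invented here."""
import ipaddress


def parse_patterns(text: str) -> list:
    """Split a Pattern field value such as '*@subb.acme.com,*@subc.acme.com'."""
    return [p.strip() for p in text.split(",") if p.strip()]


def email_matches(pattern: str, address: str) -> bool:
    """Email-address and domain patterns. Patterns are not case-sensitive."""
    p = pattern.lower()
    a = address.lower()
    a_domain = a.partition("@")[2]
    if "@" in p:
        local, _, domain = p.partition("@")
        if local == "*":
            # Assumption: *@acme.com matches the acme.com domain only; the guide
            # lists *@nl.acme.com separately for the subdomain.
            return a_domain == domain
        return a == p            # a full address must match exactly
    if p.startswith("."):        # top-level extension such as .fr or .cu
        return a_domain.endswith(p)
    # domain or third-level domain: company.com also matches x@something.company.com
    return a_domain == p or a_domain.endswith("." + p)


def ip_matches(pattern: str, address: str) -> bool:
    """IP patterns: '*' stands for one field; IPv6 patterns in long (8-group) form."""
    if ":" in pattern:
        sep, base, cls = ":", 16, ipaddress.IPv6Address
    else:
        sep, base, cls = ".", 10, ipaddress.IPv4Address
    try:
        fields = cls(address).exploded.split(sep)   # exploded = long form
    except ValueError:
        return False                                # not an address of that family
    pfields = pattern.split(sep)
    if len(pfields) != len(fields):
        return False
    for pf, af in zip(pfields, fields):
        if pf == "*":
            continue
        try:
            if int(pf, base) != int(af, base):
                return False
        except ValueError:
            return False
    return True


def pattern_matches(pattern: str, value: str) -> bool:
    """Dispatch on the pattern's shape: IP-looking patterns vs email/domain ones."""
    looks_like_ip = ":" in pattern or set(pattern) <= set("0123456789.*")
    return ip_matches(pattern, value) if looks_like_ip else email_matches(pattern, value)


def sender_condition_matches(patterns: list, sender_email: str, sender_ip: str = "") -> bool:
    """Sender/User Matches Pattern: an OR across every list item and every field."""
    values = [v for v in (sender_email, sender_ip) if v]
    return any(pattern_matches(p, v) for p in patterns for v in values)


def recipient_match_count(patterns: list, recipients: list, count_all: bool = True,
                          all_must_match: bool = False, min_required: int = 1) -> int:
    """Recipient Matches Pattern with its match-counting options.
    Returns the match count the condition would report (0 means no match)."""
    matched = [r for r in recipients if any(pattern_matches(p, r) for p in patterns)]
    if not matched:
        return 0
    if all_must_match and len(matched) != len(recipients):
        return 0                 # "All recipients must match (Email Only)"
    if len(matched) < min_required:
        return 0                 # "At least _ recipients must match (Email Only)"
    return len(matched) if count_all else 1   # "Count all matches" vs "Check for existence"


if __name__ == "__main__":
    # Constructed sample values, not real traffic.
    senders = parse_patterns(".fr, .cu, company.com, 192.168.0.*")
    print(sender_condition_matches(senders, "bob@other.com", "192.168.0.9"))   # True
    recips = ["a@partner.com", "b@partner.com", "c@corp.com"]
    print(recipient_match_count(["partner.com"], recips))                       # 2
    print(recipient_match_count(["partner.com"], recips, all_must_match=True))  # 0
```

The IP matcher normalises the address with ipaddress before comparing fields, which is why an IPv6 pattern written in long form (as the guide requires) still compares correctly against an address written in compressed form; the matcher does not resolve domains to addresses, consistent with the note above that the product does not either.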

Introducing Synchronized Directory Group Matching (DGM)


Symantec Data Loss Prevention provides synchronized Directory Group Matching (DGM) to detect data based on the
exact identities of users, senders, and recipients of that data.
Using synchronized DGM, you can connect the Enforce Server to a group directory server such as Microsoft Active
Directory. You can detect users based on their directory group affiliation. For example, you may want to apply policies
to staff only in the engineering department of your company, but not to staff in the human resources department.
Synchronized DGM enables you to apply policies at this level of detail.
Synchronized DGM is based on a User Group configuration that you populate with users synchronized from your
directory server. When you create a synchronized DGM policy, you reference the User Group in the policy. At runtime,
the synchronized DGM policy only applies to identities in the User Group referenced by the policy. Or, you can create
a policy that applies to everyone in your organization except the CEO. In this case, you can create a User Group
that contains the identity of the CEO as the sole group member. You then define a policy exception that references the CEO
User Group. At runtime, the policy ignores messages that are sent or received by the CEO.
User Groups

Use Synchronized DGM for Network Prevent for Web Identity Detection
With Symantec Data Loss Prevention 16.0 MP1, you can use synchronized Directory Group Matching (DGM) with
Network Prevent for Web and ProxySG.
An email address header that is sent by ProxySG is used as the user identity for DGM detection.

About Two-tier Detection for Synchronized DGM


On the endpoint, the Recipient based on a Directory Server Group condition requires two-tier detection for DLP
Agents. The corresponding Sender/User based on a Directory Server Group condition does not require two-tier
detection.
Be sure to understand the implications of two-tier detection before you deploy the synchronized DGM Recipient rule to one
or more endpoints.
Two-tier detection for DLP Agents
To check if two-tier detection is being used, check c:\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\logs\debug\FileReader.log (Windows) or
/var/log/Symantec/DataLossPrevention/DetectionServer/16.0.10000/debug (Linux) on the Endpoint Server.

Troubleshooting policies

Configuring User Groups


The Manage > User Groups screen displays configured User Groups and is the starting point for creating a new User
Group. User Groups are used for implementing synchronized DGM and for assigning user roles based on Active Directory
common names.
Introducing synchronized Directory Group Matching (DGM)

NOTE
DLP Agents that are installed on Mac endpoints support User Groups that use Active Directory (AD) group
conditions in policies.
1. Establish a connection to the Active Directory server you want to synchronize with.
2. At the Manage > User Groups screen, click Create New Group.
Or, to edit an existing user group, select the group in the User Groups screen.
3. Configure the User Group parameters as required.
Configure a User Group
NOTE
If you are configuring User Groups for the first time, you must select the option Refresh the group directory
index on Save to populate the User Group.
4. After you locate the users you want, use the Add and Remove options to include or exclude them in the User Group.
5. Click Save.

Table 630: Configure a User Group

Action: Enter the group name.
Description: The Group Name is the name that you want to use to identify this group. Use a descriptive name so that you can easily identify it later on.

Action: Enter the group description.
Description: Enter a short Description of the group.

Action: Select the usage type.
Description: Select an option to designate access:
• Select Policies to only allow the User Group to access policies.
• Select Roles to only allow the User Group to access roles.

Action: View which policies use the group.
Description: Initially, when you create a new User Group, the Used in Policy field displays None. If the User Group already exists and you modify it, the system displays a list of the policies that implement the User Group, assuming one or more group-based policies are created for this User Group.

Action: Refresh the group directory index on Save.
Description: Select (check) the Refresh the group directory index on Save option to synchronize the user group profile with the most recent directory server index immediately on Save of the profile. If you leave this box unselected (unchecked), the profile is synchronized with the directory server index based on the Directory Connection setting.
If this is the first time you are configuring the User Group profile, you must select the Refresh the group directory index on Save option to populate the profile with the latest directory server index replication.

Action: Select the directory server.
Description: Select the directory server you want to use from the Directory Server list. You must establish a connection to the directory server before you create the User Group profile.

Action: Include email aliases.
Description: Check the Include Mail Aliases box to index user email aliases along with primary email addresses. For example, if a user has the primary email address "robert_smith@company.com" and an email alias "bob_smith@company.com," checking this box will index both email addresses. Be aware that indexing email aliases will increase your index size.

Action: Search the directory for specific users.
Description: Enter the search string in the search field and click Search to search the directory for specific users. You can search using literal text or wildcard characters (*).
The search results display the Common Name (CN) and the Distinguished Name (DN) of the directory server that contains the user. These names give you the specific user identity. Results are limited to 1000 entries.
Click Clear to clear the results and begin a new search of the directory.
Literal text search criteria options:
• Name of individual node, such as "engineering" or "accounting"
• Email address, such as "goakham@symantec-dlp.com"
Wildcard character search criteria options:
• The supported wildcard character is an asterisk (*)
• Proper wildcard search examples:
  – Gabriel *akha* returns "Gabriel Oakham"
  – j* jop* returns "Janice Joplin"
• Improper wildcard search:
  – Do not begin the search string with a wildcard; this will hinder directory server search performance.
  – For example, the following search is not recommended: *Gabriel Oakham.

Action: Browse the directory for user groups.
Description: You can browse the directory tree for groups and users by clicking on the individual nodes and expanding them until you see the group or node that you want. The browse results display the name of each node. These names give you the specific user identity. The results are limited to 20 entries by default. Click See More to view up to 1000 results.

Action: Add a user group to the profile.
Description: To add a group or user to the User Group profile, select it from the tree and click Add. After you select and add the node to the Added Groups column, the system displays the Common Name (CN) and the Distinguished Name (DN).

Action: Save the user group.
Description: Click Save to save the User Group profile you have configured.

Configuring synchronized DGM policy conditions


To implement synchronized DGM policies, you define a Directory Connection using the Enforce Server administration
console. The Directory Connection specifies the directory server you want to use as source information for defining
exact identity User Groups. You then define one or more User Groups in the Enforce Server administration console and
populate the group by synchronizing the User Group with the directory server. You then associate the User Groups with
the Sender/User based on a Directory Server Group group rule or the Recipient matches User Group based on a
Directory Server group rule.
Introducing synchronized Directory Group Matching (DGM)
Workflow for implementing synchronized DGM describes the process for implementing synchronized DGM.

Table 631: Workflow for implementing synchronized DGM

Step 1: Create the connection to the directory server.
Description: Establish the connection from the Enforce Server to a directory server such as Microsoft Active Directory.

Step 2: Create the User Group.
Description: Create one or more User Groups on the Enforce Server and populate the User Groups with the exact identities from the users, groups, and business units that are defined in the directory server.
Configuring User Groups

Step 3: Configure a new policy or edit an existing one.
Description: Configuring policies

Step 4: Configure one or more group rules or exceptions.
Description: Choose the type of synchronized DGM rule you want to implement and reference the User Group. After the policy and the group are linked, the policy applies only to those identities in the referenced User Group.
Configuring the Sender/User based on a Directory Server Group condition
Configuring the Recipient based on a Directory Server Group condition

Configuring the Sender/User based on a Directory Server Group condition


The condition Sender/User based on a Directory Server Group matches policy violations based on message senders
and endpoint users synchronized from a directory group server. You can implement this condition in a policy group
(identity) rule or exception.
Configuring policies
NOTE
If the identity being detected is a user, the user must be actively logged on to a DLP Agent-enabled system for
the policy to match.

Table 632: Sender/User matches User Group condition parameters

Parameter: Select User Groups to include in this policy
Description: Select one or more User Groups that you want this policy to detect. If you have not created a User Group, click Create a new User Group.
Configuring User Groups

Parameter: Match On
Description: This condition matches on the entire message. The Envelope option is selected by default. You cannot select any other message component.
Detection Messages and Message Components

Parameter: Also Match
Description: Select this option to create a rule. All conditions in a rule or exception must match to trigger an incident. You can Add any available condition from the list.
Configuring compound rules

Introducing synchronized Directory Group Matching (DGM)

Configuring the Recipient based on a Directory Server Group condition


The Recipient based on a Directory Server Group condition matches policy violations based on specific message
recipients synchronized from a directory server. You can implement this condition in a policy group rule or exception.
Introducing synchronized Directory Group Matching (DGM)

NOTE
The Recipient based on a Directory Server Group condition requires two-tier detection. About two-tier
detection for synchronized DGM

Table 633: Configuring the Recipient based on a Directory Server Group condition

Step 1: Select User Groups to include in this policy
Description: Select the User Group(s) that you want this policy to match on. If you have not created a User Group, click the Create a new Endpoint User Group option.
Configuring User Groups

Step 2: Match On
Description: This rule detects the entire message, not individual components. The Envelope option is selected by default. You cannot select any other message component.
Detection Messages and Message Components

Step 3: Also Match
Description: Select this option to create a rule. All conditions in a rule or exception must match to trigger an incident. You can Add any available condition from the list.
Configuring compound rules

Best Practices for Using Synchronized DGM


This section contains a few considerations to keep in mind when implementing synchronized DGM conditions in your
policies.

Refresh the directory on initial save of the User Group


To execute a policy rule based on an Active Directory group, the index that you define on the Enforce Server must first be
populated. When you first define the User Group, the recommendation is to select the option "Refresh the group directory
index on Save." This ensures proper synchronization of Active Directory with the Enforce Server. Once the User Group is
populated, you can then set up scheduling to keep the user group on Enforce in sync with the Active Directory server.
One use case for not indexing immediately is where you are creating multiple User Groups and you want to index after
you have defined all the groups. In this case you can use scheduling, but keep in mind that any policies based on these
indices will not execute until they are populated.
Introducing synchronized Directory Group Matching (DGM)
Configuring User Groups

Distinguish Synchronized DGM from Other Types of Endpoint Detection


When synchronized DGM policies are deployed to endpoint servers, identity-based detection applies to the users in a
configured group of DLP Agent-based endpoints. With endpoint-based user groups, many different users can log on to the
same computer depending on business practices. The response that each user sees on that endpoint varies depending
on how the users are grouped. Contrast this style of endpoint detection with the Endpoint Protocol Destination or
Endpoint Location methods, which are specific to the endpoint and are not user-based.
Introducing synchronized Directory Group Matching (DGM)

Introducing Profiled Directory Group Matching (DGM)


Profiled Directory Group Matching (DGM) uses Exact Data Matching (EDM) technology to detect identities that you have
indexed from your database or directory server using an Exact Data Profile. For example, you can use profiled DGM to
identify network user activity or to analyze content associated with particular users, senders, or recipients. Or, you can
exclude certain email addresses from analysis. Or, you might want to prevent certain people from sending confidential
information by email.
Configuring Exact Data profiles for DGM
Profiled DGM is distinguished from synchronized DGM, which uses a connection to a directory server (such as Microsoft
Active Directory) to match identities.
Introducing synchronized Directory Group Matching (DGM)

About two-tier detection for profiled DGM


Profiled DGM relies on an EDM index, which is server-based. Profiled DGM requires two-tier detection for DLP Agents on
the endpoint.
About two-tier detection for EDM on the endpoint
You cannot combine either type of profiled DGM condition with an Endpoint: Block or Endpoint: Notify response rule in
a policy. If you do, the system reports that the policy is misconfigured.
Troubleshooting policies

Configuring Exact Data profiles for DGM


To implement profiled DGM, you export identity records from a directory server or database, index the data, and create an
Exact Data Profile. You then reference this profile in the corresponding Sender/User or Recipient condition.
Introducing profiled Directory Group Matching (DGM)
Workflow for implementing profiled DGM describes the procedure for configuring Exact Data profiles for DGM policies.

Table 634: Workflow for implementing profiled DGM

Step 1: Create the data source file.
Description: Create a data source file from the directory server or database you want to profile. Make sure the data source file contains the appropriate fields. The following fields are supported for profiled DGM:
• Email address
• IP address
• Windows user name (in the format domain\user)
• IM screen name
Creating the exact data source file for profiled DGM for EDM

Step 2: Prepare the data source file for indexing.
Description:
Configuring Exact Data profiles for EDM
Preparing the exact data source file for indexing for EDM

Step 3: Create the Exact Data Profile.
Description: This includes uploading the data source file to the Enforce Server, mapping the data fields, and indexing the data source.
Uploading exact data source files for EDM to the Enforce Server
Creating and modifying Exact Data Profiles for EDM
Mapping Exact Data Profile fields for EDM
Scheduling Exact Data Profile indexing for EDM

Step 4: Define the profiled DGM condition.
Description:
Configuring the Sender/User based on a Profiled Directory condition
Configuring the Recipient based on a Profiled Directory condition

Step 5: Test the profiled DGM policy.
Description: Use a test policy group and verify that the matches the policy generates are accurate.
Test and tune policies to improve match accuracy

Configuring profiled DGM policy conditions
Symantec Data Loss Prevention provides two match conditions for profiled DGM: sender/user and recipient. Both
conditions can be used as policy rules or exceptions. For example, consider a scenario where you index a list of email
addresses and author profiled DGM policies based on this indexed data. You could write a rule that requires the message
sender to be from the indexed list to violate the policy. Or, you could write an exception that is not violated if the recipient
of an email is from the indexed list.
Creating the exact data source file for profiled DGM for EDM

Table 635: Profiled DGM conditions

Group rule: Sender/User based on a Directory from <EDM Profile>
Description: If this condition is implemented as a policy rule, a match occurs only if the sender or user of the data is contained in the index profile. If this condition is implemented as a policy exception, the data will be excepted from matching if it is sent by a sender/user listed in the index profile.

Group rule: Recipient based on a Directory from <EDM Profile>
Description: If this condition is implemented as a policy rule, a match occurs only if the recipient of the data is contained in the index profile. If this condition is implemented as a policy exception, the data will be excepted from matching if it is received by a recipient listed in the index profile.

Configuring the Sender/User Based on a Profiled Directory Condition


The Sender/User based on a Directory from detection rule lets you create detection rules that are based on a sender
identity or (for endpoint incidents) user identity. This condition requires an Exact Data Profile.
Creating the exact data source file for profiled DGM for EDM
You select the Exact Data Profile. Then, when you configure the rule, the directory you selected and the sender identifier
appear at the top of the page.
Configuring the Sender/User based on a Directory from an EDM Profile condition describes the parameters for configuring
the Sender/User based on a Directory from an EDM Profile condition.

Table 636: Configuring the Sender/User Based on a Directory From an EDM Profile Condition

Parameter: Where
Description: Select this option to have the system match on the specified field values. Select a field from the drop-down list. Type the values for that field in the adjacent text box. If you enter more than one value, separate the values with commas.
For example, for an Employees directory group profile that includes a Department field, you would select Where, select Department from the drop-down list, and enter Marketing,Sales in the text box. If the condition is implemented as a rule, a match occurs only if the sender or user works in Marketing or Sales (as long as the other input content meets all other detection criteria). If the condition is implemented as an exception, in this example the system excludes from matching messages from a sender or user who works in Marketing or Sales.

Parameter: Is Any Of
Description: Enter or modify the information that you want to match. For example, if you want to match any sender in the Sales department, select Department from the drop-down list, and then enter Sales in this field (assuming that your data includes a Department column). Use a comma-separated list if you want to specify more than one value.

Configuring the Recipient based on a Profiled Directory condition
The Recipient based on a Directory from condition lets you create detection methods based on the identity of the
recipient. This method requires an Exact Data Profile.
Creating the exact data source file for profiled DGM for EDM
After you select the Exact Data Profile, when you configure the rule, the directory you selected and the recipient
identifier(s) appear at the top of the page.
Configuring the Recipient based on a Directory from an EDM profile condition describes the parameters for configuring
the Recipient based on a Directory from an EDM profile condition.

Table 637: Configuring the Recipient based on a Directory from an EDM profile condition

Parameter: Where
Description: Select this option to have the system match on the specified field values. Specify the values by selecting a field from the drop-down list and typing the values for that field in the adjacent text box. If you enter more than one value, separate the values with commas.
For example, for an Employees directory group profile that includes a Department field, you would select Where, select Department from the drop-down list, and enter Marketing, Sales in the text box. For a detection rule, this example causes the system to capture an incident only if at least one recipient works in Marketing or Sales (as long as the input content meets all other detection criteria). For an exception, this example prevents the system from capturing an incident if at least one recipient works in Marketing or Sales.

Parameter: Is Any Of
Description: Enter or modify the information you want to match. For example, if you want to match any recipient in the Sales department, select Department from the drop-down list, and then enter Sales in this field (assuming that your data includes a Department column). Use a comma-separated list if you want to specify more than one value.
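The rule-versus-exception semantics of the two profiled DGM conditions, with the optional Where / Is Any Of refinement, worked through as an added Python example (not Symantec's code). The employee directory, the messages, and every function name are constructed for illustration.

```python
"""Profiled DGM condition evaluation (constructed example, not product code).

Models 'Sender/User based on a Directory from <EDM Profile>' and
'Recipient based on a Directory from <EDM Profile>', each optionally
narrowed with 'Where <field> Is Any Of <values>', and shows how the same
condition behaves as a policy rule versus as a policy exception.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the indexed Exact Data Profile built from an
# employee directory. Each row is one directory record; the Email column is
# the sender/recipient identifier and Department is the 'Where' field.
DIRECTORY_PROFILE: List[Dict[str, str]] = [
    {"Email": "alice@example.com", "Department": "Marketing"},
    {"Email": "bob@example.com", "Department": "Sales"},
    {"Email": "carol@example.com", "Department": "Engineering"},
]


def parse_is_any_of(text: str) -> Tuple[str, ...]:
    """Split the comma-separated 'Is Any Of' text box (e.g. 'Marketing,Sales')."""
    return tuple(v.strip().lower() for v in text.split(",") if v.strip())


@dataclass(frozen=True)
class DgmCondition:
    identity: str                          # "sender" or "recipient"
    where_field: Optional[str] = None      # e.g. "Department"; None = whole profile
    where_values: Tuple[str, ...] = ()     # output of parse_is_any_of()


def indexed_identities(cond: DgmCondition, profile=DIRECTORY_PROFILE) -> set:
    """Email identifiers of the profile rows that satisfy the optional Where filter."""
    rows = profile
    if cond.where_field is not None:
        rows = [r for r in rows
                if r.get(cond.where_field, "").lower() in cond.where_values]
    return {r["Email"].lower() for r in rows}


def condition_matches(cond: DgmCondition, message: dict,
                      profile=DIRECTORY_PROFILE) -> bool:
    """True when the condition's identity is listed in the (filtered) profile.

    For the recipient condition a match occurs if at least one recipient is
    listed, mirroring the 'at least one recipient' wording of Table 637.
    """
    listed = indexed_identities(cond, profile)
    if cond.identity == "sender":
        return message["sender"].lower() in listed
    if cond.identity == "recipient":
        return any(r.lower() in listed for r in message["recipients"])
    raise ValueError(f"unknown identity type: {cond.identity}")


def evaluate(rule: DgmCondition, exception: Optional[DgmCondition],
             message: dict, other_criteria_met: bool,
             profile=DIRECTORY_PROFILE) -> bool:
    """Decide whether an incident is raised.

    The DGM rule must match together with the policy's other detection
    criteria, and a DGM exception, when present, suppresses the match.
    """
    if not other_criteria_met:
        return False
    if not condition_matches(rule, message, profile):
        return False
    if exception is not None and condition_matches(exception, message, profile):
        return False
    return True
```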

Best practices for using profiled DGM


Keep in mind the considerations in this section when implementing profiled Directory Group Matching (DGM).

Follow EDM best practices when implementing profiled DGM


Profiled DGM leverages EDM technology. Follow the EDM procedures and best practices when implementing profiled
DGM.
About two-tier detection for profiled DGM

Include an email address field in the Exact Data Profile for profiled DGM
You must include the appropriate fields in the Exact Data Profile to implement profiled DGM.
Creating the exact data source file for profiled DGM for EDM
If you include the email address field in the Exact Data Profile for profiled DGM and map it to the email data validator,
the email address field appears in the Directory EDM drop-down list (on the remediation page).

Use Profiled DGM for Network Prevent for Web Identity Detection
Use one of the profiled DGM conditions to implement identity matching for Network Prevent for Web.
For example, you may want to use identity matching to block all web traffic for specific users.
Creating the exact data source file for profiled DGM for EDM
Configuring the Sender/User based on a Profiled Directory condition

Introducing Contextual Attributes for User Risk Scores
Apply the User Risk Score context match condition to apply contextual attributes for the user risk score.
The User Risk Score context match condition allows you to configure a detection rule based on user risk scores. For
example, you can create a policy detection rule that includes the User Risk Score condition. The condition can specify
that the detection rule applies to incidents that list a user risk score that exceeds a specified threshold.
NOTE
Rule conditions apply to supported DLP detection channels. See Introducing User Risk Based Detection.
The User Risk Score condition allows you to specify the following attributes and attribute values:
• Attribute: User Risk Score
• Operator
• Risk score (between 1 and 100, with 100 indicating the highest user risk)
You can also create a compound condition by selecting Detect based on user risk score in the Also match list. For
more information, see Configuring compound rules.
Related Links
Introducing User Risk Based Detection on page 1033
Use User Risk-based Detection to trigger policies based on the risk score for a particular user.
Adding a Rule to a Policy on page 825
Add one or more rules to a policy to indicate at least one match condition.
Configuring Policy Rules on page 827
You configure a policy rule with one or more match conditions. The configuration of each rule condition depends on its
type.

Introducing contextual attributes for cloud applications


You can include contextual attribute conditions in policy detection rules for Application Detection incidents. These
contextual attributes specify the attributes that are associated with cloud applications monitored or inspected by the Cloud
Detection Service. For example, you can create a policy detection rule that includes the Application Name: Gatelet
> Salesforce condition to specify that the detection rule applies to incidents that are associated with the Symantec
CloudSOC Salesforce Gatelet.
Contextual attributes are organized by category: General, User, Data Exposure, Data Transfer, and Custom.
Contextual attribute categories
Configuring contextual attribute conditions

Configuring contextual attribute conditions


You configure contextual attribute conditions as part of a policy rule or exception. The following procedure presumes that
you are familiar with policy configuration. Refer to the following topics for detailed information about policy configuration:
Configuring policies
Configuring policy rules
Configuring policy exceptions
To configure a policy rule with a contextual attribute condition, follow this procedure:
To configure contextual attribute conditions

1. Add a Contextual Attributes (Cloud Applications and API Detection Appliance only) condition to a policy rule or
exception, or edit an existing one.
2. Select a contextual attribute condition from the Attributes drop-down list.
Contextual attribute categories
3. Configure the appropriate contextual attribute values.
4. Click OK.

Contextual attribute categories


Contextual attributes are grouped into categories: General, User, Data Exposure, Data Transfer, and Custom.
The following tables provide more details about the attributes and attribute values available in each category.
NOTE
You can only configure policies using the CASB applications supported by the current release of Data Loss
Prevention. Securlets and Gatelets may be retired or added from time to time. If you try to author a policy
with a retired Securlet or Gatelet, you will see a CASB Applications(s) [name of application] are no longer
available error message. Incidents that you have already generated against retired Securlets and Gatelets are
still displayed in the Incident Snapshot.
General attributes
General attributes apply to all data types and applications.

Table 638: General attributes

Attribute: Application Name
Value:
Securlets:
• Amazon S3
• Amazon Web Services
• Box
• Cisco Spark
• Dropbox
• Google Calendar
• Google Drive
• Gmail
• Microsoft Azure
• Office 365 Email
• Office 365 OneDrive
• Office 365 SharePoint
• Salesforce
• SAP
• ServiceNow
• Slack
• Yammer
Gatelets:
• 4Shared
• 4Sync
• Acrobat.com
• AIM Mail
• Alfresco
• Amazon CloudDrive
• Amazon Web Services
• Amazon WorkDocs
• BitCasa
• Box
• BV ShareX
• cCloud
• CentralDesktop
• CloudMe
• CloudProvider
• Confluence
• Copy
• Cubby
• DigitalBucket
• Digital Ocean
• Dropbox
• Dynamics
• Egnyte
• FilesAnywhere
• Flow
• Ftopia
• Gmail
• GroupDocs
• Hightail
• Huddle
• IBM Connections
• iCloud
• iDrive
• Intralinks
• Joyent
Description: Specifies the name of the cloud web proxy, Gatelet, or Securlet.

Attribute: Data Type
Value:
• Data-at-Rest
• Data-in-Motion
• Custom
Description: Specifies the data type: data at rest (stored in a cloud repository), data in motion (data traveling over the network), or custom.

User attributes
User attributes address specific information about the user that is associated with an incident.

Table 639: User attributes

Attribute: Activity Type
Value:
• Create
• Edit
• Rename
• Upload
• Download
• Custom
Description: Specifies the type of action that was taken by the user on the data of the incident. Symantec Web Security Service does not use this attribute.

Attribute: Client Tenant Domain
Value: Enter the name in the Match field.
Description: Specifies the client tenant domain of the user. You can match exactly with or without case sensitivity, or match on a regular expression.

Attribute: Client Tenant User ID
Value: Enter the user identifier in the Match field.
Description: Specifies the client tenant identifier of the user. You can match exactly with or without case sensitivity, or match on a regular expression.

Attribute: Exposed Document Count
Value:
• Is Greater Than
• Is Less Than
• Is Greater Than or Equals
• Is Less Than or Equals
• Equals
• Range
Description: Specifies the users with a number of exposed documents above or below a certain value, or within a range you specify. Symantec Web Security Service does not use this attribute.

Attribute: User ID
Value:
• Match
• Match Type
Description: Specifies a user identifier that you provide. You can match exactly with or without case sensitivity, or match on a regular expression.

Attribute: User Name
Value:
• Match
• Match Type
Description: Specifies a user identifier that you provide. You can match exactly with or without case sensitivity, or match on a regular expression. Symantec Web Security Service does not use this attribute.

Attribute: User Threat Score
Value:
• Is Greater Than
• Is Less Than
• Is Greater Than or Equals
• Is Less Than or Equals
• Equals
• Range
Description: Specifies the Shadow IT threat score of the user, above or below a certain value, or within a range you specify. This attribute applies only to Securlet policies.

Attribute: User is Internal
Value:
• True
• False
Description: Specifies whether or not the user is part of your organization. Symantec Web Security Service does not use this attribute.

Data exposure attributes


Data exposure attributes specify information about the documents that are stored in cloud data repositories ("data at
rest"). Symantec Web Security Service does not use any data exposure attributes.

Table 640: Data exposure attributes

Attribute: Document Creation Date
Value:
• After
• Before
• On or After
• On or Before
• On
• Range
Description: Specifies the date the document was created.

Attribute: Document Last Accessed
Value:
• After
• Before
• On or After
• On or Before
• On
• Range
Description: Specifies the date the document was last accessed.

Attribute: Document Last Modified
Value:
• After
• Before
• On or After
• On or Before
• On
• Range
Description: Specifies the date the document was last modified.

Attribute: Document Owner
Value:
• Match
• Match Type
Description: Specifies the name of the document owner. You can match exactly with or without case sensitivity, or match on a regular expression.

Attribute: Document Tag
Value:
• Match
• Match Type
Description: Specifies the metadata tag of the document. You can match exactly with or without case sensitivity, or match on a regular expression.

Attribute: Document Type
Value:
• Match
• Match Type
Description: Specifies the type of document. You can match exactly with or without case sensitivity, or match on a regular expression.

Attribute: Document is Exposed
Value:
• True
• False
Description: Specifies if the document is shared or accessible. The document is "exposed" when shared with or accessible to everyone within your organization, or shared with or accessible to anyone outside of your organization. If the document is only shared with certain members of your organization, it is not considered an exposed document.

Attribute: Document is Internal
Value:
• True
• False
Description: Specifies if the document is "internal." A document is considered internal if a member of your organization created it.

Attribute: Document is Internally Shared
Value:
• True
• False
Description: Specifies if the document is shared with or accessible to everyone within your organization.

Attribute: Document is Publically Exposed
Value:
• True
• False
Description: Specifies if the document is shared with or accessible to everyone outside your organization. Such documents are available to everyone on the Internet.

Attribute: Job ID
Value:
• Match
• Match Type
Description: Specifies the job identifier that is associated with the document. You can match exactly with or without case sensitivity, or match on a regular expression.

Attribute: Service Classification
Value:
• Match
• Match Type
Description: Specifies the Shadow IT service classification. You can match exactly with or without case sensitivity, or match on a regular expression. Symantec Web Security Service does not use this attribute.

Attribute: Service Rating
Value:
• Is Greater Than
• Is Less Than
• Is Greater Than or Equals
• Is Less Than or Equals
• Equals
• Range
Description: Specifies the Shadow IT service score rating, above or below a certain value, or within a range you specify. Symantec Web Security Service does not use this attribute.

Attribute: SharePoint Site Name
Value:
• Match
• Match Type
Description: Specifies the name of a SharePoint Site. You can match exactly with or without case sensitivity, or match on a regular expression. Symantec Web Security Service does not use this attribute.

Data transfer attributes


Data transfer attributes specify information about data moving over the network ("data in motion").

Table 641: Data transfer attributes

Attribute: Browser
Value:
• Match
• Match Type
Description: Specifies the name of the web browser that is associated with the detection request. You can match exactly with or without case sensitivity, or match on a regular expression.

Attribute: Country
Value: Select a country from the drop-down list of country names.
Description: Specifies the name of the country that is associated with the detection request. Symantec Web Security Service does not use this attribute.

Attribute: Device Inside Office
Value:
• True
• False
Description: Specifies if the device associated with the detection request is located within your office. Symantec Web Security Service does not use this attribute.

Attribute: Device OS
Value:
• Match
• Match Type
Description: Specifies the operating system of the device that is associated with the detection request. You can match exactly with or without case sensitivity, or match on a regular expression. Symantec Web Security Service does not use this attribute.

Attribute: Device Type
Value:
• Match
• Match Type
Description: Specifies the type of device that is associated with the detection request. You can match exactly with or without case sensitivity, or match on a regular expression. Symantec Web Security Service does not use this attribute.

Attribute: Device is Compliant
Value:
• True
• False
Description: Specifies whether or not the device is compliant, based on information from your mobile device management system. Symantec Web Security Service does not use this attribute.

Attribute: Device is Managed
Value:
• True
• False
Description: Specifies whether or not your organization manages the device, based on information from your mobile device management system. Symantec Web Security Service does not use this attribute.

Attribute: Device is Personal
Value:
• True
• False
Description: Specifies whether or not the user owns the device, based on information from your mobile device management system. Symantec Web Security Service does not use this attribute.

Attribute: Device is Trusted
Value:
• True
• False
Description: Specifies whether or not the device is trusted, based on information from your mobile device management system. Symantec Web Security Service does not use this attribute.

Attribute: HTTP Method
Value:
• GET
• PUT
• DELETE
• POST
• Custom
Description: Specifies the method that is used in the HTTP traffic that is submitted for inspection.

Attribute: Network Direction
Value:
• Upload
• Download
• Custom
Description: Specifies the network direction of the message that is submitted for inspection.

Attribute: Recipient IP
Value:
• Match
• Match Type
Description: Specifies the IP address of the message recipient. You can match exactly with or without case sensitivity, or match on a regular expression.

Attribute: Recipient Port
Value:
• Is Greater Than
• Is Less Than
• Is Greater Than or Equals
• Is Less Than or Equals
• Equals
• Range
Description: Specifies the network port of the message recipient.

Attribute: Sender IP
Value:
• Match
• Match Type
Description: Specifies the IP address of the message sender. You can match exactly with or without case sensitivity, or match on a regular expression.

Attribute: Sender Port
Value:
• Is Greater Than
• Is Less Than
• Is Greater Than or Equals
• Is Less Than or Equals
• Equals
• Range
Description: Specifies the network port of the message sender. Symantec Web Security Service does not use this attribute.

Attribute: Site Classification
Value:
• Match
• Match Type
Description: Specifies the type of site that is associated with the detection request, such as "Social Media." You can match exactly with or without case sensitivity, or match on a regular expression.

Attribute: Site Risk Score
Value:
• Is Greater Than
• Is Less Than
• Is Greater Than or Equals
• Is Less Than or Equals
• Equals
• Range
Description: Specifies a numeric value indicating the risk level of the target site.

Attribute: Source Protocol
Value:
• Match
• Match Type
Description: Specifies the OSI Level 7 network protocol for the detection request. For example, SMTP, HTTP, FTP, and so on. You can match exactly with or without case sensitivity, or match on a regular expression.

Attribute: User Agent
Value:
• Match
• Match Type
Description: Specifies the user agent for the detection request that is related to HTTP traffic. You can match exactly with or without case sensitivity, or match on a regular expression.

Custom attributes
Custom attributes let you enter any attributes for your Application Detection policies that are not provided by default.

Table 642: Custom attributes

Attribute: String Attribute
Value:
• Name
• Match
• Match Type
Description: Specifies a custom string attribute. Name your attribute, then specify the match and match type for your string. You can match exactly with or without case sensitivity, or match on a regular expression.

Attribute: Numeric Attribute
Value:
• Name
• Is Greater Than
• Is Less Than
• Is Greater Than or Equals
• Is Less Than or Equals
• Equals
• Range
Description: Specifies a custom numeric attribute. Name your attribute, then specify the numeric property and value.

Attribute: Boolean Attribute
Value:
• Name
• True
• False
Description: Specifies a custom Boolean attribute. Name your attribute, then specify the Boolean value.

Attribute: Date Attribute
Value:
• Name
• After
• Before
• On or After
• On or Before
• On
• Range
Description: Specifies a custom date attribute. Name your attribute, then specify the date property and value.

Overview of detection file format support


Symantec Data Loss Prevention detection supports various file formats for performing the following operations:
• File type identification
• File contents extraction
• Subfile extraction
• Document metadata extraction
File format support for detection operations summarizes the file formats that Symantec Data Loss Prevention supports for
file type identification and content, subfile and metadata extraction.
You configure the system to identify individual file formats using the Message Attachment or File Type Match condition.
This condition performs a context-based match that only identifies the file format type; it does not extract file contents. In
addition, you must explicitly select the individual file format(s) you want to detect.
About file type matching
When you use a content-based detection condition in a policy (such as Content Matches Keyword), the system
automatically extracts file contents for supported file formats (such as DOCX, PPTX, XLSX, PDF). In addition, the system
automatically extracts subfiles from supported encapsulation file formats (such as ZIP, RAR, TAR).
Content matching conditions

Lastly, you can enable metadata extraction for a limited number of document formats (such as DOCX), and use keyword
matching to detect document metadata.
About document metadata detection
NOTE
While there is some overlap among file types supported for extraction and for identification (because if the
system can crack the file it must be able to identify its type), the supported formats for each operation are
distinct and implemented using different match conditions. The number of file formats supported for type
identification is much broader than those supported for content extraction.

Table 643: File format support for detection operations

Operation type: File type identification
Description: Symantec Data Loss Prevention does not rely on file extensions to identify the format. File type is identified by the unique binary signature of the file format.
Configuration: Explicitly, using the Message Attachment or File Type Match file property condition.
Supported formats: Supported formats for file type identification

Operation type: File contents extraction
Description: File contents is any text-based content that can be viewed through the native or source application.
Configuration: Implicitly, using one or more content match conditions, including EDM, IDM, VML, data identifiers, keyword, regular expressions.
Supported formats: Supported formats for content extraction

Operation type: Subfile extraction (Subfile)
Description: Subfiles are files encapsulated in a parent file. Subfiles are extracted and processed individually for identification and content extraction. If the subfile format is not supported by default, a custom method can be used to detect and crack the file.
Configuration: Implicitly, using one or more content match conditions, including EDM, IDM, VML, data identifiers, keyword, regular expressions.
Supported formats: Supported encapsulation formats for subfile extraction

Operation type: Metadata extraction (Metadata)
Description: Metadata is information about the file, such as author, version, or user-defined tags. Generally limited to Microsoft Office documents (OLE-enabled) and Adobe PDF files. Metadata support may differ between agent and server.
Configuration: Available for content-based match conditions. Must be enabled.
Supported formats: Supported file formats for metadata extraction
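An added Python example (not Symantec's code) of the two behaviours the table describes: identifying a file by its binary signature rather than its extension, and extracting and identifying the subfiles of an encapsulation format individually. The signature table, the sample archive and the function names are constructed for illustration and cover only a handful of the formats listed on this page.

```python
"""Type identification by binary signature plus subfile extraction
(constructed example, not product code).

Identification ignores the file name and extension entirely: only the
leading bytes (or, for tar, the bytes at a fixed offset) decide the type.
A ZIP container is then opened and each member is identified the same way,
recursing into nested archives.
"""
import io
import zipfile
from typing import List, Tuple

# Constructed signature table: (magic bytes, byte offset, format name).
# The product's real table is far larger; these are well-known magic
# numbers used here only for illustration.
SIGNATURES: List[Tuple[bytes, int, str]] = [
    (b"PK\x03\x04", 0, "PKZIP"),
    (b"%PDF-", 0, "Adobe PDF"),
    (b"\x1f\x8b", 0, "GZIP"),
    (b"Rar!\x1a\x07", 0, "RAR archive"),
    (b"7z\xbc\xaf\x27\x1c", 0, "7-Zip Compressed File (7Z)"),
    (b"\x89PNG\r\n\x1a\n", 0, "Portable Network Graphics"),
    (b"-----BEGIN PGP MESSAGE-----", 0, "ASCII-armored PGP encoded"),
    (b"ustar", 257, "Tape Archive"),
]

UNKNOWN = "UNKNOWN"   # anything with no known signature falls through to 'Unknown'
MAX_DEPTH = 8         # guard against deeply nested archives


def identify(data: bytes) -> str:
    """Return the format name whose signature matches, else UNKNOWN."""
    for magic, offset, name in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return UNKNOWN


def identify_tree(data: bytes, path: str = "<message>",
                  depth: int = 0) -> List[Tuple[str, str]]:
    """Identify a file and, for ZIP containers, every subfile inside it.

    Returns (path, format) pairs; nested members are listed with a
    'parent/member' path so a reviewer can see where each subfile came from.
    """
    fmt = identify(data)
    results = [(path, fmt)]
    if fmt == "PKZIP" and depth < MAX_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = zf.read(info)
                    results.extend(
                        identify_tree(member, f"{path}/{info.filename}", depth + 1))
        except zipfile.BadZipFile:
            # Signature matched but the container is corrupt: keep the
            # container's type and record that no subfiles were readable.
            results.append((f"{path}/<unreadable>", UNKNOWN))
    return results


def build_sample_archive() -> bytes:
    """Construct a ZIP whose member names deliberately misstate their types."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("scan.jpg", b"%PDF-1.7\n% constructed PDF body\n")   # PDF named .jpg
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("notes.txt", b"plain text has no magic number")
        zf.writestr("backup.bin", inner.getvalue())                      # nested ZIP named .bin
        zf.writestr("image.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)    # genuine PNG header
    return outer.getvalue()
```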

Supported formats for file type identification


Formats supported for file type identification lists the file types you can identify using the Message Attachment or File
Type Match policy condition.
About file type matching
The Unknown file format identifies any format that is unknown to Symantec Data Loss Prevention. The Unknown file
format is only supported for file type identification. This type identifies files that are not known to Data Loss Prevention so
that a file type rule can block them.
If the file format you want to identify is not supported, you can use the Symantec Data Loss Prevention Scripting
Language to identify custom file types.
About custom file type identification

NOTE
The Message Attachment or File Type Match condition is a context-based match condition that only supports
file type identification. This condition does not support file contents extraction. To extract file contents for policy
evaluation you must use a content-based detection rule.
Supported formats for content extraction
Overview of detection file format support

Table 644: Formats supported for file type identification

Message Attachment or File Type Match formats

7-Zip Compressed File (7Z)


Ability Office (SS)
Ability Office (DB)
Ability Office (GR)
Ability Office (WP)
Ability Office (COM)
ACT
Adobe FrameMaker
Adobe Maker Interchange Format (FrameMaker)
Adobe FrameMaker Markup Language
Adobe PDF
AES Multiplus Comm
Aldus Freehand (Macintosh)
Aldus PageMaker (DOS)
Aldus PageMaker (Macintosh)
Amiga IFF-8SVX sound
Amiga MOD sound
ANSI
Apple Double
Apple Single
Applix Alis
Applix Asterix
Applix Graphics
Applix Presents
Applix Spreadsheets
Applix Words
ARC/PAK Archive
ASCII
ASCII-armored PGP encoded
ASCII-armored PGP Public Keyring
ASCII-armored PGP signed
Audio Interchange File Format
AutoCAD Drawing

AutoCAD Drawing Exchange


AutoDesk Animator FLIC Animation
AutoDesk Animator Pro FLIC Animation
AutoDesk WHIP
AutoShade Rendering
BinHex
CADAM Drawing (CDD) (server only)
CADAM Drawing Overlay
CATIA Drawing (CAT) (server only)
CCITT Group 3 1-Dimensional (G31D)
COMET TOP Word
Comma Separated Values
Compactor/Compact Pro Archive
Computer Graphics Metafile
Convergent Tech DEF Comm.
Corel Draw CMX
Corel Presentations
Corel Quattro Pro (WB2)
Corel Quattro Pro (WB3)
Corel WordPerfect Linux
Corel WordPerfect Macintosh
Corel WordPerfect Windows (WO)
Corel WordPerfect Windows (WPD)
CorelDRAW
cpio Archive (UNIX)
cpio Archive (VAX)
cpio Archive (SUN)
CPT Communication
Creative Voice (VOC) sound
Curses Screen Image (UNIX)
Curses Screen Image (VAX)
Curses Screen Image (SUN)
Data Interchange Format
Data Point VISTAWORD
dBase Database
DCX Fax
DCX Fax System
DEC WPS PLUS
DECdx
Desktop Color Separation (DCS)

Device Independent file (DVI)


DG CEOwrite
DG Common Data Stream (CDS)
DIF Spreadsheet
Digital Document Interchange Format (DDIF)
Disk Doubler Compression
DisplayWrite
Domino XML Language
EMC EmailXtender Container File (EMX)
ENABLE
ENABLE Spreadsheet (SSF)
Encapsulated PostScript (raster)
Enhanced Metafile
Envoy (EVY)
Executable- Other
Executable- UNIX
Executable- VAX
Executable- SUN
FileMaker (Macintosh)
File Share Encryption
Folio Flat File
Framework
Framework II
FTP Session Data
Fujitsu Oasys
GEM Bit Image
GIF
Graphics Environment Manager (GEM VDI)
GZIP
Haansoft Hangul (Hangul 2010 SE+)
Harvard Graphics
Hewlett-Packard
Honey Bull DSA101
HP Graphics Language (HPG) (server only)
HP Printer Control Language (PCL)
HTML
IBM 1403 Line Printer
IBM DCA/RFT(Revisable Form Text)
IBM DCA-FFT
IBM DCF Script

iCalendar
Informix SmartWare II
Informix SmartWare II Communication File
Informix SmartWare II Database
Informix SmartWare Spreadsheet
Interleaf
Java Archive
JPEG
JPEG File Interchange Format (JFIF)
JustSystems Ichitaro
KW ODA G31D (G31)
KW ODA G4 (G4)
KW ODA Internal G32D (G32)
KW ODA Internal Raw Bitmap (RBM)
Lasergraphics Language
Legato Extender
Link Library- Other
Link Library UNIX
Link Library VAX
Link Library SUN
Lotus 1-2-3 (123)
Lotus 1-2-3 (WK4)
Lotus 1-2-3 Charts
Lotus AMI Pro
Lotus AMI Professional Write Plus
Lotus AMIDraw Graphics
Lotus Freelance Graphics
Lotus Freelance Graphics 2
Lotus Notes Bitmap
Lotus Notes CDF
Lotus Notes database
Lotus Pic
Lotus Screen Cam
Lotus SmartMaster
Lotus Word Pro
Lyrix MacBinary
MacBinary
Macintosh Raster
MacPaint
Macromedia (Adobe) Director

Macromedia (Adobe) Flash


MacWrite
MacWrite II
MASS-11
Micrografx Designer
Microsoft Access
Microsoft Advanced Systems Format (ASF)
Microsoft Compressed Folder (LZH)
Microsoft Compressed Folder (LHA)
Microsoft Device Independent Bitmap
Microsoft Excel Charts
Microsoft Excel Macintosh
Microsoft Excel Windows
Microsoft Excel Windows XML
Microsoft Office Access (ACCDB)
Microsoft Office Drawing
Microsoft OneNote
Microsoft Outlook Personal Folder
Microsoft Outlook
Microsoft Outlook Express
Microsoft PowerPoint Macintosh
Microsoft PowerPoint PC
Microsoft PowerPoint Windows
Microsoft PowerPoint Windows XML
Microsoft PowerPoint Windows Macro-Enabled XML
Microsoft PowerPoint Windows XML Template
Microsoft PowerPoint Windows Macro-Enabled XML Template
Microsoft PowerPoint Windows XML Show
Microsoft PowerPoint Windows Macro-Enabled Show
Microsoft Project
Microsoft Publisher
Microsoft RMS Encrypted Office Binary File
Microsoft RMS Encrypted Open Packaging Conventions File
Microsoft Visio
Microsoft Visio 2013
Microsoft Visio 2013_Macro Format
Microsoft Visio 2013_Stencil Format
Microsoft Visio 2013_Stencil_Macro Format
Microsoft Visio 2013_Template Format
Microsoft Visio _Template_Macro

Microsoft Visio XML


Microsoft Wave Sound
Microsoft Windows Cursor (CUR) Graphics
Microsoft Windows Group File
Microsoft Windows Help File
Microsoft Windows Icon (ICO)
Microsoft Windows OLE 2 Encapsulation
Microsoft Windows Write
Microsoft Word (UNIX)
Microsoft Word Macintosh
Microsoft Word PC
Microsoft Word Windows
Microsoft Word Windows XML
Microsoft Word Windows Template XML
Microsoft Word Windows Macro-Enabled Template XML
Microsoft Works (Macintosh)
Microsoft Works
Microsoft Works Communication (Macintosh)
Microsoft Works Communication (Windows)
Microsoft Works Database (Macintosh)
Microsoft Works Database (PC)
Microsoft Works Database (Windows)
Microsoft Works Spreadsheet (S30)
Microsoft Works Spreadsheet (S40)
Microsoft Works Spreadsheet (Macintosh)
Microstation
MIDI
MORE Database Outliner (Macintosh)
MPEG-1 Audio layer 3
MPEG-1 Video
MPEG-2 Audio
MS DOS Batch File format
MS DOS Device Driver
MultiMate 4.0
Multiplan Spreadsheet
Navy DIF
NBI Async Archive Format
NBI Net Archive Format
Netscape Bookmark file
NeWS font file (SUN)

NeXT/Sun Audio
NIOS TOP
Nota Bene
Nurestor Drawing (NUR) (server only)
Oasis Open Document Format (ODT)
Oasis Open Document Format (ODS)
Oasis Open Document Format (ODP)
Object Module UNIX
Object Module VAX
Object Module SUN
ODA/ODIF
ODA/ODIF (FOD 26)
Office Writer
OLE DIB object
OLIDIF
OmniOutliner (OO3)
OpenOffice Calc (SXC)
OpenOffice Calc (ODS)
OpenOffice Impress (SXI)
OpenOffice Impress (SXP)
OpenOffice Impress (ODP)
OpenOffice Writer (SXW)
OpenOffice Writer (ODT)
Open PGP
OS/2 PM Metafile Graphics
Paradox (PC) Database
PC COM executable
PC Library Module
PC Object Module
PC PaintBrush
PC True Type Font
PCD Image
PeachCalc Spreadsheet
Persuasion Presentation
PEX Binary Archive (SUN)
PGP Compressed Data
PGP Encrypted Data
PGP Public Keyring
PGP Secret Keyring
PGP Signature Certificate

PGP Signed and Encrypted Data


PGP Signed Data
Philips Script
PKZIP
Plan Perfect
Portable Bitmap Utilities (PBM)
Portable Greymap Utilities (PGM)
Portable Network Graphics
Portable Pixmap Utilities (PPM)
PostScript File
PRIMEWORD
Program Information File
Q & A for DOS
Q & A for Windows
Quadratron Q-One (V1.93J)
Quadratron Q-One (V2.0)
Quark Express (Macintosh)
QuickDraw 3D Metafile (3DMF)
QuickTime Movie
RAR archive
Real Audio
Reflex Database
Rich Text Format
RIFF Device Independent Bitmap
RIFF MIDI
RIFF Multimedia Movie
SAMNA Word IV
Serialized Object Format (SOF) Encapsulation
SGI RGB Image
SGML
Simple Vector Format (SVF)
SMTP document
SolidWorks Drawing (SLDASM, SLDPRT, SLDDRW)
StarOffice Calc (SXC)
StarOffice Calc (ODS)
StarOffice Impress (SXI)
StarOffice Impress (SXP)
StarOffice Impress (ODP)
StarOffice Writer (SXW)
StarOffice Writer (ODT)

Stuff It Archive (Macintosh)


Sun Raster Image
SUN vfont definition
Supercalc Spreadsheet
SYLK Spreadsheet
Symphony Spreadsheet
Tagged Image File
Tape Archive
Targon Word (V 2.0)
Text Mail (MIME)
Transmission Neutral Encapsulation Format
Truevision Targa
Ultracalc Spreadsheet
Unicode Text
Uniplex (V6.01)
Uniplex Ucalc Spreadsheet
UNIX Compress
UNIX SHAR Encapsulation
UNKNOWN
Usenet format
UUEncoding
Vcard
VCF
Volkswriter
VRML
Wang Office GDL Header Encapsulation
WANG PC
Wang WITA
WANG WPS Comm.
Windows Animated Cursor
Windows Bitmap
Windows C++ Object Storage
Windows Icon Cursor
Windows Metafile
Windows Micrografx Draw (DRW)
Windows Palette
Windows Media Video (WMV)
Windows Media Audio (WMA)
Windows Video (AVI)
WinZip (unzip reader)

WinZip
Word Connection
WordERA (V 1.0)
WordMARC word processor
WordPad
WordPerfect General File
WordPerfect Graphics 1
WordPerfect Graphics 2
WordStar
WordStar 2000
WordStar 6.0
WriteNow
Writing Assistant word processor
X Bitmap (XBM)
X Image
X Pixmap (XPM)
Xerox 860 Comm.
Xerox Writer word processor
XHTML
XML (generic)
XML Paper Specification
XyWrite

Supported formats for content extraction


Symantec Data Loss Prevention cracks more than 100 file formats for performing content extraction. You use content-
based detection conditions to crack a file and extract its contents.
Content matching conditions
Supported file format categories for content extraction lists the various file format categories whose content Symantec
Data Loss Prevention can extract. Refer to the associated link for the individual file formats supported for that category.
Overview of detection file format support

Table 645: Supported file format categories for content extraction

File format category Default support list

Word-processing file formats Supported word-processing formats for content extraction


Presentation file formats Supported presentation formats for content extraction
Spreadsheet file formats Supported spreadsheet formats for content extraction
Text and markup file formats Supported text and markup formats for content extraction
Email file formats Supported email formats for content extraction
CAD file formats Supported CAD formats for content extraction
Graphics file formats Supported graphics formats for content extraction


Database file formats Supported database formats for content extraction
Microsoft Office Open XML formats About high-performance content extraction for Office Open XML formats
Other file formats Other file formats supported for content extraction
Encapsulation file formats Supported encapsulation formats for subfile extraction

Supported word-processing formats for content extraction


Supported word-processing file formats for content extraction lists the word-processing file formats whose content
Symantec Data Loss Prevention can extract for policy evaluation.

Table 646: Supported word-processing file formats for content extraction

Format Name Format Extension

Adobe Maker Interchange Format (FrameMaker) MIF


Apple iWork Pages PAGES
ApplixWords AW
Corel WordPerfect Linux WPS
Corel WordPerfect Macintosh WPS
Corel WordPerfect Windows WO
Corel WordPerfect Windows WPD
DisplayWrite IP
Folio Flat file FFF
Fujitsu Oasys OA2
Haansoft Hangul HWP
IBM DCA/RFT (Revisable Form Text) DC
JustSystems Ichitaro JTD
Lotus AMI Pro SAM
Lotus AMI ProfessionalWrite Plus AMI
LotusWord Pro LWP
Lotus SmartMaster MWP
Microsoft Word PC DOC
Microsoft Word Windows DOC
Microsoft Word Windows XML DOCX
Microsoft Word Windows Template XML DOTX
Microsoft Word Windows Macro-Enabled Template XML DOTM
Microsoft Word Macintosh DOC
Microsoft Works WPS
Microsoft Windows Write WRI
Microsoft OneNote ONE
OpenOfficeWriter SXW
OpenOfficeWriter ODT
StarOfficeWriter SXW
StarOfficeWriter ODT
WordPad RTF
XML Paper Specification XPS
XyWrite XY4

Supported presentation formats for content extraction


Supported presentation formats for files content extraction lists the presentation file formats whose content Symantec
Data Loss Prevention can extract for policy evaluation.

Table 647: Supported presentation formats for files content extraction

Format Name Format Extension

Apple iWork Keynote KEYNOTE


Applix Presents AG
Corel Presentations SHW
Lotus Freelance Graphics PRZ
Lotus Freelance Graphics 2 PRE
Macromedia Flash SWF
Microsoft PowerPoint Windows PPT
Microsoft PowerPoint PC PPT
Microsoft PowerPoint Windows XML PPTX
Microsoft PowerPoint Windows Macro-Enabled XML PPTM
Microsoft PowerPoint Windows XML Template POTX
Microsoft PowerPoint Windows Macro-Enabled XML Template POTM
Microsoft PowerPoint Windows XML Show PPSX
Microsoft PowerPoint Windows Macro-Enabled Show PPSM
Microsoft PowerPoint Macintosh PPT
OpenOffice Impress SXI
OpenOffice Impress SXP
OpenOffice Impress ODP
StarOffice Impress SXI
StarOffice Impress SXP
StarOffice Impress ODP

Supported spreadsheet formats for content extraction


Supported spreadsheet formats for file contents extraction lists the spreadsheet file formats whose content Symantec
Data Loss Prevention can extract for policy evaluation.

Table 648: Supported spreadsheet formats for file contents extraction

Format Name Format Extension

Apple iWork Numbers NUMBERS


Applix Spreadsheets AS
Comma Separated Values CSV
Corel Quattro Pro WB2
Corel Quattro Pro WB3
Data Interchange Format DIF
Lotus 1-2-3 123
Lotus 1-2-3 WK4
Lotus 1-2-3 Charts 123
Microsoft Excel Windows XLS
Microsoft Excel Windows XML XLSX
Microsoft Excel Charts XLS
Microsoft Excel 2007 Binary XLSB
Microsoft Excel Macintosh XLS
Microsoft Works Spreadsheet S30
Microsoft Works Spreadsheet S40
OpenOffice Calc SXC
OpenOffice Calc ODS
StarOffice Calc SXC
StarOffice Calc ODS

Supported text and markup formats for content extraction


Supported text and markup file formats for content extraction lists the text and markup file formats whose content
Symantec Data Loss Prevention can extract for policy evaluation.

Table 649: Supported text and markup file formats for content extraction

Format Name Format Extension

ANSI TXT
ASCII TXT
HTML HTM
Microsoft Excel Windows XML XML
Microsoft Word Windows XML XML
Microsoft Visio XML VDX
Oasis Open Document Format ODT
Oasis Open Document Format ODS
Oasis Open Document Format ODP
Rich Text Format RTF
Unicode Text TXT
XHTML HTM
XML (generic) XML

Supported email formats for content extraction


Supported email file formats for content extraction lists the email file formats whose content Symantec Data Loss
Prevention can extract for evaluation.

Table 650: Supported email file formats for content extraction

Format Name Format Extension

Domino XML Language DXL


EMC EmailXtender Native Message ONM
Microsoft Outlook MSG
Microsoft Outlook Express EML
Text Mail (MIME) various
Transfer Neutral Encapsulation Format various

Supported CAD formats for content extraction


Supported CAD file formats lists the computer-aided design (CAD) file formats whose content Symantec Data Loss
Prevention can extract for evaluation.

Table 651: Supported CAD file formats

Format Name Format Extension

AutoCAD Drawing DWG


AutoCAD Drawing Exchange DXF
Microsoft Visio 2013 VSD
Microsoft Visio XML VSDX
Microsoft Visio 2013_Macro VSDM
Microsoft Visio 2013_Stencil VSSX
Microsoft Visio 2013_Stencil_Macro VSSM
Microsoft Visio 2013_Template VSTX
Microsoft Visio 2013_Template_Macro VSTM
Microstation DGN

Supported graphics formats for content extraction


Supported graphics file formats for content extraction lists the graphics file formats whose content Symantec Data Loss
Prevention can extract for evaluation.

Table 652: Supported graphics file formats for content extraction

Format Name Format Extension

Enhanced Metafile EMF


Lotus Pic PIC
Tagged Image File (metadata only) TIFF
Windows Metafile WMF

Supported database formats for content extraction


The following table lists the database file formats whose content Symantec Data Loss Prevention can extract for policy
evaluation.

Table 653: Crackable database file formats

Format Name Format Extension

Microsoft Access MDB


Microsoft Project MPP

Other File Formats Supported for Content Extraction


Other supported formats for content extraction lists other file formats whose content Symantec Data Loss Prevention can
extract for policy evaluation.

Table 654: Other supported formats for content extraction

Format name Format extension

Adobe PDF PDF


iCalendar ICS
MPEG-1 Audio layer 3 (metadata only) MP3
Microsoft Windows Backup Utility File BKF
Microsoft Rights Management protected files:
• PFILE
• Microsoft Office 2003 and older
• Files that use Open Packaging Conventions (OPC) file technology, including Office Open XML (including Office 2007 and greater), and XML Paper Specification (XPS)
Note: This type of content extraction is only supported on detection servers running on Windows servers.

File Share Encryption (PGP Netshare) You can decrypt Symantec File Share encrypted files and can extract file contents for policy
evaluation using the File Share plugin.
Custom You can write a plug-in to perform content, subfile, and metadata extraction operations on
custom file formats.
Note: Content extraction plug-ins are limited to detection servers.

Virtual Card File VCF and VCARD electronic business card files

Supported encapsulation formats for subfile extraction
Symantec Data Loss Prevention supports various encapsulation formats for subfile extraction, such as ZIP, RAR, and
TAR. The system automatically performs subfile extraction for supported formats using content-based match conditions.
Subfile extraction is a subset of content extraction in that, if the system is successful in extracting a subfile from a
supported encapsulated file, the system automatically extracts the text-based subfile contents if the subfile format is
supported for content extraction.
Overview of detection file format support
Supported encapsulation formats for subfile extraction lists the file formats whose content Symantec Data Loss Prevention
can extract for content evaluation.

Table 655: Supported encapsulation formats for subfile extraction

Format Name Format Extension

7-Zip 7Z
BinHex HQX
GZIP GZ
iCalendar ICS
Java Archive JAR
Microsoft Cabinet CAB
Microsoft Compressed Folder LZH
Microsoft Compressed Folder LHA
Microsoft Visio 2013 VSD
Microsoft Visio 2013 XML VSDX
Microsoft Visio 2013_Macro VSDM
Microsoft Visio 2013_Stencil VSSX
Microsoft Visio 2013_Stencil_Macro VSSM
Microsoft Visio 2013_Template VSTX
Microsoft Visio 2013_Template_Macro VSTM
PKZIP ZIP
WinZip ZIP
RAR archive RAR
Tape Archive TAR
UNIX Compress Z
UUEncoding UUE
Virtual Card File VCF and VCARD electronic business card files
YENC YENC (server only)

Supported file formats for metadata extraction


Supported file formats for metadata detection lists some of the file formats that Symantec Data Loss Prevention supports
for metadata detection, and provides some example metadata fields returned for those formats.

This list is not exhaustive and is provided for quick reference only. Other file formats may be supported, and other custom
fields may be returned. The best practice is to always use the filter utility to verify metadata support for each file format
you want to detect.
Always use the filter utility to verify file format metadata support

Table 656: Supported file formats for metadata detection

File formats Metadata Description

File formats: Microsoft Office documents, for example:
• Word (DOC, DOCX)
• Excel (XLS, XLSX)
• PowerPoint (PPT, PPTX)
Metadata: For Microsoft Office documents, the system extracts Object Linking and Embedding (OLE) metadata.
Description: Example fields:
• Title
• Subject
• Author
• Keywords
• Other custom fields

File formats: Adobe PDF files
Metadata: For Adobe PDF files, the system extracts Document Information Dictionary (DID) metadata. The system does not support Adobe Extensible Metadata Platform (XMP) metadata extraction.
Description: Example fields:
• Author
• Title
• Subject
• Creation and update dates

File formats: Microsoft Visio
Metadata: Supported format extensions

File formats: Other file formats (including binary and text)
Metadata: Use the filter utility to verify metadata extraction for other file formats.
Description: Always use the filter utility to verify file format metadata support

File formats: Custom file formats
Metadata: Content extraction plug-in that supports the metadata extraction operation.
Description: Custom file type metadata

About document metadata detection


In addition to file content and subfile extraction, Symantec Data Loss Prevention supports metadata extraction for many
file formats. File format metadata is data about a file that is stored as file properties. By default metadata extraction is
disabled because it can lead to false positives. Used properly, metadata detection can enhance the accuracy of your
content-based policy rules.
For example, consider a business that uses Microsoft Office templates for their Word, Excel, and PowerPoint documents.
The business applies Microsoft OLE metadata properties in the form of keywords to each template. The business has
enabled metadata extraction and deployed keyword policies to match on metadata keywords. These policies can detect
keywords in documents that are derived from the templates. The business also has the flexibility to use policy exceptions
to avoid generating incidents if certain metadata keywords are present.

Enabling server metadata detection


By default metadata extraction is disabled for detection servers.
To enable server metadata extraction

1. Log on to the Enforce Server administration console as a system administrator.
2. Navigate to the System > Servers and Detectors > Overview > Server/Detector Detail - Advanced Settings
screen for the detection server or cloud detector you want to enable metadata extraction.
3. Click the Server Settings button.
4. Locate property ContentExtraction.EnableMetaData in the list.
5. Enter the value on for this property to enable metadata extraction.
6. Click Save to save the configuration.
7. Click Recycle the server at the Server Detail screen to restart the server.
8. Click Done at the Server Detail screen to complete the process.

Enabling endpoint metadata detection


By default metadata extraction is disabled for endpoints.
To enable endpoint metadata extraction
1. Log on to the Enforce Server administration console as a system administrator.
2. Navigate to the System > Agents > Agent Configuration screen for the endpoint server you want to enable
metadata extraction.
3. Create a new endpoint configuration for metadata detection, or select the default configuration.
Create a separate endpoint configuration for metadata detection
4. Select the Advanced Agent Settings tab.
5. Locate property Detection.ENABLE_METADATA.str in the list.
6. Enter the value on for this property to enable metadata extraction.
7. Click Save and Apply to save the configuration change.

Best practices for using metadata detection


Best practices for using metadata detection lists best practices for implementing metadata detection with links to
corresponding topics for detailed considerations.

Table 657: Considerations for implementing metadata detection

Consideration Topic

Always use filter to verify file format metadata support. Always use the filter utility to verify file format metadata support
Enable metadata detection only if it is necessary. Distinguish metadata from file content and application data
Avoid generating false positives by selecting keywords carefully. Use and tune keyword lists to avoid false positives on metadata
Understand resource implications of endpoint metadata extraction. Understand performance implications of enabling endpoint
metadata detection
Create a separate endpoint configuration for metadata detection. Create a separate endpoint configuration for metadata detection
Use response rules to add metadata tags to incidents. Use response rules to tag incidents with metadata

Always Use the Filter Utility to Verify File Format Metadata Support
To help you create policies that detect file format metadata, use the filter utility that is available with any Symantec Data
Loss Prevention detection or Endpoint Server installation. This utility provides an easy way to determine which metadata
fields the system returns for a given file format. The utility generates output that contains the metadata the system will
extract at runtime for each file format you test using filter.
To verify file format metadata extraction support using filter describes how to use the filter utility. It is recommended that
you always follow this process so that you can create and tune policies that accurately detect file format metadata.
NOTE
The data output by the filter utility is in ASCII format. Symantec Data Loss Prevention processes data in Unicode
format. Therefore, you may rely on the existence of the fields returned by the filter utility, but the metadata
detected by Symantec Data Loss Prevention may not look identical to the filter output.
To verify file format metadata extraction support using filter
1. On the file system where a detection server is installed, start a command prompt session.
2. Change directory to where the filter utility is located.
For example, on a default 64-bit Windows installation you would issue the following command:
cd \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\plugins\contentextraction\Verity\x64

3. Issue the following command to run the filter program and display its syntax and optional parameters.
filter -help
As indicated by the help, you use the following syntax to execute the filter utility:
filter [options] inputfile outputfile

The inputfile is an instance of the file format you want to verify. The outputfile is a file the filter utility writes the
extracted data to.
• To verify metadata extraction, use the "get doc summary info" option, -i: filter -i inputfile outputfile
• To verify content extraction, use no options: filter inputfile outputfile
4. Execute filter against an instance of the file format to verify metadata extraction.
For example, on Windows you would issue the following command:
filter -i \temp\myfile.doc \temp\metadata_output.txt

Where myfile.doc is a file containing metadata you want to verify and have copied to the \temp directory, and
metadata_output.txt is the name of the file you want the system to generate and write the extracted data to.
5. Review the filter output. The output data should be similar to the following:
1 2 1252 CodePage 1 1 "S" Title 0 0 (null) 1 1 "P" Author 0 0 (null)
0 0 (null) 0 1 "" (null) 1 1 "m" LastAuthor 1 1 "1" RevNumber
1 3 6300 Minutes EditTime 1 3 Mon Aug 27 11:53:07 2007 LastPrinted

6. Refer to the following tables for an explanation of each metadata extraction field output by the filter utility.
Example filter metadata output repeats the output from Step 5, formatted for readability.
Metadata fields generated by the filter utility explains each column field.

Table 658: Example filter metadata output

Column 1 Column 2 Column 3 Column 4

1 2 1252 CodePage
1 1 "S" Title
0 0 (null)
1 1 "P" Author
0 0 (null)
0 0 (null)
0 1 "" (null)
1 1 "m" LastAuthor
1 1 "1" RevNumber
1 3 6300 Minutes EditTime
1 3 Mon Aug 27 11:53:07 2007 LastPrinted

Table 659: Metadata fields generated by the filter utility

Column 1: 1 = valid field, 0 = invalid field. Note: You may ignore rows where the first column is 0.
Column 2: The type of data: 1 = String, 2 = Integer, 3 = Date/Time, 5 = Boolean.
Column 3: The data payload for the field.
Column 4: The name of the field (empty or null if the field is invalid).
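As an added example, not part of the Symantec documentation or of the filter utility itself, the following Python parses the whitespace-delimited filter output shown above into the four documented columns, converts the typed payloads, and answers the question this procedure exists for: which metadata fields can a policy rely on for a given file format. The sample input is the documentation's own example output, embedded as a constructed string. Because the raw output has no explicit record delimiter, the parser closes a record when the next two tokens look like a validity flag followed by a type code; that heuristic is an assumption of this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Union

# Constructed sample: the "filter -i" output quoted in the documentation above,
# pasted verbatim so the parser can be run offline.
SAMPLE_FILTER_OUTPUT = """\
1 2 1252 CodePage 1 1 "S" Title 0 0 (null) 1 1 "P" Author 0 0 (null)
0 0 (null) 0 1 "" (null) 1 1 "m" LastAuthor 1 1 "1" RevNumber
1 3 6300 Minutes EditTime 1 3 Mon Aug 27 11:53:07 2007 LastPrinted
"""

# Column 2 type codes as documented; "0" is the type carried by an invalid row.
TYPE_CODES = {"0": "none", "1": "string", "2": "integer", "3": "datetime", "5": "boolean"}


@dataclass
class MetadataField:
    valid: bool                                   # column 1
    type_name: str                                # column 2, decoded
    payload: Optional[Union[str, int, datetime]]  # column 3, converted where possible
    name: Optional[str]                           # column 4, None when (null)


def _is_record_start(tokens: List[str], i: int) -> bool:
    """A record starts with a validity flag followed by a type code (assumed delimiter)."""
    return i + 1 < len(tokens) and tokens[i] in ("0", "1") and tokens[i + 1] in TYPE_CODES


def _convert(type_code: str, raw: str) -> Optional[Union[str, int, datetime]]:
    if raw == "(null)":
        return None
    if type_code == "1":  # strings are double-quoted; "" is the empty string
        return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
    if type_code == "2" and re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if type_code == "3":  # ctime-style dates; durations such as "6300 Minutes" stay as text
        try:
            return datetime.strptime(raw, "%a %b %d %H:%M:%S %Y")
        except ValueError:
            return raw
    return raw


def parse_filter_output(text: str) -> List[MetadataField]:
    """Split the token stream into records; payloads may span several tokens."""
    tokens = text.split()
    records: List[MetadataField] = []
    i = 0
    while i < len(tokens):
        if not _is_record_start(tokens, i):
            raise ValueError(f"unexpected token {tokens[i]!r} at position {i}")
        flag, type_code = tokens[i], tokens[i + 1]
        i += 2
        body: List[str] = []
        while i < len(tokens) and not _is_record_start(tokens, i):
            body.append(tokens[i])
            i += 1
        if not body:
            raise ValueError(f"record starting at token {i - 2} has no payload")
        if len(body) == 1:            # e.g. "0 0 (null)": payload only, no name column
            raw_payload, name = body[0], None
        else:                         # last token is the field name, the rest is the payload
            raw_payload, name = " ".join(body[:-1]), body[-1]
        if name == "(null)":
            name = None
        records.append(MetadataField(flag == "1", TYPE_CODES[type_code],
                                     _convert(type_code, raw_payload), name))
    return records


def extractable_fields(records: List[MetadataField]) -> List[str]:
    """Field names you can rely on at runtime: valid rows that carry a name."""
    return [r.name for r in records if r.valid and r.name]


def has_field(records: List[MetadataField], field: str) -> bool:
    """Check this before writing a keyword policy that targets a metadata field."""
    return field in extractable_fields(records)


if __name__ == "__main__":
    parsed = parse_filter_output(SAMPLE_FILTER_OUTPUT)
    for record in parsed:
        print(record)
    print("fields:", extractable_fields(parsed))
    print("Keywords available:", has_field(parsed, "Keywords"))
```

Run it against the file produced by `filter -i` for each format you intend to police; a field that never appears in extractable_fields for a format cannot be matched by a metadata keyword condition on that format, whatever the policy says.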

Distinguish Metadata from File Content and Application Data


Do not confuse metadata extraction with content extraction or application data. Some text that may appear to be metadata
is extracted as content or application data. Data not extracted as metadata describes some types of data that are not
extracted as file format metadata, to help you determine whether and when you must enable metadata detection.
NOTE
This list is not exhaustive and is provided for a quick reference only. There may be other types of data that are
not extracted as metadata. The best practice is to use the filter utility to verify the file format metadata support.
Always use the filter utility to verify file format metadata support

Table 660: Data not extracted as metadata

Content type Extraction method

Application data Application data including message transport information is extracted separately from the file
format extraction. For all inbound messages, the system extracts message envelope (header) and
subject information as text at the application layer. The type of application data that is extracted
depends on the channels that are supported by the detection server or endpoint.
Headers and footers Document header text and footer text are extracted as content, not metadata. To avoid false
positives, remove or allowlist headers and footers from documents.
Use Safe Listing to Exclude Non-Sensitive Content from Partial Matching
See Indexed Document Matching (IDM) for details.
Markup text Markup text is extracted as content, not metadata. Markup text extraction is supported for HTML,
XML, SGML, and more. Markup text extraction is disabled by default.
See Advanced Server Settings to enable Markup text extraction.
Hidden text Hidden text is extracted as content, not metadata. Hidden text extraction in the form of tracked
changes is supported for some Microsoft Office file formats. Hidden text extraction is disabled by
default.
See Advanced Server Settings to enable Hidden text extraction.
Watermarks Text-based watermarks are extracted as content, not metadata. Text-based watermark detection
is supported for Microsoft Word documents (versions 2003 and 2007). Text-based watermark
detection is not supported for other file formats.

Use and tune keyword lists to avoid false positives on metadata


Enabling metadata extraction can cause false positives because more text is checked for a match. For example, if you
have a policy that detects keywords and metadata extraction is enabled, the policy reports a match if a keyword is present
in the content or in the metadata. Once the system has extracted the content and the metadata, the text is normalized and
streamed to the detection component for matching. The detection component has no knowledge of the source of the text,
whether it is application data, content, or metadata.
To detect file format metadata, you define keyword conditions for rules or exceptions that contain keywords that are
specific to one or more file formats. To avoid generating false positives, clearly define the keyword lists in your policies.
The keywords you use to detect metadata should be unique and distinct from keywords or phrases you use to detect
content. Test and tune keyword lists to improve metadata detection accuracy.

Understand performance implications of enabling endpoint metadata detection


On the endpoint, enabling metadata extraction does not add overhead if no content rules are deployed. If content rules
are deployed to the endpoint, enabling metadata extraction may introduce minor overhead because there is extra data to
inspect. Test and tune your endpoint policy keyword lists to ensure that metadata detection is efficient.

Create a separate endpoint configuration for metadata detection


When you enable endpoint metadata detection, consider creating a custom endpoint configuration specifically for
metadata detection. By doing so you can easily revert to the default configuration if necessary.

Use response rules to tag incidents with metadata


You cannot use metadata detection to apply tags to inbound files or documents that generate incidents. Consider using a
FlexResponse plug-in if you want to apply tags.
See the Symantec Data Loss Prevention Help Center for details.

About high-performance content extraction for Office Open XML formats


High-performance content extraction for Office Open XML formats is enabled by default on Symantec Data Loss
Prevention cloud detectors. You can enable Office Open XML high-performance content extraction on your on-premises
detection servers. Office Open XML content extraction is not available on the endpoint DLP Agent.
Enabling Office Open XML high-performance content extraction on your on-premises detection servers significantly
improves content extraction performance for such files.

WARNING
Do not enable Office Open XML high-performance content extraction on detection servers using Indexed
Document Matching (IDM) policies.

Table 661: Office Open XML formats for high-performance content extraction

Format name Format extension

Office Open XML Word Processing DOCX


Office Open XML Word Processing Template DOTX
Office Open XML Macro-enabled Word Processing DOCM
Office Open XML Macro-enabled Word Processing Template DOTM
Office Open XML Spreadsheet XLSX
Office Open XML Spreadsheet Template XLTX
Office Open XML Macro-enabled Spreadsheet XLSM
Office Open XML Macro-enabled Spreadsheet Template XLTM
Office Open XML Spreadsheet Add-in XLAM
Office Open XML Presentation PPTX
Office Open XML Presentation Template POTX
Office Open XML Presentation Slide Show PPSX
Office Open XML Macro-enabled Presentation PPTM
Office Open XML Macro-enabled Presentation Template POTM
Office Open XML Presentation Macro-enabled Slide Show PPSM
Office Open XML Presentation Add-in PPAM

Enabling High-performance Content Extraction for Office Open XML Files


WARNING
Do not enable Office Open XML high-performance content extraction on detection servers using Indexed
Document Matching (IDM) policies.
The following procedure describes how to enable Office Open XML high-performance content extraction on your on-
premises detection servers. Note that PowerPoint content extraction is not enabled by default. If you want to extract
content from PowerPoint files, follow the optional third step in this procedure.
To enable Office Open XML high-performance content extraction
1. On your detection server, open the manifest.xml file, located in one of these locations:
• Linux: /opt/Symantec/DataLossPrevention/ContentExtractionService/16.0.10000/Plugins/Protect/plugins/contentextraction/OfficeOpenXMLPlugin
• Windows: \Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction\OfficeOpenXMLPlugin
2. Locate the plugin id="OfficeOpenXMLPlugin" line, and set the disabled value to false. The resulting line should
read as follows (line breaks added for legibility):
<plugin id="OfficeOpenXMLPlugin"
        version="1.0"
        spiVersion="1.1"
        disabled="false"
        extractsAllSubfiles="true">

3. (Optional): To enable PowerPoint content extraction, add the following lines to the manifest.xml file:
<documentType type="pptx">
<supportedOperations>
<operation type="FileTypeIdentification"/>
<operation type="TextExtraction"/>
<operation type="SubFileExtraction"/>
<operation type="MetadataExtraction"/>
</supportedOperations>
</documentType>

4. Save and close the manifest.xml file.


5. Restart your detection server to apply the change.
6. Repeat steps 1-5 on all detection servers on which you want to enable Office Open XML content extraction.
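An added example, not code shipped with the product: a Python script that applies steps 2 and 3 with an XML parser instead of a hand edit, is safe to re-run, and includes the check an operator wants before the restart in step 5 (is the plug-in actually enabled, and which operations does the pptx documentType declare). The sample manifest is constructed for this example; everything about the real manifest.xml beyond the <plugin> attributes and the <documentType> fragment shown above is an assumption, including that <plugin> is the root element and that the pptx documentType belongs directly under it. The refusal when the server runs IDM policies mirrors the warning above.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

PLUGIN_ID = "OfficeOpenXMLPlugin"
# The four operations the documentation lists for the optional pptx documentType.
PPTX_OPERATIONS = ("FileTypeIdentification", "TextExtraction",
                   "SubFileExtraction", "MetadataExtraction")

# Constructed sample manifest (assumed layout; only the attributes and the
# documentType shape are taken from the documentation).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<plugin id="OfficeOpenXMLPlugin" version="1.0" spiVersion="1.1"
        disabled="true" extractsAllSubfiles="true">
  <documentType type="docx">
    <supportedOperations>
      <operation type="FileTypeIdentification"/>
      <operation type="TextExtraction"/>
    </supportedOperations>
  </documentType>
</plugin>
"""


def _find_plugin(root: ET.Element) -> Optional[ET.Element]:
    # iter() yields the root itself, so this works whether <plugin> is the root or nested.
    for element in root.iter("plugin"):
        if element.get("id") == PLUGIN_ID:
            return element
    return None


def enable_ooxml_plugin(manifest_xml: str, enable_pptx: bool = True,
                        server_uses_idm: bool = False) -> Tuple[str, bool]:
    """Return (patched manifest, changed?). Re-running on patched output changes nothing."""
    if server_uses_idm:
        # Documented warning: do not enable this on detection servers using IDM policies.
        raise RuntimeError("refusing: high-performance OOXML extraction is not for IDM servers")
    root = ET.fromstring(manifest_xml)
    plugin = _find_plugin(root)
    if plugin is None:
        raise ValueError(f'no <plugin id="{PLUGIN_ID}"> element in manifest')
    changed = plugin.get("disabled") != "false"
    plugin.set("disabled", "false")                       # step 2
    has_pptx = any(dt.get("type") == "pptx" for dt in plugin.iter("documentType"))
    if enable_pptx and not has_pptx:                      # step 3 (optional)
        doc_type = ET.SubElement(plugin, "documentType", type="pptx")
        ops = ET.SubElement(doc_type, "supportedOperations")
        for op in PPTX_OPERATIONS:
            ET.SubElement(ops, "operation", type=op)
        changed = True
    return ET.tostring(root, encoding="unicode"), changed


def verify_ooxml_manifest(manifest_xml: str) -> Tuple[bool, Tuple[str, ...]]:
    """Pre-restart check: (plug-in enabled?, operations declared for pptx)."""
    plugin = _find_plugin(ET.fromstring(manifest_xml))
    if plugin is None:
        return False, ()
    pptx_ops = tuple(op.get("type")
                     for dt in plugin.iter("documentType") if dt.get("type") == "pptx"
                     for op in dt.iter("operation"))
    return plugin.get("disabled") == "false", pptx_ops


if __name__ == "__main__":
    print("before:", verify_ooxml_manifest(SAMPLE_MANIFEST))
    patched, changed = enable_ooxml_plugin(SAMPLE_MANIFEST)
    print("changed:", changed)
    print("after:", verify_ooxml_manifest(patched))
```

On a real server, read manifest.xml from the path in step 1, write the patched string back only when changed is True, and run verify_ooxml_manifest on the file you wrote before restarting; ElementTree does not preserve comments or the original attribute layout, so keep a backup of the original file.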

About metadata extraction for Office Open XML files


High-performance content extraction for Office Open XML formats supports metadata extraction in all localized languages.
The following table lists the extracted metadata properties:

Table 662: Office Open XML metadata

Property type Property

Core properties Author


Category
ContentStatus
ContentType
Create_DTM
Description
Identifier
Keywords
Language
LastAuthor
LastPrinted
LastSave_DTM
RevNumber
Subject
Title
Version
Application properties AppName
AppVersion
CharCount
CharactersWithSpaces
Company
EditTime
HyperlinkBase
HyperlinksChanged
LineCount
LinksDirty
Manager
PageCount
Parcount
ScaleCrop
Security
SharedDoc
Template
TitleOfParts
WordCount
Custom properties All other custom properties

About Subfile Extraction for Office Open XML files


High-performance content extraction for Office Open XML formats supports subfile extraction for image files, Object
Linking and Embedding (OLE) Compound Files, and Open Packaging Convention (OPC) container files.
Image file extraction
Image file extraction supports Symantec Data Loss Prevention's Form Recognition and Optical Character Recognition
(OCR) Sensitive Image Recognition features.
About Form Recognition detection
About content detection with OCR Sensitive Image Recognition
Symantec Data Loss Prevention supports content extraction for the following image formats:
• Bitmap (BMP)
• Portable Network Graphics (PNG)
• Joint Photographic Experts Group (JPEG or JPG extensions)
• Enhanced Metafile (EMF)
• Windows Metafile (WMF)
Two categories of EMF/WMF files exist:
• Files that are attached by users directly to Office Open XML documents.
• Thumbnail or icon files that are created by Office applications to represent files that are attached to Office Open XML
documents.
All EMF and WMF files are counted as images, and therefore count against the maximum image extraction limit. When
you are near the maximum image extraction limit, due to many EMF/WMF files, you can disable EMF/WMF file extraction.
OLE and OPC file extraction
Symantec Data Loss Prevention can extract files that are embedded in Office Open XML documents. Here are the
supported file formats and embedding types:

Table 663: Embedded file formats and embedding types

File format Embedding type

Adobe PDF OLE


Bitmap OLE
Excel 97 Worksheet OLE/OPC
Excel Binary OLE/OPC
Excel Chart OLE/OPC
Excel Macro-enabled Worksheet OLE/OPC
Excel Worksheet OLE/OPC
Graph Chart OLE
OpenDocument Presentation OLE
OpenDocument Slide OLE
OpenDocument Text OLE
Package 1 (Non-Office files, all formats) OLE
Package 2 (Non-Office files, all formats) OLE
PowerPoint 97 Presentation OLE/OPC
PowerPoint 97 Slide OLE/OPC
PowerPoint Macro-enabled Presentation OLE/OPC
PowerPoint Macro-enabled Slide OLE/OPC
PowerPoint Presentation OLE/OPC
PowerPoint Slide OLE/OPC
Visio OLE
Word OLE/OPC
Word 97 OLE/OPC
Word Macro OLE/OPC
WordPad OLE

Configuring plug-in settings


Symantec recommends using the default settings for high-performance Office Open XML content extraction.
You may encounter situations in which you want to adjust some settings, however. This section documents the
plugin_settings.txt configuration file, available in one of the following locations on your detection server:
• On Linux: /opt/Symantec/DataLossPrevention/ContentExtractionService/16.0.10000/Plugins/
Protect/plugins/contentextraction/OfficeOpenXMLPlugin
• On Windows: \Program Files\Symantec\DataLossPrevention\ContentExtractionService\
16.0.10000\Plugins\Protect\plugins\contentextraction\OfficeOpenXMLPlugin
The plugin_settings.txt file contains these settings (line breaks that are added for legibility):
dotnetcoreDir=/publish
extractEmfWmf=on
streamConfiguration=EmbeddedOdf,false,false;
CONTENTS,false,false;
Package,false,false;
AttachContents,false,false;

skipFilesWithSignatures=0x38,0x42,0x50,0x53;
imageSignatures=0x42,0x4d;
0xff,0xd8,0xff,0xe0;
0xff,0xd8,0xff,0xe1;
0xff,0xd8,0xff,0xe8;
0xff,0xd8,0xff,0xe2;
0xff,0xd8,0xff,0xe3;
0x89,0x50,0x4e,0x47,0x0d,0x0a,0x1a,0x0a;
0xd7,0xcd,0xc6,0x9a;

To disable EMF/WMF extraction, set extractEmfWmf=off.


The streamConfiguration settings contain this information:
• The name of the stream in the OLE files that includes file content, such as EmbeddedOdf.
• Whether to continue to the next stream if content is found in the current stream (set to false by default). After it finds
the first valid content stream, the content extractor does not continue evaluating the subsequent streams.
• Whether to include the original OLE file as a subfile (set to false by default).
The skipFilesWithSignatures setting specifies which file types to skip based on their hex file signature. By default the
content extractor skips PhotoShop Document (PSD) files, as Symantec Data Loss Prevention cannot perform detection on
these files. The hex file signature for PSD files is 0x38,0x42,0x50,0x53.
The imageSignatures setting specifies which files should be treated as images based on their hex file signature. By
default, the list includes BMP, JPG, JPEG, PNG, and WMF file hex file signatures.
Restart your detection server after editing the plugin_settings.txt file to apply your changes.
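As an added example that is not part of the product, the following Python reads a plugin_settings.txt of the shape documented above, decodes the semicolon- and comma-separated hex signature lists, decodes streamConfiguration into its three documented fields, and classifies constructed file headers the way the settings describe. The sample settings repeat the documented defaults; two points are assumptions of this example rather than documented behaviour: that each setting occupies a single line in the real file, and that the skip list is consulted before the image list.

```python
from typing import Dict, List, Tuple

# Constructed sample of plugin_settings.txt with the documented default values
# (one setting per line is an assumption; the documentation adds line breaks for legibility).
SAMPLE_PLUGIN_SETTINGS = """\
dotnetcoreDir=/publish
extractEmfWmf=on
streamConfiguration=EmbeddedOdf,false,false;CONTENTS,false,false;Package,false,false;AttachContents,false,false;
skipFilesWithSignatures=0x38,0x42,0x50,0x53;
imageSignatures=0x42,0x4d;0xff,0xd8,0xff,0xe0;0xff,0xd8,0xff,0xe1;0xff,0xd8,0xff,0xe8;0xff,0xd8,0xff,0xe2;0xff,0xd8,0xff,0xe3;0x89,0x50,0x4e,0x47,0x0d,0x0a,0x1a,0x0a;0xd7,0xcd,0xc6,0x9a;
"""

# Constructed file headers: Photoshop PSD, PNG, JPEG with Exif APP1, placeable WMF, ZIP.
SAMPLE_HEADERS = {
    "psd": b"8BPS\x00\x01",
    "png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "jpeg": b"\xff\xd8\xff\xe1\x00\x16Exif",
    "wmf": b"\xd7\xcd\xc6\x9a\x00\x00",
    "zip": b"PK\x03\x04\x14\x00",
}


def parse_settings(text: str) -> Dict[str, str]:
    """key=value per line; values are kept raw for the typed parsers below."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def parse_signatures(value: str) -> List[bytes]:
    """';'-separated signatures, each a ','-separated list of 0x.. bytes, trailing ';' allowed."""
    signatures: List[bytes] = []
    for entry in value.split(";"):
        entry = entry.strip()
        if entry:
            signatures.append(bytes(int(b.strip(), 16) for b in entry.split(",")))
    return signatures


def parse_stream_configuration(value: str) -> List[Tuple[str, bool, bool]]:
    """Each entry: OLE stream name, continue to next stream after a match, include original OLE file."""
    streams: List[Tuple[str, bool, bool]] = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        name, cont, include = (part.strip() for part in entry.split(","))
        streams.append((name, cont.lower() == "true", include.lower() == "true"))
    return streams


def classify(data: bytes, settings: Dict[str, str]) -> str:
    """'skip', 'image' or 'other' for the leading bytes of an embedded file.
    Assumption for this example: the skip list takes precedence over the image list."""
    for sig in parse_signatures(settings.get("skipFilesWithSignatures", "")):
        if data.startswith(sig):
            return "skip"
    for sig in parse_signatures(settings.get("imageSignatures", "")):
        if data.startswith(sig):
            return "image"
    return "other"


def emf_wmf_extraction_enabled(settings: Dict[str, str]) -> bool:
    return settings.get("extractEmfWmf", "on").lower() == "on"


if __name__ == "__main__":
    cfg = parse_settings(SAMPLE_PLUGIN_SETTINGS)
    for label, head in SAMPLE_HEADERS.items():
        print(f"{label:5} -> {classify(head, cfg)}")
    print("streams:", parse_stream_configuration(cfg["streamConfiguration"]))
    print("EMF/WMF extraction:", emf_wmf_extraction_enabled(cfg))
```

Checking a few real embedded objects this way is a quick sanity test after editing the file: a signature typed with a wrong byte silently drops a format from the image list, and the only symptom at runtime is that OCR or Form Recognition never sees those images.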

Library of Policy Templates


This section lists all policy templates provided by the Data Loss Prevention system.

Caldicott Report Policy Template


The UK Chief Medical Officer commissioned the Caldicott Report in December 1997 to improve the way the National
Health Service handles and protects patient information. The Caldicott Committee reviewed the confidentiality of data
throughout the NHS for purposes other than direct care, medical research, or where there is a statutory requirement
for information. Its recommendations are now being put into practice throughout the NHS and in the Health Protection
Agency.
The Drug, Disease, and Treatment keyword lists are updated with recent keywords based on information from the
U.S. Federal Drug Administration (FDA) and other sources.
Keep the keyword lists for your HIPAA and Caldicott policies up to date

Table 664: Caldicott Report policy template rules

Rule: Patient Data and Drug Keywords
Type: Compound EDM and Keyword Rule
Description: This compound rule looks for a match among the following data fields in combination with a keyword from the "Prescription Drug Names" dictionary. Both conditions must be satisfied for the rule to trigger an incident.
• Account number
• Email
• ID card number
• Last name
• Phone
• UK NHS (National Health Service) number
• UK NIN (National Insurance Number)

Rule: Patient Data and Disease Keywords
Type: Compound EDM and Keyword Rule
Description: This compound rule looks for a match among the following EDM data fields in combination with a keyword from the "Disease Names" dictionary. Both conditions must be satisfied for the rule to trigger an incident.
• Account number
• Email
• ID card number
• Last name
• Phone
• UK NHS (National Health Service) number
• UK NIN (National Insurance Number)

Rule: Patient Data and Treatment Keywords
Type: Compound EDM and Keyword Rule
Description: This compound rule looks for a match among the following EDM data fields in combination with a keyword from the "Medical Treatment Keywords" dictionary. Both conditions must be satisfied for the rule to trigger an incident:
• Account number
• Email
• ID card number
• Last name
• Phone
• UK NHS (National Health Service) number
• UK NIN (National Insurance Number)

Rule: UK NHS Number and Drug Keywords
Type: Simple DCM Rule
Description: This rule looks for a keyword from the "UK NIN Keywords" dictionary in combination with a pattern matching the UK NIN data identifier and a keyword from the "Prescription Drug Names" dictionary.

Rule: UK NHS Number and Disease Keywords
Type: Simple DCM Rule
Description: This rule looks for a keyword from the "UK NIN Keywords" dictionary in combination with a pattern matching the UK NIN data identifier and a keyword from the "Disease Names" dictionary.

Rule: UK NHS Number and Treatment Keywords
Type: Simple DCM Rule
Description: This rule looks for a keyword from the "UK NIN Keywords" dictionary in combination with a pattern matching the UK NIN data identifier and a keyword from the "Medical Treatment Keywords" dictionary.

Choosing an Exact Data Profile


Configuring policies
Exporting policy detection as a template

California Consumer Privacy Act Policy Template
The California Consumer Privacy Act covers the handling and protection of sensitive personal information that individuals
provide during everyday transactions.
This template works best with an exact data profile that contains the following columns:
• personalID
• uniqueID
If the chosen exact data profile does not have all recommended columns, the new policy depends on the columns that are
present.
If you select the Do not use Exact Data Matching option, a policy is still created from the template, but any Exact Data
Matching rules that the template contains are not created.

Table 665: California Consumer Privacy Act template rules

Rule: Randomized US Social Security Number (SSN) (Data Identifiers)
Description: Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.

Rule: US Vehicle Identification Number (Data Identifiers)
Description: Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.

Rule: US Passport Number (Data Identifiers)
Description: Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.

Rule: Driver's License Number - California State (Data Identifiers)
Description: Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.

Rule: US Individual Tax Identification Number (ITIN) (Data Identifiers)
Description: Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.

Rule: US Adoption Taxpayer Identification Number (Data Identifiers)
Description: Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.

Rule: CCPA Travel Related Keywords (Keyword Match)
Description: Match "account number", "bank card number", "driver license number", "ID card number", "passenger name", ... Default severity: High. Check for existence. Look in envelope, subject, body, and attachments. Case insensitive. Match on whole words only.

Rule: US Preparer Taxpayer Identification Number (Data Identifiers)
Description: Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.

Canadian Social Insurance Numbers Policy Template


This policy detects patterns indicating Canadian social insurance numbers (SINs) at risk of exposure.

DCM Rule Canadian Social Insurance Numbers


This rule looks for a match to the Canadian Social Insurance Number data identifier and a keyword from the
"Canadian Social Ins. No. Words" dictionary.

Configuring policies
Exporting policy detection as a template

CAN-SPAM Act Policy Templates
The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) establishes requirements for
those who send commercial email.
The CAN-SPAM Act template detects activity from an organization's bulk mailer to help ensure compliance with the CAN-
SPAM Act requirements.
The detection exception Exclude emails that contain the mandated keywords allows messages to pass that have one
or more keywords from the user-defined "CAN-SPAM Exception Keywords" dictionary.

Table 666: Detection exception: Exclude emails that contain the mandated keywords

Method: Simple exception
Condition: Content Matches Keyword (DCM)
Configuration: Exclude emails that contain the mandated keywords (Keyword Match):
• Match keyword from "[physical postal address]" or "advertisement".
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.
Note: After you define the keywords, you can choose to count all matches and require 2 keywords from the list to be matched.

The detection exception CAN-SPAM Compliant Emails excludes from detection any content that matches a document in the
selected IDM index at 90% or more.

Table 667: Detection exception: CAN-SPAM Compliant Emails

Method: Simple exception
Condition: Content Matches Document Profile (IDM)
Configuration: Exception for CAN-SPAM compliant emails (IDM):
• Exact content match (90%)
• Look in the message body and attachments.
• Check for existence.
Choosing an Indexed Document Profile

If an exception is not met, the detection rule Monitor Email From Bulk Mailer looks for a sender's email address that
matches one from the "Bulk Mailer Email Address" list, which is user-defined.

Table 668: Detection rule: Monitor Email From Bulk Mailer

Method: Simple rule
Condition: Sender/User Matches Pattern (DCM)
Configuration: Monitor Email From Bulk Mailer (Sender):
• Match sender pattern(s): [bulk-mailer@company.com] (user defined)
• Severity: High.

Creating a policy from a template


Exporting policy detection as a template

Colombian Personal Data Protection Law 1581 Policy Template
The Colombian Personal Data Protection Law 1581 policy template detects the personal data of Colombian citizens at risk
of exposure.

Table 669: Colombian Personal Data Protection Law 1581 policy template rules

Rule: Colombia Address Number
Description: Detects Colombian street addresses using the Colombian Addresses data identifier.

Rule: Colombia Cell Phone Number
Description: Detects Colombian cell phone numbers using the Colombian Cell Phone Number data identifier.

Rule: Colombia Personal Identification Number
Description: Detects Colombian personal identification numbers using the Colombian Personal Identification Number data identifier.

Rule: Colombia Tax Identification Number
Description: Detects Colombian tax identification numbers using the Colombian Tax Identification Number data identifier.

Related Links
Data Identifiers on page 1034

Common Spyware Upload Sites Policy Template


The Common Spyware Upload Sites policy detects access to common spyware upload Web sites.

DCM Rule Forbidden Websites 1


This is a compound rule that looks for either specified IP addresses or URLs in the "Forbidden Websites 1"
dictionary.
DCM Rule Forbidden Websites 2
This rule looks for a match of a specified URL in the "Forbidden Websites 2" dictionary.

Configuring policies
Exporting policy detection as a template

Confidential Documents Policy Template


This policy detects company-confidential documents at risk of exposure.

Table 670: Rules comprising the Confidential Documents template

Rule: Confidential Documents, Indexed
Type: Simple IDM Rule with one condition
Description: This rule looks for content from specific documents registered as confidential; it returns a match if 80% or more of the source document is found. If you do not have an Indexed Document Profile configured, this rule is dropped.

Rule: Confidential Documents
Type: Compound DCM Rule: Attachment/File Type and Keyword Match. Both conditions must match for the rule to trigger an incident.
Description: This rule looks for a combination of keywords from the "Confidential Keywords" list and the following file types:
• Microsoft Excel Macro
• Microsoft Excel
• Microsoft Works Spreadsheet
• SYLK Spreadsheet
• Corel Quattro Pro
• Multiplan Spreadsheet
• Comma Separated Values
• Applix Spreadsheets
• Lotus 1-2-3
• Microsoft Word
• Adobe PDF
• Microsoft PowerPoint

Rule: Proprietary Documents
Type: Compound DCM Rule: Attachment/File Type and Keyword Match
Description: This compound rule looks for a combination of keywords from the "Proprietary Keywords" dictionary and the above referenced file types.

Rule: Internal Use Only Documents
Type: Compound DCM Rule: Attachment/File Type and Keyword Match
Description: This compound rule looks for a combination of keywords from the "Internal Use Only Keywords" dictionary and the above referenced file types.

Rule: Documents Not For Distribution
Type: Compound DCM Rule: Attachment/File Type and Keyword Match
Description: This compound rule looks for a combination of keywords from the "Not For Distribution Words" dictionary and the above referenced file types.

Configuring policies
Exporting policy detection as a template

Competitor Communications Policy Template


The Competitor Communications policy detects forbidden communications with competitors.

DCM Rule Competitor List


This rule looks for keywords (domains) from the "Competitor Domains" dictionary, which is user-defined.

Configuring policies
Exporting policy detection as a template

Credit Card Numbers Policy Template
This policy detects patterns indicating credit card numbers at risk of exposure.

DCM Rule Credit Card Numbers, All


This rule looks for a match to the credit card number system pattern and a keyword from the "Credit Card Number
Keywords" dictionary.

Configuring policies
Exporting policy detection as a template

Customer Data Protection Policy Template


This policy detects customer data at risk of exposure.

Table 671: EDM conditions for the Customer Data Protection Policy Template

Rule name: Username/Password Combinations
Type: EDM Rule
Description: This rule looks for usernames and passwords in combination with three or more of the following fields:
• SSN
• Phone
• Email
• First Name
• Last Name
• Bank Card number
• Account Number
• ABA Routing Number
• Canadian Social Insurance Number
• UK National Insurance Number
Details: However, the following combinations are not a violation:
• Phone, email, and last name
• Email, first name, and last name
• Phone, first name, and last name

Rule name: Date of Birth
Type: EDM Rule
Description: This rule looks for any three of the following data fields in combination:
• SSN
• Phone
• Email
• First Name
• Last Name
• Bank Card number
• Account Number
• ABA Routing Number
• Canadian Social Insurance Number
• UK National Insurance Number
• Date of Birth
Details: However, the following combinations are not a violation:
• Phone, email, and first name
• Phone, email, and last name
• Email, first name, and last name
• Phone, first name, and last name

Rule name: Exact SSN or CCN
Type: EDM Rule
Description: This rule looks for an exact social security number or bank card number.

Rule name: Customer Directory
Type: EDM Rule
Description: This rule looks for Phone or Email.

Table 672: DCM conditions for the Customer Data Protection Policy Template

Rule name: US Social Security Number Patterns
Type: Compound DCM Rule
Description: This rule looks for a match to the Randomized US Social Security number data identifier and a keyword from the "US SSN Keywords" dictionary.

Rule name: Credit Card Numbers, All
Type: Compound DCM Rule
Description: This rule looks for a match to the credit card number system pattern and a keyword from the "Credit Card Number Keywords" dictionary.

Rule name: ABA Routing Numbers
Type: Compound DCM Rule
Description: This rule looks for a match to the ABA Routing number data identifier and a keyword from the "ABA Routing Number Keywords" dictionary.

About the Exact Data Profile and index


Configuring policies
Exporting policy detection as a template

Data Protection Act 1998 Policy Template


The Data Protection Act 1998 (which replaced the Data Protection Act 1984) sets standards that must be satisfied when
obtaining, holding, using, or disposing of personal data in the UK. The Data Protection Act 1998 covers anything that contains
personally identifiable information (such as data about personal health, employment, occupational health, finance,
suppliers, and contractors).

Table 673: Data Protection Act 1998, Personal Data detection rule

Description: This EDM rule looks for three of the following columns of data:
• NIN (National Insurance Number)
• Account number
• Pin
• Bank card number
• First name
• Last name
• Drivers license
• Password
• Tax payer ID
• UK NHS number
• Date of birth
• Mother's maiden name
• Email address
• Phone number
However, the following combinations are not an incident:
• First name, last name, pin
• First name, last name, password
• First name, last name, email
• First name, last name, phone
• First name, last name, mother's maiden name

Table 674: Additional detection rules in the Data Protection Act 1998 Policy Template

Description

The UK Electoral Roll Numbers rule implements the UK Electoral Roll Number data identifier.
The UK National Insurance Numbers rule implements the narrow breadth edition of the UK National Insurance Number data
identifier.
The UK Tax ID Numbers rule implements the narrow edition of the UK Tax ID Number data identifier.
The UK Drivers License Numbers rule implements the narrow breadth edition of the UK Driver's License number data identifier.
The UK Passport Numbers rule implements the narrow breadth edition of the UK Passport Number data identifier.
The UK NHS Numbers rule implements the narrow breadth edition of the UK National Health Service (NHS) Number data identifier.

Choosing an Exact Data Profile


Configuring policies
Exporting policy detection as a template

Data Protection Directives (EU) Policy Template


Directive 95/46/EC of the European Parliament deals with the protection of individuals with regard to the processing and
free movement of personal data. This policy detects personal data specific to the EU directives.
NOTE
The General Data Protection Regulation (GDPR) replaces the EU Data Protection Directives as of 25 May 2018.

Table 675: Data Protection Directives (EU) detection rule

Method: EDM Rule
Description: EU Data Protection Directives. This rule looks for any two of the following data columns:
• Last Name
• Bank Card number
• Drivers license number
• Account Number
• PIN
• Medical account number
• Medical ID card number
• User name
• Password
• ABA Routing Number
• Email
• Phone
• Mother's maiden name
However, the following combinations do not create a match:
• Last name, email
• Last name, phone
• Last name, account number
• Last name, username

Method: EDM Rule
Description: EU Data Protection, Contact Info. This rule looks for any two of the following data columns: last name, phone, account number, username, and email.

Method: Exception
Description: Except for email internal to the EU. This rule is an exception if the recipient is within the EU. This covers recipients with any of the country codes from the "EU Country Codes" dictionary.

Choosing an Exact Data Profile


Configuring policies
Exporting policy detection as a template

Defense Message System (DMS) GENSER Classification Policy Template


The Defense Information Systems Agency has established guidelines for Defense Message System (DMS) General
Services (GENSER) message classifications, categories, and markings. These standards specify how to mark classified
and sensitive documents according to U.S. standards. These standards also provide interoperability with NATO countries
and other U.S. allies.
The GENSER policy template enforces GENSER guidelines by detecting information that is classified as confidential. The
template contains four simple (single condition) keyword matching (DCM) detection rules. If any rule condition matches,
the policy reports an incident.
The detection rule Top Secret Information (Keyword Match) looks for any keywords in the "Top Secret Information"
dictionary.

Table 676: Detection rule: Top Secret Information (Keyword Match)

Method: Simple rule
Condition: Content Matches Keyword (DCM)
Configuration: Top Secret Information (Keyword Match):
• Keyword dictionary: "TOP SECRET//"
• Severity: High
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case sensitive.
• Match on whole or partial words.

The detection rule Secret Information (Keyword Match) looks for any keywords in the "Secret Information" dictionary.

Table 677: Detection rule: Secret Information (Keyword Match)

Method: Simple rule
Condition: Content Matches Keyword (DCM)
Configuration: Secret Information (Keyword Match):
• Keyword dictionary: "SECRET//"
• Severity: High
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case sensitive.
• Match on whole or partial words.

The detection rule Classified or Restricted Information (Keyword Match) looks for any keywords in the "Classified or
Restricted Information" dictionary.

Table 678: Detection rule: Classified or Restricted Information (Keyword Match)

Method: Simple rule
Condition: Content Matches Keyword (DCM)
Configuration: Classified or Restricted Information (Keyword Match):
• Keyword dictionary: "CLASSIFIED//,//RESTRICTED//"
• Severity: High
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case sensitive.
• Match on whole or partial words.

The detection rule Other Sensitive Information looks for any keywords in the "Other Sensitive Information" dictionary.

Table 679: Other Sensitive Information detection rule

Method: Simple rule
Condition: Content Matches Keyword (DCM)
Configuration: Other Sensitive Information (Keyword Match):
• Keyword dictionary: FOR OFFICIAL USE ONLY, SENSITIVE BUT UNCLASSIFIED, DOD UNCLASSIFIED CONTROLLED NUCLEAR INFORMATION
• Severity: High
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case sensitive.
• Match on whole words only.

Configuring policies
Exporting policy detection as a template

Design Documents Policy Template


This policy detects various types of design documents, such as CAD/CAM, at risk of exposure.

IDM Rule Design Documents, Indexed


This rule looks for content from specific design documents registered as proprietary. It returns a match if the engine
detects 80% or more of the source document.
DCM Rule Design Document Extensions
This rule looks for the specified file name extensions found in the "Design Document Extensions" dictionary.
DCM Rule Design Documents
This rule looks for the following specified file types:
• cad_draw
• dwg

NOTE
Both file types and file name extensions are used because the policy does not detect the true file type for all the
required documents.
Choosing an Indexed Document Profile
Configuring policies

Exporting policy detection as a template

Developer Keys and Secrets Policy Template


The Developer Keys and Secrets policy detects SaaS API keys, tokens, database connection strings, private keys, and
certificates in code repositories.

Rule: SaaS API Keys - AWS (Data Identifier)
Description: SaaS applications and services (AWS EC2, AWS S3 storage accounts, and so on) use keys to identify and authorize API transactions. These keys, secrets, and tokens often grant access to sensitive information or actions, such as database or file access, including CRUD operations.
Default severity: High. Count all unique matches. Look in envelope, subject, body, attachments.

Rule: SaaS API Keys - Azure (Data Identifier)
Description: SaaS applications and services (Azure Active Directory, Azure Storage Accounts, and so on) use keys to identify and authorize client transactions. These keys or secrets often grant access to sensitive information or actions, such as database or file access, including CRUD operations.
Default severity: High. Count all unique matches. Look in envelope, subject, body, attachments.

Rule: SaaS API Keys - GCP (Data Identifier)
Description: SaaS applications and services use keys (secret keys, access tokens, OAuth client IDs, and so on) to identify and authorize API transactions. These keys, secrets, and tokens often grant access to sensitive information or actions, such as database or file access, including CRUD operations.
Default severity: High. Count all unique matches. Look in envelope, subject, body, attachments.

Rule: GitHub Access Tokens (Data Identifier)
Description: GitHub access tokens, such as GitHub personal access tokens, GitHub OAuth tokens, and GitHub app tokens, are a secure way to authenticate and authorize access to GitHub resources.
Default severity: High. Count all unique matches. Look in envelope, subject, body, attachments.

Rule: DB Connection strings (Data Identifier)
Description: A database connection string is an expression that contains the parameters, including sensitive information, that an application requires to connect to a database server.
Default severity: High. Count all unique matches. Look in envelope, subject, body, attachments.

Rule: Private keys and certificates (Data Identifier)
Description: Keys, digital certificates, and trusted certificate authorities establish and verify the identities of applications.
Default severity: High. Count all unique matches. Look in envelope, subject, body, attachments.

Rule: Slack Access Tokens (Data Identifier)
Description: Slack access tokens, such as User OAuth tokens and Bot User OAuth tokens, are authentication tokens used to interact with the Slack platform; they grant authorized access to perform read and write operations on the Slack platform.
Default severity: High. Count all unique matches. Look in envelope, subject, body, attachments.
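To show what "Count all unique matches" over this kind of content amounts to, here is an added Python example (not the product's data identifiers, which the page does not publish): simplified regular expressions for the categories the template lists, run over a constructed configuration file, with a redaction step so that the incident record does not re-expose the secret it found. The pattern details, function names, and sample values are this example's assumptions.

```python
import re

# Added example, not the product's code. Assumption: the regexes below are simplified,
# illustrative formats for the categories the template names, not the product's
# data identifiers.
SECRET_PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # classic GitHub tokens: ghp_ (personal), gho_ (OAuth), ghu_/ghs_ (app), ghr_ (refresh)
    "GitHub token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    # Slack bot (xoxb), user (xoxp) and app (xoxa) tokens
    "Slack token": re.compile(r"\bxox[bpa]-[A-Za-z0-9-]{10,}\b"),
    "Private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    # URL-style connection strings that embed a password
    "DB connection string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:/@]+:[^\s@]+@\S+", re.I),
}


def scan_for_secrets(text):
    """Return {category: sorted unique matches}; mirrors 'Count all unique matches'."""
    findings = {}
    for category, pattern in SECRET_PATTERNS.items():
        unique = sorted(set(pattern.findall(text)))
        if unique:
            findings[category] = unique
    return findings


def unique_match_counts(text):
    """Per-category count of distinct matches, the figure a rule would report."""
    return {category: len(matches) for category, matches in scan_for_secrets(text).items()}


def redact(secret, keep=4):
    """Keep only a short prefix so the incident record is not a second copy of the secret."""
    return secret[:keep] + "[redacted]"


def incident_summary(text):
    """Redacted, per-category summary suitable for an incident record."""
    return {category: [redact(m) for m in matches]
            for category, matches in scan_for_secrets(text).items()}


# Constructed sample of a committed config file; every value is a placeholder.
SAMPLE_REPO_TEXT = (
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"   # AWS's documentation example key
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"   # duplicate: counted once
    "DATABASE_URL=postgres://app:s3cr3t-pass@db.internal:5432/app\n"
    "SLACK_BOT_TOKEN=xoxb-000000000000-000000000000-examplebottoken\n"
    "GITHUB_TOKEN=ghp_" + "A" * 36 + "\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEowIBAAKCAQEA...\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for category, samples in incident_summary(SAMPLE_REPO_TEXT).items():
        print(f"{category}: {samples}")
```

The redaction step matters in practice: an incident that quotes the full token is itself another copy of the secret, now stored in the incident database and in any notification e-mail, so the response workflow should only ever need the prefix and the location.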

Employee Data Protection Policy Template
This policy detects employee data at risk of exposure.

Table 680: EDM rules for Employee Data Protection

Name: Username/Password Combinations
Type: EDM Rule
Description: This rule looks for usernames and passwords in combination with any three of the following data fields.
• SSN
• Phone
• Email
• First Name
• Last Name
• Bank Card Number
• Account Number
• ABA Routing Number
• Canadian Social Insurance Number
• UK National Insurance Number
• Date of Birth

Name: Employee Directory
Type: EDM Rule
Description: This rule looks for Phone or Email.

Table 681: DCM rules for Employee Data Protection

Name: US Social Security Number Patterns
Type: DCM Rule
Description: This rule looks for a match from the Randomized US Social Security Number (SSN) data identifier and a keyword from the "US SSN Keywords" dictionary.

Name: Credit Card Numbers, All
Type: DCM Rule
Description: This rule looks for a match from the credit card number system pattern and a keyword from the "Credit Card Number Keywords" dictionary.

Name: ABA Routing Numbers
Type: DCM Rule
Description: This rule looks for a match from the ABA Routing number data identifier and a keyword from the "ABA Routing Number Keywords" dictionary.

Configuring policies
Exporting policy detection as a template

Encrypted Data Policy Template


This policy detects the use of encryption by a variety of methods including S/MIME, PGP, GPG, and file password
protection.

DCM Rule Password Protected Files


This rule looks for the following file types: encrypted_zip, encrypted_doc, encrypted_xls, or encrypted_ppt.
DCM Rule PGP Files
This rule looks for the following file type: pgp.
DCM Rule GPG Files
This rule looks for a keyword from the "GPG Encryption Keywords" dictionary.

DCM Rule S/MIME
This rule looks for a keyword from the "S/MIME Encryption Keywords" dictionary.
DCM Rule HushMail Transmissions
This rule looks for a match from a list of recipient URLs.

Configuring policies
Exporting policy detection as a template

Enhanced Credit Card Numbers with Individual Issuers Policy Template


This policy detects enhanced patterns indicating credit card numbers at risk of exposure.

Table 682: Enhanced Credit Card Numbers with Individual Issuers policy template rules

Rule: Credit Card Number - American Express
Description: Account number required for processing credit card transactions. Often abbreviated as CCN and also known as a Primary Account Number (PAN).
Details: Count all matches. Look in envelope, subject, body, attachments.

Rule: Credit Card Number - Mastercard
Description: A payment card number, primary account number (PAN), or card number is the card identifier that is found on payment cards, such as credit cards and debit cards, issued by Mastercard Inc. It facilitates electronic fund transfers throughout the world. Often abbreviated as CCN and also known as a Bank Card Number.
Details: Count all matches. Look in envelope, subject, body, attachments.

Rule: Credit Card Number - Visa
Description: A payment card number, primary account number (PAN), or simply a card number, is the card identifier that is found on payment cards, such as credit cards and debit cards, issued by Visa Inc. It facilitates electronic fund transfers throughout the world. Often abbreviated as CCN and also known as a Bank Card Number.
Details: Count all matches. Look in envelope, subject, body, attachments.

Rule: Credit Card Number - Maestro
Description: A payment card number, primary account number (PAN), or simply a card number, is the card identifier found on payment cards, such as credit cards and debit cards, issued by Maestro. Maestro is a brand owned by Mastercard that was introduced in 1991. Often abbreviated as CCN and also known as a Bank Card Number.
Details: Count all matches. Look in envelope, subject, body, attachments.

Rule: Credit Card Number - Japan Credit Bureau (JCB)
Description: A payment card number, primary account number (PAN), or simply a card number, is the card identifier found on payment cards, such as credit cards and debit cards, issued by Japan Credit Bureau (JCB). Often abbreviated as CCN and also known as a Bank Card Number.
Details: Count all matches. Look in envelope, subject, body, attachments.

Rule: Credit Card Number - Discover
Description: Account number required to process credit card transactions. Often abbreviated as CCN and also known as a Primary Account Number (PAN).
Details: Count all matches. Look in envelope, subject, body, attachments.

Rule: Credit Card Number - Diners Club
Description: Account number required to process credit card transactions. Often abbreviated as CCN and also known as a Primary Account Number (PAN).
Details: Count all matches. Look in envelope, subject, body, attachments.

Export Administration Regulations (EAR) Policy Template
The U.S. Department of Commerce enforces the Export Administration Regulations (EAR). These regulations primarily
cover technologies and technical information with commercial and military applicability. These technologies are also
known as dual-use technologies, for example, chemicals, satellites, software, computers, and so on.
This Export Administration Regulations (EAR) template detects violations from regulated countries and controlled
technologies.
The detection rule Indexed EAR Commerce Control List Items and Recipients looks for a country code in the recipient
from the "EAR Country Codes" dictionary and for a specific "SKU" from an Exact Data Profile index (EDM). Both conditions
must match to trigger an incident.

Table 683: Detection rule: Indexed EAR Commerce Control List Items and Recipients

Method: Compound rule
Condition: Content Matches Exact Data (EDM)
Configuration: Choosing an Exact Data Profile
Condition: Content Matches Keyword (DCM)
Configuration: Configuring the Content Matches Keyword condition

The detection rule EAR Commerce Control List and Recipients looks for a country code in the recipient from the "EAR
Country Codes" list and a keyword from the "EAR CCL Keywords" dictionary. Both conditions must match to trigger an
incident.

Table 684: Detection rule: EAR Commerce Control List and Recipients

Method: Compound rule
Condition: Recipient Matches Pattern (DCM)
Configuration: EAR Commerce Control List and Recipients (Recipient):
• Match: Email address OR URL domain suffixes.
• Severity: High.
• Check for existence.
• At least 1 recipient(s) must match.
• Matches on entire message.
Condition: Content Matches Keyword (DCM)
Configuration: EAR Commerce Control List and Recipients (Keyword Match):
• Match: EAR CCL Keywords
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.

Configuring policies
Exporting policy detection as a template

FACTA 2003 (Red Flag Rules) Policy Template


This policy helps to address sections 114 and 315 (or Red Flag Rules) of the Fair and Accurate Credit Transactions Act
(FACTA) of 2003. These rules specify that a financial institution or creditor that offers or maintains covered accounts must
develop and implement an identity theft prevention program. FACTA is designed to detect, prevent, and mitigate identity
theft in connection with the opening of a covered account or any existing covered account.
The Username/Password Combinations detection rule detects the presence of both a user name and password from a
profiled database index.

Table 685: Username/Password Combinations detection rule

Method: Simple rule
Condition: Content Matches Exact Data (EDM)
Configuration: This condition detects exact data containing both of the following data items:
• User name
• Password
Choosing an Exact Data Profile

The Exact SSN or CCN detection rule detects the presence of either a social security number or a credit card number
from a profiled database.

Table 686: Exact SSN or CCN detection rule

Method: Simple rule
Condition: Content Matches Exact Data (EDM)
Configuration: This condition detects exact data containing either of the following data columns:
• Social security number (Taxpayer ID)
• Bank Card Number
Choosing an Exact Data Profile

The Customer Directory detection rule detects the presence of either an email address or a phone number from a
profiled database.

Table 687: Customer Directory detection rule

Method: Simple rule
Condition: Content Matches Exact Data (EDM)
Configuration: This condition detects exact data containing either of the following data columns:
• Email address
• Phone number
Choosing an Exact Data Profile

The Three or More Data Columns detection rule detects exact data containing three or more of data items from a
profiled database index.

Table 688: Three or More Data Columns detection rule

Method: Simple rule
Condition: Content Matches Exact Data (EDM)
Configuration: Detects exact data containing three or more of the following data items:
• ABA Routing Number
• Account Number
• Bank Card Number
• Birth Date
• Email address
• First Name
• Last Name
• National Insurance Number
• Password
• Phone Number
• Social Insurance Number
• Social security number (Taxpayer ID)
• User name
However, the following combinations are not a match:
• Phone Number, Email, First Name
• Phone Number, First Name, Last Name
Choosing an Exact Data Profile

The US Social Security Number Patterns detection rule implements the narrow breadth edition of the Randomized US
Social Security Number (SSN) system data identifier.
This data identifier detects nine-digit numbers with the pattern DDD-DD-DDDD separated with dashes or spaces or
without separators. The number must be in valid assigned number ranges. This condition eliminates common test
numbers, such as 123456789 or all the same digit. It also requires the presence of a Social Security keyword.

Table 689: US Social Security Number Patterns detection rule

Method: Simple rule
Condition: Content Matches Data Identifier (DCM)
Configuration:
• Data Identifier: Randomized US Social Security Number (SSN) narrow breadth
• Severity: High.
• Count all matches.
• Look in envelope, subject, body, attachments.

The Credit Card Numbers, All detection rule implements the narrow breadth edition of the Credit Card Number system
Data Identifier.
This data identifier detects valid credit card numbers that are separated by spaces, dashes, periods, or without
separators. This condition performs Luhn check validation and includes formats for American Express, Diner's Club,
Discover, Japan Credit Bureau (JCB), MasterCard, and Visa. It eliminates common test numbers, including those
reserved for testing by credit card issuers. It also requires the presence of a credit card keyword.

Table 690: Credit Card Numbers, All detection rule

Method | Condition | Configuration
Simple rule | Content Matches Data Identifier (DCM) | Data Identifier: Credit Card Number narrow breadth
• Severity: High.
• Count all matches.
• Look in envelope, subject, body, attachments.

The ABA Routing Numbers detection rule implements the narrow breadth edition of the ABA Routing Number system
Data Identifier.
This data identifier detects nine-digit numbers. It validates the number using the final check digit. This condition eliminates
common test numbers, such as 123456789, number ranges that are reserved for future use, and all the same digit. This
condition also requires the presence of an ABA keyword.

Table 691: ABA Routing Numbers detection rule

Method | Condition | Configuration
Simple rule | Content Matches Data Identifier (DCM) | Data Identifier: ABA Routing Number narrow breadth
• Severity: High.
• Count all matches.
• Look in envelope, subject, body, attachments.
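As an added example (not Symantec's code and not part of this guide), the following Python mirrors the checks that the three narrow-breadth data identifiers above are described as performing: pattern matching, assigned-range and Luhn or check-digit validation, exclusion of common test numbers, and the requirement that a keyword be present. The keyword lists, the test-number sets, the assigned-prefix ranges and the sample messages are assumptions made for the example, not the product's own lists.

```python
"""Illustration of the SSN, Credit Card Number and ABA Routing Number checks.
Not Symantec's implementation: keyword lists, test-number sets and samples are
assumptions for the example."""
import re

# --- Randomized US Social Security Number -----------------------------------
SSN_KEYWORD_RE = re.compile(r"\b(?:social security|ssn)\b", re.I)  # assumed keywords
SSN_TEST_NUMBERS = {"123456789"} | {d * 9 for d in "0123456789"}   # 123456789, all same digit
# DDD-DD-DDDD with dashes, spaces or no separators (same separator both times)
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")


def is_valid_ssn(digits: str) -> bool:
    """Assigned-range rules of the randomized scheme plus test-number exclusion."""
    if len(digits) != 9 or digits in SSN_TEST_NUMBERS:
        return False
    area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
    # Area 000, 666 and 900-999 are never assigned; group 00 and serial 0000 are invalid.
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


# --- Credit Card Number -----------------------------------------------------
CCN_KEYWORD_RE = re.compile(r"\b(?:credit card|card number|visa|mastercard|amex)\b", re.I)
# Issuer-published test cards (assumed subset of what the identifier excludes)
CCN_TEST_NUMBERS = {"4111111111111111", "5555555555554444",
                    "378282246310005", "6011111111111117"}
# 13-19 digits, optionally separated by spaces, dashes or periods
CCN_RE = re.compile(r"(?<!\d)(?:\d[- .]?){12,18}\d(?!\d)")
CCN_BRANDS = (  # prefix and length formats, checked on the digits only
    ("American Express", r"3[47]\d{13}"),
    ("Diners Club", r"(?:30[0-5]\d{11}|3[68]\d{12})"),
    ("Discover", r"(?:6011\d{12}|65\d{14})"),
    ("JCB", r"35\d{14}"),
    ("MasterCard", r"5[1-5]\d{14}"),
    ("Visa", r"4\d{12}(?:\d{3})?"),
)


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right; sum must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ccn_brand(digits: str):
    """Return the issuer name for a Luhn-valid, non-test number, else None."""
    if digits in CCN_TEST_NUMBERS or not luhn_ok(digits):
        return None
    return next((b for b, p in CCN_BRANDS if re.fullmatch(p, digits)), None)


# --- ABA Routing Number -----------------------------------------------------
ABA_KEYWORD_RE = re.compile(r"\b(?:aba|routing)\b", re.I)  # assumed keywords
ABA_TEST_NUMBERS = SSN_TEST_NUMBERS                         # same common test numbers
ABA_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")
ABA_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)


def is_valid_aba(digits: str) -> bool:
    """Prefix-range check (other prefixes are reserved) plus the weighted check digit."""
    if len(digits) != 9 or digits in ABA_TEST_NUMBERS:
        return False
    prefix = int(digits[:2])  # assigned prefixes: 00-12, 21-32, 61-72, 80
    if not (prefix <= 12 or 21 <= prefix <= 32 or 61 <= prefix <= 72 or prefix == 80):
        return False
    # The final digit makes the 3-7-1 weighted sum a multiple of 10.
    return sum(w * int(d) for w, d in zip(ABA_WEIGHTS, digits)) % 10 == 0


def scan(text: str) -> dict:
    """Count all matches of each identifier, but only when its keyword is present."""
    found = {"ssn": [], "ccn": [], "aba": []}
    if SSN_KEYWORD_RE.search(text):
        for m in SSN_RE.finditer(text):
            digits = m.group(1) + m.group(3) + m.group(4)
            if is_valid_ssn(digits):
                found["ssn"].append(digits)
    if CCN_KEYWORD_RE.search(text):
        for m in CCN_RE.finditer(text):
            digits = re.sub(r"\D", "", m.group(0))
            brand = ccn_brand(digits)
            if brand:
                found["ccn"].append((brand, digits))
    if ABA_KEYWORD_RE.search(text):
        for m in ABA_RE.finditer(text):
            if is_valid_aba(m.group(0)):
                found["aba"].append(m.group(0))
    return found


# Constructed sample messages (not real data).
SAMPLE_SSN = "Payroll: the social security number is 512-34-6789, not the test value 123-45-6789."
SAMPLE_CCN = "Charge my credit card 4532 0151 1283 0366; sandbox card 4111-1111-1111-1111 is ignored."
SAMPLE_ABA = "Wire via ABA routing 061234569 (000000000 passes the checksum but is a test value)."
SAMPLE_NO_KEYWORD = "Reference 512-34-6789 attached."  # valid pattern but no keyword: no match

if __name__ == "__main__":
    for sample in (SAMPLE_SSN, SAMPLE_CCN, SAMPLE_ABA, SAMPLE_NO_KEYWORD):
        print(scan(sample))
```

Note that 000000000 satisfies the ABA checksum, which is why the test-number exclusion matters as a separate step; likewise a valid-looking SSN with no Social Security keyword nearby produces no match at all.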

Creating a policy from a template


Exporting policy detection as a template

Financial Information Policy Template


The Financial Information policy detects financial data and information.

Table 692: Financial Information policy template rules

Rule | Description
Financial Information, Indexed | This rule looks for content from specific financial information files that are registered as proprietary; returns a match if 80% or more of the source document is found.
Financial Information | This rule looks for the combination of specified file types, keywords from the Financial Keywords dictionary, and keywords from the Confidential/Proprietary Words dictionary. The specified file types are:
• Applix Spreadsheets
• Comma Separated Values
• Corel Quattro Pro
• Lotus 1-2-3
• Microsoft Excel
• Microsoft Excel Macro
• Microsoft Works Spreadsheet
• Multiplan Spreadsheet
• SYLK Spreadsheet

About using IDM

Forbidden Websites Policy Template
The Forbidden Websites policy template is designed to detect access to specified web sites.
NOTE
To process HTTP GET requests appropriately, you may need to configure the Network Prevent for Web server.
To enable a Forbidden Website policy to process GET requests appropriately

Table 693: Forbidden Websites Policy Template

DCM Keyword Rule | Description
Forbidden Websites | This rule looks for any keywords in the "Forbidden Websites" dictionary, which is user-defined.

To enable a Forbidden Website policy to process GET requests appropriately


1. Configure your web proxy server to forward GET requests to the Network Prevent for Web server.
2. Set the L7.processGets Advanced Server Setting on the Network Prevent for Web server to "true" (which is the
default).
3. Reduce the L7.minSizeofGetURL Advanced Server Setting on the Network Prevent for Web server from the default of
100 to a number of bytes (characters) smaller than the length of the shortest web site URL that the policy specifies.
NOTE
Reducing the minimum size of GETs increases the number of URLs that have to be processed, which
increases server traffic load. One approach is to calculate the number of characters in the shortest URL
specified in the list of forbidden URLs and set the minimum size to that number. Another approach is to set
the minimum URL size to 10 as that should cover all cases.
4. You may need to adjust the "Ignore Requests Smaller Than" setting in the ICAP configuration of the Network Prevent
server from the default 4096 bytes. This value stops processing of incoming web pages that contain fewer bytes than
the number specified. If a page of a forbidden web site URL might be smaller than that number, the setting should be
reduced appropriately.

Configuring policies
Exporting policy detection as a template

Gambling Policy Template


This policy detects any reference to gambling.

Table 694: Gambling policy template

DCM Keyword Rule | Description
Suspicious Gambling Keywords | This rule looks for five instances of keywords from the "Gambling Keywords, Confirmed" dictionary.
Less Suspicious Gambling Keywords | This rule looks for 10 instances of keywords from the "Gambling Keywords, Suspect" dictionary.

Configuring policies
Exporting policy detection as a template

General Data Protection Regulation (Banking and Finance)
This template focuses on General Data Protection Regulation (GDPR) banking and finance related keywords, Data
Identifiers and an EDM profile with related columns.
The GDPR is a regulation by which the European Commission intends to strengthen and unify data protection for
individuals within the EU. It also addresses export of personal data outside the EU. The primary objectives of the GDPR
are to give citizens back the control of their personal data and to simplify the regulatory environment for international
business by unifying the regulation within the EU. The GDPR replaces the EU Data Protection Directives as of 25 May
2018.

Table 695: General Data Protection Regulations (Banking and Finance) detection rules

Name Type Description

GDPR Banking and Finance Related Keyword Match Matches a list of related keywords:
Keywords account number, bank
card number, driver
license number, ID card
number, Kontonummer,
Bankkartennummer,
Führerscheinnummer,
Ausweisnummer, Numéro
de compte, numéro carte
bancaire, numéro de permis
de conduire, numéro de
carte d'identité, numero di
conto, banca carta numero,
carta d'identità numero,
patente guida numero,
Número cuenta, número
tarjeta bancaria, número
licencia conducir, número
tarjeta de identificación,
rekeningnummer, bank
kaart aantal, rijbewijs
nummer, ID-kaartnummer,
bankkortnummer, körkort
nummer, identitetskortnummer,
førerkortnummer, ID-
kortnummer, tilinumero,
pankkikortin numero,
ajokortin numero,
Henkilökortin numero, uimhir
chuntais, uimhir chárta
bainc, uimhir ceadúnas
tiomána, Uimhir chárta
aitheantais, Kontosnummer,
Identifikatiounskaart, número
de conta, número cartão
bancário, número licença
motorista, Número do cartão
de identificação
Credit Card Number Data Identifiers Account number needed to process credit
card transactions. Often abbreviated as
CCN. Also known as a Primary Account
Number (PAN).

1262
Name Type Description

UK Driver's Licence Number Data Identifiers The UK Drivers Licence Number is the
identification number for an individual's
driver's license issued by the Driver and
Vehicle Licensing Agency of the United
Kingdom.
UK Passport Number Data Identifiers The UK Passport Number identifies a
United Kingdom passport using the current
official specification of the UK Government
Standards of the UK Cabinet Office.
UK Tax ID Number Data Identifiers The UK Tax ID Number is a personal
identification number provided by the UK
Government Standards of the UK Cabinet
Office.
Credit Card Magnetic Stripe Data Data Identifiers The magnetic stripe of a credit card
contains information about the card.
Storage of the complete version of this data
is a violation of the Payment Card Industry
(PCI) Data Security Standard.
French Passport Number Data Identifiers The French passport is an identity
document issued to French citizens.
Besides enabling the bearer to travel
internationally and serving as indication of
French citizenship, the passport facilitates
the process of securing assistance from
French consular officials abroad or other
European Union member states in case a
French consular is absent, if needed.
Belgium National Identity Number Data Identifiers All citizens of Belgium have a National
Number. Belgians 12 years of age and
older are issued a Belgian identity card.
Czech Personal Identification Number Data Identifiers All citizens of the Czech Republic are
issued a unique personal identification
number by the Ministry of Interior.
French INSEE code Data Identifiers The INSEE code in France is used as
a social insurance number, a national
identification number, and for taxation and
employment purposes.
French Social Security Number Data Identifiers The French Social Security Number (FSSN)
is a unique number assigned to each
French citizen or resident foreign national. It
serves as a national identification number.
Greek Tax Identification Number Data Identifiers The Arithmo Forologiko Mitro (AFM) is a
unique personal tax identification number
assigned to any individual resident in
Greece or person who owns property in
Greece.
Hungarian Social Security Number Data Identifiers The Hungarian Social Security Number
(TAJ) is a unique identifier issued by the
Hungarian government.
Hungarian Tax Identification Number Data Identifiers The Hungarian Tax Identification Number is
a 10-digit number that always begins with
the digit "8."

1263
Name Type Description

Hungarian VAT Number Data Identifiers All Hungarian businesses (including non-
profit organizations) upon registration at the
court of Registry are granted a value-added
tax (VAT) number.
Irish Personal Public Service Number Data Identifiers The format of the number is a unique 8-
character alphanumeric string ending with
a letter, such as 8765432A. The number is
assigned at the registration of birth of the
child and is issued on a Public Services
Card and is unique to every person.
Luxembourg National Register of Data Identifiers The Luxembourg National Register
Individuals Number of Individuals Number is an 11-digit
identification number issued to all
Luxembourg citizens at age 15.
Polish Identification Number Data Identifiers Every Polish citizen 18 years of age or
older residing permanently in Poland
must have an Identity Card, with a unique
personal number. The number is used as
identification for almost all purposes.
Polish REGON Number Data Identifiers Each national economy entity is obligated
to register in the register of business
entities called REGON in Poland. It is the
only integrated register in Poland covering
all of the national economy entities. Each
company has a unique REGON number.
Polish Social Security Number (PESEL) Data Identifiers The Polish Social Security Number
(PESEL) is the national identification
number used in Poland. The PESEL
number is mandatory for all permanent
residents of Poland and for temporary
residents living in Poland. It uniquely
identifies a person and cannot be
transferred to another.
Polish Tax Identification Number Data Identifiers The Polish Tax Identification Number
(NIP) is a number the government gives
to every Poland citizen who works or does
business in Poland. All taxpayers have a
tax identification number called NIP.
Romanian Numerical Personal Code Data Identifiers In Romania, each citizen has a unique
numerical personal code (Code Numeric
Personal, or CNP). The number is used
by authorities, health care, schools,
universities, banks, and insurance
companies for customer identification.
Spanish DNI ID Data Identifiers The Spanish DNI ID appears on the
Documento nacional de identidad (DNI)
and is issued by the Spanish Hacienda
Publica to every citizen of Spain. It is
the most important unique identifier in
Spain used for opening accounts, signing
contracts, taxes, and elections.

1264
Name Type Description

Spanish Social Security Number Data Identifiers The Spanish Social Security Number is
a 12-digit number assigned to Spanish
workers to allow access to the Spanish
healthcare system.
Spanish Customer Account Number Data Identifiers The Spanish customer account number
is the standard customer bank account
number used across Spain.
Spanish Tax ID (CIF) Data Identifiers The Spanish Tax Identification corporate
tax identifier (CIF) is equivalent to the VAT
number, required for running a business
in Spain. This identifier is a company's
identification for tax purposes and is
required for any legal transactions.
German Passport Number Data Identifiers The German passport number is issued
to German nationals for the purpose of
international travel. A German passport
is an officially recognized document that
German authorities accept as proof of
identity from German citizens.
Bulgarian Uniform Civil Number Data Identifiers The uniform civil number (EGN) is unique
number assigned to each Bulgarian citizen
or resident foreign national. It serves as a
national identification number. An EGN is
assigned to Bulgarians at birth, or when a
birth certificate is issued.
Austria Social Security Number Data Identifiers A social security number is allocated to
Austrian citizens who receive available
social security benefits. It is allocated by the
umbrella association of the Austrian social
security authorities.
Spanish Passport Number Data Identifiers Spanish passports are issued to Spanish
citizens for the purpose of travel outside
Spain.
Swedish Passport Number Data Identifiers Swedish passports are issued to nationals
of Sweden for the purpose of international
travel. Besides serving as proof of Swedish
citizenship, they facilitate the process of
securing assistance from Swedish consular
officials abroad or other European Union
member states in case a Swedish consular
is absent, if needed.
German Personal ID Number Data Identifiers The German Personal ID Number is issued
to all German citizens.
IBAN Central Data Identifiers The International Bank Account Number
(IBAN) is an international standard for
identifying bank accounts across national
borders.
The IBAN Central data identifier detects
IBAN numbers for Andorra, Austria,
Belgium, Germany, Italy, Liechtenstein,
Luxembourg, Malta, Monaco, San Marino,
and Switzerland.

1265
Name Type Description

IBAN East Data Identifiers The International Bank Account Number


(IBAN) is an international standard for
identifying bank accounts across national
borders.
The IBAN East data identifier detects
IBAN numbers for Bosnia, Bulgaria,
Croatia, Cyprus, Czech Republic, Estonia,
Greece, Hungary, Israel, Latvia, Lithuania,
Macedonia, Montenegro, Poland, Romania,
Serbia, Slovakia, Slovenia, Turkey, and
Tunisia.
IBAN West Data Identifiers The International Bank Account Number
(IBAN) is an international standard for
identifying bank accounts across national
borders.
The IBAN West data identifier detects
IBAN numbers for Denmark, Faroe Islands,
Finland, France, Gibraltar, Greenland,
Iceland, Ireland, Netherlands, Norway,
Portugal, Spain, Sweden, and the United
Kingdom.
Burgerservicenummer Data Identifiers In the Netherlands, the
Burgerservicenummer is used to uniquely
identify citizens and is printed on driving
licenses, passports and international ID
cards under the header Personal Number.
Codice Fiscale Data Identifiers The Codice Fiscale uniquely identifies an
Italian citizen or permanent resident alien
and issuance of the code is centralized
to the Ministry of Treasure. The Codice
Fiscale is issued to every Italian at birth.
Finnish Personal Identification Number Data Identifiers The Finnish Personal Identification Number
or Personal Identity Code is a unique
personal identifier used for identifying
citizens in government and many other
transactions.
Swedish Personal Identification Number Data Identifiers The Swedish Personal Identification
Number is the unique national identification
for Swedish every citizen. The number
is used by authorities, health care,
schools, universities, banks, and insurance
companies for customer identification.
Austria Passport Number Data Identifiers Austrian passports are travel documents
issued to Austrian citizens by the Austrian
Passport Office of the Department of
Foreign Affairs and Trade, both in Austria
and overseas, and enable the passport
holder to travel internationally.
Austria Tax Identification Number Data Identifiers Austria issues tax identification numbers to
individuals based on their area of residence
to identify taxpayers and facilitate national
taxes.

1266
Name Type Description

Belgium Passport Number Data Identifiers Belgian passports are passports issued
by the Belgian state to its citizens to
facilitate international travel. The Federal
Public Service Foreign Affairs, formerly
known as the Ministry of Foreign Affairs,
is responsible for issuing and renewing
Belgian passports.
Belgium Tax Identification Number Data Identifiers Belgium issues a tax identification number
for persons who has obligations to declare
taxes in Belgium.
Belgium Value Added Tax (VAT) Number Data Identifiers VAT is a consumption tax that is borne
by the end consumer. VAT is paid for
each transaction in the manufacturing and
distribution process. For Belgium, the Value
Added Tax is issued by VAT office for the
region in which the business is established.
Belgium Driver Licence Number Data Identifiers Identification number for an individual's
driver's licence issued by the Driver and
Vehicle Licensing Agency of Belgium.
Denmark Personal Identification Number Data Identifiers In Denmark, every citizen has a national
identification number. The number serves
as proof of identification for almost all
purposes.
Netherlands Bank Account Number Data Identifiers The Netherlands bank account number is
the standard bank account number used
across the Netherlands.
Netherlands Driver's License Number Data Identifiers Identification number for an individual's
driver's licence issued by the RDW
government agency of the Netherlands.
Netherlands Passport Number Data Identifiers Dutch passports are issued to Netherlands
citizens for the purpose of international
travel.
Netherlands Value Added Tax (VAT) Data Identifiers VAT is a consumption tax that is borne
Number by the end consumer. VAT is paid for
each transaction in the manufacturing and
distribution process. For the Netherlands,
the Value Added Tax is issued by VAT
office for the region in which the business is
established.
France Driver's License Number Data Identifiers Identification number for an individual's
driver's licence issued by the Driver and
Vehicle Licensing Agency of France.
France Tax Identification Number Data Identifiers France issue a tax identification number
for anyone who has obligations to declare
taxes in France.
Germany Driver's License Number Data Identifiers Identification number for an individual's
driver's licence issued by the Driver and
Vehicle Licensing Agency of Germany.
Italy Passport Number Data Identifiers Italian passports are issued to Italian
citizens for the purpose of international
travel.

1267
Name Type Description

Italy Value Added Tax (VAT) Number Data Identifiers VAT is a consumption tax that is borne
by the end consumer. VAT is paid for
each transaction in the manufacturing and
distribution process. For Italy, the Value
Added Tax is issued by VAT office for the
region in which the business is established.
Italy Driver's License Number Data Identifiers Identification number for an individual's
driver's licence issued by the Driver and
Vehicle Licensing Agency of Italy.
Netherlands Tax Identification Number Data Identifiers The Netherlands issues a tax identification
number at birth or at registration at the
municipality.
Spain Driver's License Number Data Identifiers Identification number for an individual's
driver's licence issued by the Driver and
Vehicle Licensing Agency of Spain.
Germany Value Added Tax (VAT) Number Data Identifiers VAT is a consumption tax that is borne
by the end consumer. VAT is paid for
each transaction in the manufacturing and
distribution process. For Germany, the
Value Added Tax is issued by VAT office
for the region in which the business is
established.
France Value Added Tax (VAT) Number Data Identifiers The Value Added Tax (VAT) is a tax levied
on goods and services provided in France
and is collected from the final customer.
Companies must register with the Register
of Commerce and Companies in France to
get VAT number allocated.
Austria Value Added Tax (VAT) Number Data Identifiers VAT is a consumption tax that is borne
by the end consumer. VAT is paid for
each transaction in the manufacturing and
distribution process. For Austria, the VAT
number is issued by the tax office for the
region in which the business is established.
Sweden Tax Identification Number Data Identifiers Sweden uses tax identification numbers
(TINs) to identify taxpayers and facilitate
the administration of their national tax
affairs. TINs are also useful for identifying
taxpayers who invest in other EU countries
and are more reliable than other identifiers
such as name and address.
Sweden Value Added Tax (VAT) Number Data Identifiers VAT is a consumption tax that is borne
by the end consumer. VAT is paid for
each transaction in the manufacturing and
distribution process.
Denmark Value Added Tax (VAT) Number Data Identifiers VAT is a consumption tax that is borne
by the end consumer. VAT is paid for
each transaction in the manufacturing and
distribution process. For Denmark, the VAT
number is issued by the tax office for the
region in which the business is established.

1268
Name Type Description

Finland Passport Number Data Identifiers Finnish passports are issued to nationals
of Finland for the purpose of international
travel. They also facilitate the process of
securing assistance from Finnish consular
officials abroad.
Finland Driver's Licence Number Data Identifiers Identification number for an individual's
driver's license issued in an EU or EEA
Member State for a Finnish license.
Finland Value Added Tax (VAT) Number Data Identifiers VAT is a consumption tax that is borne
by the end consumer. VAT is paid for
each transaction in the manufacturing and
distribution process.
Ireland Passport Number Data Identifiers An Irish passport is the passport issued
to citizens of Ireland. An Irish passport
enables the bearer to travel internationally
and serves as evidence of Irish citizenship
and citizenship of the European union.
It also facilitates the access to consular
assistance from both Irish embassies and
any embassy from other European union
member states while abroad.
Ireland Value Added Tax (VAT) Number Data Identifiers VAT is a consumption tax that is borne
by the end consumer. VAT is paid for
each transaction in the manufacturing and
distribution process. For Ireland, the VAT
number is issued by the Irish tax authority.
Ireland Tax Identification Number Data Identifiers This number is issued by department
of social protection for natural persons
and by revenue commissioner for non-
natural persons. Non-natural persons can
be companies, partnerships, trusts, and
unincorporated bodies.
Luxembourg Passport Number Data Identifiers A Luxembourg passport is an international
travel document issued to nationals of the
grand Duchy of Luxembourg, and may
also serve as proof of Luxembourgish
citizenship.
Luxembourg Value Added Tax (VAT) Data Identifiers VAT is a consumption tax that is borne
Number by the end consumer. VAT is paid for
each transaction in the manufacturing and
distribution process.
Portugal National Identification Number Data Identifiers The national identification number is
a unique identification number usually
present on documents like citizen cards
which are issued by the Portuguese
government to its citizens. It can be used as
a travel document within the EU and some
other European countries.

1269
Name Type Description

Portugal Passport Number Data Identifiers Portuguese passports are issued to


citizens of Portugal for the purpose of
international travel. The passport, along
with the national identity card allows for free
rights of movement and residence in any
of the states of the European Union and
European economic area.
Portugal Tax Identification Number Data Identifiers A fiscal number is a tax identification
number that is issued in Portugal to anyone
who wishes to undertake any official
matters in Portugal.
Portugal Value Added Tax (VAT) Number Data Identifiers VAT is a consumption tax that is borne
by the end consumer. VAT is paid for
each transaction in the manufacturing and
distribution process.
Portugal Driver's Licence Number Data Identifiers The Institute for Mobility and Land
Transport (IMTT) issues driver's licenses in
Portugal.
Denmark Tax Identification Number Data Identifiers Denmark issues a tax identification number
for persons who have obligations to declare
taxes in Denmark. The tax identification
number also serves as a personal health
insurance number.
Finland Tax Identification Number Data Identifiers Finland issues a tax identification number
for persons who have obligations to declare
taxes in Finland.
Luxembourg Tax Identification Number Data Identifiers This number is issued by Luxembourg
inland revenue (Administration des
contributions directes - ACD) department
and is used for tax related purposes of
natural and non natural persons.
Germany Tax Identification Number Data Identifiers Germany issues a tax identification number
for persons who have obligations to declare
taxes in Germany.
UK Value Added Tax (VAT) Number Data Identifiers VAT is a consumption tax that is borne
by the end consumer. VAT is paid for
each transaction in the manufacturing
and distribution process. For the United
Kingdom, the VAT number is issued by
the VAT office for the region in which the
business is established.
Spain Value Added Tax (VAT) Number Data Identifiers VAT is a consumption tax that is borne
by the end consumer. VAT is paid for
each transaction in the manufacturing
and distribution process. VAT in Spain is
overseen by the State Tax Administration
Agency.
UK Bank Account Number Sort Code Data Identifiers Sort codes are bank codes used to route
money transfers between banks within their
respective countries via their respective
clearance organizations.

1270
Name Type Description

Greece Social Security Number (AMKA) Data Identifiers The AMKA (social security number) is the
work and insurance identification number of
every worker, retired person and protected
family member in Greece.
Romania National Identification Number Data Identifiers In Romania each citizen has a personal
numerical code (Cod Numeric Personal,
CNP) as unique national identification
number. This number is also used as a tax
identification number for financial purposes.
Slovakia National Identification Number Data Identifiers In Slovakia, identification cards are issued
by the state authorities at 15 years of age
for every citizen. This number is used in
Slovak Republic as the primary unique
identifier for every person by government
institutions, banks and so on.
Slovenia Unique Master Citizen Number Data Identifiers The unique master citizen number is a
unique identification number assigned
to every citizen of Slovenia at birth or on
acquiring citizenship.
Latvia Personal Identification Number Data Identifiers The Latvian personal identification number
is used for national identity and as a tax
identification number for financial purposes.
It is issued by the office of citizenship and
migration affairs of the Ministry of Interior.
Sweden Driver's Licence Number Data Identifiers In Sweden, a driving license is required
when operating a car, motorcycle or moped
on public roads. Driving licenses are issued
by the prefectural governments public
safety commissions and are overseen on
a nationwide basis by the National Police
Agency.
Greece Passport Number Data Identifiers Greek passports are issued to Greek
citizens for the purpose of international
travel. The passport along with the
national identity card allows for free rights
of movement and residence in any of
the states of the European Union and
European Economic Area.
Greece Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. For
Greece, VAT is administered by the VAT
office for the region in which the business is
established.
Poland Passport Number Data Identifiers A Polish passport is an international
travel document issued to nationals of
Poland. It may also serve as proof of Polish
citizenship.

1271
Name Type Description

Poland Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. For
Poland, VAT is administered by the VAT
office for the region in which the business is
established.
Romania Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. In
Romania, it is also called TVA or CIF.
Hungary Passport Number Data Identifiers Hungarian passports are issued to
Hungarian citizens for international travel by
the Central Data Processing, Registration,
and Election Office of the Hungarian
Ministry of the Interior.
Czech Republic Value Added Tax (VAT) Data Identifiers Value Added Tax (VAT) is a consumption
Number tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. In
the Czech Republic, it is also called DPH.
Slovakia Passport Number Data Identifiers Slovak passports are issued to citizens of
Slovakia to facilitate international travel.
Slovakia Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. For
Slovakia, VAT is administered by the tax
office for the region in which the business is
established.
Slovenia Passport Number Data Identifiers Slovenian passports are issued to citizens
of Slovenia to facilitate international travel.
Slovenia Tax Identification Number Data Identifiers The Slovenia Tax Identification Number is
a unique identifier of individuals and legal
entities for tax purposes. The Financial
Administration of the Republic of Slovenia
issues and administers tax identification
numbers in Slovenia.
Slovenia Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. For
Slovenia, VAT is administered by the tax
office for the region in which the business is
established.
Croatia National Identification Number Data Identifiers The Croatian National Identification number
(Osobni identifikacijski broj or OIB) is the
permanent personal and tax identifier for
Croatian citizens and residents.

1272
Name Type Description

Estonia Personal Identification Number | Data Identifiers | In Estonia, the personal identification code is a number based on the sex and birth date of a person. This code is used as a unique personal identifier by governmental and other systems where identification is required, as well as for digital signatures using the national identity card and its associated certificates. It also serves as a tax identification number.
Estonia Value Added Tax (VAT) Number | Data Identifiers | Value Added Tax (VAT) is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Estonia, VAT is administered by the tax office for the region in which the business is established.
Lithuania Personal Identification Number | Data Identifiers | In Lithuania, the personal identification code is a number based on the sex and birth date of a person. This code is used as a unique personal identifier by governmental and other systems where identification is required, as well as for digital signatures using the national identity card and its associated certificates.
Lithuania Tax Identification Number | Data Identifiers | The Lithuanian Taxpayer Identification Number is used to identify taxpayers and facilitate the administration of their national tax affairs.
Estonia Passport Number | Data Identifiers | The Estonian passport is an international travel document issued to citizens of Estonia that also serves as proof of Estonian citizenship. The Border Guard Board in Estonia and Estonian foreign representations abroad are responsible for issuing Estonian passports.
Lithuania Value Added Tax (VAT) Number | Data Identifiers | Value Added Tax (VAT) is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. In Lithuania, VAT is administered by the State Tax Inspectorate.
Latvia Passport Number | Data Identifiers | Latvian passports are issued to citizens of Latvia for identity and international travel purposes. The territorial section of the Office of Citizenship and Migration Affairs issues passports.
Latvia Value Added Tax (VAT) Number | Data Identifiers | Value Added Tax (VAT) is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. In Latvia, VAT is administered by the State Revenue Service.
Bulgaria Value Added Tax (VAT) Number | Data Identifiers | Value Added Tax (VAT) is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. In Bulgaria, VAT is administered by the National Revenue Agency, which is overseen by the Bulgarian Ministry of Finance.
Malta National Identification Number | Data Identifiers | Every resident of Malta is assigned a national number. For foreigners who are authorized to reside in Malta, national numbers for foreign residents end with the letter A. National numbers for Maltese citizens end with M, G, L, H or P.
Malta Tax Identification Number | Data Identifiers | The Malta Tax Identification Number is assigned by the Inland Revenue Department as a means of identification for income tax purposes.
Malta Value Added Tax (VAT) Number | Data Identifiers | Value Added Tax (VAT) is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. In Malta, VAT is administered by the tax office for the region in which the business is established.
Iceland National Identification Number | Data Identifiers | The Iceland National Identification Number is a unique national identifier used by the Icelandic government to identify individuals and organizations. It is administered by Registers Iceland. Icelandic national identification numbers are issued to Icelandic citizens at birth and to foreign nationals resident in Iceland upon registration. They are also issued to corporations and institutions.
Serbia Unique Master Citizen Number | Data Identifiers | The Serbian Unique Master Citizen Number is a unique identifier for Serbian citizens. It is assigned to every citizen of Serbia at birth or upon acquiring citizenship.
Switzerland Passport Number | Data Identifiers | Swiss passports are issued to citizens of Switzerland to facilitate international travel.
Iceland Value Added Tax (VAT) Number | Data Identifiers | Value Added Tax (VAT) is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Iceland, VAT is administered by the VAT office for the region in which the business is established.
Iceland Passport Number | Data Identifiers | Icelandic passports are issued to citizens of Iceland for the purpose of international travel and may also serve as proof of Icelandic citizenship.
Switzerland Value Added Tax (VAT) Number | Data Identifiers | Value Added Tax (VAT) is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Switzerland, VAT is administered by the Federal Statistical Office for the region in which the business is established.
Serbia Value Added Tax (VAT) Number | Data Identifiers | Value Added Tax (VAT) is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. In Serbia, VAT is administered by the Tax Administration department of the Ministry of Finance.
Liechtenstein Passport Number | Data Identifiers | Liechtenstein passports are issued to nationals of Liechtenstein for the purpose of international travel. The passport may also serve as proof of Liechtensteiner citizenship.
Norway National Identification Number | Data Identifiers | The Norway National Identification Number is assigned by the Norwegian state to all citizens of the country. It is administered by the Tax Administration.
Norway Value Added Tax (VAT) Number | Data Identifiers | Value Added Tax (VAT) is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Norway, VAT is administered by the VAT office for the region in which the business is established.
Romania Driver's Licence Number | Data Identifiers | A driving license in Romania is a document confirming the rights of the holder to drive motor vehicles.
Czech Republic Driver's Licence Number | Data Identifiers | The Czech Republic Ministry of Transport grants driver's licenses in the Czech Republic, confirming the rights of the holder to drive motor vehicles.
Slovakia Driver's Licence Number | Data Identifiers | A Slovak driver's license is a document confirming the rights of the holder to drive motor vehicles. Slovak driver's licenses are granted by the Ministry of Interior.
Poland Driver's Licence Number | Data Identifiers | Poland issues driving licenses confirming the rights of the holder to drive motor vehicles.
Hungary Driver's Licence Number | Data Identifiers | A driving license in Hungary is a document issued by the Ministry of Economics and Transport, confirming the rights of the holder to drive motor vehicles.
Latvia Driver Licence Number | Data Identifiers | A driver's license in Latvia is a document issued by the Road Traffic Safety Directorate, confirming the rights of the holder to drive motor vehicles.
Norway Driver Licence Number | Data Identifiers | A driver's license is required in Norway before a person is permitted to drive a motor vehicle of any description on a road in Norway.
Cyprus Value Added Tax (VAT) Number | Data Identifiers | Value Added Tax (VAT) is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Cyprus, VAT is administered by the tax office for the region in which the business is established.
Cyprus Tax Identification Number | Data Identifiers | The Cyprus Tax Identification Number is a unique identifier for Cypriot taxpayers.
Estonia Driver's Licence Number | Data Identifiers | The Estonian Road Administration issues driving licenses in Estonia, confirming the rights of the holder to drive motor vehicles.
SEPA Creditor Identifier Number North | Data Identifiers | The Single Euro Payment Area (SEPA) is a payments system created by the European Union that harmonizes the way cashless payments transact between Euro countries. SEPA North is for the United Kingdom, Sweden, Denmark, Finland, and Ireland. European consumers, businesses, and government agents who make payments by direct debit, credit card or through credit transfers use the SEPA architecture. The Single Euro Payment Area is approved and regulated by the European Commission.
SEPA Creditor Identifier Number South | Data Identifiers | The Single Euro Payment Area (SEPA) is a payments system created by the European Union that harmonizes the way cashless payments transact between Euro countries. SEPA South is for Italy, Spain, and Portugal. European consumers, businesses, and government agents who make payments by direct debit, credit card or through credit transfers use the SEPA architecture. The Single Euro Payment Area is approved and regulated by the European Commission.
SEPA Creditor Identifier Number West | Data Identifiers | The Single Euro Payment Area (SEPA) is a payments system created by the European Union that harmonizes the way cashless payments transact between Euro countries. SEPA West is for Germany, France, the Netherlands, Belgium, Austria, and Luxembourg. European consumers, businesses, and government agents who make payments by direct debit, credit card, or through credit transfers use the SEPA architecture. The Single Euro Payment Area is approved and regulated by the European Commission.

General Data Protection Regulation (Digital Identity)
This template focuses on General Data Protection Regulation (GDPR) digital identity related keywords, Data Identifiers
and an EDM profile with related columns.
The GDPR is a regulation by which the European Commission intends to strengthen and unify data protection for
individuals within the EU. It also addresses export of personal data outside the EU. The primary objectives of the GDPR
are to give citizens back the control of their personal data and to simplify the regulatory environment for international
business by unifying the regulation within the EU. The GDPR replaces the EU Data Protection Directives as of 25 May
2018.

Table 696: General Data Protection Regulations (Digital Identity) detection rule

Name | Type | Description
International Mobile Equipment Identity Number | Data Identifiers | The International Mobile Station Equipment Identity (IMEI) is a unique identifier for 3GPP (GSM, UMTS, and LTE) and iDEN mobile phones and some satellite phones.

General Data Protection Regulation (Government Identification)

This template focuses on General Data Protection Regulation (GDPR) government identification related keywords, data
identifiers and an EDM profile with related columns.
The GDPR is a regulation by which the European Commission intends to strengthen and unify data protection for
individuals within the EU. It also addresses export of personal data outside the EU. The primary objectives of the GDPR
are to give citizens back the control of their personal data and to simplify the regulatory environment for international
business by unifying the regulation within the EU. The GDPR replaces the EU Data Protection Directives as of 25 May
2018.

Table 697: General Data Protection Regulations (Government Identification) detection rules

Name | Type | Description
GDPR Government Identification | Keyword Match | Matches a list of related keywords: driver license number, id card number, electoral roll number, Führerscheinnummer, ID-Kartennummer, Stimmzettel-Nummer, Numéro permis conduire, numéro carte d'identité, numéro du rôle électoral, numero patente guida, numero carta d'identità, elettorale rotolo numero, Número licencia conducir, número tarjeta de identificación, número boleta electoral, rijbewijs nummer, ID-kaartnummer, kiezerslijst nummer, körkort nummer, identitetskort nummer, førerkortnummer, ID-kortnummer, ajokortin numero, Henkilökortin numero, vaaliluettelon numero, uimhir ceadúnas tiomána, Uimhir chárta aitheantais, uimhir rolla toghcháin, Identifikatiounskaart, número licença motorista, Número do cartão de identificação, número leitoral
UK Driver's Licence Number | Data Identifiers | The UK Driver's Licence Number is the identification number for an individual's driver's license issued by the Driver and Vehicle Licensing Agency of the United Kingdom.
UK Electoral Roll Number | Data Identifiers | The Electoral Roll Number is the identification number issued to an individual for UK election registration. The format of this number is specified by the UK Government Standards of the UK Cabinet Office.
UK National Health Service (NHS) | Data Identifiers | The UK National Health Service (NHS) Number is the personal identification number issued by the U.K. National Health Service (NHS) for administration of medical care.
UK National Insurance Number | Data Identifiers | The UK National Insurance Number is issued by the United Kingdom Department for Work and Pensions (DWP) to identify an individual for the national insurance program. It is also known as an NI number, NINO or NINo.
UK Passport Number | Data Identifiers | The UK Passport Number identifies a United Kingdom passport using the current official specification of the UK Government Standards of the UK Cabinet Office.
UK Tax ID Number | Data Identifiers | The UK Tax ID Number is a personal identification number provided by the UK Government Standards of the UK Cabinet Office.
French Passport Number | Data Identifiers | The French passport is an identity document issued to French citizens. Besides enabling the bearer to travel internationally and serving as an indication of French citizenship, the passport facilitates the process of securing assistance from French consular officials abroad or, if needed, from other European Union member states where no French consulate is present.
Belgian National Number | Data Identifiers | All citizens of Belgium have a National Number. Belgians 12 years of age and older are issued a Belgian identity card.
Czech Personal Identification Number | Data Identifiers | All citizens of the Czech Republic are issued a unique personal identification number by the Ministry of Interior.
French INSEE code | Data Identifiers | The INSEE code in France is used as a social insurance number, a national identification number, and for taxation and employment purposes.
French Social Security Number | Data Identifiers | The French Social Security Number (FSSN) is a unique number assigned to each French citizen or resident foreign national. It serves as a national identification number.
Greek Tax Identification Number | Data Identifiers | The Arithmo Forologiko Mitro (AFM) is a unique personal tax identification number assigned to any individual resident in Greece or person who owns property in Greece.
Hungarian Social Security Number | Data Identifiers | The Hungarian Social Security Number (TAJ) is a unique identifier issued by the Hungarian government.
Hungarian Tax Identification Number | Data Identifiers | The Hungarian Tax Identification Number is a 10-digit number that always begins with the digit "8".
Hungarian VAT Number | Data Identifiers | All Hungarian businesses (including non-profit organizations) are granted a value-added tax (VAT) number upon registration at the Court of Registry.
Irish Personal Public Service Number | Data Identifiers | The format of the number is a unique 8-character alphanumeric string ending with a letter, such as 8765432A. The number is assigned at the registration of birth of the child, is issued on a Public Services Card, and is unique to every person.
Luxembourg National Register of Individuals Number | Data Identifiers | The Luxembourg National Register of Individuals Number is an 11-digit identification number issued to all Luxembourg citizens at age 15.
Polish Identification Number | Data Identifiers | Every Polish citizen 18 years of age or older residing permanently in Poland must have an Identity Card with a unique personal number. The number is used as identification for almost all purposes.
Polish REGON Number | Data Identifiers | Each national economy entity is obligated to register in the register of business entities called REGON in Poland. It is the only integrated register in Poland covering all of the national economy entities. Each company has a unique REGON number.
Polish Social Security Number (PESEL) | Data Identifiers | The Polish Social Security Number (PESEL) is the national identification number used in Poland. The PESEL number is mandatory for all permanent residents of Poland and for temporary residents living in Poland. It uniquely identifies a person and cannot be transferred to another.
Polish Tax Identification Number | Data Identifiers | The Polish Tax Identification Number (NIP) is a number the government gives to every Polish citizen who works or does business in Poland. All taxpayers have a tax identification number called NIP.
Romanian Numerical Personal Code | Data Identifiers | In Romania, each citizen has a unique numerical personal code (Cod Numeric Personal, or CNP). The number is used by authorities, health care, schools, universities, banks, and insurance companies for customer identification.
Spanish DNI ID | Data Identifiers | The Spanish DNI ID appears on the Documento Nacional de Identidad (DNI) and is issued by the Spanish Hacienda Publica to every citizen of Spain. It is the most important unique identifier in Spain, used for opening accounts, signing contracts, taxes, and elections.
Spanish Social Security Number | Data Identifiers | The Spanish Social Security Number is a 12-digit number assigned to Spanish workers to allow access to the Spanish healthcare system.
Spanish Customer Account Number | Data Identifiers | The Spanish customer account number is the standard customer bank account number used across Spain.
Spanish Tax ID (CIF) | Data Identifiers | The Spanish corporate tax identification number (CIF) is equivalent to the VAT number and is required for running a business in Spain. This identifier is a company's identification for tax purposes and is required for any legal transactions.
German Passport Number | Data Identifiers | The German passport number is issued to German nationals for the purpose of international travel. A German passport is an officially recognized document that German authorities accept as proof of identity from German citizens.
Bulgarian Uniform Civil Number | Data Identifiers | The uniform civil number (EGN) is a unique number assigned to each Bulgarian citizen or resident foreign national. It serves as a national identification number. An EGN is assigned to Bulgarians at birth, or when a birth certificate is issued.
Austrian Social Security Number | Data Identifiers | A social security number is allocated to Austrian citizens who receive available social security benefits. It is allocated by the umbrella association of the Austrian social security authorities.
Spanish Passport Number | Data Identifiers | Spanish passports are issued to Spanish citizens for the purpose of travel outside Spain.
Swedish Passport Number | Data Identifiers | Swedish passports are issued to nationals of Sweden for the purpose of international travel. Besides serving as proof of Swedish citizenship, they facilitate the process of securing assistance from Swedish consular officials abroad or, if needed, from other European Union member states where no Swedish consulate is present.
German Personal ID Number | Data Identifiers | The German Personal ID Number is issued to all German citizens.
Burgerservicenummer | Data Identifiers | In the Netherlands, the Burgerservicenummer is used to uniquely identify citizens and is printed on driving licenses, passports and international ID cards under the header Personal Number.
Codice Fiscale | Data Identifiers | The Codice Fiscale uniquely identifies an Italian citizen or permanent resident alien; issuance of the code is centralized at the Ministry of Treasury. The Codice Fiscale is issued to every Italian at birth.
Finnish Personal Identification Number | Data Identifiers | The Finnish Personal Identification Number, or Personal Identity Code, is a unique personal identifier used for identifying citizens in government and many other transactions.
Swedish Personal Identification Number | Data Identifiers | The Swedish Personal Identification Number is the unique national identification number for every Swedish citizen. The number is used by authorities, health care, schools, universities, banks, and insurance companies for customer identification.
Austria Passport Number | Data Identifiers | Austrian passports are travel documents issued to Austrian citizens by the Austrian Passport Office of the Department of Foreign Affairs and Trade, both in Austria and overseas, and enable the passport holder to travel internationally.
Austria Tax Identification Number | Data Identifiers | Austria issues tax identification numbers to individuals based on their area of residence to identify taxpayers and facilitate national taxes.
Belgium Passport Number | Data Identifiers | Belgian passports are passports issued by the Belgian state to its citizens to facilitate international travel. The Federal Public Service Foreign Affairs, formerly known as the Ministry of Foreign Affairs, is responsible for issuing and renewing Belgian passports.
Belgium Tax Identification Number | Data Identifiers | Belgium issues a tax identification number for persons who have obligations to declare taxes in Belgium.
Belgium Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Belgium, the Value Added Tax number is issued by the VAT office for the region in which the business is established.
Belgium Driver's License Number | Data Identifiers | Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of Belgium.
Denmark Personal Identification Number | Data Identifiers | In Denmark, every citizen has a national identification number. The number serves as proof of identification for almost all purposes.
Netherlands Bank Account Number | Data Identifiers | The Netherlands bank account number is the standard bank account number used across the Netherlands.
Netherlands Driver's License Number | Data Identifiers | Identification number for an individual's driver's licence issued by the RDW government agency of the Netherlands.
Netherlands Passport Number | Data Identifiers | Dutch passports are issued to Netherlands citizens for the purpose of international travel.
Netherlands Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For the Netherlands, the Value Added Tax number is issued by the VAT office for the region in which the business is established.
France Driver's License Number | Data Identifiers | Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of France.
France Health Insurance Number | Data Identifiers | A Carte Vitale is a social insurance card used in France that contains medical information for the card holder. It has a unique 21-digit serial number.
France Tax Identification Number | Data Identifiers | France issues a tax identification number for anyone who has obligations to declare taxes in France.
Germany Driver's License Number | Data Identifiers | Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of Germany.
Italy Passport Number | Data Identifiers | Italian passports are issued to Italian citizens for the purpose of international travel.
Italy Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Italy, the Value Added Tax number is issued by the VAT office for the region in which the business is established.
Italy Driver's License Number | Data Identifiers | Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of Italy.
Netherlands Tax Identification Number | Data Identifiers | The Netherlands issues a tax identification number at birth or at registration with the municipality.
Spain Driver's License Number | Data Identifiers | Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of Spain.
Germany Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Germany, the Value Added Tax number is issued by the VAT office for the region in which the business is established.
France Value Added Tax (VAT) Number | Data Identifiers | The Value Added Tax (VAT) is a tax levied on goods and services provided in France and is collected from the final customer. Companies must register with the Register of Commerce and Companies in France to get a VAT number allocated.
Ireland Passport Number | Data Identifiers | An Irish passport is the passport issued to citizens of Ireland. An Irish passport enables the bearer to travel internationally and serves as evidence of Irish citizenship and citizenship of the European Union. It also facilitates access to consular assistance from both Irish embassies and any embassy of another European Union member state while abroad.
Luxembourg Passport Number | Data Identifiers | A Luxembourg passport is an international travel document issued to nationals of the Grand Duchy of Luxembourg, and may also serve as proof of Luxembourgish citizenship.
Portugal Passport Number | Data Identifiers | Portuguese passports are issued to citizens of Portugal for the purpose of international travel. The passport, along with the national identity card, allows for free rights of movement and residence in any of the states of the European Union and European Economic Area.
Finland Passport Number | Data Identifiers | Finnish passports are issued to nationals of Finland for the purpose of international travel. They also facilitate the process of securing assistance from Finnish consular officials abroad.
Finland Driver's Licence Number | Data Identifiers | Identification number for an individual's driver's license issued in an EU or EEA Member State for a Finnish license.
Austria Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Austria, the VAT number is issued by the tax office for the region in which the business is established.
Sweden Tax Identification Number | Data Identifiers | Sweden uses tax identification numbers (TINs) to identify taxpayers and facilitate the administration of their national tax affairs. TINs are also useful for identifying taxpayers who invest in other EU countries and are more reliable than other identifiers such as name and address.
Sweden Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process.
Denmark Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Denmark, the VAT number is issued by the tax office for the region in which the business is established.
Finland Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process.
Ireland Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Ireland, the VAT number is issued by the Irish tax authority.
Ireland Tax Identification Number | Data Identifiers | This number is issued by the Department of Social Protection for natural persons and by the Revenue Commissioners for non-natural persons. Non-natural persons can be companies, partnerships, trusts, and unincorporated bodies.
Portugal Tax Identification Number | Data Identifiers | A fiscal number is a tax identification number that is issued in Portugal to anyone who wishes to undertake any official matters in Portugal.
Portugal Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process.
Luxembourg Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process.
Portugal National Identification Number | Data Identifiers | The national identification number is a unique identification number usually present on documents like citizen cards, which are issued by the Portuguese government to its citizens. It can be used as a travel document within the EU and some other European countries.
Portugal Driver's Licence Number | Data Identifiers | The Institute for Mobility and Land Transport (IMTT) issues driver's licenses in Portugal.
Denmark Tax Identification Number | Data Identifiers | Denmark issues a tax identification number for persons who have obligations to declare taxes in Denmark. The tax identification number also serves as a personal health insurance number.
Finland Tax Identification Number | Data Identifiers | Finland issues a tax identification number for persons who have obligations to declare taxes in Finland.
Luxembourg Tax Identification Number | Data Identifiers | This number is issued by the Luxembourg inland revenue department (Administration des contributions directes, ACD) and is used for tax-related purposes of natural and non-natural persons.
Germany Tax Identification Number | Data Identifiers | Germany issues a tax identification number for persons who have obligations to declare taxes in Germany.
UK Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For the United Kingdom, the VAT number is issued by the VAT office for the region in which the business is established.
Spain Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. VAT in Spain is overseen by the State Tax Administration Agency.
UK Bank Account Number Sort Code | Data Identifiers | Sort codes are bank codes used to route money transfers between banks within their respective countries via their respective clearance organizations.
Greece Social Security Number (AMKA) | Data Identifiers | The AMKA (social security number) is the work and insurance identification number of every worker, retired person and protected family member in Greece.
Romania National Identification Number | Data Identifiers | In Romania, each citizen has a personal numerical code (Cod Numeric Personal, CNP) as a unique national identification number. This number is also used as a tax identification number for financial purposes.
Slovakia National Identification Number | Data Identifiers | In Slovakia, identification cards are issued by the state authorities to every citizen at 15 years of age. This number is used in the Slovak Republic as the primary unique identifier for every person by government institutions, banks and so on.
Slovenia Unique Master Citizen Number | Data Identifiers | The unique master citizen number is a unique identification number assigned to every citizen of Slovenia at birth or on acquiring citizenship.
Latvia Personal Identification Number | Data Identifiers | The Latvian personal identification number is used for national identity and as a tax identification number for financial purposes. It is issued by the Office of Citizenship and Migration Affairs of the Ministry of Interior.
Finland European Health Insurance Number | Data Identifiers | The unique 20-digit numeric identifier that is assigned to every person who uses health services in Finland.
Sweden Driver's Licence Number | Data Identifiers | In Sweden, a driving license is required when operating a car, motorcycle or moped on public roads. Driving licenses are issued by the prefectural governments' public safety commissions and are overseen on a nationwide basis by the National Police Agency.
Greece Passport Number | Data Identifiers | Greek passports are issued to Greek citizens for the purpose of international travel. The passport, along with the national identity card, allows for free rights of movement and residence in any of the states of the European Union and European Economic Area.
Greece Value Added Tax (VAT) Number | Data Identifiers | Value Added Tax (VAT) is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Greece, VAT is administered by the VAT office for the region in which the business is established.
Poland Passport Number | Data Identifiers | A Polish passport is an international travel document issued to nationals of Poland. It may also serve as proof of Polish citizenship.
Poland Value Added Tax (VAT) Number | Data Identifiers | Value Added Tax (VAT) is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Poland, VAT is administered by the VAT office for the region in which the business is established.
Romania Value Added Tax (VAT) Number | Data Identifiers | Value Added Tax (VAT) is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. In Romania, it is also called TVA or CIF.
Hungary Passport Number | Data Identifiers | Hungarian passports are issued to Hungarian citizens for international travel by the Central Data Processing, Registration, and Election Office of the Hungarian Ministry of the Interior.
Czech Republic Value Added Tax (VAT) Number | Data Identifiers | Value Added Tax (VAT) is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. In the Czech Republic, it is also called DPH.
Slovakia Passport Number Data Identifiers Slovak passports are issued to citizens of
Slovakia to facilitate international travel.

1287
Name Type Description

Slovakia Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. For
Slovakia, VAT is administered by the tax
office for the region in which the business is
established.
Slovenia Passport Number Data Identifiers Slovenian passports are issued to citizens
of Slovenia to facilitate international travel.
Slovenia Tax Identification Number Data Identifiers The Slovenia Tax Identification Number is
a unique identifier of individuals and legal
entities for tax purposes. The Financial
Administration of the Republic of Slovenia
issues and administers tax identification
numbers in Slovenia.
Slovenia Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. For
Slovenia, VAT is administered by the tax
office for the region in which the business is
established.
Croatia National Identification Number Data Identifiers The Croatian National Identification number
(Osobni identifikacijski broj or OIB) is the
permanent personal and tax identifier for
Croatian citizens and residents.
Estonia Personal Identification Number Data Identifiers In Estonia, the personal identification code
is a number based on the sex and birth
date of a person. This code is used as a
unique personal identifier by governmental
and other systems where identification is
required, as well as for digital signatures
using the national identity card and its
associated certificates. It also serves as tax
identification number.
Estonia Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process.
For Estonia, VAT is administered by tax
office for the region in which the business is
established.
Lithuania Personal Identification Data Identifiers In Lithuania, the personal identification
Number code is a number based on the sex
and birth date of a person. This code is
used as a unique personal identifier by
governmental and other systems where
identification is required, as well as for
digital signatures using the national identity
card and its associated certificates.

1288
Name Type Description

Lithuania Tax Identification Number Data Identifiers The Lithuanian Taxpayer Identification
Number is used to identify taxpayers and
facilitate the administration of their national
tax affairs.
Estonia Passport Number Data Identifiers The Estonian passport is an international
travel document issued to citizens of
Estonia that also serves as proof of
Estonian citizenship. The Border Guard
Board in Estonia and Estonian foreign
representations abroad are responsible for
issuing Estonian passports.
Lithuania Value Added Tax (VAT) Data Identifiers Value Added Tax (VAT) is a consumption
Number tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. In
Lithuania, VAT is administered by the State
Tax Inspectorate.
Latvia Passport Number Data Identifiers Latvian passports are issued to citizens of
Latvia for identity and international travel
purposes. The territorial section of The
Office of Citizenship and Migration Affairs
issues passports.
Latvia Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. In
Latvia, VAT is administered by the State
Revenue Service.
Bulgaria Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process.
In Bulgaria, VAT is administered by the
National Revenue Agency, which is
overseen by the Bulgarian Ministry of
Finance.
Malta National Identification Number Data Identifiers Every resident of Malta is assigned a
national number. For foreigners who are
authorized to reside in Malta, National
numbers for foreign resident end with the
letter A. National numbers for Maltese
citizens end with M, G, L, H or P.
Malta Tax Identification Number Data Identifiers The Malta Tax Identification Number
is assigned by the Inland Revenue
Department as a means of identification for
income tax purposes.
Malta Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process.
In Malta, VAT is administered by tax office
for the region in which the business is
established.

1289
Name Type Description

Iceland National Identification Number Data Identifiers The Iceland National Identification
Number is a unique national identifier
used by the Icelandic government to
identify individuals and organizations. It
is administered by the Registers Iceland.
Icelandic national identification numbers
are issued to Icelandic citizens at birth
and to foreign nationals resident in Iceland
upon registration. They are also issued to
corporations and institutions.
Serbia Unique Master Citizen Number Data Identifiers The Serbian Unique Master Citizen Number
is a unique identifier for Serbian citizens.
It is assigned to every citizen of Serbia at
birth or upon acquiring citizenship.
Switzerland Passport Number Data Identifiers Swiss passports are issued to citizens of
Switzerland to facilitate international travel.
Iceland Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. For
Iceland, VAT is administered by the VAT
office for the region in which the business is
established.
Iceland Passport Number Data Identifiers Icelandic passports are issued to citizens
of Iceland for the purpose of international
travel and may also serve as a proof of
Iceland citizenship.
Switzerland Value Added Tax (VAT) Data Identifiers Value Added Tax (VAT) is a consumption
Number tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. For
Switzerland, VAT is administered by the
Federal Statistical Office for the region in
which the business is established.
Serbia Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process.
In Serbia, VAT is administered by the Tax
Administration department of the Ministry of
Finance.
Liechtenstein Passport Number Data Identifiers Liechtenstein passports are issued to
nationals of Liechtenstein for the purpose
of international travel. The passport may
also serve as proof of Liechtensteiner
citizenship.
Norway National Identification Number Data Identifiers The Norway National identification number
is assigned by the Norwegian state to all
citizens of the country. It is administered by
the Tax Administration.

1290
Name Type Description

Norway Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. For
Norway, VAT Is administered by the VAT
office for the region in which the business is
established.
Romania Driver's Licence Number Data Identifiers A driving license in Romania is a document
confirming the rights of the holder to drive
motor vehicles.
Czech Republic Driver's Licence Data Identifiers The Czech Republic Ministry of Transport
Number grants driver's licenses in the Czech
Republic, confirming the rights of the holder
to drive motor vehicles.
Slovakia Driver's Licence Number Data Identifiers A Slovak drivers license is a document
confirming the rights of the holder to drive
motor vehicles. Slovak driver's licenses are
granted by the Ministry of Interior.
Poland Driver's Licence Number Data Identifiers Poland issues driving licenses confirming
the rights of the holder to drive motor
vehicles.
Hungary Driver's Licence Number Data Identifiers A driving license in Hungary is a document
issued by the Ministry of Economics and
Transport, confirming the rights of the
holder to drive motor vehicles.
Latvia Driver's Licence Number Data Identifiers A driver's license in Latvia is a document
issued by the Road Traffic Safety
Directorate, confirming the rights of the
holder to drive motor vehicles.
Norway Driver's Licence Number Data Identifiers A driver's license is required in Norway
before a person is permitted to drive a
motor vehicle of any description on a road
in Norway.
Cyprus Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process.
For Cyprus, VAT is administered by the tax
office for the region in which the business is
established.
Cyprus Tax Identification Number Data Identifiers The Cyprus Tax Identification Number is a
unique identifier for Cypriot taxpayers.
Switzerland Health Insurance Card Data Identifiers Swiss insurance providers issue health
Number insurance cards to their customers. Swiss
health insurance cards can also be used to
access European health services.
Estonia Driver's Licence Number Data Identifiers The Estonian Road Administration issues
driving licenses in Estonia, confirming the
rights of the holder to drive motor vehicles.

1291
Name Type Description

SEPA Creditor Identifier Number North Data Identifiers The Single Euro Payment Area (SEPA) is a
payments system created by the European
Union that harmonizes the way cashless
payments transact between Euro countries.
SEPA North is for the United Kingdom,
Sweden, Denmark, Finland, Ireland.
European consumers, businesses, and
government agents who make payments
by direct debit, credit card or through credit
transfers use the SEPA architecture. The
Single Euro Payment Area is approved and
regulated by European Commission.
SEPA Creditor Identifier Number South Data Identifiers The Single Euro Payment Area (SEPA)
is a payments system created by the
European Union that harmonizes the way
cashless payments transact between
Euro countries. SEPA South is for Italy,
Spain, and Portugal. European consumers,
businesses, and government agents who
make payments by direct debit, credit
card or through credit transfers use the
SEPA architecture. The Single Euro
Payment Area is approved and regulated
by European Commission.
SEPA Creditor Identifier Number West Data Identifiers The Single Euro Payment Area (SEPA)
is a payments system created by the
European Union that harmonizes the way
cashless payments transact between Euro
countries. SEPA West is for Germany,
France, Netherlands, Belgium, Austria,
and Luxembourg. European consumers,
businesses, and government agents who
make payments by direct debit, credit
card, or through credit transfers use
the SEPA architecture. The Single Euro
Payment Area is approved and regulated
by European Commission.
European Health Insurance Number Data Identifiers The European Health Insurance Card
(EHIC) allows anyone insured by or
covered by a statutory social security
scheme of the European Economic Area
countries and Switzerland to receive
medical treatment in another member state
free or at a reduced cost.

General Data Protection Regulation (Healthcare and Insurance)


This template focuses on General Data Protection Regulation (GDPR) healthcare and insurance related keywords, Data Identifiers and an EDM profile with related columns.
The GDPR is a regulation by which the European Commission intends to strengthen and unify data protection for individuals within the EU. It also addresses export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The GDPR replaces the EU Data Protection Directives as of 25 May 2018.

Table 698: General Data Protection Regulations (Healthcare and Insurance) detection rules

Name | Type | Description

GDPR Healthcare and Insurance Related Keywords | Keyword Match | Matches a list of related keywords: account number, bank card number, ID card number, medical record number, Kontonummer, Bankkartennummer, ID-Kartennummer, medizinische Datensatznummer, Numéro compte, banque carte nombre, numéro de carte d'identité, numéro d'enregistrement médical, numero conto, numero carta banca, numero carta d'identità, numero cartella clinica, número cuenta, Número cuenta bancaria, Numero de la tarjeta identificacion, número registro médico, rekeningnummer, bank kaartnummer, identiteitskaartnummer, medisch dossier nummer, bankkortnummer, identitetskortnummer, ID-kortnummer, tilinumero, pankkikortin numero, Henkilökortin numero, lääketieteellisen ennätysnumero, uimhir chuntais, uimhir chárta bainc, Uimhir chárta aitheantais, uimhir taifead leighis, Kontosnummer, Identifikatiounskaart, medizinescher Dateschutznummer, número de conta, número cartão bancário, Número do cartão de identificação
UK Driver's Licence Number | Data Identifiers | The UK Driver's Licence Number is the identification number for an individual's driver's license issued by the Driver and Vehicle Licensing Agency of the United Kingdom.
UK National Health Service (NHS) | Data Identifiers | The UK National Health Service (NHS) Number is the personal identification number issued by the U.K. National Health Service (NHS) for administration of medical care.
UK National Insurance Number | Data Identifiers | The UK National Insurance Number is issued by the United Kingdom Department for Work and Pensions (DWP) to identify an individual for the national insurance program. It is also known as a NI number, NINO or NINo.
Belgian National Number | Data Identifiers | All citizens of Belgium have a National Number. Belgians 12 years of age and older are issued a Belgian identity card.
Czech Personal Identification Number | Data Identifiers | All citizens of the Czech Republic are issued a unique personal identification number by the Ministry of Interior.
French INSEE code | Data Identifiers | The INSEE code in France is used as a social insurance number, a national identification number, and for taxation and employment purposes.
French Social Security Number | Data Identifiers | The French Social Security Number (FSSN) is a unique number assigned to each French citizen or resident foreign national. It serves as a national identification number.
Hungarian Social Security Number | Data Identifiers | The Hungarian Social Security Number (TAJ) is a unique identifier issued by the Hungarian government.
Irish Personal Public Service Number | Data Identifiers | The format of the number is a unique 8-character alphanumeric string ending with a letter, such as 8765432A. The number is assigned at the registration of birth of the child and is issued on a Public Services Card and is unique to every person.
Luxembourg National Register of Individuals Number | Data Identifiers | The Luxembourg National Register of Individuals Number is an 11-digit identification number issued to all Luxembourg citizens at age 15.
Polish Identification Number | Data Identifiers | Every Polish citizen 18 years of age or older residing permanently in Poland must have an Identity Card with a unique personal number. The number is used as identification for almost all purposes.
Polish REGON Number | Data Identifiers | Each national economy entity is obligated to register in the register of business entities called REGON in Poland. It is the only integrated register in Poland covering all of the national economy entities. Each company has a unique REGON number.
Polish Social Security Number (PESEL) | Data Identifiers | The Polish Social Security Number (PESEL) is the national identification number used in Poland. The PESEL number is mandatory for all permanent residents of Poland and for temporary residents living in Poland. It uniquely identifies a person and cannot be transferred to another.
Romanian Numerical Personal Code | Data Identifiers | In Romania, each citizen has a unique numerical personal code (Cod Numeric Personal, or CNP). The number is used by authorities, health care, schools, universities, banks, and insurance companies for customer identification.
Spanish DNI ID | Data Identifiers | The Spanish DNI ID appears on the Documento nacional de identidad (DNI) and is issued by the Spanish Hacienda Publica to every citizen of Spain. It is the most important unique identifier in Spain, used for opening accounts, signing contracts, taxes, and elections.
Spanish Social Security Number | Data Identifiers | The Spanish Social Security Number is a 12-digit number assigned to Spanish workers to allow access to the Spanish healthcare system.
Bulgarian Uniform Civil Number | Data Identifiers | The uniform civil number (EGN) is a unique number assigned to each Bulgarian citizen or resident foreign national. It serves as a national identification number. An EGN is assigned to Bulgarians at birth, or when a birth certificate is issued.
Austrian Social Security Number | Data Identifiers | A social security number is allocated to Austrian citizens who receive available social security benefits. It is allocated by the umbrella association of the Austrian social security authorities.
German Personal ID Number | Data Identifiers | The German Personal ID Number is issued to all German citizens.
Burgerservicenummer | Data Identifiers | In the Netherlands, the Burgerservicenummer is used to uniquely identify citizens and is printed on driving licenses, passports and international ID cards under the header Personal Number.
Codice Fiscale | Data Identifiers | The Codice Fiscale uniquely identifies an Italian citizen or permanent resident alien, and issuance of the code is centralized to the Ministry of Treasure. The Codice Fiscale is issued to every Italian at birth.
Finnish Personal Identification Number | Data Identifiers | The Finnish Personal Identification Number or Personal Identity Code is a unique personal identifier used for identifying citizens in government and many other transactions.
Swedish Personal Identification Number | Data Identifiers | The Swedish Personal Identification Number is the unique national identification for every Swedish citizen. The number is used by authorities, health care, schools, universities, banks, and insurance companies for customer identification.
Belgium Driver's License Number | Data Identifiers | Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of Belgium.
Denmark Personal Identification Number | Data Identifiers | In Denmark, every citizen has a national identification number. The number serves as proof of identification for almost all purposes.
Netherlands Driver's License Number | Data Identifiers | Identification number for an individual's driver's licence issued by the RDW government agency of the Netherlands.
France Driver's License Number | Data Identifiers | Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of France.
France Health Insurance Number | Data Identifiers | A Carte Vitale is a social insurance card used in France that contains medical information for the card holder. It has a unique 21-digit serial number.
Germany Driver's License Number | Data Identifiers | Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of Germany.
Italy Health Insurance Number | Data Identifiers | The Italian Health Insurance Card is issued to every Italian citizen by the Italian Ministry of Economy and Finance in cooperation with the Italian Agency of Revenue. The objective of the card is to improve the social security services through expenditure control and performance, and to optimize the use of health services by citizens.
Italy Driver's License Number | Data Identifiers | Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of Italy.
Spain Driver's License Number | Data Identifiers | Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of Spain.
Finland Driver's Licence Number | Data Identifiers | Identification number for an individual's driver's license issued in an EU or EEA Member State for a Finnish license.
Portugal National Identification Number | Data Identifiers | The national identification number is a unique identification number usually present on documents like citizen cards, which are issued by the Portuguese government to its citizens. It can be used as a travel document within the EU and some other European countries.
Portugal Driver's Licence Number | Data Identifiers | The Institute for Mobility and Land Transport (IMTT) issues driver's licenses in Portugal.
Greece Social Security Number (AMKA) | Data Identifiers | The AMKA (social security number) is the work and insurance identification number of every worker, retired person and protected family member in Greece.
Romania National Identification Number | Data Identifiers | In Romania, each citizen has a personal numerical code (Cod Numeric Personal, CNP) as a unique national identification number. This number is also used as a tax identification number for financial purposes.
Slovakia National Identification Number | Data Identifiers | In Slovakia, identification cards are issued by the state authorities to every citizen at 15 years of age. This number is used in the Slovak Republic as the primary unique identifier for every person by government institutions, banks and so on.
Slovenia Unique Master Citizen Number | Data Identifiers | The unique master citizen number is a unique identification number assigned to every citizen of Slovenia at birth or on acquiring citizenship.
Latvia Personal Identification Number | Data Identifiers | The Latvian personal identification number is used for national identity and as a tax identification number for financial purposes. It is issued by the Office of Citizenship and Migration Affairs of the Ministry of Interior.
Finland European Health Insurance Number | Data Identifiers | The unique 20-digit numeric identifier that is assigned to every person who uses health services in Finland.
Sweden Driver's Licence Number | Data Identifiers | In Sweden, a driving license is required when operating a car, motorcycle or moped on public roads. Driving licenses are issued by the prefectural governments' public safety commissions and are overseen on a nationwide basis by the National Police Agency.
Croatia National Identification Number | Data Identifiers | The Croatian National Identification Number (Osobni identifikacijski broj or OIB) is the permanent personal and tax identifier for Croatian citizens and residents.
Estonia Personal Identification Number | Data Identifiers | In Estonia, the personal identification code is a number based on the sex and birth date of a person. This code is used as a unique personal identifier by governmental and other systems where identification is required, as well as for digital signatures using the national identity card and its associated certificates. It also serves as a tax identification number.
Lithuania Personal Identification Number | Data Identifiers | In Lithuania, the personal identification code is a number based on the sex and birth date of a person. This code is used as a unique personal identifier by governmental and other systems where identification is required, as well as for digital signatures using the national identity card and its associated certificates.
Malta National Identification Number | Data Identifiers | Every resident of Malta is assigned a national number. For foreigners who are authorized to reside in Malta, national numbers end with the letter A. National numbers for Maltese citizens end with M, G, L, H or P.
Iceland National Identification Number | Data Identifiers | The Iceland National Identification Number is a unique national identifier used by the Icelandic government to identify individuals and organizations. It is administered by Registers Iceland. Icelandic national identification numbers are issued to Icelandic citizens at birth and to foreign nationals resident in Iceland upon registration. They are also issued to corporations and institutions.
Serbia Unique Master Citizen Number | Data Identifiers | The Serbian Unique Master Citizen Number is a unique identifier for Serbian citizens. It is assigned to every citizen of Serbia at birth or upon acquiring citizenship.
Norway National Identification Number | Data Identifiers | The Norway National Identification Number is assigned by the Norwegian state to all citizens of the country. It is administered by the Tax Administration.
Romania Driver's Licence Number | Data Identifiers | A driving license in Romania is a document confirming the rights of the holder to drive motor vehicles.
Czech Republic Driver's Licence Number | Data Identifiers | The Czech Republic Ministry of Transport grants driver's licenses in the Czech Republic, confirming the rights of the holder to drive motor vehicles.
Slovakia Driver's Licence Number | Data Identifiers | A Slovak driver's license is a document confirming the rights of the holder to drive motor vehicles. Slovak driver's licenses are granted by the Ministry of Interior.
Poland Driver's Licence Number | Data Identifiers | Poland issues driving licenses confirming the rights of the holder to drive motor vehicles.
Hungary Driver's Licence Number | Data Identifiers | A driving license in Hungary is a document issued by the Ministry of Economics and Transport, confirming the rights of the holder to drive motor vehicles.
Latvia Driver's Licence Number | Data Identifiers | A driver's license in Latvia is a document issued by the Road Traffic Safety Directorate, confirming the rights of the holder to drive motor vehicles.
Norway Driver's Licence Number | Data Identifiers | A driver's license is required in Norway before a person is permitted to drive a motor vehicle of any description on a road in Norway.
Switzerland Health Insurance Card Number | Data Identifiers | Swiss insurance providers issue health insurance cards to their customers. Swiss health insurance cards can also be used to access European health services.
Estonia Driver's Licence Number | Data Identifiers | The Estonian Road Administration issues driving licenses in Estonia, confirming the rights of the holder to drive motor vehicles.
European Health Insurance Number | Data Identifiers | The European Health Insurance Card (EHIC) allows anyone insured by or covered by a statutory social security scheme of the European Economic Area countries and Switzerland to receive medical treatment in another member state free or at a reduced cost.

General Data Protection Regulation (Personal Profile) Policy Template


This template focuses on General Data Protection Regulation (GDPR) personal profile related keywords, Data Identifiers and an EDM profile with related columns.
The GDPR is a regulation by which the European Commission intends to strengthen and unify data protection for individuals within the EU. It also addresses export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The GDPR replaces the EU Data Protection Directives as of 25 May 2018.

Table 699: General Data Protection Regulations (Personal Profile) detection rule

Name | Type | Description

GDPR Personal Profile Keywords | Keyword Match | Matches a list of related keywords: academic details, work history, professional qualification, summary of qualifications, bio data, bio-data, CV, curriculum vitae, Akademische Details, Arbeitsgeschichte, Berufsqualifikation, Zusammenfassung der Qualifikationen, Bio-Daten, Lebenslauf, Bio Daten, Les données académiques, la qualification professionnelle, le résumé des qualifications, Bio données, le curriculum vitae, dettagli accademici, storia del lavoro, qualificazione professionale, sintesi delle qualifiche, i dati bio, bio-dati, Datos académicos, historial de trabajo, calificación profesional, resumen de calificaciones, datos bio, bio-datos, academische informatie, werk geschiedenis, beroepskwalificatie, samenvatting van kwalificaties, bio gegevens, bio-gegevens, leerplan vitae, akademiska detaljer, Jobbhistorik, professionell kvalifikation, sammanfattning av kvalifikationer, meritförteckning, akademiske detaljer, arbejdshistorie, professionel kvalifikation, Resumé af kvalifikationer, Genoptag, akateemiset yksityiskohdat, työhistoria, ammattipätevyys, yhteenveto tutkinnoist, sonraí acadúla, stair oibre, cáilíocht ghairmiúil, achoimre ar cháilíochtaí, akademesch Detailer, Aarbechtsgeschicht, berufflech Qualifikatioun, Zesummefaassung vu Qualifikatiounen, Liewenslaf, detalhes acadêmicos, histórico de trabalho, qualificação profissional, sumário de qualificações, Currículo

General Data Protection Regulation (Travel)
This template focuses on General Data Protection Regulation (GDPR) travel related keywords, Data Identifiers and an EDM profile with related columns.
The GDPR is a regulation by which the European Commission intends to strengthen and unify data protection for individuals within the EU. It also addresses export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The GDPR replaces the EU Data Protection Directives as of 25 May 2018.

Table 700: General Data Protection Regulations (Travel) detection rules

Name (Type): Description

GDPR Travel Related Keywords (Keyword Match): Matches a list of related keywords: account number, bank card number, driver license number, ID card number, passenger name, seat number, luggage details, journey details, purchase details, purchase invoice, travel ticket, travel invoice, passenger details, tourist details, Kontonummer, Bankkartennummer, Führerscheinnummer, Ausweisnummer, Passagiername, Sitzplatznummer, Einkaufsdetails, Kaufrechnungen, Passagierdetails, Touristendetails, Gepäckdetails, Fahrtdetails, ReiseFahrkarte, ReiseRechnung, numéro compte, numéro carte bancaire, numéro de permis de conduire, numéro de carte d'identité, passager nom, numéro du siège, bagage détails, détails voyage, l'achat détails, la facture d'achat, billet de voyage, la facture voyage, détails passager, détails touristiques, numero di conto, numero carta banca, numero patente di guida, numero carta d'identità, nome passeggero, numero del posto, dettagli dei bagagli, dettagli di viaggio, dettagli acquisto, fattura acquisto, biglietto viaggio, fattura viaggio, dati passeggeri, dettagli turistiche, Número cuenta, número tarjeta bancaria, número licencia de conducir, número de tarjeta identificación, nombre pasajero, número asiento, detalles equipaje, detalles de viaje, detalles de compra, viaje factura, viaje billete, factura de viaje, pasajeros detalles, detalles turísticos, rekeningnummer, bankkaart nummer, rijbewijs nummer, ID-kaart nummer, naam passagier, stoelnummer, bagage-informatie, reis informatie, aankoopgegevens, aankoopfactuur, reizenreisbiljet, reizen factuur, passagiersgegevens, toeristische informatie,
UK Passport Number (Data Identifiers): The UK Passport Number identifies a United Kingdom passport using the current official specification of the UK Government Standards of the UK Cabinet Office.
French Passport Number (Data Identifiers): The French passport is an identity document issued to French citizens. Besides enabling the bearer to travel internationally and serving as an indication of French citizenship, the passport facilitates the process of securing assistance from French consular officials abroad or from other European Union member states in case a French consulate is absent, if needed.
German Passport Number (Data Identifiers): The German passport number is issued to German nationals for the purpose of international travel. A German passport is an officially recognized document that German authorities accept as proof of identity from German citizens.
Spanish Passport Number (Data Identifiers): Spanish passports are issued to Spanish citizens for the purpose of travel outside Spain.
Swedish Passport Number (Data Identifiers): Swedish passports are issued to nationals of Sweden for the purpose of international travel. Besides serving as proof of Swedish citizenship, they facilitate the process of securing assistance from Swedish consular officials abroad or from other European Union member states in case a Swedish consulate is absent, if needed.
Austria Passport Number (Data Identifiers): Austrian passports are travel documents issued to Austrian citizens by the Austrian Passport Office of the Department of Foreign Affairs and Trade, both in Austria and overseas, and enable the passport holder to travel internationally.
Belgium Passport Number (Data Identifiers): Belgian passports are passports issued by the Belgian state to its citizens to facilitate international travel. The Federal Public Service Foreign Affairs, formerly known as the Ministry of Foreign Affairs, is responsible for issuing and renewing Belgian passports.
Belgium Driver's License Number (Data Identifiers): Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of Belgium.
Netherlands Bank Account Number (Data Identifiers): The Netherlands bank account number is the standard bank account number used across the Netherlands.
Netherlands Driver's License Number (Data Identifiers): Identification number for an individual's driver's licence issued by the RDW government agency of the Netherlands.

Netherlands Passport Number (Data Identifiers): Dutch passports are issued to Netherlands citizens for the purpose of international travel.
France Driver's License Number (Data Identifiers): Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of France.
Germany Driver's License Number (Data Identifiers): Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of Germany.
Italy Passport Number (Data Identifiers): Italian passports are issued to Italian citizens for the purpose of international travel.
Italy Driver's License Number (Data Identifiers): Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of Italy.
Spain Driver's License Number (Data Identifiers): Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of Spain.
Ireland Passport Number (Data Identifiers): An Irish passport is the passport issued to citizens of Ireland. An Irish passport enables the bearer to travel internationally and serves as evidence of Irish citizenship and citizenship of the European Union. It also facilitates access to consular assistance from both Irish embassies and any embassy of another European Union member state while abroad.
Luxembourg Passport Number (Data Identifiers): A Luxembourg passport is an international travel document issued to nationals of the Grand Duchy of Luxembourg, and may also serve as proof of Luxembourgish citizenship.
Portugal Passport Number (Data Identifiers): Portuguese passports are issued to citizens of Portugal for the purpose of international travel. The passport, along with the national identity card, allows for free rights of movement and residence in any of the states of the European Union and European Economic Area.
Finland Passport Number (Data Identifiers): Finnish passports are issued to nationals of Finland for the purpose of international travel. They also facilitate the process of securing assistance from Finnish consular officials abroad.
Finland Driver's Licence Number (Data Identifiers): Identification number for an individual's driver's license issued in an EU or EEA Member State for a Finnish license.
Portugal Driver's Licence Number (Data Identifiers): The Institute for Mobility and Land Transport (IMTT) issues driver's licenses in Portugal.

Sweden Driver's Licence Number (Data Identifiers): In Sweden, a driving license is required when operating a car, motorcycle or moped on public roads. Driving licenses are issued by the prefectural governments public safety commissions and are overseen on a nationwide basis by the National Police Agency.
Greece Passport Number (Data Identifiers): Greek passports are issued to Greek citizens for the purpose of international travel. The passport, along with the national identity card, allows for free rights of movement and residence in any of the states of the European Union and European Economic Area.
Poland Passport Number (Data Identifiers): A Polish passport is an international travel document issued to nationals of Poland. It may also serve as proof of Polish citizenship.
Hungary Passport Number (Data Identifiers): Hungarian passports are issued to Hungarian citizens for international travel by the Central Data Processing, Registration, and Election Office of the Hungarian Ministry of the Interior.
Slovakia Passport Number (Data Identifiers): Slovak passports are issued to citizens of Slovakia to facilitate international travel.
Slovenia Passport Number (Data Identifiers): Slovenian passports are issued to citizens of Slovenia to facilitate international travel.
Estonia Passport Number (Data Identifiers): The Estonian passport is an international travel document issued to citizens of Estonia that also serves as proof of Estonian citizenship. The Border Guard Board in Estonia and Estonian foreign representations abroad are responsible for issuing Estonian passports.
Latvia Passport Number (Data Identifiers): Latvian passports are issued to citizens of Latvia for identity and international travel purposes. The territorial section of The Office of Citizenship and Migration Affairs issues passports.
Switzerland Passport Number (Data Identifiers): Swiss passports are issued to citizens of Switzerland to facilitate international travel.
Iceland Passport Number (Data Identifiers): Icelandic passports are issued to citizens of Iceland for the purpose of international travel and may also serve as proof of Icelandic citizenship.
Liechtenstein Passport Number (Data Identifiers): Liechtenstein passports are issued to nationals of Liechtenstein for the purpose of international travel. The passport may also serve as proof of Liechtensteiner citizenship.

Romania Driver's Licence Number (Data Identifiers): A driving license in Romania is a document confirming the rights of the holder to drive motor vehicles.
Czech Republic Driver's Licence Number (Data Identifiers): The Czech Republic Ministry of Transport grants driver's licenses in the Czech Republic, confirming the rights of the holder to drive motor vehicles.
Slovakia Driver's Licence Number (Data Identifiers): A Slovak driver's license is a document confirming the rights of the holder to drive motor vehicles. Slovak driver's licenses are granted by the Ministry of Interior.
Poland Driver's Licence Number (Data Identifiers): Poland issues driving licenses confirming the rights of the holder to drive motor vehicles.
Hungary Driver's Licence Number (Data Identifiers): A driving license in Hungary is a document issued by the Ministry of Economics and Transport, confirming the rights of the holder to drive motor vehicles.
Latvia Driver's Licence Number (Data Identifiers): A driver's license in Latvia is a document issued by the Road Traffic Safety Directorate, confirming the rights of the holder to drive motor vehicles.
Norway Driver's Licence Number (Data Identifiers): A driver's license is required in Norway before a person is permitted to drive a motor vehicle of any description on a road in Norway.
Estonia Driver's Licence Number (Data Identifiers): The Estonian Road Administration issues driving licenses in Estonia, confirming the rights of the holder to drive motor vehicles.

Gramm-Leach-Bliley Policy Template


The Gramm-Leach-Bliley (GLB) Act gives consumers the right to limit some sharing of their information by financial
institutions.
The Gramm-Leach-Bliley policy template detects transmittal of customer data.

Table 701: Gramm-Leach-Bliley policy template conditions

Detection method (Type): Description

Username/Password Combinations (Simple rule: EDM): This rule looks for user names and passwords in combination.
Choosing an Exact Data Profile
Exact SSN or CCN (Simple rule: EDM): This rule looks for SSN or Credit Card Number.
Customer Directory (Simple rule: EDM): This rule looks for Phone or Email.
3 or more critical customer fields (Simple rule: EDM): This rule looks for a match among any three of the following fields:
• Account number
• Bank card number
• Email address
• First name
• Last name
• PIN number
• Phone number
• Social security number
• ABA Routing Number
• Canadian Social Insurance Number
• UK National Insurance Number
• Date of Birth
However, the following combinations are not a match:
• Phone, email, and first name
• Phone, email, and last name
• Email, first name, and last name
• Phone, first name, and last name
ABA Routing Numbers (Simple rule: DCM (DI)): This condition detects nine-digit numbers. It validates the number using the final check digit. This condition eliminates common test numbers, such as 123456789, number ranges that are reserved for future use, and numbers consisting of all the same digit. This condition also requires the presence of an ABA-related keyword.
US Social Security Numbers (Simple rule: DCM (DI)): This rule looks for social security numbers. For this rule to match, there must be a number that fits the Randomized US SSN data identifier. There must also be a keyword or phrase that indicates the presence of a US SSN, taken from the "US SSN Keywords" dictionary. The keyword condition is included to reduce false positives with any numbers that may match the SSN format.
Credit Card Numbers (Simple rule: DCM (DI)): This condition detects valid credit card numbers that are separated by spaces, dashes, periods, or without separators. This condition performs Luhn check validation and includes the following credit card formats:
• American Express
• Diner's Club
• Discover
• Japan Credit Bureau (JCB)
• MasterCard
• Visa
This rule eliminates common test numbers, including those reserved for testing by credit card issuers, and also requires the presence of a credit card-related keyword.
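The two DCM (DI) conditions above and the three-field EDM condition, modelled in Python as an added example that is not Symantec's code: candidate digit runs are extracted with the separators the template accepts, validated with the ABA check digit or the Luhn check, test numbers and reserved ranges are dropped, and a match is reported only when a related keyword is also present. The keyword dictionaries, the issuer prefix table, the reserved-prefix table and the sample message are assumptions constructed for this example.

```python
import re
from itertools import combinations

# Constructed keyword dictionaries standing in for the template's own "ABA-related" and
# "credit card-related" lists (hypothetical contents; the real lists are not on the page).
ABA_KEYWORDS = ("aba", "routing number", "routing #", "rtn", "wire transfer")
CC_KEYWORDS = ("credit card", "card number", "visa", "mastercard", "amex", "exp date")

# Test numbers to discard: 123456789 is the page's own example; the card numbers are a
# few well-known issuer test numbers (the product's full list is not on the page).
ABA_TEST_NUMBERS = {"123456789"}
CC_TEST_NUMBERS = {"4111111111111111", "5555555555554444", "378282246310005"}

# Assumption: routing-number prefixes in use (Federal Reserve districts, thrifts, electronic
# and traveler's cheque ranges); any other prefix is treated as "reserved for future use".
ABA_VALID_PREFIXES = set(range(0, 13)) | set(range(21, 33)) | set(range(61, 73)) | {80}

# Digit runs of 9 to 16 digits, optionally separated by single spaces, dashes or periods.
CANDIDATE_RE = re.compile(r"(?<!\d)\d(?:[ .-]?\d){8,15}(?!\d)")

# Constructed sample message; both numbers are made up and exist only to exercise the checks.
SAMPLE_MESSAGE = "Wire transfer to routing number 071923459, credit card 4532-0151-1283-0366 exp date 09/27"

def find_candidates(text):
    """Return every candidate number in text with its separators stripped."""
    return [re.sub(r"[ .-]", "", m.group(0)) for m in CANDIDATE_RE.finditer(text)]

def has_keyword(text, keywords):
    low = text.lower()
    return any(k in low for k in keywords)

def aba_check_digit_ok(digits):
    """ABA check digit: weights 3,7,1 repeating; the weighted sum must be a multiple of 10."""
    weights = (3, 7, 1) * 3
    return len(digits) == 9 and sum(w * int(d) for w, d in zip(weights, digits)) % 10 == 0

def luhn_ok(digits):
    """Luhn mod-10 check used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled; 10..18 fold to 1..9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def card_brand(digits):
    """Issuer formats the template lists; the prefix/length rules are an assumption for this example."""
    n, p2, p3, p4 = len(digits), int(digits[:2]), int(digits[:3]), int(digits[:4])
    if n == 15 and p2 in (34, 37):
        return "American Express"
    if n == 14 and (300 <= p3 <= 305 or p2 in (36, 38)):
        return "Diner's Club"
    if n == 16 and (p4 == 6011 or p2 == 65):
        return "Discover"
    if n == 16 and 3528 <= p4 <= 3589:
        return "Japan Credit Bureau (JCB)"
    if n == 16 and 51 <= p2 <= 55:
        return "MasterCard"
    if n in (13, 16) and digits[0] == "4":
        return "Visa"
    return None

def aba_routing_condition(text):
    """Model of the 'ABA Routing Numbers' condition: the routing numbers that would match."""
    hits = []
    for digits in find_candidates(text):
        if len(digits) != 9 or not aba_check_digit_ok(digits):
            continue
        # 000000000 passes the check digit, so the all-same-digit rule is not redundant.
        if digits in ABA_TEST_NUMBERS or len(set(digits)) == 1:
            continue
        if int(digits[:2]) not in ABA_VALID_PREFIXES:
            continue
        hits.append(digits)
    # The keyword requirement is what keeps arbitrary nine-digit numbers from becoming incidents.
    return hits if has_keyword(text, ABA_KEYWORDS) else []

def credit_card_condition(text):
    """Model of the 'Credit Card Numbers' condition: (number, brand) pairs that would match."""
    hits = []
    for digits in find_candidates(text):
        brand = card_brand(digits)
        if brand and luhn_ok(digits) and digits not in CC_TEST_NUMBERS:
            hits.append((digits, brand))
    return hits if has_keyword(text, CC_KEYWORDS) else []

# The '3 or more critical customer fields' EDM condition: any three distinct fields match,
# except the four low-value combinations the template excludes.
EXCLUDED_TRIPLES = {
    frozenset({"Phone number", "Email address", "First name"}),
    frozenset({"Phone number", "Email address", "Last name"}),
    frozenset({"Email address", "First name", "Last name"}),
    frozenset({"Phone number", "First name", "Last name"}),
}

def three_field_condition(matched_fields):
    """True when at least one combination of three matched fields is not an excluded triple."""
    return any(frozenset(c) not in EXCLUDED_TRIPLES for c in combinations(set(matched_fields), 3))
```

Running `aba_routing_condition(SAMPLE_MESSAGE)` returns `['071923459']` and `credit_card_condition(SAMPLE_MESSAGE)` returns `[('4532015112830366', 'Visa')]`; the same card number without any card-related keyword returns nothing, which is the false-positive control the table describes.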

Configuring policies
Exporting policy detection as a template

HIPAA and HITECH (including PHI) Policy Template


The HIPAA and HITECH (including PHI) policy strictly enforces the US Health Insurance Portability and Accountability
Act (HIPAA). The Health Information Technology for Economic and Clinical Health Act (HITECH) is the first national law
that mandates breach notification for protected health information (PHI).

This policy template detects data concerning prescription drugs, diseases, and treatments in combination with PHI.
Organizations that are not subject to HIPAA can also use this policy to control PHI data.
The HIPAA and HITECH (including PHI) policy template is updated with recent Drug, Disease, and Treatment keyword
lists based on information from the U.S. Federal Drug Administration (FDA) and other sources. The policy template is
also updated to use the Randomized US Social Security Number (SSN) data identifier, which detects both traditional and
randomized SSNs.
Keep the keyword lists for your HIPAA and Caldicott policies up to date
Updating policies to use the US Randomized SSN data identifier
TPOs (Treatment, Payment, or health care Operations) are service providers to health care organizations and have
an exception from HIPAA information restrictions. The template requires that you enter the allowed email addresses. If
implemented, the exception is evaluated before the detection rules, and the policy does not trigger an incident if the
protected information is sent to one of the allowed partners.

Table 702: TPO exception

Name (Type): Configuration

TPO Exception (Content Matches Keyword (DCM)): Simple exception (single condition match). Looks for a recipient email address matching one from the "TPO Email Addresses" user-defined keyword dictionary.

The Patient Data detection rule looks for an exact data match against any single column from a profiled Patient Data
database record.

Table 703: Patient Data detection rule

Name (Type): Configuration

Patient Data (Content Matches Exact Data (EDM)): Match data from any single field:
• Last name
• Tax payer ID (SSN)
• Email address
• Account number
• ID card number
• Phone number
Choosing an Exact Data Profile

Patient Data and Drug Codes detection rule is a compound detection rule that requires a Patient Data exact match and a
match from the "Drug Code" data identifier.

Table 704: Patient Data and Drug Codes detection rule

Name (Condition types): Configuration

Patient Data and Drug Codes (Content Matches Exact Data (EDM) AND Content Matches Data Identifier): Looks for a match against any single column from a profiled Patient Data database record and a match from the National Drug Code data identifier.
Patient Data detection rule

Patient Data and Prescription Drug Names detection rule is a compound detection rule that requires a Patient Data exact
match and a keyword match from the "Prescription Drug Names" dictionary.

Table 705: Patient Data and Prescription Drug Names detection rule

Name (Condition types): Configuration

Patient Data and Prescription Drug Names (Content Matches Exact Data (EDM) AND Content Matches Keyword (DCM)): Looks for a match against any single column from a profiled Patient Data database record and a keyword match from the Prescription Drug Names dictionary.
Patient Data detection rule
Updating policies after upgrading to the latest version

Patient Data and Treatment Keywords detection rule is a compound detection rule that requires a Patient Data exact
match and keyword match from the "Medical Treatment Keywords" dictionary.

Table 706: Patient Data and Treatment Keywords detection rule

Name (Condition types): Configuration

Patient Data and Treatment Keywords (Content Matches Exact Data (EDM) AND Content Matches Keyword (DCM)): Looks for a match against any single column from a profiled Patient Data database record and a keyword match from the Medical Treatment Keywords dictionary.
Patient Data detection rule
Updating policies after upgrading to the latest version

Patient Data and Disease Keywords detection rule is a compound detection rule that requires a Patient Data exact match
and a keyword match from the "Disease Names" dictionary.

Table 707: Patient Data and Disease Keywords detection rule

Name (Condition types): Configuration

Patient Data and Disease Keywords (Content Matches Exact Data (EDM) AND Content Matches Keyword (DCM)): Looks for a match against any single column from a profiled Patient Data database record and a keyword match from the Disease Names dictionary.
Patient Data detection rule
Updating policies after upgrading to the latest version

SSN and Drug Keywords detection rule is a compound detection rule that looks for SSNs using the Randomized US
Social Security Number (SSN) data identifier and for a keyword from the "Prescription Drug Names" dictionary.

Table 708: SSN and Drug Keywords detection rule

Name (Condition types): Configuration

SSN and Drug Keywords (compound rule, both conditions must match):
• Content Matches Data Identifier: US Randomized Social Security Number (SSN) data identifier (narrow breadth)
• Content Matches Keyword: Prescription Drug Names keyword dictionary
Updating policies after upgrading to the latest version

SSN and Treatment Keywords detection rule is a compound detection rule that looks for SSNs using the Randomized US
Social Security Number (SSN) data identifier and for a keyword match from the "Medical Treatment Keywords" dictionary.

Table 709: SSN and Treatment Keywords detection rule

Name (Condition types): Configuration

SSN and Treatment Keywords (compound rule, both conditions must match):
• Content Matches Data Identifier: US Randomized Social Security Number (SSN) data identifier (narrow breadth)
• Content Matches Keyword: Medical Treatment Keywords keyword dictionary
Updating policies after upgrading to the latest version

SSN and Disease Keywords detection rule is a compound detection rule that looks for SSNs using the US Randomized
Social Security Number (SSN) data identifier and for a keyword match from the "Disease Names" dictionary.

Table 710: SSN and Disease Keywords detection rule

Name (Condition types): Configuration

SSN and Disease Keywords (compound rule, both conditions must match):
• Content Matches Data Identifier: US Randomized Social Security Number (SSN) data identifier (narrow breadth)
• Content Matches Keyword: Disease Names keyword dictionary
Updating policies after upgrading to the latest version

SSN and Drug Code detection rule is a compound detection rule that looks for SSNs using the US Randomized Social
Security Number (SSN) data identifier and for a drug code using the Drug Code data identifier.

Table 711: SSN and Drug Code detection rule

Name (Condition types): Configuration

SSN and Drug Code (compound rule, both conditions must match):
• Content Matches Data Identifier: US Randomized Social Security Number (SSN) data identifier (narrow breadth)
• Content Matches Keyword: Drug Code data identifier (narrow breadth)

Configuring policies
Exporting policy detection as a template

Human Rights Act 1998 policy Template


The Human Rights Act 1998 allows UK citizens to assert their rights under the European Convention on Human Rights
in UK courts and tribunals. The Act states that "so far as possible to do so, legislation must be read and given effect in a
way which is compatible with convention rights." The Human Rights Act 1998 policy enforces Article 8 by ensuring that the
private lives of British citizens stay private.

EDM Rule UK Data Protection Act, Personal Data

This compound rule looks for two data types, last name and electoral roll number, in combination with a keyword
from the "UK Personal Data Keywords" dictionary.
DCM Rule UK Electoral Roll Numbers
This rule looks for a single condition with four parts:
• A single keyword from the "UK Keywords" dictionary
• A pattern matching that of the UK Electoral Roll Number data identifier
• A single keyword from the "UK Electoral Roll Number Words" dictionary
• A single keyword from the "UK Personal Data Keywords" dictionary

Choosing an Exact Data Profile
Configuring policies
Exporting policy detection as a template

Illegal Drugs Policy Template


This policy detects conversations about illegal drugs and controlled substances.

DCM Rule Street Drugs

This rule looks for five instances of keywords from the "Street Drug Names" dictionary.
DCM Rule Mass Produced Controlled Substances
This rule looks for five instances of keywords from the "Manufactured Controlled Substances" dictionary.

Configuring policies
Exporting policy detection as a template

Individual Taxpayer Identification Numbers (ITIN) Policy Template


An Individual Taxpayer Identification Number (ITIN) is a tax-processing number issued by the US Internal Revenue
Service (IRS). The IRS issues ITINs to track individuals who are not eligible to obtain Social Security Numbers (SSNs).

Table 712: ITIN policy template conditions

DCM Keyword Rule: Description

ITIN: This rule looks for a match to the US ITIN data identifier and a keyword from the "US ITIN Keywords" dictionary.

Configuring policies
Exporting policy detection as a template

International Traffic in Arms Regulations (ITAR) Policy Template


The International Traffic in Arms Regulations (ITAR) are enforced by the US Department of State. Exporters of defense
services or related technical data are required to register with the federal government and may need export licenses. This
policy detects potential violations based on countries and controlled assets designated by the ITAR.
The Indexed ITAR Munition Items and Recipients detection rule looks for a country code in the recipient from the "ITAR
Country Codes" dictionary and for a specific "SKU" from an indexed EDM file.

Table 713: Indexed ITAR Munition Items and Recipients detection rule

Method: Compound rule (both conditions must match)

Recipient Matches Pattern (DCM): Match recipient email or URL domain from ITAR Country Codes list:
• Severity: High.
• Check for existence.
• At least 1 recipient(s) must match.
Content Matches Exact Data (EDM): Choosing an Exact Data Profile

The ITAR Munitions List and Recipients detection rule looks for both a country code in the recipient from the "ITAR
Country Codes" dictionary and a keyword from the "ITAR Munition Names" dictionary.

Table 714: ITAR Munitions List and Recipients detection rule

Method: Compound rule (both conditions must match)

Recipient Matches Pattern (DCM): Match recipient email or URL domain from ITAR Country Codes list:
• Severity: High.
• Check for existence.
• At least 1 recipient pattern must match.
Content Matches Keyword (DCM): Match any keyword from the ITAR Munitions List:
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.

Configuring policies
Exporting policy detection as a template

Media Files Policy template


The Media Files policy detects various types of video and audio files (including mp3).

DCM Rule Media Files

This rule looks for the following media file types:
• qt
• riff
• macromedia_dir
• midi
• mp3
• mpeg_movie
• quickdraw
• realaudio
• wav
• video_win
• vrml
DCM Rule Media Files Extensions
This rule looks for file name extensions from the "Media Files Extensions" dictionary.

Configuring policies
Exporting policy detection as a template

Medicare and Medicaid (including PHI)


This policy detects protected health information (PHI) associated with the United States Medicare and Medicaid programs,
including Medicare Beneficiary Numbers, Health Insurance Claim Numbers and Current Procedural Terminology codes
used by the Healthcare Common Procedure Coding System.

Table 715: Medicare and Medicaid (including PHI) detection rules

Name (Condition type): Description

Healthcare Common Procedure Coding System (HCPCS CPT Codes) and Keywords (Data Identifiers): These three rules match the medium breadth of the Healthcare Common Procedure Coding System (HCPCS CPT Codes) data identifier. They match all unique occurrences in the message envelope, subject line, body, or attachments. Matches are given High severity. They also require the presence of related keywords.
Medicare Beneficiary Identifier (Data Identifiers): This rule matches the narrow breadth of the Medicare Beneficiary Identifier data identifier. It matches all unique occurrences in the message envelope, subject line, body, or attachments. Matches are given High severity.
Health Insurance Claim Number (Data Identifiers): This rule matches the narrow breadth of the Health Insurance Claim Number data identifier. It matches all unique occurrences in the message envelope, subject line, body, or attachments. Matches are given High severity.

Merger and Acquisition Agreements Policy Template


The Mergers and Acquisition Agreements Policy template detects contracts and official documentation concerning merger
and acquisition activity.
You can modify this template with company-specific code words to detect specific deals.
The Merger and Acquisition Agreements Policy template provides a single compound detection rule. All conditions in the
rule must match for the rule to trigger an incident.

Table 716: Merger and Acquisition Agreements compound detection rule

Condition: Configuration

Contract Specific Keywords (Keyword Match):
• Match any keyword: merger, agreement, contract, letter of intent, term sheet, plan of reorganization
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.
Acquisition Corporate Structure Keywords (Keyword Match):
• Match any keyword: subsidiary, subsidiaries, affiliate, acquiror, merger sub, covenantor, acquired company, acquiring company, surviving corporation, surviving company
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.
Merger Consideration Keywords (Keyword Match):
• Match any keyword: merger stock, merger consideration, exchange shares, capital stock, dissenting shares, capital structure, escrow fund, escrow account, escrow agent, escrow shares, escrow cash, escrow amount, stock consideration, break-up fee, goodwill
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.
Legal Contract Keywords (Keyword Match):
• Match any keyword: recitals, in witness whereof, governing law, Indemnify, Indemnified, indemnity, signature page, best efforts, gross negligence, willful misconduct, authorized representative, severability, material breach
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.

Configuring policies
Exporting policy detection as a template

NASD Rule 2711 and NYSE Rules 351 and 472 Policy Template
This policy protects the name(s) of any companies involved in an upcoming stock offering, internal project names for the
offering, and the stock ticker symbols for the offering companies.
The NASD Rule 2711 Documents, Indexed detection rule looks for content from specific documents registered as
sensitive and known to be subject to NASD Rule 2711 or NYSE Rules 351 and 472. This rule returns a match if 80% or
more of the source document is found.

Table 717: NASD Rule 2711 Documents, Indexed detection rule

Method: Simple rule

Content Matches Document Signature (IDM): NASD Rule 2711 Documents, Indexed (IDM):
• Detect documents in selected Indexed Document Profile
• Require at least 80% content match.
• Severity: High.
• Check for existence.
• Look in body, attachments.
Choosing an Indexed Document Profile

The NASD Rule 2711 and NYSE Rules 351 and 472 detection rule is a compound rule that contains a sender condition
and a keyword condition. The sender condition is based on a user-defined list of email addresses of research analysts
at the user's company ("Analysts' Email Addresses" dictionary). The keyword condition looks for any upcoming stock
offering, internal project names for the offering, and the stock ticker symbols for the offering companies ("NASD 2711
Keywords" dictionary). Like the sender condition, it requires editing by the user.

Table 718: NASD Rule 2711 and NYSE Rules 351 and 472 detection rule

Method: Compound rule

Sender/User Matches Pattern (DCM): NASD Rule 2711 and NYSE Rules 351 and 472 (Sender):
• Match sender pattern(s) [research_analyst@company.com] (user defined)
• Severity: High.
• Matches on entire message.
Content Matches Keyword (DCM): NASD Rule 2711 and NYSE Rules 351 and 472 (Keyword Match):
• Match "[company stock symbol]", "[name of offering company]", "[offering name (internal name)]".
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.

Configuring policies
Exporting policy detection as a template

NASD Rule 3010 and NYSE Rule 342 Policy Template


NASD Rule 3010 and NYSE Rule 342 require broker-dealers to supervise certain brokerage employees'
communications. The NASD Rule 3010 and NYSE Rule 342 Policy monitors the communications of registered principals
who are subject to these regulations.
The Stock Recommendation detection rule looks for a keyword from the "NASD 3010 Stock Keywords" dictionary and
the "NASD 3010 Buy/Sell Keywords" dictionary. In addition, this rule requires evidence of a stock recommendation in
combination with a buy or sell action.

Table 719: Stock Recommendation detection rule

Method: Compound rule (all conditions must match)

Content Matches Keyword (DCM): Match keyword: "recommend"
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.
Content Matches Keyword (DCM): Match keyword: "buy" or "sell"
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.
Content Matches Keyword (DCM): Match keyword: "stock, stocks, security, securities, share, shares"
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.

The NASD Rule 3010 and NYSE Rule 342 Keywords detection rule looks for keywords from the "NASD 3010 General
Keywords" dictionary, which cover general stock broker activity, in combination with stock keywords.

Table 720: NASD Rule 3010 and NYSE Rule 342 Keywords detection rule

Method: Compound rule (both conditions must match)

Content Matches Keyword (DCM): Match keyword: "authorize", "discretion", "guarantee", "options"
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.
Content Matches Keyword (DCM): Match keyword: "stock, stocks, security, securities, share, shares"
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.

Configuring policies
Exporting policy detection as a template

NERC Security Guidelines for Electric Utilities policy template


The North American Electric Reliability Council (NERC) Guideline for Protecting Potentially Sensitive Information
describes how to protect and secure data about critical electricity infrastructure.

This policy detects the information outlined in the NERC security guidelines for the electricity sector.

Table 721: Key Response Personnel detection rule

Detection method: Simple rule
Match condition: Content Matches Exact Data (EDM)
Configuration: Match any three of the following data items:
• First name
• Last name
• Phone
• Email
Choosing an Exact Data Profile

Table 722: Network Infrastructure Maps detection rule

Detection method: Simple rule
Match condition: Content Matches Indexed Documents (IDM)
Configuration: This rule requires a 90% binary match.
Choosing an Indexed Document Profile

The Sensitive Keywords and Vulnerability Keywords detection rule looks for any keyword matches from the "Sensitive
Keywords" dictionary and the "Vulnerability Keywords" dictionary.

Table 723: Sensitive Keywords and Vulnerability Keywords detection rule

Detection method: Compound rule

Match condition 1: Content Matches Keyword (DCM)
Configuration: Match any Sensitive Keyword:
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.

Match condition 2: Content Matches Keyword (DCM)
Configuration: Match any Vulnerability Keyword:
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.

Configuring policies
Exporting policy detection as a template

Network Diagrams Policy Template
The Network Diagrams Policy detects computer network diagrams at risk of exposure.

IDM Rule Network Diagrams, Indexed


This rule looks for content from specific network diagrams that are registered as confidential. This rule returns a
match if 80% or more of the source document is detected.
DCM Rule Network Diagrams with IP Addresses
This rule looks for a Visio file type in combination with an IP address data identifier.
DCM Rule Network Diagrams with IP Address Keyword
This rule looks for a Visio file type in combination with phrase variations of "IP address" with a data identifier.

Configuring policies
Exporting policy detection as a template

Network Security Policy Template


The Network Security Policy detects evidence of hacking tools and attack planning.

DCM Rule GoToMyPC Activity


This rule looks for a GoToMyPC command format with a data identifier.
DCM Rule Hacker Keywords
This rule looks for a keyword from the "Hacker Keywords" dictionary.
DCM Rule KeyLoggers Keywords
This rule looks for a keyword from the "Keylogger Keywords" dictionary.

Configuring policies
Exporting policy detection as a template

Offensive Language Policy Template


The Offensive Language Policy detects the use of offensive language.

DCM Rule Offensive Language, Explicit


This rule looks for any single keyword in the "Offensive Language, Explicit" dictionary.
DCM Rule Offensive Language, General
This rule looks for any three instances of keywords in the "Offensive Language, General" dictionary.

Configuring policies
Exporting policy detection as a template

Office of Foreign Assets Control (OFAC) Policy Template


The Office of Foreign Assets Control of the U.S. Department of the Treasury administers and enforces economic and
trade sanctions. These sanctions are based on US foreign policy and national security goals against certain countries,
individuals, and organizations. The Office of Foreign Assets Control (OFAC) policy detects communications involving
these targeted groups.
The OFAC policy has two primary parts. The first deals with the Specially Designated Nationals (SDN) list, and the second
deals with general OFAC policy restrictions.

The SDN list refers to specific people or organizations that are subject to trade restrictions. The U.S. Treasury Department
provides text files with specific names, last known addresses, and known aliases for these individuals and entities. The
Treasury Department stipulates that the addresses may not be correct or current, and different locations do not change
the restrictions on people and organizations.
In the OFAC policy template, Symantec Data Loss Prevention has scrubbed the list to make it more usable and practical.
This includes extracting keywords and key phrases from the list of names and aliases, since names do not always appear
in the same format as the list. Also, common names have been removed to reduce false positives. For example, one
organization on the SDN list is known as "SARA." Leaving this on the list would generate a high false positive rate. "SARA
Properties" is another entry on the list. It is used as a key phrase in the template because the incidence of this phrase
is much lower than "SARA" alone. The list of names and organizations is considered in combination with the commonly
found countries in the SDN address list. The top 12 countries on the list are considered, after again removing more
commonly occurring countries. The template looks for recipients with any of the listed countries as the designated country
code. This SDN list minimizes false positives while still detecting transactions or communications with known restricted
parties.
The OFAC policy also provides guidance around the restrictions the U.S. Treasury Department has placed on general
trade with specific countries. This is distinct from the SDN list, since individuals and organizations are not specified. The
list of general sanctions can be found here: http://www.treasury.gov/offices/enforcement/ofac/programs/index.shtml
The Office of Foreign Assets Control (OFAC) template looks for recipients in the OFAC-listed countries by designated
country code.
The OFAC Special Designated Nationals List and Recipients detection rule looks for a recipient with a country code
matching entries in the "OFAC SDN Country Codes" specification in combination with a match on a keyword from the
"Specially Designated Nationals List" dictionary.

Table 724: OFAC Special Designated Nationals List and Recipients detection rule

Method: Compound rule

Condition 1: Recipient Matches Pattern (DCM)
Configuration: OFAC Special Designated Nationals List and Recipients (Recipient):
• Match email or URL domain by OFAC SDN Country Code.
• Severity: High.
• Check for existence.
• At least 1 recipient(s) must match.
• Matches on the entire message.

Condition 2: Content Matches Keyword (DCM)
Configuration: Specially Designated Nationals List (Keyword Match):
• Match keyword from the Specially Designated Nationals List.
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.

The Communications to OFAC countries detection rule looks for a recipient with a country code matching entries from the
"OFAC Country Codes" list.

Table 725: Communications to OFAC countries detection rule

Method: Simple rule
Condition: Recipient Matches Pattern (DCM)
Configuration: Communications to OFAC countries (Recipient):
• Match email or URL domain by OFAC Country Code.
• Severity: High.
• Check for existence.
• At least 1 recipient(s) must match.
• Matches on the entire message.

Configuring policies
Exporting policy detection as a template

OMB Memo 06-16 and FIPS 199 Regulations Policy Template


This Policy detects information classified as confidential according to the guidelines established in the Federal Information
Processing Standards (FIPS) Publication 199 from the National Institute of Standards and Technology (NIST). NIST
is responsible for establishing standards and guidelines for data security under the Federal Information Security
Management Act (FISMA).
This template contains three simple detection rules. If any rule reports a match, the Policy triggers an incident.
The High Confidentiality Indicators detection rule looks for any keywords in the "High Confidentiality" dictionary.

Table 726: High Confidentiality Indicators detection rule

Method: Simple rule
Condition: Content Matches Keyword
Configuration: High Confidentiality Indicators (Keyword Match):
• Match "(confidentiality, high)", "(confidentiality,high)"
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.

The Moderate Confidentiality Indicators detection rule looks for any keywords in the "Moderate Confidentiality" dictionary.

Table 727: Moderate Confidentiality Indicators detection rule

Method: Simple rule
Condition: Content Matches Keyword
Configuration: Moderate Confidentiality Indicators (Keyword Match):
• Match "(confidentiality, moderate)", "(confidentiality,moderate)"
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.

The Low Confidentiality Indicators detection rule looks for any keywords in the "Low Confidentiality" dictionary.

Table 728: Low Confidentiality Indicators detection rule

Method: Simple rule
Condition: Content Matches Keyword
Configuration: Low Confidentiality Indicators (Keyword Match):
• Match "(confidentiality, low)", "(confidentiality,low)"
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.

Configuring policies
Exporting policy detection as a template

Passwords Policy Template


The Symantec Data Loss Prevention Passwords Policy Template uses a regular expression to detect user passwords.
Regular Expression for the Passwords Policy Template
(\s|^)(?=\S{0,15}[a-z])(?=\S{0,15}[A-Z])(?=\S{0,15}\d)(?=\S{0,15}[-!@#$&*])(?i)(?!([\d.-]{0,13}(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)))(?![\d.,-]{1,15}\p{Sc}|\p{Sc}[\d.,-]{1,15})(?![\d.,-]{0,13}(AED|AFN|ALL|AMD|ANG|AOA|ARS|AUD|AWG|AZN|BAM|BBD|BDT|BGN|BHD|BIF|BMD|BND|BOB|BOV|BRL|BSD|BTN|BWP|BYN|BZD|CAD|CDF|CHE|CHF|CHW|CLF|CLP|CNY|COP|COU|CRC|CUC|CUP|CVE|CZK|DJF|DKK|DOP|DZD|EGP|ERN|ETB|EUR|FJD|FKP|GBP|GEL|GHS|GIP|GMD|GNF|GTQ|GYD|HKD|HNL|HRK|HTG|HUF|IDR|ILS|INR|IQD|IRR|ISK|JMD|JOD|JPY|KES|KGS|KHR|KMF|KPW|KRW|KWD|KYD|KZT|LAK|LBP|LKR|LRD|LSL|LYD|MAD|MDL|MGA|MKD|MMK|MNT|MOP|MRU|MUR|MVR|MWK|MXN|MXV|MYR|MZN|NAD|NGN|NIO|NOK|NPR|NZD|OMR|PAB|PEN|PGK|PHP|PKR|PLN|PYG|QAR|RON|RSD|RUB|RWF|SAR|SBD|SCR|SDG|SEK|SGD|SHP|SLE|SOS|SRD|SSP|STN|SVC|SYP|SZL|THB|TJS|TMT|TND|TOP|TRY|TTD|TWD|TZS|UAH|UGX|USD|USN|UYI|UYU|UZS|VED|VEF|VND|VUV|WST|XAF|XCD|XDR|XOF|XPF|XSU|XUA|YER|ZAR|ZMW|ZWL))\S{5,16}(?=\s|$)

You can use positive lookahead (?=), lookbehind (?<=), and negative lookahead (?!) assertions in regular expressions
to validate the conditions for required fields.
This regular expression matches a string of 5 to 16 characters with no whitespace that must contain at least one of each
of the following character types:
• one lower case letter
• one upper case letter
• one digit
• at least one of these symbols: - ! @ # $ & *

Table 729: Details of the Regular Expression Used in the Passwords Policy Template

Regular expression section: \S{5,16}
Usage: Used to specify a minimum length (5) and a maximum length (16) of a password.

Regular expression section: (?=\S{0,15}[a-z])
Usage: Ensures the presence of at least one lower case letter in the password.

Regular expression section: (?=\S{0,15}[A-Z])
Usage: Ensures the presence of at least one upper case letter in the password.

Regular expression section: (?=\S{0,15}\d)
Usage: Ensures the presence of at least one digit in the password.

Regular expression section: (?=\S{0,15}[-!@#$&*])
Usage: Validates at least one symbol from the list of allowed special characters, such as -!@#$&*.

Regular expression section: (?!([\d.-]{0,13}(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)))
Usage: Ensures that dates, such as 01-JAN-2022, are excluded from the password.

Regular expression section: (?![\d.,-]{1,15}\p{Sc}|\p{Sc}[\d.,-]{1,15})
Usage: Ensures that currency symbols such as $ or ¥ are excluded from the password.

Regular expression section: (?![\d.,-]{0,13}(AED|AFN|ALL|AMD|ANG|AOA|ARS|AUD|AWG|AZN|BAM|BBD|BDT|BGN|BHD|BIF|BMD|BND|BOB|BOV|BRL|BSD|BTN|BWP|BYN|BZD|CAD|CDF|CHE|CHF|CHW|CLF|CLP|CNY|COP|COU|CRC|CUC|CUP|CVE|CZK|DJF|DKK|DOP|DZD|EGP|ERN|ETB|EUR|FJD|FKP|GBP|GEL|GHS|GIP|GMD|GNF|GTQ|GYD|HKD|HNL|HRK|HTG|HUF|IDR|ILS|INR|IQD|IRR|ISK|JMD|JOD|JPY|KES|KGS|KHR|KMF|KPW|KRW|KWD|KYD|KZT|LAK|LBP|LKR|LRD|LSL|LYD|MAD|MDL|MGA|MKD|MMK|MNT|MOP|MRU|MUR|MVR|MWK|MXN|MXV|MYR|MZN|NAD|NGN|NIO|NOK|NPR|NZD|OMR|PAB|PEN|PGK|PHP|PKR|PLN|PYG|QAR|RON|RSD|RUB|RWF|SAR|SBD|SCR|SDG|SEK|SGD|SHP|SLE|SOS|SRD|SSP|STN|SVC|SYP|SZL|THB|TJS|TMT|TND|TOP|TRY|TTD|TWD|TZS|UAH|UGX|USD|USN|UYI|UYU|UZS|VED|VEF|VND|VUV|WST|XAF|XCD|XDR|XOF|XPF|XSU|XUA|YER|ZAR|ZMW|ZWL))
Usage: Ensures that currency codes such as USD or INR are excluded from the password.

Configuring policies
Customizations
You can customize the Passwords Policy Template according to your requirements (such as length and character set).
You can also modify parts of the regular expression, as explained in the following table of modifiers for various use cases.
Passwords Policy Regular Expression Modifiers

Customization use case: Passwords contain only letters and digits (no special characters are required).
Regular expression modifier: (?<=\s|^)(?=\S{0,15}[A-Za-z])(?=\S{0,15}\d)\S{5,16}(?=\s|$)

Customization use case: Passwords contain only letters and special symbols (no digits are required).
Regular expression modifier: (?<=\s|^)(?=\S{0,15}[A-Za-z])(?=\S{0,15}[-!@#$&*])\S{5,16}(?=\s|$)

Customization use case: Passwords contain digits and special symbols only (no letters are required).
Regular expression modifier: (?<=\s|^)(?=\S{0,15}\d)(?=\S{0,15}[-!@#$&*])\S{5,16}(?=\s|$)

Customization use case: Passwords contain one capital case letter, one lower case letter, one symbol, and one digit.
Regular expression modifier: (?<=\s|^)(?=\S{0,15}[A-Z])(?=\S{0,15}[a-z])(?=\S{0,15}\d)(?=\S{0,15}[-!@#$&*])\S{5,16}(?=\s|$)

Customization use case: Passwords that are 5 through 20 characters long.
Regular expression modifier: (?<=\s|^)(?=\S{0,19}[A-Za-z])(?=\S{0,19}\d)(?=\S{0,19}[!@#$%^&*()])\S{5,20}(?=\s|$)

Customization use case: Passwords contain the user-defined set of special characters; for example, "!@#$%^&*(),.".
Regular expression modifier: (?<=\s|^)(?=\S{0,15}[A-Za-z])(?=\S{0,15}\d)(?=\S{0,15}[!@#$%^&*(),.])\S{5,16}(?=\s|$)

Customization use case: Passwords contain one letter, one digit, and one special symbol with the exclusion of a date, such as 01-JAN-2022.
Regular expression modifier: (?<=\s|^)(?=\S{0,15}[A-Za-z])(?=\S{0,15}\d)(?=\S{0,15}[-!@#$&*])(?i)(?!([\d.-]{0,13}(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)))\S{5,16}(?=\s|$)

Customization use case: Passwords contain one letter, one digit, and one special symbol with the exclusion of a currency symbol such as $ or ¥. For example: 1200,00$, amount: $1200,00.
Regular expression modifier: (?<=\s|^)(?=\S{0,15}[A-Za-z])(?=\S{0,15}\d)(?=\S{0,15}[-!@#$&*])(?![\d.,-]{1,15}\p{Sc}|\p{Sc}[\d.,-]{1,15})\S{5,16}(?=\s|$)
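To see how the assertions in the details table combine, and which one rejects a given string when you tune the template with the modifiers above, the following added Python example (not part of the Symantec documentation or product) ports the template regex to Python's re module. It assumes a scoped (?i:...) group in place of the mid-pattern (?i), an explicit symbol class in place of \p{Sc}, and a constructed subset of the currency-code list.

```python
import re

# Constructed subset of the ISO 4217 codes the template excludes (assumption: a
# handful is enough to show the mechanism; the template itself lists every code).
CURRENCY_CODES = r"USD|EUR|GBP|JPY|INR|CAD|AUD|CHF|CNY|RUB"

# Python's re module has no \p{Sc} (Unicode currency-symbol class), so an explicit
# character class stands in for it here (assumption, not the template's syntax).
CURRENCY_SYMBOL = r"[$€£¥₹]"

# The zero-width assertions of the template regex, named after the rows of the
# details table. The template's mid-pattern (?i) is not accepted by Python's re,
# so the two case-insensitive exclusions are wrapped in scoped (?i:...) groups.
ASSERTIONS = [
    ("lower", r"(?=\S{0,15}[a-z])"),
    ("upper", r"(?=\S{0,15}[A-Z])"),
    ("digit", r"(?=\S{0,15}\d)"),
    ("symbol", r"(?=\S{0,15}[-!@#$&*])"),
    ("date", r"(?i:(?![\d.-]{0,13}(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)))"),
    ("currency_symbol",
     r"(?![\d.,-]{1,15}" + CURRENCY_SYMBOL + r"|" + CURRENCY_SYMBOL + r"[\d.,-]{1,15})"),
    ("currency_code", r"(?i:(?![\d.,-]{0,13}(?:" + CURRENCY_CODES + r")))"),
]

# Full pattern: token boundary, every assertion, then the 5 to 16 non-space
# characters that make up the candidate password, followed by whitespace or end.
PASSWORD_RE = re.compile(
    r"(?:\s|^)" + "".join(p for _, p in ASSERTIONS) + r"(\S{5,16})(?=\s|$)"
)


def find_password_candidates(text):
    """Return every whitespace-delimited token that the ported template regex accepts."""
    return [m.group(1) for m in PASSWORD_RE.finditer(text)]


def why_rejected(token):
    """Name the first assertion a single token fails, or None if the token would match.

    This is what you want when tuning the template: it tells you which row of the
    details table (or which lookahead a customization dropped) decides a given string.
    """
    if re.fullmatch(r"\S{5,16}", token) is None:
        return "length"
    for name, pattern in ASSERTIONS:
        # Every assertion is zero-width, so re.match tests it at the start of the
        # token exactly as the full pattern does right after the boundary.
        if re.match(pattern, token) is None:
            return name
    return None


if __name__ == "__main__":
    # Constructed sample message; only the first and last tokens survive every assertion.
    sample = "Passw0rd! 01-Jan-2022 1,200.00USD-a $1200,00-Ab Other1@X"
    print(find_password_candidates(sample))
    for tok in sample.split():
        print(tok, "->", why_rejected(tok) or "accepted")
```

Because [\d.-]{0,13} may match zero characters, the date exclusion also rejects any token that merely begins with a month abbreviation (for example Marketing1!), which is worth knowing when reviewing incidents this template does not raise.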

Password Files Policy Template


The Password Files Policy detects password file formats, such as SAM, password, and shadow.

DCM Rule Password Filenames


This rule looks for the file names "passwd" or "shadow."
DCM Rule /etc/passwd Format
This rule looks for a regular expression pattern with the /etc/passwd format.
DCM Rule /etc/shadow Format
This rule looks for a regular expression pattern with the /etc/shadow format.
DCM Rule SAM Passwords
This rule looks for a regular expression pattern with the SAM format.

Configuring policies
Exporting policy detection as a template

Payment Card Industry (PCI) Data Security Standard Policy Template


The Payment Card Industry (PCI) data security standards are jointly determined by Visa and MasterCard to protect
cardholders by safeguarding personally identifiable information. Visa's Cardholder Information Security Program (CISP)
and MasterCard's Site Data Protection (SDP) program both work toward enforcing these standards. The Payment Card
Industry (PCI) Data Security Standards Policy detects Visa and MasterCard credit card number data.
The Card Numbers, Exact detection rule detects exact credit card numbers profiled from a database or other data source.

Table 730: Credit Card Numbers, Exact detection rule

Method: Simple rule
Condition: Content Matches Exact Data (EDM)
Configuration: This rule detects credit card numbers.
Choosing an Exact Data Profile

The Credit Card Numbers, All detection rule detects credit card numbers using the Credit Card Number system Data
Identifier.

Table 731: Credit Card Numbers, All detection rule

Method: Simple rule
Condition: Content Matches Data Identifier (DCM)
Configuration: Credit Card Numbers, All (Data Identifiers):
• Data Identifier: Credit Card Number (narrow breadth)
• Severity: High.
• Count all matches.
• Look in envelope, subject, body, attachments.

The Magnetic Stripe Data for Credit Cards detection rule detects raw data from the credit card magnetic stripe using the
Credit Card Magnetic Stripe system Data Identifier.

Table 732: Magnetic Stripe Data for Credit Cards detection rule

Method: Simple rule
Condition: Content Matches Data Identifier (DCM)
Configuration: Magnetic Stripe Data for Credit Cards (Data Identifiers):
• Data Identifier: Credit Card Magnetic Stripe (medium breadth)
• Severity: High.
• Count all matches.
• Look in envelope, subject, body, attachments.

Configuring policies
Exporting policy detection as a template

PIPEDA Policy Template


Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) protects personal information in the
hands of private sector organizations. This act provides guidelines for the collection, use, and disclosure of personal
information.
The PIPEDA Policy detects customer data that PIPEDA regulations protect.
The PIPEDA detection rule looks for a match of two data items, with certain data combinations excluded from matching.

Table 733: PIPEDA detection rule

Detection method: EDM Rule
Description: The PIPEDA detection rule matches any two of the following data items:
• Last name
• Bank card
• Medical account number
• Medical record
• Agency number
• Account number
• PIN
• User name
• Password
• SIN
• ABA routing number
• Email
• Phone
• Mother's maiden name
Excluded combinations: However, the following combinations do not create a match:
• Last name, email
• Last name, phone
• Last name, account number
• Last name, user name
Choosing an Exact Data Profile

The PIPEDA Contact Info detection rule looks for a match of two data items, with certain data combinations excepted from
matching.

Table 734: PIPEDA Contact Info detection rule

Detection method: EDM Rule
Description: This rule looks for any two of the following data columns:
• Last name
• Phone
• Account number
• User name
• Email
Choosing an Exact Data Profile

Table 735: Canadian Social Insurance Numbers detection rule

Detection method: DCM Rule
Description: This rule implements the narrow breadth edition of the Canadian Social Insurance Number data identifier.

Table 736: ABA Routing Numbers detection rule

Detection method: DCM Rule
Description: This rule implements the narrow breadth edition of the ABA Routing Number data identifier.

Table 737: Credit Card Numbers, All detection rule

Detection method: DCM Rule
Description: This rule implements the narrow breadth edition of the Credit Card Number data identifier.

Configuring policies
Exporting policy detection as a template

Price Information Policy Template


The Price Information policy detects specific SKU and pricing information at risk of exposure.

EDM Rule Price Information


This rule looks for the combination of user-specified Stock Keeping Unit (SKU) numbers and the price for that SKU
number.

NOTE
This template contains one EDM detection rule. If you do not have an EDM profile configured, or you are using
Symantec Data Loss Prevention Standard, this policy template is empty and contains no rule to configure.
Configuring policies
Exporting policy detection as a template
About the Exact Data Profile and index

Project Data Policy Template
The Project Data Policy detects discussions of sensitive projects.

IDM Rule Project Documents, Indexed


This rule looks for content from specific project data files registered as proprietary. It returns a match if the engine
detects 80% or more of the source document.
DCM Rule Project Activity
This rule looks for any keywords in the "Sensitive Project Code Names" dictionary, which is user-defined.

Configuring policies
Exporting policy detection as a template

Proprietary Media Files Policy Template


The Proprietary Media Files Policy detects various types of video and audio files that may be proprietary intellectual
property of your organization and at risk of exposure.

IDM Rule Media Files, Indexed


This rule looks for content from specific media files registered as proprietary.
DCM Rule Media Files
This rule looks for the following media file types:
• qt
• riff
• macromedia_dir
• midi
• mp3
• mpeg_movie
• quickdraw
• realaudio
• wav
• video_win
• vrml
DCM Rule Media Files Extensions
This rule looks for file name extensions from the "Media Files Extensions" dictionary.

Configuring policies
Exporting policy detection as a template

Publishing Documents Policy Template
The Publishing Documents Policy detects various types of publishing documents, such as Adobe FrameMaker files, at risk
of exposure.

IDM Rule Publishing Documents, Indexed


This rule looks for content from specific publishing documents registered as proprietary. It returns a match if the
engine detects 80% or more of the source document.
DCM Rule Publishing Documents
This rule looks for the specified file types:
• qxpress
• frame
• aldus_pagemaker
• publ
DCM Rule Publishing Documents, extensions
This rule looks for specified file name extensions found in the "Publishing Document Extensions" dictionary.

NOTE
Both file types and file name extensions are required for this policy because the detection engine does not
detect the true file type for all the required documents. As such, the file name extension must be used with the
file type.
Configuring policies
Exporting policy detection as a template

Racist Language Policy Template


The Racist Language Policy detects the use of racist language.

DCM Rule Racist Language


This rule looks for any single keyword in the "Racist Language" dictionary.

Configuring policies
Exporting policy detection as a template

Restricted Files Policy Template


The Restricted Files Policy detects various file types that are generally inappropriate to send out of the company, such as
Microsoft Access and executable files.

DCM Rule MSAccess Files and Executables


This rule looks for files of the specified types: access, exe, and exe_unix.

Configuring policies
Exporting policy detection as a template

Restricted Recipients Policy Template
The Restricted Recipients policy detects communications with specified recipients, such as former employees.

DCM Rule Restricted Recipients


This rule looks for messages to recipients with email addresses in the "Restricted Recipients" dictionary.

Configuring policies
Exporting policy detection as a template

Resumes Policy Template


The Resumes policy detects active job searches.

EDM Rule Resumes, Employee


This rule is a compound rule with two conditions; both must match to trigger an incident. This rule contains an EDM
condition for first and last names of employees provided by the user. This rule also looks for a specific file type
attachment (.doc) that is less than 50 KB and contains at least one keyword from each of the following dictionaries:
• Job Search Keywords, Education
• Job Search Keywords, Work
• Job Search Keywords, General
DCM Rule Resumes, All
This rule looks for files of a specified type (.doc) that are less than 50 KB and match at least one keyword from each
of the following dictionaries:
• Job Search Keywords, Education
• Job Search Keywords, Work
• Job Search Keywords, General
DCM Rule Job Search Websites
This rule looks for URLs of Web sites that are used in job searches.

Configuring policies
Exporting policy detection as a template
About the Exact Data Profile and index

Russian Federal Law on Personal Data (No. 152-FZ) Policy Template


The Russian Federal Law on Personal Data (No. 152-FZ) constitutes the backbone of Russian privacy laws and requires
data operators to take all the necessary organizational and technical measures that are required for protecting personal
data against unlawful or accidental access.

Table 738: The Russian Federal Law on Personal Data (No. 152-FZ) template rules

Rule: Russia Cargo Customs Declaration
Description: The Cargo Customs Declaration (CCD) is one of the main documents that are drawn up when moving goods
across the customs border of the state. The CCD is issued by the manager of the goods and certified by the customs
inspector, and subsequently serves as the basis for passing through the border. The declaration contains information
about the cargo and its customs value, the means of delivery, the sender, and the recipient.
Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.

Rule: Russia Insurance Account Number (SNILS)
Description: The individual insurance account number (SNILS) is a personal number that is used by the Pension Fund of
the Russian Federation to track people's accounts for social security purposes.
Default severity: High. Count all unique matches. Look in envelope, subject, body, and attachments.

Rule: Russia Military Identity Number
Description: The military identity card of the Russian Armed Forces is a document that is issued to soldiers of the Armed
Forces of the Russian Federation and other "power" agencies where military service is provided, and to those who are
exempt from military service or admitted to the reserve.
Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.

Rule: Russian Passport Identification Number
Description: There are two types of passports in Russia, the domestic passport and the international passport. Every
Russian citizen has a domestic passport; it is the main document used for identification of a person.
Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.

Rule: Russian Taxpayer Identification Number
Description: The taxpayer identification number (TIN, also called INN) is a multidigit number that enables the tax
inspectorate to identify the tax status of legal entities and individuals.
Default severity: High. Count all unique matches. Look in envelope, subject, body, and attachments.

Rule: Russia Phone Number
Description: Detects the phone numbers of Russia.
Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.

Rule: Russia Vehicle Identification Number
Description: A vehicle identification number (VIN) is a unique code, including a serial number, which is used by the
automotive industry to identify individual motor vehicles, towed vehicles, motorcycles, scooters, and mopeds.
Default severity: High. Count all unique matches. Look in envelope, subject, body, and attachments.

Rule: Russia Employment Record
Description: The employment record is an official personal document containing records of the employment of a citizen;
it was most widely distributed in the USSR and is used in many CIS countries.
Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.

Rule: Russia OMS Number
Description: Compulsory medical insurance (OMS) is a type of compulsory social insurance. Healthcare in Russia is
provided by the state through the Federal Compulsory Medical Insurance Fund, and regulated through the Ministry of
Health.
Default severity: High. Count all unique matches. Look in envelope, subject, body, and attachments.

Sarbanes-Oxley Policy Template


The US Sarbanes-Oxley Act (SOX) imposes requirements on financial accounting, including the preservation of data
integrity and the ability to create an audit trail. The Sarbanes-Oxley Policy detects sensitive financial data.
The Sarbanes-Oxley Documents, Indexed detection rule looks for content from specific documents registered as being
subject to the Sarbanes-Oxley Act. This rule returns a match if 80% or more of the source document is found.

Table 739: Sarbanes-Oxley Documents, Indexed detection rule

Method: Simple rule
Condition: Content Matches Indexed Document Profile
Configuration: Choosing an Indexed Document Profile

The SEC Fair Disclosure Regulation compound detection rule looks for the following conditions; all must be
satisfied for the rule to trigger an incident:
• The SEC Fair Disclosure keywords indicate possible disclosure of advance financial information ("SEC Fair Disclosure
Keywords" dictionary).
• An attachment or file type that is a commonly used document or spreadsheet format. The detected file types are
Microsoft Word, Excel Macro, Excel, Works Spreadsheet, SYLK Spreadsheet, Corel Quattro Pro, WordPerfect, Lotus
123, Applix Spreadsheets, CSV, Multiplan Spreadsheet, and Adobe PDF.
• The company name keyword list requires editing by the user, which can include any name, alternate name, or
abbreviation that might indicate a reference to the company.

Table 740: SEC Fair Disclosure Regulation detection rule

Method: Compound rule

Condition 1: Content Matches Keyword
Configuration: SEC Fair Disclosure Regulation (Keyword Match):
• Match keyword: earnings per share, forward guidance
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.
• Match on same component.
The keyword must be in the attachment or file type detected by that condition.

Condition 2: Message Attachment or File Type Match
Configuration: SEC Fair Disclosure Regulation (Attachment/File Type):
• File type detected: excel_macro, xls, works_spread, sylk, quattro_pro, mod, csv, applix_spread, 123, doc,
wordperfect, and pdf.
• Severity: High.
• Match on: Attachments and same component.

Condition 3: Content Matches Keyword
Configuration: SEC Fair Disclosure Regulation (Keyword Match):
• Match "[company name]"
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.
• Match on same component.
The keyword must be in the attachment or file type detected by that condition.

The Financial Information detection rule looks for a specific file type containing a word from the "Financial Keywords"
dictionary and a word from the "Confidential/Proprietary Words" dictionary. The spreadsheet file types detected are
Microsoft Excel Macro, Microsoft Excel, Microsoft Works Spreadsheet, SYLK Spreadsheet, Corel Quattro Pro, and more.

Table 741: Financial Information detection rule

Method: Compound rule

Condition 1: Content Matches Indexed Document Profile
Configuration: Financial Information (Attachment/File Type):
• Match file type: excel_macro, xls, works_spread, sylk, quattro_pro, mod, csv, applix_spread, Lotus 1-2-3
• Severity: High.
• Match on attachments, same component.

Condition 2: Content Matches Keyword
Configuration: Financial Information (Keyword Match):
• Match "accounts receivable turnover", "adjusted gross margin", "adjusted operating expenses", "adjusted operating
margin", "administrative expenses", ....
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.
• Keyword must be detected in the attachment (same component).

Condition 3: Content Matches Keyword
Configuration: Financial Information (Keyword Match):
• Match "confidential", "internal use only", "proprietary".
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.
• Keyword must be detected in the attachment (same component).

Configuring policies
Exporting policy detection as a template

SEC Fair Disclosure Regulation Policy Template


The US SEC Selective Disclosure and Insider Trading Rules prohibit public companies from selectively divulging material
information to analysts and institutional investors before its general release to the public.

The SEC Fair Disclosure Regulation template detects data indicating disclosure of material financial information.
The SEC Fair Disclosure Regulation Documents, Indexed (IDM) detection rule looks for content from specific documents
subject to SEC Fair Disclosure regulation. This rule returns a match if 80% or more of the source document content is
found.

Table 742: SEC Fair Disclosure Regulation Documents, Indexed (IDM) detection rule

Method: Simple rule
Condition: Content Matches Document Signature (IDM)
Configuration: SEC Fair Disclosure Regulation Documents, Indexed (IDM):
• Detect documents from the selected Indexed Document Profile.
Choosing an Indexed Document Profile
• Match documents with at least 80% content match.
• Severity: High.
• Check for existence.
• Look in body, attachments.
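The "at least 80% content match" threshold is easier to reason about with a concrete similarity measure in hand. The following Python is an added illustration, not Symantec's IDM fingerprinting algorithm (which is proprietary): it approximates "content match" as the fraction of an indexed document's word 3-gram shingles that also appear in the message, and applies the 80% threshold from the table. The indexed document text and the messages are constructed for the example.

```python
import re


def shingles(text, n=3):
    """Normalise to lower-case word tokens and return the set of n-word shingles."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def indexed_content_match(indexed_doc, message_text, n=3):
    """Fraction (0.0-1.0) of the indexed document's shingles found in the message.
    This stands in for IDM's 'content match' percentage; it is a simplification."""
    idx = shingles(indexed_doc, n)
    if not idx:
        return 0.0
    return len(idx & shingles(message_text, n)) / len(idx)


def idm_rule_matches(indexed_doc, message_text, threshold=0.80):
    """Simple rule, check for existence: match when the content match meets the threshold."""
    return indexed_content_match(indexed_doc, message_text) >= threshold


# Constructed indexed document (29 word tokens -> 27 distinct 3-gram shingles).
INDEXED_DOC = ("Q3 pre-announcement: earnings per share expected at 1.42 versus consensus 1.30; "
               "forward guidance for Q4 raised to 1.55 to 1.60 on strong services growth.")

# Constructed messages: a verbatim copy, a lightly edited copy, and a partial excerpt.
VERBATIM = "FYI, do not forward externally: " + INDEXED_DOC
EDITED = INDEXED_DOC.replace("consensus", "estimate")   # 3 shingles lost -> 24/27 ~ 0.89
EXCERPT = "Forward guidance for Q4 raised to 1.55 to 1.60 on strong services growth."  # 13/27


if __name__ == "__main__":
    for label, text in (("verbatim", VERBATIM), ("edited", EDITED), ("excerpt", EXCERPT)):
        score = indexed_content_match(INDEXED_DOC, text)
        print(f"{label}: {score:.2f} -> incident={idm_rule_matches(INDEXED_DOC, text)}")
```

The edited copy still exceeds 80% because replacing one word only removes the shingles that contain it, which is the property an indexed-document rule relies on; the short excerpt stays well below the threshold even though every sentence in it is lifted from the source.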

The SEC Fair Disclosure Regulation detection rule looks for a keyword match from the "SEC Fair Disclosure
Keywords" dictionary, an attachment or file type that is a commonly used document or spreadsheet, and a keyword match
from the "Company Name Keywords" dictionary.
All three conditions must be satisfied for the rule to trigger an incident:
• The SEC Fair Disclosure keywords indicate possible disclosure of advance financial information.
• The file types detected are Microsoft Word, Excel Macro, Excel, Works Spreadsheet, SYLK Spreadsheet, Corel
Quattro Pro, WordPerfect, Lotus 123, Applix Spreadsheets, CSV, Multiplan Spreadsheet, and Adobe PDF.
• The company name keyword list requires editing by the user, which can include any name, alternate name, or
abbreviation that might indicate a reference to the company.

Table 743: SEC Fair Disclosure Regulation detection rule

Method: Compound rule

Condition: Content Matches Keyword (DCM)
Configuration: SEC Fair Disclosure Regulation (Keyword Match):
• Match "earnings per share", "forward guidance".
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.

Condition: Message Attachment or File Type Match (DCM)
Configuration: SEC Fair Disclosure Regulation (Attachment/File Type):
• Match file type: excel_macro, xls, works_spread, sylk, quattro_pro, mod, csv, applix_spread, 123, doc, wordperfect, pdf
• Severity: High.
• Match on attachments.
• Require content match to be in the same component (attachment).

Condition: Content Matches Keyword (DCM)
Configuration: SEC Fair Disclosure Regulation (Keyword Match):
• Match "[company name]" (user defined)
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments, same component.
• Case insensitive.
• Match on whole words only.
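To make the compound-rule semantics concrete (all three conditions, case-insensitive whole-word keyword matching, and the "same component" requirement that also appears in the Financial Information rule above), here is an added Python model of the evaluation. It is illustrative code written for this page, not Symantec's detection engine. It assumes a message is already split into envelope, subject, body and attachment components with extracted text and a detected file type, and it reads "same component" as requiring the company-name keyword to occur inside an attachment that satisfied the file-type condition. The messages are constructed.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Attachment:
    name: str
    file_type: str  # assumed: the type name a content extractor reports (e.g. "xls", "pdf")
    text: str       # text extracted from the attachment


@dataclass
class Message:
    envelope: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)

    def components(self):
        """Yield (component_id, text, file_type) for every part a condition may inspect."""
        yield "envelope", self.envelope, None
        yield "subject", self.subject, None
        yield "body", self.body, None
        for i, att in enumerate(self.attachments):
            yield f"attachment:{i}:{att.name}", att.text, att.file_type


def keyword_components(msg, keywords, case_insensitive=True, whole_words=True):
    """Keyword Match, 'check for existence': ids of the components in which at least one
    keyword occurs. Whole-word matching uses word-boundary look-arounds so that
    'forward guidances' does not satisfy 'forward guidance'."""
    flags = re.IGNORECASE if case_insensitive else 0
    patterns = []
    for kw in keywords:
        esc = re.escape(kw)
        patterns.append(re.compile(rf"(?<!\w){esc}(?!\w)" if whole_words else esc, flags))
    return {cid for cid, text, _ in msg.components()
            if any(p.search(text) for p in patterns)}


def file_type_components(msg, file_types):
    """Attachment/File Type Match: ids of attachments whose detected type is listed."""
    return {cid for cid, _, ftype in msg.components() if ftype in file_types}


SEC_KEYWORDS = ["earnings per share", "forward guidance"]
SEC_FILE_TYPES = {"excel_macro", "xls", "works_spread", "sylk", "quattro_pro", "mod", "csv",
                  "applix_spread", "123", "doc", "wordperfect", "pdf"}


def sec_fair_disclosure_incident(msg, company_names):
    """Compound rule: all three conditions must hold, and the company-name keyword must be
    in the same component as the file-type match (one of the matching attachments)."""
    sec_hits = keyword_components(msg, SEC_KEYWORDS)
    type_hits = file_type_components(msg, SEC_FILE_TYPES)
    company_hits = keyword_components(msg, company_names)
    same_component = type_hits & company_hits
    return bool(sec_hits) and bool(type_hits) and bool(same_component)


def sample_messages():
    """Constructed (message, expected verdict) pairs exercising each condition."""
    guidance_xls = Attachment("q3.xls", "xls", "Acme Corp revenue forecast and guidance table")
    envelope = "cfo@example.com -> analyst@example.net"
    return [
        # Keyword in body (case-insensitive), spreadsheet naming the company: incident.
        (Message(envelope, "Q3 numbers", "Attached is our FORWARD GUIDANCE for Q3.",
                 [guidance_xls]), True),
        # Same wording but the attachment is an image: the file-type condition fails.
        (Message(envelope, "Q3 numbers", "Attached is our forward guidance for Q3.",
                 [Attachment("chart.png", "png", "Acme Corp revenue forecast")]), False),
        # Company name only in the subject, not inside the matching attachment: same-component fails.
        (Message(envelope, "Acme Corp Q3", "forward guidance attached",
                 [Attachment("q3.xls", "xls", "revenue forecast")]), False),
        # 'guidances' is not a whole-word match for 'forward guidance'.
        (Message(envelope, "Q3", "forward guidances attached", [guidance_xls]), False),
    ]


if __name__ == "__main__":
    for msg, expected in sample_messages():
        verdict = sec_fair_disclosure_incident(msg, ["Acme Corp"])
        print(f"{msg.subject!r}: incident={verdict} (expected {expected})")
```

The third sample is the one worth studying when tuning a rule like this: the spreadsheet and the SEC keyword are both present, yet no incident is raised because the company name sits in the subject rather than in the attachment, which is exactly what the "same component" setting is meant to enforce.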

Configuring policies
Exporting policy detection as a template

Sexually Explicit Language Policy Template


The Sexually Explicit Language policy detects vulgar, sexually explicit, and pornographic language content.

Table 744: Sexually Explicit Language profile template

DCM Rule Sexually Explicit Keywords, Confirmed
This rule looks for any single keyword in the "Sex. Explicit Keywords, Confirmed" dictionary.

DCM Rule Sexually Explicit Keywords, Suspected
This rule looks for any three instances of keywords in the "Sex. Explicit Words, Suspect" dictionary.

DCM Rule Sexually Explicit Keywords, Possible
This rule looks for any three instances of keywords in the "Sex. Explicit Words, Possible" dictionary.

Configuring policies
Exporting policy detection as a template

Source Code Policy Template


The Source Code Policy template provides match conditions for detecting various types of source code at risk of
exposure, including C, Java, Perl, and Visual Basic (VB).

Table 745: Source code policy template match conditions

Name: Source Code Documents
Type: IDM
Description: This rule looks for specific user-provided source code from a Document Profile. This rule returns a match if it detects 80% or more of the source document. This rule is not available if you do not select a profile when creating the policy.

Name: Source Code Extensions
Type: File Name Match
Description: This rule looks for a match among file name extensions from the "Source Code Extensions" dictionary.

Name: Java Source Code
Type: Regular Expressions
Description: This compound rule looks for matches on two different regular expression patterns: Java Import Statements and Java Class Files.

Name: C Source Code
Type: Regular Expression
Description: This rule looks for matches on the C Source Code regular expression pattern.

Name: VB Source Code
Type: Regular Expression
Description: This rule looks for matches on the VB Source Code regular expression pattern.

Name: Perl Source Code
Type: Regular Expressions
Description: This compound rule looks for matches on three different Perl-related regular expression patterns.

Configuring policies
Exporting policy detection as a template

State Data Privacy Policy Template


Many states in the US have adopted statutes mandating data protection and public disclosure of information security
breaches in which confidential data of individuals is compromised. The State Data Privacy policy template is designed to
address these types of confidential data breaches.
The State Data Privacy Policy template provides several individual detection rules and produces an incident if any of
these rules are violated. This Policy template also provides a configurable exception condition that allows one or more
authorized email recipients to receive otherwise confidential data.
The following table lists and describes the acceptable use condition implemented by the State Data Privacy Policy. You
must configure the exception for it to apply.

Table 746: Email to Affiliates policy exception

Name: Email to Affiliates (Recipient)
Type: Described identity (DCM), Recipient Matches Pattern
Description: Email to Affiliates is a policy exception that allows email messages to be sent to affiliates who are legitimately allowed to receive information covered under the State Data Privacy regulations. Policy exceptions are evaluated before detection match conditions. If there is an exception, in this case an affiliate email address that you have entered, the entire message is discarded and not available for evaluation by detection.
Configuration details:
• Simple exception (single condition)
• Match email recipient: [affiliate1], [affiliate2].
• Edit the "Affiliate Domains" list and enter the email address for each recipient who may make acceptable use of the confidential data.
• At least 1 recipient(s) must match for the exception to trigger.
• Matches on the entire message.

The State Data Privacy policy template implements Exact Data Matching (State Data Privacy EDM rule). If you do not
select an Exact Data profile when you first create a policy based on this template, the EDM condition is not available for
use.
Choosing an Exact Data Profile

Table 747: State Data Privacy EDM rule

Rule name: State Data Privacy, Consumer Data
Condition type: Content matches Exact Data (EDM)
Description: This rule looks for an exact data match on three of the following:
• ABA Routing Number
• Account Number
• Bank Card Number (credit card number)
• Birth Date
• Driver License Number
• First Name
• Last Name
• Password
• PIN Number
• Social Security Number
• State ID Card Number
Exception conditions: the following combinations do not match:
• First Name, Last Name, PIN
• First Name, Last Name, Password
Configuration details: When you are creating the EDM profile, you should validate it against the State Data Privacy template to ensure that the resulting index includes the expected fields.
• Simple rule (single match condition)
• Severity: High
• Report incident if 1 match
• Look in envelope, body, attachments

The following table lists and describes the DCM detection rules implemented by the State Data Privacy policy. If any
one of these rules is violated, the policy produces an incident, unless you have configured the exception condition and
the message recipient is an acceptable use affiliate.

Table 748: State Data Privacy detection rules

Rule name: US Social Security Number Patterns
Condition type: Content Matches Data Identifier (DCM)
Description: The US Social Security Number Patterns rule is designed to detect US social security numbers (SSNs). The Randomized US SSN data identifier detects SSN patterns, both traditional and those issued under the new randomization scheme.
Configuration details:
• Simple rule (single match condition)
• Severity: High.
• Count all matches.
• Look in envelope, subject, body, attachments.

Rule name: ABA Routing Numbers
Condition type: Content Matches Data Identifier (DCM)
Description: The ABA Routing Numbers rule is designed to detect ABA Routing Numbers. The ABA Routing Numbers data identifier detects ABA routing numbers.
Configuration details:
• Simple rule (single match condition)
• Severity: High.
• Count all matches.
• Look in envelope, subject, body, attachments.

Rule name: Credit Card Numbers, All
Condition type: Content Matches Data Identifier (DCM)
Description: The Credit Card Numbers rule is designed to match on credit card numbers. To detect credit card numbers, this rule implements the Credit Card Number narrow breadth system data identifier.
Configuration details:
• Simple rule (single condition)
• Severity: High.
• Count all matches.
• Look in envelope, subject, body, attachments.

Rule name: CA Drivers License Numbers
Condition type: Content Matches Data Identifier (DCM)
Description: The CA Drivers License Numbers rule looks for a match for the CA drivers license number pattern, a match for a data identifier for terms relating to "drivers license," and a keyword from the "California Keywords" dictionary.
Configuration details:
• Simple rule (single condition)
• Severity: High.
• Count all matches.
• Look in envelope, subject, body, attachments.

Rule name: NY Drivers License Numbers
Condition type: Content Matches Data Identifier (DCM)
Description: The NY Drivers License Numbers rule looks for a match for the NY drivers license number pattern, a match for a regular expression for terms relating to "drivers license," and a keyword from the "New York Keywords" dictionary.
Configuration details:
• Simple rule (single condition)
• Severity: High.
• Count all matches.
• Look in envelope, subject, body, attachments.

Rule name: IL Drivers License Numbers
Condition type: Content Matches Data Identifier (DCM)
Description: The IL Drivers License Numbers detection rule looks for a match for the IL drivers license number pattern, a match for a regular expression for terms relating to "drivers license," and a keyword from the "Illinois Keywords" dictionary.
Configuration details:
• Simple rule (single condition)
• Severity: High.
• Count all matches.
• Look in envelope, subject, body, attachments.

Rule name: NJ Drivers License Numbers
Condition type: Content Matches Data Identifier (DCM)
Description: The NJ Drivers License Numbers detection rule looks for a match for the NJ drivers license number pattern, a match for a regular expression for terms relating to "drivers license," and a keyword from the "New Jersey Keywords" dictionary. This condition implements the Driver's License Number - NJ State medium breadth system Data Identifier.
Configuration details:
• Simple rule (single condition)
• Severity: High.
• Count all matches.
• Look in envelope, subject, body, attachments.
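Two settings in this section deserve a worked illustration: the Email to Affiliates exception being evaluated before any detection rule (a matching message is discarded entirely), and "count all matches", under which every candidate that passes its data identifier's validator is counted rather than just the first. The Python below is an added example, not the product's own data identifiers: it uses the public ABA routing-number check digit and the Luhn check for card numbers as the validators, with a constructed affiliate list and constructed messages.

```python
import re

# Constructed stand-in for the "Affiliate Domains" list; placeholder addresses only.
AFFILIATE_RECIPIENTS = {"audit@partner-example.com", "legal@affiliate-example.org"}


def exception_applies(recipients, affiliates=AFFILIATE_RECIPIENTS):
    """Email to Affiliates: at least one recipient must match for the exception to trigger."""
    return any(r.strip().lower() in affiliates for r in recipients)


# Candidate patterns; the digit look-arounds keep a longer digit run from yielding a partial hit.
ABA_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def aba_checksum_ok(digits):
    """ABA routing transit number check digit:
    3(d1+d4+d7) + 7(d2+d5+d8) + (d3+d6+d9) must be divisible by 10."""
    d = [int(c) for c in digits]
    return (3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])) % 10 == 0


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, c in enumerate(reversed(digits)):
        n = int(c)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def count_matches(text, pattern, validator):
    """'Count all matches': every candidate that passes its validator counts toward the total."""
    return sum(1 for m in pattern.finditer(text) if validator(re.sub(r"[ -]", "", m.group())))


def evaluate_state_data_privacy(msg):
    """Exception first: a message to an affiliate is discarded before any detection rule runs.
    Otherwise return (incident, per-rule match counts) over subject, body and attachment text."""
    if exception_applies(msg["recipients"]):
        return False, {"exception": "Email to Affiliates"}
    text = " ".join([msg["subject"], msg["body"], *msg.get("attachments", [])])
    counts = {
        "ABA Routing Numbers": count_matches(text, ABA_RE, aba_checksum_ok),
        "Credit Card Numbers, All": count_matches(text, CARD_RE, luhn_ok),
    }
    return any(counts.values()), counts


# Constructed samples: 123456780 passes the ABA check digit, 123456789 does not;
# 4111 1111 1111 1111 is the well-known Luhn-valid test number.
SAMPLES = {
    "to_affiliate": {"recipients": ["audit@partner-example.com"], "subject": "Q3 reconciliation",
                     "body": "Routing 123456780, card 4111 1111 1111 1111."},
    "external": {"recipients": ["someone@external-example.net"], "subject": "Q3 reconciliation",
                 "body": "Routing 123456780, card 4111 1111 1111 1111, order 123456789."},
    "clean": {"recipients": ["someone@external-example.net"], "subject": "Order update",
              "body": "Order 123456789 ships Monday; card ending 1112 declined."},
}


if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, evaluate_state_data_privacy(msg))
```

Note that the "external" message contains two nine-digit numbers but only one counts: the order number fails the check digit, which is the difference between a data identifier and a bare regular expression. The "to_affiliate" message carries the same card and routing numbers but never reaches the rules, so an over-broad affiliate list silently disables the policy for those recipients; keep that list narrow and review it.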

Configuring policies
Exporting policy detection as a template

SWIFT Codes Policy Template


The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a cooperative organization under Belgian
law and is owned by its member financial institutions. The SWIFT code (also known as a Bank Identifier Code, BIC,
or ISO 9362) has a standard format to identify a bank, location, and the branch involved. These codes are used when
transferring money between banks, particularly across international borders.

DCM Rule SWIFT Code Regular Expression


This rule looks for a match to the SWIFT code regular expression and a keyword from the "SWIFT Code Keywords"
dictionary.
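The reason the rule pairs the regular expression with a keyword becomes clear once you see how permissive the ISO 9362 layout is. The Python below is an added example, not the product's "SWIFT Code Regular Expression": it encodes the public ISO 9362 structure (4-letter institution code, 2-letter country code, 2-character location code, optional 3-character branch code) and a constructed keyword list, and requires both conditions as the rule does. The sample texts are constructed; ABCDUS33XXX is a made-up, format-valid code.

```python
import re

# ISO 9362 layout. Assumed regex for the example, not the product's own pattern.
BIC_RE = re.compile(
    r"(?<![A-Z0-9])([A-Z]{4})([A-Z]{2})([A-Z0-9]{2})([A-Z0-9]{3})?(?![A-Z0-9])")

# Constructed stand-in for the "SWIFT Code Keywords" dictionary.
SWIFT_KEYWORDS = ("swift", "swift code", "bic", "bank identifier code")


def find_bic_candidates(text):
    """Return every format-valid code, split into its ISO 9362 fields."""
    out = []
    for m in BIC_RE.finditer(text):
        institution, country, location, branch = m.groups()
        out.append({"code": m.group(), "institution": institution, "country": country,
                    "location": location, "branch": branch})
    return out


def keyword_present(text, keywords=SWIFT_KEYWORDS):
    """Case-insensitive, whole-word keyword check: the rule's second condition."""
    return any(re.search(rf"(?<!\w){re.escape(k)}(?!\w)", text, re.IGNORECASE)
               for k in keywords)


def swift_rule_matches(text):
    """Both conditions must hold: a format-valid code AND a SWIFT keyword."""
    return bool(find_bic_candidates(text)) and keyword_present(text)


# Constructed samples. DEADBEEF is an ordinary hexadecimal word that happens to fit the
# 8-character layout (institution DEAD, country BE, location EF).
WIRE_TEXT = "Please wire to BIC ABCDUS33XXX, Example Bank, New York."
HEX_TEXT = "Build DEADBEEF failed on the CI runner."


if __name__ == "__main__":
    for text in (WIRE_TEXT, HEX_TEXT):
        print(find_bic_candidates(text), "->", swift_rule_matches(text))
```

Any eight or eleven upper-case alphanumerics with letters in the first six positions satisfy the format, so build identifiers, ticket codes and hex dumps match it routinely; the keyword condition is what keeps the rule from firing on those. Conversely, a real code written in lower case in a chat message is missed by this pattern, which is a trade-off to record when you tune the policy.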

Configuring policies
Exporting policy detection as a template

Turkish Personal Data Protection Law 6698 Policy Template


This policy template detects Turkish personal data including Turkish identities, phone numbers, email/IP addresses and
financial information. The template works best with an exact data profile that contains the following columns:
EmailAddress, cepnumarası, contactnumber, iletişimnumarası, localphonenumber, mobilenumber, phonenumber,
telefonnumarası, and yereltelefonnumarası.

Table 749:

Rule: Turkey Person Identification Number (Data Identifiers)
Description: Default severity: High. Count all unique matches. Look in envelope, subject, body, and attachments.

Rule: Turkey Passport Number (Data Identifiers)
Description: Default severity: High. Count all unique matches. Look in envelope, subject, body, and attachments.

Rule: IPv6 Address (Data Identifiers)
Description: Default severity: High. Count all unique matches. Look in envelope, subject, body, and attachments.

Rule: IBAN East (Data Identifiers)
Description: Default severity: High. Count all unique matches. Look in envelope, subject, body, and attachments.

Rule: Credit Card Number (Data Identifiers)
Description: Default severity: High. Count all unique matches. Look in envelope, subject, body, and attachments.

Rule: TSWIFT Codes (Data Identifiers)
Description: Default severity: High. Count all unique matches. Look in envelope, subject, body, and attachments.

Rule: Turkey Tax Identification Number (Data Identifiers)
Description: Default severity: High. Count all unique matches. Look in envelope, subject, body, and attachments.

Symantec DLP Awareness and Avoidance Policy Template


The Symantec DLP Awareness & Avoidance Policy detects any communications that refer to Symantec Data Loss
Prevention or data loss prevention systems and possible avoidance of detection. The Symantec DLP Awareness &
Avoidance Policy is most useful for the deployments that are not widely known among monitored users.

DCM Rule Symantec DLP Awareness


Checks for a keyword match from the "Symantec DLP Awareness" dictionary.
DCM Rule Symantec DLP Avoidance
This rule is a compound rule with two conditions; both must be matched to trigger an incident. This rule looks for a
keyword match from the "Symantec DLP Awareness" dictionary and a keyword from the "Symantec DLP Avoidance"
dictionary.

Configuring policies
Exporting policy detection as a template

UK Drivers License Numbers Policy Template


The UK Drivers License Numbers Policy detects UK Drivers License Numbers using the official specification of the UK
Government Standards of the UK Cabinet Office.

DCM Rule UK Drivers License Numbers


This rule is a compound rule with the following conditions:
• A single keyword from the "UK Keywords" dictionary
• The pattern matching that of the UK drivers license data identifier
• Different combinations of the phrase "drivers license" using a data identifier

Configuring policies
Exporting policy detection as a template

UK Electoral Roll Numbers Policy Template
The UK Electoral Roll Numbers Policy detects UK Electoral Roll Numbers using the official specification of the UK
Government Standards of the UK Cabinet Office.

DCM Rule UK Electoral Roll Numbers


This rule is a compound rule with the following conditions:
• A single keyword from the "UK Keywords" dictionary
• A pattern matching the UK Electoral Roll Number data identifier
• A single keyword from the "UK Electoral Roll Number Words" dictionary

Configuring policies
Exporting policy detection as a template

UK National Health Service (NHS) Number Policy Template


The UK National Health Service (NHS) Number Policy detects the personal identification number issued by the U.K.
National Health Service (NHS) for administration of medical care.

Rule: UK NHS Numbers
Configuration: This rule looks for a match to the UK National Health Service (NHS) Number data identifier.

Configuring policies
Exporting policy detection as a template

UK National Insurance Numbers Policy Template


The National Insurance Number is issued to individuals by the UK Department for Work and Pensions and Inland
Revenue (DWP/IR) for administering the national insurance system. The UK National Insurance Numbers Policy detects
these insurance policy numbers.

DCM Rule UK National Insurance Numbers


This rule looks for a match to the UK National Insurance number data identifier and a keyword from the dictionary
"UK NIN Keywords."

Configuring policies
Exporting policy detection as a template

UK Passport Numbers Policy Template


The UK Passport Numbers Policy detects valid UK passports using the official specification of the UK Government
Standards of the UK Cabinet Office.

DCM Rule UK Passport Numbers (Old Type)


This rule looks for a keyword from the "UK Passport Keywords" dictionary and a pattern matching the regular
expression for UK Passport Numbers (Old Type).
DCM Rule UK Passport Numbers (New Type)
This rule looks for a keyword from the "UK Passport Keywords" dictionary and a pattern matching the regular
expression for UK Passport Numbers (New Type).

Configuring policies
Exporting policy detection as a template

UK Tax ID Numbers Policy Template


The UK Tax ID Numbers Policy detects UK Tax ID Numbers using the official specification of the UK Government
Standards of the UK Cabinet Office.

DCM Rule UK Tax ID Numbers


This rule looks for a match to the UK Tax ID number data identifier and a keyword from the dictionary "UK Tax ID
Number Keywords."

Configuring policies
Exporting policy detection as a template

US Intelligence Control Markings (CAPCO) and DCID 1/7 Policy Template


The US Intelligence Control Markings (CAPCO) & DCID 1/7 Policy detects authorized terms to identify classified
information in the US Federal Intelligence community as defined in the Control Markings Register, which is maintained by
the Controlled Access Program Coordination Office (CAPCO) of the Community Management Staff (CMS). The register
was created in response to the Director of Central Intelligence Directive (DCID) 1/7.
This rule looks for a keyword match on the phrase "TOP SECRET."

Table 750: Top Secret Information detection rule

Method: Simple rule
Condition: Content Matches Keyword (DCM)
Configuration: Match "TOP SECRET//"
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case sensitive.
• Match on whole or partial words.

This rule looks for a keyword match on the phrase "SECRET."

Table 751: Secret Information detection rule

Method: Simple rule
Condition: Content Matches Keyword (DCM)
Configuration: Match "SECRET//"
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case sensitive.
• Match on whole or partial words.

This rule looks for a keyword match on the phrases "CLASSIFIED" or "RESTRICTED."

Table 752: Classified or Restricted Information (Keyword Match) detection rule

Method: Simple rule
Condition: Content Matches Keyword (DCM)
Configuration: Match "CLASSIFIED//,//RESTRICTED//"
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case sensitive.
• Match on whole or partial words.

Configuring policies
Exporting policy detection as a template

US Social Security Numbers Policy Template


The US Social Security Numbers Policy detects patterns indicating social security numbers at risk of exposure.

Table 753: US Social Security Numbers Policy Template

Rule name: US Social Security Number Patterns
Rule type: DCM Rule
Description: This rule looks for a match to the social security number regular expression and a keyword from the dictionary "US SSN Keywords."

Table 754: US Social Security Numbers profile template

Rule: US Social Security Number Patterns
Configuration: This rule looks for a match from the US Randomized Social Security Number data identifier and a keyword listed in the Match Any Keyword field.

Configuring policies
Exporting policy detection as a template

US States Driver's License Number Policy Template


This policy detects the driver's license number of the 50 US states, the District of Columbia, and the US territories.
The following four data identifiers were added to this policy template in CP-2021-02:
• Driver's License Number - CO State
• Driver's License Number - AL State
• Driver's License Number - PA State
• Driver's License Number - WY State

Table 755:

Rule: Driver's License Number - AR State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Arkansas Department of Finance and Administration, Office of Driver Services. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - AZ State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Arizona Department of Transportation, Motor Vehicle Division. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - CA State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of California Department of Motor Vehicles. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - DC State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the District of Columbia Department of Motor Vehicles. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - FL State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Florida Department of Highway Safety and Motor Vehicles. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - HI State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Hawaii Department of Finance, Vehicle Registration and Licensing Division. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - ID State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Idaho Transportation Department, Division of Motor Vehicles. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - IA State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Iowa Department of Transportation, Motor Vehicle Division, Office of Driver Services. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - IL State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Illinois. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - LA State (Data Identifiers)
Description: Identification number for an individual's driver's license issued by the State of Louisiana. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - NJ State (Data Identifiers)
Description: Identification number for an individual's driver's license issued by the State of New Jersey. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - NY State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of New York. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - OK State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Oklahoma Department of Public Safety. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - OR State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Oregon Department of Transportation, Driver and Motor Vehicle Services Division. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - US Virgin Islands (Data Identifiers)
Description: Identification number for an individual driver's license issued by the US Virgin Islands Department of Motor Vehicles. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - WA State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Washington. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - WI State (Data Identifiers)
Description: Wisconsin driver's license issued by the State of Wisconsin. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - CT State (Data Identifiers)
Description: Connecticut driver's license issued by the State of Connecticut Department of Motor Vehicles. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - IN State (Data Identifiers)
Description: Indiana driver's license issued by the State of Indiana Bureau of Motor Vehicles. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - KS State (Data Identifiers)
Description: Kansas driver's license issued by the State of Kansas Department of Revenue. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - KY State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Kentucky Transportation Cabinet. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - MA State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Massachusetts Registry of Motor Vehicles. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - MD State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Maryland Department of Transportation. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - MI State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Michigan Secretary of State Department. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - MN State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Montana Department of Justice. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - MO State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Missouri Department of Motor Vehicles. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - MT State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Montana Department of Transportation, Motor Vehicle Division, Office of Driver Services. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - MS State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Mississippi Department of Public Safety. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - ND State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of North Dakota Department of Transportation. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - NE State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Nebraska Department of Motor Vehicle Division. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - NH State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of New Hampshire Department of Transportation, Motor Vehicle Division, Office of Driver Services. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - OH State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Ohio Department of Public Safety. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - RI State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Rhode Island Department of Motor Vehicle Division. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - TN State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Tennessee Department of Motor Vehicles. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - VA State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Virginia Department of Motor Vehicles. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - VT State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Vermont Department of Motor Vehicles. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - WV State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of West Virginia Division of Motor Vehicles. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - Guam (Data Identifiers)
Description: Identification number for an individual driver's license issued by the Guam Department of Revenue and Taxation. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - CO State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Colorado. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - AL State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Alaska. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - PA State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Pennsylvania. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: Driver's License Number - WY State (Data Identifiers)
Description: Identification number for an individual driver's license issued by the State of Wyoming. Default severity: High. Check for existence. Look in envelope, subject, body, attachments.

Violence and Weapons Policy Template


The Violence and Weapons Policy detects violent language and discussions about weapons.

Table 756: Violence and Weapons Policy Template

Name: Violence and Weapons
Type: DCM Rule
Description: This rule is a compound rule with two conditions; both must match to trigger an incident. This rule looks for a keyword from the "Violence Keywords" dictionary and a keyword from the "Weapons Keywords" dictionary.

Configuring policies
Exporting policy detection as a template

Virginia Consumer Data Protection Act Policy Template
This policy establishes a framework for controlling and processing personal data in the State of Virginia.

Table 757: Virginia Consumer Data Protection policy template rules

Rule: Randomized US Social Security Number (SSN) (Data Identifiers)
Description: As of June 25th, 2011 the SSA issues "randomized SSNs." The high group number (second part of the SSN) no longer corresponds to the area number (first part of the SSN). In addition, the range of the area number increases from 773 to 899.
Details: Severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: US Passport Number (Data Identifiers)
Description: United States passports are issued to citizens and non-citizen nationals of the United States of America. They are issued exclusively by the U.S. Department of State.
Details: Severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: US Driver License Number - VA State (Data Identifiers)
Description: The Virginia Department of Motor Vehicles issues driving licenses to the citizens of Virginia.
Details: Severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: US Individual Tax Identification Number (ITIN) (Data Identifiers)
Description: A tax processing number issued by the United States Internal Revenue Service (IRS). The IRS issues ITINs to track individuals who are not eligible to obtain Social Security Numbers (SSNs).
Details: Severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: US Adoption Taxpayer Identification Number
Description: An ATIN is an Adoption Taxpayer Identification Number issued by the Internal Revenue Service as a temporary taxpayer identification number for the child in a domestic adoption, where the adopting taxpayers do not have, or are unable to obtain, the child's Social Security Number (SSN).
Details: Severity: High. Check for existence. Look in envelope, subject, body, attachments.

Rule: US Preparer Taxpayer Identification Number (Data Identifiers)
Description: The Preparer Tax Identification Number (PTIN) is an identification number that all paid tax return preparers must use on U.S. federal tax returns or claims for refund submitted to the Internal Revenue Service (IRS).
Details: Severity: High. Check for existence. Look in envelope, subject, body, attachments.

Webmail Policy Template

The Webmail policy detects the use of a variety of Webmail services, including Yahoo, Google, and Hotmail.

Table 758: Webmail policy template rules

Yahoo (Compound detection rule, DCM): Recipient Matches Pattern checks for the URL domain mail.yahoo.com. Content Matches Keyword checks for the keyword ym/compose.
Hotmail (Compound detection rule, DCM): Recipient Matches Pattern checks for the URL domain hotmail.msn.com. Content Matches Keyword checks for the keyword compose?&curmbox.
Go (Compound detection rule, DCM): Recipient Matches Pattern checks for the URL gomailus.go.com. Content Matches Keyword checks for the keyword compose.
AOL (Compound detection rule, DCM): Recipient Matches Pattern checks for the URL domain aol.com. Content Matches Keyword checks for the keyword compose.
Gmail (Compound detection rule, DCM): Recipient Matches Pattern checks for the URL domain gmail.google.com. Content Matches Keyword checks for the keyword gmail.

Configuring policies
Exporting policy detection as a template

Yahoo Message Board Activity Policy Template

The Yahoo Message Board policy template detects Yahoo message board activity.
The Yahoo Message Board detection rule is a compound method that looks for messages posted to the Yahoo message board you specify.
The following table describes the Yahoo Message Board detection rule configuration details.

Table 759: Yahoo Message Board detection rule

Method: Compound rule
Condition: Content Matches Keyword (DCM)
Configuration: Yahoo Message Board (Keyword Match):
• Case insensitive.
• Match Keyword: post.messages.yahoo.com/bbs.
• Match on whole words only.
• Check for existence (do not count multiple matches).
• Look in envelope, subject, body, attachments.
• Match must occur in the same component for both conditions.
AND
Condition: Content Matches Keyword (DCM)
Configuration: Yahoo Message Board (Keyword Match):
• Case insensitive.
• Match Keyword: board=<enter board number>.
• Match on whole words only.
• Check for existence (do not count multiple matches).
• Look in envelope, subject, body, attachments.
• Match must occur in the same component for both conditions.

The Finance Message Board URL detection rule detects messages posted to the Yahoo Finance message board.
The following table describes the Finance Message Board URL detection rule configuration.

Table 760: Finance Message Board URL detection rule

Method: Simple rule
Condition: Content Matches Keyword (DCM)
Configuration: Finance Message Board URL (Keyword Match):
• Case insensitive.
• Match Keyword: messages.finance.yahoo.com.
• Match on whole words only.
• Check for existence (do not count multiple matches).
• Look in envelope, subject, body, attachments.

The Board URLs detection rule detects messages posted to the Yahoo or Yahoo Finance message boards by the URL of either.
The following table describes the Board URLs detection rule configuration details.

Table 761: Board URLs detection rule

Method: Simple rule
Condition: Recipient Matches Pattern (DCM)
Configuration: Board URLs (Recipient):
• Recipient URL: messages.yahoo.com,messages.finance.yahoo.com.
• At least 1 recipient(s) must match.
• Matches on the entire message (not configurable).

Creating a policy from a template


Exporting policy detection as a template

Yahoo and MSN Messengers on Port 80 Policy Template

The Yahoo and MSN Messengers on Port 80 policy detects Yahoo and MSN Messenger activity over port 80.
The Yahoo IM detection rule looks for keyword matches on both ymsg and shttp.msg.yahoo.com.

Table 762: Yahoo IM detection rule

Method: Compound rule
Condition: Content Matches Keyword (DCM)
Configuration: Yahoo IM (Keyword Match):
• Case insensitive.
• Match keyword: ymsg.
• Match on whole words only.
• Count all matches and report an incident for each match.
• Look for matches in the envelope, subject, body, and attachments.
• Match must occur in the same component for both conditions in the rule.
AND
Condition: Content Matches Keyword (DCM)
Configuration: Yahoo IM (Keyword Match):
• Case insensitive.
• Match keyword: shttp.msg.yahoo.com.
• Match on whole words only.
• Count all matches and report an incident for each match.
• Look for matches in the envelope, subject, body, and attachments.
• Match must occur in the same component for both conditions in the rule.

The MSN IM detection rule looks for matches on three keywords in the same message component.

Table 763: MSN IM detection rule

Method: Compound rule
Condition: Content Matches Keyword (DCM)
Configuration: MSN IM (Keyword Match):
• Case insensitive.
• Match keyword: msg.
• Match on whole words only.
• Count all matches and report an incident for each match.
• Look for matches in the envelope, subject, body, and attachments.
• Match must occur in the same component for all conditions in the rule.
AND
Condition: Content Matches Keyword (DCM)
Configuration: MSN IM (Keyword Match):
• Case insensitive.
• Match keyword: x-msn.
• Match on whole words only.
• Count all matches and report an incident for each match.
• Look for matches in the envelope, subject, body, and attachments.
• Match must occur in the same component for all conditions in the rule.
AND
Condition: Content Matches Keyword (DCM)
Configuration: MSN IM (Keyword Match):
• Case insensitive.
• Match keyword: charset=utf-8.
• Match on whole words only.
• Count all matches and report an incident for each match.
• Look for matches in the envelope, subject, body, and attachments.
• Match must occur in the same component for all conditions in the rule.

Table 764: Yahoo IM profile

Rule: Yahoo IM
Configuration: Keyword:
• Case insensitive.
• Match keyword: ymsg.
• Match on whole words only.
• Count all matches and report an incident for each match.
• Look for matches in the envelope, subject, body, and attachments.
• Match must occur in the same component for both conditions in the rule.
AND
Rule: Yahoo IM
Configuration: Keyword:
• Case insensitive.
• Match keyword: shttp.msg.yahoo.com.
• Match on whole words only.
• Count all matches and report an incident for each match.
• Look for matches in the envelope, subject, body, and attachments.
• Match must occur in the same component for both conditions in the rule.

Creating a policy from a template


Exporting policy detection as a template
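The compound keyword rules in the Webmail, Yahoo Message Board and Yahoo/MSN Messenger templates above all depend on the same three settings: case-insensitive whole-word keyword matching, a choice between checking for existence and counting every match, and the requirement that every condition of a compound rule match in the same message component. The Python evaluator below is an added example written for this page; it is not Symantec's detection engine or any code from the product. The Message class, the rule objects, the sample traffic, and the way incidents are counted across the conditions of a compound rule are assumptions made for the illustration, and the board number in the Yahoo Message Board rule is a constructed placeholder.

```python
"""Added example (not Symantec's code): evaluator for keyword-based compound
detection (DCM) rules as described in the policy templates above."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The message components a DCM rule can be told to look in (assumed names).
COMPONENTS = ("envelope", "subject", "body", "attachments")


@dataclass
class Message:
    """Constructed message: the four inspected components plus recipient URLs."""
    envelope: str = ""
    subject: str = ""
    body: str = ""
    attachments: str = ""
    recipients: Tuple[str, ...] = ()


@dataclass
class KeywordCondition:
    """Content Matches Keyword (DCM): case insensitive, whole words only."""
    keyword: str
    count_all: bool = False  # False: check for existence; True: count all matches

    def count_in(self, text: str) -> int:
        # Lookarounds instead of \b so keywords that start or end with a
        # non-word character (x-msn, charset=utf-8, ym/compose) still match
        # only as whole words; re.escape keeps '.' and '?' literal.
        pattern = r"(?<!\w)" + re.escape(self.keyword) + r"(?!\w)"
        return len(re.findall(pattern, text, flags=re.IGNORECASE))


@dataclass
class RecipientCondition:
    """Recipient Matches Pattern (DCM): at least N recipient URLs contain one of
    the configured domains. Checked on the whole message, not per component."""
    domains: Tuple[str, ...]
    min_recipients: int = 1

    def matches(self, recipients: Tuple[str, ...]) -> bool:
        hits = sum(1 for url in recipients
                   if any(d.lower() in url.lower() for d in self.domains))
        return hits >= self.min_recipients


@dataclass
class CompoundRule:
    name: str
    keyword_conditions: List[KeywordCondition]
    recipient_condition: Optional[RecipientCondition] = None
    look_in: Tuple[str, ...] = COMPONENTS

    def evaluate(self, msg: Message) -> Tuple[bool, Optional[str], int]:
        """Return (matched, component, incident_count).

        Every keyword condition must match in the same component; the recipient
        condition, if present, is evaluated once against the whole message.
        Counting incidents across several count-all conditions is an assumption:
        the smallest per-condition count is used so each reported incident is
        backed by a match of every condition."""
        if self.recipient_condition and not self.recipient_condition.matches(msg.recipients):
            return False, None, 0
        for comp in self.look_in:
            counts = [c.count_in(getattr(msg, comp)) for c in self.keyword_conditions]
            if all(counts):
                if any(c.count_all for c in self.keyword_conditions):
                    return True, comp, min(counts)
                return True, comp, 1
        return False, None, 0


# Rules transcribed from the templates above (board number is a placeholder).
YAHOO_IM = CompoundRule("Yahoo IM", [KeywordCondition("ymsg", count_all=True),
                                     KeywordCondition("shttp.msg.yahoo.com", count_all=True)])
MSN_IM = CompoundRule("MSN IM", [KeywordCondition("msg", count_all=True),
                                 KeywordCondition("x-msn", count_all=True),
                                 KeywordCondition("charset=utf-8", count_all=True)])
YAHOO_BOARD = CompoundRule("Yahoo Message Board",
                           [KeywordCondition("post.messages.yahoo.com/bbs"),
                            KeywordCondition("board=12345")])
GMAIL_WEBMAIL = CompoundRule("Gmail", [KeywordCondition("gmail")],
                             RecipientCondition(("gmail.google.com",)))

# Constructed sample traffic.
IM_SESSION = Message(body="GET /notify HTTP/1.1\nHost: shttp.msg.yahoo.com\n"
                          "Referer: http://shttp.msg.yahoo.com/\n"
                          "ymsg session start\nymsg keepalive")
MSN_SESSION = Message(body="MSG 1 23\nx-msn-host: messenger\n"
                           "Content-Type: text/plain; charset=utf-8")
SPLIT_COMPONENTS = Message(subject="msg for you",
                           body="x-msn header present; charset=utf-8")
BOARD_POST = Message(body="POST http://post.messages.yahoo.com/bbs?board=12345 HTTP/1.1")
GMAIL_POST = Message(recipients=("http://gmail.google.com/mail/",),
                     body="compose: new gmail message")
OTHER_POST = Message(recipients=("https://mail.example.com/compose",),
                     body="compose: new gmail message")

if __name__ == "__main__":
    for rule, msg in [(YAHOO_IM, IM_SESSION), (MSN_IM, MSN_SESSION),
                      (MSN_IM, SPLIT_COMPONENTS), (YAHOO_BOARD, BOARD_POST),
                      (GMAIL_WEBMAIL, GMAIL_POST), (GMAIL_WEBMAIL, OTHER_POST)]:
        print(rule.name, rule.evaluate(msg))
```

The SPLIT_COMPONENTS message is the case the same-component setting exists for: "msg" in the subject and "x-msn" plus "charset=utf-8" in the body together do not make an MSN Messenger exchange, so the rule stays silent, while the same three keywords inside one component report an incident.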

Response Rules
Configure policy response rules.
You can implement one or more response rules in a policy to remedy, escalate, resolve, and dismiss incidents when a
violation occurs. For example, if a policy is violated, a response rule blocks the transmission of a file containing sensitive
content.
About response rule actions
You create, modify, and manage response rules separate from the policies that declare them. This decoupling allows
response rules to be updated and reused across policies.
Implementing response rules
The detection server automatically executes response rules. Or, you can configure Smart Response rules for manual
execution by an incident remediator.
About response rule execution types
You can implement conditions to control how and when response rules execute.
About response rule conditions
You can sequence the order of execution for response rules of the same type.
About response rule action execution priority
You must have response rule authoring privileges to create and manage response rules.
About response rule authoring privileges

About response rule actions


Response rule actions are the components that take action when a policy violation occurs. Response rule actions are
mandatory components of response rules. If you create a response rule, you must define at least one action for the
response rule to be valid.
Symantec Data Loss Prevention provides several response rule actions. Many are available for all types of detection
servers. Others are available for specific detection servers.
Implementing response rules
The detection server where a policy is deployed executes a response rule action any time a policy violation occurs. Or,
you can configure a response rule condition to dictate when the response rule action executes.
About response rule conditions
For example, any time a policy is violated, send an email to the user who violated the policy and the manager. Or, if a
policy violation severity level is medium, present the user with an on-screen warning. Or, if the severity is high, block a file
from being copied to an external device.

Table 765: Response rule actions by server type

All detection servers: Response rule actions for all detection servers
Endpoint detection servers: Response rule actions for endpoint detection
Network Prevent detection servers: Response rule actions for Network Prevent detection
Network Protect detection servers: Response rule actions for Network Protect detection
Cloud Detection Service REST detectors and API Detection for Developer Apps Appliances: Response rule actions for Cloud Applications and API appliance detectors

Response rule actions for all detection servers


Symantec Data Loss Prevention provides several response rule actions for Endpoint Prevent, Endpoint Discover, Network
Prevent for Web, Network Prevent for Email, and Network Protect.

Table 766: Available response rule actions for all detection servers

Add Note. Add a field to the incident record that the remediator can annotate at the Incident Snapshot screen. See Configuring the Add Note action.
Limit Incident Data Retention. Discard or retain matched data with the incident record. See Configuring the Limit Incident Data Retention action.
Log to a Syslog Server. Log the incident to a syslog server. See Configuring the Log to a Syslog Server action.
Send Email Notification. Send an email you compose to recipients you specify. See Configuring the Send Email Notification action.
Server FlexResponse. Execute a custom Server FlexResponse action. Note: This response rule action is available only if you deploy one or more custom Server FlexResponse plug-ins to Symantec Data Loss Prevention.
Set Attribute. Add a custom value to the incident record. See Configuring the Set Attribute action.
Set Status. Change the incident status to the specified value. See Configuring the Set Status action.

About response rules


Implementing response rules

Response rule actions for endpoint detection


Symantec Data Loss Prevention provides several response rule actions for Endpoint Prevent and Endpoint Discover.

Table 767: Available Endpoint response rule actions

Endpoint: FlexResponse. Take custom action using the FlexResponse API. See Configuring the Endpoint: FlexResponse action.
Endpoint Discover: Information Centric Defense. The Endpoint Discover: Information Centric Defense response rule action flags sensitive files for Symantec Endpoint Protection (SEP) monitoring.
Endpoint Discover: Quarantine File. Quarantine a discovered sensitive file. See Configuring the Endpoint Discover: Quarantine File action.
Endpoint Prevent: Block. Block the transfer of data that violates the policy. For example, block the copy of confidential data from an endpoint to a USB flash drive. See Configuring the Endpoint Prevent: Block action.
Endpoint Prevent: Notify. Display an on-screen notification to the endpoint user when confidential data is transferred. See Configuring the Endpoint Prevent: Notify action.
Endpoint Prevent: User Cancel. Allow the user to cancel the transfer of a confidential file. The override is time sensitive. See Configuring the Endpoint Prevent: User Cancel action.

About response rules


Implementing response rules

Response rule actions for Network Prevent detection


Symantec Data Loss Prevention provides several response rule actions for Network Prevent for Web and Network
Prevent for Email.

Table 768: Available Network response rule actions

Network Prevent: Block FTP Request. Block FTP transmissions. See Configuring the Network Prevent for Web: Block FTP Request action. Note: Only available with Network Prevent for Web.
Network Prevent: Block HTTP/S. Block Web postings. See Configuring the Network Prevent for Web: Block HTTP/S action. Note: Only available with Network Prevent for Web.
Network Prevent: Block SMTP Message. Block email that causes an incident. See Configuring the Network Prevent: Block SMTP Message action.
Network Prevent: Modify SMTP Message. Modify sensitive email messages. For example, change the email subject to include information about the violation. See Configuring the Network Prevent: Modify SMTP Message action.
Network Prevent: Remove HTTP/S Content. Remove confidential content from Web posts. See Configuring the Network Prevent for Web: Remove HTTP/S Content action. Note: Only available with Network Prevent for Web.

About response rules


Implementing response rules

Response rule actions for Network Protect detection


Symantec Data Loss Prevention provides several response rule actions for Network Protect (Discover).

Table 769: Available Network Protect response rule actions

Network Protect: Copy File. Copy sensitive files to a location you specify. See Configuring the Network Protect: Copy File action. Note: Only available with Network Protect.
Network Protect: Quarantine File. Quarantine sensitive files. See Configuring the Network Protect: Quarantine File action. Note: Only available with Network Protect.

About response rules


Implementing response rules

Response rule actions for Cloud Applications and API appliance detectors

The Symantec Data Loss Prevention Cloud Detection Service enables you to connect Symantec Data Loss Prevention
to your cloud access security broker (CASB) solution. You can use the public REST API to send sensitive data from your
CASB solution to Symantec Data Loss Prevention for inspection. Symantec Data Loss Prevention responds with policy
violation information and recommendations for remediation action where appropriate.
The API Detection for Developer Apps Appliance enables you to connect with on-premises applications. You can use the
REST API to submit data from your applications to Symantec Data Loss Prevention for inspection. Symantec Data Loss
Prevention responds with policy violation information and recommendations for remediation action where appropriate.
These Cloud Applications and API appliance response rules let you configure the remediation recommendation messages
that Symantec Data Loss Prevention includes in the detection responses it sends back to the REST client in the
customResponsePayload or message parameters.

Table 770: Available Cloud Applications and API appliance Smart Response rule actions

Encrypt. The Encrypt Smart Response action lets you encrypt sensitive files in cloud applications through the Symantec Data Loss Prevention Cloud Detection Service. See Configuring the Encrypt Smart Response action.
Remove Collaborator Access. The Remove Collaborator Access Smart Response action removes collaborator access from shared files in cloud applications through the Cloud Detection Service. See Configuring the Remove Collaborator Access Smart Response action.
Remove Shared Links. The Remove Shared Links Smart Response action removes shared links from files in cloud applications through the Cloud Detection Service. See Configuring the Remove Shared Links Smart Response action.

Table 771: Available Cloud Applications and API appliance (Data-at-Rest) automated response rule actions

Custom Action on Data-at-Rest. The Custom Action on Data-at-Rest action returns a recommendation to perform some custom action on the sensitive data with the detection result. See Configuring the Custom Action on Data-at-Rest action.

Delete Data-at-Rest. The Delete Data-at-Rest action deletes sensitive data in the following cloud applications through the Cloud Detection Service:
• Dropbox
• Gmail
• Office 365 Email
See Configuring the Delete Data-at-Rest action.

Encrypt Data-at-Rest. The Encrypt Data-at-Rest action encrypts sensitive data in the following applications through the Cloud Detection Service:
• Office 365 OneDrive
• Office 365 SharePoint
See Configuring the Encrypt Data-at-Rest action.

Perform DRM on Data-at-Rest. The Perform DRM on Data-at-Rest action applies Digital Rights Management (DRM) to the sensitive data. See Configuring the Perform DRM on Data-at-Rest action.

Quarantine Data-at-Rest. The Quarantine Data-at-Rest action quarantines sensitive data in the following cloud applications through the Cloud Detection Service:
• Box
• Office 365 OneDrive
• Office 365 SharePoint
• Salesforce
• Slack
See Configuring the Quarantine Data-at-Rest action.

Remove Shared Links in Data-at-Rest. The Remove Shared Links in Data-at-Rest action removes shared links to sensitive data in the following cloud applications through the Cloud Detection Service:
• Box
• Dropbox
• Google Drive
• Office 365 OneDrive
• Salesforce
See Configuring the Remove Shared Links in Data-at-Rest action.

Tag Data-at-Rest. The Tag Data-at-Rest action tags the sensitive data. See Configuring the Tag Data-at-Rest action.

Table 772: Available Cloud Applications and API appliance (Additional Data-at-Rest Actions) automated response rule actions

Prevent download, copy, print. The Prevent download, copy, print action prevents download, copy, and print options for the sensitive data in Google Drive. See Configuring the Prevent download, copy, print action.

Remove Collaborator Access. The Remove Collaborator Access action removes access from collaborators to sensitive data files in the following cloud applications through the Cloud Detection Service:
• Box
• Dropbox
• Google Drive
• Office 365 SharePoint
• Salesforce
See Configuring the Remove Collaborator Access action.

Set Collaborator Access to 'Edit'. The Set Collaborator Access to 'Edit' action grants collaborators edit access to sensitive data files in the following cloud applications through the Cloud Detection Service:
• Box
• Dropbox
• Google Drive
• Office 365 SharePoint
• Salesforce
See Configuring the Set Collaborator Access to 'Edit' action.

Set Collaborator Access to 'Preview'. The Set Collaborator Access to 'Preview' action grants collaborators preview access to sensitive data files in the Box cloud application through the Cloud Detection Service. See Configuring the Set Collaborator Access to 'Preview' action.

Set Collaborator Access to 'Read'. The Set File Access to 'Internal Edit' action grants edit access to all members of your organization to sensitive files in the following cloud applications through the Cloud Detection Service:
• Box
• Dropbox
• Google Drive
• Office 365 SharePoint
• Salesforce
See Configuring the Set Collaborator Access to 'Read' action.

Set File Access to 'All Read'. The Set File Access to 'All Read' action grants public read access to sensitive data files in the following cloud applications through the Cloud Detection Service:
• Google Drive
• Office 365 OneDrive
• Office 365 SharePoint
See Configuring the Set File Access to 'All Read' action.

Set File Access to 'Internal Edit'. The Set File Access to 'Internal Edit' action grants edit access to all members of your organization to sensitive files in the following cloud applications through the Cloud Detection Service:
• Box
• Google Drive
• Office 365 OneDrive
• Office 365 SharePoint
• Salesforce
See Configuring the Set File Access to 'Internal Edit'.

Set File Access to 'Internal Read'. The Set File Access to 'Internal Read' action grants read access to all members of your organization to sensitive data files in the following cloud applications through the Cloud Detection Service:
• Box
• Google Drive
• Office 365 SharePoint
• Salesforce
See Configuring the Set File Access to 'Internal Read' action.

Table 773: Available Cloud Applications and API appliance (Data-in-Motion) automated response rule actions

Add two-factor authentication. The Add two-factor authentication action adds two-factor authentication to the sensitive data. See Configuring the Add two-factor authentication action.

Block Data-in-Motion. The Block Data-in-Motion action blocks the sensitive data.
Note: Online services such as Dropbox, OneDrive, and Google Drive may upload large files in chunks. Symantec Data Loss Prevention cannot seamlessly process file contents that are split across multiple HTTP messages. If the files are uploaded in chunks, Symantec Web Prevent detects the offending content but does not block it from upload.
Note: For Dropbox, files that are over 8 MB are uploaded in chunks. For OneDrive and Google Drive, files that are over 1 MB are uploaded in chunks.
Note: You may see different results with different browsers.
See Configuring the Block Data-in-Motion action.

Custom Action on Data-in-Motion. The Custom Action on Data-in-Motion action returns a recommendation to take some custom action on the sensitive data with the detection result. See Configuring the Custom Action on Data-in-Motion action.

Encrypt Data-in-Motion. The Encrypt Data-in-Motion action encrypts the sensitive data. See Configuring the Encrypt Data-in-Motion action.

Perform DRM on Data-in-Motion. The Perform DRM on Data-in-Motion action applies Digital Rights Management (DRM) to the sensitive data. See Configuring the Perform DRM on Data-in-Motion action.

Quarantine Data-in-Motion. The Quarantine Data-in-Motion action quarantines the sensitive data. See Configuring the Quarantine Data-in-Motion action.

Redact Data-in-Motion. The Redact Data-in-Motion action redacts the sensitive data. See Configuring the Redact Data-in-Motion action.

About response rule execution types


Symantec Data Loss Prevention provides two types of policy response rules: Automated and Smart.
The detection server that reports a policy violation executes Automated Response rules. Users such as incident
remediators execute Smart Response rules on demand from the Enforce Server administration console.

Table 774: Response rule types

Automated Response rules. When a policy violation occurs, the detection server automatically executes response rule actions. See About Automated Response rules.
Smart Response rules. When a policy violation occurs, an authorized user manually triggers the response rule. See About Smart Response rules.

About response rule actions


Implementing response rules

About Automated Response rules


The system executes Automated Response rules when the detection engine reports a policy violation. However, if you
implement a response rule condition, the condition must be met for the system to execute the response rule. Conditions
let you control the automated execution of response rule actions.
About response rule conditions
For example, the system can automatically block certain policy violating actions, such as the attempted transfer of high
value customer data or sensitive design documents. Or, the system can escalate an incident to a workflow management
system for immediate attention. Or, you can set a different severity level for an incident involving 1000 customer records
than for one involving only 10 records.
Implementing response rules

About Smart Response rules


Users execute Smart Response rules on demand in response to policy violations from the Enforce Server administration
console Incident Snapshot screen.
About response rule actions
You create Smart Response rules for the situations that require human remediation. For example, you might create a
Smart response rule to dismiss false positive incidents. An incident remediator can review the incident, identify the match
as a false positive, and dismiss it.
About configuring Smart Response rules

Only some response rules are available for manual execution.

Table 775: Available Smart Response rules for manual execution

Add Note. Add a field to the incident record that the remediator can annotate at the Incident Snapshot screen. See Configuring the Add Note action.
Log to a Syslog Server. Log the incident to a syslog server for workflow remediation. See Configuring the Log to a Syslog Server action.
Quarantine. Quarantine sensitive data in cloud applications.
Restore File. Restore a previously quarantined cloud application file.
Send Email Notification. Send an email you compose to recipients you specify. See Configuring the Send Email Notification action.
Server FlexResponse. Execute a custom Server FlexResponse action. Note: This response rule action is available only if you deploy one or more custom Server FlexResponse plug-ins to Symantec Data Loss Prevention.
Set Status. Set the incident status to the specified value. See Configuring the Set Status action.
Network Protect SharePoint Quarantine. Quarantine sensitive data stored on a Microsoft SharePoint server. See Configuring the Network Protect: SharePoint Quarantine smart response action.
Network Protect SharePoint Release from Quarantine. Release sensitive files that were quarantined from a Microsoft SharePoint server. See Configuring the Network Protect: SharePoint Release from Quarantine smart response action.

Implementing response rules

Response Rule Conditions


Use response rule conditions to trigger response rule actions.
Response rule conditions are optional response rule components. Conditions define how and when the system triggers
response rule actions. Conditions give you multiple ways to prioritize incoming incidents to focus remediation efforts and
take appropriate response.
Implementing response rules
Response rule conditions trigger action based on detection match criteria. For example, you can configure a condition to
trigger action for high severity incidents, certain types of incidents, or after a specified number of incidents.
Configuring response rule conditions
Conditions are not required. If a response rule does not declare a condition, the response rule action always executes
each time an incident occurs. If a condition is declared, it must be met for the action to trigger. If more than one condition
is declared, all must be met for the system to take action.
Configuring response rules

Table 776: Available Response Rule Conditions

Endpoint Location. Triggers a response action when the endpoint is on or off the corporate network. See Configuring the Endpoint Location response condition.
Endpoint Device. Triggers a response action when an event occurs on a configured endpoint device. See Configuring the Endpoint Device response condition.
Incident Type. Triggers a response action when the specified type of detection server reports a match. See Configuring the Incident Type response condition.
Incident Match Count. Triggers a response action when the volume of policy violations exceeds a threshold or range. See Configuring the Incident Match Count response condition.
Protocol or Endpoint Monitoring. Triggers a response action when an incident is detected on a specified network communications protocol (such as HTTP) or endpoint destination (such as CD/DVD). See Configuring the Protocol or Endpoint Monitoring response condition.
Severity. Triggers a response action when the policy violation is a certain severity level. See Configuring the Severity response condition.
User Risk Score. Triggers a response action when a user risk score is at a specified count. See Configuring the User Risk Response Condition.

About response rule action execution priority


A Symantec Data Loss Prevention server executes response rule actions according to a system-defined prioritized order.
You cannot modify the order of execution among response rules of different types.
In all cases, when a server executes two or more different response rules for the same policy, the higher priority response
action takes precedence.
Consider the following examples:
• One endpoint response rule lets a user cancel an attempted file copy and another rule blocks the attempt.
The detection server blocks the file copy.
• One network response rule action copies a file and another action quarantines it.
The detection server quarantines the file.
• One network response rule action modifies the content of an email message and another action blocks the
transmission.
The detection server blocks the email transmission.
You cannot change the priority execution order for different response rule action types. But, you can modify the order of
execution for the same type of response rule action with conflicting instructions.
Modifying response rule ordering
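To show how the optional conditions described under Response Rule Conditions (all declared conditions must be met; a rule without conditions always executes) combine with the system-defined execution priority described here, the following small Python model was written for this page. It is an added example, not Symantec's code and not the product's actual scheduler. The Incident fields, the rule set, the sample incidents and the conflict groups that let Block win over User Cancel, Block SMTP Message over Modify SMTP Message, and Quarantine File over Copy File are assumptions chosen to reproduce the three examples given above; the priority list reproduces the order of Table 777 for the endpoint, network and common actions.

```python
"""Added example (not Symantec's code): how optional response rule conditions
and the system-defined execution priority decide what a server does for an
incident. Field names, rules and conflict groups are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# System-defined execution priority, highest first (Table 777, endpoint,
# network and common actions only).
PRIORITY = [
    "Endpoint Prevent: Block",
    "Endpoint Prevent: User Cancel",
    "Endpoint: FlexResponse",
    "Endpoint Prevent: Notify",
    "Endpoint Discover: Quarantine File",
    "All: Limit Incident Data Retention",
    "Network Prevent: Block SMTP Message",
    "Network Prevent: Modify SMTP Message",
    "Network Prevent for Web: Remove HTTP/HTTPS Content",
    "Network Prevent for Web: Block HTTP/HTTPS",
    "Network Prevent for Web: Block FTP Request",
    "Network Protect: Copy File",
    "Network Protect: Quarantine File",
    "All: Set Status",
    "All: Set Attribute",
    "All: Add Note",
    "All: Log to a Syslog Server",
    "All: Send Email Notification",
]
RANK = {action: i for i, action in enumerate(PRIORITY)}

# Assumption: actions in one group decide the same thing (the fate of the
# transfer, message or file), so only the highest-priority one takes effect.
# This reproduces the three examples given in the text above.
CONFLICT_GROUPS = [
    {"Endpoint Prevent: Block", "Endpoint Prevent: User Cancel"},
    {"Network Prevent: Block SMTP Message", "Network Prevent: Modify SMTP Message"},
    {"Network Protect: Copy File", "Network Protect: Quarantine File"},
]


@dataclass
class Incident:
    """Constructed incident attributes that response conditions can test."""
    severity: str            # "High", "Medium", "Low", "Info"
    match_count: int
    incident_type: str       # which kind of detection server reported it
    protocol: str = ""       # network protocol or endpoint destination
    on_corporate_network: bool = True


@dataclass
class ResponseRule:
    name: str
    action: str
    # Each condition is (incident attribute, predicate). No conditions: always runs.
    conditions: List[Tuple[str, Callable[[object], bool]]] = field(default_factory=list)

    def triggered(self, inc: Incident) -> bool:
        # If more than one condition is declared, all must be met.
        return all(pred(getattr(inc, attr)) for attr, pred in self.conditions)


def resolve(rules: List[ResponseRule], inc: Incident) -> List[str]:
    """Actions the server executes for `inc`, in execution-priority order,
    with the lower-priority member of each conflict group suppressed."""
    triggered = sorted({r.action for r in rules if r.triggered(inc)}, key=RANK.__getitem__)
    executed, settled = [], []   # settled: conflict groups already decided
    for action in triggered:
        group = next((g for g in CONFLICT_GROUPS if action in g), None)
        if group is not None:
            if any(group is g for g in settled):
                continue         # a higher-priority action already decided this
            settled.append(group)
        executed.append(action)
    return executed


# Constructed rule set.
RULES = [
    ResponseRule("Let user cancel", "Endpoint Prevent: User Cancel",
                 [("incident_type", lambda t: t == "Endpoint")]),
    ResponseRule("Block high severity copies", "Endpoint Prevent: Block",
                 [("incident_type", lambda t: t == "Endpoint"),
                  ("severity", lambda s: s == "High")]),
    ResponseRule("Warn user off network", "Endpoint Prevent: Notify",
                 [("incident_type", lambda t: t == "Endpoint"),
                  ("on_corporate_network", lambda on: not on)]),
    ResponseRule("Block bulk outbound mail", "Network Prevent: Block SMTP Message",
                 [("protocol", lambda p: p == "SMTP"),
                  ("match_count", lambda n: n >= 10)]),
    ResponseRule("Tag mail subject", "Network Prevent: Modify SMTP Message",
                 [("protocol", lambda p: p == "SMTP")]),
    ResponseRule("Always annotate", "All: Add Note"),
    ResponseRule("Escalate large leaks", "All: Send Email Notification",
                 [("match_count", lambda n: n >= 1000)]),
]

# Constructed incidents.
USB_COPY = Incident("High", 5, "Endpoint", "USB")
USB_COPY_OFFSITE = Incident("Medium", 5, "Endpoint", "USB", on_corporate_network=False)
BIG_MAIL = Incident("High", 1000, "Network", "SMTP")
SMALL_MAIL = Incident("Low", 3, "Network", "SMTP")

if __name__ == "__main__":
    for inc in (USB_COPY, USB_COPY_OFFSITE, BIG_MAIL, SMALL_MAIL):
        print(inc, "->", resolve(RULES, inc))
```

The USB_COPY incident triggers both the User Cancel and the Block rule; Block has the higher priority, so the copy is blocked and the user is never offered the cancel dialog, exactly as in the first example above. The two mail incidents show the Incident Match Count condition in use: 1000 records get the message blocked and an escalation email, while 3 records only get the subject modified.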

Table 777: System-defined response rule execution priority

Execution priority (from highest to lowest):
Endpoint Prevent: Block (see Configuring the Endpoint Prevent: Block action)
Endpoint Prevent: User Cancel (see Configuring the Endpoint Prevent: User Cancel action)
Endpoint: FlexResponse (see Configuring the Endpoint: FlexResponse action)
Endpoint Prevent: Notify (see Configuring the Endpoint Prevent: Notify action)
Endpoint Discover: Quarantine File (see Configuring the Endpoint Discover: Quarantine File action)
All: Limit Incident Data Retention (see Configuring the Limit Incident Data Retention action)
Network Prevent: Block SMTP Message (see Configuring the Network Prevent: Block SMTP Message action)
Network Prevent: Modify SMTP Message (see Configuring the Network Prevent: Modify SMTP Message action)
Network Prevent for Web: Remove HTTP/HTTPS Content (see Configuring the Network Prevent for Web: Remove HTTP/S Content action)
Network Prevent for Web: Block HTTP/HTTPS (see Configuring the Network Prevent for Web: Block HTTP/S action)
Network Prevent for Web: Block FTP Request (see Configuring the Network Prevent for Web: Block FTP Request action)
Network Protect: Copy File (see Configuring the Network Protect: Copy File action)
Network Protect: Quarantine File (see Configuring the Network Protect: Quarantine File action)
All: Set Status (see Configuring the Set Status action)
All: Set Attribute (see Configuring the Set Attribute action)
All: Add Note (see Configuring the Add Note action)
All: Log to a Syslog Server (see Configuring the Log to a Syslog Server action)
All: Send Email Notification (see Configuring the Send Email Notification action)
Server FlexResponse. Note: Server FlexResponse actions that are part of Automated Response rules execute on the Enforce Server, rather than the detection server.
Cloud Applications and API appliance (Data-in-Motion): Block Data-in-Motion (see Configuring the Block Data-in-Motion action)
Cloud Applications and API appliance (Data-in-Motion): Redact Data-in-Motion (see Configuring the Redact Data-in-Motion action)
Cloud Applications and API appliance (Data-in-Motion): Encrypt Data-in-Motion (see Configuring the Encrypt Data-in-Motion action)
Cloud Applications and API appliance (Data-in-Motion): Quarantine Data-in-Motion (see Configuring the Quarantine Data-in-Motion action)
Cloud Applications and API appliance (Data-in-Motion): Perform DRM on Data-in-Motion (see Configuring the Perform DRM on Data-in-Motion action)
Cloud Applications and API appliance (Data-in-Motion): Custom Action on Data-in-Motion (see Configuring the Custom Action on Data-in-Motion action)
Cloud Applications and API appliance (Data-at-Rest): Encrypt Data-at-Rest (see Configuring the Encrypt Data-at-Rest action)
Cloud Applications and API appliance (Data-at-Rest): Delete Data-at-Rest (see Configuring the Delete Data-at-Rest action)
Cloud Applications and API appliance (Data-at-Rest): Quarantine Data-at-Rest (see Configuring the Quarantine Data-at-Rest action)
Cloud Applications and API appliance (Data-at-Rest): Tag Data-at-Rest (see Configuring the Tag Data-at-Rest action)
Cloud Applications and API appliance (Data-at-Rest): Perform DRM on Data-at-Rest (see Configuring the Perform DRM on Data-at-Rest action)
Cloud Applications and API appliance (Data-at-Rest): Break Links in Data-at-Rest (see Configuring the Remove Shared Links in Data-at-Rest action)
Cloud Applications and API appliance (Data-at- Configuring the Custom Action on Data-at-Rest action
Rest): Custom Action on Data-at-Rest

1360
Execution priority
Description
(from highest to lowest)
Cloud Applications and API appliance (Additional Configuring the Set File Access to 'All Read' action
Data-at-Rest Actions): Set File Access to 'All Read'
Cloud Applications and API appliance (Additional Configuring the Prevent download, copy, print action
Data-at-Rest Actions): Prevent download, copy,
print
Cloud Applications and API appliance (Additional Configuring the Set File Access to 'Internal Read' action
Data-at-Rest Actions): Set File Access to 'Internal
Read'
Cloud Applications and API appliance (Additional Configuring the Set File Access to 'Internal Edit'
Data-at-Rest Actions): Set File Access to 'Internal
Edit'
Cloud Applications and API appliance (Additional Configuring the Set Collaborator Access to 'Read' action
Data-at-Rest Actions): Set Collaborator Access to
'Read'
Cloud Applications and API appliance (Additional Configuring the Set Collaborator Access to 'Edit' action
Data-at-Rest Actions): Set Collaborator Access to
'Edit'
Cloud Applications and API appliance (Additional Configuring the Remove Collaborator Access action
Data-at-Rest Actions): Remove Collaborator
Access
Cloud Applications and API appliance (Additional Configuring the Set Collaborator Access to 'Preview' action
Data-at-Rest Actions): Set Collaborator Access to
'Preview'
Cloud Applications and API appliance (Data-in- Configuring the Add two-factor authentication action
Motion): Add two-factor authentication


About response rule authoring privileges


To manage and create response rules, you must be assigned to a role with response rule authoring privileges. To add a
response rule to a policy, you must have policy authoring privileges.

For business reasons, you may want to grant response rule authoring and policy authoring privileges to the same role. Or,
you may want to keep these roles separate.

If you log on to the system as a user without response rule authoring privileges, the Manage > Policies > Response
Rules screen is not available.

Implementing response rules


You define response rules independent of policies.
About response rules
You must have response rule authoring privileges to create and manage response rules.
About response rule authoring privileges

Table 778: Workflow for implementing policy response rules

Step | Action | Description
1 | Review the available response rules. | The Manage > Policies > Response Rules screen displays all configured response rules (see Manage response rules). The solution pack for your system provides configured response rules. You can use these response rules in your policies as they exist, or you can modify them.
2 | Decide the type of response rule to implement: Smart, Automated, both. | Decide the type of response rules based on your business requirements (see About response rule execution types).
3 | Determine the type of actions you want to implement and any triggering conditions. | See About response rule conditions and About response rule actions.
4 | Understand the order of precedence among response rule actions of different and the same types. | See About response rule action execution priority and Modifying response rule ordering.
5 | Integrate the Enforce Server with an external system (if required for the response rule). | Some response rules may require integration with external systems. These may include: a SIEM system for the Log to a Syslog Server response rule; an SMTP email server for the Send Email Notification response rule; a Web proxy host for Network Prevent for Web response rules; an MTA for Network Prevent for Email response rules.
6 | Add a new response rule. | See Adding a new response rule.
7 | Configure response rules. | See Configuring response rules.
8 | Configure one or more response rule conditions (optional). | See Configuring response rule conditions.
9 | Configure one or more response rule actions (required). | You must define at least one action for a valid response rule (see Configuring response rule actions). The action executes when a policy violation is reported or when a response rule condition is matched.
10 | Add response rules to policies. | You must have policy authoring privileges to add response rules to policies.

Response rule best practices


When implementing response rules, consider the following:
• Response rules are not required for policy execution. In general it is best to implement and fine-tune your policy rules
and exceptions before you implement response rules. Once you achieve the desired policy detection results, you can
then implement and refine response rules.
• Response rules require at least one rule action; a condition is optional. If you do not implement a condition, the action
always executes when an incident is reported. If you configure more than one response rule condition, all conditions
must match for the response rule action to trigger.
About response rule actions
• Response rule conditions are derived from policy rules. Understand the type of rule and exception conditions that the
policy implements when you configure response rule conditions. The system evaluates the response rule condition
based on how the policy rule counts matches.
• The system displays only the response rule name for policy authors to select when they add response rules to policies.
Be sure to provide a descriptive name that helps policy authors identify the purpose of the response rule.
• You cannot combine an Endpoint Prevent: Notify or Endpoint Prevent: Block response rule action with EDM, IDM, or
DGM detection methods. If you do, the system displays a warning for the policy that it is misconfigured.
• If you combine multiple response rules in a single policy, make sure that you understand the order of precedence
among response rules.
About response rule action execution priority
• Use Smart Response rules only where it is appropriate for human intervention.
About configuring Smart Response rules
• Microsoft SharePoint enables users to upload HTML files that are no larger than 256 MB in size. To ensure that
sensitive files in SharePoint can be encrypted successfully, do not upload files that are 256 MB in size or greater.
• If you configure multiple Server FlexResponse response rule actions for Microsoft SharePoint scan targets, the
response rule actions could be executed in order of response rule action priority.
About response rule action execution priority

Manage response rules


The Manage > Policies > Response Rules screen is the home page for managing response rules, and the starting point
for adding new ones.
About response rules
You must have response rule authoring privileges to manage and add response rules.
About response rule authoring privileges

Table 779: Response Rules screen actions

Action | Description
Add Response Rule | Click Add Response Rule to define a new response rule (see Adding a new response rule).
Modify Response Rule Order | Click Modify Response Rule Order to modify the response rule order of precedence (see Modifying response rule ordering).
Edit an existing response rule | Click the response rule to modify it (see Configuring response rules).
Delete an existing response rule | Click the red X icon next to the far right of the response rule to delete it. You must confirm the operation before deletion occurs (see About removing response rules).
Refresh the list | Click the refresh arrow icon at the upper right of the Response Rules screen to fetch the latest status of the rule.

Table 780: Response Rules screen display

Display column | Description
Order | The Order of precedence when more than one response rule is configured (see Modifying response rule ordering).
Rule | The Name of the response rule (see Configuring response rules).
Actions | The type of Action the response rule can take to respond to an incident (required) (see Configuring response rule actions).
Conditions | The Condition that triggers the response rule (if any) (see Configuring response rule conditions).


Adding a new response rule


Add a new response rule from the Manage > Policies > Response Rules > New Response Rule screen.
About response rules
To add a new response rule
1. Click Add Response Rule at the Manage > Policies > Response Rules screen.
Manage response rules
2. At the New Response Rule screen, select one of the following options:
• Automated Response
The system automatically executes the response action as the server evaluates incidents (default option).
About Automated Response rules
• Smart Response
An authorized user executes the response action from the Incident Snapshot screen in the Enforce Server
administration console.
About Smart Response rules
3. Click Next to configure the response rule.
Configuring response rules


Configuring response rules


You configure response rules at the Manage > Policies > Response Rules > Configure Response Rule screen.
About response rules
To configure a response rule
1. Add a new response rule, or modify an existing one.
Adding a new response rule
Manage response rules
2. Enter a response Rule Name and Description.
3. Optionally, define one or more Conditions to dictate when the response rule executes.
Configuring response rule conditions
If no condition is declared, the response rule action always executes when there is a match (assuming that the
detection rule is set the same).
Skip this step if you selected the Smart Response rule option.
About configuring Smart Response rules
4. Select and configure one or more Actions. You must define at least one action.
Configuring response rule actions
5. Click Save to save the response rule definition.
Manage response rules


About configuring Smart Response rules


When implementing Smart Response rules, consider the following:
• Smart Response rules are best suited for the incidents that warrant user review to determine if any response action is
required.
If you do not want user involvement in triggering a response rule action, use Automated Response rules instead.
• You cannot configure any triggering conditions with Smart Response rules.
Authorized users decide when a detection incident warrants a response.
• You are limited in the actions you can take with Smart Response rules (note, log, email, status).
If you need to block or modify an action, use Automated Response rules.
About Smart Response rules

Configuring response rule conditions


You can add one or more conditions to a response rule. An incident must meet all response rule conditions before the
system executes any response rule actions.
About response rule conditions
To configure a response rule condition
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Click Add Condition to add a new condition.
Conditions are optional and based on detection rule matches. Each type of response rule condition performs a
different function.
About response rule conditions
3. Choose the condition type from the Conditions list.
For example, select the condition Incident Match Count and Is Greater Than and enter 15 in the textbox. This
condition triggers the response rule action after 15 policy violation matches.
4. To add another condition, click Add Condition and repeat the process.
If all conditions do not match, no action is taken.
5. Click Save to save the condition.
Click Cancel to not save the condition and return to the previous screen.
Click the red X icon beside the condition to delete it from the response rule.
Manage response rules


Configuring Response Rule Actions


Configure at least one action for the response rule to be valid. You can configure multiple response rule actions. Each
action is evaluated independently.

Follow these steps to define a response rule action:


1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Choose an action type from the Actions list and click Add Action.
For example, add the All: Add Note action to the response rule. This action lets the remediator annotate the incident.
3. Configure the action type by specifying the expected parameters for the chosen action type.
Configure a response rule action
4. Repeat these steps for each action that you want to add.
If you add more actions, consider the execution order and possible modification of similar types.
Modifying response rule ordering
5. Click Save to save the response rule.
Manage response rules

Table 781: Configure a response rule action

Incident type | Response rule | Description
All | Add Note | Configuring the Add Note action
All | Limit Incident Data Retention | Configuring the Limit Incident Data Retention action
All | Log to a Syslog Server | Configuring the Log to a Syslog Server action
All | Send Email Notification | Configuring the Send Email Notification action
All | Server FlexResponse | Configuring the Server FlexResponse action
All | Set Attribute | Configuring the Set Attribute action
All | Set Status | Configuring the Set Status action
Applications: Data-at-Rest (DAR) | Break Links in Data-at-Rest | Configuring the Remove Shared Links in Data-at-Rest action
Applications: Data-at-Rest (DAR) | Custom Action on Data-at-Rest | Configuring the Custom Action on Data-at-Rest action
Applications: Data-at-Rest (DAR) | Delete Data-at-Rest | Configuring the Delete Data-at-Rest action
Applications: Data-at-Rest (DAR) | Encrypt Data-at-Rest | Configuring the Encrypt Data-at-Rest action
Applications: Data-at-Rest (DAR) | Perform DRM on Data-at-Rest | Configuring the Perform DRM on Data-at-Rest action
Applications: Data-at-Rest (DAR) | Quarantine Data-at-Rest | Configuring the Quarantine Data-at-Rest action
Applications: Data-at-Rest (DAR) | Tag Data-at-Rest | Configuring the Tag Data-at-Rest action
Applications: Data-in-Motion (DIM) | Add two-factor authentication | Configuring the Add two-factor authentication action
Applications: Data-in-Motion (DIM) | Block Data-in-Motion | Configuring the Block Data-in-Motion action
Applications: Data-in-Motion (DIM) | Custom Action on Data-in-Motion | Configuring the Custom Action on Data-in-Motion action
Applications: Data-in-Motion (DIM) | Encrypt Data-in-Motion | Configuring the Encrypt Data-in-Motion action
Applications: Data-in-Motion (DIM) | Perform DRM on Data-in-Motion | Configuring the Perform DRM on Data-in-Motion action
Applications: Data-in-Motion (DIM) | Quarantine Data-in-Motion | Configuring the Quarantine Data-in-Motion action
Applications: Data-in-Motion (DIM) | Redact Data-in-Motion | Configuring the Redact Data-in-Motion action
Applications: Data-at-Rest (DAR) | Prevent download, copy, print | Configuring the Prevent download, copy, print action
Applications: Data-at-Rest (DAR) | Remove Collaborator Access | Configuring the Remove Collaborator Access action
Applications: Data-at-Rest (DAR) | Set Collaborator Access to 'Edit' | Configuring the Set Collaborator Access to 'Edit' action
Applications: Data-at-Rest (DAR) | Set Collaborator Access to 'Preview' | Configuring the Set Collaborator Access to 'Preview' action
Applications: Data-at-Rest (DAR) | Set Collaborator Access to 'Read' | Configuring the Set Collaborator Access to 'Read' action
Applications: Data-at-Rest (DAR) | Set File Access to 'All Read' | Configuring the Set File Access to 'All Read' action
Applications: Data-at-Rest (DAR) | Set File Access to 'Internal Edit' | Configuring the Set File Access to 'Internal Edit'
Applications: Data-at-Rest (DAR) | Set File Access to 'Internal Read' | Configuring the Set File Access to 'Internal Read' action
Endpoint | FlexResponse | Configuring the Endpoint: FlexResponse action
Endpoint | MIP Classification | Configuring the Endpoint: MIP Classification action
Endpoint Discover | Information Centric Defense |
Endpoint Discover | Quarantine File | Configuring the Endpoint Discover: Quarantine File action
Endpoint Prevent | Block | Configuring the Endpoint Prevent: Block action
Endpoint Prevent | Encrypt | Configuring the Endpoint Prevent: Encrypt action
Endpoint Prevent | Notify | Configuring the Endpoint Prevent: Notify action
Endpoint Prevent | User Cancel | Configuring the Endpoint Prevent: User Cancel action
Network Prevent for Web | Block FTP Request | Configuring the Network Prevent for Web: Block FTP Request action
Network Prevent for Web | Block HTTP/S | Configuring the Network Prevent for Web: Block HTTP/S action
Network Prevent for Email | Block SMTP Message | Configuring the Network Prevent: Block SMTP Message action
Network Prevent for Email | Modify SMTP Message | Configuring the Network Prevent: Modify SMTP Message action
Network Prevent for Web | Remove HTTP/S Content | Configuring the Network Prevent for Web: Remove HTTP/S Content action
Network Protect | Copy File | Configuring the Network Protect: Copy File action
Network Protect | Quarantine File | Configuring the Network Protect: Quarantine File action


Modifying response rule ordering


You cannot change the system-defined execution priority for different types of response rule actions. But, you can modify
the order of execution for response rule actions of the same type with conflicting instructions.
About response rule action execution priority
For example, consider a scenario where you include two response rules in a policy. Each response rule implements
a Limit Incident Data Retention action. One action discards all attachments and the other action discards only those
attachments that are not violations. In this case, when the policy is violated, the detection server looks to the response
rule order priority to determine which action takes precedence. This type of ordering is configurable.
To modify response rule action ordering
1. Navigate to the Manage > Policies > Response Rules screen.
Manage response rules
2. Note the Order column and number beside each configured response rule.
By default the system sorts the list of response rules by the Order column in descending order from highest priority (1)
to lowest. Initially the system orders the response rules in the order they are created. You can modify this order.
3. To enable modification mode, click Modify Response Rule Order.
The Order column now displays a drop-down menu for each response rule.
4. To modify the ordering, for each response rule you want to reorder, select the desired order priority from the drop-down
menu.
For example, for a response rule with order priority of 2, you can modify it to be 1 (highest priority).
Modifying an order number moves that response rule to its modified position in the list and updates all other response
rules.
5. Click Save to save the modifications to the response rule ordering.
6. Repeat these steps as necessary to achieve the desired results.
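The two ordering rules described in this procedure and under About response rule action execution priority (the fixed priority among action types from Table 777, and the configurable Order among response rules that carry the same action type) can be modelled in a few lines. This is an added example, not Symantec's code: SYSTEM_PRIORITY is transcribed from the non-cloud rows of Table 777, reorder() follows the renumbering behaviour of step 4, and the rule names, Order values and action parameters are constructed.

```python
"""Model of response rule action ordering (added example; not Symantec's code).

SYSTEM_PRIORITY is transcribed from the non-cloud rows of Table 777, highest
first. Within one action type a response rule with a smaller Order number
(1 = highest) takes precedence, and moving a rule renumbers the others, as
described under "Modifying response rule ordering". Rule names, Order values
and action parameters below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SYSTEM_PRIORITY: List[str] = [
    "Endpoint Prevent: Block",
    "Endpoint Prevent: User Cancel",
    "Endpoint: FlexResponse",
    "Endpoint Prevent: Notify",
    "Endpoint Discover: Quarantine File",
    "All: Limit Incident Data Retention",
    "Network Prevent: Block SMTP Message",
    "Network Prevent: Modify SMTP Message",
    "Network Prevent for Web: Remove HTTP/HTTPS Content",
    "Network Prevent for Web: Block HTTP/HTTPS",
    "Network Prevent for Web: Block FTP Request",
    "Network Protect: Copy File",
    "Network Protect: Quarantine File",
    "All: Set Status",
    "All: Set Attribute",
    "All: Add Note",
    "All: Log to a Syslog Server",
    "All: Send Email Notification",
    "Server FlexResponse",
]
RANK: Dict[str, int] = {name: i for i, name in enumerate(SYSTEM_PRIORITY)}


@dataclass
class ResponseRule:
    name: str
    order: int                                             # Order column, 1 = highest
    actions: Dict[str, str] = field(default_factory=dict)  # action type -> parameters


def execution_sequence(rules: List[ResponseRule]) -> List[Tuple[str, str, str]]:
    """Return (action type, rule name, parameters) in execution order:
    system-defined type priority first, then the configurable Order among
    rules that carry the same action type."""
    scheduled = []
    for rule in rules:
        for action_type, params in rule.actions.items():
            if action_type not in RANK:
                raise ValueError(f"unknown action type: {action_type}")
            scheduled.append((RANK[action_type], rule.order, action_type, rule.name, params))
    scheduled.sort()
    return [(a, n, p) for _, _, a, n, p in scheduled]


def precedence_within_type(rules: List[ResponseRule], action_type: str) -> ResponseRule:
    """Among rules carrying the same action type with conflicting instructions,
    the rule with the smallest Order number takes precedence."""
    candidates = [r for r in rules if action_type in r.actions]
    if not candidates:
        raise LookupError(f"no rule carries {action_type}")
    return min(candidates, key=lambda r: r.order)


def reorder(rules: List[ResponseRule], name: str, new_order: int) -> List[ResponseRule]:
    """Step 4 of the procedure: give one rule a new Order value and renumber
    every other rule so the Order values stay 1..N with no gaps."""
    if not 1 <= new_order <= len(rules):
        raise ValueError("new_order must lie within 1..len(rules)")
    by_order = sorted(rules, key=lambda r: r.order)
    moved = next(r for r in by_order if r.name == name)
    by_order.remove(moved)
    by_order.insert(new_order - 1, moved)
    for position, rule in enumerate(by_order, start=1):
        rule.order = position
    return by_order


# Constructed sample: the page's scenario of two Limit Incident Data Retention
# actions with conflicting instructions, plus an endpoint Block and Notify.
SAMPLE_RULES = [
    ResponseRule("Keep violating attachments", 1,
                 {"All: Limit Incident Data Retention": "discard non-violating attachments",
                  "All: Add Note": "retention applied"}),
    ResponseRule("Discard everything", 2,
                 {"All: Limit Incident Data Retention": "discard all attachments"}),
    ResponseRule("Endpoint block", 3,
                 {"Endpoint Prevent: Block": "", "Endpoint Prevent: Notify": "Policy violation"}),
]

if __name__ == "__main__":
    for action_type, rule_name, params in execution_sequence(SAMPLE_RULES):
        print(f"{action_type:40} <- {rule_name} ({params})")
    print("retention action that takes precedence:",
          precedence_within_type(SAMPLE_RULES, "All: Limit Incident Data Retention").name)
    reorder(SAMPLE_RULES, "Discard everything", 1)   # move it to the top (highest priority)
    print("after reordering:",
          precedence_within_type(SAMPLE_RULES, "All: Limit Incident Data Retention").name)
```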


About removing response rules


You can delete response rules at the Manage > Policies > Response Rules screen.
Manage response rules
When deleting a response rule, consider the following:
• A user must have response rule authoring privileges to delete an existing response rule.
• A response rule author cannot delete an existing response rule while another user modifies it.
• A response rule author cannot delete a response rule if a policy declares that response rule. In this case you must
remove the response rule from all policies that declare the response rule before you can delete it.

Configuring the Endpoint Location response condition


The Endpoint Location condition triggers response rule action based on the connection status of the DLP Agent when an
endpoint policy is violated.
About response rule conditions
NOTE
This condition is specific to endpoint incidents. You should not implement this condition for Network or Discover
incidents. If you do, the response rule action does not execute.
To configure the Endpoint Location condition
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Select the Endpoint Location condition from the Conditions list.
Configuring response rule conditions
3. Select the endpoint location requirements to trigger actions.
Endpoint Location condition parameters

Table 782: Endpoint Location condition parameters

Qualifier | Condition | Description
Is Any Of | Off the corporate network | This combination triggers a response rule action if an incident occurs when the endpoint is off the corporate network.
Is None Of | Off the corporate network | This combination does not trigger a response rule action if an incident occurs when the endpoint is off the corporate network.
Is Any Of | On the corporate network | This combination triggers a response rule action if an incident occurs when the endpoint is on the corporate network.
Is None Of | On the corporate network | This combination does not trigger a response rule action if an incident occurs when the endpoint is on the corporate network.


Configuring the Endpoint Device response condition


The Endpoint Device condition triggers response rule action when an incident is detected from one or more configured
endpoint devices.
About response rule conditions
You configure endpoint devices at the System > Agents > Endpoint Devices screen.
NOTE
This condition is specific to endpoint incidents. You should not implement this condition for Network or Discover
incidents. If you do, the response rule action does not execute.
To configure the Endpoint Device response condition
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Select the Endpoint Device condition from the Conditions list.
Configuring response rule conditions
3. Select to detect or except specific endpoint devices.
Endpoint Device condition parameters

Table 783: Endpoint Device condition parameters

Qualifier | Condition | Description
Is Any Of | Configured device | Triggers a response rule action when an incident is detected on a configured endpoint device.
Is None Of | Configured device | Does not trigger (excludes from executing) a response rule action when an incident is detected on a configured endpoint device.


Configuring the Incident Type response condition


The Incident Type condition triggers a response rule action based on the type of detection server that reports the incident.
About response rule conditions
To configure the Incident Type condition
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Choose the Incident Type condition from the Conditions list.
Configuring response rule conditions
3. Select one or more incident types.
Use the Ctrl key to select multiple types.
Incident Type condition parameters

Table 784: Incident Type condition parameters

Parameter | Server | Description
Is Any Of | Cloud Detection Service or API Detection for Developer Apps Appliance | Triggers a response rule action for any incident detected by the Cloud Detection Service or API Detection for Developer Apps Appliance.
Is None Of | Cloud Detection Service or API Detection for Developer Apps Appliance | Does not trigger a response rule action for any incident detected by the Cloud Detection Service or API Detection for Developer Apps Appliance.
Is Any Of | Discover | Triggers a response rule action for any incident that Network Discover detects.
Is None Of | Discover | Does not trigger a response rule action for any incident that Network Discover detects.
Is Any Of | Endpoint | Triggers a response rule action for any incident that Endpoint Prevent detects.
Is None Of | Endpoint | Does not trigger a response rule action for any incident that Endpoint Prevent detects.
Is Any Of | Network | Triggers a response rule action for any incident that Network Prevent detects.
Is None Of | Network | Does not trigger a response rule action for any incident that Network Prevent detects.


Configuring the Incident Match Count response condition


The Incident Match Count condition triggers a response rule action based on the number of policy violations reported.
About response rule conditions
To configure the Incident Match Count condition
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Choose the Incident Match Count condition from the Conditions list.
Configuring response rule conditions
3. In the text field, enter a numeric value that indicates the threshold above which you want the response rule to trigger.
For example, if you enter 15 the response rule triggers after 15 policy violations have been detected.
Incident Match Count condition parameters

Table 785: Incident Match Count condition parameters

Parameter | Input | Description
Is Greater Than | User-specified number | Triggers a response rule action if the number of incidents exceeds the threshold.
Is Greater Than or Equals | User-specified number | Triggers a response rule action if the number of incidents meets or exceeds the threshold.
Is Between | User-specified pair of numbers | Triggers a response rule action when the number of incidents is between the two numbers specified.
Is Less Than | User-specified number | Triggers a response rule action if the number of incidents is less than the specified number.
Is Less Than or Equals | User-specified number | Triggers a response rule action when the number of incidents is equal to or less than the specified number.


Configuring the Protocol or Endpoint Monitoring response condition


The Protocol or Endpoint Monitoring condition triggers action based on the protocol or the endpoint destination, device, or
application where the policy violation occurred.
About response rule conditions
To configure the Protocol or Endpoint Monitoring condition
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Choose the Protocol or Endpoint Monitoring condition from the Conditions list.
Configuring response rule conditions
3. Use the Ctrl key to select multiple conditions. Use the Shift key to select a range.
Protocol or Endpoint Destination condition parameters
The system lists any additional network protocols that you configure at the System > Settings > Protocols screen.

Table 786: Protocol or Endpoint Destination condition parameters

Qualifier | Condition | Description
Is Any Of | Endpoint Application File Access | Triggers an action if an endpoint application file has been accessed.
Is None Of | Endpoint Application File Access | Does not trigger action if an endpoint application file has been accessed.
Is Any Of | Endpoint CD/DVD | Triggers an action if an endpoint CD/DVD has been written to.
Is None Of | Endpoint CD/DVD | Does not trigger action if an endpoint CD/DVD has been written to.
Is Any Of | Endpoint Clipboard | Triggers an action if the endpoint clipboard has been copied or pasted to.
Is None Of | Endpoint Clipboard | Does not trigger action if the endpoint clipboard has been copied or pasted to.
Is Any Of | Endpoint Copy to Network Share | Triggers an action if sensitive information is copied to or from a network share.
Is None Of | Endpoint Copy to Network Share | Does not trigger action if sensitive information is copied to or from a network share.
Is Any Of | Endpoint Local Drive | Triggers an action if sensitive files are discovered on the local drive.
Is None Of | Endpoint Local Drive | Does not trigger action if sensitive files are discovered on the local drive.
Is Any Of | Endpoint Printer/Fax | Triggers an action if an endpoint printer or fax has been sent to.
Is None Of | Endpoint Printer/Fax | Does not trigger action if an endpoint printer or fax has been sent to.
Is Any Of | Endpoint Removable Storage Device | Triggers an action if sensitive data is copied to a removable storage device.
Is None Of | Endpoint Removable Storage Device | Does not trigger action if sensitive data is copied to a removable storage device.
Is Any Of | FTP | Triggers an action if sensitive data is copied through FTP.
Is None Of | FTP | Does not trigger action if sensitive data is copied through FTP.
Is Any Of | HTTP | Triggers an action if sensitive data is sent through HTTP.
Is None Of | HTTP | Does not trigger action if sensitive data is sent through HTTP.
Is Any Of | HTTPS | Triggers an action if sensitive data is sent through HTTPS.
Is None Of | HTTPS | Does not trigger action if sensitive data is sent through HTTPS.
Is Any Of | NNTP | Triggers an action if sensitive data is sent through NNTP.
Is None Of | NNTP | Does not trigger action if sensitive data is sent through NNTP.
Is Any Of | SMTP | Triggers an action if sensitive data is sent through SMTP.
Is None Of | SMTP | Does not trigger action if sensitive data is sent through SMTP.


Configuring the Severity response condition


The Severity condition triggers a response rule action based on the severity of the policy rule violation.
About response rule conditions
To configure the Severity condition
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Select the Severity condition from the Conditions list.
Configuring response rule conditions
3. Select one or more severity levels.
Use the Ctrl key to select multiple levels. Use the Shift key to select a range.
Severity condition parameters

Table 787: Severity condition parameters

Parameter | Severity | Description
Is Any Of | High | Triggers a response rule action when a detection rule with severity set to high is matched.
Is None Of | High | Does not trigger a response rule action when a detection rule with severity set to high is matched.
Is Any Of | Medium | Triggers a response rule action when a detection rule with severity set to medium is matched.
Is None Of | Medium | Does not trigger a response rule action when a detection rule with severity set to medium is matched.
Is Any Of | Low | Triggers a response rule action when a detection rule with severity set to low is matched.
Is None Of | Low | Does not trigger a response rule action when a detection rule with severity set to low is matched.
Is Any Of | Info | Triggers a response rule action when a detection rule with severity set to info is matched.
Is None Of | Info | Does not trigger a response rule action when a detection rule with severity set to info is matched.

Configuring the Add Note action
The Add Note response rule action lets an incident responder enter a note about a particular incident.
The limit for the Add Note field is 4000 bytes.
About response rule actions
The Add Note response rule action is available for all types of detection servers.
Response rule actions for all detection servers
To configure the Add Note action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the All: Add Note action type from the Actions list.
The system displays a Note field. Generally you leave the field blank and allow remediators to add comments when
they evaluate incidents. However, you can add comments at this level of configuration as well.
The limit for the Add Note field is 4000 bytes.
Configuring response rule actions
3. Click Save to save the configuration.
Manage response rules

Configuring the Encrypt Smart Response action


The Encrypt Smart Response action lets you encrypt sensitive files in cloud applications through the Symantec Data Loss
Prevention Cloud Detection Service.
About response rule actions
This response rule is available for Cloud Applications and API appliance detectors.
Response rule actions for Cloud Applications and API appliance detectors
To configure the Encrypt Smart Response action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Encrypt action type from the Actions list.
Configuring response rule actions
3. Click Save to save the configuration.
Manage response rules

Configuring the Limit Incident Data Retention action


The Limit Incident Data Retention response rule action lets you modify the default incident data retention behavior of the
detection server.
About response rule actions

This response rule is available for all types of detection servers except Endpoint Discover. If existing policies use this
response rule, policy violations do not trigger an incident.
Response rule actions for all detection servers
To configure incident data retention
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the action type All: Limit Incident Data Retention from the Actions list.
Configuring response rule actions
3. Choose to retain Endpoint Incident data by selecting this option.
By default, the agent discards the original message and any attachments for endpoint incidents.
Retaining data for endpoint incidents
4. Choose to discard Network Incident data by selecting this option.
By default, the system retains the original message and any attachments for network incidents.
Discarding data for network incidents
5. Click Save to save the response rule configuration.
Manage response rules

Retaining data for endpoint incidents


By default, the system discards original messages (including files and attachments) for endpoint incidents. You can
implement the Limit Incident Data Retention response rule action to override this default behavior and retain original email
attachments for endpoint incidents.
NOTE
Limit Incident Data Retention does not apply to Endpoint Clipboard incidents and is not supported for Endpoint
Discover.
Configuring the Limit Incident Data Retention action
Select All Endpoint Incidents to retain the original file attachment for Endpoint Prevent incidents.
If you combine a server-side detection rule (EDM/IDM/DGM) with a Limit Incident Data Retention response rule action on
the endpoint, consider the network bandwidth implications. When an Endpoint Agent sends content to an Endpoint Server
for analysis, it sends either text or binary data, depending on what the detection rules require. Where possible, DLP Agents
send text to reduce bandwidth use. When you retain the original messages for endpoint incidents, the system requires
agents to send binary data to the Endpoint Server in every case. Make sure that your network can handle the increased
traffic between Endpoint Agents and Endpoint Servers without degrading performance.

Consider also the behavior of policies that combine an agent-side detection rule (any DCM rule, such as a keyword rule)
with the Limit Incident Data Retention response rule action. For such policies, the increase in bandwidth use depends on
the number of incidents the detection engine matches: the DLP Agent does not send all original files to the Endpoint
Server, only those associated with confirmed incidents. If there are few incidents, the effect is small.

Discarding data for network incidents
For network incidents, by default the detection server retains the original message and any attachments that trigger an
incident.
You can implement the Limit Incident Data Retention response rule action to override the default behavior and discard
original messages and some or all attachments.
Configuring the Limit Incident Data Retention action
NOTE
The default data retention behavior for network incidents applies to Network Prevent for Web and Network
Prevent for Email incidents. The default behavior does not apply to Network Discover incidents. For Network
Discover incidents, the system provides a link in the Incident Snapshot that points to the offending file at its
original location. Incident data retention for Network Discover is not configurable.

Table 788: Discarding data from network incidents

Parameter                  Description

Discard Original Message   Check this option to discard the original message. Use this configuration to save disk space when you are only interested in statistical data.
Discard Attachment         Select All to discard all message attachments.
                           Select Attachments with no Violations to save only relevant message attachments, that is, those that trigger a policy violation.
                           Note: You must select something other than None for this option. If you leave None selected and do not check Discard Original Message, the action has no effect; such a configuration duplicates the default incident data retention behavior for network servers.

Configuring the Log to a Syslog Server action


The Log to a Syslog Server response rule action logs the incident to a syslog server. These logs can be useful if you use a
security information and events management (SIEM) system.
About response rule actions
This response rule action is available for all types of detection servers.
Response rule actions for all detection servers
NOTE
You use this response rule in conjunction with a syslog server.
To configure the Log to a Syslog Server response rule action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Log to a Syslog Server action type from the Actions list.
Configuring response rule actions
3. Enter the Host name of the syslog server.
4. Edit the Port for the syslog server, if necessary.
The default port is 514.

5. Select a communication protocol.
You can select UDP or TCP. If you select TCP, you can secure communications to the syslog server by selecting
Enable TLS Client Authentication.
6. Enter the text of the Message to log on the syslog server.
You can include response action variables in your syslog server messages.

7. Select the Level to apply to the log message from the drop-down list. The values are the standard syslog severity
codes (0 is the most severe):
• 0 - Kernel panic (syslog Emergency)
• 1 - Needs immediate attention (Alert)
• 2 - Critical condition (Critical)
• 3 - Error
• 4 - Warning
• 5 - May need attention (Notice)
• 6 - Informational
• 7 - Debugging (Debug)
8. Save the response rule.
Manage response rules
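The following Python script is an added example, not code from this page or from Symantec. It builds the kind of line a Log to a Syslog Server action produces for a constructed sample incident, using the $VARIABLE$ form the page shows, encodes the selected Level into the syslog PRI field, and parses the line back the way a SIEM collector would. Enforce's exact wire format and facility are not documented here, so the RFC 3164 layout and the 'user' facility are assumptions, as are the sample incident values and the host name.

```python
"""Added example (not Symantec code): the line a 'Log to a Syslog Server'
action produces, and how a SIEM collector parses it back.

Assumptions (not stated on the page): the incident values are constructed
sample data; Enforce's exact wire format and facility are not documented here,
so this uses the RFC 3164 layout "<PRI>TIMESTAMP HOST TAG: MSG" with the
'user' facility (1). The Level drop-down values 0..7 are the standard syslog
severity codes, so PRI = facility * 8 + level.
"""
import re
import socket
from datetime import datetime

# Level drop-down values (0-7) and the matching syslog severity keywords.
SEVERITY_NAMES = {
    0: "emerg", 1: "alert", 2: "crit", 3: "err",
    4: "warning", 5: "notice", 6: "info", 7: "debug",
}
FACILITY_USER = 1          # assumption: the page does not expose a facility setting
MAX_RFC3164_BYTES = 1024   # RFC 3164 receivers may truncate UDP packets above this

# Constructed sample incident; keys match the $VARIABLE$ names used on the page.
SAMPLE_INCIDENT = {
    "POLICY": "PCI-DSS",
    "RULES": "Credit Card Numbers, Keyword: CVV",
    "SENDER": "jdoe@example.com",
    "FILE_NAME": "q3-chargebacks.xlsx",
}

_VAR = re.compile(r"\$([A-Z_]+)\$")


def expand_variables(template: str, incident: dict) -> str:
    """Replace $NAME$ placeholders with incident values; unknown names stay as written."""
    return _VAR.sub(lambda m: str(incident.get(m.group(1), m.group(0))), template)


def priority(facility: int, level: int) -> int:
    """Syslog PRI value: facility * 8 + severity (level 0 = most severe)."""
    if not 0 <= level <= 7:
        raise ValueError(f"level must be 0-7, got {level}")
    return facility * 8 + level


def build_message(level: int, template: str, incident: dict, host: str = "enforce01",
                  tag: str = "DLP", facility: int = FACILITY_USER, when: datetime = None) -> str:
    """Render one syslog line for an incident; 'when' is fixed by default for reproducibility."""
    when = when or datetime(2023, 9, 13, 10, 15, 0)
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # RFC 3164 style, e.g. 'Sep 13 10:15:00'
    body = expand_variables(template, incident).replace("\n", " ")  # syslog lines are single-line
    return f"<{priority(facility, level)}>{timestamp} {host} {tag}: {body}"


def exceeds_udp_limit(line: str) -> bool:
    """True if the line risks truncation by an RFC 3164 UDP receiver (prefer TCP then)."""
    return len(line.encode("utf-8")) > MAX_RFC3164_BYTES


_LINE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")


def parse_message(line: str) -> dict:
    """Collector side: split PRI back into facility and severity and recover the fields."""
    m = _LINE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    pri = int(m.group(1))
    if pri > 191:                      # 23 facilities * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "severity_name": SEVERITY_NAMES[pri % 8],
        "timestamp": m.group(2),
        "host": m.group(3),
        "tag": m.group(4),
        "msg": m.group(5),
    }


def send(line: str, server: str, port: int = 514, proto: str = "udp") -> int:
    """Deliver one line: UDP as a single datagram, TCP with newline framing. Returns bytes sent."""
    data = (line + "\n").encode("utf-8")
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(data, (server, port))
    with socket.create_connection((server, port), timeout=5) as s:
        s.sendall(data)
        return len(data)


if __name__ == "__main__":
    line = build_message(4, "Policy $POLICY$ violated: $RULES$ (sender $SENDER$)", SAMPLE_INCIDENT)
    print(line)
    print(parse_message(line))
```

Two points worth checking against your own syslog server: the Level you pick ends up as the low three bits of PRI, so a collector that filters on severity sees "4 - Warning" as PRI 12 under the 'user' facility; and an RFC 3164 UDP receiver may silently truncate lines over 1024 bytes, so a Message that expands $RULES$ for a policy with many rules is safer over TCP, which is also the only option that lets you enable TLS client authentication.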

Configuring the Send Email Notification action


The Send Email Notification action enables you to compose an email and send it to recipients you specify.
About response rule actions
This response rule action is available for all types of detection servers.
Response rule actions for all detection servers
You must integrate the Enforce Server with an SMTP email server to implement this response rule action.

To configure the Send Email Notification response rule action


1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the All: Send Email Notification action type from the Actions list.
Configuring response rule actions
3. Configure the recipient(s), sender, format, incident inclusion, and messages per day.
Sender and recipient information
4. Configure the Notification Content of the email notification: language, subject, body.
Notification content
5. Click Save to save the configuration.
Manage response rules

Table 789: Sender and recipient information

Parameter                  Description

To: Sender                 Select this option to send the email notification to the email sender. This recipient only applies to email message violations.
To: Data Owner             Select this option to send the email notification to the data owner that the system identifies by email address in the incident.
To: Other Email Address    This option can include any custom attributes designated as email addresses (such as "manager@email"). For example, if you define a custom attribute that is an email address, or retrieve one via a lookup plug-in, that address appears in the "To" field for selection, to the right of "To: Sender" and "To: Data Owner."
Custom To                  Enter one or more specific email addresses separated by commas.
CC                         Enter one or more specific email addresses, separated by commas, for people you want to copy on the notification.
Custom From                You can specify the sender of the message. If this field is blank, the message appears to come from the system email address.
Notification Format        Select either HTML or plain-text format.
Include Original Message   Select this option to include the message that generated the incident with the notification email.
Max Per Day                Enter a number to restrict the maximum number of notifications that the system sends in a day.

Table 790: Notification content

Parameter          Description

Language           Select the language for the message from the drop-down menu.
Add Language       Click the icon to add multiple languages for the message.
Subject            Enter a subject for the message that indicates what the message is about.
Body               Enter the body of the message.
Insert Variables   You can add one or more variables to the subject or body of the email message by selecting the desired values from the Insert Variables list. Variables can be used to include the file name, policy name, recipients, and sender in both the subject and the body of the email message. For example, to include the policy and rules violated, you would insert the following variables:
                   A message has violated the following rules in $POLICY$: $RULES$

Configuring the Server FlexResponse action


The All: Server FlexResponse action enables you to remediate any incident type using a custom, server-side
FlexResponse plug-in. You can configure a Server FlexResponse response action for either automated response rules or
smart response rules.
The All: Server FlexResponse action is available only if you have deployed one or more Server FlexResponse plug-ins to
Symantec Data Loss Prevention.

Deploying a Server FlexResponse plug-in
1. Log on to the Enforce Server administration console.
2. Create a new Response Rule for each custom Server FlexResponse plug-in.
Click Manage > Policies > Response Rules.
3. Click Add Response Rule.
4. Select either Automated Response or Smart Response. Click Next.
5. Enter a name for the rule in the Rule Name field. (For Smart Response rules, this name appears as the label on the
button that incident responders select during remediation.)
6. Enter an optional description for the rule in the Description field.
7. In the Actions (executed in the order shown) menu, select the action All: Server FlexResponse.
8. Click Add Action.
9. In the FlexResponse Plugin menu, select a deployed Server FlexResponse plug-in to execute with this Response
Rule action.
The name that appears in this drop-down menu is the value specified in the display-name property from either the
configuration properties file or the plug-in metadata class.
10. Click Save.
11. Repeat this procedure, adding a Response Rule for any additional Server FlexResponse plug-ins that you have
deployed.

Configuring the Set Attribute action


The Set Attribute response rule action sets a custom attribute of the incident to the value you specify.
About response rule actions
This response rule action is available for all detection servers.
Response rule actions for all detection servers
The Set Attribute action is based on custom attributes you define at the System > Incident Data > Attributes screen.

To configure the Set Attribute action


1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the All: Set Attribute action type from the Actions list.
Configuring response rule actions
3. Select the Attribute from the drop-down list (if more than one custom attribute is defined).
4. Enter the Value to assign to the selected custom attribute.
5. Click Save to save the configuration.
Manage response rules

Configuring the Set Status action
The Set Status response rule action sets the incident status to the specified value.
About response rule actions
This response rule is available for all detection servers.
Response rule actions for all detection servers
This response rule action is based on the incident Status Values you configure at the System > Incident Data >
Attributes screen.

To configure the Set Status response rule action


1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the All: Set Status action type from the Actions list.
Configuring response rule actions
3. Select the Status to assign to the incident from the list.
• New
• Escalated
• Investigation
• Resolved
• Dismissed
4. Click Save to save the configuration.
Manage response rules

Configuring the Quarantine Smart Response action


The Quarantine Smart Response action quarantines files in the Salesforce, Box, and OneDrive cloud applications
through the Cloud Detection Service. The quarantine path is relative to the user's root folder.
To configure the Quarantine Smart Response action
1. Configure a Smart Response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Quarantine action type from the Actions list.
The system displays the Quarantine field.
Configuring response rule actions
3. Configure the Quarantine parameters.
Quarantine (Smart Response) configuration parameters
4. Click Save to save the configuration.
Manage response rules

Table 791: Quarantine (Smart Response) configuration parameters

Parameter         Description

File Path         Enter the file path for the quarantine location. This file path is relative to the user's root folder.
Use Marker File   Select Use Marker File to create a marker text file to replace the original file. This action notifies the user what happened to the file instead of quarantining or deleting the file without any explanation.

Configuring the Network Protect: SharePoint Quarantine smart response action
The SharePoint Quarantine smart response action quarantines files that are stored in Microsoft SharePoint repositories.
You can quarantine files to either a SharePoint repository or to a file share (File System) location.
NOTE
Upon quarantine, file metadata is not saved for attachment-type SharePoint items such as lists, announcements,
tasks, and so on.
To configure the SharePoint Quarantine smart response action
1. Configure a Smart Response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Network Protect SharePoint Quarantine action type from the Actions list.
The system displays the Network Protect SharePoint Quarantine field.
Configuring response rule actions
3. Configure the Network Protect SharePoint Quarantine parameters.
Network Protect SharePoint Quarantine parameters
4. Click Save to save the configuration.
Manage response rules

Table 792: Network Protect SharePoint Quarantine parameters

Parameter               Description

Source

Use Saved Credentials   Select Use Saved Credentials to choose a named credential from the credential store in the Use Saved Credentials drop-down menu if you do not want to enter it manually.
                        To move the files for quarantine during remediation, the specified SharePoint user account must have write access for the original file location.
Use These Credentials   Select Use These Credentials to manually enter the write-access credential for the original location of the scanned file. Then enter the following parameters:
                        • Name - The user name of the account with write access for the location of the scanned file.
                        • Password - The password of the account with write access for the location of the scanned file.
                        • Confirm Password - Confirm the password of the account with write access for the location of the scanned file.
                        To move the files for quarantine during remediation, the specified SharePoint user account must have write access for the original file location.

Destination

Target Repository       Specify whether the files are to be quarantined in a SharePoint repository or in a file share (File System).
Quarantine Path         Enter the SharePoint path where the confidential files are to be quarantined.
Use Saved Credentials   Select Use Saved Credentials to choose a named credential for the quarantine location from the credential store in the Use Saved Credentials drop-down menu if you do not want to enter it manually.
                        To move the files for quarantine during remediation, the specified SharePoint user account must have write access for the quarantine location.
Use These Credentials   Select Use These Credentials to manually enter the write-access credential for the quarantine location. Then enter the following parameters:
                        • Name - The user name of the account with write access for the quarantine location.
                        • Password - The password of the account with write access for the quarantine location.
                        • Confirm Password - Confirm the password of the account with write access for the quarantine location.
                        To move the files for quarantine during remediation, the specified SharePoint user account must have write access for the quarantine location.

Marker File

Leave marker file in place of remediated file (Optional)   Select Leave marker file in place of remediated file to create a marker text file to replace the original file. This action notifies the user about what happened to the file instead of moving the file without any explanation.
Marker Text (Optional)  Specify the text that appears in the marker file to notify users about what happened to the file that was quarantined. The marker text can contain substitution variables. Click inside the Marker Text box to see a list of insertion variables.

Configuring the Network Protect: SharePoint Release from Quarantine smart response action
The SharePoint Release from Quarantine smart response action releases files that were quarantined from SharePoint
repositories. When you execute the action, you can release files back to their original location in SharePoint from either
a SharePoint location or a file share location. Marker files that were created when the file was originally quarantined are
not deleted upon release from quarantine.
You can release files that were previously quarantined using the deprecated SharePoint Quarantine FlexResponse Plug-
in. If you have installed the SharePoint solution and a SharePoint file was quarantined using Symantec Data Loss
Prevention 15.1, file metadata is restored when you release the file from quarantine. If the file was quarantined using a
version earlier than 15.1, the file is released without restoring its metadata.
When you attempt to release a quarantined file and a file with the same name already exists at the destination location,
the released file is named using the following format:
FileName.<N>Released.FileExtension, where <N> is a number in the range 1 to 10. Therefore, you can release a file
that shares a name with another file in the destination directory up to ten times before the release fails.
NOTE
Network Protect does not access file metadata for inline attachments during the quarantine process. As a result,
file metadata for inline attachments cannot be restored upon release from quarantine.
To configure the SharePoint Release from Quarantine smart response action
1. Configure a Smart Response rule at the Configure Response Rule screen.
Configuring response rules

2. Add the Network Protect SharePoint Release from Quarantine action type from the Actions list.
The system displays the Network Protect SharePoint Release from Quarantine field.
Configuring response rule actions
3. Configure the Network Protect SharePoint Release from Quarantine parameters.
Network Protect SharePoint Release from Quarantine parameters
4. Click Save to save the configuration.
Manage response rules

Table 793: Network Protect SharePoint Release from Quarantine parameters

Parameter Description

Add Row Click Add Row to start mapping a new file path. The file path could be either the location to which files are
quarantined, or the original SharePoint location to which files should be released.
Path Specify the location to which files are quarantined, or the original SharePoint location to which files should be
released.
Credentials Specify the write-access credentials for the file path that you want to map.
Delete Delete the corresponding file path.
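As an added example (not the page's or Symantec's code), the following Python reproduces the naming rule described above for releasing a file whose name is already taken at the destination, and its failure mode: the released copy gets FileName.<N>Released.FileExtension, and the eleventh release of the same name fails. The destination folder is a constructed in-memory set of names; choosing the lowest free <N> is an assumption, since the page states only the range.

```python
"""Added example (not Symantec code): the name-collision rule the page gives for
SharePoint Release from Quarantine, FileName.<N>Released.FileExtension with <N>
in 1..10, and the failure once all ten names are taken.

Assumptions: the destination folder is a constructed in-memory set of names;
that the lowest free <N> is used is an assumption, the page states only the range.
"""
import os

MAX_RELEASE_SLOTS = 10


def release_name(original: str, existing: set) -> str:
    """Name to release 'original' under, given the names already at the destination."""
    if original not in existing:
        return original
    stem, ext = os.path.splitext(original)          # 'report.docx' -> ('report', '.docx')
    for n in range(1, MAX_RELEASE_SLOTS + 1):
        candidate = f"{stem}.{n}Released{ext}"
        if candidate not in existing:
            return candidate
    raise FileExistsError(
        f"{original}: all {MAX_RELEASE_SLOTS} 'Released' names exist; release fails")


def release(original: str, destination: set) -> str:
    """Release one copy into 'destination' and return the name it was written under.
    Marker files left at quarantine time are untouched, as the page describes."""
    name = release_name(original, destination)
    destination.add(name)
    return name


def simulate_releases(original: str, destination: set, count: int) -> list:
    """Release the same file 'count' times; raises FileExistsError once the slots run out."""
    return [release(original, destination) for _ in range(count)]


if __name__ == "__main__":
    folder = {"report.docx"}  # constructed: the original name is already at the destination
    print(simulate_releases("report.docx", folder, 10))
    try:
        release("report.docx", folder)
    except FileExistsError as err:
        print(err)
```

The practical consequence for remediation is that repeated quarantine-and-release cycles on the same document accumulate "<N>Released" copies at the original location; once ten exist, the release fails until a responder cleans them up, and the marker file from the original quarantine is still in place alongside them.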

Configuring the Remove Collaborator Access Smart Response action


The Remove Collaborator Access Smart Response action removes collaborator access from shared files in cloud
applications through the Cloud Detection Service.
To configure the Remove Collaborator Access Smart Response action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Remove Collaborator Access action type from the Actions list.
Configuring response rule actions
3. Click Save to save the configuration.
Manage response rules

Configuring the Remove Shared Links Smart Response action


The Remove Shared Links Smart Response action removes shared links from files in cloud applications through the
Cloud Detection Service.
To configure the Remove Shared Links Smart Response action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Remove Shared Links action type from the Actions list.
Configuring response rule actions

3. Click Save to save the configuration.
Manage response rules

Configuring the Restore File Smart Response action


The Restore File Smart Response action restores a quarantined file in the Salesforce, Box, and OneDrive cloud
applications through the Cloud Detection Service.
To configure the Restore File Smart Response action
1. Configure a Smart Response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Restore File action type from the Actions list.
The system displays the Restore File field.
3. Click Save to save the configuration.
Manage response rules

Configuring the Remove Shared Links in Data-at-Rest action


The Remove Shared Links in Data-at-Rest action breaks links to sensitive data in the following cloud applications
through the Cloud Detection Service:
• Box
• Dropbox
• Google Drive
• OneDrive
• Salesforce
You can configure a custom payload with additional details about this recommendation. The custom payload appears in
the customResponsePayload parameter of the detection response.
To configure the Remove Shared Links in Data-at-Rest action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Remove Shared Links in Data-at-Rest action type from the Actions list.
The system displays the Remove Shared Links in Data-at-Rest field.
Configuring response rule actions
3. Configure the Remove Shared Links in Data-at-Rest parameter.
Remove Shared Links in Data-at-Rest configuration parameter
4. Click Save to save the configuration.
Manage response rules

Table 794: Remove Shared Links in Data-at-Rest configuration parameter

Parameter        Description

Custom payload   Enter details about the Remove Shared Links in Data-at-Rest action in the Custom payload field. These details are returned in the customResponsePayload parameter of the detection result.

Configuring the Custom Action on Data-at-Rest action


The Custom Action on Data-at-Rest action returns a recommendation to perform some custom action on the sensitive
data with the detection result.
You can configure a custom payload with additional details about this recommendation. The custom payload appears in
the customResponsePayload parameter of the detection response.
To configure the Custom Action on Data-at-Rest action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Custom Action on Data-at-Rest action type from the Actions list.
The system displays the Custom Action on Data-at-Rest field.
Configuring response rule actions
3. Configure the Custom Action on Data-at-Rest parameter.
Custom Action on Data-at-Rest configuration parameter
4. Click Save to save the configuration.
Manage response rules

Table 795: Custom Action on Data-at-Rest configuration parameter

Parameter        Description

Custom payload   Enter details about the Custom Action on Data-at-Rest action in the Custom payload field. These details are returned in the customResponsePayload parameter of the detection result.

Configuring the Delete Data-at-Rest action


The Delete Data-at-Rest action deletes sensitive data in the following cloud applications through the Cloud Detection
Service:
• Dropbox
• Gmail
• Microsoft Office 365 Email
To configure the Delete Data-at-Rest action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules

2. Add the Delete Data-at-Rest action type from the Actions list.
The system displays the Delete Data-at-Rest field.
Configuring response rule actions
3. Click Save to save the configuration.
Manage response rules

Configuring the Encrypt Data-at-Rest action


The Encrypt Data-at-Rest action encrypts sensitive data in the following applications through the Cloud Detection
Service:
• OneDrive
• SharePoint
You can configure a custom payload with additional details about this recommendation. The custom payload appears in
the customResponsePayload parameter of the detection response.
To configure the Encrypt Data-at-Rest action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Encrypt Data-at-Rest action type from the Actions list.
The system displays the Encrypt Data-at-Rest field.
Configuring response rule actions
3. Configure the parameter.
Encrypt Data-at-Rest configuration parameter
4. Click Save to save the configuration.
Manage response rules

Table 796: Encrypt Data-at-Rest configuration parameter

Parameter        Description

Custom payload   Enter details about the Encrypt Data-at-Rest action in the Custom payload field. These details are returned in the customResponsePayload parameter of the detection result.

Configuring the Perform DRM on Data-at-Rest action


The Perform DRM on Data-at-Rest action applies Digital Rights Management (DRM) to sensitive data in applications
through the Cloud Detection Service or API Detection for Developer Apps Appliance.
You can configure a custom payload with additional details about this recommendation. The custom payload appears in
the customResponsePayload parameter of the detection response.
To configure the Perform DRM on Data-at-Rest action

1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Perform DRM on Data-at-Rest action type from the Actions list.
The system displays the Perform DRM on Data-at-Rest field.
Configuring response rule actions
3. Configure the Perform DRM on Data-at-Rest parameter.
Perform DRM on Data-at-Rest configuration parameter
4. Click Save to save the configuration.
Manage response rules

Table 797: Perform DRM on Data-at-Rest configuration parameter

Parameter        Description

Custom payload   Enter details about the Perform DRM on Data-at-Rest action in the Custom payload field. These details are returned in the customResponsePayload parameter of the detection result.

Configuring the Quarantine Data-at-Rest action


The Quarantine Data-at-Rest action quarantines sensitive data in the following cloud applications through the Cloud
Detection Service:
• Box
• OneDrive
• Salesforce
• SharePoint
• Slack
To configure the Quarantine Data-at-Rest action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Quarantine Data-at-Rest action type from the Actions list.
The system displays the Quarantine Data-at-Rest field.
Configuring response rule actions
3. Configure the Quarantine Data-at-Rest parameter.
Quarantine Data-at-Rest configuration parameter
4. Click Save to save the configuration.
Manage response rules

Table 798: Quarantine Data-at-Rest configuration parameter

Parameter         Description

File Path         Enter the file path for the quarantine location. This file path is relative to the user's root folder.
Use Marker File   Select Use Marker File to create a marker text file to replace the original file. This action notifies the user what happened to the file instead of quarantining or deleting the file without any explanation.
Marker Text       Enter the text you want to display in the marker file. You can select and insert variables from the Insert Variable list.

Configuring the Tag Data-at-Rest action


The Tag Data-at-Rest action tags sensitive data in applications through the Cloud Detection Service or API Detection for
Developer Apps Appliance.
You can configure a custom payload with additional details about this recommendation. The custom payload appears in
the customResponsePayload parameter of the detection response.
To configure the Tag Data-at-Rest action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Tag Data-at-Rest action type from the Actions list.
The system displays the Tag Data-at-Rest field.
Configuring response rule actions
3. Configure the Tag Data-at-Rest parameter.
Tag Data-at-Rest configuration parameter
4. Click Save to save the configuration.
Manage response rules

Table 799: Tag Data-at-Rest configuration parameter

Parameter        Description

Custom payload   Enter details about the Tag Data-at-Rest action in the Custom payload field. These details are returned in the customResponsePayload parameter of the detection result.

Configuring the Prevent download, copy, print action


The Prevent download, copy, print action prevents sensitive data files from being downloaded, copied, or printed from
the Google Drive cloud application through the Cloud Detection Service.
To configure the Prevent download, copy, print action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules

2. Add the Prevent download, copy, print action type from the Actions list.
Configuring response rule actions
3. Click Save to save the configuration.
Manage response rules

Configuring the Remove Collaborator Access action


The Remove Collaborator Access action removes access from collaborators to sensitive data files in the following cloud
applications through the Cloud Detection Service:
• Box
• Dropbox
• Google Drive
• Salesforce
• SharePoint
To configure the Remove Collaborator Access action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Remove Collaborator Access action type from the Actions list.
Configuring response rule actions
3. Click Save to save the configuration.
Manage response rules

Implementing response rules

Configuring the Set Collaborator Access to 'Edit' action


The Set Collaborator Access to 'Edit' action grants collaborators edit access to sensitive data files in the following cloud
applications through the Cloud Detection Service:
• Box
• Dropbox
• Google Drive
• Salesforce
• SharePoint
To configure the Set Collaborator Access to 'Edit' action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Set Collaborator Access to 'Edit' action type from the Actions list.
Configuring response rule actions
3. Click Save to save the configuration.
Manage response rules

Implementing response rules

Configuring the Set Collaborator Access to 'Preview' action


The Set Collaborator Access to 'Preview' action grants collaborators preview access to sensitive data files in the Box
cloud application through the Cloud Detection Service.
To configure the Set Collaborator Access to 'Preview' action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Set Collaborator Access to 'Preview' action type from the Actions list.
Configuring response rule actions
3. Click Save to save the configuration.
Manage response rules

Implementing response rules

Configuring the Set Collaborator Access to 'Read' action


The Set Collaborator Access to 'Read' action grants collaborators read access to sensitive data files in the following
cloud applications through the Cloud Detection Service:
• Box
• Dropbox
• Google Drive
• Salesforce
• SharePoint
To configure the Set Collaborator Access to 'Read' action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Set Collaborator Access to 'Read' action type from the Actions list.
Configuring response rule actions
3. Click Save to save the configuration.
Manage response rules

Implementing response rules

Configuring the Set File Access to 'All Read' action


The Set File Access to 'All Read' action grants public read access to sensitive data files in the following cloud
applications through the Cloud Detection Service:
• Google Drive
• OneDrive
• SharePoint
Unlike the actions that remove or narrow access, this action widens the exposure of a file that has already matched a
policy. Confirm that public read access is the intended outcome before you use it.
To configure the Set File Access to 'All Read' action

1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Set File Access to 'All Read' action type from the Actions list.
Configuring response rule actions
3. Click Save to save the configuration.
Manage response rules

Implementing response rules

Configuring the Set File Access to 'Internal Edit' action


The Set File Access to 'Internal Edit' action grants edit access to all members of your organization to sensitive files in
the following cloud applications through the Cloud Detection Service:
• Box
• Google Drive
• OneDrive
• Salesforce
• SharePoint
To configure the Set File Access to 'Internal Edit' action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Set File Access to 'Internal Edit' action type from the Actions list.
Configuring response rule actions
3. Click Save to save the configuration.
Manage response rules

Implementing response rules

Configuring the Set File Access to 'Internal Read' action


The Set File Access to 'Internal Read' action grants read access to all members of your organization to sensitive data
files in the following cloud applications through the Cloud Detection Service:
• Box
• Google Drive
• Salesforce
• SharePoint
To configure the Set File Access to 'Internal Read' action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Set File Access to 'Internal Read' action type from the Actions list.
Configuring response rule actions

3. Click Save to save the configuration.
Manage response rules

Implementing response rules

Configuring the Add two-factor authentication action


The Add two-factor authentication action adds two-factor authentication to sensitive data files in applications through
the Cloud Detection Service or API Detection for Developer Apps Appliance.
To configure the Add two-factor authentication action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Add two-factor authentication action type from the Actions list.
Configuring response rule actions
3. Click Save to save the configuration.
Manage response rules

Implementing response rules

Configuring the Block Data-in-Motion action


The Block Data-in-Motion action blocks sensitive data in applications through the Cloud Detection Service or API
Detection for Developer Apps Appliance.
NOTE
Large files uploaded to online services such as Dropbox, OneDrive, and Google Drive may be uploaded in
chunks. Symantec Data Loss Prevention cannot seamlessly process file contents that are split across multiple
HTTP messages. If a file is uploaded in chunks, Symantec Web Prevent detects the offending content but
does not block it from upload.
For Dropbox, files over 8 MB are uploaded in chunks. For OneDrive and Google Drive, files over 1 MB are
uploaded in chunks.
You may see different results with different browsers.

You can configure a message for your users to inform them why the sensitive data was blocked. The message appears in
the message parameter of the detection response.
To configure the Block Data-in-Motion action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Block Data-in-Motion action type from the Actions list.
The system displays the Block Data-in-Motion field.
Configuring response rule actions
3. Configure the Block Data-in-Motion parameter.
Block Data-in-Motion configuration parameter

4. Click Save to save the configuration.
Manage response rules

Table 800: Block Data-in-Motion configuration parameter

Parameter: Message
Description: Enter a user-facing message for the Block Data-in-Motion action in the message field. These details are returned in the message parameter of the detection result.

Implementing response rules

Configuring the Custom Action on Data-in-Motion action


The Custom Action on Data-in-Motion action returns a recommendation to take some custom action on the sensitive
data with the detection result.
You can configure a custom payload with additional details about this recommendation. The custom payload appears in
the customResponsePayload parameter of the detection response.
To configure the Custom Action on Data-in-Motion action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Custom Action on Data-in-Motion action type from the Actions list.
The system displays the Custom Action on Data-in-Motion field.
Configuring response rule actions
3. Configure the parameter.
Custom Action on Data-in-Motion configuration parameter
4. Click Save to save the configuration.
Manage response rules

Table 801: Custom Action on Data-in-Motion configuration parameter

Parameter: Custom payload
Description: Enter details about the Custom Action on Data-in-Motion action in the custom payload field. These details are returned in the customResponsePayload parameter of the detection result.

Implementing response rules

Configuring the Encrypt Data-in-Motion action


The Encrypt Data-in-Motion action encrypts sensitive data in the Box cloud application through the Cloud Detection
Service.
You can configure a custom payload with additional details about this recommendation. The custom payload appears in
the customResponsePayload parameter of the detection response.
To configure the Encrypt Data-in-Motion action

1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Encrypt Data-in-Motion action type from the Actions list.
The system displays the Encrypt Data-in-Motion field.
Configuring response rule actions
3. Configure the Encrypt Data-in-Motion parameter.
Encrypt Data-in-Motion configuration parameter
4. Click Save to save the configuration.
Manage response rules

Table 802: Encrypt Data-in-Motion configuration parameter

Parameter: Custom payload
Description: Enter details about the Encrypt Data-in-Motion action in the custom payload field. These details are returned in the customResponsePayload parameter of the detection result.

Implementing response rules

Configuring the Perform DRM on Data-in-Motion action


The Perform DRM on Data-in-Motion action applies Digital Rights Management (DRM) to sensitive data in cloud
applications through the Cloud Detection Service.
You can configure a custom payload with additional details about this recommendation. The custom payload appears in
the customResponsePayload parameter of the detection response.
To configure the Perform DRM on Data-in-Motion action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Perform DRM on Data-in-Motion action type from the Actions list.
The system displays the Perform DRM on Data-in-Motion field.
Configuring response rule actions
3. Configure the Perform DRM on Data-in-Motion parameter.
Perform DRM on Data-in-Motion configuration parameter
4. Click Save to save the configuration.
Manage response rules

Table 803: Perform DRM on Data-in-Motion configuration parameter

Parameter: Custom payload
Description: Enter details about the Perform DRM on Data-in-Motion action in the custom payload field. These details are returned in the customResponsePayload parameter of the detection result.

Implementing response rules

Configuring the Quarantine Data-in-Motion action
The Quarantine Data-in-Motion action quarantines sensitive data in the Salesforce, Box, and OneDrive cloud
applications through the Cloud Detection Service.
You can configure a custom payload with additional details about this recommendation. The custom payload appears in
the customResponsePayload parameter of the detection response.
To configure the Quarantine Data-in-Motion action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Quarantine Data-in-Motion action type from the Actions list.
The system displays the Quarantine Data-in-Motion field.
Configuring response rule actions
3. Configure the Quarantine Data-in-Motion parameter.
Quarantine Data-in-Motion configuration parameter
4. Click Save to save the configuration.
Manage response rules

Table 804: Quarantine Data-in-Motion configuration parameter

Parameter: Custom payload
Description: Enter details about the Quarantine Data-in-Motion action in the custom payload field. These details are returned in the customResponsePayload parameter of the detection result.

Implementing response rules

Configuring the Redact Data-in-Motion action


The Redact Data-in-Motion action redacts sensitive data in applications through the Cloud Detection Service or API
Detection for Developer Apps Appliance.
You can configure a message for your users to inform them why the sensitive data was redacted. The message appears
in the message parameter of the detection response.
To configure the Redact Data-in-Motion action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Redact Data-in-Motion action type from the Actions list.
The system displays the Redact Data-in-Motion field.
Configuring response rule actions
3. Configure the Redact Data-in-Motion parameter.
Redact Data-in-Motion configuration parameter
4. Click Save to save the configuration.
Manage response rules

Table 805: Redact Data-in-Motion configuration parameter

Parameter: Message
Description: Enter a user-facing message for the Redact Data-in-Motion action in the message field. These details are returned in the message parameter of the detection result.
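The Tag Data-at-Rest, Block, Custom Action, Encrypt, DRM, Quarantine and Redact Data-in-Motion actions above all hand their configured text back to the calling application in the detection result, either as the message parameter or as the customResponsePayload parameter. The Python example below is added here and is not code from Symantec Data Loss Prevention or its API Detection for Developer Apps Appliance. It shows how an application consuming such a result can turn it into an enforcement decision. The overall JSON shape, the "responses" and "action" keys and the action identifiers are assumptions made for the example; only the two parameter names come from the page. Two choices matter: the result is treated as data (the custom payload is decoded as JSON if it parses, never evaluated), and the handler fails closed, so an unparseable result denies the transfer instead of allowing it.

```python
import json
from dataclasses import dataclass, field
from typing import Any

# Constructed detection result. Its overall shape is an ASSUMPTION for this
# example: the page says only that the Block and Redact actions return a
# "message" parameter and that the Tag, Custom Action, Encrypt, DRM and
# Quarantine actions return a "customResponsePayload" parameter. The "responses"
# and "action" keys and the action identifiers are invented here.
SAMPLE_DETECTION_RESULT = json.dumps({
    "incidentId": "constructed-0001",
    "responses": [
        {"action": "BLOCK_DATA_IN_MOTION",
         "message": "Blocked: this upload contains payment card numbers."},
        {"action": "TAG_DATA_AT_REST",
         "customResponsePayload": '{"label": "confidential", "ttlDays": 30}'},
        {"action": "CUSTOM_ACTION_ON_DATA_IN_MOTION",
         "customResponsePayload": "notify-owner"},
        {"action": "REDACT_DATA_IN_MOTION",
         "message": "Card numbers were redacted."},
    ],
})

# Presence of any of these means the application must not let the data through.
BLOCKING_ACTIONS = {"BLOCK_DATA_IN_MOTION"}
# Actions whose administrator-written details arrive in customResponsePayload.
PAYLOAD_ACTIONS = {
    "TAG_DATA_AT_REST", "CUSTOM_ACTION_ON_DATA_IN_MOTION",
    "ENCRYPT_DATA_IN_MOTION", "PERFORM_DRM_ON_DATA_IN_MOTION",
    "QUARANTINE_DATA_IN_MOTION",
}


@dataclass
class Decision:
    allow: bool = True                                   # False: block the transfer
    redact: bool = False                                 # True: strip matches first
    messages: list = field(default_factory=list)         # user-facing text to show
    payloads: dict = field(default_factory=dict)         # action -> decoded payload
    unknown_actions: list = field(default_factory=list)  # for logging/alerting


def decode_payload(raw: Any) -> Any:
    """The custom payload is free text typed by an administrator. Treat it as
    data only: decode it as JSON when it parses, otherwise keep the string.
    It is never evaluated, templated into HTML or passed to a shell."""
    if not isinstance(raw, str):
        return raw
    try:
        return json.loads(raw)
    except ValueError:
        return raw


def apply_detection_result(raw_json: str) -> Decision:
    """Turn a detection result into an enforcement decision for the calling app.

    Fails closed: a result that cannot be parsed or lacks the expected structure
    yields allow=False, so a broken detection path never becomes a silent allow."""
    try:
        responses = json.loads(raw_json)["responses"]
        if not isinstance(responses, list):
            raise ValueError("responses is not a list")
    except (ValueError, KeyError, TypeError):
        return Decision(allow=False,
                        messages=["Transfer denied: detection result unavailable."])

    decision = Decision()
    for resp in responses:
        if not isinstance(resp, dict):
            decision.unknown_actions.append(repr(resp))
            continue
        action = resp.get("action")
        if action in BLOCKING_ACTIONS:
            decision.allow = False
        elif action == "REDACT_DATA_IN_MOTION":
            decision.redact = True
        elif action in PAYLOAD_ACTIONS:
            decision.payloads[action] = decode_payload(resp.get("customResponsePayload"))
        else:
            decision.unknown_actions.append(str(action))
        if resp.get("message"):
            decision.messages.append(resp["message"])
    return decision


if __name__ == "__main__":
    d = apply_detection_result(SAMPLE_DETECTION_RESULT)
    print("allow:", d.allow, "redact:", d.redact)
    for m in d.messages:
        print("user message:", m)
    print("payloads:", d.payloads)
```

Unknown actions are collected rather than ignored so that a new action type added on the Enforce Server shows up in the application's logs instead of being silently dropped.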

Implementing response rules

Configuring the Endpoint: FlexResponse action


The Endpoint: FlexResponse response rule action lets you implement one or more custom responses you have
developed using the FlexResponse API.

This response rule is available for Endpoint Discover.


NOTE
This feature is not available for agents running on Mac endpoints.
Response rule actions for endpoint detection
To configure the Endpoint: FlexResponse response rule action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Endpoint: FlexResponse action type from the Actions list.
Configuring response rule actions
3. Enter the FlexResponse plug-in Name and configure its Parameters.
Endpoint: FlexResponse response rule action parameters
4. Click Save to save the configuration.
Manage response rules

Table 806: Endpoint: FlexResponse response rule action parameters

Parameter: FlexResponse Python Plugin
Description: Enter the script module name with packages separated by a period (.).

Parameter: Plugin parameters
Description: Click Add Parameter to add one or more parameters to the script. Enter the Key/Value pair for each parameter.

Parameter: Credentials
Description: You can add credentials for accessing the plugin. You can add and store credentials at the System > Settings > Credentials screen.

Implementing response rules

Configuring the Endpoint Discover: Quarantine File action


The Endpoint Discover: Quarantine File response rule action removes a file containing sensitive information from a non-
secure location and places it in a secure location.

This response rule action is specific to Endpoint Discover incidents. This response rule is not applicable to two-tiered
detection methods requiring a Data Profile.

If you use multiple endpoint response rules in a single policy, make sure that you understand the order of precedence for
such rules.
About response rule action execution priority
NOTE
This feature is not available for agents running on Mac endpoints.
To configure the Endpoint Discover: Quarantine File response rule action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Endpoint Discover: Quarantine File action type from the Actions list.
Configuring response rule actions
3. Enter the Quarantine Path and the Marker File settings.
Endpoint Discover: Quarantine File response rule action parameters
4. Click Save to save the configuration.
Manage response rules

Table 807: Endpoint Discover: Quarantine File response rule action parameters

Parameter: Quarantine Path
Description: Enter the path to the secured location where you want files to be placed. The secure location can be on the local drive of the endpoint or on a remote file share. EFS folders can also be used as the quarantine location.

Parameter: Access Mode
Description: If your secure location is on a remote file share, you must select how the Symantec DLP Agent accesses that file share. Select one of the following credential access types:
• Anonymous Access
• Use Saved Credentials
In anonymous mode, the Symantec DLP Agent runs as the LocalSystem user to move the confidential file. You can use anonymous mode to move files to a secure location on a local drive, or to a remote share that allows anonymous access.
Note: EFS folders cannot accept anonymous users.
A saved credential lets the Symantec DLP Agent impersonate the specified user to access the secure location. The credentials must be in the following format:
domain\user
You must enter the credentials you want to use through the System Credentials page. Grant that account only the rights it needs on the quarantine location, because the agent moves files with whatever permissions the account holds.

Parameter: Marker File
Description: Select the Leave marker in place of the remediated file check box to create a placeholder file that replaces the confidential file.

Parameter: Marker Text
Description: Specify the text to appear in the marker file. If you selected the option to leave the marker file in place of the remediated file, you can use variables in the marker text. To insert a variable, select it from the Insert Variable list.
For example, for Marker Text you might enter:
A message has violated the following rules in $POLICY$: $RULES$
Or, you might enter:
$FILE_NAME$ has been moved to $QUARANTINE_PARENT_PATH$

About response rule actions


Response rule actions for endpoint detection

Configuring the Endpoint Prevent: Block action


The Endpoint Prevent: Block response rule action blocks the movement of confidential data on the endpoint and optionally
displays an on-screen notification to the endpoint user.
About response rule actions
This response rule action is specific to Endpoint Prevent incidents. This response rule is not applicable to two-tiered
detection methods requiring a Data Profile.

If you combine multiple endpoint response rules in a single policy, make sure that you understand the order of precedence
for such rules.
About response rule action execution priority
NOTE
The block action is not triggered for a copy of sensitive data to a local drive.
To configure the Endpoint Prevent: Block response rule action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Endpoint Prevent: Block action type from the Actions list.
Configuring response rule actions
3. Enter the Endpoint Notification Content settings.
Endpoint Prevent: Block response rule action parameters
4. Click Save to save the configuration.
Manage response rules

Table 808: Endpoint Prevent: Block response rule action parameters

Parameter: Language
Configuration: Select the language you want the response rule to execute on. Click Add Language to add more than one language.

Parameter: Display Alert Box
Configuration: This field is optional for Endpoint Block actions. Select this option to display an on-screen notification with this message to the endpoint user when the system blocks an attempt to copy confidential data.
Enter the notification message in the text box. You can add variables to the message by selecting the appropriate value(s) from the Insert Variable box.
Optionally, you can configure the on-screen notification to include user justifications as well as an option for users to enter their own justification.
You can also add hyperlinks to refer users to URLs that contain company security information. To add hyperlinks you use standard HTML syntax, tags, and URLs. Tags are case-sensitive. You can include hyperlinked text between regular text. For example, you would enter:
The $CONTENT_TYPE$ "$CONTENT_NAME$" contains sensitive information. <a href="http://www.company.com">Click here for information</a>. Contact the <a href="mailto:admin@company.com">administrator</a> if you have questions.

Parameter: Insert Variable
Configuration: Select the variables to include in the on-screen notification to the endpoint when the system blocks an attempt to copy confidential data.
You can select variables based on the following types:
• Application
• Content Name
• Content Type
• Matching Attachments
• Matching Recipient Domains
• Device Type
• Matching Recipients
• Policy Names
• Protocol

Parameter: Allow user to choose explanation
Configuration: Select this option to display up to four user justifications in the on-screen notification. When the notification appears on the endpoint, the user is required to choose one of the justifications. (If you select Allow user to enter text explanation, the user can enter a justification.) Symantec Data Loss Prevention provides four default justifications, which you can modify or remove as needed.
Available justifications:
• User Education
• Broken Business Process
• Manager Approved
• False positive
Each justification entry consists of the following options:
• Check box
This option indicates whether to include the associated justification in the notification. To remove a justification, clear the check box next to it. To include a justification, select the check box next to it.
• Justification
The system label for the justification. This value appears in reports (for ordering and filtering purposes), but the user does not see it. You can select the desired option from the drop-down list.
• Option Presented to End User
The justification text the system displays in the notification. This value appears in reports with the justification label. You can modify the default text as desired.
To add a new justification, select New Justification from the drop-down list. In the Enter new justification text box that appears, enter the justification name. When you save the rule, Symantec Data Loss Prevention includes it as an option (in alphabetical order) in all Justification drop-down lists.
Note: Be selective when adding new justifications. Deleting new justifications is not currently supported.

Parameter: Allow user to enter text explanation
Configuration: Select this option to include a text box into which users can enter their own justification.
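Both the marker text for the Endpoint Discover: Quarantine File action (Table 807) and the on-screen notification for the Endpoint Prevent: Block action (Table 808) use the same $NAME$ variable syntax, and the notification additionally honours HTML tags. The Python example below is added here and is not code from Symantec Data Loss Prevention; it renders that syntax the way an administrator can expect it to behave: list-valued variables such as matched rules are joined, a token with no value is left visible rather than blanked, and when the template is an HTML notification the substituted values are HTML-escaped so a file name is displayed as text. The page does not describe how the product itself renders variable values inside HTML notifications; the escaping here is the example's own choice. All sample values, and any variable names beyond those shown on the page, are constructed for the example.

```python
import html
import re

# Variables in marker text and notification messages are written as $NAME$.
VARIABLE = re.compile(r"\$([A-Z_]+)\$")


def render_template(template: str, values: dict, html_context: bool = False) -> str:
    """Substitute $NAME$ tokens in a marker-text or notification template.

    - List values (matched rules, policy names, recipients) are joined with ", ".
    - A token with no value is left in place, so a misspelt variable is visible
      in the output instead of being silently blanked.
    - With html_context=True the values are HTML-escaped before substitution,
      because the on-screen notification honours HTML tags in the template and a
      value such as a file name must be shown as text, not interpreted as markup.
    """
    def substitute(match):
        name = match.group(1)
        if name not in values:
            return match.group(0)
        value = values[name]
        if isinstance(value, (list, tuple)):
            text = ", ".join(str(item) for item in value)
        else:
            text = str(value)
        return html.escape(text, quote=True) if html_context else text

    return VARIABLE.sub(substitute, template)


# Constructed incident values for the example. $POLICY$, $RULES$, $FILE_NAME$ and
# $QUARANTINE_PARENT_PATH$ appear in the page's marker-text examples; $CONTENT_TYPE$
# and $CONTENT_NAME$ appear in its notification example. The values are invented.
SAMPLE_VALUES = {
    "POLICY": "PCI Card Numbers",
    "RULES": ["Credit Card Number", "Cardholder Name"],
    "FILE_NAME": "q3-report.xlsx",
    "QUARANTINE_PARENT_PATH": r"\\fileserver\dlp-quarantine",
    "CONTENT_TYPE": "file",
    "CONTENT_NAME": "<b>q3-report.xlsx</b>",
}

MARKER_TEMPLATE = (
    "A message has violated the following rules in $POLICY$: $RULES$\n"
    "$FILE_NAME$ has been moved to $QUARANTINE_PARENT_PATH$"
)

NOTIFICATION_TEMPLATE = (
    'The $CONTENT_TYPE$ "$CONTENT_NAME$" contains sensitive information. '
    '<a href="http://www.company.com">Click here for information</a>.'
)


def marker_text(values=SAMPLE_VALUES) -> str:
    """Plain-text marker file body: no escaping, list values joined."""
    return render_template(MARKER_TEMPLATE, values)


def notification_html(values=SAMPLE_VALUES) -> str:
    """HTML notification body: the template's own <a> tag survives, while the
    <b> inside the substituted file name is escaped and shown literally."""
    return render_template(NOTIFICATION_TEMPLATE, values, html_context=True)


if __name__ == "__main__":
    print(marker_text())
    print(notification_html())
```

The distinction the two functions draw is the one that matters when you write these templates: markup belongs in the template you author, never in the values the agent fills in.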

Response rule actions for endpoint detection

Configuring the Endpoint Prevent: Encrypt action


The Endpoint Prevent: Encrypt response rule action automatically encrypts a sensitive file and displays a notification when
a user attempts to do any of the following:
• Transfer a sensitive file to a removable storage device
A user can copy a sensitive file to the removable storage device through Windows Explorer, the command line, or
PowerShell. The DLP Agent blocks the Save As operation for an encrypted file on a removable storage device.
• Transfer a sensitive file to a cloud storage application
Examples of commonly used cloud storage applications are Box, Google Drive, and Microsoft OneDrive.
• Upload a sensitive file or folder through a browser over HTTPS on Windows endpoints
When a user uploads a sensitive file or folder using a browser, the DLP Agent blocks the user action, encrypts the file
with an .html extension, and replaces the original file at the source location. The user is then prompted to upload the
encrypted file or folder using the browser so that the sensitive information stays protected.
The maximum supported file size for the Endpoint Prevent: Encrypt response action is 150 MB.
About response rule actions
For more information about the Endpoint Prevent: Encrypt response rule action, see Response rule best practices.

When a violation is detected, the DLP Agent encrypts the file, the data transfer completes, and an incident is created. You
can provide a reason for the notification as well as options for the endpoint user to enter a justification for the action. This
response rule action is available for Endpoint Prevent on Windows and Mac endpoints.
To configure the Endpoint Prevent: Encrypt action
1. Navigate to Policies > Response Rules, click Add Response Rule, and select the type of response rule to add:
Automated Response or Smart Response.
2. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
3. Add the Endpoint Prevent: Encrypt action type from the Actions list.
Configuring response rule actions
4. Configure the Endpoint Prevent: Encrypt parameters.
Endpoint Prevent: Encrypt parameters
5. Click Save to save the configuration.
Manage response rules

Table 809: Endpoint Prevent: Encrypt parameters

Parameter: Language
Description: Select the language you want the response rule to apply to. Click Add Language to add more than one language.

Parameter: Display Block Alert Box with this message
Description: This field is required to notify users that the data transfer was blocked.
Enter the notification message in the text box. You can add variables to the message by selecting the appropriate value(s) from the Insert Variable box.
A user must click OK to acknowledge the alert and dismiss the pop-up dialog.

Parameter: Display Encrypt Alert Box with this message
Description: This field is required to notify users that the file that they tried to transfer was encrypted.
Enter the notification message in the text box. You can add variables to the message by selecting the appropriate value(s) from the Insert Variable box.
A user must click OK to acknowledge the alert and dismiss the pop-up dialog.

Parameter: Display Retry Alert with this message
Description: This field is required to notify users that the file they tried to upload using the browser was encrypted at the source location, and the original file was deleted. The users should upload this encrypted file using the browser.
Enter the notification message in the text box. You can add variables to the message by selecting the appropriate value(s) from the Insert Variable box.
A user must click OK to acknowledge the alert and dismiss the pop-up dialog.

Parameter: Insert Variable
Description: Select the variables that you want to include in the on-screen notification to the endpoint user.
You can select variables based on the following types:
• Application
• Content Name
• Content Type
• Device Type
• Policy Name
• Protocol

Parameter: Allow user to choose explanation
Description: Select this option to display up to four user justifications in the on-screen notification. When the notification appears on the endpoint, the user is required to choose one of the justifications. (If you select Allow user to enter text explanation, the user can enter a justification.) Symantec Data Loss Prevention provides four default justifications, which you can modify or remove as needed.
Available justifications:
• Broken Business Process
• False positive
• Manager Approved
• User Education
• New justification (custom)
Each justification entry consists of the following options:
• Check box
This option indicates whether to include the associated justification in the notification. To remove a justification, clear the check box next to it. To include a justification, select the check box next to it.
• Justification
The system label for the justification. This value appears in reports (for ordering and filtering purposes), but the user does not see it. You can select the desired option from the drop-down list.
• Option Presented to End User
The justification text Symantec Data Loss Prevention displays in the notification. This value appears in reports with the justification label. You can modify the default text as desired.
To add a new justification, select New justification from the appropriate drop-down list. In the Enter new justification text box that appears, type the justification name. When you save the rule, the system includes the new justification as an option (in alphabetical order) in all Justification drop-down lists.
Note: Be selective in adding new justifications. Deleting new justifications is not currently supported.

Parameter: Allow user to enter text explanation
Description: Select this option to include a text box into which users can enter their own justification.

Implementing response rules

Configuring the Endpoint Prevent: Notify action


The Endpoint Prevent: Notify response rule action displays an on-screen notification to the endpoint user when the user
attempts to copy or send a sensitive file. You can provide a reason for the notification as well as options for the endpoint
user to give a justification for the action.
About response rule actions
This response rule action is available for Endpoint Prevent.

NOTE
The notify action is not triggered for a copy of sensitive data to a local drive.
To configure the Endpoint Prevent: Notify action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Endpoint Prevent: Notify action type from the Actions list.
Configuring response rule actions
3. Configure the action parameters.
Endpoint Prevent: Notify response rule action parameters
4. Click Save to save the configuration.
Manage response rules

Table 810: Endpoint Prevent: Notify response rule action parameters

Parameter: Language
Description: Select the language you want the response rule to execute on. Click Add Language to add more than one language.

Parameter: Display Alert Box with this message
Description: This field is required for Endpoint Notify actions. Select this option to display an on-screen notification to the endpoint user.
Enter the notification message in the text box. You can add variables to the message by selecting the appropriate value(s) from the Insert Variable box.
Optionally, you can configure the on-screen notification to include user justifications as well as the option for users to enter their own justifications.
You can also add hyperlinks to refer users to URLs that contain company security information. To add hyperlinks you use standard HTML syntax, tags, and URLs. Tags are case-sensitive. You can insert hyperlinked text between regular text. For example, you would enter:
The $CONTENT_TYPE$ "$CONTENT_NAME$" contains sensitive information. <a href="http://www.company.com">Click here for information</a>. Contact the <a href="mailto:admin@company.com">administrator</a> if you have questions.

Parameter: Insert Variable
Description: Select the variables that you want to include in the on-screen notification to the endpoint user.
You can select variables based on the following types:
• Application
• Content Name
• Content Type
• Device Type
• Policy Names
• Protocol

Parameter: Allow user to choose explanation
Description: Select this option to display up to four user justifications in the on-screen notification. When the notification appears on the endpoint, the user is required to choose one of the justifications. (If you select Allow user to enter text explanation, the user can enter a justification.) Symantec Data Loss Prevention provides four default justifications, which you can modify or remove as needed.
Available justifications:
• Broken Business Process
• False positive
• Manager Approved
• User Education
• Custom (new justification)
Each justification entry consists of the following options:
• Check box
This option indicates whether to include the associated justification in the notification. To remove a justification, clear the check box next to it. To include a justification, select the check box next to it.
• Justification
The system label for the justification. This value appears in reports (for ordering and filtering purposes), but the user does not see it. You can select the desired option from the drop-down list.
• Option Presented to End User
The justification text Symantec Data Loss Prevention displays in the notification. This value appears in reports with the justification label. You can modify the default text as desired.
To add a new justification, select New Justification from the appropriate drop-down list. In the Enter new justification text box that appears, type the justification name. When you save the rule, the system includes the new justification as an option (in alphabetical order) in all Justification drop-down lists.
Note: Be selective in adding new justifications. Deleting new justifications is not currently supported.

Parameter: Allow user to enter text explanation
Description: Select this option to include a text box into which users can enter their own justification.

Response rule actions for endpoint detection

Configuring the Endpoint Prevent: User Cancel action


The Endpoint Prevent: User Cancel response rule action displays a time-sensitive notification to the user when a policy is
violated.
About response rule actions
Users have a limited amount of time to decide whether to ignore the policy violation. If the user ignores the violation,
the data transfer completes and an incident is created. If the user does not ignore it, the data transfer is stopped and an
incident is created. If the user makes no decision in the allotted time, the data transfer is automatically blocked or allowed
according to the configured policy, and an incident is created. You can provide a reason for the notification as well as
options for the endpoint user to enter a justification for the action.
This response rule action is available for Endpoint Prevent on Windows and macOS endpoints.

To configure the Endpoint Prevent: User Cancel action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
Add the Endpoint Prevent: User Cancel action type from the Actions list.
Configuring response rule actions
2. Configure the Endpoint Prevent: User Cancel parameters.
Endpoint Prevent: User Cancel parameters
3. Click Save to save the configuration.
Manage response rules

Table 811: Endpoint Prevent: User Cancel parameters

Language: Select the language you want the response rule to execute on. Click Add Language to add more than
one language.
Pre-timeout warning: This field is required to notify users that they have a limited amount of time to respond to
the incident. Enter the notification message in the text box. You can add variables to the message by selecting
the appropriate value(s) from the Insert Variable box.
Post-timeout message: This field notifies users that the amount of time to override the policy has expired and
that the data transfer was blocked. Enter the notification message in the text box. You can add variables to the
message by selecting the appropriate value(s) from the Insert Variable box.
Display Alert Box with this message: This field is required for Endpoint User Cancel actions. Select this option
to display an on-screen notification to the endpoint user. Enter the notification message in the text box. You
can add variables to the message by selecting the appropriate value(s) from the Insert Variable box.
Optionally, you can configure the on-screen notification to include user justifications as well as the option for
users to enter their own justifications.
You can also add hyperlinks to refer users to URLs that contain company security information. To add
hyperlinks, use standard HTML syntax, tags, and URLs. Tags are case-sensitive. You can insert hyperlinked
text between regular text. For example, you would enter:
The $CONTENT_TYPE$ "$CONTENT_NAME$" contains sensitive information. <a
href="http://www.company.com">Click here for information</a>. Contact
the <a href="mailto:admin@company.com">administrator</a> if you have
questions.
Insert Variable: Select the variables that you want to include in the on-screen notification to the endpoint user.
You can select variables based on the following types:
• Application
• Content Name
• Content Type
• Device Type
• Matching Attachments
• Matching Recipient Domains
• Matching Recipients
• Policy Name
• Protocol
• Timeout Counter
Note: You must use the Timeout Counter variable to display how much time remains before blocking the
data transfer.


Allow user to choose explanation: Select this option to display up to four user justifications in the on-screen
notification. When the notification appears on the endpoint, the user is required to choose one of the
justifications. (If you select Allow user to enter text explanation, the user can enter a justification.) Symantec
Data Loss Prevention provides four default justifications, which you can modify or remove as needed.
Available Justifications:
• Broken Business Process
• False positive
• Manager Approved
• User Education
• Custom (new justification)
Each justification entry consists of the following options:
• Check box
This option indicates whether to include the associated justification in the notification. To remove a
justification, clear the check box next to it. To include a justification, select the check box next to it.
• Justification
The system label for the justification. This value appears in reports (for ordering and filtering purposes),
but the user does not see it. You can select the desired option from the drop-down list.
• Option Presented to End User
The justification text Symantec Data Loss Prevention displays in the notification. This value appears in
reports with the justification label. You can modify the default text as desired.
To add a new justification, select New Justification from the appropriate drop-down list. In the Enter new
justification text box that appears, type the justification name. When you save the rule, the system includes
the new justification as an option (in alphabetical order) in all Justification drop-down lists.
Note: You should be selective in adding new justifications. Deleting new justifications is not currently
supported.

Allow user to enter text explanation: Select this option to include a text box into which users can enter their
own justification.

Implementing response rules

Configuring the Network Prevent for Web: Block FTP Request action
The Network Prevent for Web: Block FTP Request response rule action blocks any file transfer by FTP on your network
device.
About response rule actions
This response rule is available only for Network Prevent for Web integrated with a proxy server.

To configure the Network Prevent for Web: Block FTP Request response rule action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Network Prevent for Web: Block FTP Request action type from the Actions list.
The Block FTP Request response rule action does not require any further configuration. Once the response rule is
deployed to a policy, this action blocks any FTP attempt.
Configuring response rule actions
3. Click Save to save the configuration.
Manage response rules


Configuring the Network Prevent for Web: Block HTTP/S action


The Network Prevent for Web: Block HTTP/S response rule action blocks the transmission of Web content that Network
Prevent for Web detects. This action also blocks Web-based email messages and attachments.
About response rule actions
This response rule action blocks the transmission of Web content using the Internet Content Adaptation Protocol (ICAP).
To implement this response rule action you must integrate the detection server with a Web proxy server.

To configure the Network Prevent: Block HTTP/S response rule action


1. Integrate Network Prevent for Web with a proxy server and, if necessary, a VPN server.
2. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
3. Add the Network Prevent for Web: Block HTTP/S action type from the Actions list.
Configuring response rule actions
4. Edit the Rejection Message, as necessary.
The system presents this message to the user's browser when the action blocks content.
For example, you might include some HTML-coded text to display in a browser.
NOTE
If the requesting client does not expect an HTML response, the Rejection Message may not be displayed
in the client browser. For example, a client expecting an XML response to a Web post may only indicate a
JavaScript error.
5. Click Save to save the configuration of the response rule.

Certain applications may not provide an adequate response to the Network Prevent for Web: Block HTTP/S response
action. This behavior has been observed with the Yahoo! Mail application when a detection server blocks a file upload. If a
user tries to upload an email attachment and the attachment triggers a Network Prevent for Web: Block HTTP/S response
action, Yahoo! Mail does not respond or display an error message to indicate that the file is blocked. Instead, Yahoo!
Mail appears to continue uploading the selected file, but the upload never completes. The user must manually cancel the
upload at some point by pressing Cancel.
Other applications may also exhibit this behavior, depending on how they handle the block request. In these cases a
detection server incident is created and the file upload is blocked even though the application provides no such indication.

Configuring the Network Prevent: Block SMTP Message action


The Network Prevent: Block SMTP Message response rule action blocks SMTP email messages that cause an incident
on the Network Prevent for Email detection server and the Cloud Service for Email.
About response rule actions
Response rule actions for Network Prevent detection
You must integrate the Network Prevent for Email detection server with a Mail Transfer Agent (MTA) to implement this
response rule action. Refer to the Symantec Data Loss Prevention MTA Integration Guide for Network Prevent for Email
for details.

To configure the Block SMTP Message response rule action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Network Prevent: Block SMTP Message action type from the Actions list.
Configuring response rule actions
3. Configure the Block SMTP Message action parameters.
Network Prevent: Block SMTP Message parameters
4. Click Save to save the response rule.
Manage response rules

Table 812: Network Prevent: Block SMTP Message parameters

Bounce Message to Sender: Enter the text that you want to appear in the SMTP error that Network Prevent for
Email returns to the MTA. Some MTAs display this text in the message that is bounced to the sender.
If you leave this field blank, the message does not bounce to the sender but the MTA sends its own message.
Redirect Message to this Address: If you want to redirect blocked messages to a particular address (such as
the Symantec Data Loss Prevention administrator), enter that address in this field.
If you leave this field blank, the bounced message goes to the sender only.


Configuring the Network Prevent: Modify SMTP Message action


The Network Prevent: Modify SMTP Message response rule action lets you modify a sensitive email. For example, you
can use this action to change an email subject header to include information about the policy violation type. The Modify
SMTP Message response rule also works with Cloud Service for Email.
About response rule actions
Response rule actions for Network Prevent detection
To configure the Network Prevent: Modify SMTP Message action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Network Prevent: Modify SMTP Message action type from the Actions list.
Configuring response rule actions
3. Configure the action parameters.
Network Prevent: Modify SMTP Message parameters
4. Click Save to save the configuration.
Manage response rules

Table 813: Network Prevent: Modify SMTP Message parameters

Subject: Select the type of modification to make to the subject of the message from the following options:
• Do not Modify – No text is changed in the subject.
• Prepend – New text is added to the beginning of the subject.
• Append – New text is added to the end of the subject.
• Replace With – New text completely replaces the old subject text.
If you select a modification other than Do not Modify, specify the new text.
For example, if you want to prepend "VIOLATION" to the subject of the message, select Prepend and enter
VIOLATION in the text field.
Headers: Enter a unique name and a value for each header you want to add to the message (up to three).
Enable Email Quarantine Connect (requires Symantec Messaging Gateway): Select this option to enable
integration with Symantec Messaging Gateway. When this option is enabled, Symantec Data Loss Prevention
adds preconfigured x-headers to the message that inform Symantec Messaging Gateway that the message
should be quarantined.
For more information, see the Symantec Data Loss Prevention Email Quarantine Connect FlexResponse
Implementation Guide.
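As an added illustration of the Subject and Headers parameters in Table 813 (example code written for this page, not Symantec's implementation), the following Python applies each subject mode and the three-header limit to a constructed message. The function names and the sample headers are assumptions.

```python
"""Added example (not Symantec's own code): applies the Modify SMTP Message
parameters (subject Do not Modify / Prepend / Append / Replace With, plus up to
three added headers) to a parsed RFC 5322 message. Function names and the
X-DLP-* header names used below are assumptions for illustration."""
from email import message_from_string
from email.message import Message
from email.policy import default
from typing import Optional

SUBJECT_MODES = ("Do not Modify", "Prepend", "Append", "Replace With")
MAX_ADDED_HEADERS = 3  # the page allows at most three added headers

# Constructed sample message; not captured from a real MTA.
SAMPLE_MESSAGE = (
    "From: alice@example.com\n"
    "To: bob@example.com\n"
    "Subject: Q3 customer list\n"
    "Content-Type: text/plain\n"
    "\n"
    "Attached is the list.\n"
)


def modify_subject(msg: Message, mode: str, text: str = "") -> str:
    """Rewrite the Subject header according to the chosen mode and return it.

    The configured text is used literally, so any separator (a space or a
    colon after a prefix) must be part of the text itself."""
    if mode not in SUBJECT_MODES:
        raise ValueError(f"unknown subject mode: {mode!r}")
    original = msg.get("Subject", "")
    if mode == "Do not Modify":
        new_subject = original
    elif mode == "Prepend":
        new_subject = text + original
    elif mode == "Append":
        new_subject = original + text
    else:  # Replace With
        new_subject = text
    del msg["Subject"]  # no error if the header is absent
    msg["Subject"] = new_subject
    return new_subject


def add_headers(msg: Message, headers: dict) -> list:
    """Add up to three uniquely named headers and return the names added.

    Names are compared case-insensitively, as SMTP header names are, and a
    name already present on the message is rejected instead of duplicated."""
    if len(headers) > MAX_ADDED_HEADERS:
        raise ValueError("at most three headers can be added")
    seen = set()
    for name, value in headers.items():
        key = name.lower()
        if key in seen or msg.get(name) is not None:
            raise ValueError(f"header name is not unique: {name}")
        seen.add(key)
        msg[name] = value
    return list(headers)


def modify_smtp_message(raw: str, mode: str, text: str = "",
                        headers: Optional[dict] = None) -> Message:
    """Parse a message, apply the subject rule and the header additions, and
    return the modified message object."""
    msg = message_from_string(raw, policy=default)
    modify_subject(msg, mode, text)
    add_headers(msg, headers or {})
    return msg


if __name__ == "__main__":
    # Prepend the page's example text and tag the policy that fired.
    out = modify_smtp_message(SAMPLE_MESSAGE, "Prepend", "VIOLATION: ",
                              {"X-DLP-Policy": "Customer Data"})
    print(out.as_string())
```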


Configuring the Network Prevent for Web: Remove HTTP/S Content action
The Network Prevent for Web: Remove HTTP/S Content response action removes confidential data that is posted to
Web mail sites (such as Gmail), blogs (such as Blogspot), and other sites. This action also removes confidential data that
is included in any files that users upload to Web sites or attach to Web mail. This action only applies to HTTP/S POST
commands; it does not apply to GET commands.
About response rule actions
This response rule action is only available for Network Prevent for Web.
Response rule actions for Network Prevent detection
Symantec Data Loss Prevention recognizes Web form fields for selected Web mail, blog, and social networking sites.
If Network Prevent for Web cannot remove confidential data for a Web site it recognizes, it creates a system event and
performs a configured fallback option.
NOTE
Symantec Data Loss Prevention removes content for file uploads and, for Network Prevent, Web mail
attachments even for those sites that it does not recognize for HTTP content removal.
To configure the Network Prevent for Web: Remove HTTP/S Content action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Network Prevent for Web: Remove HTTP/S Content action type from the Actions list.
Configuring response rule actions
3. Configure the action parameters.
Network Prevent for Web: Remove HTTP/S Content parameters

4. Click Save to save the configuration.
Manage response rules

Table 814: Network Prevent for Web: Remove HTTP/S Content parameters

Removal Message: The message that appears in content (Web postings, Web mail, or files) from which the
system has removed confidential information. Only the recipient sees this message.
Fallback option: The action to take if Network Prevent for Web cannot remove confidential information that was
detected in an HTTP or HTTPS post.
The available options are Block (the default) and Allow.
Note: Symantec Data Loss Prevention removes confidential data in file uploads and, for Network Prevent, Web
mail attachments, even for sites in which it does not perform content removal. The Fallback option is taken only
in cases where Symantec Data Loss Prevention detects confidential content in a recognized Web form, but it
cannot remove the content.
Rejection Message: The message that Network Prevent for Web returns to a client when it blocks an HTTP or
HTTPS post. The client Web application may or may not display the rejection message, depending on how the
application handles error messages.


Configuring the Network Protect: Copy File action


The Network Protect: Copy File response rule action copies a sensitive file to the local file system.
About response rule actions
This response rule action is only available for Network Discover that is configured for Network Protect.
Response rule actions for Network Prevent detection
To configure the Network Protect: Copy File response rule action
1. Configure a network file share and specify a location to copy files to.
2. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
3. Select the Network Protect: Copy File action type from the Actions list.
This action does not require you to configure any parameters.
Configuring response rule actions
4. Click Save to save the configuration.
Manage response rules


Configuring the Network Protect: Quarantine File action


The Network Protect: Quarantine File response rule action quarantines a file that the detection server identifies as
sensitive or protected.
About response rule actions

This response rule action is only available for Network Discover that is configured for Network Protect.
Response rule actions for Network Prevent detection
To configure the Network Protect: Quarantine File response rule action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Network Protect: Quarantine File action type from the Actions list.
Configuring response rule actions
3. Configure the Network Protect: Quarantine File parameters.
Network Protect: Quarantine File configuration parameters
4. Click Save to save the configuration.
Manage response rules

Table 815: Network Protect: Quarantine File configuration parameters

Marker File: Select this option to create a marker text file to replace the original file. This action notifies the
user what happened to the file instead of quarantining or deleting the file without any explanation.
Note: The marker file is the same type and has the same name as the original file, as long as it is a text file. An
example of such a file type is Microsoft Word. If the original file is a PDF or image file, the system creates a
plain text marker file. The system then gives the file the same name as the original file with .txt appended to
the end. For example, if the original file name is accounts.pdf, the marker file name is accounts.pdf.txt.

Marker Text: Specify the text to appear in the marker file. If you selected the option to leave the marker file in
place of the remediated file, you can use variables in the marker text.
To specify marker text, select the variable from the Insert Variable list.
For example, for Marker Text you might enter:
A message has violated the following rules in $POLICY$: $RULES$
Or, you might enter:
$FILE_NAME$ has been moved to $QUARANTINE_PARENT_PATH$
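The marker-file naming rule in Table 815 and the $VARIABLE$ placeholder syntax shared by the marker text and by the Endpoint Prevent: User Cancel notification text ($CONTENT_TYPE$, $CONTENT_NAME$), as an added example written for this page rather than Symantec's own code. The function names, the set of extensions treated as text-type files, and the meaning of $FILE_NAME$ (base name only) are assumptions; the sample paths are constructed.

```python
"""Added example (not Symantec's own code): builds the marker file that the
Network Protect: Quarantine File action leaves in place of a quarantined
file, and expands the $NAME$ placeholders used in marker text and endpoint
notification text. Function names, the text-type extension set and the
meaning of $FILE_NAME$ (base name only) are assumptions for illustration."""
import re

# Placeholders have the form $NAME$ (e.g. $POLICY$, $FILE_NAME$).
PLACEHOLDER = re.compile(r"\$([A-Z_]+)\$")

# Assumed set of "text file" types for which the marker keeps the original
# name and type; the page names only Microsoft Word as an example.
TEXT_TYPE_EXTENSIONS = frozenset({".doc", ".docx", ".txt", ".rtf"})


def base_name(path: str) -> str:
    """Return the file name from a Windows (UNC) or POSIX path."""
    return re.split(r"[\\/]", path)[-1]


def marker_file_name(original_name: str,
                     text_types: frozenset = TEXT_TYPE_EXTENSIONS) -> str:
    """Marker keeps the original name for text-type files; otherwise the
    original name gets .txt appended (accounts.pdf -> accounts.pdf.txt)."""
    dot = original_name.rfind(".")
    ext = original_name[dot:].lower() if dot > 0 else ""
    return original_name if ext in text_types else original_name + ".txt"


def expand_placeholders(template: str, values: dict) -> str:
    """Replace each $NAME$ with values[NAME]; a placeholder with no value is
    left as written so that a misconfigured template stays visible."""
    return PLACEHOLDER.sub(
        lambda m: str(values.get(m.group(1), m.group(0))), template)


def template_problems(template: str, values: dict) -> list:
    """Report placeholders that cannot be expanded: names with no value, and
    unterminated ones such as '$RULES' that lack the closing '$'."""
    problems = [f"no value for ${n}$" for n in PLACEHOLDER.findall(template)
                if n not in values]
    leftover = PLACEHOLDER.sub("", template)  # strip well-formed ones first
    problems += [f"unterminated placeholder {p}"
                 for p in re.findall(r"\$[A-Z_]+", leftover)]
    return problems


def build_marker(original_path: str, quarantine_parent: str, policy: str,
                 rules: list, marker_text: str) -> tuple:
    """Return (marker file name, marker file contents) for a quarantined file."""
    name = base_name(original_path)
    values = {
        "FILE_NAME": name,                       # assumed: base name only
        "POLICY": policy,
        "RULES": ", ".join(rules),
        "QUARANTINE_PARENT_PATH": quarantine_parent,
    }
    return marker_file_name(name), expand_placeholders(marker_text, values)


if __name__ == "__main__":
    # Constructed sample values; not taken from a real Enforce Server.
    name, text = build_marker(r"\\fileserver\finance\accounts.pdf",
                              r"\\dlp-quarantine\hold", "Customer Data",
                              ["Credit card numbers", "SSN"],
                              "$FILE_NAME$ has been moved to $QUARANTINE_PARENT_PATH$")
    print(name, "->", text)
    # The User Cancel notification uses the same placeholder syntax.
    print(expand_placeholders(
        'The $CONTENT_TYPE$ "$CONTENT_NAME$" contains sensitive information.',
        {"CONTENT_TYPE": "file", "CONTENT_NAME": "accounts.pdf"}))
    print(template_problems("rules in $POLICY$: $RULES", {"POLICY": "x"}))
```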


Configuring the Endpoint: MIP Classification action


When MIP classification is enabled for supported applications in the agent configuration, the Endpoint: MIP
Classification response action enables DLP Agents and the Enforce Server to suggest classification labels for Microsoft
Office documents and outgoing emails in Microsoft Outlook that contain confidential information. Alternatively, DLP Agents
can apply labels automatically when the Endpoint: MIP Classification response action is triggered.
NOTE
• MIP classification is available for outgoing emails in Microsoft Outlook only on Windows endpoints. If
an email already has a label that enforces MIP encryption, DLP does not inspect the email again for
classification.
• Labels are applied to the email body only.
Regardless of whether a label is suggested to users or whether a label is applied automatically, the Endpoint: MIP
Classification response action enables you to configure a pop-up notification that is displayed to users.

To configure the Endpoint: MIP Classification response action, do the following steps:
1. Navigate to Policies > Response Rules, click Add Response Rule, and select Automated Response.
2. Configure a response rule at the Configure Response Rule screen.
See Configuring response rules.
3. From the Actions list, add the Endpoint: MIP Classification action.
See Configuring response rule actions.
4. Under Endpoint Notification Content, configure the following parameters:

Table 816: Endpoint Notification Content parameters

Add Language: Creates another Endpoint Notification Content section in which you can configure pop-up
notifications for the Endpoint: MIP Classification response rule action in a different language.
Select Label: Select the label for which you want to configure a pop-up notification. The label is synchronized
from the MIP service.
Select Sub-label: Select the sub-label for which you want to configure a pop-up notification. The sub-label is
synchronized from the MIP service.
5. Under Microsoft Office (Word, Excel and PowerPoint), configure the following classification parameters for Office
applications:

Table 817: Classification parameters for Office applications

Recommend the label: Select this option to configure the DLP Agent to suggest a label to users when they save
and close a file that contains confidential information using a supported application.
Alert that is displayed when the label is recommended: Enter the message to recommend a label to users.
Apply the label automatically: Select this option to configure the DLP Agent to automatically apply a label when
users save a file that contains confidential information using a supported application.
Alert that is displayed when the label is recommended: Enter the message to inform users that a label is
required.
Alert that is displayed when the label is applied automatically: Enter the message to inform users that a label
has been applied.

NOTE
If you have migrated your Enforce Server and detection servers from DLP 15.8, update your existing
configuration of the Endpoint: MIP Classification response action to include the settings for Microsoft
Outlook.
6. Under Microsoft Outlook, configure the following classification parameters for Microsoft Outlook on Windows
endpoints:

Table 818: Classification parameters for Microsoft Outlook

Title: Enter a title for the pop-up message about classifying outgoing emails.
Recommend the label: Select this option to configure the DLP Agent to suggest a label to users when they send
an email using Outlook on a Windows endpoint.
Alert that is displayed when the label is recommended: Enter the message to recommend a label to users.
Apply the label automatically: Select this option to configure the DLP Agent to automatically apply a label when
users send an email using Outlook on a Windows endpoint.
Alert that is displayed when the label is to be applied: Enter the message to inform users that a label has been
applied.
7. Click Save to save the configuration.
Related Links
About response rule actions on page 1350
Response rule best practices on page 1362
Implementing response rules on page 1361
Manage response rules on page 1363

Configuring the User Risk Response Condition


Create a response rule that executes based on the user risk score.
You can create a user risk response condition when user risk detection is enabled.
You can configure the response rule condition to execute based on various user risk scenarios. For example, you can
create a response rule to block a sensitive file transmission when the user risk score is greater than 80 and the content
violates a PII policy.
1. Click Manage > Policies > Response Rules, click Add Response Rule, and select Automated Response.
2. Configure a response rule at the Configure Response Rule screen.
For more information, see Configuring response rules.
3. Select the User Risk Score condition from the Conditions list.
Configuring response rule conditions
4. Select the user risk requirements to trigger actions. See the following table for a description of the condition
parameters.

Matches Exactly (input: user risk number): Triggers a response rule action if the user risk score matches.
Is Greater Than (input: user risk number): Triggers a response rule action if the user risk score is exceeded.
Is Greater Than or Equals (input: user risk number): Triggers a response rule action if the user risk score is met
or exceeded.
Is Between (input: user risk number): Triggers a response rule action when the user risk score is within the
range of numbers specified.
Is Less Than (input: user-specified number): Triggers a response rule action if the user risk score is less than
the specified number.
Is Less Than or Equals (input: user-specified number): Triggers a response rule action when the user risk score
is equal to or less than the specified number.

Related Links
Implementing response rules on page 1361
Manage response rules on page 1363

Incidents
View, manage, and remediate incidents.
Remediating incidents
Remediating Network incidents
Remediating Endpoint incidents
Remediating Discover incidents
Working with Application incidents
Viewing, managing, and reporting incidents
Hiding incidents
Working with incident data
Working with user risk
Implementing lookup plug-ins

Remediating incidents
This content includes the following topics:
• About incident remediation
• Remediating incidents
• Overview of End User Remediation
• Configurations for End User Remediation
• Working with the DLP incidents in ServiceNow
• Customizations in ServiceNow when using End User Remediation
• Security guidelines for selecting incident attributes when using End User Remediation
• About Troubleshooting Incidents
• Performance guidelines for End User Remediation
• Executing Smart response rules
• Incident remediation action commands
• Response action variables

About incident remediation


As incidents occur in your system, individuals in your organization must analyze the incidents, determine why they
occurred, identify trends, and remediate the problems.
Symantec Data Loss Prevention provides a rich set of capabilities which can be used to build an effective incident
remediation process. Once you are ready to take action, you can use a series of incident commands on the Incident
Snapshot and Incident List pages.
Since the Incident Snapshot page displays details about one specific incident, you can select a command to perform an
action on the displayed incident.
On the Incident List page, you can perform an action on multiple incidents at one time. You can select more than one
incident from the list and then choose the desired command.

Along with the DLP administrators, the remediators or end users can perform the remediation action on incidents using
the End User Remediation functionality. End User Remediation simplifies the management of Data Loss Prevention
incidents by decentralizing, automating, and expediting the incident remediation process. See About End User
Remediation.
Table 819 describes the options that are involved in incident remediation:

Table 819: Options involved in incident remediation

Role-based access control: Access to incident information in the Symantec Data Loss Prevention system can be
tightly controlled with role-based access control. Roles control which incidents a particular remediator can take
action on, as well as what information within that incident is available to the remediator. For example, access
control can be used to ensure that a given remediator can act only on incidents originating within a particular
business unit. In addition, it might prevent that business unit's staff from ever seeing high-severity incidents,
instead routing those incidents to the security department.
Severity level assignment: Incident severity is a measure of the risk that is associated with a particular incident.
For example, an email message containing 50 customer records can be considered more severe than a message
containing 50 violations of an acceptable use policy. Symantec Data Loss Prevention lets you specify what
constitutes a severe incident by configuring it at the policy rule level. Symantec Data Loss Prevention then uses
the severity of the incident to drive subsequent responses to the incident. This process lets you prioritize
incidents and devote your manual remediation resources to the areas where they are needed most.
Custom attribute lookup: Custom attribute lookup is the process of collecting additional information about the
incident from data sources outside of Enforce and the incident itself. For example, a corporate LDAP server can
be queried for additional information about the message sender, such as the sender's manager name or business
unit.
About using custom attributes
For example, you can use custom attributes as input to subsequent automated responses to automatically notify
the sender's manager about the policy violation.
Setting the values of custom attributes manually
Automated incident responses: A powerful feature of the Enforce Server is the ability to automatically respond to
incidents as they arise. For example, you can configure the system to respond to a serious incident by blocking
the offending communication. You can send an email message to the sender's manager. You can send an alert to
a security event management system. You can escalate the incident to the security department. On the other
hand, an acceptable use incident might be dispensed with by sending an email message to the sender. Then you
can mark the incident as closed, requiring no further work. Between these extremes, you can establish a policy
that automatically encrypts transmissions of confidential data to a business partner. All of these scenarios can
be handled automatically without user intervention.


Smart Response: Although the automated response is an important part of the remediation process,
SmartResponse is necessary at times, particularly in the case of more serious incidents. Symantec Data Loss
Prevention provides a detailed Incident Snapshot with all of the information necessary to determine the next
steps in remediation. You can use SmartResponse to manually update incident severity, status, and custom
attributes, and to add comments to the incident. You can move the incident through the remediation workflow to
resolve it.
The following standard SmartResponse actions are available:
• Add Note
• Log to a Syslog Server
• Send Email Notification
• Set Status
The following additional SmartResponse actions are available when you click Include Cloud Detection API
incident actions:
• Custom
• Encrypt
• Quarantine
• Remove Collaborator Access
• Remove Shared Links
• Restore File
• Server FlexResponse
• Tag File
Distribution of aggregated incident reports: You can create and automatically distribute aggregated incident
reports to data owners for remediation.

The Enforce Server handles all of these steps, except for Smart Response. You can handle incidents in an entirely
automated way. You can reserve manual intervention (Smart Response) for only the most serious incidents.

Remediating incidents
When you remediate an incident, you can perform the following actions:
• Set the status or severity of an incident.
• Apply a Smart Response rule to the incident.
• Set the custom attributes of the incident.
• Add comments to the incident record.
• Remediate incidents by going to an incident list or incident snapshot and selecting actions to perform on one or more
incidents.
• Perform some combination of these actions.
NOTE
Along with the DLP administrators, the remediators or end users can perform the remediation action on incidents
using the End User Remediation functionality. See About End User Remediation.
You can import a solution pack during installation. Solution packs prepopulate incident lists and incident snapshots with
several remediation options and custom attributes. For complete descriptions of all solution packs (including information
about all remediation options and custom attributes they contain), see Solutions Packs in 16.0 Related Documents.
To remediate incidents

1. Access an incident list or incident snapshot.
In incident lists, Symantec Data Loss Prevention displays available remediation options in the Incident Actions drop-
down menu. The menu becomes active when you select one or more incidents in the list (with the check box). In
incident snapshots, Symantec Data Loss Prevention also displays the available remediation options. You can set a
Status or Severity from the drop-down menus.
Viewing Incidents
You can also edit the Attributes and provide related information.
2. Take either of the following actions:
• When you view an incident list, select the incident(s) to be remediated (check the box). You can select incidents
individually or you can select all incidents on the current screen. Then select the wanted action from the Incident
Actions drop-down menu. For example, select Incident Actions > Set Status > Escalated.
You can perform as many actions as needed.
• When you view an incident snapshot, you can set the Status and Severity from the drop-down menus.
If a Smart Response has been previously set up, you can select a Smart Response rule in the remediation bar.
For example, if one of the Solution Packs was installed, you can select Dismiss False Positive in the remediation
bar. When the Execute Response Rule screen appears, click OK. This Smart Response rule changes the incident
status from New to Dismissed and sets the Dismissal Reason attribute to False Positive.
You can perform as many remediation actions as needed.

Overview of End User Remediation


• About End User Remediation
• Applications of End User Remediation
• About the End User Remediation architecture
• About remediating incidents using End User Remediation
• Overview of steps to implement End User Remediation

About End User Remediation

End User Remediation simplifies the management of Data Loss Prevention incidents by decentralizing, automating, and expediting the incident remediation process. End User Remediation enables the DLP administrator to delegate incident remediation to end users, such as managers, data owners, file owners, employees, or anyone in your organization. End User Remediation enables quicker and more accurate incident remediation because the responsibility for remediation is no longer solely on the DLP administrators, but is shared by other stakeholders in the organization. Because there are more remediators, more incidents can be remediated, and the risk associated with incorrect remediation is reduced.
For End User Remediation, Symantec Data Loss Prevention integrates with ServiceNow. To use End User Remediation,
there is no additional license required for Data Loss Prevention. You will need to have a ServiceNow instance in your
organization. The Symantec DLP End User Remediation (EUR) application is available from the ServiceNow store.
End users can remediate any DLP incident type using the EUR application. The end users (remediators) receive an email per incident, notifying them that they have an incident to remediate. They can click the appropriate remediation action in the same email. Clicking the remediation action drafts an email response. The remediator can add comments if required; sending the email remediates the incident assigned to them.
A one-time configuration is required in the Enforce Server administration console, where you identify the incidents to be remediated, the incident information that is made available to the remediators, and the remediation actions they can take. You configure this in the EUR Incident Configurations and EUR Remediation Configurations screens of the Enforce Server administration console.

On the ServiceNow instance, the EUR administrator needs to configure a set of prerequisite settings to trigger the EUR workflow. After the remediation workflow is triggered, the incident status is recorded in ServiceNow. Periodically, the Enforce Server polls the incident status and executes the response rules selected by the remediators.
The following figure and table summarize a use case of an incident remediated using End User Remediation.
Figure 22: An incident remediated using End User Remediation

Table 820: An incident remediated using End User Remediation

Step 1
Action: The DLP administrator configures the Enforce Server, the EUR Incident Configurations based on incident type, and the EUR Remediation Configurations based on incident report. As a prerequisite, you need to configure the incident reports for the incidents that need to be remediated, add the remediators, and configure response rule actions.
More information: Configuring End User Remediation role for Enforce users; Viewing the End User Remediation - Incident Configurations; Configuring End User Remediation - Incident Configurations; Viewing the End User Remediation - Remediation Configurations; Configuring End User Remediation - Remediation Configurations

Step 2
Action: An employee has a file on their system that violates a policy, and an incident is generated. The DLP administrator configures the employee's manager as the remediator on the Enforce Server administration console.

Step 3
Action: The Symantec DLP End User Remediation application is hosted on ServiceNow. The DLP administrator syncs this incident to the EUR application. As a prerequisite, the ServiceNow administrator has installed the EUR application on ServiceNow and has configured the prerequisite settings on ServiceNow.
More information: Installing the Symantec DLP End User Remediation application on ServiceNow; Assigning roles to the ServiceNow users; Configuring the End User Remediation properties; Generating an OAuth client; Configuring the Outbound and Inbound email configuration; Configuring End User Remediation Portal Settings

Step 4
Action: The EUR application on ServiceNow sends the manager an email for this incident remediation.

Step 5
Action: The manager could contact the employee about how to take the remediation action, or could click an appropriate response rule action in the email and remediate the incident themselves. Their response is recorded in the EUR application on ServiceNow.
More information: Working with the DLP incidents in ServiceNow

Step 6
Action: The Enforce Server polls the incident action from ServiceNow and executes the corresponding response rule on the Enforce Server to remediate the incident.

See Overview of steps to implement End User Remediation.

Applications of End User Remediation

The following are some of the situations in which the End User Remediation functionality can be used.
• Involving line managers in determining the severity of the incidents generated by their employees. This helps organizations quickly identify the most critical issues.
• Quarantining emails with sensitive content and having the sender's manager review the quarantined email and decide whether it can be allowed or rejected.
• Enabling file owners to remediate sensitive files that might be stored on a network share, SharePoint, a SaaS app like Dropbox, and so on.
• Defining workflows to handle situations such as the remediator being "Out of Office", the remediator not taking action within the stipulated time, automatic enrollment of the policy violator for privacy training, and so on.

About the End User Remediation architecture

The following figure summarizes the architecture of End User Remediation. The architecture diagram shows a DLP Discover setup; the architecture is similar for the other DLP products.

Figure 23: End User Remediation - Architecture diagram

1. DLP scans the repository to find the sensitive files and incidents are generated for violating policies.
2. The incidents are recorded in the Enforce Server.
3. These incidents are also stored in the DLP Oracle database.
4. The EUR application is hosted on ServiceNow. These incident details are synchronized to the EUR application.
5. The incidents are recorded on the ServiceNow instance.
6. The EUR application sends the email to the end users for the incident remediation.
7. The end user responds to the email by clicking an appropriate response rule action link. The response is recorded in the EUR application on ServiceNow, and an incident action request is generated.
8. The Enforce Server polls this incident action request from ServiceNow.
9. The Enforce Server executes the corresponding response rule and closes the incident.

About remediating incidents using End User Remediation

Any DLP violation across any channel generates DLP incidents, which are recorded in the Enforce Server administration console and stored in the DLP Oracle database. You create an incident report for these incidents and configure the EUR Incident Configurations and Remediation Configurations.
NOTE
Before configuring the EUR Incident Configurations and EUR Remediation Configurations, ensure that you have configured the following.
• Incident reports for the incidents that need to be remediated. See About custom reports and dashboard.
• Remediators, such as data owners. Set the Incident Remediator (see Incident remediation action commands) or add remediators through plugins (see Selecting lookup parameters).
• Response rule actions. See About response rule actions.
These incidents are sent to the EUR application based on the connection settings defined in the Enforce Server administration console under General > Settings > End User Remediation Portal Settings. When an incident is synced to ServiceNow, it triggers a remediation workflow that generates an event to send an email notification to the assigned remediator. A remediation workflow defines the process for remediating incidents and the stages an incident passes through while it is being remediated.

For a remediator to receive an email from the EUR Application, the remediator should be assigned to the EUR
Remediator role in ServiceNow. If the remediator does not have the EUR remediator role assigned, the incident
assignment fails and no email is sent out.
The EUR application automates this workflow and allows the ServiceNow administrator to customize the remediation
workflow.
In the default EUR workflow, the EUR application sends the incident details by email to the remediator. A remediator can be any user in the organization, for example, the user who caused the incident, their manager, a manager in their hierarchy, an IT engineer, and so on. The email contains the details of the incident, the incident attributes, and the response actions. The content of the email is configurable: the ServiceNow administrator can customize the email templates and change the layout and look-and-feel of the emails. The EUR application provides a default email template, the DLP Incident Notification Template.
The remediator clicks one of the remediation actions, which in turn creates an email reply. The remediator can provide a justification or comment for the chosen action in the email response. These comments are recorded in the Notes tab of the incident snapshot in the Enforce Server administration console. The EUR application receives the response and the workflow triggers the next steps: the workflow generates an action request, and the state of each reply is recorded in ServiceNow as well. The Enforce Server polls the incident action requests from ServiceNow periodically; the polling period is configurable. The Enforce Server executes the corresponding smart response rule, and the incident details are recorded in the History tab of the incident snapshot. This completes the remediation of the incident, and the incident is closed.

Overview of steps to implement End User Remediation

The EUR application is compatible with the ServiceNow versions: Utah, Tokyo, and San Diego. The EUR application can
be deployed in the ServiceNow instance only and integrates with Data Loss Prevention.
End User Remediation involves the following audiences, each with a distinct role.
• The DLP administrator, or the Enforce Server users with the End User Remediation role, who are referred to as "you" in the End User Remediation content.
• The ServiceNow administrator, who has the admin role assigned to them.
• The EUR administrators (EUR Admin), who are the EUR application users with administrator privileges for the EUR application.
• The remediators or end users, who remediate incidents on ServiceNow; these could be managers in an organization and their employees.

The following table lists the roles of the various audiences and the actions they need to perform for the end-to-end deployment of the EUR application.

Table 821: Overview of steps to implement End User Remediation

Step 1
Action: Install the Symantec DLP EUR application on ServiceNow.
Role: ServiceNow Administrator
More information: Installing the Symantec DLP End User Remediation application on ServiceNow

Step 2
Action: Assign roles to the ServiceNow users in ServiceNow.
Role: ServiceNow Administrator
More information: Assigning roles to ServiceNow users

Step 3
Action: Configure EUR Properties in ServiceNow.
Role: EUR Admin
More information: Configuring the End User Remediation properties

Step 4
Action: Generate OAuth credentials and configure the Outbound and Inbound email configuration in ServiceNow.
Role: ServiceNow Administrator
More information: Generating OAuth credentials; Configuring the Outbound and Inbound email configuration

Step 5
Action: Enable the Response Rule Execution Service and configure properties for End User Remediation.
Role: DLP Administrator
More information: Enabling the Response Rule Execution Service for End User Remediation; Configuring EUR incident sync between Enforce and ServiceNow

Step 6
Action: Configure End User Remediation Portal Settings and configure the End User Remediation role for Enforce users.
Role: DLP Administrator
More information: Configuring End User Remediation Portal Settings; Configuring End User Remediation role for Enforce users

Step 7
Action: View and configure the End User Remediation - Incident Configurations.
Role: DLP Administrator
More information: Viewing the End User Remediation - Incident Configurations; Configuring End User Remediation - Incident Configurations

Step 8
Action: View and configure the End User Remediation - Remediation Configurations.
Role: DLP Administrator
More information: Viewing the End User Remediation - Remediation Configurations; Configuring End User Remediation - Remediation Configurations

Step 9
Action: Work with the DLP incidents in the EUR application.
Role: EUR Admin (the EUR Admin can view all the incidents, whereas remediators can view only the incidents assigned to them)
More information: Working with the DLP incidents in the EUR application

Step 10
Action: Customize the email templates and workflows on ServiceNow.
Role: ServiceNow Administrator
More information: About customizing email templates; Customizing the email content and format in ServiceNow; Customizing the email layout in ServiceNow; Customizing the email template in ServiceNow; Assigning email templates to workflows in ServiceNow; About workflows on ServiceNow; Accessing the workflow in ServiceNow; Customizing the workflow on ServiceNow

Configurations for End User Remediation


As a ServiceNow administrator or DLP administrator, you need to configure the following settings on ServiceNow
and Enforce for deploying the EUR application.
• Configurations for End User Remediation on ServiceNow
  • Installing the Symantec DLP End User Remediation application on ServiceNow
  • Assigning roles to ServiceNow users
  • Configuring End User Remediation properties in ServiceNow
  • Generating OAuth credentials in ServiceNow
  • Configuring the Outbound and Inbound email configuration in ServiceNow
• Configurations for End User Remediation on Enforce
  • Enabling the Response Rule Execution Service for End User Remediation
  • Configuring EUR incident sync between Enforce and ServiceNow
  • Configuring End User Remediation Portal Settings
  • Configuring End User Remediation role for Enforce users
  • Viewing the End User Remediation - Incident Configurations
  • Configuring End User Remediation - Incident Configurations
  • Viewing the End User Remediation - Remediation Configurations
  • Configuring End User Remediation - Remediation Configurations

Configurations for End User Remediation on ServiceNow

• Installing the Symantec DLP End User Remediation application on ServiceNow
• Assigning roles to ServiceNow users
• Configuring End User Remediation properties in ServiceNow
• Generating OAuth credentials in ServiceNow
• Configuring the Outbound and Inbound email configuration in ServiceNow
Installing the Symantec DLP End User Remediation application on ServiceNow

Perform the following steps to install the EUR application on the ServiceNow instance.
1. Go to the ServiceNow App Store: https://store.servicenow.com/$appstore.do#!/store/home
2. In the Search field, type Symantec DLP End User Remediation.
3. Click Search.
4. In the search results, click on the Symantec DLP End User Remediation application.
5. On the application description page, click Get to download the Symantec DLP End User Remediation application.
6. Enter your ServiceNow Hi portal credentials and click Login.
7. Follow the online instructions to install the application.
Assigning roles to ServiceNow users

All users to whom you want to delegate incident remediation need to be provisioned in ServiceNow. All such users are assigned the EUR Remediator role.
In ServiceNow, the ServiceNow administrator can assign the following predefined roles to a new user or an existing
ServiceNow user.
• x_symct_dlp_eur.admin
Defines the administrator role for a user.

The EUR admin has access to the EUR Portal, is able to view and update the EUR Application Properties and can
remediate the incidents. The EUR Admin can delete or desync incidents and has access to the Customer Support
section of the EUR application.
• x_symct_dlp_eur.remediator
Defines the incident remediator role for a user.
An EUR Remediator can receive incident emails and perform a remediation action for these incidents. A remediator
can re-assign these incidents to another remediator.
• x_symct_dlp_eur.user
Defines the end user role for a user.
Configuring End User Remediation properties in ServiceNow

The EUR admin configures the EUR properties on the ServiceNow instance.
1. On ServiceNow, navigate to Symantec DLP End User Remediation > Properties.
2. Edit the following EUR properties.

Table 822: End User Remediation properties

Property name: x_symct_dlp_eur.use.default.remediator.value
Function: Use the default remediator user configured on Enforce as the incident owner for the EUR incident remediation workflow process.
Description: Select Yes to use the default user configured as remediator while configuring EUR Incident Configurations > Remediator Preferences in the Enforce Server administration console. This user acts as the incident owner for the EUR incident remediation workflow process. Select No if the EUR Admin does not want to use this user as the default remediator and instead updates the workflow and assigns a different incident remediator.
Values: Yes/No
Default: Yes

Property name: x_symct_dlp_eur.symc.incident.action.request.batch
Function: Defines the batch size for remediation actions.
Description: Enter the number of incidents that the Enforce REST API polls from ServiceNow in one request. This property is used to throttle the number of action requests pulled from ServiceNow by Enforce.
Maximum value: 100

Property name: x_symct_dlp_eur.enable.reminder
Function: Enable email reminders.
Description: Enable this to send reminder emails to the remediator for incident remediation. If enabled, two reminder emails are sent. The time between the first email and the two reminder emails depends on the remediation period configured by the DLP administrators in the EUR Remediation Configuration. The first email is sent to the end user when the incident has been synced to ServiceNow. The first reminder email is sent after one-third of the remediation period has elapsed. The second and final reminder email is sent to the end user after two-thirds of the remediation period has elapsed. The frequency of the reminder emails, if enabled, is therefore determined by the remediation period set in the EUR Remediation Configuration and is not otherwise customizable.
Values: Yes/No
Default: No

Property name: x_symct_dlp_eur.instance.email.address
Function: Defines the email address of the current active SMTP Email Account of this ServiceNow instance.
Description: Enter the email address of the current active SMTP Email Account of this ServiceNow instance. The remediation email is sent to the remediator from this address, and after the remediator remediates the incident, the remediation action email is sent back to this address.

3. Click Save.
Generating OAuth credentials in ServiceNow

The EUR application lets you access Symantec DLP incidents and perform remediation actions. For the Symantec DLP Enforce Server to integrate with the EUR application, the ServiceNow administrator needs to generate OAuth 2 credentials ("OAuth credentials"). The OAuth credentials authorize the Symantec DLP Enforce Server to communicate with the EUR application.
The ServiceNow administrator generates the OAuth credentials so that the Enforce Server can act as an OAuth client.
On the ServiceNow instance, to create the OAuth credentials, perform the following steps:
1. Navigate to System OAuth > Application Registry.
2. Click New.
3. Click Create an OAuth API endpoint for external clients.
4. Enter the following OAuth client application details.
• Name: A unique name.
• Client ID: Client ID is automatically generated by the ServiceNow OAuth server.
• Client Secret: Client secret for the OAuth application.

The Client ID and Client Secret values are used in the DLP Enforce Server administration console for configuring EUR
Portal settings.
See Configuring End User Remediation Portal Settings.
5. Click Submit.
Configuring the Outbound and Inbound email configuration in ServiceNow

The ServiceNow administrator needs to configure the outbound and inbound email configurations on the ServiceNow instance so that emails can be sent to and received from the end users.
1. Navigate to System Properties > Email Properties.
2. On the Outbound Email Configuration, select Yes/No for Email sending enabled.
Property name: glide.email.smtp.active. Selecting Yes enables the EUR application to send an email to end users.
3. On the Inbound Email Configuration, select Yes/No for Email receiving enabled.
Property name: glide.email.read.active. Selecting Yes enables the EUR application to receive an email.
4. Click Save.

Configurations for End User Remediation on Enforce

• Enabling the Response Rule Execution Service for End User Remediation
• Configuring EUR incident sync between Enforce and ServiceNow
• Configuring End User Remediation Portal Settings
• Configuring End User Remediation role for Enforce users
• Viewing the End User Remediation - Incident Configurations
• Configuring End User Remediation - Incident Configurations
• Viewing the End User Remediation - Remediation Configurations
• Configuring End User Remediation - Remediation Configurations
Enabling the Response Rule Execution Service for End User Remediation

End User Remediation uses the Response Rule Execution Service on the Enforce Server to execute the response
rule. After incidents are remediated by the end users, the Enforce Server polls the incidents action records from the
Symantec DLP End User Remediation application and submits the response rule execution requests to the Response
Rule Execution Service.
You enable the Response Rule Execution Service and, if required, set the start and stop times of its execution window for the response rules, by setting the following properties in the manager.properties file for End User Remediation.
1. On the Enforce Server, open the manager.properties file in a text editor.
2. Set the value of the com.vontu.enforcewebservices.responserules.execution.service.schedule
property to Always or BY_SCHEDULE as required. The default value is Never.
Set it to 'Always' if you want incidents remediated as soon as the incident action records are polled by Enforce from ServiceNow; the incident is then processed in the Enforce Server administration console.
If you set the value to BY_SCHEDULE, you also need to set the start and stop execution times of the Response Rule Execution Engine as described in the following steps.

3. Enter the start execution time interval of the Response Rule Execution Engine in the
com.vontu.enforcewebservices.responserules.execution.service.startHour property. The format of
the time interval is seconds,minutes,hour,day-of-month,month,day-of-week,year (optional).
The Response Rule Execution Engine will start executing the requests from the persistence queue at this time of the
day.
4. Enter the stop execution time interval of the Response Rule Execution Engine in the
com.vontu.enforcewebservices.responserules.execution.service.endHour property. The format of
the time interval is seconds,minutes,hour,day-of-month,month,day-of-week,year (optional).
The Response Rule Execution Engine will stop executing the requests from the persistence queue at this time of the
day.
5. Save and close the manager.properties file.
Configuring EUR incident sync between Enforce and ServiceNow

To sync incidents from Enforce to ServiceNow using End User Remediation, you need to configure the following properties in the EndUserRemediation.properties file.
1. On the Enforce Server, open the EndUserRemediation.properties file in a text editor.
2. Set the values for the following properties.

Table 823: EndUserRemediation.properties

Property name: enduserremediation.portal.poller.schedule
Default value: 0 0/15 * * * ?
Description: Specifies the time interval at which the Enforce Server polls the incident action requests from ServiceNow. The time format is "seconds, minutes, hour, day-of-month, month, day-of-week, year (optional)".

Property name: enduserremediation.incidentSync.throttle.enabled
Default value: False
Description: Enables or disables throttling while syncing incidents with the Symantec DLP End User Remediation application on ServiceNow. Set this property to 'true' to enable throttling.

Property name: enduserremediation.incidentSync.throttle.duration.seconds
Default value: 60
Description: Specifies the incident sync throttle duration in seconds. This property is used only if enduserremediation.incidentSync.throttle.enabled is set to "True".

Property name: enduserremediation.incidentSync.throttle.incidents.batchsize
Default value: 100
Description: Specifies the maximum number of incidents sent at one time to ServiceNow for remediation. This property limits the number of incidents sent only if enduserremediation.incidentSync.throttle.enabled is set to "True".

Property name: enduserremediation.incidentSync.batchSize
Default value: 100
Description: Specifies the batch size in which the Enforce Server sends incidents for remediation to ServiceNow.

Property name: enduserremediation.incidentFile.maxSize
Default value: 5
Description: Defines the size (in MB) of the file attachment included in the remediation email. The default value for the EUR application is 5 MB; the maximum permitted limit is 15 MB. If the file attachment exceeds the maximum size of 15 MB, the incident is still sent for remediation, but the file is not attached.

Property name: enduserremediation.parallel.config.execution.limit
Default value: 5
Description: Specifies the number of EUR Remediation Configurations that can run in parallel.

3. Save and close the EndUserRemediation.properties file.
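Both manager.properties (the Response Rule Execution Service settings above) and EndUserRemediation.properties (Table 823) are edited by hand, so a mis-typed schedule expression or an attachment size above the documented 15 MB limit is easy to miss until remediation silently stops or attachments go missing. The following Python checker is an added example, not part of the Symantec documentation or the product. It reads the property keys named on this page, applies the ranges stated in Table 823, requires startHour and endHour when the schedule is BY_SCHEDULE, and validates the Quartz-style schedule fields. Assumptions: schedule fields are whitespace-separated as in the documented default 0 0/15 * * * ?; the schedule value is compared case-insensitively; and both sample property files are constructed here for the demonstration.

```python
# Added example (not Symantec's code): sanity-check EUR-related property files.
import re
from typing import Dict, List, Optional

EUR = "enduserremediation."
RRES = "com.vontu.enforcewebservices.responserules.execution.service."

# Field order documented for the schedule strings; the year field is optional.
CRON_FIELDS = ("seconds", "minutes", "hour", "day-of-month", "month", "day-of-week", "year")
CRON_TOKEN = re.compile(r"^[A-Za-z0-9*?/,\-#]+$")

# Constructed sample files for the demo (illustrative values, not shipped defaults).
# The attachment size is deliberately above the documented 15 MB maximum.
SAMPLE_EUR_PROPERTIES = """\
# poller schedule: the documented default, every 15 minutes
enduserremediation.portal.poller.schedule=0 0/15 * * * ?
enduserremediation.incidentSync.throttle.enabled=true
enduserremediation.incidentSync.throttle.duration.seconds=60
enduserremediation.incidentSync.throttle.incidents.batchsize=100
enduserremediation.incidentSync.batchSize=100
enduserremediation.incidentFile.maxSize=20
enduserremediation.parallel.config.execution.limit=5
"""
SAMPLE_MANAGER_PROPERTIES = """\
com.vontu.enforcewebservices.responserules.execution.service.schedule=BY_SCHEDULE
com.vontu.enforcewebservices.responserules.execution.service.startHour=0 0 8 ? * MON-FRI
com.vontu.enforcewebservices.responserules.execution.service.endHour=0 0 18 ? * MON-FRI
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comment lines."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def check_quartz_schedule(expr: str) -> List[str]:
    """Validate a Quartz-style cron string: 6 or 7 whitespace-separated fields (assumed,
    matching the documented default), legal characters only, and exactly one '?' among
    day-of-month and day-of-week, as Quartz requires."""
    fields = expr.split()
    if len(fields) not in (6, 7):
        return [f"{len(fields)} fields, expected 6 or 7 ({', '.join(CRON_FIELDS)})"]
    problems = [f"bad characters in {name} field: {tok!r}"
                for name, tok in zip(CRON_FIELDS, fields) if not CRON_TOKEN.match(tok)]
    if (fields[3] == "?") == (fields[5] == "?"):
        problems.append("exactly one of day-of-month and day-of-week must be '?'")
    return problems


def _positive_int(props: Dict[str, str], key: str, findings: List[str],
                  upper: Optional[int] = None) -> Optional[int]:
    """Require a positive integer at key (optionally <= upper); record a finding otherwise."""
    value = props.get(key)
    if value is None or not value.isdigit() or int(value) < 1:
        findings.append(f"{key}: expected a positive integer, got {value!r}")
        return None
    if upper is not None and int(value) > upper:
        findings.append(f"{key}: {value} exceeds the documented maximum of {upper}")
    return int(value)


def validate_eur_properties(props: Dict[str, str]) -> List[str]:
    """Apply the constraints stated for EndUserRemediation.properties (Table 823)."""
    findings: List[str] = []
    schedule = props.get(EUR + "portal.poller.schedule", "")
    findings += [f"portal.poller.schedule: {p}" for p in check_quartz_schedule(schedule)]
    # The throttle duration and batch size are only consulted when throttling is on.
    if props.get(EUR + "incidentSync.throttle.enabled", "false").lower() == "true":
        _positive_int(props, EUR + "incidentSync.throttle.duration.seconds", findings)
        _positive_int(props, EUR + "incidentSync.throttle.incidents.batchsize", findings)
    _positive_int(props, EUR + "incidentSync.batchSize", findings)
    _positive_int(props, EUR + "incidentFile.maxSize", findings, upper=15)  # MB
    _positive_int(props, EUR + "parallel.config.execution.limit", findings)
    return findings


def validate_manager_properties(props: Dict[str, str]) -> List[str]:
    """Schedule must be Always, BY_SCHEDULE or Never (case-insensitive comparison is an
    assumption); BY_SCHEDULE needs valid startHour and endHour expressions."""
    findings: List[str] = []
    mode = props.get(RRES + "schedule", "Never")
    if mode.upper() not in ("ALWAYS", "BY_SCHEDULE", "NEVER"):
        findings.append(f"schedule: unknown value {mode!r}")
    elif mode.upper() == "BY_SCHEDULE":
        for key in ("startHour", "endHour"):
            findings += [f"{key}: {p}" for p in check_quartz_schedule(props.get(RRES + key, ""))]
    return findings


if __name__ == "__main__":
    checks = (("EndUserRemediation.properties", SAMPLE_EUR_PROPERTIES, validate_eur_properties),
              ("manager.properties", SAMPLE_MANAGER_PROPERTIES, validate_manager_properties))
    for label, text, check in checks:
        print(label, "->", check(parse_properties(text)) or "no findings")
```

Run against the constructed samples, the checker reports the single out-of-range attachment size and passes the manager.properties window. Pointing the same two validators at the real files (read with open() and passed to parse_properties) before restarting Enforce catches the schedule and range mistakes that otherwise only show up as incidents never reaching remediators.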
Configuring End User Remediation Portal Settings

The Enforce Server integrates with the EUR application deployed on the ServiceNow instance. For Enforce to connect
with ServiceNow instance, an OAuth 2.0 authentication scheme is used. These OAuth connection settings are provided in
the End User Remediation Portal Settings section.
1. On the Enforce Server administration console, navigate to System > Settings > General and click Configure. The
Edit General Settings screen is displayed.
2. In the Enforce to End User Remediation Portal Settings section, enter the following values.
• Portal URL: ServiceNow instance URL
• User Name: ServiceNow Integration user name
The ServiceNow Integration user is a ServiceNow user who has the EUR Admin role assigned to them.
• Password: Password of the Integration user account
• Re-enter Password: Re-enter the password for the Integration user account
• Client ID: ServiceNow OAuth Client ID
NOTE
Enter the Client ID and Client Secret values from the ServiceNow instance that were generated while
creating the OAuth client.
See Generating OAuth credentials in ServiceNow.
• Client Secret: ServiceNow OAuth Client secret
• Re-enter Client Secret: Re-enter the ServiceNow OAuth Client secret
3. Click Save.
Currently, only one Enforce Server can be mapped to a single ServiceNow instance to use the EUR functionality. If you have multiple Enforce Server administration consoles, each Enforce Server must be connected to a different ServiceNow instance, and the EUR application must be deployed on each of those ServiceNow instances.
Configuring End User Remediation role for Enforce users

You can configure a role for an Enforce Server administration console user with 'End User Remediation Administration'
privilege to manage the following.
• Incident Configurations
• Remediation Configurations and Execution
1. On the Enforce Server administration console, navigate to the System > Login Management > Roles screen.
2. Click Add Role.
3. The Configure Role screen appears, displaying the following tabs: General, Incident Access, Policy Management,
and Users & Groups.
4. In the General tab:
• Use the User Privileges section to grant user privileges for the role. Under System privileges, select the End User Remediation Administrator option.
5. Click Save.
See Configuring roles.

Viewing the End User Remediation - Incident Configurations

This is the first step to do the EUR configurations in the Enforce Server administration console.
The Manage > End User Remediation > Incident Configurations screen is the home page for adding EUR Incident
Configurations and viewing the configured EUR Incident Configurations. You configure the set of incidents to send for
remediation to end users.
NOTE
By default, out-of-box EUR Incident Configurations are pre-populated by the system for the Discover incident types. You can update these EUR Incident Configurations as per your requirements.
In the Incident Configurations screen, click Send to End User Remediation Portal for the following scenarios.
• To send the newly created remediation actions for each incident type configured to the Symantec DLP End User
Remediation application on ServiceNow.
• To send the updated remediation actions for each incident type configured to the Symantec DLP End User
Remediation application on ServiceNow.
• To send the remediation actions to the new ServiceNow instance if you have updated the End User Remediation Portal
Settings.

Table 824: EUR Incident Configuration screen actions

Add an EUR Incident Configuration: Click New to create a new EUR Incident Configuration.
Modify an EUR Incident Configuration: Click the EUR Incident Configuration name or the edit icon to modify an existing EUR Incident Configuration.
Sort an EUR Incident Configuration: Click any column header to sort the EUR Incident Configuration list.
Remove an EUR Incident Configuration: Click the red X icon at the end of the EUR Incident Configuration row to delete an individual EUR Incident Configuration.

Table 825: EUR Incident Configuration screen display fields

You can sort the following fields by clicking on their column name.

Incident Type: Displays the name of the incident type selected in the EUR Incident Configuration.
Incident Category: Displays the name of the incident category selected in the EUR Incident Configuration.
Incident Details: Displays the incident details, such as the Data Owner of the incident, incident attributes, and so on.
Incident Remediators: Displays the remediator preferences selected in the EUR Incident Configuration.
Response Rules: Displays the response rule actions selected in the EUR Incident Configuration.
Last Modified By: Displays the user name of the user who last updated the EUR Incident Configuration.
Last Modified Date: Displays the date when the EUR Incident Configuration was last updated.

Configuring End User Remediation - Incident Configurations

You need to configure the EUR Incident Configurations to define the type of incidents that you need to send to the
Symantec DLP End User Remediation application on ServiceNow. EUR Incident Configuration also allows you to
configure the following.
• Incident details, such as incident type, incidents attributes, and custom attributes
• Incident remediator preferences
See About remediator preferences.
• Remediation actions (smart response rules that will be available for end users) for each incident type
NOTE
Ensure that you configure an EUR Incident Configuration for each incident type that you need to send to the EUR application for remediation, in addition to including those incidents in the incident report. If there is no EUR Incident Configuration defined for an incident type, incidents of that type are not sent to the EUR application even if they are included in the report.
1. On the Enforce Server administration console, navigate to Manage > End User Remediation > Incident
Configurations.
2. On the Create Incident Configurations page, select the DLP incident category and type from the Incident Category
and Incident Type list boxes.
3. On the Incident Details > Incident Attributes tab, choose the system incident attributes from the Select Incident
Attribute list box and configure a label to be displayed for the attribute in the End User Remediation Portal.
4. On the Incident Details > Custom Attributes tab, choose the custom incident attributes from the Select Custom
Attribute list box and configure a label to be displayed for the attribute in the End User Remediation Portal.
The selected system and custom incident attributes are sent to the EUR application. The remediation email that is sent
to the remediator from ServiceNow to remediate the incident has all these selected incident attributes, file attachment
(if any), along with the response actions.
Refer to the security guidelines for choosing the matches and file attachments. See Security guidelines for selecting
incident attributes when using End User Remediation.
5. On the Remediator Preferences tab, select the incident attributes to identify the remediator from the Available
Remediator Attributes list box and add it to the Selected Remediator Attributes list box. You can configure the
remediator preference order by using the Up and Down arrows in the Selected Remediator Attributes list box.
If you are using Incident Remediator as the remediator, specify the remediator email address on the incident itself: go to
Incidents, select an incident, and on the Incident details page, in the Key Info tab, enter the address in Incident
Remediator Email Address and click Change. See Selecting lookup parameters.
See About remediator preferences.
6. On the Remediator Actions tab, select the applicable response rules to remediate incidents from the End User
Remediation Portal from the Available Smart Response Rules list box and move to the Selected Smart Response
Rules list box.
You can configure, per incident type, which smart response rules are made available to end users to remediate the
incident. These smart response rules are termed 'Remediation Actions'. Only smart response rules are taken into
account as remediation actions. Automated response rules are not considered, because they are executed
automatically.
Ensure that you select at least one smart response rule action for incident remediation. If you do not select any smart
response rule action, then the remediator will not be able to remediate the incident and the incident will expire.
7. Click Save.

After you add the EUR Incident Configurations, you need to send these remediation actions to the Symantec DLP End
User Remediation application on the ServiceNow instance. To send the remediation actions to the application, click
Send to End User Remediation Portal on the Incident Configurations page.
About remediator preferences
Any standard incident attribute or custom attribute whose value is an email address can be selected as the remediator.
Custom attributes can be populated using lookup plugins on the Enforce Server.
Remediator preferences are used to determine the 'remediator' for an incident. The remediator for an incident is defined
on the Enforce Server using standard or custom incident attributes. Only incident attributes of email type can be used as
a remediator preference.
Multiple attributes can be selected as the remediator. When the EUR process is executed, each attribute is evaluated
in the order (top to bottom) configured in the remediator preferences. If an attribute configured in the remediator
preferences has a value available, the 'Incident Remediator Email Address' attribute of the incident is updated with that
value as the remediator. If an attribute has no value available, the next remediator preference attribute in the sequence
is evaluated, and the process continues until an Incident Remediator value is obtained. If none of the configured
remediator preference attributes has a value available for the incident, the incident is marked with the status defined
in the EUR Remediation Configuration and is not sent to the EUR application for remediation.
NOTE
Once the Incident Remediator Email Address attribute of the incident is populated with the remediator
preference, and if you need to update this attribute during the EUR execution process, then you need to
manually update the Incident Remediator Email Address on the Enforce Server.
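The evaluation described above, as an added example that is not part of Symantec's documentation or product code. The attribute names, incident values and the failure status are constructed; the email-format check on each value is an extra safety check that the page does not describe.

```javascript
// Added example (not Symantec's code): models how the Enforce Server walks the
// remediator preferences in configured order and either populates the
// 'Incident Remediator Email Address' or marks the incident with the failure
// status and keeps it out of the EUR sync.

// Ordered remediator preferences (top to bottom), as configured on the
// Remediator Preferences tab. Attribute names are constructed for the example.
var REMEDIATOR_PREFERENCES = ['Data Owner Email', 'Manager Email', 'Sender'];

// Status chosen under "On failure to determine the Incident Remediator" in the
// EUR Remediation Configuration (constructed value).
var NO_REMEDIATOR_STATUS = 'EUR - Remediator Not Found';

// Only email-type attributes may be selected as a preference; this extra check
// (not described on the page) skips values that are not a usable address.
var EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function isEmail(value) {
  return typeof value === 'string' && EMAIL_RE.test(value.trim());
}

// Returns the first preference attribute that has a value, or null when none
// of the configured attributes yields one.
function resolveRemediator(attributes, preferences) {
  for (var i = 0; i < preferences.length; i++) {
    var value = attributes[preferences[i]];
    if (isEmail(value)) {
      return value.trim();
    }
    // Empty or unusable value: fall through to the next preference.
  }
  return null;
}

// Applies the resolution to one incident: either sets the Incident Remediator
// Email Address and marks the incident as sendable, or applies the failure
// status and keeps it out of the EUR application.
function prepareForEur(incident, preferences, failureStatus) {
  var remediator = resolveRemediator(incident.attributes, preferences);
  if (remediator === null) {
    return { id: incident.id, status: failureStatus, sendToEur: false,
             incidentRemediatorEmailAddress: '' };
  }
  return { id: incident.id, status: incident.status, sendToEur: true,
           incidentRemediatorEmailAddress: remediator };
}

// Constructed sample incidents: the first falls through to the second
// preference, the second has no usable value, the third resolves immediately.
var SAMPLE_INCIDENTS = [
  { id: 1001, status: 'New',
    attributes: { 'Data Owner Email': '', 'Manager Email': 'mgr@example.com',
                  'Sender': 'user@example.com' } },
  { id: 1002, status: 'New',
    attributes: { 'Data Owner Email': 'not-an-email', 'Manager Email': '', 'Sender': '' } },
  { id: 1003, status: 'New',
    attributes: { 'Data Owner Email': 'owner@example.com' } }
];

function runSample() {
  return SAMPLE_INCIDENTS.map(function (inc) {
    return prepareForEur(inc, REMEDIATOR_PREFERENCES, NO_REMEDIATOR_STATUS);
  });
}
```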

Viewing the End User Remediation - Remediation Configurations

This is the second step in configuring EUR in the Enforce Server administration console.
The Manage > End User Remediation > Remediation Configurations screen is the home page for adding and viewing
the EUR Remediation Configurations.

Table 826: EUR Remediation Configuration screen actions

Action Description

Add an EUR Remediation Configuration Click New to create a new EUR Remediation Configuration.
Modify an EUR Remediation Configuration Click the EUR Remediation Configuration name or edit icon to
modify an existing EUR Remediation Configuration.
Sort EUR Remediation Configurations Click any column header to sort the EUR Remediation
Configuration list.
Remove an EUR Remediation Configuration You can click the red X icon at the end of the EUR Remediation
Configuration row to delete an individual EUR Remediation
Configuration.
Execute an EUR Remediation Configuration You can click the Execute Now icon in the Actions menu at the
end of the EUR Remediation Configuration row to execute an
individual remediation configuration.
You can execute a remediation configuration manually in the following cases.
• If you have set the schedule to No Regular Schedule
• If you intend to run a remediation action immediately even though
you have configured a schedule for a later time

Stop execution of an EUR Remediation Configuration You can click the Stop Now icon in the Actions menu to stop the
execution of an individual EUR Remediation Configuration.

Table 827: End User Remediation - Remediation Configuration screen display fields

You can sort the following fields by clicking on their column name.
Column Description

Status Displays the following status of the EUR Remediation Configuration as icons.
• Green icon: Specifies the EUR Remediation Configuration is
enabled. Click on the Green icon to disable the EUR
Remediation Configuration.
• Red icon: Specifies the EUR Remediation Configuration is
disabled. Click on the Red icon to enable the EUR
Remediation Configuration.
Name Displays the name of the EUR Remediation Configuration.
Report Displays the name of the incident report selected in the EUR
Remediation Configuration.
Last Execution Displays the day and time when the EUR Remediation
Configuration was last executed.
Next Execution Displays the day and time when the EUR Remediation
Configuration will be next executed. If the remediation
configuration is not scheduled for next execution, then it is
displayed as: "Not Scheduled".
Last Modified By Displays the user name by whom the EUR Remediation
Configuration was last updated.
Execution Status Displays the execution status of the EUR Remediation
Configuration, such as Ready, Executing, Executed, and so on.

Configuring End User Remediation - Remediation Configurations

EUR Remediation Configurations allow you to actually send the incidents for remediation to the EUR application. In
an EUR Remediation Configuration, you do the following.
• Select the incident report that is used to sync incidents to the EUR application
• Set the time interval of syncing the incidents for remediation to the EUR application on ServiceNow
• Set the incident status for different stages of the incident remediation execution result
1. On the Enforce Server administration console, navigate to Manage > End User Remediation > Remediation
Configurations.
2. On the Create New Remediation Configuration page, enter the following:
– Name: Name of the EUR Remediation Configuration
– Description: Description of the EUR Remediation Configuration
– Sync incidents from report: Select a DLP incident report from the list box. Each report can be used to configure
only one EUR Remediation Configuration.
– Schedule: Select an appropriate schedule option from the following options to send new incidents for
remediation to the EUR application on ServiceNow.

Table 828: EUR Remediation Configurations schedule

Schedule Description

No Regular Schedule Save the EUR Remediation Configuration without a schedule.
Once Run the EUR Remediation Configuration one time at the specified
time and date.
Daily Run the EUR Remediation Configuration daily at the specified
start time.
Weekly Run the EUR Remediation Configuration every week on the
specified day of the week and at the specified start time.
Monthly Run the EUR Remediation Configuration every month on the
specified date of the month and at the specified start time.
Custom Run the EUR Remediation Configuration in the specified minutes
or hours.

3. In the Remediation Deadline section, in the Number of days to remediate field, enter the number of days in which
the end user needs to remediate the incidents assigned to them.
If the remediators do not remediate the incidents in the specified days, then the incident is sent back to Enforce from
ServiceNow.
4. In the Change Incident Status section, select the appropriate incident status from the corresponding list box for the
following.
The incident statuses available in these list boxes are defined as described in Configuring the Set Status action.

Table 829: EUR Remediation Configuration - Change Incident Status options

Change Incident Status options Description

After Remediation Deadline expires Select the status that needs to be assigned to the incidents, when
the end users do not take any action till the specified remediation
deadline.
After successfully sent for End User Remediation Select the status that needs to be assigned to the incidents,
when they are successfully sent to the EUR application on the
ServiceNow instance.
On failure to determine the Incident Remediator Select the status that needs to be assigned to the incidents, when
there is a failure in identifying an incident remediator. These
incidents are not sent to the EUR application.
For deleted incidents on End User Remediation Portal Select the status that needs to be assigned to the incidents, when
these incidents are deleted from the EUR application.

5. Click Save.
After the EUR Remediation Configuration is executed on its schedule, an event is generated on the System >
Servers and Detectors > Events page. See Server and Detectors event detail and System events reports.
After the EUR Remediation Configuration is executed successfully, the status of each incident is set to the value
specified in After successfully sent for End User Remediation, as shown in the Status column on the Incidents >
<Incident category> > <Name of the incident report> page. See About endpoint incident lists.

Working with the DLP incidents in ServiceNow

In the ServiceNow console, the EUR Admin can view the following menu options on the EUR application. The EUR
Admin can view all the incidents on the EUR application, including the incidents assigned to them as well as the incidents
assigned to remediators.
However, a user with EUR remediator privileges can view only the incidents assigned to them in the DLP Incidents menu
option.
• Properties
See Configuring the End User Remediation properties
• DLP Incidents
Lists the incidents received for end user remediation. After the incidents are remediated and Enforce and ServiceNow
are synched, this entry is deleted from here. The EUR Admin can do the following on the DLP Incidents menu.
• Remediating incidents using the EUR application
• Reassigning incidents using the EUR application
• Desyncing incidents using the EUR application
The DLP Incidents menu lists the incidents details as described in the following table.

Table 830: ServiceNow - EUR application - DLP Incidents

Column Description

Incident ID Displays the DLP incident ID number that is synched with the EUR
application for remediation.
Incident Type Displays the DLP incident type.
Severity Displays the severity of the incident, such as High (1), Medium (2),
Low (3), or Info (4).
Incident State Displays the current incident status of the incident specified on the
ServiceNow/ Enforce Server.
• New
• Assigned
• Assigned failed
• Reassigned (if the EUR Admin reassigns an incident to
another remediator from ServiceNow)
• Remediator changed (if the DLP administrator reassigns an
incident to another remediator from Enforce)
• Remediated
• Expired
• Deleted
• Closed

Assigned to Displays the name of the remediator to whom the incident is assigned for remediation.
Policy Name Displays the name of the policy against which the incident was
logged.
Remediation End Date Displays the date and time by when the incident needs to be
remediated by the remediator.

Stage Displays the following stages of a workflow for a given incident defined in the remediation workflow for the EUR
application.
• New
• Assignment
• In Progress
• Reassignment
• Processed
• Completed

NOTE
You can search for a particular field by entering the value for the selected field name in the Search field.
• Remediation Actions
Lists the EUR Incident Configurations and their associated response rule actions that are configured on Enforce and
synced with ServiceNow.
• Incident Type
Displays the DLP incident type.
• Response Rule Name
Displays the name of the response rule associated with the policy for which the incident was generated.
• Incident Action Requests
Lists the remediation actions taken by remediators and raises an action request that Enforce polls from
ServiceNow. After the incident is remediated on Enforce, this action request entry, along with the remediated
incident record, is deleted from the EUR application. The incident action requests are stored in the
IncidentActionRequest (x_symct_dlp_eur_incidentactionrequest) table in ServiceNow.

Table 831: Incident Action Requests

Column Description

Request ID Displays the request ID that is generated after the incident is remediated, reassigned, expired, or desynced.
Incident ID Displays the DLP incident ID number that is synched with the EUR
application for remediation.
Incident Type Displays the DLP incident type.
Policy Name Displays the name of the policy against which the incident was
logged.
Action Type Displays the action taken on the incident and displays the action
type, such as Remediated, Desync, Reassigned, and Expired.
Requested By Displays the name of the remediator who has remediated the
incident.

• Customer Support
Lists the customer support information for the EUR application.

Remediating incidents using the EUR application

The End User Remediation feature enables users to remediate an incident through the incident email received, by clicking
the appropriate response action available. However, the EUR Admin can also remediate the incident by logging into
the ServiceNow console.
1. In the ServiceNow console, navigate to Symantec DLP End User Remediation > DLP Incidents, and select the
incident that needs to be remediated.
2. On the DLP Incident page, in the Incident Action section, do the following.
• Select the response rule action from the Incident Action list box.
• Add comments if required in Comments.
NOTE
Currently, after selecting the appropriate incident action, the incident remains in the assigned state and
the incident is not remediated. To resolve this issue, the EUR Admin or end user needs to select the
same end user as specified in the Assigned list box, in the Reassigned To list box too.
3. Click Update.
The incident is remediated and this triggers the remediation path of the incident workflow.

Reassigning incidents using the EUR application

After the incidents are synced to ServiceNow, they can be re-assigned if required. The EUR Admin can log into the
ServiceNow instance and reassign the incident.
1. In the ServiceNow console, navigate to Symantec DLP End User Remediation > DLP Incidents, select the incident
that needs to be reassigned.
2. On the DLP Incident page, in the Reassigned To field, search for the user to whom the incident needs to be
reassigned.
3. Click Update.
The incident is reassigned and this triggers the reassignment path of the incident workflow. Ensure that the reassigned
user has the EUR remediator role. On the ServiceNow instance, the state of the incident is updated to "Reassigned" and
finally to "Assigned".
NOTE
The DLP Administrator can also reassign incidents from the Enforce Server administration console. You
can update the incident remediator field of an incident on the Enforce Server and resync the updated incidents
by executing an EUR Remediation Configuration, either manually or at the next scheduled execution. In the
ServiceNow console, the state of the incident is updated to "Remediator Changed".
Set Incident Remediator. See Incident remediation action commands.
Add remediators through plugins. See Selecting lookup parameters.

Desyncing incidents using the EUR application

If incidents are unintentionally synced to ServiceNow or if incidents are synced to ServiceNow before their respective
remediation actions, then these incidents can be desynced from ServiceNow to the Enforce Server. The EUR Admin can
desync the incidents.
1. In the ServiceNow console, navigate to Symantec DLP End User Remediation > DLP Incidents, select an incident
that needs to be desynced.
NOTE
To desync multiple incidents simultaneously, on the DLP Incident List page, select the check box against
each of the incidents that needs to be desynced and click Desync from the top menu.
2. On the DLP Incident page, click Desync.

When the EUR Admin desyncs the incident, the state of the incident is updated to "Deleted" in ServiceNow and the
desync path of the incident workflow is triggered. The status of the incident on Enforce is updated with the status
configured in the respective EUR Remediation Configuration in the Change Incident Status > For deleted incidents
on End User Remediation Portal field.

Customizations in ServiceNow when using End User Remediation


The ServiceNow administrator can optionally customize the out-of-box workflow and email notification template, if
required.
• About workflows in ServiceNow
– Accessing the workflow in ServiceNow
– Customizing the workflow in ServiceNow
– About requirements for customizing EUR workflows
– About use cases for customizing the workflow in ServiceNow
• About customizing email templates
– Customizing the email content and format in ServiceNow
– Customizing the email layout in ServiceNow
– Customizing the email template in ServiceNow
– Assigning email templates to workflows in ServiceNow

About workflows in ServiceNow

A workflow is a sequence of activities to automate processes in applications. Activities are workflow blocks that perform
different tasks, such as obtaining approvals, sending an email, running scripts, testing conditions, and setting field values
on records. All workflows start with a Begin activity and end execution with an End activity. When an activity completes,
the activity exits through the appropriate node, and the transition is followed to the next activity.
The EUR application provides an out-of-box workflow: DLP Incident Remediation Process Workflow. This workflow is a
sequence of activities to automate and delegate the remediation process of a Data Loss Prevention incident in the EUR
application.

Figure 24: DLP Incident Remediation Process Workflow

The workflow has the following stages for incident remediation in ServiceNow.

Table 832: Stages of DLP Incident Remediation Process Workflow

Workflow Activity Activity Type Workflow Stage Description

Begin Begin New When incidents are synced from the Enforce Server to ServiceNow, a new
workflow is triggered for every incident. A new workflow is triggered when an
incident is inserted into the DLP Incident (x_symct_dlp_eur_dlpincident) table.
Use Default Remediator If block This block checks whether the remediator
specified on the Enforce Server should be
used as the default remediator. If yes, the
workflow moves on to the Incident Owner
Assignment script. Else, the out-of-box
workflow moves to the 'Wait for Condition'
block.

Assign DLP Incident Owner Run Script Assignment Assigns the incident owner. By default,
the remediator specified on the Enforce
Server is assigned as the incident owner.
The assignment is successful if the
user is active and is an authorized user;
having at least the EUR Remediator role.
If the assignment fails, this is updated in
the incident record and workflow moves
to the 'Wait for Condition' block.
DLP Incident Assignment Event Create Event Creates a new event,
x_symct_dlp_eur.incidentAssignment
on the successful incident owner
assignment. This event triggers an email
notification to be sent to the incident
remediator.
Wait Wait for Condition In Progress Any of the following conditions completes the
"Wait for condition" activity.
• Incident state changes to
'Remediated' - When incident owner
remediates the incident.
• Incident state changes to 'Deleted'
- When the EUR Admin desyncs/
deletes the incident.
• Incident state changes to
'Reassigned' - When the EUR Admin
or the remediator re-assigns the
incident.
• Incident state changes to 'Remediator
Changed' - When the DLP
administrator re-assigns the incident
on the Enforce Server and resyncs
the incident to ServiceNow.
• Incident state changes to 'Expired' -
When incident is auto expired after
the incident expiration date.

Is Re-assigned If block This block checks whether the incident state is updated to "Reassigned". If the
incident state is "Reassigned", then the workflow proceeds to process the re-assignment
request. Otherwise the workflow proceeds to the Generate Incident Action Request
script.
Process Re-assignment Run Script Reassignment Re-assigns the incident owner to either
the user specified through ServiceNow or
the Enforce Server.
An incident action request of type
Reassignment is generated, which is
polled by Enforce.
The workflow goes back to the Assign
DLP Incident Owner activity after
remediator is updated.

Generate Incident Action Request Run Script Processed Generates the following types of incident
action request based on the action taken either by the remediator, the EUR Admin, or
the EUR application.
• REMEDIATION - A REMEDIATION
action request contains the details
of the remediation action taken by
the remediator. When this request
is polled on the Enforce Server, it is
mapped to the corresponding smart
response rule which internally gets
executed for the given incident.
• DESYNC - The EUR Admin can
desync incidents from the EUR
application. This incident action
request contains the details
(username and email) of the EUR
Admin, who has triggered the desync
request.
• EXPIRED - A scheduled script
executing on the EUR application
auto updates the state of an incident
as Expired, if the remediation period
of an incident has elapsed. This
triggers an EXPIRED incident action
request.
The state of the incident is updated
to "Closed" indicating that no other
action can be taken on the incident. The
Enforce Server polls these incident action
requests from ServiceNow and the EUR
application proceeds to delete these
incident records from ServiceNow.
End End Completed Completion of a workflow execution. This
is the last activity in a workflow execution.

Accessing the workflow in ServiceNow

The ServiceNow administrator can access the default out-of-box workflow: DLP Incident Remediation Process
Workflow on ServiceNow. This default workflow is already set in the active state and thus it will be triggered for
remediating an incident.
NOTE
Ensure that the ServiceNow administrator has only one active workflow assigned to remediate an incident.
1. In the ServiceNow console, navigate to Workflow > Workflow Editor.
2. Search for DLP Incident Remediation Process Workflow.
3. Click on DLP Incident Remediation Process Workflow.
4. On the DLP Incident Remediation Process Workflow page, ensure that this workflow is active.
By default, it is set to active.
In case it is not active, to activate it, click the Menu (with 3 horizontal lines) on the left-hand side corner and select
Set active.
To set it to inactive, click the Menu (with 3 horizontal lines) on the left-hand side corner and select Set inactive.

NOTE
If the workflow is in inactive state, then it will not be triggered while remediating an incident.
5. Click the Workflow Properties "i" icon on the right-hand-side corner and ensure the following.
– On the Workflow Properties page > Application tab, Symantec DLP End User Remediation is selected in the
Application field. By default, it is selected.
– On the Workflow Properties page > General tab, DLPIncident (x_symct_dlp_eur_dlpincident) is selected in
the Table field. By default, it is selected.
Customizing the workflow in ServiceNow

The following steps customize the out-of-the-box remediation workflow.
1. On ServiceNow, navigate to Workflow > Workflow Editor.
2. Search for DLP Incident Remediation Process Workflow.
3. Click on DLP Incident Remediation Process Workflow.
NOTE
It is recommended that the ServiceNow administrator create a copy of the out-of-box DLP Incident
Remediation Process Workflow and then customize the copy. Do not update the out-of-box workflow directly.
4. On the DLP Incident Remediation Process Workflow page, click Copy and enter an appropriate name for the
customized workflow in the Workflow Name field.
The copy of the workflow opens and it is in the checked out state.
The ServiceNow administrator can edit the workflow in the checked out state.
5. On the Core tab on the right-hand side, the ServiceNow administrator can edit the workflow based on the
requirements of their organization, such as create an event. The ServiceNow administrator needs to perform some
mandatory steps while customizing the workflow. See About requirements for customizing EUR workflows.
6. On the Create Event page, click Submit to save the event.
The newly added event is added in the customized workflow.
7. To save the customized workflow, on the customized workflow page, click Menu (with 3 horizontal lines) on the right-
hand side corner and click Publish.
The customized workflow has the published state. Activate this customized workflow, and deactivate the out-of-the-box
remediation workflow as only one workflow should be active.
NOTE
Because the ServiceNow administrator created a copy of the DLP Incident Remediation Workflow,
the customized workflow can be used in the EUR application directly. The customized workflow
keeps the default settings of the DLP Incident Remediation Workflow, that is, Symantec DLP End User
Remediation and DLPIncident (x_symct_dlp_eur_dlpincident) are selected in the Application and Table
fields.
See Accessing the workflow in ServiceNow.
See About use cases for customizing the remediation workflow in ServiceNow.
About requirements for customizing EUR workflows
Enforce polls data from the IncidentActionRequest (x_symct_dlp_eur_incidentactionrequest) table in ServiceNow to
process an incident. Enforce updates the incident details based on the action type and the action taken recorded in this
table. A customized workflow must always generate these incident action requests, both to complete the workflow
execution of an incident on ServiceNow and to ensure that the result is polled by Enforce. This is achieved by creating
records in the IncidentActionRequest table and populating each record with the required information.
The following incident action types are described along with the IncidentActionRequest record that must be created for
each. The ServiceNow administrator needs to ensure that the required fields are populated for each action type to
generate an incident action request that will be polled by Enforce.

• Remediation Incident Action Request
When an incident is remediated by the remediator (incident state is ‘Remediated’), the incident action type should be set
to REMEDIATION. The value of the ‘u_responserule_id’ column should be the response rule ID of the remediation action
performed, and the value of the ‘u_requested_by’ column is the email address of the remediator.

Table 833: Remediation Incident Action Request

Column Value Required Description

u_dlp_incident <dlp incident id> Yes DLP Incident ID.
u_action_type REMEDIATION Yes
u_requested_by <Remediator email address> Yes Email address of remediator.
u_responserule_id <dlp response rule id> Yes Enforce response rule ID.
RemediationAction table
contains this ID.
u_comment <Remediator comment as mentioned in email> Optional Optional field for a comment from the remediator.
u_reassigned_to_name No
u_reassigned_to_email No

• Reassignment Incident Action Request
In the case of re-assignment (incident state is 'Reassigned'), the action type should be set to REASSIGNMENT.
The other required parameters are the name and email of the user to whom the incident is reassigned
(‘u_reassigned_to_name’ and ‘u_reassigned_to_email’ columns), and the user requesting the re-assignment
(‘u_requested_by’ column). The current user is usually the requesting user.

Table 834: Reassignment Incident Action Request

Column Value Required Description

u_dlp_incident <dlp incident id> Yes DLP Incident ID.
u_action_type REASSIGNMENT Yes
u_requested_by <email of user requesting reassignment> Yes User requesting reassignment of an incident.
u_responserule_id No
u_comment No
u_reassigned_to_name <Reassigned to User Name> Yes Name of the user to whom
the incident is reassigned.
u_reassigned_to_email <Reassigned to User Email> Yes Email address of the user
to whom the incident is
reassigned.

• Expired Incident Action Request
After the scheduled job marks an incident as Expired (incident state is ‘Expired’), the action type should be set
to EXPIRED. Additional parameters are not required for this action type.

Table 835: Expired Incident Action Request

Column Value Required Description

u_dlp_incident <dlp incident id> Yes DLP Incident ID.
u_action_type EXPIRED Yes
u_requested_by No Not required as an incident is
marked as Expired by the EUR
application.
u_responserule_id No
u_comment No
u_reassigned_to_name No
u_reassigned_to_email No

• Desync Incident Action Request
When the EUR Admin desyncs an incident (incident state is ‘Deleted’), the action type should be set to DESYNC. The
email address of the current user, that is, the EUR Admin performing the desync action, is required (‘u_requested_by’
column).

Table 836: Desync Incident Action Request

Column Value Required Description

u_dlp_incident <dlp incident id> Yes DLP Incident ID.
u_action_type DESYNC Yes
u_requested_by <email of EUR Admin requesting desync> Yes Email address of the EUR Admin who is performing the
desync action.
u_responserule_id No
u_comment No
u_reassigned_to_name No
u_reassigned_to_email No

After any incident action request is created, the state of the incident should be updated to ‘Closed’ to ensure no further
action can be taken on the incident.
Refer to the out-of-box workflow for more details. See About workflows in ServiceNow.
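The record-building rules of Tables 833 to 836, together with the final 'Closed' state update, as an added example that is not Symantec's or ServiceNow's code. The record is returned as a plain object so the logic runs anywhere; in a ServiceNow script it would be inserted into the IncidentActionRequest table (for example with GlideRecord), and the incident object and sample values are constructed.

```javascript
// Added example (not Symantec's or ServiceNow's code): validates and builds an
// IncidentActionRequest record for a customized EUR workflow script, following
// the required-field rules in Tables 833 to 836. Sample values are constructed.

var ACTION_REQUEST_TABLE = 'x_symct_dlp_eur_incidentactionrequest';

// Every IncidentActionRequest column listed in the tables above.
var ALL_COLUMNS = ['u_dlp_incident', 'u_action_type', 'u_requested_by',
  'u_responserule_id', 'u_comment', 'u_reassigned_to_name', 'u_reassigned_to_email'];

// Columns required for each action type. u_dlp_incident and u_action_type are
// always required and are handled separately.
var REQUIRED_BY_ACTION = {
  REMEDIATION:  ['u_requested_by', 'u_responserule_id'],
  REASSIGNMENT: ['u_requested_by', 'u_reassigned_to_name', 'u_reassigned_to_email'],
  EXPIRED:      [],
  DESYNC:       ['u_requested_by']
};

// Columns that carry a value for each action type (required plus optional);
// u_comment is the only optional column, and only for REMEDIATION.
var USED_BY_ACTION = {
  REMEDIATION:  ['u_requested_by', 'u_responserule_id', 'u_comment'],
  REASSIGNMENT: ['u_requested_by', 'u_reassigned_to_name', 'u_reassigned_to_email'],
  EXPIRED:      [],
  DESYNC:       ['u_requested_by']
};

function isBlank(v) {
  return v === undefined || v === null || String(v).trim() === '';
}

// Validates the supplied fields for the action type and returns
// { ok, table, record, errors, ignored }. On success, record holds every
// column, with the columns the tables mark as not required left empty;
// ignored lists any supplied column that the action type does not use.
function buildIncidentActionRequest(incidentId, actionType, fields) {
  var errors = [];
  var ignored = [];
  if (!REQUIRED_BY_ACTION.hasOwnProperty(actionType)) {
    return { ok: false, table: ACTION_REQUEST_TABLE, record: null,
             errors: ['unknown action type: ' + actionType], ignored: ignored };
  }
  if (isBlank(incidentId)) {
    errors.push('u_dlp_incident is required');
  }
  REQUIRED_BY_ACTION[actionType].forEach(function (col) {
    if (isBlank(fields[col])) {
      errors.push(col + ' is required for ' + actionType);
    }
  });
  Object.keys(fields).forEach(function (col) {
    if (USED_BY_ACTION[actionType].indexOf(col) === -1 && !isBlank(fields[col])) {
      ignored.push(col);
    }
  });
  if (errors.length > 0) {
    return { ok: false, table: ACTION_REQUEST_TABLE, record: null,
             errors: errors, ignored: ignored };
  }
  var record = {};
  ALL_COLUMNS.forEach(function (col) { record[col] = ''; });
  record.u_dlp_incident = String(incidentId);
  record.u_action_type = actionType;
  USED_BY_ACTION[actionType].forEach(function (col) {
    if (!isBlank(fields[col])) {
      record[col] = String(fields[col]).trim();
    }
  });
  return { ok: true, table: ACTION_REQUEST_TABLE, record: record,
           errors: [], ignored: ignored };
}

// Mirrors the final requirement above: once the action request exists, the
// incident state is set to 'Closed' so that no further action can be taken.
// 'incident' is a constructed stand-in for the DLP Incident record.
function completeIncident(incident, actionType, fields) {
  var result = buildIncidentActionRequest(incident.id, actionType, fields);
  if (!result.ok) {
    return { closed: false, request: null, errors: result.errors };
  }
  incident.state = 'Closed';
  return { closed: true, request: result.record, errors: [] };
}
```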
About use cases for customizing the remediation workflow in ServiceNow
The ServiceNow administrator can customize the out-of-box remediation workflow to suit specific requirements of their
organization. Some of the many use cases that can be solved using End User Remediation are as follows.
• Escalation - Remediation period has expired:
The ServiceNow administrator can define a process in the EUR application to escalate the incident to the assigned
remediator's manager if the remediator does not remediate the assigned incident within a certain period of time (as
defined in the ‘Remediation deadline’ field). The newly assigned remediator is expected to act on the
incident within the Remediation deadline, and the process continues until the incident is remediated.
• Escalation - Out of Office:

1444
The ServiceNow administrator can define workflows in the EUR application such that if the remediator has marked
themselves as Out of Office (OOO) in their email client, then the incident will be automatically assigned and sent
to their manager or any other end user (as defined in the workflow).
This may be achieved by processing the OOO response.
• InfoSec approval for remediation:
NOTE
An InfoSec user can be anyone from the organization, who would review the remediation action performed
by a remediator and either approve or reject the request.
The ServiceNow administrator can define complex workflows in the EUR application based on the approval or rejection
by the InfoSec team member.
For example, when the 1st remediator takes a remediation action on the incident, the InfoSec team can receive
an email with incident details and the action taken. The InfoSec team member will be able to approve or reject the
action taken. If the remediation action taken is approved, then the workflow concludes and the incident closes. If the
remediation action is rejected, the remediator will be reassigned to the manager of the remediator and the workflow
continues.
• Multiple Step Workflow:
The ServiceNow administrator can define workflows in the EUR application to execute multiple steps and depending
on the action taken, notifying the remediation action taken to stakeholders.
For instance, if the 1st remediator marks the incident as ‘Major Exposure’, then a notification should be sent to the
InfoSec team. If the incident is marked as a ‘Minor Exposure’, then a notification should be sent to the Training
department.

About Customizing Email Templates

The EUR application generates an email that contains the details of the incident and sends it to the remediator. This
email is generated using the out-of-box notification provided by the EUR application, DLP Incident Notification. This
notification uses the out-of-box email notification script, layout, and template. The DLP Incident Notification contains
details of the incident that caused the notification and the remediation actions the end user can take.
The email is divided into the following three parts:
• Header: Contains basic incident details, such as the Incident ID and the remediation request expiry date.
• Message Body: Contains the details of the incident.
• Footer: Contains the details required to perform the remediation action, such as the Smart Response rule actions,
listed as links.

The ServiceNow administrator can customize the default email notification template and email layout to modify the color,
font, images; and layout of the incident information.
ServiceNow Components Required for Email Notifications

Figure 25: DLP Notification template components

The ServiceNow components required for the DLP Notification template are as follows:
• Notification: Contains details, such as when to generate a remediation email, whom to send the email, and what
should be the content of the email.
• Email layout: Contains reusable content for the message body of email templates.
Email layout is used to customize the display by customizing the text font, size, and color of the email text. The
notification template HTML contains a style tag at the top. The ServiceNow administrator can modify the CSS styles
present in this tag. This updates the look and feel of the email, but the layout remains the same. The ServiceNow
administrator can also insert images while customizing the display.
Email layout can be used for the following:
• To specify consistent layout such as always displaying a header, body, and footer.
• To display static content on all email notifications, such as a company logo or a background.
• To provide links to common response rule actions.
• To declare inline styles.
• Email template: Contains reusable content for the subject line and message body of email notifications. It is used to
get dynamic content of an incident using scripts.
• Notification email scripts: Contain the notification message content printed from a server-side script. They are
used to display the incident details received from the utility scripts, in the table or paragraph format specified by the
ServiceNow administrator.
For example, the email scripts shipped with the EUR application mask 70% of the Match highlights incident attribute.
This masking percentage can be customized or removed.
NOTE
Beginning with Symantec Data Loss Prevention version 16.0, masking of confidential data can also be
configured on the Enforce Server administrator console. For more information, see Incident Masking
Overview and Setting Up Masking for Roles. If a masking percentage is enabled on both the Enforce
Server administrator console and the EUR application, the greater of the two percentages is applied to
the match highlights sent through the EUR email to the remediator. DLP evaluates the masking configuration
of the user who initiates the EUR Remediation Configuration on the Enforce Server administrator console.
For example, if the masking percentage in the EUR application is left at the default (70%) and masking is
also applied on the Enforce Server administrator console (50%), the matches are 70% masked in the email
received by the remediator.
Masking adds an additional layer of security. The email script can likewise be updated to follow the organization's
policies and requirements.
A notification email script is used to customize the content, such as the incident information and incident details, along
with the display format. The EUR application provides utility scripts to get the incident data for a given incident. To
customize the email, the ServiceNow administrator can create custom email notification scripts that include the EUR
utility scripts. After getting the data with the help of the EUR utility scripts, the ServiceNow administrator can create a
custom email notification template that includes these custom scripts. The ServiceNow administrator can create a layout
as required, such as a plain text layout or a tabular layout, and change colors, fonts, images, and so on.
• Script includes: Contains utility functions and classes that connect with the ServiceNow database to get the required
incident details.
• ServiceNow database: Contains the details of the incidents synced from the Enforce Server.
See Customizing the email content and format in ServiceNow
See Customizing the email layout in ServiceNow
See Customizing the email template in ServiceNow
See Assigning email templates to workflows in ServiceNow
Customizing the Email Content and Format in ServiceNow

The ServiceNow administrator can customize the content (masked, plain text), and format (tabular, and so on) of the
incident details that are displayed in the email sent to the remediator.
To customize the out-of-box email script, perform the following steps.
NOTE
It is recommended that the ServiceNow administrator creates a copy of the out-of-box DLP Incident Email Script
and then customize it. Do not update the out-of-box email script directly.
1. In the ServiceNow console, navigate to System Notification > Email > Notification Email Scripts.
2. Click New.
3. On the Email Script page, enter the following information:
• Name
• Application: Ensure that the ServiceNow administrator selects Symantec DLP End User Remediation from the
list box.
• Script: Use the utility scripts (EURNotificationUtils) provided in the EUR application to get the incident
details. Specify the details of the email script, such as the following:
– The incident attributes to include.
– The masking percentage. The masking percentage defined on the Enforce Server administrator console for
the user initiating the EUR process is also considered, and the greater of the two masking percentages (the
one defined on the Enforce Server administrator console and the one defined in the EUR application) is
applied in the EUR email.
NOTE
Back up the email script before you update the masking percentage.
– The remediation actions that need to be part of the remediation email.
You can specify how the details of the remediation actions are displayed in the email, such as in tabular format or in
paragraph format.
4. Click Submit to save the customized email script.
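The following JavaScript is an added example, not the EUR application's EURNotificationUtils, illustrating the masking described in the note under About Customizing Email Templates and in the Script step above: a configurable share of each match highlight is masked before the email is built, and when both the Enforce Server and the EUR application define a percentage, the higher one is applied. How the masked share is positioned within a match is not specified on this page; the example masks the end of each match and rounds up, which is an assumption, as are the function names and the constructed sample incident.

```javascript
// Added example, not the EUR application's own EURNotificationUtils: mask a
// configurable share of each match highlight before it is rendered into the
// remediation email, and resolve the "greater of the two percentages" rule
// when masking is configured both on the Enforce Server and in the EUR app.
// Assumption of this example: the masked share is taken from the end of the
// match and rounded up, so a short match is never shown in full.

const MASK_CHAR = '*';

// Reject non-numeric input and clamp to the 0..100 range.
function normalizePercent(pct) {
  if (typeof pct !== 'number' || Number.isNaN(pct)) {
    throw new TypeError('masking percentage must be a number');
  }
  return Math.min(100, Math.max(0, pct));
}

// Percentage that applies when both sides define one: the higher wins.
function effectiveMaskPercent(enforcePct, eurPct) {
  return Math.max(normalizePercent(enforcePct), normalizePercent(eurPct));
}

// Mask one match. Works on code points so a multi-byte character is never
// split in half.
function maskMatch(match, pct) {
  const chars = Array.from(String(match));
  const maskedLen = Math.ceil(chars.length * normalizePercent(pct) / 100);
  const visible = chars.slice(0, chars.length - maskedLen).join('');
  return visible + MASK_CHAR.repeat(maskedLen);
}

// Mask every match highlight of an incident and record the percentage used,
// so the email script can state how much of each match was hidden.
function maskIncidentMatches(incident, enforcePct, eurPct) {
  const pct = effectiveMaskPercent(enforcePct, eurPct);
  return {
    incidentId: incident.incidentId,
    maskPercent: pct,
    matches: incident.matches.map(m => maskMatch(m, pct)),
  };
}

// Constructed sample incident (not real data): a card-number-like match and an
// address-like match.
const SAMPLE_INCIDENT = {
  incidentId: 12345,
  matches: ['4111111111111111', 'john.doe@example.com'],
};

// Enforce Server at 50%, EUR application left at its default 70%: 70% applies.
const MASKED_SAMPLE = maskIncidentMatches(SAMPLE_INCIDENT, 50, 70);
```

Because the masking runs before the notification is generated, the remediator's mailbox never holds the full match, which is the property the security guidelines later in this chapter rely on; rounding up means a two-character match at 70% is masked entirely rather than leaving one character visible.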
Customizing the email layout in ServiceNow

The ServiceNow administrator can customize the look and feel of the email body, such as adding a logo or updating
content, by using CSS styles.
To customize the out-of-box email layout, perform the following steps.

NOTE
It is recommended that the ServiceNow administrator creates a copy of the out-of-box DLP Incident Email
Layout and then customizes it. Do not update the out-of-box email layout directly.
1. In the ServiceNow console, navigate to System Policy > Email > Layouts.
2. Click New.
3. On the Email Layout page, enter the following:
– Name
– Application: Ensure that the ServiceNow administrator selects Symantec DLP End User Remediation from the
list box.
– Layout: Specify the details of the email layout, such as the theme to be used in the remediation email for the
organization. The theme can comprise a specific set of colors, fonts, the company logo, and so on. Click the
Source Code menu option to edit the HTML source code.
4. Click Submit to save the customized email layout.
Customizing the email template in ServiceNow

The ServiceNow administrator can customize the email template, which combines the email layout and the email script,
that is, the format and the content of the email.
To customize the out-of-box email template, perform the following steps.
NOTE
It is recommended that the ServiceNow administrator creates a copy of the out-of-box DLP Incident Email
Template and then customizes it. Do not update the out-of-box email template directly.
1. In the ServiceNow console, navigate to System Notification > Email > Templates.
2. Click New.
3. On the Email Template page, enter the following:
– Name
– Table: Ensure that the ServiceNow administrator selects DLPIncident (x_symct_dlp_eur_dlpincident) from the
list box.
– Email layout: Select the default DLP Email Notification layout or the customized email layout.
See Customizing the email layout in ServiceNow.
– Message HTML: Copy the default email script details, or use customized email script details, to get the dynamic
content of an incident through the scripts.
See Customizing the email content and format in ServiceNow.
4. Click Submit to save the customized email template.
Assigning email templates to workflows in ServiceNow

Email templates are assigned to email notifications, which are in turn mapped to workflow events. When a workflow
event is triggered, it triggers the email notification.
The ServiceNow administrator can update the default DLP Incident Notification and add the default or a customized
Notification Email Template as required. The Notification Email Template can in turn have the default or a customized
DLP Notification Email Layout and DLP Notification Email Scripts attached to it.
1. In the ServiceNow console, navigate to System Notification > Email > Notifications.
2. On the Notifications page, search for DLP.
3. Click DLP Incident Notification.
4. On the Notification - DLP Incident Notification page, on the What it will contain tab, enter the following:
– Email template: Select the customized email template from the list box.
See Customizing the email template in ServiceNow.
5. Click Preview Notification to view the updates made in the DLP Incident Notification.
6. Click Update to save the changes.

Security guidelines for selecting incident attributes when using End User
Remediation
The DLP data sent to ServiceNow is extremely sensitive. Symantec recommends that ServiceNow administrators configure
the security controls ServiceNow provides to protect sensitive DLP data. DLP incident attributes, such as attachments and
match highlights, are sent by ServiceNow through email to incident remediators. As a result, it is important to configure
security controls in ServiceNow to protect this information.
The overall security of the file attachments and match highlights depends on the secure configuration of the ServiceNow
instance. Follow the security practices established by your organization. Additionally, Symantec recommends the
following:
• Disable the email attachment option on the Enforce Server. This prevents attachments with sensitive content from
being sent through email.
To disable the email attachment option, on the End User Remediation - Incident Configuration page, do not select
the File attribute for an incident attribute.
• Disable the matches option on the Enforce Server.
To disable the matches option, on the End User Remediation - Incident Configuration page, do not select the
Matches attribute for an incident attribute.
• Enable the database encryption option on ServiceNow. See Security aspects in ServiceNow.
Consult the official documentation of your ServiceNow release for authoritative information on the security levels
offered by ServiceNow.
• Enable TLS for ServiceNow emails. This is effective only if the receiving MTA (on the customer side) enforces TLS
rather than treating TLS as optional; with opportunistic TLS, a message can still fall back to plaintext delivery.
Otherwise, the ServiceNow administrator needs to configure the email server appropriately on ServiceNow.
• Consider using Symantec CloudSOC CASB to scan the audit logs.
• Consider implementing Symantec DLP Endpoint Agents to monitor the remediator endpoints.
• Consider integrating Data Loss Prevention with Microsoft Information Protection to protect sensitive data in the user
email inbox.

Security Aspects in ServiceNow

The following figure shows the three levels of security controls offered by ServiceNow to protect the confidentiality,
integrity, and availability of data.

Figure 26: Levels of security in ServiceNow

• Database level
Database encryption protects all the data with symmetric AES-256 encryption. By default, the data stored on the
ServiceNow platform is not encrypted. Symantec recommends that the ServiceNow administrator enables database
level encryption for the ServiceNow database. The ServiceNow administrator needs to have ServiceNow activate
Database Encryption for the instances running in the ServiceNow environment. The service is chargeable; contact
ServiceNow to enable it, as the ServiceNow console does not provide an option to enable database encryption.
Similarly, the ServiceNow administrator can have database encryption disabled as required.
• Application level
The ServiceNow administrator can restrict access to the application data by implementing role-based access controls.
The roles control access to features and capabilities in the EUR application and its modules. The roles are user,
remediator, and admin. Any user who is not associated with one of these roles has no access to the End User
Remediation functionality: they can neither receive EUR emails nor perform any remediation action.
• Attribute level
Attribute level security is achieved by masking the match information that is configured to be sent to remediators
through email. Currently, only the match highlights attribute is masked, at 70% by default. The masking percentage
can be increased or decreased in the EUR application based on the organization's policy. In addition to the attribute
level masking in the EUR application, DLP can mask the confidential data before it is sent to the EUR application, so
that the incident attribute data is already masked when it reaches ServiceNow. If a masking percentage is defined in
both the Enforce Server administrator console and the EUR application, the higher masking percentage is applied to
the match highlights. This ensures that the sensitive information is never fully visible in the end user's mailbox, which
limits the exposure if the end user forwards or otherwise distributes the email.
NOTE
The EUR application resources cannot be accessed by other applications installed on ServiceNow.

About Troubleshooting Incidents
You can view the incident details for troubleshooting on the Enforce Server and in the ServiceNow console.
Data Loss Prevention Enforce Server-side troubleshooting
For troubleshooting of the incidents, the DLP administrator can view the incident details on the Enforce Server
administration console as follows:
• Incident history
See Incident history .
• Events > System Events
See Server and Detectors event detail and System events reports.
• On the Enforce Server,
– Remediation Configuration Execution Logging
This lets DLP administrators troubleshoot EUR Remediation Configuration issues or errors without going through
the manager logs. The log file name is generated dynamically from the EUR Remediation Configuration name.
The path of this log file is:
C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\logs\debug\eur_configuration_<Remediation_Configuration_Name>.log
The logging details are configurable through the properties specified in the ManagerLogging.properties file
available under the "<Protect installation path>/config" folder.
To change the log settings, update the ManagerLogging.properties file. For the finest log level, set the
following property:
com.vontu.manager.enduserremediation.logging.EURConfigurationExecutionLogHandler.level = FINEST
– Incident Action Request Poller Operational Logging
The incident action request poller job writes its operational logging to the file "eur_operational.log" under the
folder used for logs.
The path of this log file is:
C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\logs\eur_operational.log
The logging detail is configurable through the properties specified in the ManagerLogging.properties file
available under the "<Protect installation path>/config" folder.
To change the log settings, update the ManagerLogging.properties file. For the finest log level, set the
following property:
com.vontu.manager.enduserremediation.logging.EURLogHandler.level = FINEST
ServiceNow-side troubleshooting
For troubleshooting of the incidents, the ServiceNow administrator can view the incident details on the ServiceNow
instance as follows:
• Application logs
The EUR application logging is done at the ServiceNow system level. These logs contain the log statements of all the
applications installed on the ServiceNow instance. To view EUR specific information log statements, the App Logs
have to be filtered by App Scope for 'Symantec DLP End User Remediation'.
In the ServiceNow console, navigate to System Logs > System Log > Application Logs.
• Through the Workflow context
a. In the ServiceNow console, navigate to Workflow > Workflow Editor.
b. Search for DLP Incident Remediation Process Workflow.
c. Click DLP Incident Remediation Process Workflow.
d. On the DLP Incident Remediation Process Workflow page, click the menu (three horizontal lines) in the left-
hand corner and select Show Contexts.
e. On the Contexts page, click the appropriate incident.
• Email logs
The ServiceNow administrator can view the outbound and inbound email logs.
In the ServiceNow console, navigate to System Logs > Emails.
• Error logs
The ServiceNow administrator can view the error logs.
In the ServiceNow console, navigate to System Logs > System Log > Errors.

Troubleshooting incidents

The following scenarios explain the general steps for tracing an incident.
• Incidents are synced from the Enforce Server to ServiceNow, but the assignment fails in ServiceNow
– Verify if the last EUR Remediation Configuration ran successfully and there is no warning symbol visible on last
execution.
– Check the system events for any error. In case of error, check logs on the Enforce Server.
– Verify the status of the incidents in the report.
– Verify whether the synced incidents are assigned to an appropriate user. If not, the incident would be updated with
the status: Assignment Failed. Check workflow contexts for the exact cause.
• The remediator does not receive a remediation email from the EUR application
– Verify if the last EUR Remediation Configuration ran successfully and there is no warning symbol visible on last
execution.
– Check the system events for any error. In case of error, check logs on the Enforce Server.
– Verify the status of the incidents in the report.
– Verify whether the synced incidents are assigned to an appropriate user.
– If the incident is assigned to the appropriate user, verify email sending property on ServiceNow under Email
Outbound Configuration in Email Properties.
– Check the email logs for the status of the email, or error if any.
The following table describes how the DLP administrator or the EUR Admin can trace incidents and troubleshoot
the End User Remediation flow on the Enforce Server and ServiceNow.

Table 837: Troubleshooting incidents

1. Enforce Server
Error: EUR Remediation Configuration fails to execute (warning symbol is visible on last execution).
Possible reason: Integration user does not have the EUR Admin role assigned.
Possible resolution: Check if the Integration user has the EUR Admin role privileges. Syncing of incidents is allowed
only if the integration user is authorized, that is, has the EUR Admin role privileges assigned.
2. Enforce Server
Error: Incident state on ServiceNow gets updated after remediation, but it is not reflected on the Enforce Server.
Possible reason: The Enforce Server may not have been configured to execute the scheduled Response Rule Execution
Service.
Possible resolution: Set the following property in the Manager.properties file: com.vontu.enforcewebservices
3. ServiceNow
Error: Incidents are synced to ServiceNow, but emails have not been sent.
Possible reason: Email sending on ServiceNow is not enabled.
Possible resolution: Enable email sending on ServiceNow under Email Outbound Configuration in Email Properties.
4. ServiceNow
Error: Remediation emails are on ServiceNow, but neither the state of the incident nor the workflow stage is updated.
Possible reasons:
• User does not have the required authorization
• User is locked out
• Watermarks in the email could have been tampered with
Possible resolutions:
• Check the roles assigned to the user. The user should have the EUR Remediator role assigned.
• Check if the user is locked out of the ServiceNow instance.
• Check if the watermarks in the email have been tampered with by comparing those in the emails sent to and
received by the remediator.

Performance guidelines for End User Remediation


The performance for End User Remediation depends on several factors:
• Network performance
• ServiceNow latency
• The number of cores and memory on Enforce
See System requirements and recommendations
• Active load on Enforce
Follow these guidelines to ensure optimal End User Remediation performance.
• Symantec recommends using the default incident batch size of 100. However, the incident batch size is configurable.
See Configuring End User Remediation properties in ServiceNow.
• Execute multiple EUR Remediation Configurations to achieve parallelism.
If EURRestCommunicationException appears in the eur_configuration_<Remediation_Configuration_Name>.log
file, enable throttling in the EndUserRemediation.properties file.
See Configuring EUR incident sync between Enforce and ServiceNow.
• Schedule the EUR Remediation Configuration execution for DAR incidents for times when the load on Enforce is
comparatively low.
• Prioritize the incident reports that need to be sent to the EUR application and schedule EUR Remediation
Configurations accordingly.
• Ensure that the reports are configured properly; for example, use the report filters to narrow the list of incidents.

About partial incident batch sync


Incidents are synced from Enforce to ServiceNow in batches, and a particular batch may fail when the batch size is
increased beyond the recommended limit. In this scenario, some of the incidents in the batch may already have been
synced to ServiceNow, while on Enforce the whole batch is marked as failed. As a result, for the synced incidents, the
end user receives the remediation email from ServiceNow. Once the end user remediates these incidents, the action
requests for them are generated on ServiceNow, but Enforce ignores them when it polls, since the batch is recorded
as failed.
To resolve this issue, the DLP administrator needs to resync these incidents by including them in another report for
remediation. The end user receives another email to remediate these incidents and must remediate them again.

Executing Smart response rules


When you execute a response rule that sends an email, you can manually compose the contents of the email notification.
NOTE
Sending an email notification to the sender applies to SMTP incidents only. Also, the notification addressees
that are based on custom attributes (such as "manager email") work correctly only if populated by the attribute
lookup plug-in.
To compose an email notification response
1. Optionally, enter the addresses to copy in the CC field.
2. Select the language.
3. Compose or edit the subject and body of the email.
4. Insert variables for the fields in the incident. The supported variables appear as links to the right of the editable fields.
For example, if you want to include the policy and rules violated, you might enter:
A message has violated the following rules in $POLICY$:
$RULES$

5. Click OK to send the notification.
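The substitution performed in step 4, as an added example rather than the Enforce Server's own routine: variables of the form $NAME$ are replaced with incident fields, unresolved names are left in place and reported so that a typo in a template is visible, and when the target is an HTML template (Message HTML) the values are HTML-escaped. The escaping is a practice added here, not a behaviour the page describes: fields such as the subject and sender come from the monitored message and are therefore attacker-controlled. The page's example uses $RULES$ while the general variables list has $POLICY_RULES$; the code accepts both, which is an assumption, as are the function names and the constructed sample incident.

```javascript
// Added example: rendering response-rule variables such as $POLICY$ and
// $RULES$ into a notification body. Illustrative code, not the Enforce
// Server's own substitution routine. Assumptions: variables are delimited by
// single dollar signs, unresolved variables are left in place and reported,
// $RULES$ is treated as an alias of $POLICY_RULES$, and values are
// HTML-escaped when the target is an HTML email.

const VARIABLE_PATTERN = /\$([A-Z][A-Z0-9_]*)\$/g;

// Minimal HTML escaping; '&' must be handled first.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Map a variable name to an incident field. A missing field yields undefined,
// which the renderer treats as "unresolved".
function variableValue(name, incident) {
  switch (name) {
    case 'POLICY': return incident.policy;
    case 'RULES':
    case 'POLICY_RULES': return incident.rules && incident.rules.join(', ');
    case 'INCIDENT_ID': return incident.id;
    case 'SEVERITY': return incident.severity;
    case 'SENDER': return incident.sender;
    case 'SUBJECT': return incident.subject;
    case 'RECIPIENTS': return incident.recipients && incident.recipients.join(', ');
    case 'MATCH_COUNT': return incident.matchCount;
    default: return undefined;
  }
}

// Render a template. Returns the text and the list of variables that could
// not be resolved, so a template author can spot a misspelled name.
function renderTemplate(template, incident, { html = false } = {}) {
  const unresolved = [];
  const text = template.replace(VARIABLE_PATTERN, (token, name) => {
    const value = variableValue(name, incident);
    if (value === undefined) {
      unresolved.push(name);
      return token; // leave the placeholder visible rather than emitting ""
    }
    return html ? escapeHtml(value) : String(value);
  });
  return { text, unresolved };
}

// Constructed sample incident (not real data); the subject deliberately
// carries markup, as the subject of a monitored message could.
const SAMPLE_INCIDENT = {
  id: 10042,
  policy: 'PCI-DSS',
  rules: ['Credit Card Numbers', 'Track Data'],
  severity: 'High',
  sender: 'alice@example.com',
  subject: 'Q3 report <img src=x onerror=alert(1)>',
  recipients: ['bob@example.org'],
  matchCount: 3,
};

const PAGE_TEMPLATE = 'A message has violated the following rules in $POLICY$:\n$RULES$';
```

Rendering PAGE_TEMPLATE against SAMPLE_INCIDENT yields the text from step 4 with the policy and rule names filled in; rendering $SUBJECT$ with the html option escapes the markup so that the notification body does not carry the monitored message's HTML into the recipient's mail client.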

About incident remediation


Response action variables

Incident remediation action commands


In an incident list, use the Incident Actions drop-down to select remediation actions.

The following incident actions are available for an incident list:

Add Note: Add a brief note to the selected incident(s). The comment appears on the Incident History tab of the
Incident Snapshot page for each selected incident. The limit for the Add Note field is 4000 bytes.
Delete Incidents: Delete the selected incident(s) from the Symantec Data Loss Prevention system.
Proceed cautiously when deleting incidents. All data that is associated with the incident(s) is removed. This operation
cannot be reversed.
Export Selected: CSV: Export the selected incident(s) to a comma-separated (.csv) file.
Export Selected: XML: Export the selected incident(s) to an XML file.
Hide/Unhide: Select one of the following incident hiding actions to set the hidden state for the selected incidents:
• Hide Incidents: Flags the selected incidents as archived.
• Unhide Incidents: Restores the selected incidents to the non-archived state.
• Do Not Hide: Prevents the selected incidents from being archived.
• Allow Hiding: Allows the selected incidents to be archived.
See About incident hiding.
Lookup Attributes: Use the configured lookup plug-ins to look up the configured attributes.
Set Attributes: Display the Set Attributes page so you can enter or edit the attribute values for the selected
incident(s).
Set Data Owner: Set the following Data Owner attributes:
• Name
• Email Address
Set Incident Remediator: Set the following Incident Remediator attributes:
• Name
• Email Address
Set Severity: Change the severity that is set for the selected incident(s) to one of the options under Set Severity.
Set Status: Change the status of the selected incident(s) to one of the options under Set Status. A system
administrator can customize the options that appear on this list on the Incident Attributes page.
See About incident status attributes.
Run Smart Response: Perform one of the listed responses on the selected incident(s). When you click a response rule,
the Execute Response Rule page appears.
These manual response rules are available only if you have permission to remediate.

About incident remediation

Response action variables


Response action variables can be used in response rules.
Executing Smart response rules
The response action variables vary by incident type.
General incident variables
Endpoint incident variables
Network Monitor and Network Prevent incident variables
Discover incident variables

General incident variables
The following general variables are available for all incident types:

$APPLICATION_NAME$: The name of the application that is associated with the incident.
$ATTACHMENT_FILENAME$: The name of the attached file.
$BLOCKED$: Whether Symantec Data Loss Prevention blocked the message (yes or no).
$DESTINATION_IP$: The destination IP address.
$INCIDENT_ID$: The unique identifier of the incident.
$INCIDENT_SNAPSHOT$: The fully qualified URL to the incident snapshot page for the incident.
$MATCH_COUNT$: The incident match count.
$MATCHING_RECIPIENT_DOMAINS$: For policies that use recipient pattern type rules, the domains of the users that
matched the recipient rule for email-based activities. This variable is not applicable to other types of user activities,
such as file uploads, copying files to network shares, and so on.
$OCCURED_ON$: The date on which the incident occurred. This date may differ from the date the incident was reported.
$POLICY$: The name of the policy that was violated.
$POLICY_RULES$: A comma-separated list of one or more policy rules that were violated.
$PROTOCOL$: The protocol, device type, and target type of the incident, where applicable.
$RECIPIENTS$: A comma-separated list of one or more message recipients.
$REPORTED_ON$: The date on which the incident was reported.
$MONITOR_NAME$: The detection server or cloud detector that created the incident.
$SENDER$: The message sender.
$SEVERITY$: The severity that is assigned to the incident.
$STATUS$: The remediation status of the incident.
$SUBJECT$: The subject of the message.
$URL$: The file path or location.

Network Monitor and Network Prevent incident variables

The following Network Monitor and Network Prevent variables are available:

$DATAOWNER_NAME$: The person responsible for remediating the incident. This field must be set manually, or with
one of the lookup plug-ins. Reports can automatically be sent to the data owner for remediation.
$DATAOWNER_EMAIL$: The email address of the person responsible for remediating the incident. This field must be
set manually, or with one of the lookup plug-ins.

Discover incident variables
The following Network Discover and Network Protect incident variables are available:

$DATAOWNER_NAME$: The person responsible for remediating the incident. This field must be set manually, or with
one of the lookup plug-ins. Reports can automatically be sent to the data owner for remediation.
$DATAOWNER_EMAIL$: The email address of the person responsible for remediating the incident. This field must be
set manually, or with one of the lookup plug-ins.
$ENDPOINT_MACHINE$: The name of the endpoint computer that generated the violation.
$PATH$: The full path to the file in which the incident was found.
$FILE_NAME$: The name of the file in which the incident was found.
$PARENT_PATH$: The path to the parent directory of the file in which the incident was found.
$QUARANTINE_PARENT_PATH$: The path to the parent directory in which the file was quarantined.
$SCAN_DATE$: The date of the scan that found the incident.
$TARGET$: The name of the target in which the incident was found.

Endpoint incident variables

The following Endpoint incident variables are available:

$APPLICATION_USER$: The name of the application user.
$DATAOWNER_NAME$: The person responsible for remediating the incident. This field must be set manually, or with
one of the lookup plug-ins. Reports can automatically be sent to the data owner for remediation.
$DATAOWNER_EMAIL$: The email address of the person responsible for remediating the incident. This field can be
set manually, or with one of the lookup plug-ins.
$ENDPOINT_LOCATION$: The location of the endpoint computer.
$ENDPOINT_MACHINE$: The name of the endpoint computer that generated the violation.
$ENDPOINT_USER_NAME$: The name of the endpoint user.
$MACHINE_IP$: The corporate IP address of the endpoint computer.
$USER_JUSTIFICATION$: The justification that was provided by the endpoint user.

Application incident variables

The following Application incident variables are available:

$DATAOWNER_NAME$: The person responsible for remediating the incident. This field must be set manually. Reports
can automatically be sent to the data owner for remediation.
$DATAOWNER_EMAIL$: The email address of the person responsible for remediating the incident. This field must be
set manually.

Remediating Network incidents


This content includes the following topics:

• Network incident list
• Network incident list—Actions
• Network incident list—Columns
• Network Incident Snapshots
• Network incident snapshot—Heading and navigation
• Network Incident Snapshot—General Information
• Network incident snapshot—Matches
• Network incident snapshot—Attributes
• Network summary report

Network incident list


A network incident list shows multiple network incident records with information about the incident such as: the severity,
associated policy, number of matches, and status of the incident. Click a row of the incident list to view more details about
a specific incident. Select specific incidents (or groups of incidents) to modify or remediate by clicking the check boxes at
the left.
Network incidents include incidents from Network Monitor and Network Prevent, as well as Symantec WSS incidents
generated by the Symantec Cloud Detection Service for WSS.
When IPv6 addresses appear in reports, they follow these rules:
• Addresses are normalized in the Source IP and Destination IP fields.
• In the Recipient (URL) fields, addresses are represented as they have been provided, which is usually a hostname
and varies by protocol.
• In the Sender fields, representation of addresses varies by protocol.
• Normalized fields are used for IP-based filtering.
When IPv6 addresses appear in incident list filters, they follow these rules:
• Addresses are normalized in the Source IP and Destination IP fields.
• In the Recipient (URL) field, addresses are represented as they have been provided in the Recipient (URL), Domain,
and Sender fields.
• Normalized fields are used for IP-based filtering.
When IPv6 addresses appear in incident details, they follow these rules:
• Addresses are normalized in the Source IP and Destination IP fields.
• In the Recipient (URL) field, addresses are represented as they have been provided.
• In the Sender field, addresses are represented as they have been provided.
• Links to filtered lists behave like user input.
You can view normalized IPv6 addresses in an incident summary:
• Addresses are summarized by the Source IP, Destination IP, Sender, and Domain fields.
• Normalization occurs for fields as it does in the incident details.
You can view non-normalized IPv6 addresses in an incident summary:
• Addresses are summarized by the Source IP, Destination IP, Sender, and Domain fields.
• Normalization occurs for fields as it does in the incident details.
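The rules above distinguish the normalized fields (Source IP, Destination IP), where filtering compares canonical address forms, from the as-provided fields (Recipient (URL), Sender), where the value is compared exactly as it was captured. The following added example (not code from the product or its documentation) illustrates the consequence for filtering: the incident rows are constructed sample data, and the field names `source_ip` and `recipient` are assumptions for the illustration.

```python
import ipaddress
from typing import Optional

# Constructed sample incident rows (not DLP data): one IPv6 host written in
# several textual forms, an IPv4 source, and Recipient (URL) values as provided.
SAMPLE_INCIDENTS = [
    {"id": 1, "source_ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "recipient": "mail.example.test"},
    {"id": 2, "source_ip": "2001:db8::1", "recipient": "[2001:DB8::1]"},
    {"id": 3, "source_ip": "2001:DB8:0:0:0:0:0:1", "recipient": "2001:db8::1"},
    {"id": 4, "source_ip": "2001:db8::2", "recipient": "mail.example.test"},
    {"id": 5, "source_ip": "192.0.2.10", "recipient": "ftp.example.test"},
]


def normalize_ip(value: str) -> Optional[str]:
    """Return the canonical text form of an IPv4 or IPv6 address (lower-case,
    runs of zero groups compressed), or None when the value is not a bare
    address. Hostnames fall through as None: they belong to the non-normalized
    fields and are never rewritten."""
    candidate = value.strip()
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]  # bracketed literal, as IPv6 appears in URLs
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def filter_by_source_ip(incidents, user_input: str):
    """Filter on the normalized Source IP field. The filter value is normalized
    the same way, so 2001:DB8::1 and 2001:0db8::0001 select the same rows."""
    wanted = normalize_ip(user_input)
    if wanted is None:
        raise ValueError(f"not an IP address: {user_input!r}")
    return [row["id"] for row in incidents if normalize_ip(row["source_ip"]) == wanted]


def filter_by_recipient(incidents, user_input: str):
    """The Recipient (URL) field is compared as provided, not normalized: two
    spellings of the same IPv6 literal are different values in this field."""
    return [row["id"] for row in incidents if row["recipient"] == user_input]
```

Running `filter_by_source_ip(SAMPLE_INCIDENTS, "2001:DB8::1")` returns rows 1, 2 and 3, while `filter_by_recipient(SAMPLE_INCIDENTS, "2001:db8::1")` returns only row 3: a filter on an as-provided field must use the exact spelling that was captured.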
NOTE
Use caution when you click Select All. This action selects all incidents in the report (not only those on the
current page). Any incident command you subsequently apply affects all incidents. To select only the incidents
on the current page, select the checkbox at top left of the incident list.

Incident information is divided into several columns. Click any column header to sort alpha-numerically by that column's
data. To sort in reverse order, click the column header a second time. By default, Symantec Data Loss Prevention sorts
incidents by date.
The Type column shows the icons that indicate the type of network incident. Table 838 (Type of network incident) describes the icons.

Table 838: Type of network incident

Icon Description

SMTP
The addition of the second icon indicates a message attachment.

HTTP
Symantec Data Loss Prevention also detects the Yahoo and MSN
IM traffic that is tunneled through HTTP.
The addition of the second icon indicates an attachment to Web-
based email.
HTTPS

FTP

NNTP

IM:MSN

IM:AIM

IM:Yahoo

TCP:custom_protocol

This column also indicates whether the communication was blocked or altered. Table 839 (Incident block or altered status) shows the
possible values.

Table 839: Incident block or altered status

Icon Description

No icon. Blank if the communication was not blocked.


Indicates Symantec Data Loss Prevention blocked the
communication containing the matched text.
Indicates Symantec Data Loss Prevention removed confidential
data from Web postings or Web-based email messages. This
icon can also indicate that a file was uploaded to a Web site or
attached to a Web-based email message.
Indicates that Symantec Data Loss Prevention added or modified
the headers on the message that generated the incident.

Use the following links to learn more about the Network incident list page:

To learn more about See this section

Columns of the incident list table Network incident list—Columns


Actions to perform on selected incidents Network incident list—Actions
Details of a specific incident Network Incident Snapshots
Viewing a summary of all network incidents Network summary report
Common features of all Symantec Data Loss Prevention reports

Network incident list—Actions


You can select one or more incidents and then remediate them using commands in the Incident Actions drop-down list.
The incident commands are as follows:

Action Description

Add Note Select to open a dialog box, type a comment, and then click OK.
Hide/Unhide Select one of the following archive actions to set the archive state
for the selected incidents:
• Hide Incidents—Flags the selected incidents as archived.
• Unhide Incidents—Restores the selected incidents to the
non-archived state.
• Do Not Hide—Prevents the selected incidents from being
archived.
• Allow Hiding—Allows the selected incidents to be archived.
Delete Incidents Select to delete specified incidents.
Export Selected: CSV Select to save specified incidents in a comma-separated text (.csv) file, which can be displayed in several common
applications, such as Microsoft Excel.
Export Selected: XML Select to save specified incidents in an XML file.
Lookup Attributes Use lookup plug-ins to look up incident custom attributes.
Run Smart Response Select to run a Smart Response rule that you or your administrator
configured. (To configure a Smart Response rule, navigate to
Policy > Response Rules, click Add Response Rule, and select
Smart Response.)
Set Attributes Select to set attributes for the selected incidents.
Set Data Owner Set the data owner name or email address. The data owner is the
person responsible for remediating the incident.
Reports can automatically be sent to the data owner for
remediation.
Set Incident Remediator Set the incident remediator name or email address. The incident
remediator is the person responsible for remediating the incident
using End User Remediation.
The EUR application sends an email to the incident remediator for
remediation.
See About End User Remediation.
Set Severity Select to set severity.
Set Status Select to set status.

Network incident list—Columns
Incident information is divided into several columns. Click any column header to sort alpha-numerically by that column's
data. To sort in reverse order, click the column header a second time. By default, Symantec Data Loss Prevention lists
incidents by date.
The report includes the following columns:
• Check boxes that let you select incidents to remediate.
You can select one or more incidents to which to apply commands from the Incident drop-down menu at the top of the
list. Click the checkbox at the top of the column to select all incidents on the current page. (Note that you can also click
Select All at far right to select all incidents in the report.)
• Type
The protocol over which the match was detected.
• Subject/Sender/Recipient(s)
Message subject, sender email address or IP address, recipient email address(es), or URL(s).
• Sent
Date and time the message was sent.
• ID/Policy
Symantec Data Loss Prevention incident ID number and the policy against which the incident was logged.
• Matches
Number of matches in the incident.
• Sev
Incident severity as determined by the severity setting of the rule the incident matched.
The possible values are as follows:

Icon Description

High
Medium
Low
For information only
• Status
Current incident status.
The possible values are as follows:
– New
– In Process
– Escalated
– False Positive
– Configuration Errors
– Resolved
You or your administrator can add new status designations on the Attribute Setup page.
Network Incident Snapshots
An incident snapshot provides detailed information about a particular incident. The snapshot displays general incident
information, matches detected in the intercepted text, and incident attributes. The snapshot also enables you to execute
any Smart Response rules that you have configured.
The incident snapshot is divided into three panes, with navigation and Smart Response options. Click a link to view more
help about the incident snapshot:

Options and panes More information

Navigation and Smart Response options Network incident snapshot—Heading and navigation
General incident information (left-hand pane) Network incident snapshot—General information
Matches in incident (middle pane) Network incident snapshot—Matches
Attributes (right-hand pane) Network incident snapshot—Attributes

Network incident snapshot—Heading and navigation


The following page navigation tools appear near the top of the incident snapshot:

Previous Displays the previous incident in the source report.


Next Displays the next incident in the source report.
Returns to the source report (where you clicked the link to get to
this screen).
Updates the snapshot with any new data, such as a new comment
in the History section or a modified status.

If you configured any Smart Response rules, Symantec Data Loss Prevention displays the response options for executing
the rules at the top of the page. Depending on the number of Smart Response rules, a drop-down menu may also appear.

Network Incident Snapshot—General Information


The left section of the snapshot displays general incident information. You can click many values to view an incident list
that is filtered on that value. An icon may appear next to the Status drop-down list to indicate whether the request that
generated the incident was blocked or altered.
See Table 839, Incident block or altered status.
The status and severity of the incident appear to the right of the snapshot heading. To change one of the current values,
click it and choose another value from the drop-down list.
The remaining portion of the general information pane is divided into four tabs.
• Key Info
• History
• Notes
• Correlations
Information in this section is divided into the following categories (not all of which appear for every incident type):

Table 840: Incident general information tabs

Tab Name Description

Key Info The Key Info tab shows the policy that was violated in the incident. This tab also shows the total number of
matches for the policy and the matches per policy rule. Click the policy name to view a list of all incidents
that violated the policy. Click view policy to view a read-only version of the policy.
This section also lists other policies that the same file violated. To view the snapshot of an incident that
is associated with a particular policy, click go to incident next to the policy name. To view a list of all
incidents that the file created, click show all.
The Key Info tab also includes the following information:
• The name of the detection server that recorded the incident.
• The date and time the message was sent
• The sender email or IP address
• The recipient email or IP addresses
• The SMTP heading or the NNTP subject heading
• If you use ProxySG, the following attribute information is visible:
– Source IP
– Category
– Server Geo
– Transaction ID
• The Is Hidden field displays the archived state of the incident and whether you can hide the incident.
You can toggle the Do Not Hide flag for the incident.
• Attachment file names. Click to open or save the file.
If a response rule tells Symantec Data Loss Prevention to discard the original message, you cannot
view the attachment.
• The person responsible for remediating the incident (Data Owner Name). This field must be set
manually, or with a lookup plug-in. Reports can automatically be sent to the data owner for remediation.
If you click a hyperlinked Data Owner Name, a filtered list of incidents by Data Owner Name is
displayed.
• The email address of the person responsible for remediating the incident (Data Owner Email
Address). This field must be set manually, or with a lookup plug-in.
If you click the hyperlinked Data Owner Email Address, a filtered list of incidents by Data Owner Email
Address is displayed.
• The person responsible for remediating the incident using End User Remediation (Incident
Remediator Name). This field must be set manually, or with a lookup plug-in.
If you click the hyperlinked Incident Remediator Name, a filtered list of incidents by Incident
Remediator Name is displayed.
• The email address of the person responsible for remediating the incident using End User Remediation
(Incident Remediator Email Address). This field must be set manually, or with a lookup plug-in.
If you click the hyperlinked Incident Remediator Email Address, a filtered list of incidents by Incident
Remediator Email Address is displayed.
History View the actions that were performed on the incident. For each action, Symantec Data Loss Prevention
displays the action date and time, the actor (a user or server), and the action or the comment.
Notes View any notes that you or others have added to the incident. Click Add Note to add a note.
Correlations You can view a list of those incidents that share attributes of the current incident. For example, you can
view a list of all incidents that a single account generated. The Correlations tab shows a list of correlations
that match single attributes. Click attribute values to view lists of those incidents that are related to those
values.
To search for other incidents with the same attributes, click Find Similar. In the Find Similar Incidents
dialog box that appears, select the desired search attributes. Then click Find Incidents.
Note: The list of correlated incidents does not display related incidents that have been hidden.


Network incident snapshot—Matches


Beneath the general information, Symantec Data Loss Prevention displays the message content (if applicable) and the
matches that caused the incident. Symantec Data Loss Prevention displays the following types of message content,
depending on protocol type:

Protocol Message content

SMTP Message body


HTTP Name value pairs of the HTTP request
FTP Nothing shown
NNTP Message body
IM (all providers) IM conversation
TCP Data that was transmitted through custom protocol

Matches are highlighted in yellow and organized according to the message component (such as header, body, or
attachment) in which they were detected. Symantec Data Loss Prevention displays the total relevant matches for each
message component. It shows matches by the order in which they appear in the original text. To view the rule that
triggered a match, click on the highlighted match.


Network incident snapshot—Attributes


NOTE
This section appears only if a system administrator has configured custom attributes.
You can view a list of custom attributes and their values, if any have been specified. Click on attribute values to view an
incident list that is filtered on that value. To add new values or edit existing ones, click Edit. In the Edit Attributes dialog
box that appears, type the new values and click Save.


Network summary report


The Network summary report provides summary information about the incidents that are found on your network. You can
organize the report by one or two summary criteria. A single-summary report is organized by a single summary criterion,
such as the policy that is associated with each incident. A double-summary report is organized by two criteria, such as
policy and incident status.
To view the primary criteria and the secondary summary criteria available for the current report, click the Advanced
Filters & Summarization bar. The bar is near the top of the report. The Summarize By: listboxes show the primary
criteria and the secondary summary criteria. In each listbox, Symantec Data Loss Prevention displays all out-of-the-box
criteria in alphabetical order, followed by any custom criteria that your system administrator has defined. Summary reports
take their name from the primary summary criterion (the value of the first listbox). If you rerun a report with new criteria,
the report name changes accordingly.
Summary entries are divided into several columns. Click any column header to sort alpha-numerically by that column's
data. To sort in reverse order, click the column header a second time.

Table 841: Summary report columns

Column name Description

summary_criterion This column is named for the primary summary criterion. It lists
primary and (for double summaries) secondary summary items.
In a Policy Summary, this column is named Policy and it lists
policies. Click on a summary item to view a list of incidents that
are associated with that item.
Total The total number of incidents that are associated with the
summary item. In a Policy Summary, this column gives the total
number of incidents that are associated with each policy.
High Number of high-severity incidents that are associated with the
summary item. (The severity setting of the rule that was matched
determines the incident severity.)
Med Number of medium-severity incidents that are associated with the
summary item.
Low Number of low-severity incidents that are associated with the
summary item.
Info The number of informational incidents that are associated with the
summary item.
Bar Chart A visual representation of the number of incidents (of all
severities) associated with the summary item. The bar is broken
into proportional, colored sections to represent the various
severities.
Matches Total number of matches associated with the summary item.

If any of the severity columns contain totals, you can click on them to view a list of incidents of the chosen severity.
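The summary report is, in effect, a grouping of the incident list by one or two criteria with per-severity counts and a match total per row. The following added example (not code from the product or its documentation) computes the rows of Table 841 from constructed sample incidents and shows the drill-down that a click on a summary item or severity count produces; the record field names (`policy`, `status`, `severity`, `matches`) and the helper names are assumptions for the illustration.

```python
from typing import Dict, List, Optional

# Constructed sample incidents (not an export from a DLP system).
SAMPLE_INCIDENTS = [
    {"id": 101, "policy": "PCI", "status": "New", "severity": "High", "matches": 12},
    {"id": 102, "policy": "PCI", "status": "New", "severity": "Medium", "matches": 3},
    {"id": 103, "policy": "PCI", "status": "Resolved", "severity": "Low", "matches": 1},
    {"id": 104, "policy": "HIPAA", "status": "Escalated", "severity": "High", "matches": 7},
    {"id": 105, "policy": "HIPAA", "status": "New", "severity": "Info", "matches": 2},
]

# Severity value of an incident -> severity column of the summary report.
SEVERITY_COLUMN = {"High": "High", "Medium": "Med", "Low": "Low", "Info": "Info"}


def _empty_row() -> Dict[str, int]:
    return {"Total": 0, "High": 0, "Med": 0, "Low": 0, "Info": 0, "Matches": 0}


def summarize(incidents: List[dict], primary: str, secondary: Optional[str] = None):
    """Build the rows of a summary report. With only `primary` this is a
    single-summary report keyed by that criterion (for example, policy); with
    `secondary` it is a double-summary report keyed by (primary, secondary)."""
    rows: Dict[object, Dict[str, int]] = {}
    for inc in incidents:
        key = inc[primary] if secondary is None else (inc[primary], inc[secondary])
        row = rows.setdefault(key, _empty_row())
        row["Total"] += 1
        row[SEVERITY_COLUMN[inc["severity"]]] += 1
        row["Matches"] += inc["matches"]
    return rows


def drill_down(incidents: List[dict], primary: str, item, severity: Optional[str] = None):
    """Clicking a summary item opens the incident list filtered on that item;
    clicking a severity count in its row narrows the list to that severity.
    Returns the incident IDs that list would contain, in report order."""
    chosen = [inc for inc in incidents if inc[primary] == item]
    if severity is not None:
        chosen = [inc for inc in chosen if SEVERITY_COLUMN[inc["severity"]] == severity]
    return [inc["id"] for inc in chosen]


def report_name(primary: str) -> str:
    """Summary reports take their name from the primary summary criterion."""
    return f"{primary.capitalize()} Summary"


def severity_columns_consistent(rows) -> bool:
    """Sanity check a practitioner can run on any summary: the four severity
    columns of every row must add up to that row's Total."""
    return all(r["High"] + r["Med"] + r["Low"] + r["Info"] == r["Total"] for r in rows.values())
```

For the sample data, `summarize(SAMPLE_INCIDENTS, "policy")["PCI"]` gives Total 3, one each of High, Med and Low, and 16 matches; `summarize(SAMPLE_INCIDENTS, "policy", "status")` keys the rows by (policy, status) pairs instead.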

Remediating Endpoint incidents


This content includes the following topics:
• About endpoint incident lists
• Endpoint incident snapshot
• Endpoint incident summary reports
About endpoint incident lists
An endpoint incident list shows endpoint incidents that contain basic information such as protocol or destination, severity,
associated policy, number of matches, and status. Click on any incident to view a snapshot containing more incident
details. You can select specific incidents (or groups of incidents) to modify or remediate.
NOTE
Endpoint reports show only the incidents that were captured by Endpoint Prevent. Incidents that were captured
by Endpoint Discover appear in Network Discover reports.
Incident information is divided into several columns. Click any column header to sort alpha-numerically by the data in that
column. To sort in reverse order, click the column header a second time. By default, Symantec Data Loss Prevention lists
incidents by date.

The report includes the following columns:
• Check boxes that let you select incidents to remediate
You can select one or more incidents to which to apply commands from the Incident drop-down menu at the top of the list.
Click the checkbox at the top of the column to select all incidents on the current page. (You can click Select All at far right
to select all incidents in the report.)

Table 842: Type of endpoint incident

Graphic Type of incident

CD/DVD burner (for example, Windows Media burner)

Removable media (for example, a USB flash drive or SD card)

Fixed drive (for example, the C:\ drive)

Endpoint copy to network share

Email/SMTP

HTTP

HTTPS

FTP

IM: MSN

IM: Yahoo

Print/Fax

Clipboard

Application File Access

A response column that indicates whether Symantec Data Loss Prevention blocked an attempted violation or notified the
end user about the violation of confidential data.
The possible values are as follows:
• Blank if Symantec Data Loss Prevention did not block the violation or notify the end user
• A red icon indicates that the violation was blocked by Symantec Data Loss Prevention or by the user, or that the user cancel
option time limit expired.
• A notification icon indicates Symantec Data Loss Prevention notified the end user about the violated confidential data
policies. The notification icon also appears if the user allowed the violating data transfer. The icon also appears if the
user cancel time limit option has expired and the default action is set to allow data transfers.
The other columns of this section appear as follows:

Table 843: Endpoint incident columns

Column Definition

File Name/Machine/User/Subject/Recipient File name, computer, endpoint user (domain and logon name),
subject title (if Email/SMTP violation), and recipient user that is
associated with the incident.
When temporary files generate incidents on Mac agents, the
temporary file name displays in the File Name column.
Occurred On Date Incident date and time.
Reported On Date Time and date that the incident was reported. If the endpoint
is disconnected from the corporate network, incidents are
reported when the connection is restored.
ID/Policy Symantec Data Loss Prevention incident ID number and the policy
against which the incident was logged.
Matches Number of matches in the incident.
Severity Incident severity as determined by the severity setting of the rule
the incident matched.
The possible values are as follows:
• High
• Medium
• Low
• For information only
Status Current incident status.
The possible values are as follows:
• New
• In Process
• Escalated
• False positive
• Configuration Errors
• Resolved

You or your administrator can add new status designations on the Attribute Setup page.

Endpoint incident snapshot


An incident snapshot provides detailed information about a particular Endpoint Prevent incident. It displays general
incident information, matches detected in the intercepted text, and details about attributes, incident history, and the
violated policy. You can also search for similar incidents in the Correlations area.
NOTE
Endpoint Discover incidents are captured in Network Discover reports.

Current status and severity appear under the snapshot heading. To change one of the current values, click on it and
choose another value from the drop-down list. If any action icon is associated, it also appears here.
If you have configured any Smart Response rules, Symantec Data Loss Prevention displays a Remediation bar (under the
Status bar). The Remediation bar includes options for executing the rules. Depending on the number of Smart Response
rules, a drop-down menu may also appear.

The top left section of the snapshot displays general incident information. You can click most information values to view an
incident list that is filtered on that value. Information in this section is divided into the following categories (not all of which
appear for every incident type):

Table 844: Type of incident

Icon Incident type

CD/DVD burners (for example, Windows Media burner)

Removable media (for example, a USB flash drive or SD card)

Local drive

Network Share

Email/SMTP

HTTP

HTTPS/SSL

FTP

IM: MSN

IM: Yahoo

Print/Fax

Clipboard

Application File Access

The following table contains the other informational sections:

Table 845: Incident sections

Section Description

Server Name of the Endpoint Server that detected the incident (two-tier
detection), or the name of the Endpoint Server that received
the incident from the Symantec DLP Agent.
Agent response The Endpoint Block, Endpoint Notify, Endpoint Quarantine,
Endpoint FlexResponse, Action Encrypted, Action Encryption
Blocked, or User Cancel action, if any. The possible values are as
follows:
• Blank or no icon if Symantec Data Loss Prevention did not
block the copy or notify the end user.
• A red circle icon indicates Symantec Data Loss Prevention
blocked confidential data.
• A message icon indicates Symantec Data Loss Prevention
notified the end user that the data is confidential.
• A green tick mark with a key indicates that Symantec Data
Loss Prevention blocked the user's action and encrypted the
file or files that the user was trying to copy or move.
• A red X icon with a key indicates that Symantec Data Loss
Prevention blocked the user's action but did not encrypt
the file or files that the user was trying to copy or move.
• A clock icon indicates that the DLP Agent did not block the
user's action but the configured response action was not
carried out due to a timeout in macOS 11.
See Reporting on Endpoint Prevent Response Rules.
Incident Occurred On Date and time the incident occurred.
Incident Reported On Date and time the Endpoint Server detected the incident.
Is Hidden Displays the hidden state of the incident, whether or not the
incident is hideable, and allows you to toggle the Do Not Hide flag
for the incident.
User Endpoint user name (for example, MYDOMAIN\bsmith).
User Justification The justification label, followed by the text that is presented to
the end user in the on-screen notification (for example, Manager
Approved: "My manager approved the transfer of this data.").
Symantec Data Loss Prevention uses the label for classification
and filtering purposes in reports, but the endpoint user never sees
it. Click the label to view a list of incidents in which the end user
chose this justification.
Machine Name Computer on which the incident occurred.
Machine IP (Corporate) The IP address of the violating computer if the computer was on
the corporate network.
File name Name of the file that violated the policy. The file name field
appears only for fixed-drive incidents.
Quarantine Result If you have Endpoint Discover: Quarantine response rules
configured, you may see one of the following quarantine
scenarios:
• File Quarantined
• Quarantine Failed
• Quarantine Result Timeout

Quarantine Location Displays the file path of the secure location where the file was
moved.
Quarantine Details Displays the reason that the quarantine task failed to move the
confidential file. For example, the action may fail because the
source file is missing, or the credentials to access the secure
location are incorrect.
The Quarantine Details field also displays information if the status
of the quarantined file is unknown because of a Quarantine Result
Timeout event.
Endpoint Location Indicates whether or not the endpoint was connected to the
corporate network at the time the incident occurred.
Application Name The name of the application that caused the incident.
Destination The destination location or file path for the confidential data,
depending on the device or protocol.
Destination IP The destination IP address for the confidential data. The
Destination IP address appears only for specific network incidents.
Source The original file or data for the violation. The source primarily
appears in file-transfer incidents.
Sender The sender of the confidential data for network violations.
Recipient The intended recipient of the confidential data for network
violations.
FTP User Name The originating user name for violating FTP transfers.
Attachments The associated file(s) or attachments sent (for network incidents).
If your administrator has configured Symantec Data Loss
Prevention to retain endpoint incident data, you can click on a file
name to view file contents.
Data Owner The specified owner of the confidential data.
Data Owner Email Address The email address for the owner of the confidential data.
Access information The available ACL information. Only applicable to Endpoint
Discover and Endpoint Prevent local drive monitoring.

Other sections of the incident snapshot are common across all Symantec Data Loss Prevention products. These common
sections include:
• Incident snapshot matches
• Incident snapshot policy section
• Incident snapshot correlations section
• Incident snapshot attributes section. (This section appears only if a system administrator has configured custom
attributes.)
• Incident snapshot history tab
• Incident snapshot notes tab
The Endpoint incident snapshot also contains two sections that are not common across other product lines. Those
sections are:
• Destination or protocol-specific information (see Endpoint incident destination or protocol-specific information)
• Reporting on Endpoint Prevent response rules (see Reporting on Endpoint Prevent response rules)

Reporting on Endpoint Prevent response rules
If user activity on the endpoint triggers more than one response rule, Symantec Data Loss Prevention determines which
policy to apply based on an established order of precedence. Only the response rule that is associated with the prevailing
policy is executed. Symantec Data Loss Prevention creates incidents for all policies that are violated. It indicates (in the
relevant incident snapshots) that the response rules were superseded.
By default, the following list is the main order of precedence for Endpoint Prevent incidents:
• Block
• User Cancel
• Endpoint FlexResponse
• Notify
NOTE
For Endpoint Discover, Quarantine incidents always take precedence over Endpoint FlexResponse incidents.
Be aware of the following behavior regarding reporting of superseded incidents:
• The snapshot of a superseded Endpoint Block or User Cancel incident still displays the Blocked icon, because
Symantec Data Loss Prevention did block the content in question. The icon also indicates if the content was blocked
because the user elected to block the content. Alternately, the icon indicates that the user cancel time limit was
exceeded and the content was blocked.
• The snapshot of a superseded Endpoint Notify incident does not include the Notify icon. The Notify icon is not
included because Symantec Data Loss Prevention did not display the particular on-screen notification that was
configured in the policy.
• The snapshot of a superseded Endpoint Quarantine incident displays the Blocked icon because the data did not
move out of the secured area. The icon also indicates if the content was blocked because the user elected to block
the content. Alternately, the icon indicates that the user cancel time limit was exceeded and the content was blocked.
The History tab of the incident snapshot always displays information on whether the Endpoint FlexResponse rule was
successful.
• The snapshot of a superseded Endpoint FlexResponse incident displays the Blocked icon because the data did not
move out of the secured area. The icon also indicates if an Endpoint Quarantine response rule was activated.
If you have configured Endpoint Prevent response rules to display on-screen notifications prompting users to
justify their actions, the following statements are true:
• Symantec Data Loss Prevention displays the user justification in the snapshots of all the incidents that are generated
by the policies that include the executed response rule.
• Symantec Data Loss Prevention displays the justification Superseded – Yes in the snapshots of all superseded
incidents that do not include the executed response rule.
• If there is no user to enter a justification, for example if a user accesses a remote computer, the justification reads N/A.
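The precedence and supersession rules above are easier to check when written down as a small model. The following added example (not code from the product or its documentation) encodes the default Endpoint Prevent order of precedence, the Endpoint Discover rule that Quarantine precedes Endpoint FlexResponse, the icon behaviour of superseded snapshots, and the justification values listed above. The `TriggeredRule` and `Snapshot` types are hypothetical; one point the page does not state, whether an executed (non-superseded) Endpoint FlexResponse incident shows the Blocked icon, is treated as "no icon" and marked as an assumption in the code.

```python
from dataclasses import dataclass
from typing import List, Optional

# Default order of precedence for Endpoint Prevent response rules, highest first.
PREVENT_PRECEDENCE = ["Block", "User Cancel", "Endpoint FlexResponse", "Notify"]
# For Endpoint Discover, Quarantine always takes precedence over Endpoint FlexResponse.
DISCOVER_PRECEDENCE = ["Endpoint Quarantine", "Endpoint FlexResponse"]

# Actions whose superseded snapshot still shows the Blocked icon, because the
# content was in fact blocked or did not leave the secured area.
BLOCKING_ACTIONS = {"Block", "User Cancel", "Endpoint Quarantine", "Endpoint FlexResponse"}


@dataclass
class TriggeredRule:          # hypothetical type for this illustration
    policy: str               # the violated policy whose response rule fired
    action: str               # one of the actions in the precedence lists


@dataclass
class Snapshot:               # hypothetical type: what the incident snapshot shows
    policy: str
    action: str
    superseded: bool
    blocked_icon: bool
    notify_icon: bool
    justification: str


def prevailing(rules: List[TriggeredRule], precedence: List[str]) -> TriggeredRule:
    """Only the response rule of the highest-precedence action is executed."""
    ranked = [r for r in rules if r.action in precedence]
    if not ranked:
        raise ValueError("no triggered rule has an action in the precedence list")
    return min(ranked, key=lambda r: precedence.index(r.action))


def build_snapshots(rules: List[TriggeredRule],
                    precedence: List[str] = PREVENT_PRECEDENCE,
                    user_justification: Optional[str] = None) -> List[Snapshot]:
    """An incident is created for every violated policy; the snapshots of the
    policies whose action was not executed are marked superseded."""
    winner = prevailing(rules, precedence)
    snapshots = []
    for r in rules:
        superseded = r.action != winner.action
        # Assumption (not stated on the page): an executed Endpoint FlexResponse
        # shows no Blocked icon; its result is recorded on the History tab.
        executed_flex = r.action == "Endpoint FlexResponse" and not superseded
        blocked_icon = r.action in BLOCKING_ACTIONS and not executed_flex
        # A superseded Notify shows no Notify icon: the notification was never displayed.
        notify_icon = r.action == "Notify" and not superseded
        if superseded:
            justification = "Superseded – Yes"
        elif user_justification is None:
            justification = "N/A"       # no user present to enter one
        else:
            justification = user_justification
        snapshots.append(Snapshot(r.policy, r.action, superseded,
                                  blocked_icon, notify_icon, justification))
    return snapshots
```

With a Notify, a Block and an Endpoint FlexResponse rule triggered by one user action, only the Block is executed; the Notify snapshot carries no Notify icon and the justification "Superseded – Yes", while the FlexResponse snapshot, although superseded, still shows the Blocked icon.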

Endpoint incident destination or protocol-specific information


Depending on the type of incident, additional information that is associated with the incident snapshot is visible.

Table 846: Destination or protocol-specific information

• URL
For network incidents, denotes the URL where the incident occurred.
• Source IP and Port
For network incidents, denotes the IP address or port of the endpoint that originated the incident. This information is
only shown if the incident is created on this endpoint.
• Destination IP and Port
The IP address of the destination endpoint that is associated with the incident. This information is only shown if the
incident is created on this endpoint.
• Sender/Recipient Email
For Email/SMTP and IM incidents, incidents also contain the email addresses of the sender and recipient. The sender
or recipient email address is shown only if the incident occurred on that endpoint.
• Subject
The subject line of the Email/SMTP message is displayed.
• FTP user name at the FTP Destination
For FTP incidents, the user name at the FTP destination is displayed.
• Server IP
For FTP incidents, the server IP address is shown.
• File Name/Location
For print/fax incidents, the name of the file and the location of the file on the endpoint are displayed.
• Print Job Name
For print/fax incidents, the print job name is the file name of the printing job that generated the incident.
• Printer Name/Type
For print/fax incidents, the printer name and type are displayed only if the file cannot be named from the Print Job
name, or if the file was generated from an Internet browser.
• Application Window
For Clipboard incidents, the application window is the application name from which the contents of the Clipboard
were taken.
• Source Application
For Clipboard incidents, the application name from which the contents of the Clipboard were taken.
• Source Application Window Title
For Clipboard incidents, the application window name from which the contents of the Clipboard were taken.
• Title Bar
For Clipboard incidents, the title bar is the window from which the data was copied.

Endpoint incident snapshot

Reporting on Endpoint Prevent response rules


If user activity on the endpoint triggers more than one response rule, Symantec Data Loss Prevention determines which
policy to apply based on an established order of precedence. Only the response rule that is associated with the prevailing
policy is executed. Symantec Data Loss Prevention creates incidents for all policies that are violated. It indicates (in the
relevant incident snapshots) that the response rules were superseded.
Endpoint incident snapshot
By default, the following list is the main order of precedence for Endpoint Prevent incidents:
• Block
• User Cancel
• Endpoint FlexResponse
• Notify

NOTE
For Endpoint Discover, Quarantine incidents always take precedence over Endpoint FlexResponse incidents.
Be aware of the following behavior regarding reporting of superseded incidents:
• The snapshot of a superseded Endpoint Block or User Cancel incident still displays the Blocked icon, because
Symantec Data Loss Prevention did block the content in question. The icon also indicates whether the content was
blocked because the user elected to block it, or because the user cancel time limit was exceeded and the content was
blocked.
• The snapshot of a superseded Endpoint Notify incident does not include the Notify icon. The Notify icon is not
included because Symantec Data Loss Prevention did not display the particular on-screen notification that was
configured in the policy.
• The snapshot of a superseded Endpoint Quarantine incident displays the Blocked icon because the data did not
move out of the secured area. The icon also indicates whether the content was blocked because the user elected to
block it, or because the user cancel time limit was exceeded and the content was blocked. The History tab of the
incident snapshot always displays whether the Endpoint FlexResponse rule was successful.
• The snapshot of a superseded Endpoint FlexResponse incident displays the Blocked icon because the data did not
move out of the secured area. The icon also indicates whether an Endpoint Quarantine response rule was activated.
If you have configured Endpoint Prevent response rules to display on-screen notifications prompting users to
justify their actions, the following statements are true:
• Symantec Data Loss Prevention displays the user justification in the snapshots of all the incidents that are generated
by the policies that include the executed response rule.
• Symantec Data Loss Prevention displays the justification Superseded – Yes in the snapshots of all superseded
incidents that do not include the executed response rule.
• If there is no user to enter a justification, for example if a user accesses a remote computer, the justification reads N/A.
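To make the precedence rules concrete, the following added Python example (not Symantec's code) models the order described above: it picks the prevailing response rule for a set of violated policies, marks the other policies' incidents as superseded, and fills in the snapshot icon and justification as the bullets describe. The PolicyViolation fields, the dict keys, and showing the Blocked icon for an executed Endpoint FlexResponse rule are assumptions made for this example.

```python
"""Model of the Endpoint Prevent response-rule precedence described above.

Added illustration, not Symantec's code. It applies the documented order
(Block > User Cancel > Endpoint FlexResponse > Notify for Endpoint Prevent;
Quarantine > Endpoint FlexResponse for Endpoint Discover) to a set of
violated policies, executes only the prevailing rule, and records the
superseded flag, snapshot icon and justification for every incident.
The PolicyViolation fields and the incident dict keys are assumptions.
"""
from dataclasses import dataclass

PREVENT_PRECEDENCE = ["Block", "User Cancel", "Endpoint FlexResponse", "Notify"]
DISCOVER_PRECEDENCE = ["Quarantine", "Endpoint FlexResponse"]

SUPERSEDED_TEXT = "Superseded – Yes"


@dataclass(frozen=True)
class PolicyViolation:
    policy: str
    response_rule: str          # a name from one of the precedence lists
    prompts_user: bool = False  # rule shows an on-screen justification prompt


def snapshot_icon(rule, superseded):
    """Icon shown in the incident snapshot for a rule of this kind."""
    if rule == "Notify":
        # A superseded Notify incident has no Notify icon: the on-screen
        # notification configured in that policy was never displayed.
        return None if superseded else "Notify"
    # Block, User Cancel, Quarantine and Endpoint FlexResponse incidents keep
    # the Blocked icon when superseded because the data did not leave the
    # secured area; showing it for the executed rule as well is an assumption.
    return "Blocked"


def resolve(violations, channel="prevent", user_present=True, user_justification=None):
    """Pick the prevailing rule and build one incident record per violated policy."""
    order = PREVENT_PRECEDENCE if channel == "prevent" else DISCOVER_PRECEDENCE
    rank = {name: i for i, name in enumerate(order)}
    unknown = sorted({v.response_rule for v in violations} - set(rank))
    if unknown:
        raise ValueError(f"rules not valid for channel {channel!r}: {unknown}")
    if not violations:
        return []
    winner = min(violations, key=lambda v: rank[v.response_rule])
    executed = winner.response_rule
    # A justification prompt is only shown if a policy with the executed rule asks for one.
    prompt_shown = any(v.prompts_user for v in violations if v.response_rule == executed)

    incidents = []
    for v in violations:
        # Incidents are created for every violated policy; only those whose
        # rule differs from the executed one are marked superseded.
        superseded = v.response_rule != executed
        if not prompt_shown:
            justification = None           # nothing was asked of the user
        elif not user_present:
            justification = "N/A"          # e.g. access from a remote computer
        elif superseded:
            justification = SUPERSEDED_TEXT
        else:
            justification = user_justification
        incidents.append({
            "policy": v.policy,
            "response_rule": v.response_rule,
            "executed_rule": executed,
            "superseded": superseded,
            "icon": snapshot_icon(v.response_rule, superseded),
            "justification": justification,
        })
    return incidents
```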

Endpoint incident destination or protocol-specific information


Depending on the type of incident, additional information that is associated with the incident snapshot is visible.

Table 847: Destination or protocol-specific information

• URL
For network incidents, denotes the URL where the incident occurred.
• Source IP and Port
For network incidents, denotes the IP address or port of the endpoint that originated the incident. This information is
only shown if the incident is created on this endpoint.
• Destination IP and Port
The IP address of the destination endpoint that is associated with the incident. This information is only shown if the
incident is created on this endpoint.
• Sender/Recipient Email
For Email/SMTP and IM incidents, incidents also contain the email addresses of the sender and recipient. The sender
or recipient email address is shown only if the incident occurred on that endpoint.
• Subject
The subject line of the Email/SMTP message is displayed.
• FTP user name at the FTP Destination
For FTP incidents, the user name at the FTP destination is displayed.
• Server IP
For FTP incidents, the server IP address is shown.
• File Name/Location
For print/fax incidents, the name of the file and the location of the file on the endpoint are displayed.
• Print Job Name
For print/fax incidents, the print job name is the file name of the printing job that generated the incident.
• Printer Name/Type
For print/fax incidents, the printer name and type are displayed only if the file cannot be named from the Print Job
name, or if the file was generated from an Internet browser.
• Application Window
For Clipboard incidents, the application window is the application name from which the contents of the Clipboard
were taken.
• Source Application
For Clipboard incidents, the application name from which the contents of the Clipboard were taken.
• Source Application Window Title
For Clipboard incidents, the application window name from which the contents of the Clipboard were taken.
• Title Bar
For Clipboard incidents, the title bar is the window from which the data was copied.

Endpoint incident snapshot

Endpoint incident summary reports


Endpoint incident summary reports provide information about those Endpoint incidents that have been summarized by
specific criteria. You can summarize incidents by one or more types of criteria. A single-summary report is organized by a
single summary criterion, such as the policy that is associated with each incident. A double-summary report is organized
by two or more criteria, such as policy and incident status.
NOTE
Endpoint reports show only the incidents that are captured by Endpoint Prevent. Incidents from Endpoint
Discover appear in Network Discover reports.
To view the primary and the secondary summary criteria available for the report, go to the Summarize By link. Click
Edit. In the Primary and Secondary drop-down menus, Symantec Data Loss Prevention displays all of the criteria in
alphabetical order, followed by custom criteria your system administrator defined. You can select criteria from the Primary
and Secondary drop-down menus and then click Run Now to create a new summary report. Summary reports take their
name from the primary summary criterion. If you rerun a report with new criteria, the report name changes accordingly.

Summary entries are divided into several columns. Click any column header to sort alpha-numerically by that column's
data. To sort in reverse order, click the column header a second time.

Table 848: Endpoint incident summary report details

• Summary criteria
This column contains the name of the summary criterion you selected. If you select both a primary and a secondary
summary criterion, only the primary criterion is displayed.
• Total
Total number of the incidents that are associated with the summary item. For example, in a Policy Summary this
column gives the total number of incidents that are associated with each policy.
• High
Number of high-severity incidents that are associated with the summary item. (The severity setting of the rule that
was matched determines the level of severity.)
• Med
Number of medium-severity incidents that are associated with the summary item.
• Low
Number of low-severity incidents that are associated with the summary item.
• Info
Number of the informational incidents that are associated with the summary item.
• Bar Chart
A visual representation of the number of incidents (of all severities) associated with the summary item. The bar is
broken into proportional colored sections that represent the various severities.
• Matches
Total number of matches associated with the summary item.
If any of the severity columns contain totals, you can click them to view a list of incidents of the chosen severity.

Remediating Discover incidents


This content includes the following topics:
• About reports for Network Discover
• About incident reports for Network Discover
• Discover incident reports
• Discover incident lists
• Discover incident actions
• Discover incident entries
• Discover incident snapshot
• Discover summary reports

About reports for Network Discover


Symantec Data Loss Prevention has reports for incidents, Network Discover targets, scan details, and scan history.
The Network Discover incident reports contain details about the confidential data that is exposed.
About incident reports for Network Discover
For information about Network Discover targets and scan history, go to Manage > Discover Scanning > Discover
Targets, then select one of the Discover targets from the list. For information about Network Discover scan details, go to
Manage > Discover Scanning > Scan History, then select one of the Discover scans from the list.

Managing Network Discover target scans
Network Discover Reports lists the Network Discover reports.

Table 849: Network Discover Reports

• Network Discover Targets
This report is on the Enforce Server administration console, Manage menu, Discover Scanning > Discover Targets.
About the Network Discover scan target list
• Scan Status
This report is on the Enforce Server administration console, Manage menu, Discover Scanning > Discover Servers.
Viewing Network Discover server status
• Scan History (single target)
This report is from the Enforce Server administration console, Manage menu, Discover Scanning > Discover Targets.
Click the link in the Scan Status column to see the history of a particular scan target.
About Discover and Endpoint Discover scan histories
• Scan History (all targets)
This report is from the Enforce Server administration console, Manage menu, Discover Scanning > Scan History.
About Discover and Endpoint Discover scan histories
• Scan Details
This report is from the Enforce Server administration console, Manage menu, Discover Scanning > Scan History.
Click the link in the Scan Status column to see the scan details.
About Discover scan details

About incident reports for Network Discover


Use incident reports to track and respond to Network Discover incidents. You can save, send, export, or schedule
Symantec Data Loss Prevention reports.
In the Enforce Server administration console, on the Incidents menu, click Discover. This incident report displays all
incidents for all Discover targets. You can select the standard reports for all incidents, new incidents, target summary,
policy by target, status by target, or top shares at risk.
Summaries and filter options can select which incidents to display.
You can create custom reports with combinations of filters and summaries to identify the incidents to remediate.
For example, you can create the following reports:
• A summary report of the number of incidents in each remediation category.
Select the summary Protect Status.
• A report of all the incidents that were remediated with copy or quarantine.
Select the filter Protect Status with values of File Copied and File Quarantined.
• A report of the Network Discover incidents that have not been seen before (to identify these incidents and notify the
data owners to remediate them).
Select the filter Seen Before?. Set a value of No.
• A report of the Network Discover incidents that are still present (to know which incidents to escalate for remediation).
Select the filter Seen Before?. Set a value of Yes.
• A report using the summary filters, such as months since first detected.
Select the summary Months Since First Detected.
• A report that lists incidents older than a given period of time.
Select Older than, a number to indicate the period, and select Measure of time.
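The report recipes above, together with the single- and double-summary reports described under Endpoint incident summary reports, applied to an exported incident CSV in an added Python example (not Symantec's code). The column names, the sample rows, the report date and the calendar-month arithmetic used for Months Since First Detected are assumptions made for this example.

```python
"""Custom Discover reports rebuilt from an exported incident CSV.

Added example, not Symantec's code. It reproduces the filters and
summaries described above (Protect Status, Seen Before?, Months Since
First Detected, Older than) and the single- and double-summary reports
described for Endpoint incidents, using only the standard library.
Column names, sample rows and the report date are constructed assumptions.
"""
import calendar
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Constructed sample export; the real column set depends on the report.
SAMPLE_EXPORT = """ID,Policy,Severity,Protect Status,Seen Before,First Detected
1001,PCI,High,File Copied,Yes,2023-01-15
1002,PCI,Medium,File Quarantined,No,2023-08-20
1003,HIPAA,High,,No,2023-09-01
1004,HIPAA,Low,Remediation Error,Yes,2022-11-03
1005,GDPR,High,File Quarantined,Yes,2023-03-10
"""

# Constructed "today" so the date-based reports are reproducible.
TODAY = date(2023, 9, 13)


def load_export(text):
    """Parse the CSV export and turn First Detected into date objects."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["First Detected"] = date.fromisoformat(row["First Detected"])
    return rows


def summarize(rows, primary, secondary=None):
    """Single-summary (one criterion) or double-summary (two criteria) counts."""
    if secondary is None:
        return Counter(row[primary] or "(none)" for row in rows)
    return Counter((row[primary] or "(none)", row[secondary] or "(none)") for row in rows)


def filter_protect_status(rows, values):
    """Filter Protect Status with the given values, e.g. File Copied and File Quarantined."""
    wanted = set(values)
    return [row for row in rows if row["Protect Status"] in wanted]


def filter_seen_before(rows, seen):
    """Filter Seen Before? = Yes (incident still present) or No (not seen before)."""
    flag = "Yes" if seen else "No"
    return [row for row in rows if row["Seen Before"] == flag]


def months_between(earlier, later):
    """Whole calendar months from earlier to later (this example's grouping rule)."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def summarize_months_since_first_detected(rows, today=TODAY):
    """Summary by Months Since First Detected: incident count per month bucket."""
    return Counter(months_between(row["First Detected"], today) for row in rows)


def _minus_months(d, months):
    # Calendar-aware month subtraction; clamps the day for shorter months.
    years, month0 = divmod(d.month - 1 - months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def filter_older_than(rows, amount, measure, today=TODAY):
    """Older than <amount> <measure of time>: first detected before the cutoff date."""
    if measure == "days":
        cutoff = today - timedelta(days=amount)
    elif measure == "weeks":
        cutoff = today - timedelta(weeks=amount)
    elif measure == "months":
        cutoff = _minus_months(today, amount)
    else:
        raise ValueError(f"unsupported measure of time: {measure!r}")
    return [row for row in rows if row["First Detected"] < cutoff]
```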

Discover incident reports
Use Network Discover incident reports to monitor and respond to Network Discover incidents. You can save, send, export,
or schedule Symantec Data Loss Prevention reports.
In the Enforce Server administration console, on the Incidents menu, click Discover. This incident report displays all
incidents for all Discover targets. You can select the standard reports for all incidents, new incidents, target summary,
policy by target, status by target, or top shares at risk.
Summaries and filter options can select which incidents to display.

You can create custom reports with combinations of filters and summaries to identify the incidents to remediate.

Network Discover has the following types of reports:


• Incident list
Discover incident lists
• Incident snapshot
Discover incident snapshot
• Incident summary
Discover summary reports

Discover incident lists


A Discover incident list shows the incidents that are reported during Discover scans (including the incidents from Endpoint
Discover). Individual incident records contain information such as severity, associated policy, number of matches, and
status.
Discover incident entries
You can select specific incidents (or a group of incidents) to modify or remediate.
Discover incident actions
You can click on any incident to view a snapshot containing more details.
Discover incident snapshot
Discover incident reports

Discover incident actions


You can select one or more incidents and then remediate them using commands in the Incident Actions drop-down list.
The incident commands are as follows:
• Add Note
Select to open a dialog box, type a comment, and then click OK.
• Delete Incidents
Select to delete specified incidents.
• Export Selected: CSV
Select to save specified incidents in a comma-separated text (.csv) file, which can be displayed in several common
applications, such as Microsoft Excel.
• Export Selected: XML
Select to save specified incidents in an XML file, which can be displayed in several common applications.
• Hide/Unhide
Select one of the following actions to set the display state for the selected incidents:
– Hide Incidents—Flags the selected incidents as hidden.
– Unhide Incidents—Restores the selected incidents to the unhidden state.
– Do Not Hide—Prevents the selected incidents from being hidden.
– Allow Hiding—Allows the selected incidents to be hidden.
• Set Attributes
Select to set attributes for the selected incidents.
• Set Data Owner
Set the data owner name or email address. The data owner is the person responsible for remediating the incident.
Reports can automatically be sent to the data owner for remediation.
• Set Incident Remediator
Set the incident remediator name or email address. The incident remediator is the person responsible for remediating
the incident using End User Remediation.
The EUR application sends an email to the incident remediator for remediation. See About End User Remediation.
• Set Status
Select to set status.
• Set Severity
Select to set severity.
• Lookup Attributes
Use the lookup plug-ins to look up incident custom attributes.
• Run Smart Response
Select to run a Smart Response rule you or your administrator configured.
Discover incident lists

Discover incident entries


Incident information is divided into several columns. Click any column header to sort alpha-numerically by that column's
data. To sort in reverse order, click the column header a second time.
The report includes the following columns:
• Check boxes that let you select incidents to remediate.
You can select one or more incidents to which to apply commands from the Incident Actions drop-down menu.
Click the checkbox at the top of the column or click Select All to select all incidents on the current page.
NOTE
Use caution when you use Select All. This option selects all incidents in the report, not only those on the
current page. Any incident command you subsequently apply affects all incidents. You may want to configure
the maximum-incident-batch-size property to limit the number of incidents that a Server FlexResponse
plug-in processes at one time.
• Type
Type of target in which the match was detected.
An icon represents each target type.
Discover targets
This column also displays a remediation icon, if any response rule applied.
The possible values are as follows:
– Blank if no response rule applied
– Copied
– Quarantined
– Remediation Error
When you use a Server FlexResponse action for an Automated or Smart response rule, one of the following icons may
appear:
– This incident was successfully remediated using a Server FlexResponse action.
– The Server FlexResponse action is in process.
– The Server FlexResponse action has an error.
These same icons may appear for other incident types as well, and you can execute Server FlexResponse actions on
those incidents.
• Location/Target/Scan
Repository or file location, target name, and date and time of most recent scan.
• File Owner
Username of file owner (for example, MYDOMAIN\Administrator).
• ID/Policy
The Symantec Data Loss Prevention incident number and the policy the incident violated.
• Matches
The number of matches in the incident.
• Severity
Incident severity as determined by the severity setting of the rule the incident matched.
The possible values are:
– High
– Medium
– Low
– For information only
• Status
The current incident status.
The possible values are:
– New
– In Process
– Escalated
– False Positive
– Configuration Errors
– Resolved
The following icon may be displayed near the status if this incident was seen before: it indicates that this incident has
an earlier connected incident.

You or your administrator can add new status designations on the attribute setup page.

Discover incident lists

Discover incident snapshot
An incident snapshot provides detailed information about a particular incident. It displays general incident information,
matches detected in the content, and details about policy, attributes, and incident history. You can also search for similar
incidents in the Correlations area.
Current status and severity appear under the snapshot heading. To change one of the current values, click it and choose
another value from the drop-down list.
Use the icons at the top right to print the report, or send it as email. To send reports, you or your administrator must first
enable report distribution in system settings.
Configuring the Enforce Server to Send Email Alerts
If any Smart Response rules are set up, Symantec Data Loss Prevention displays a remediation bar that includes buttons
for executing the rules. Depending on the number of Smart Response rules, a drop-down menu may also appear.
About incident remediation
Incident data is divided into the following sections:
• Key Info tab
– Policy Matches
– Incident Details
The following details are included:
– Server
Name of the Discover Server that detected the incident.
– Remediation Detection Status
The latest remediation status of the file that generated the incident.
– Target
Network Discover target name.
– Scan
The date and time of the scan that registered the incident.
– Detection Date
The date and time that the incident was detected.
– Protect Status
Displays the remediation status of the content that generated the incident.
Note: When the same remediation action is applied to more than one policy, then after the remediation is successful
for the first policy, the Protect Status changes to Remediation overridden for the other policies where this
remediation action is skipped.
– Seen Before
No, if this incident was not previously detected. Yes, if this incident was previously detected.
– Subject
Email subject for integrated Exchange scans.
– Sender
Email sender for integrated Exchange scans.
– Recipient
Email recipient for integrated Exchange scans.
– File Location
Location of the file, repository, or item. Click go to file to view the item or file, or go to directory to view the
directory. If you view an Endpoint Discover incident, you do not see the go to file or go to directory links. In the
Firefox browser, these links do not work without additional setup.
– Is Hidden
Displays the hidden state of the incident, whether or not the incident is hideable, and lets you toggle the Do Not Hide
flag for the incident.
– URL
For SharePoint, this URL is the item on the SharePoint server. Click this URL to go to the item on the SharePoint
server.
– Document Name
File or item name(s).
– File Owner
Creator of the file or item. For SharePoint and Exchange incident snapshots the File Owner is listed as unknown
because it is not applicable to these target types.
– Extraction Date
Date the custom target adapter was run. (Applies to custom targets only.)
– Scanned Machine
Host name of the scanned computer. For SharePoint this name is the web application name.
– Notes Database
Name of the IBM (Lotus) Notes database. (Applies to IBM (Lotus) Notes only.)
– File Created
The date and time that the file or item was created.
– Last Modified
Date and time of last change to the file or item.
– Last Accessed
Date and time of last user access to the file or item. For SharePoint, this date is not valid.
– Created By
The user who created the file.
– Modified By
The user who last modified the file.
– Data Owner Name
The person responsible for remediating the incident. This field must be set manually, or with a lookup plug-in.
Reports can automatically be sent to the data owner for remediation. If you click the hyperlinked Data Owner Name,
a filtered list of incidents by Data Owner Name is displayed.
– Data Owner Email Address
The email address of the person responsible for remediating the incident. This field must be set manually, or with a
lookup plug-in. If you click the hyperlinked Data Owner Email Address, a filtered list of incidents by Data Owner
Email Address is displayed.
– Incident Remediator Name
The person responsible for remediating the incident using End User Remediation. This field must be set manually, or
with a lookup plug-in. If you click the hyperlinked Incident Remediator Name, a filtered list of incidents by Incident
Remediator Name is displayed.
– Incident Remediator Email Address
The email address of the person responsible for remediating the incident using End User Remediation. This field
must be set manually, or with a lookup plug-in. If you click the hyperlinked Incident Remediator Name, a filtered
list of incidents by Incident Remediator Name is displayed.
– Access Information
For SharePoint incident snapshots, the permission levels show the permissions from SharePoint, for example
Contribute or Design. The list in the incident snapshot shows only the first 50 entries. All the ACL entries can be
exported to a CSV file. The permissions are comma-separated. Users or groups having Limited Access permission
levels are not recorded or shown.
NOTE
If you are scanning a SharePoint repository without using the SharePoint solution, the incident snapshot
will not show any SharePoint permissions information.
– Message Body
For a SharePoint list item, the message body shows the name and value pairs in the list.
• Attributes
• History tab
• Notes tab
• Correlations tab
• Matches and file content
Discover incident reports

Discover summary reports
Discover Summary Reports provide summary information about the incidents that are found during Discover scans.
If you are running Endpoint Discover, the Discover Summary Reports also include Endpoint Discover incidents.
You can filter or summarize the options in the reports.

You can extract the report information in selected formats.


You can click highlighted elements, such as the entries in the Totals column, to view details.
Icons provide navigation through long reports.

Discover incident reports

Working with Application incidents


This content includes the following topics:
• About Applications incident reports
• Applications incident list
• Applications incident entries
• Applications incident actions
• Applications incident snapshot
• Applications summary reports

About Applications incident reports


Use Applications incident reports to monitor and manage incidents from the REST Cloud Detection Service and API
Detection for Developer Apps Appliances. You can save, send, export, or schedule Symantec Data Loss Prevention
reports.
In the Enforce Server administration console, on the Incidents menu, click Applications. This incident report displays all
incidents for all REST Cloud Detection Service detectors and API Detection for Developer Apps Appliances.
You can pre-filter your Applications incident reports by the Data-at-Rest and Data-in-Motion data types:
• Incidents > Applications > Data-at-Rest
• Incidents > Applications > Data-in-Motion
You can select the following standard reports for all incidents:
• Incidents - All
Displays a list of all incidents.
Applications incident list
• DIM - Incidents - All
Displays a list of all Data-in-Motion (DIM) incidents.
Applications incident list
• DIM - Incidents - New
Displays a list of all DIM incidents with a status of New.
Applications incident list
• DIM - Policy Summary
Displays a summary of DIM incidents by policy.
Applications summary reports
• DIM - Status by Policy
Displays a summary of DIM incidents by policy and incident status.
Applications summary reports
• DIM - High Risk Users - Last 30 Days
Displays a summary of DIM incidents associated with high-risk users in the last 30 days.
Applications summary reports
• DAR - Incidents - All
Displays a list of all Data-at-Rest (DAR) incidents.
Applications incident list
• DAR - Incidents - New
Displays a list of all DAR incidents with a status of New.
Applications incident list
• DAR - Application Summary
Displays a summary of DAR incidents by cloud application.
Applications summary reports
• DAR - Policy Summary
Displays a summary of DAR incidents by policy.
Applications summary reports
• DAR - Status by Application
Displays a summary of DAR incidents by status and cloud application.
Applications summary reports
• DAR - High Risk Users
Displays a summary of DAR incidents associated with high-risk users.
Applications summary reports
Summaries and filter options can select which incidents to display.

You can create custom reports with combinations of filters and summaries to monitor the incidents.

Applications have the following types of reports:


• Incident list
Applications incident list
• Incident snapshot
Applications incident snapshot
• Incident summary
Applications summary reports

Applications incident list


An Applications incident list shows the incidents that are reported by the REST Cloud Detection Service or API Detection
for Developer Apps Appliance. Individual incident records contain information such as severity, associated policy, number
of matches, and status.
NOTE
If you have an existing Symantec Web Security Service (WSS) implementation using the REST Cloud Detection
Service, your WSS incidents appear in the Applications > Data-in-Motion incident list. If you have a Symantec
WSS implementation using the Cloud Detection Service for WSS, your WSS incidents appear in the Network
incident list.

Applications incident entries
You can select specific incidents (or a group of incidents) to modify or manage.
Applications incident actions
You can click on any incident to view a snapshot containing more details.
Applications incident snapshot
About Applications incident reports

Applications incident entries


Incident information is divided into several columns. Click any column header to sort alpha-numerically by the data in that
column. To sort in reverse order, click the column header a second time.
The report includes the following columns:
• Checkboxes that let you select incidents to manage.
You can select one or more incidents to which to apply commands from the Incident Actions drop-down menu.
Click the checkbox at the top of the column or click Select All to select all incidents on the current page.
NOTE
Use caution when you use Select All. This option selects all incidents in the report, not only those on the
current page. Any incident command you subsequently apply affects all incidents.
• Data Type
Specifies whether the incident is from Data-at-Rest (DAR) or Data-in-Motion (DIM).
• Location/Application/Detection Date
The location of the sensitive data, the application with which the incident is associated, and the date on which the
policy violation was detected.
• User
Displays the information of the user associated with the incident, if applicable.
• ID/Policy
The Symantec Data Loss Prevention incident number and the policy the incident violated.
• Matches
The number of matches in the incident.
• Severity
Incident severity as determined by the severity setting of the rule the incident matched.
The possible values are:
– High
– Medium
– Low
– For information only
• Status
The current incident status. The possible values are:
– New
– In Process
– Escalated
– False Positive
– Configuration Errors
– Resolved
Applications incident list

Applications incident actions


You can select one or more incidents and then manage them using commands in the Incident Actions drop-down list.
The incident commands are as follows:
• Add Note
Select to open a dialog box, type a comment, and then click OK.
• Delete Incidents
Select to delete specified incidents.
• Export Selected: CSV
Select to save specified incidents in a comma-separated text (.csv) file, which can be displayed in several common
applications, such as Microsoft Excel.
• Export Selected: XML
Select to save specified incidents in an XML file, which can be displayed in several common applications.
• Mark Accepted
Select to set the remediation status to Accepted.
• Run Smart Response
Select to run the Quarantine or Restore File Smart Response rules.
• Hide/Unhide
Select one of the following actions to set the display state for the selected incidents:
– Hide Incidents—Flags the selected incidents as hidden.
– Unhide Incidents—Restores the selected incidents to the unhidden state.
– Do Not Hide—Prevents the selected incidents from being hidden.
– Allow Hiding—Allows the selected incidents to be hidden.
• Set Attributes
Select to set attributes for the selected incidents.
• Set Data Owner
Select to set the data owner by user name or email address.
• Set Incident Remediator
Select to set the incident remediator by user name or email address.
• Set Severity
Select to set severity.
• Set Status
Select to set status.
Applications incident snapshot
An incident snapshot provides detailed information about a particular incident. It displays general incident information,
matches detected in the content, and details about policy, attributes, and incident history. You can also search for similar
incidents in the Correlations area.
Current status and severity appear under the snapshot heading. To change one of the current values, click it and choose
another value from the drop-down list.
You can use the Accepted checkbox to set the remediation status to User Accepted. This remediation status indicates
that the incident was remediated by the user, CASB administrator, or another incident responder.
Use the icons at the top right to print the report, or send it as email. To send reports, you or your administrator must first
enable report distribution in system settings.

Application incident data is divided into the following sections:


• Key Info tab:
– Policy Matches
– Incident Details
The following details are included for both DAR and DIM incidents:

Data Type: Specifies the DAR or DIM data type.
Detector: Specifies the cloud detector that created the incident.
Is Hidden: Displays the hidden state of the incident, whether or not the incident is hideable, and lets you toggle the Do Not Hide flag for the incident.
Recipient: For data uploads, the recipient is the site to which the data is uploaded. For data downloads, the recipient is the user who downloads the data.
Date: The date the incident was created.
Subject: The subject field of the sensitive data. Click the subject link to view all incidents with the same subject.
Data Owner Name: The person responsible for remediating the incident. This field must be set manually. Reports can be sent automatically to the data owner for remediation. Click Data Owner Name to view a filtered list of incidents for that data owner.
Data Owner Email Address: The email address of the person responsible for remediating the incident. This field must be set manually. Click Data Owner Email Address to view a filtered list of incidents for that data owner email address.
Incident Remediator Name: The person responsible for remediating the incident using End User Remediation. This field must be set manually, or with a lookup plug-in. If you click the hyperlinked Incident Remediator Name, a filtered list of incidents by Incident Remediator Name is displayed.
Incident Remediator Email Address: The email address of the person responsible for remediating the incident using End User Remediation. This field must be set manually, or with a lookup plug-in. If you click the hyperlinked Incident Remediator Email Address, a filtered list of incidents by Incident Remediator Email Address is displayed.
Request ID: The unique detection request identifier from the Cloud Detection Service. You can use this identifier to track this incident in external cloud consoles, such as Symantec CloudSOC.
User Name: The name of the user who is associated with the incident.
User Activity Type: Specifies the type of user activity on the file. The possible activities are:
• Create
• Edit
• Rename
• Delete
• Upload/Download
External Transaction ID: The unique transaction identifier that is provided by the cloud application. You can use this identifier to track this incident in external cloud consoles, such as Symantec CloudSOC.
– Site/Application Details
Specifies the following details about the website or cloud application that is associated with the DAR or DIM
incident:

Service Score: The Shadow IT score provided by Symantec CloudSOC.
Application Name: The name of the cloud application associated with the incident.
Site Risk Score: The site risk score provided by Blue Coat WSS, based on information from the Global Intelligence Network.
HTTP URL: The HTTP URL accessed by the user.
– User Details
This section provides the following details about the user who is associated with the DAR or DIM incident:

User Threat Score: Specifies the user threat score as provided by Symantec CloudSOC or Blue Coat WSS.
Documents Exposed Count: Specifies the number of exposed documents for that user. Click More Info to view document exposure information in your external cloud console.
User Activity: Provides a link to user activity details in your external cloud console.
– Data Exposure Details (DAR only)
This section provides the following details about the exposure of the sensitive data:

Document is Publicly Exposed: Specifies if the document is exposed in a publicly accessible location.
Document is Internally Shared: Specifies if the document is shared with or accessible to all members of your organization.
Document is Exposed: Specifies if the document is shared with or accessible to anyone outside of your organization, or shared with or accessible to all members of your organization.
Document is Internal: Specifies if the document is within your organization.
Document Activity Count: Specifies the number of times the document has been accessed.
Document Creator ID: The identifier of the document creator.
Document ID: The identifier of the document.
Document Parent Folder ID: The identifier of the folder containing the document.
– File Information (DAR only)
This section specifies the following information about the file containing the sensitive data:

File Folder: Specifies the folder that contains the file. Click More Info to go to the exposures panel for that file.
Last Modified: Specifies the date and time the file was last modified.
Sharing URL: Specifies the URL at which the file is shared.
Document Type: Specifies the document type of the file.
File Activity: Click More Info to view the file activity in your external cloud console.
Alert in CASB: Click More Info to view incident information in your external cloud console.
– Data Transfer (DIM Only)
Specifies the following details about the device that is associated with the DIM incident:

Network Direction: Specifies the direction of the network traffic, upload or download.
Connector Source Protocol: Specifies the network protocol of the data transfer, such as https.
Source IP: Specifies the originating IP address of the network traffic.
Destination IP: Specifies the destination IP address of the network traffic.
Device is Compliant: Specifies if the device complies with your organization's standards.
Device is Unmanaged: Specifies if the device is not managed by your organization.
Device is Personal: Specifies if the device is the personal property of the user.
Device is Trusted: Specifies if the device is trusted by your organization.
HTTP Method: Specifies the HTTP method that was called when the incident was created.
HTTP Cookies: Lists any cookies that are associated with the incident.
Device OS: Specifies the operating system of the device.
Device Type: Specifies the type of device.
– Location (DIM Only)
Specifies the following device location information:

Location: Specifies the city and country location of the device.
Latitude: Specifies the latitude coordinate of the device.
Longitude: Specifies the longitude coordinate of the device.
– Message Body
Provides a link to the original JSON-formatted message.
• History
• Notes
The notes tab displays any notes for this incident.
• Correlations
• Matches
About Applications incident reports

Applications summary reports


Applications Summary Reports provide summary information about Application incidents.
You can filter or summarize the options in the reports.

You can extract the report information in selected formats.


You can click highlighted elements, such as the entries in the Totals column, to drill down into details.
Icons provide navigation through long reports.

Viewing, managing, and reporting incidents
View, manage, and report Symantec DLP incidents.
This content includes the following topics:

• Viewing Incidents
• Incident List Control Features Overview
• Incident Masking Overview
• About Symantec Data Loss Prevention Reports
• About Strategies for Using Reports
• Setting Report Preferences
• About Incident Reports
• About dashboard reports and executive summaries
• Viewing dashboards
• Creating dashboard reports
• Configuring dashboard reports
• Choosing reports to include in a dashboard
• About summary reports
• Viewing summary reports
• Creating summary reports
• About custom reports and dashboards
• Using IT Analytics to manage incidents
• Filtering Incident Lists and Reports using the Filter By controls
• Saving custom incident reports
• Scheduling Custom Incident Reports
• Delivery Schedule Options for Incident and System Reports
• Delivery schedule options for dashboard reports
• Using the date widget to schedule reports
• Editing custom dashboards and reports
• Exporting Incident Reports
• Exported Fields for Common Reports
• Exported fields for Network Monitor
• Exported fields for Network Discover
• Exported fields for Endpoint Discover
• Deleting incidents
• Deleting custom dashboards and reports
• Common incident report features
• Page navigation in incident reports
• Incident report filter and summary options
• Sending incident reports by email
• Printing incident reports
• Incident snapshot history tab
• Incident snapshot notes tab
• Incident snapshot attributes section
• Incident snapshot correlations tab
• Incident snapshot policy section
• Incident snapshot matches section
• Incident snapshot access information section
• Customizing incident snapshot pages
• About filters and summary options for reports
• General filters for reports
• Summary options for incident reports
• Advanced filter options for reports

Viewing Incidents
Go to the Incidents > All Channels screen in the Enforce Server administration console to filter your view of Symantec
Data Loss Prevention incidents. You can filter incidents by choosing incident type, severity, status, and date.
1. In the Enforce Server administration console, on the Incidents menu, select All Channels. The incident list displays
incidents of all types, arranged under default column headings. You can select specific channels, or you can use other
filters to customize what you see.
See Incident List Control Features Overview for a complete overview of incident list controls.
2. Optionally, use report filters to narrow down the incident list.
See Filtering Incident Lists and Reports using the Filter By controls.
3. To view more details of a particular incident, click the incident.
The incident snapshot appears. The snapshot displays general incident information, matches detected in the
intercepted text, details about policy, attributes, and incident history.
You can also search for similar incidents from the Correlations tab.
4. Optionally, click through the incident snapshot to view more information about the incident.
• You can find information about the policy that detected the incident. On the Key Info tab, the Policy Matches
section displays the policy name. Click the policy name to see a list of incidents that are associated with that policy.
Click view policy to see a read-only version of the policy. This section also lists other violated policies with the
same file or message. When multiple policies are listed, you can see the snapshot of an incident that is associated
with a particular policy. Click go to incident next to the policy name. To see a list of all incidents, click show all.
• You can view lists of the incidents that share various attributes with the current incident. The Correlations tab
shows a list of correlations that match single attributes. Click attribute values to see the lists of incidents that are
related to those values.
For example, the current network incident is triggered from a message from a particular email account. You can
bring up a list of all incidents that this account created.
• For most network incidents, you can access any attachments that are associated with the network message.
Locate the Attachments field in the Incident Details section of the snapshot and click the attachment file name.
For a detailed description of incident snapshots and the actions you can perform through them, see Incident snapshot
history tab.
5. When you finish viewing incidents, you can exit the incident snapshot or incident list, or you can choose one or more
incidents to remediate.
Remediating incidents

Incident List Control Features Overview


You can view and save incident lists and reports, view system reports, save reports, and export incident reports, all from
the Incident List screen.
Go to the Incidents > All Channels screen and review the new features of the modernized DLP incident user interface.
In the main area of the screen, you can see (by default) a list of all new incidents from the last 30 days. The incidents are
displayed in the default eight-column format. Use the scroll bar to the right of the list to scroll vertically, and the scroll bar
at the bottom of the list to scroll horizontally.
Eight default columns contain information that is common to all types or channels of incidents:
• Type
• Date
• ID
• Policy
• Policy Label
• Matches
• Severity
• Status
You can choose from up to 153 incident filters. Some of these filters are common to all channels. Some of the filters
are unique to a specific channel. For a common incident list, you can only choose filters that are common to all incident
channels.
Scanning from left to right, you can see the following new icons and navigation features.
The action icons on the top left of the screen let you:
• Save your user-created custom incident reports using the disk icon. You cannot update System Reports, but you can
save a system report as a user-created saved report by using Save As. See Saving custom incident reports.
• View all Saved Reports using the file folder icon.
• View System Reports using the spreadsheet icon. You can choose to view reports for All Channels, Network, Endpoint,
Discover, or Cloud Applications and API Appliance. You cannot update System reports.
• Access a list of your Saved reports. See Using Saved Reports.
• Export incidents, selected components of incidents, or reports in CSV and JSON format using the up arrow icon. You
can export up to 10,000 incidents. See Exporting Incident Reports.
NOTE
Legacy XML is deprecated in DLP 16.0 and is not available in subsequent DLP releases. Reports that are
exported in XML are limited to the hard-coded, DLP 15.8 format and are not customizable.
Quick Filters
You can create two kinds of incident lists: one with all types of incidents (the common, or all channels view) or one with
just one type (the single channel view). You cannot create an incident list that is composed of two or three types. For
example, you cannot create an incident list with Network incidents and Discover incidents.
When you don't select a Type, you get the common or all channels view. This report contains all types of incidents,
including Network, Endpoint, Discover, and Cloud Applications and API Appliance. Only incident filters that are common to
all channels are available in the common or all channels view.
When you choose one channel, you can choose all filters available to that channel. For example, if you choose Network,
you can use all filters available to Network incidents.
You can filter incidents in the default all channels list by using the following Quick Filters. Click a quick filter to select it. To
deselect a filter, click it again. Click Apply after you are finished.

Table 850: Quick Filters

Type - The type or channel of the incident:
• All Channels - Incidents that are common to all channels (default)
• Network - Incidents that are unique to the Network channel
• Endpoint - Incidents that are unique to the Endpoint channel
• Discover - Incidents that are unique to the Discover channel
• Cloud Applications and API Appliance - Incidents that are unique to the Cloud Applications and API Appliance channel
Severity - The severity of the incident:
• All (default)
• High
• Medium
• Low
• Info
Status - The status for All (default) or New incidents:
• Equals (default)
• Is Any Of
• Is None Of
Date - The date the incident occurred:
• All Dates (default)
• Today
• Yesterday
• Current Week to Date
• Current Month to Date
• Current Quarter to Date
• Current Year to Date
• Last 7 Days
• Last 30 Days
• Last Week
• Last Month
• Last Quarter
• Last Year
• Custom
• Older Than
• Not Updated In

Advanced Filters
Use Advanced Filters to filter on attributes and conditions that are common to all reports.
The Pending Filter bar at the top of the screen over the incident list shows the applied filters and their settings.
Action Bar
When you click a checkbox to the left of an incident or incidents, the Action Bar appears between the incident list and the
Pending Filter bar.
The controls on the Action Bar enable you to further customize the data for your incident list. If you choose more than
eight columns out of the 153 available columns, you can easily view the additional columns by using the horizontal and
vertical scroll bar. Hovering over an action gives you more options, if they are available. For actions that require more
information, a popup may appear.
Click actions to quickly perform the actions for your selected incident or report.

Table 851: Incident Actions

Column Preferences
• Apply column filter preferences for the type of report that you have selected.
• Save column filter preferences for an incident report that you have selected.
• View the default columns for an incident report that you have selected.
More information: You can select all filters, but to view the data, you must have permission to view a particular filter.
Add Note
A popup appears so that you can enter a note for the report.
Hide / Unhide
• Hide incidents.
• Unhide incidents.
• Do not hide incidents.
• Allow hiding.
Run Smart Response
Set Severity
• High
• Medium
• Low
• Info
Set Status
• New
More
Click More to see these other options:
• Delete Incidents
• Lookup Attributes
• Export Selected: CSV
• Export Selected: JSON
• Export Selected: XML (only available for reports for specific channels; not available for a common report)
• Set Data Owner: Name
• Set Data Owner: Email Address
• Set Incident Remediator: Name
• Set Incident Remediator: Email Address
• Mark Accepted (REST incidents only; not visible if one of the selected incidents is not a REST incident)

For more information on these actions, see Filtering Incident Lists and Reports using the Filter By controls.

Scheduling Reports
Use the Schedule Delivery widget to schedule incident reports. Scheduling reports by the minute and by the hour is now
available.
See Delivery Schedule Options for Incident and System Reports.
See Scheduling Reports.

Incident Masking Overview


Hide sensitive data in DLP incidents from unauthorized users. This data can include personally
identifiable information (PII), medical data, financial data, and so on. Masking can be set at the role level and at the data
identifier level.
You can mask (hide) the sensitive content in incidents from unauthorized users. Masking helps you to meet your
regulatory compliance requirements for restricting access to personally identifiable information.
You can use incident masking in the following places:
• Incident Snapshots: You can see the masked incident message content in incident snapshots. The masked information is
highlighted in yellow and is replaced with capital Xs. Context information, such as the file size and the file name, is
not masked.
• Web archives
• Rest APIs

Capabilities of Masking
• Characters that are masked: Alphanumeric characters are masked, but not punctuation characters. For example, a
60% masked US Social Security number can appear as XXX-XX-6789 or XXXXX6789.
• Percentage of a string to mask: From 0% to 100% (rounded percentages only). Punctuation is not included in
percentages.
• Where to apply the mask in the incident: from the Beginning, from the Middle, or from the End.
• The masking character is not configurable; it is always an X.

Masking Configuration
You can configure two types of Masking:
• You configure Role-based masking at the System > Login Management > Role screen.
NOTE
Role-based masking has priority over data identifier masking. You must "turn on" masking at the role level to
enable masking for roles and data identifiers. For example, if a role is set to unmasked, nothing is masked,
not even data identifier matches.
• You configure Data Identifier-based masking at the Manage > Policies > Data Identifier screen.

Masking Configuration Defaults


• Roles: Unmasked is the default. The role setting is the primary mask and controls all masking. Because the default role
setting is Unmasked, no masking is applied automatically. You must turn on masking at the role level before the Data
Identifier default mask takes effect.
• Data Identifiers: The default mask for all data identifiers is a 60% mask from the Beginning.
• PCI-standard masking can be selected for credit cards. You can also create a custom credit card data identifier with
this masking.
Setting Up Masking for Roles
Setting Up Masking for Data Identifiers

Setting Up Masking for Roles
Set masks by role to block viewing of sensitive incident data.
You can choose partial or 100% masking for a role. If you choose Masked, you can also set the percentage of an incident
that is masked. You can also set where to start masking: from the beginning, from the middle, or from the end.
NOTE
Role-based masking has priority over data identifier masking. You must "turn on" masking at the role level to
enable masking for roles and for data identifiers. For example, if a role is set to unmasked, nothing is masked,
not even data identifier matches.
1. Go to System > Login Management > Roles to configure a role.
2. See that the default role is Unmasked under Display Attributes > Matches.
3. Check Masked to set the role to use the masking pattern defined in Data Identifiers. For everything else, the default
masking is set to 50% from the Beginning.
4. Click Mask at 50% from the Beginning. These settings are the default for partial masking.
– Change the percentage to any whole percent in increments of 5 from 0 to 100.
– Change the location where the masking starts to the Beginning, the Middle, or the End.
– Choosing Masked at 100% completely masks sensitive data, other than Data Identifier matches.
– Choosing Masked at 0% enables Data Identifier masking to take effect for Data Identifier matches, but this setting
leaves other matches unmasked.
5. Continue configuring the role.
6. Click Save when you are done.

Setting Up Masking for Data Identifiers


Set masks on Data Identifiers to block viewing of sensitive incident data.
You can choose partial or full masking for a data identifier. You can choose partial masking with a default masking
of 60% from the beginning, or a specified masking percentage and location, or PCI-standard masking for credit card
numbers. You can also set where to start masking: from the beginning, from the middle, or from the end.
NOTE
Role-based masking has priority over data identifier masking. You must "turn on" masking at the role level to
enable masking for roles and data identifiers. For example, if a role is set to unmasked, nothing is masked, not
even data identifier matches.
1. Go to Manage > Policies > Data Identifiers > Masking Configuration.
2. Click Partial Masking. Choose one of the following options:
– Click Default Masking (60% from beginning, e.g., XXXX34) to set partial masking to the default value.
– Click Mask at 50% from the Beginning; this is the default setting for partial masking.
• Change the percentage that is masked to any whole percent in increments of 5 from 0 to 95.
• Change the location where the masking starts to Beginning, Middle, or End.
– Click PCI standard masking for credit card number data identifiers (for example, 2345-34XX-XXXX-5678).
NOTE
PCI masking is preselected for credit card number data identifiers. You should never select PCI masking
for other data identifiers. If you create a custom data identifier that matches a credit card number, then
you can choose the PCI masking option for that custom data identifier.
3. Alternatively, click Full Masking.
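As an added illustration (not Symantec code or the product's own implementation), the following Python model reproduces the masking rules stated in Capabilities of Masking and in the two setup procedures above: only alphanumeric characters are masked and count toward the percentage, punctuation stays visible, the mask is applied from the Beginning, Middle, or End, the mask character is always X, PCI-standard masking keeps the first six and last four digits, and a role set to Unmasked suppresses all masking while a Masked role defers to the Data Identifier pattern for Data Identifier matches and applies its own percentage to everything else. The function names, the round-half-up rule used when a percentage does not divide the character count evenly, and the sample values are assumptions; the product's exact rounding is not stated on this page.

```python
"""Model of the incident masking rules described in this section.

Added example, not Symantec code.  Function names, the round-half-up rule for
fractional character counts, and the sample values are assumptions.
"""
from typing import List, Optional, Tuple

MASK_CHAR = "X"                       # fixed by the product, not configurable
POSITIONS = ("beginning", "middle", "end")

# Role setting: None means Unmasked; (percent, position) means Masked at percent.
RoleMask = Optional[Tuple[int, str]]


def _alnum_indexes(text: str) -> List[int]:
    """Indexes of the characters that count toward the mask percentage."""
    return [i for i, ch in enumerate(text) if ch.isalnum()]


def _apply(text: str, indexes: List[int]) -> str:
    """Replace the characters at the given indexes with the mask character."""
    chars = list(text)
    for i in indexes:
        chars[i] = MASK_CHAR
    return "".join(chars)


def mask_text(text: str, percent: int, position: str = "beginning") -> str:
    """Mask `percent` of the alphanumeric characters, starting at `position`."""
    if not 0 <= percent <= 100 or percent % 5:
        raise ValueError("percent must be a whole multiple of 5 in 0..100")
    if position not in POSITIONS:
        raise ValueError("position must be one of %s" % (POSITIONS,))
    idx = _alnum_indexes(text)
    total = len(idx)
    count = int(total * percent / 100 + 0.5)     # assumption: round half up
    if position == "beginning":
        chosen = idx[:count]
    elif position == "end":
        chosen = idx[total - count:]
    else:                                        # middle: centre the masked run
        start = (total - count) // 2
        chosen = idx[start:start + count]
    return _apply(text, chosen)


def pci_mask(card_number: str) -> str:
    """PCI-standard masking: show only the first six and last four digits."""
    digits = [i for i, ch in enumerate(card_number) if ch.isdigit()]
    if len(digits) < 13:                         # assumption: guard non-card input
        raise ValueError("PCI masking expects a card-length digit string")
    return _apply(card_number, digits[6:-4])


class DataIdentifierMask:
    """Masking Configuration of one data identifier: partial, PCI, or full."""

    def __init__(self, kind: str = "partial", percent: int = 60,
                 position: str = "beginning") -> None:
        if kind not in ("partial", "pci", "full"):
            raise ValueError("kind must be partial, pci or full")
        self.kind, self.percent, self.position = kind, percent, position

    def apply(self, match: str) -> str:
        if self.kind == "pci":
            return pci_mask(match)
        if self.kind == "full":
            return mask_text(match, 100)
        return mask_text(match, self.percent, self.position)


DEFAULT_DI_MASK = DataIdentifierMask()           # product default: 60% from Beginning


def render_match(match: str, role: RoleMask,
                 di_mask: DataIdentifierMask = DEFAULT_DI_MASK,
                 is_di_match: bool = False) -> str:
    """Text a user in `role` sees for one match, applying role precedence."""
    if role is None:                 # role is Unmasked: nothing is masked at all
        return match
    if is_di_match:                  # Masked role defers to the Data Identifier pattern
        return di_mask.apply(match)
    percent, position = role         # everything else uses the role's own setting
    return mask_text(match, percent, position)


if __name__ == "__main__":
    # Constructed sample values, shaped like the examples in the text.
    print(mask_text("123-45-6789", 60))                   # XXX-XX-6789
    print(pci_mask("2345-3456-7890-5678"))                # 2345-34XX-XXXX-5678
    print(render_match("123-45-6789", role=None, is_di_match=True))
    print(render_match("123-45-6789", role=(0, "beginning"), is_di_match=True))
```

Running the script shows a 60% mask on a constructed SSN-shaped value producing XXX-XX-6789, as the text describes, and the same value left fully visible when the role is Unmasked even though the data identifier default is 60%; only a Masked role (even at 0%) lets the data identifier pattern take effect.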

About Symantec Data Loss Prevention Reports
Use incident reports to track and respond to incidents. Symantec Data Loss Prevention reports an incident when it detects
data that matches the detection parameters of a policy rule.
The data can include specific file content, an email sender or recipient, attachment file properties, or many other types of
information.
Each piece of data that matches detection parameters is called a match, and a single incident may include any number of
individual matches.
You can set a hiding flag on an incident to indicate that the incident has been hidden. By default, hidden incidents do
not appear in incident reports, but you can include them in incident reports by setting Advanced Filters for the report.
Including hidden incidents in a report may slow down reporting activities.
Incident Hiding
Symantec Data Loss Prevention tracks incidents for all detection servers. These servers include Network Discover Server,
Network Monitor Server, Network Prevent for Email Server, Network Prevent for Web Server, and Endpoint Server.
You can specify the reports Symantec Data Loss Prevention displays in the navigation panel.
Setting Report Preferences
Symantec Data Loss Prevention provides the following types of incident reports:
• Incident lists show the individual incident records that contain information such as severity, associated policy, number
of matches, and status. You can click any incident to see a snapshot containing more details. And you can select
specific incidents or groups of incidents to modify or remediate.
Symantec Data Loss Prevention provides separate reports for incidents by selecting Network, Endpoint, Discover, or
Cloud Applications and API Appliance.
• Summaries provide summary information about the incidents on your system. They are organized with either one or
two summary criteria. A single-summary report is organized with a single summary criterion, such as the policy that
is associated with each incident. A double-summary report is organized with two criteria, such as policy and incident
status. By default, hidden incidents do not appear in the counts that display in summary reports, but you can set
Advanced Filters to include the hidden incidents. (Incident Hiding).
• Dashboards combine information from several reports. They include graphs and incident totals representing the
contents of various incident lists and summaries. Graphs can sometimes contain lists of high-severity incidents or
lists of summary groups. You can click report portlets (the individual tiles that contain report data) to drill down to the
detailed versions of the reports.
Executive summaries are similar to dashboards. They include similar information arranged in an intuitive and
easy-to-read manner. You cannot customize an executive summary. Executive summaries do not include report portlets.
Symantec Data Loss Prevention ships with executive summaries for Network, Endpoint, Discover and Users
incidents.
You can create and save customized versions of all reports (except executive summaries) for continued use.
About custom reports and dashboards
Symantec Data Loss Prevention displays reports in separate sections on the Incident > All Reports screen as
follows:
• The Saved Reports section contains any shared reports that are associated with your current role. This section
appears only if you or other users in your current role have created saved reports.

• The All Channels section contains Symantec-provided incident lists, summaries, and dashboards for all incidents.
It includes a Policy Summary, which is a list of all incidents that are grouped by Policy. It also includes an Incident
Type Summary, which is a list of all incidents that are grouped by Type.
• The Network section contains Symantec-provided incident lists, summaries, and dashboards for network incidents.
• The Endpoint section contains Symantec-provided incident lists, summaries, and dashboards for endpoint incidents.
Endpoint reports include the incidents that Endpoint captures, such as Endpoint Block and Endpoint Notify incidents.
Incidents that Endpoint Discover captures appear in Discover reports.
• The Discover section contains Symantec-provided incident lists, summaries, and dashboards for Network Discover
and Endpoint Discover incidents.
• The Applications (Cloud and API Appliance) section contains Symantec-provided incident lists and summaries for
cloud application incidents.
• The Users section contains a user list and a user risk summary, which displays users and their associated Email and
Endpoint incidents.

About Strategies for Using Reports


Many companies configure their Symantec Data Loss Prevention reporting to accommodate the following
primary roles:
• An executive responsible for overall risk reduction who monitors risk trends and develops high-level initiatives to
respond to those trends.
The executive monitors dashboards and summary reports (to get a general picture of data loss trends in the
organization). The executive also develops programs and initiatives to reduce risk, and communicates this information
to policy authors and incident responders. The executive often monitors reports through email or some other exported
report format.
Symantec Data Loss Prevention dashboards and summary reports let you monitor risk trends in your organization.
These reports provide a high-level overview of incidents. Executives and managers can quickly evaluate risk trends
and advise policy authors and incident responders how to address these trends. You can view existing summary
reports and dashboards. You can also create customized versions of these reports.
About dashboard reports and executive summaries
About summary reports
• An incident responder, such as an InfoSec Analyst or InfoSec Manager, who monitors and responds to particular
incidents.
The responder monitors incident reports and snapshots to respond to the incidents that are associated with a particular
policy group, organizational department, or geographic location. The responder may also author policies to reduce
risk. These policies can originate either at the direction of a risk reduction manager or based on their own experience
tracking incidents.
About incident remediation

Setting Report Preferences


You can specify your preferences for the reports that Symantec Data Loss Prevention displays in the navigation panel for
each of the report types.
1. In the Enforce Server administration console, on the Incidents menu, click All Reports.
2. On the All Reports screen, click Edit Preferences.
The Edit Report Preferences screen lists any saved reports (for all your assigned roles).
The screen also lists Network, Endpoint, Discover, and Applications (Cloud and API Appliance) reports.

3. To display a report in the list, check the Show Report box for that report. To remove a report from the list, clear the
Show Report box for that report.
The selected list of reports displays in a left navigation panel for each of the types of reports.
For example, to see the list of Network reports, on the Incidents menu, click Network.
4. Click Save.

About custom reports and dashboards

About Incident Reports


Use incident reports to track and respond to incidents on your network. Symantec Data Loss Prevention reports an
incident when it detects data that matches a detection rule in an active policy. Such data may include specific file content,
an email sender or recipient, attachment file properties, or many other types of information. Each piece of data that
matches a detection rule is called a match, and a single incident may include any number of individual matches.
NOTE
To configure which reports appear in the navigation panel, go to All Reports and click Edit Preferences.
Symantec Data Loss Prevention provides the following types of incident reports:

Incident lists: These show individual incident records containing information such as severity, associated policy, number of matches, and status. You can click on any incident to view a snapshot containing more details. You can select specific incidents or groups of incidents to modify or remediate.

Summaries: These show incident totals organized by a specific incident attribute such as status or associated policy. For example, a Policy Summary includes rows for all policies that have associated incidents. Each row includes a policy name, the total number of associated incidents, and incident totals by severity. You can click on any severity total to view the list of relevant incidents.

Double summaries: These show incident totals organized by two incident attributes. For example, a policy trend summary shows the total incidents by policy and by week. Similar to the policy summary, each entry includes a policy name, the total number of associated incidents, and incident totals by severity. In addition, each entry includes a separate line for each week, showing the week's incident totals and incidents by severity.

Dashboards and executive summaries: These are quick-reference dashboards that combine information from several reports. They include graphs and incident totals representing the contents of various incident lists, summaries, and double summaries. Graphs are sometimes beside lists of high-severity incidents or lists of summary groups. You can click on constituent report names to drill down to the reports that are represented on the dashboard. Symantec Data Loss Prevention ships with executive summaries for Network, Endpoint, and Discover reports, and these are not customizable. You can create dashboards yourself, and customize them as desired.

Custom: Lists the shared reports that are associated with your current role. (Such reports appear only if you or other users in your current role have created them.)

Network: Lists the network incident reports.

Endpoint: Lists the Endpoint incident reports. Endpoint reports include incidents such as Endpoint Block and Endpoint Notify incidents. Incidents from Endpoint Discover are included in Discover reports.

Discover: Lists Network Discover and Endpoint Discover incident reports. The folder risk report displays file share folders ranked by prioritized risk. The risk score is based on the relevant information from the Symantec Data Loss Prevention incidents plus the information from the VML Management Server.

Cloud Applications and API Appliance: Lists Cloud Applications and API Appliance reports.

Users: The User List lists the data users in your organization. The User Risk Summary lists all users with their associated Email and Endpoint incidents.

About custom reports and dashboards


Common incident report features

About dashboard reports and executive summaries


Dashboards and executive summaries are the quick-reference report screens that present summary information from
several incident reports.
About incident reports
Dashboards have two columns of reports. The left column displays a pie chart or graph and an incident totals bar. The
right column displays the same types of information as in the left column. The right column also displays either a list of
the most significant incidents or a list of summary items with associated incident totals. The most significant incidents are
ranked using severity and match count. You can click on a report to see the full report it represents.
Dashboards consist of up to six portlets, each providing a quick summary of a report you specify.
You can create customized dashboards for users with specific security responsibilities. If you choose to share a
dashboard, the dashboard is accessible to all users in the role under which you create it. (Note that the Administrator user
cannot create shared dashboards.)
Dashboards have two columns of report portlets (tiles that contain report data). Portlets in the left column display a
pie chart or graph and the totals bar. Portlets in the right column display the same types of information as those in the
left. However, they also display either a list of the most significant incidents or a list of summary criteria and associated
incidents. The incidents are ranked using severity and match count. The summary criteria highlight any high-severity
incident totals. You can choose up to three reports to include in the left column and up to three reports to include in the
right column.
To create custom dashboards, click Incident Reports at the top of the navigation panel and, in the Incident Reports
screen that appears, click Create Dashboard. The Administrator can create only private dashboards, but other users can
decide whether to share a new dashboard or keep it private.
About custom reports and dashboards
To edit the contents of any custom dashboard, go to the desired dashboard and click Customize near the top of the
screen.
Configuring dashboard reports
To display a custom dashboard at logon, specify it as the default logon report.
Setting report preferences
Symantec Data Loss Prevention includes three executive summaries: Executive Summary - Discover, Executive
Summary - Endpoint, and Executive Summary - Network. Unlike dashboards, executive summaries cannot be created
or customized.
Executive summaries include the following reports:
Executive Summary - Discover
• Policy Distribution across Targets: A pie chart that specifies the distribution of policies across various Discover scan
targets, including the percentage and number of incidents generated per policy.
• Top 5 Content Roots: A bar graph displaying the top five content roots that have generated incidents, including the
severity of the incidents generated for each content root.
• Top 5 Target Summary: A bar graph displaying the top five incident-generating targets from the last completed
Discover scan, including the severity of the incidents generated on each target.
• Status by Target: A pie chart that specifies the status of various Discover scan targets, including the percentage and
number of incidents generated per policy.
Executive Summary - Endpoint
• Policy Summary: A pie chart that specifies the number and percentage of incidents for each Endpoint policy.
• Top 5 Highest Offenders: A bar graph that displays the top five incident generating endpoints, including the severity
of the incidents associated with each endpoint.
• Top 5 Incident Type Summary: A bar graph that displays the top five incident types, such as Clipboard or Local Drive.
• User Justification Summary: A pie chart displaying the types of user justifications for endpoint incidents, including
the percentage for each justification.
• Endpoint Location Summary: A pie chart displaying the connection status for incident-generating endpoints.
• Incident Status Summary: A pie chart displaying the status of all endpoint incidents, with a percentage for each
status category.
Executive Summary - Network
• Policy Summary: A pie chart that specifies the number and percentage of incidents for each Network policy.
• Top 5 High Risk Senders: A bar graph that displays the top five high-risk senders, including the severity of the
incidents associated with each sender.
• Top 5 Protocol Summary: A bar graph that displays the top five incident-generating network protocols, including the
severity of the incidents associated with each protocol.
• Top 5 Recipient Domains: A bar graph that displays the top five incident-generating recipient domains, including the
severity of the incidents associated with each domain.
• Status by Week: A bar graph displaying the incidents of the last 30 days, broken down by week, and including the
severity of the incidents generated.
• Sender IP Summary: A pie chart displaying the incident-generating sender IP addresses, including the number and
percentage of incidents per sender IP.

Viewing dashboards
This procedure shows you how to view a dashboard.
To view a dashboard
1. In the Enforce Server administration console, on the Incidents menu, click Incident Reports. Under Reports, click
the name of a dashboard.
Dashboards consist of up to six portlets that each provide a summary of a particular report.
2. To see the entire report for a portlet, click the portlet.
Symantec Data Loss Prevention displays the appropriate incident list or summary report.
3. Browse through the incident list or summary report.
Viewing Incidents
About summary reports
Creating dashboard reports
You can create custom dashboards and reports.
If you are logged on as a user other than the administrator, Symantec Data Loss Prevention lets you choose whether to
share your dashboard or keep it private.
To create a dashboard
1. In the Enforce Server administration console, on the Incidents menu, click Incident Reports.
2. On the Incident Reports screen that appears, click Create Dashboard.
The Configure Dashboard screen appears.
3. Choose whether to share your dashboard or keep it private.
If you choose to share a dashboard, the dashboard is accessible to all users assigned the role under which you create
it.
If you are logged on as Administrator, you do not see this choice.
NOTE
Symantec Data Loss Prevention automatically designates all dashboards that the administrator creates as
private.
Click Next.
4. In the General section, for Name, type a name for the dashboard.
5. For Description, type an optional description for the dashboard.
6. In the Delivery Schedule section, you can regenerate and send the dashboard report to specified email accounts.
If SMTP is not set up on your Enforce Server, you do not see the Delivery Schedule section.
If you have configured your system to send alerts and reports, you can set a time to regenerate and send the
dashboard report to specified email accounts.

If you have not configured Symantec Data Loss Prevention to send reports, skip to the next step.
To set a schedule, locate the Delivery Schedule section and select an option from the Schedule drop-down list. (You
can alternatively select No Schedule.)
For example, select Send Weekly On.
Enter the data that is required for your Schedule choice. Required information includes one or more email addresses
(separated by commas). It may also include calendar date, time of day, day of the week, day of the month, or last date
to send.
Delivery schedule options for dashboard reports
7. For the Left Column, you can choose what to display in a pie chart or graph. For the Right Column, you can also
display a table of the information.
Choosing reports to include in a dashboard
Select a report from as many as three of the Left Column (Chart Only) drop-down lists. Then select a report from as
many as three of the Right Column (Chart and Table) drop-down lists.
8. Click Save.
9. You can edit the dashboard later from the Edit Report Preferences screen.
To display a custom dashboard at logon, specify it as the default logon report on the Edit Report Preferences screen.
Editing custom dashboards and reports

About incident reports


Configuring dashboard reports
About custom reports and dashboards

Configuring dashboard reports


You can create the custom dashboards that are tailored for users with specific roles.
Dashboards consist of up to six portlets, each providing a quick summary of a report you specify.
If you choose to share a dashboard, the dashboard is accessible to all users assigned the role under which you create it.
NOTE
The Administrator user cannot create shared dashboards.
To configure a custom dashboard
1. In the General section, for Name, type a name for the dashboard.
2. For Description, type an optional description for the dashboard.
3. In the Delivery Schedule section, you can regenerate and send the dashboard report to specified email accounts.
If SMTP is not set up on your Enforce Server, you do not see the Delivery Schedule section.
If you have configured your system to send alerts and reports, you can set a time to regenerate and send the
dashboard report to specified email accounts.

If you have not configured Symantec Data Loss Prevention to send reports, skip to the next step.
To set a schedule, locate the Delivery Schedule section and select an option from the Schedule drop-down list. (You
can alternatively select No Schedule.)
For example, select Send Weekly On.
Enter the data that is required for your Schedule choice. Required information includes one or more email addresses
(separated by commas). It may also include calendar date, time of day, day of the week, day of the month, or last date
to send.
Delivery schedule options for dashboard reports
4. For the Left Column, you can choose what to display in a pie chart or graph. For the Right Column, you can also
display a table of the information.
Choosing reports to include in a dashboard
Select a report from as many as three of the Left Column (Chart Only) drop-down lists. Then select a report from as
many as three of the Right Column (Chart and Table) drop-down lists.
5. Click Save.
6. You can edit the dashboard later from the Edit Report Preferences screen.
To display a custom dashboard at logon, specify it as the default logon report on the Edit Report Preferences screen.
Editing custom dashboards and reports

About Incident Reports


About custom reports and dashboards
Choosing reports to include in a dashboard
Dashboards have two columns of report portlets.
Portlets in the left column display a pie chart or graph.
Portlets in the right column display the same information as those in the left. They also display either a list of the most
significant incidents or a summary. Incidents are ranked by severity and match count. You can display a list of summary
criteria and associated incidents that highlights any high-severity incident totals.
You can choose up to three reports to include in the left column, and up to three reports to include in the right column.
To choose reports to include
1. Choose a report from as many as three of the Left Column (Chart Only) drop-down lists.
2. Choose a report from as many as three of the Right Column (Chart and Table) drop-down lists.
3. After you configure the dashboard, click Save.

Configuring dashboard reports

About summary reports


Symantec Data Loss Prevention provides two types of summary reports: single summaries and double summaries.
Single summaries show incident totals organized by a specific incident attribute such as status or associated policy. For
example, a policy summary includes a row for each policy that has associated incidents. Each row includes a policy name,
the total number of associated incidents, and incident totals by severity.
Double summaries show incident totals organized by two incident attributes. For example, a policy trend summary shows
the total incidents organized by policy and by week. As in a policy summary, each entry includes a policy name,
the total number of associated incidents, and incident totals by severity. In addition, each entry includes a separate line for
each week, showing the week's incident totals and incidents by severity.
Summary options for incident reports
You can create custom summary reports from any incident list.

Viewing summary reports


This procedure shows you how to view a summary report.
To view a summary report
1. In the Enforce Server administration console, on the Incidents menu, select one of the types of reports.
For example, select Network, and then click Policy Summary.
The report consists of summary entries (rows) that are divided into several columns. The first column is named for
the primary summary criterion. It lists primary and (for double summaries) secondary summary items. For example,
in a Policy Summary this column is named Policy and it lists policies. Each entry includes a column for total
number of associated incidents. It also includes columns showing the number of incidents of High, Medium, Low, and
Informational severity. Finally, it includes a bar chart that represents the number of incidents by severity.
2. Optionally, you can sort the report alphanumerically by a particular column's data. To do so, click that column
heading. To sort in reverse order, click the column heading a second time.
3. To identify areas of potential risk, click the High column heading to display summary entries by number of high-severity
incidents.
4. Click an entry to see a list of associated incidents. In any of the severity columns, you can click the total to see a list of
incidents of the chosen severity.
Viewing Incidents

Creating summary reports


This procedure shows you how to create a summary report.
To create a summary report from an incident list
1. In the Enforce Server administration console, on the Incidents menu, select one of the types of reports, and then click
an incident list.
For example, select Discover, and then the report Incidents-All Scans.
2. Click the Advanced Filters & Summarization bar (near the top of the report).
In the Summarize By primary listbox and secondary listbox that appear, Symantec Data Loss Prevention displays
all Symantec-provided criteria in alphabetical order. These criteria precede any custom criteria that the administrator has
defined.
Summary options for incident reports
3. Select a criterion from the primary listbox, and an optional criterion from the secondary listbox. For example, select
Policy Group and then Policy. (Note that options in the secondary listbox appear only after you choose an option
from the primary listbox.)
4. To create the summary report, click Apply.
Summary reports take their name from the primary summary criterion. If you rerun a report with new criteria, the report
name changes accordingly.
5. Save the report.
Saving custom incident reports

About custom reports and dashboards


You can filter and summarize reports, and then save them for continued use. When saving a customized report, you can
configure Symantec Data Loss Prevention to send the report according to a specific schedule.
Symantec Data Loss Prevention displays the titles of customized reports under Incidents > All Reports.
The All Reports screen displays all out-of-the-box and custom reports available to your assigned role(s). The list includes
shared custom reports and the dashboards that you or anyone else in your current role created. Several standard reports
are available with Symantec Data Loss Prevention.
Symantec Data Loss Prevention displays each report's name, associated product, and description. For custom reports,
Symantec Data Loss Prevention indicates whether the report is shared or private and displays the report generation and
delivery schedule.
You can modify existing reports and save them as custom reports, and you can also create custom dashboards. Custom
reports and dashboards are listed in the Saved Reports section of the navigation panel.
You can click any report on the list to re-run it with current data.
You can view and run custom reports for reports created by users who have any of the roles that are assigned to you. You
can only edit or delete the custom reports that are associated with the current role. The only custom reports visible to the
Administrator are the reports that the Administrator user created.
A set of tables lists all the options available for filtering and summarizing reports.
About summary reports
Summary options for incident reports
General filters for reports
Advanced filter options for reports

Create Dashboard: Lets you create a custom dashboard that displays summary data from several reports you specify. For users other than the Administrator, this option leads to the Configure Dashboard screen, where you specify whether the dashboard is private or shared. All Administrator dashboards are private.
Creating dashboard reports

Saved (custom) reports associated with your role appear near the top of the screen.
The following options are available for your current role's custom reports:

Click this icon next to a report to display the save report or configure dashboard screen. You can change the name,
description, or schedule, or (for dashboards only) change the reports to include.
Saving custom incident reports
Configuring dashboard reports
Click this icon next to a report to display the screen to change the scheduling of this report. If this icon does not
display, then this report is not currently scheduled.
Saving custom incident reports
Click this icon next to a report to delete that report. A dialog prompts you to confirm the deletion. When you delete a
report, you cannot retrieve it. Make sure that no other role members need the report before you delete it.

Using IT Analytics to manage incidents


IT Analytics Solution is a Business Intelligence (BI) application that complements and expands upon the reporting that
is offered by Symantec Data Loss Prevention. It provides multi-dimensional analysis and robust graphical reporting
features to Symantec Management Platform. This functionality lets you create on-the-fly ad-hoc reports without advanced
knowledge of databases or third-party reporting tools. IT Analytics provides this powerful on-the-fly ad-hoc reporting
with pivot tables, pre-compiled aggregations for fast answers to typically long-running queries, and easy export to .PDF,
Excel, .CSV and .TIF files.
For more information, see the IT Analytics landing page at the Symantec Support Center, at https://support.symantec.com/en_US/dpl.56005.html.

Filtering Incident Lists and Reports using the Filter By controls


On the Incidents > All Channels > Incidents - New page, you can filter an incident list or summary report. To add filters,
use the Filter By tools to the left of the screen or the Column Preferences action menu. You can search for and select
options from the drop-down lists. The filters that you choose are listed in the Pending filter bar at the top of the
Incidents page. Then, you can save the filter preferences using the drop-down lists in the Column Preferences action menu.
NOTE
• For All Reports, Network, and Endpoint reports, the default filters are Severity, Status, and Date.
• For Discover reports, the default filters are Severity, Status, Detection Date, Scan, and Target ID.
• For Cloud Applications and API Appliance reports, the default filters are Severity, Status, Date,
Application Name, and Data Type.
1. Go to Incidents > All Channels in the Enforce Server administration console.
In the Filter By area, Quick Filters are displayed. Options for Advanced filters are also displayed.
2. Choose a Type.
If you don't choose a Type, incidents from all types are displayed. You can choose from Network, Endpoint,
Discover, or Cloud Applications and API Appliance.
3. Choose a Severity.
You can choose any combination of High, Medium, Low, and Info severities.
4. Choose a Status.
For example, in the Status filter area, select Equals or Is Any Of or Is None Of and New.
5. Click Apply to update the list or report.
6. Click the disk icon in the upper left to save the report.
7. Clear All, at the top right, clears all the filters that you have created.
Saving custom incident reports

Saving custom incident reports


After you summarize or filter a report, you can save it for continued use. When you save a customized report, Symantec
Data Loss Prevention displays the report title under Saved Reports in the All Reports section. If a user chooses to share
the report, Symantec Data Loss Prevention displays the report link only for users who have the same role as the user who
created the report.
About custom reports and dashboards
You can edit the report later on the Edit Preferences screen.
Editing custom dashboards and reports
Optionally, you can schedule the report to be run regularly.
Scheduling custom incident reports
To save a custom report
1. Set up a customized filter or summary report.
About custom reports and dashboards
2. Click the disk icon to save the report.
3. In the Save Report dialog, edit the Name and Description fields. The report name can include up to 50 characters.
4. In the Sharing section, users other than the administrator can share a custom report.
NOTE
The Sharing section does not appear for the administrator.
The Sharing section lets you specify whether to keep the report private or share it with other role members. Role
members are other users who are assigned to the same role. To share the report, select Share Report. All role
members now have access to this report, and all can edit or delete the report. If your account is deleted from the
system, shared reports remain in the system. Shared reports are associated with the role, not with any specific user
account. If you do not share a report, you are the only user who can access it. If your account is deleted from the
system, your private reports are deleted as well. If you log on with a different role, the report is visible on the All
Reports screen, but not accessible to you.
5. Click Save As.

Scheduling Custom Incident Reports


Optionally, you can schedule a saved report to be run automatically on a regular basis.
You can also schedule the report to be emailed to specified addresses or to the data owners on a regular schedule.

To schedule a custom report


1. Click Send > Schedule Distribution.
If SMTP is not set up on your Enforce Server, you are not able to select the Send menu item to send the report.

2. Specify the Delivery Details:

To: Select whether the report is sent to specified email addresses or to the data owners.
  Manual - Sent to specified e-mail addresses: Enter the specific email addresses manually in the text box.
  Auto - Send to incident data owners: This option appears only if the Send report data with emails setting is enabled. If you select to have the report sent to the incident data owners, then the report is sent to the email address in the incident attribute Data Owner Email Address. This Data Owner Email Address must be set manually, or with a lookup plug-in. A maximum of 10000 incidents can be distributed per data owner.
CC: Enter the email addresses manually in the text box.
Subject: Use the default subject or modify it.
Body: Enter the body of the email. Response action variables can also be entered in the body.
Response action variables

3. In the Schedule Delivery section, specify the delivery schedule.


Delivery schedule options for incident and system reports
4. In the Change Incident Status / Attributes section, you can implement workflow.
The Auto - Send to incident data owners option must be set for this section to appear.

5. After sending the report, you can change an incident's status to any of the valid values. Select a status value from the
drop-down list.
6. You can also enter new values for any custom attributes.
These attributes must be already set up.
About incident status attributes
7. Select one of the custom attributes from the drop-down list.
8. Click Add.
9. In the text box, enter the new value for this custom attribute.
After sending the report, the selected custom attributes set the new values for those incidents that were sent in the
report.
10. Click Next.
11. Enter the name and description of the saved report.
12. Click Save.

Delivery Schedule Options for Incident and System Reports


The Schedule Delivery section lets you set up a schedule for the report.
NOTE
The Schedule Delivery section only appears when your Enforce Server is configured to send email and if you
are allowed to send reports.
When you make a selection from the list, more fields appear.
To remove scheduling of a report that was previously scheduled, click the Remove option.
The following table describes the additional fields available for each option on the list.

Delivery Details: Specify the following delivery details:
• Send To
Select Manual to enter the email addresses yourself. Select Auto to send the report automatically to the data owners.
• To
Enter one or more email addresses. Separate them with commas.
• CC
Enter one or more email addresses. Separate them with commas.
• Subject
Provide a subject for the email.
• Body
Enter the body of the email. Use variables for items such as the policy name.
Response action variables

One time: Select One time to schedule the report to be run once at a future time, and then specify the following details for that report:
• Time
Select the time that you want to generate the report.
• Send Date
Enter the date that you want to generate the report, or click the date widget and select a date.

By Minute: Select By Minute to schedule the report to be run by the minute, and then specify the following details for that report:
• Every (x minutes)
Select how often you want to generate the report, in increments of 5 minutes.
• Until
Click the date widget and enter the date that you want to stop generating reports. Click Indefinitely to let the report run indefinitely.

Hourly: Select Hourly to schedule the report to be run by the hour, and then specify the following details for that report:
• Every (x hours)
Select the time that you want to generate the report.
• Until
Click the date widget and enter the date that you want to stop generating reports. Click Indefinitely to let the report run indefinitely.

Daily: Select Daily to schedule the report to run every day. Then specify the following details for that report:
• Time
Select the time that you want to generate the report.
• Until
Enter the date that you want to stop generating daily reports. Click the date widget and select a date, or select Indefinitely.

Weekly: Select Weekly on to schedule the report to be run every week, and then specify the following details for that report:
• Time
Select the time that you want to generate the report.
• Days of Week
Check one or more check boxes to indicate the days of the week on which you want to generate the report.
• Until
Enter the date that you want to stop generating weekly reports. Click the date widget and select a date, or select Indefinitely.

Monthly: Select Monthly to schedule the report to run every month. Then specify the following details for that report:
• Time
Select the time that you want to generate the report.
• Day of Month
Enter the date on which you want to generate the report each month.
• Until
Enter the date that you want to stop generating monthly reports. Click the date widget and select a date, or select Indefinitely.

Custom: Select Custom to schedule the report to run on a custom schedule. Specify the following details for that report:
• Every
Select the interval at which you want to generate the report, in hours or minutes.
• Until
Click the date widget and enter the date that you want to stop generating reports. Click Indefinitely to let the report run indefinitely.

Saving custom incident reports

Delivery schedule options for dashboard reports


The Delivery Schedule section lets you set up a schedule for the report.
NOTE
If your Enforce Server is not configured to send email, or you are not allowed to send reports, the Delivery
Schedule section does not appear.
When you make a selection from the Schedule drop-down list, additional fields appear.
The following table describes the additional fields available for each option on the list.

No Schedule: Select No Schedule to save the report without a schedule.

Once: Select Once to schedule the report to be run once at a future time, and then specify the following details for that report:
• On
Enter the date you want to generate the report, or click the date widget and select a date.
• At
Select the time you want to generate the report.
• Send To
Enter one or more email addresses. Separate them with commas.

Send Every Day: Select Send Every Day to schedule the report to be run every day, and then specify the following details for that report:
• At
Select the time you want to generate the report.
• Until
Enter the date you want to stop generating daily reports, click the date widget and select a date, or select Indefinitely.
• Send To
Enter one or more email addresses. Separate them with commas.

Send Weekly On: Select Send Weekly on to schedule the report to be run every week, and then specify the following details for that report:
• Day
Check one or more check boxes to indicate the day(s) of the week on which you want to generate the report.
• At
Select the time you want to generate the report.
• Until
Enter the date you want to stop generating weekly reports, click the date widget and select a date, or select Indefinitely.
• Send To
Enter one or more email addresses. Separate them with commas.

Send Monthly On: Select Send Monthly on to schedule the report to be run every month, and then specify the following details for that report:
• Day of each month
Enter the date on which you want to generate the report each month.
• At
Select the time you want to generate the report.
• Until
Enter the date you want to stop generating monthly reports, click the date widget and select a date, or select Indefinitely.
• Send To
Enter one or more email addresses. Separate them with commas.

Configuring dashboard reports

Using the date widget to schedule reports


The date widget specifies dates for reports.
The date widget enters the date for you. You can click Today to enter the current date.
To use the date widget

1. Click the date widget.
2. Click the left arrow or the right arrow on either side of the month to change the month.
3. Click the left arrow or the right arrow on either side of the year to change the year.
4. Click the desired date on the calendar.

Editing custom dashboards and reports


You can edit any custom report or dashboard that you create.
To edit a custom dashboard or report
1. In the Enforce Server administration console, on the Incidents menu, select Incident Reports.
The Incident Reports dashboard appears and displays Saved Reports near the top.
2. Click the edit icon next to the report or dashboard to edit.
The Save Report screen or the Save Dashboard screen appears. You can edit the name, description, and schedule
of any custom report or dashboard, and you can select different component reports for a custom dashboard.
Saving custom incident reports
3. When you finish editing, click Save.

Exporting Incident Reports


A report can be exported to a comma-separated text (CSV) file or to a JSON file.
NOTE
Legacy XML is deprecated in DLP 16.0 and is not available in subsequent DLP releases. Reports that are
exported in XML are limited to the hard-coded, DLP 15.8 format and are not customizable. You can only export
reports in XML for specific channels. You cannot export All Channels (Common) reports to XML.
Any options that you add must be set in your profile with Apply before you export a report.
1. Go to Incidents > All Channels > Incidents - New (for example).
2. Click the folder icon to view saved reports or the spreadsheet icon to view system reports.
3. Navigate to the report that you want to export. For example, choose Policy Summary. Filter or summarize the incidents
in the report, as desired.
Common incident report features
4. Check the boxes on the left side of the incidents to select the incidents to export.
5. Click the Export icon (up arrow) and select Export as CSV or Export as JSON. For this example, choose Export as
CSV.
6. An Export All: CSV dialog appears.
7. Using the checkboxes, select the report columns to export. You can use the search bar at the top to find available
columns for this report.
8. Click Export as CSV.
9. You can see your exported report in a popup that appears in the upper right of the screen. Click the report to open it.

Exported Fields for Common Reports


Exported fields for Network Monitor
Exported fields for Endpoint Discover

Exported fields for Network Discover
Printing incident reports
Sending incident reports by email

Exported fields for Network Monitor


The following fields are exported for Network Monitor:

Type: Incident type (for example SMTP, HTTP, or FTP).
Message Status: Status of this incident message.
Severity: Severity of this incident (High, Medium, or Low).
Sent: Date and time the message was sent.
ID: Unique identifier for this incident.
Policy: Name of the policy that triggered this incident.
Matches: The number of times that this item matches the detection parameters of a policy rule.
Subject: Subject of the message.
Recipient(s): Recipient of the message.
Status: Status of this incident (New, Escalated, Dismissed, or Closed).
Has Attachment: Indicates if this message has an attachment.
Data Owner Name: The person responsible for remediating the incident. This field must be set manually, or with one of the lookup plug-ins. Reports can automatically be sent to the data owner for remediation.
Data Owner Email: The email address of the person responsible for remediating the incident. This field must be set manually, or with one of the lookup plug-ins.

Custom attributes are also exported.

Exported fields for Network Discover


The following fields are exported for Network Discover:

Type: Target type (for example file system, Lotus Notes, or SQL Database).
Message Status: Status of this incident message.
Severity: Severity of this incident (High, Medium, or Low).
Detection Date: Date that an incident was detected.
Seen Before: Was this incident previously seen? The value is Yes or No.
Subject: Email subject for integrated Exchange scans.
Sender: Email sender for integrated Exchange scans.
Recipient: Email recipient for integrated Exchange scans.
ID: Unique identifier for this incident.
Policy: Name of the policy that triggered this incident.
Matches: The number of times that this item matches the detection parameters of a policy rule.
Location: Location (path) of this item.
Status: Status of this incident (New, Escalated, Dismissed, or Closed).
Target: Name of the scan target.
Scan: Date and time when the file was scanned.
File Owner: Owner of the file.
Last Modified Date: Date and time when the item was last modified.
File Create Date: Date and time when the item was created.
Last Access Date: Date and time when the item was last accessed (not shown for NFS targets).
Data Owner Name: The person responsible for remediating the incident. This field must be set manually, or with one of the lookup plug-ins. Reports can automatically be sent to the data owner for remediation.
Data Owner Email: The email address of the person responsible for remediating the incident. This field must be set manually, or with one of the lookup plug-ins.

Custom attributes are also exported.

Exported fields for Endpoint Discover


The following fields are exported for Endpoint Discover:

Type: Target type (for example Removable Storage).
Severity: Severity of this incident (High, Medium, or Low).
Occurred On: Date that an incident was detected.
ID: Unique identifier for this incident.
Policy: Name of the policy that triggered this incident.
Matches: The number of times that this item matches the detection parameters of a policy rule.
Status: Status of this incident (New, Escalated, Dismissed, or Closed).
File Name: Name of the file that violated the policy.
File Path: Path of the file. Note: The file location appears only for fixed drive incidents.
Machine: Computer on which the incident occurred.
User: Endpoint user name.
Prevention Status: Status from Endpoint (for example Action Blocked).
Subject: Subject of the message.
Recipient(s): Recipient of the message.
Has Attachment: Indicates if this message has an attachment.
Data Owner Name: The person responsible for remediating the incident. This field must be set manually, or with one of the lookup plug-ins. Reports can automatically be sent to the data owner for remediation.
Data Owner Email: The email address of the person responsible for remediating the incident. This field must be set manually, or with one of the lookup plug-ins.

Custom attributes are also exported.
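The exported field lists above (Network Monitor, Network Discover and Endpoint Discover) are what an analyst gets when a report is exported as CSV. The following is an added example, not code from the Symantec documentation or product, that reads such an export using the Network Monitor column names, builds a single-summary view per policy, and lists the open incidents that carry no Data Owner Email and therefore cannot be sent to a data owner for remediation. The sample rows, policy names, addresses and Message Status values are constructed for this example; the same parser serves the Network Discover and Endpoint Discover exports if REQUIRED_COLUMNS is adjusted to their field names.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export using the Network Monitor column names documented
# above. Rows, policy names, addresses and Message Status values are invented.
SAMPLE_EXPORT = """\
Type,Message Status,Severity,Sent,ID,Policy,Matches,Subject,Recipient(s),Status,Has Attachment,Data Owner Name,Data Owner Email
SMTP,Delivered,High,2023-09-01 10:15,1001,PCI Card Numbers,12,Q3 invoices,partner@example.net,New,Yes,Alice Example,alice@example.com
HTTP,Blocked,Medium,2023-09-01 11:02,1002,Source Code,3,upload,paste.example.org,Escalated,No,,
FTP,Delivered,High,2023-09-02 08:40,1003,PCI Card Numbers,40,,ftp.example.net,New,Yes,Bob Example,bob@example.com
SMTP,Delivered,Low,2023-09-02 09:12,1004,Customer PII,1,Re: lunch,"a@example.com, b@example.com",Dismissed,No,,
"""

# Columns every row must carry for the functions below to work.
REQUIRED_COLUMNS = {"ID", "Policy", "Severity", "Status", "Matches", "Data Owner Email"}

# Incident Status values that still need an analyst's attention.
OPEN_STATUSES = ("New", "Escalated")


def load_export(text):
    """Parse an exported CSV into a list of row dicts, validating the header first."""
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export is missing columns: {sorted(missing)}")
    rows = list(reader)
    for row in rows:
        row["Matches"] = int(row["Matches"])  # match counts are exported as text
    return rows


def summarize_by_policy(rows):
    """Single-summary view: open incidents, total matches and High-severity count per policy."""
    summary = defaultdict(lambda: {"incidents": 0, "matches": 0, "high": 0})
    for row in rows:
        if row["Status"] not in OPEN_STATUSES:
            continue
        entry = summary[row["Policy"]]
        entry["incidents"] += 1
        entry["matches"] += row["Matches"]
        if row["Severity"] == "High":
            entry["high"] += 1
    return dict(summary)


def unowned_incidents(rows):
    """IDs of open incidents with no Data Owner Email: these cannot be routed to a data owner."""
    return [row["ID"] for row in rows
            if row["Status"] in OPEN_STATUSES and not row["Data Owner Email"].strip()]


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    for policy, stats in summarize_by_policy(rows).items():
        print(f"{policy}: {stats}")
    print("open incidents without a data owner:", unowned_incidents(rows))
```

The header check matters because the column set is chosen per export (step 7 of the export procedure): a report exported without the Data Owner Email column would otherwise silently report every incident as unowned.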

Deleting incidents
Incident reporting performance often deteriorates when the number of incidents in your system exceeds one million
(1,000,000). Symantec recommends keeping your incident count below this threshold by deleting incidents to maintain
good system performance.

Incident deletion is permanent: you can delete incidents, but you cannot recover the incidents that you have deleted.
Symantec Data Loss Prevention offers options for deleting only certain parts of the data that triggered the incident.
After you have marked incidents for deletion, you can view, configure, run, and troubleshoot the incident deletion process
from the Enforce Server administration console. You can mark incidents for deletion manually or automatically.
About automatically flagging incidents for deletion
You can also delete hidden incidents.
NOTE
Proceed with caution. Once you click Delete, the operation cannot be reversed.
1. On an Incident report screen, select the incident or incidents you want to delete, then click More > Delete Incidents.
2. On the Delete Incidents popup, select from the following deletion options:

Delete incident completely
Permanently deletes the incident and all associated data (for example, any emails and attachments). You cannot recover the incidents that have been deleted.
Retain incident, but Delete Original Message/Attachment(s)/File(s)
Retains the actual incident but discards the Symantec Data Loss Prevention copy of the data that triggered the incident. You have the option of deleting only certain parts of the associated data. The rest of the data is preserved.
Delete Original Message: Deletes the message content (for example, the email message or HTML post). This option applies only to Network incidents.
Delete Attachments/Files: This option refers to files (for Endpoint and Discover incidents) or email or posting attachments (for Network incidents). The options are:
• All - Deletes all attachments. Choose this option to delete all files (for Endpoint and Discover incidents) or email attachments (for Network incidents). Attachments and files are added to the incident deletion queue after their associated incidents have been deleted.
• Attachments/Files with no violations - This option deletes only those attachments in which Symantec Data Loss Prevention found no matches. Choose this option when you have incidents with individual files that are taken from a compressed file (Endpoint and Discover incidents) or several email attachments (Network incidents).

3. Click Cancel or Delete.


Delete marks the incident for deletion and adds it to the incident deletion queue. You cannot recover an incident after
it has been marked for deletion. Symantec Data Loss Prevention permanently deletes the incidents in the incident
deletion queue when it runs the incident deletion job.

About the incident deletion process


You can view, configure, run, and troubleshoot the incident deletion process on the Incident Deletion screen of the
Enforce Server administration console: System > Incident Data > Incident Deletion. This screen shows you the number
of incidents in the incident deletion queue, the deletion schedule, and a history of deletion jobs.
The incident deletion queue includes all incidents marked for deletion by all your Symantec Data Loss Prevention users.
In addition to viewing the number of incidents marked for deletion, you can start and stop a deletion job manually from the
incident deletion queue.
You can view detailed information about your deletion jobs in the deletion jobs history section, including the number of
incidents and attachments or files deleted, the job start and end time, the job duration, whether or not the job was stopped
manually, and the job status (Completed, Failed, or In Progress). In the case of failed deletion jobs, you can click the
Failed link to see the error message and problem statement. This information may be useful to your Oracle database
administrator in troubleshooting the job failure. If this information is insufficient to resolve your deletion job issues, you can
export information from any job to a CSV file and send it to Symantec Data Loss Prevention Support for additional help.

By default, the incident deletion job runs nightly at 11:59 P.M. in the Enforce Server's local time zone. When the job runs,
it also creates an event on the System > Servers and Detectors > Events screen. This event is created whether or not
any incidents are actually deleted.

Configuring the incident deletion job schedule


The default incident deletion job schedule is daily at 11:59 P.M. in the Enforce Server's local time zone. You can configure
the deletion job schedule to run at any other scheduled time. Symantec suggests running your incident deletion at a time
when your system is idle or not in heavy use.
To configure the incident deletion job schedule
1. Click the Schedule Deletion Job calendar icon.
2. In the Schedule Incident Deletion dialog box, specify one of the following options:
• No Regular Schedule: Select this option to turn off the deletion job schedule.
• Once: Specify a day and time for a single incident deletion job.
• Daily: Specify a daily time for incident deletion jobs.
• Weekly: Specify a day and time for incident deletion jobs.
• Monthly: Specify a day of the month and time for incident deletion jobs. To accommodate differences between
months, the day value must be between 1 and 28.
3. Click Submit.

NOTE
The incident deletion job schedule is reset to the default value during the upgrade process. If you are using a
custom incident deletion job schedule, reconfigure the schedule after the upgrade process is complete.

Starting and stopping incident deletion jobs


If there are incidents pending deletion, you can start an incident deletion job manually from the incident deletion queue.
You can also stop any incident deletion job that is currently running.
To start and stop incident deletion jobs manually
1. Click Start Deletion to start an incident deletion job manually.
2. When an incident deletion job is running, the progress bar will show you how many incidents have been deleted.
3. Click Stop Deletion to stop an incident deletion job.
The progress bar refreshes every 30 seconds by default. If you are deleting a large number of incidents (over
500,000), the refresh process may degrade the performance of the deletion job. You can adjust the refresh rate in
the manager.properties file.
To configure the progress bar refresh rate
4. Open the manager.properties file:
• On Windows systems: \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\manager.properties
• On Linux systems: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config/manager.properties
5. Set a new value in milliseconds for the com.vontu.incident.deletion.progress.refreshRate property. For
example, to set the refresh rate to two minutes (120 seconds):
com.vontu.incident.deletion.progress.refreshRate=120000
6. Save and close the manager.properties file, then restart the Symantec DLP Manager service.

Working with the deletion jobs history


The deletion jobs history section shows you your previously run incident deletion jobs, including:
• The number of incidents deleted.
• The number of attachments and files deleted.
• The deletion job start and end time.
• The deletion job duration.
• Whether or not the deletion job was stopped manually.
• The deletion job status.
If a deletion job failed, a link will appear in the status column. Click the link to see the error message and problem
statement. This information may be useful to your Oracle database administrator for troubleshooting a failed deletion job.
If you are having trouble troubleshooting incident deletion job issues, you can export detailed deletion job information to
send to Symantec Data Loss Prevention Support.
To view and export failed deletion job information
1. In the Deletion jobs history list, click the Failed link for the failed job you want to view.
The error message and problem statement that appear may be useful to your Oracle database administrator for
troubleshooting your incident deletion job issues. If you need additional help, continue to step 2.
2. To export information for a failed deletion job, select the job in the Deletion jobs history list, then click Export.
3. Save the ZIP file to send to Symantec Data Loss Prevention Support for analysis. The data contained in the ZIP
file is intended for use by Symantec Data Loss Prevention Support only, and will not be helpful for your in-house
troubleshooting efforts.

About automatically flagging incidents for deletion


You can automatically flag incidents for deletion based on criteria that you define. For example, you might want to
automatically flag incidents for deletion based on their age. Flagging incidents for deletion automatically can save you a
significant amount of time and effort, especially if you have many incidents in your system.
Incidents that you have automatically flagged for deletion are permanently deleted from your system when the next
incident deletion job runs. Unlike manually selected incidents, automatic deletion tagging marks the entire incident for
deletion, including the message data and attachments.
About the incident deletion process
To automatically flag incidents for deletion, you first create custom incident reports with your criteria, such as incident age.
You can have one active report per incident category: Network, Endpoint, Discover, and Applications. These report
types are license-dependent: you cannot create or review reports for which you do not have a license.
About creating incident reports for automatic incident deletion flagging
After you have created your custom incident reports, you configure and manage incident deletion flagging jobs on the
System > Incident Deleter > Flag Incidents for Deletion page.
Configuring automatic incident deletion flagging
Managing automatic incident deletion flagging
You must have Symantec Data Loss Prevention administrator privileges to configure automatic incident deletion flagging.

About creating incident reports for automatic incident deletion flagging
You create custom reports that include your criteria for automatic incident deletion flagging on the Incidents page for each
specific incident type. Symantec recommends that you use single-summary reports only for incident deletion flagging.
About custom reports and dashboards
Saving custom incident reports
The most useful system report to start from when creating custom incident reports for incident deletion flagging is the
Incidents > incident type > Incidents - All report. This system report includes all incidents present in your system for a
given incident type.
The following procedure gives an example for flagging Network incidents created between 1 January 2016 and 1 January
2017 for deletion. This is a simple example that only involves filtering the list of all Network incidents by a range of dates.
No additional filters or summarization are applied in this example.
To create a report to filter Network incidents within a range of dates
1. In the Enforce Server administration console, navigate to Incidents > Network > Incidents - All.
2. In the Filter section, select Status: Equals All.
3. In the Date section, select Custom, then enter a start date of 1/1/16 and an end date of 1/1/17.
4. Click Apply.
5. Click Save > Save As.
6. Enter a name for and description of your report in the Save Report As dialog box, then click Save.
You can now view your custom report on the Incidents > All Reports page, and you can select it when you configure
your automatic incident deletion flagging job.

You can use Advanced Filters & Summarization to further refine your reports.
If you have hidden incidents from reports, those incidents will not be deleted even if they meet the criteria you select. You
must unhide those incidents you wish to automatically flag for deletion.
Unhiding hidden incidents
Filtering reports

Configuring automatic incident deletion flagging


You configure automatic incident deletion flagging on the System > Incident Deleter > Flag Incidents for Deletion
page. Automatic incident deletion flagging configuration consists of selecting your custom incident reports and scheduling
incident deletion flagging jobs. You must have Symantec Data Loss Prevention administrator privileges to configure
automatic incident deletion flagging.
About creating incident reports for automatic incident deletion flagging
To configure automatic incident deletion flagging

1. In the Enforce Server administration console, navigate to the System > Incident Deleter > Flag Incidents for
Deletion page.
2. Click Configure.
3. On the configuration page, select the report or reports that include the incidents you want to flag for incident deletion.
You can select one report per incident type. You cannot select system reports for incident deletion flagging.
4. Set a schedule for your incident deletion flagging jobs. You can schedule incident deletion flagging jobs to run at a
specific time once, every day, every week, or every month. You can also select No Regular Schedule if you prefer to
schedule your incident deletion jobs manually.
There are two considerations to keep in mind when scheduling incident deletion flagging jobs:
• The incident deletion flagging jobs should run to completion before your scheduled incident deletion jobs.
• The incident deletion flagging jobs should run at a time when Symantec Data Loss Prevention is not running any
other jobs.
5. Click Save.

Managing automatic incident deletion flagging


You manage automatic incident deletion flagging jobs on the System > Incident Deleter > Flag Incidents for Deletion
page. On this page you can view your custom reports for incident deletion flagging, the schedule for the upcoming incident
deletion flagging job, and the incident deletion flagging job history.
You can link directly to your incident deletion flagging job report by clicking the report name in the Selected reports for
incident deletion flagging section.
You can view incident deletion flagging job history in the Job history of incident deletion flagging section. For each job
history, Symantec Data Loss Prevention displays the following information:
• Job ID: The identifier for the incident deletion flagging job.
• Job started: The start time for the incident deletion flagging job.
• Report Name: the name of the custom report used to flag incidents for deletion.
• #Incidents Flagged: The number of incidents flagged for deletion by that job.
• Status: The status of the incident deletion flagging job.
You can delete incident deletion flagging jobs by selecting one or more jobs using the checkboxes, then clicking Delete.
Note that there is no confirmation for incident deletion flagging job deletion, though deleted jobs are displayed in the
Tomcat logs.

Troubleshooting automatic incident deletion flagging


Automatic incident deletion flagging includes two event codes useful for tracking incident deletion flagging jobs. It also
logs information about the process to the Tomcat logs.
The system event codes are:
• 2318: Incident deletion flagging process started.
• 2319: Incident deletion flagging process ended.
Tomcat logs include the following information (line breaks added for legibility):
Timestamp- Thread: 111 INFO
[com.vontu.manager]
User "Administrator" initiated incident action
"Marked for Deletion" for 6 incident(s)

Timestamp- Thread: 111 INFO
[com.vontu.manager]
Incident deletion flagging process ended.

Timestamp- Thread: 119 INFO
[com.vontu.manager.system.incident.deletion.IncidentFlagDeletionListController]
The flagged incident deletion jobs have been deleted. Number of jobs deleted are: N
Be aware that incident deletion flagging jobs can fail due to insufficient space for undo/redo actions in the Symantec Data
Loss Prevention database. See Working with the DLP database for detailed information about managing the database.
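Because deleting a flagging job from the history asks for no confirmation, and because marking incidents for deletion is irreversible once the deletion job runs, the Tomcat messages above are the audit trail worth watching. The following is an added example, not part of the Symantec documentation, that parses those messages into an audit summary: how many incidents each user marked for deletion, and how many flagging job history entries were deleted. The log lines are constructed to match the message texts shown (with the Timestamp- placeholder replaced by made-up timestamps and each entry on a single line); the assumption that "Marked for Deletion" actions logged between a process-started and a process-ended message belong to the scheduled flagging job, while any other such action was taken interactively, is the example's own.

```python
import re
from collections import Counter

# Constructed log lines matching the Tomcat messages documented above, one
# entry per line. Timestamps, thread ids, user names and counts are made up.
SAMPLE_TOMCAT_LOG = [
    '2023-09-13 01:00:00 - Thread: 111 INFO [com.vontu.manager] Incident deletion flagging process started.',
    '2023-09-13 01:00:05 - Thread: 111 INFO [com.vontu.manager] User "Administrator" initiated incident action "Marked for Deletion" for 6 incident(s)',
    '2023-09-13 01:00:06 - Thread: 111 INFO [com.vontu.manager] Incident deletion flagging process ended.',
    '2023-09-13 02:10:00 - Thread: 119 INFO [com.vontu.manager.system.incident.deletion.IncidentFlagDeletionListController] The flagged incident deletion jobs have been deleted. Number of jobs deleted are: 2',
    '2023-09-13 09:30:00 - Thread: 140 INFO [com.vontu.manager] User "jsmith" initiated incident action "Marked for Deletion" for 3 incident(s)',
    '2023-09-13 09:31:00 - Thread: 140 INFO [com.vontu.manager] Unrelated message that the parser ignores',
]

# Patterns for the three message texts shown in the documentation.
MARKED_RE = re.compile(r'User "(?P<user>[^"]+)" initiated incident action '
                       r'"Marked for Deletion" for (?P<count>\d+) incident\(s\)')
PROCESS_RE = re.compile(r'Incident deletion flagging process (?P<state>started|ended)\.')
JOBS_DELETED_RE = re.compile(r'The flagged incident deletion jobs have been deleted\. '
                             r'Number of jobs deleted are: (?P<count>\d+)')


def parse_deletion_events(lines):
    """Extract deletion-related events from Tomcat log lines, preserving log order."""
    events = []
    for line in lines:
        m = MARKED_RE.search(line)
        if m:
            events.append({"kind": "marked", "user": m["user"], "count": int(m["count"])})
            continue
        m = PROCESS_RE.search(line)
        if m:
            events.append({"kind": "process_" + m["state"]})
            continue
        m = JOBS_DELETED_RE.search(line)
        if m:
            events.append({"kind": "jobs_deleted", "count": int(m["count"])})
    return events


def flagged_per_user(events):
    """Total number of incidents each user marked for deletion."""
    totals = Counter()
    for e in events:
        if e["kind"] == "marked":
            totals[e["user"]] += e["count"]
    return dict(totals)


def jobs_deleted_total(events):
    """Flagging job history entries removed; the console asks for no confirmation, so the log is the record."""
    return sum(e["count"] for e in events if e["kind"] == "jobs_deleted")


def interactive_flags(events):
    """Mark-for-deletion actions outside a started/ended flagging process window.

    Assumption of this example: actions logged inside such a window come from the
    scheduled flagging job; anything else was done interactively by a user.
    """
    in_job = False
    result = []
    for e in events:
        if e["kind"] == "process_started":
            in_job = True
        elif e["kind"] == "process_ended":
            in_job = False
        elif e["kind"] == "marked" and not in_job:
            result.append(e)
    return result


if __name__ == "__main__":
    events = parse_deletion_events(SAMPLE_TOMCAT_LOG)
    print("incidents flagged per user:", flagged_per_user(events))
    print("flagging jobs deleted from history:", jobs_deleted_total(events))
    print("interactive mark-for-deletion actions:", interactive_flags(events))
```

Feeding the real Tomcat log through this parser before the nightly 11:59 P.M. deletion job runs gives a last look at who queued what, while the incidents can still be found in the queue.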

Deleting custom dashboards and reports


You can delete any custom report or dashboard that you create.
To delete a custom dashboard or report
1. In the Enforce Server administration console, on the Incidents menu, select Incident Reports.
The Incident Reports dashboard appears and displays Saved Reports near the top.
2. Click the delete icon next to the report or dashboard to delete it.
3. Click OK to confirm.
4. Symantec Data Loss Prevention deletes the report, and removes it from the Incident Reports screen.

Common incident report features


The following options are common to incident report lists:
• Icons to perform the following tasks for a report:
– Save
You can save the current report as a custom saved report.
Saving custom incident reports
– Send
You can email the report or schedule the report distribution.
Saving custom incident reports
– Export
You can export the current report as CSV or XML.
Exporting incident reports
– Delete Report
If this report is not a saved report, then the Delete Report option does not appear.
• Report filters and summary options
Incident report filter and summary options
• Page navigation icons
Page navigation in incident reports
The following summary reports are available for the types of incidents:
• Network
• Endpoint
• Discover

Page navigation in incident reports
All reports except executive summaries include page navigation options. Symantec Data Loss Prevention displays the
number of currently visible incidents out of total report incidents (for example, 1-19 of 19 or 1-50 of 315).
Reports with more than 50 incidents have the following options:

(icon) Displays the first page of the report.
(icon) Displays the previous page.
(icon) Displays the next page.
(icon) Displays the last page.
Show All: Displays all items on one single page. Use the Show All link on an Incident List with caution when the system contains more than 500 incidents. Browser performance degrades drastically if more than 500 incidents are displayed on the Incident List page.
Select All: Selects all incidents on all pages, so you can update them all at once. (Available only on Incident Lists.) Click Unselect All to cancel.
Note: Use caution when you choose Select All. This option selects all the incidents in the report (not only those on the current page). Any incident command that you subsequently apply affects all the incidents. To select only the incidents on the current page, select the checkbox at top left of the incident list.

Common incident report features

Incident report filter and summary options


Filters are separated into commonly used filters, and advanced filters and summarizations.
The common filters include the following options:

Status: Select Equals, Is Any Of, or Is None Of. Then select status values. Hold down Ctrl and click to select more than one separate status value. Hold down Shift and click to select a range.
Date: Use the drop-down menu to select a date range, such as Last Week or Last Month. The Network and Endpoint reports default is All Dates.
Severity: Check the boxes to select the severity values.
Scan (Discover reports): For Discover reports, select the scan to report. You can select the most recent scan, the initial scan, or a scan in progress. All Scans is the default.
Target ID: For Discover reports, select the name of the target to report. All Targets is the default.

Click the Advanced Filters & Summarization bar to expand the section with filter and summary options.
Click Add Filter to add an advanced filter.
Select a primary and optional secondary option for summarization. A single-summary report is organized with a single
summary criterion, such as the policy that is associated with each incident. A double-summary report is organized with
two criteria, such as policy and incident status.
NOTE
If you select a condition where the content is matched in the text field, your entire entry must match exactly. For
example, if you enter "apples and oranges", that exact text must appear in the specified component for it to be
considered a match. The sentence "Bring me the apples and the oranges" is not considered a match.
For a complete list of the report filter and summary options, see the Symantec Data Loss Prevention Help Center.

Common incident report features

Sending incident reports by email


You can send a copy of the current report to any email address.
To send reports, your system administrator must configure an SMTP server. The Administrator must specify a report
distribution option on the System > Settings page. You must also specify an email address for your user account.

To send a report
1. Click Incidents, and select a type of report.
2. Navigate to the report that you want to export. Filter or summarize the incidents in the report, as desired.
Common incident report features
3. Click Send in the upper right corner.
Alternatively, you can use the Send menu (above the filters).
Saving custom incident reports
4. In the Send Report dialog box, specify the following options:

To: Enter one or more email addresses (comma-separated).
Subject: Enter a subject for the message.
Message: Enter the message.

5. Click Send or Cancel.

Printing incident reports


Exporting incident reports

Printing incident reports


You can print a report to any available printer.
To print a report
1. Click Incidents, and select a type of report.
2. Navigate to the report that you want to export. Filter or summarize the incidents in the report, as desired.
Common incident report features
3. Click Print in the upper right corner.
4. An image of the report appears in a browser window.
5. The printer selection dialog box appears, and you can select a printer.

Sending incident reports by email


Exporting incident reports

Incident snapshot history tab


You can view the actions that were performed on the incident. For each action, the History tab displays the action date
and time, the actor (a user or server), and the action or the comment.
Discover incident snapshot

Network Incident Snapshots
Endpoint incident snapshot

Incident snapshot notes tab


You can add a note to an incident, or view existing notes for that incident, on the Notes tab. To add a note, click Add
Note. The limit for notes is 4000 bytes.

Incident snapshot attributes section


You can view a list of custom attributes and their values, if any have been specified. Click on attribute values to view an
incident list that is filtered on that value. To add new values or edit existing ones, click Edit. In the Edit Attributes dialog
box that appears, type the new values and click Save. Hidden incidents are not displayed in the filtered list.
NOTE
This section appears only if a system administrator has configured custom attributes.

Incident snapshot correlations tab


You can view lists of the incidents that share various attributes of the current incident.
For example, if the copying of a file triggered the current incident, you can bring up a list of all the incidents that are
related to the copying of this file. The Correlations tab shows a list of correlations that are matched to single attributes.
Click on attribute values to view lists of the incidents that are related to those values.
To search for other incidents with the same attributes, click Find Similar. In the Find Similar Incidents dialog box that
appears, select the desired search attributes. Then click Find Incidents. Hidden incidents are not displayed when you
search for similar incidents.

Incident snapshot policy section


The Policy area shows the policy that was violated in the incident and indicates if the policy blocked a move or notified
the user. It also shows the total number of matches for the policy, as well as matches per policy rule. Click the policy name
to view a list of all incidents that violated the policy. Click view policy to view a read-only version of the policy.
Icons indicate which of the following occurred:
• Symantec Data Loss Prevention blocked a copy of the sensitive information.
• Symantec Data Loss Prevention notified the user about the copy of confidential data.
This section also lists any other policies that the same file violated. To view the snapshot of the incident that is
associated with a particular policy, click the Go to Incident link next to the policy name. To view a list of all incidents that
are related to the file, click show all.

Incident snapshot matches section


In the Matches section, Symantec Data Loss Prevention displays the content (if applicable) and the matches that caused
the incident.

Matches are highlighted in yellow. This section shows the match total and displays the matches in the order in which they
appear in the original content. To view the rule that triggered a match, click on the highlighted match.

Incident snapshot access information section


The Access Information section of an incident snapshot shows the Access Control Lists for that object.
Access Control Lists (ACL) are lists of the permissions that are attached to an object or piece of data. The list contains
information about all users who have read and write permissions for the file. Use the list to view which users have access
to the file as well as which actions each user can perform. The permissions for each user or group are not set through
Symantec Data Loss Prevention. Administrators set the permissions for each file using other types of programs on the
endpoint. Permissions are generally set at the time that the file is created.
For example, User 1 has permission to access the file Example1.doc. User 1 can view and edit the file. User 2 also
has access to the file Example1.doc. However, User 2 can only view the file. User 2 does not have permission to make
changes to the file. In the ACL, both User 1 and User 2 are listed with the permissions that have been granted to them.
Table 853: Access control list example shows the resulting entries.

Table 853: Access control list example

Name     Permission
User 1   GRANT READ
User 1   GRANT WRITE
User 2   GRANT READ

The ACL contains a new line for each permission granted. The ACL only contains one line for User 2 because User 2 only
has one permission, to read the file. User 2 cannot make any changes to the file. User 1 has two entries because User 1
has two permissions: reading the file and editing it.
You can view ACL information only on Discover and Endpoint local drive incident snapshots. You cannot view ACL
information on any other type of incidents.
The Access Information section appears on the Key Info tab of the incident snapshot.
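The one-line-per-permission ACL layout described above, processed as an added example; this is not code from the Symantec documentation or product. It parses constructed entries in the "Name GRANT PERMISSION" form shown in Table 853, collapses them into one permission set per user, and reports which users can change the file. It goes beyond the page in two ways that are labelled as assumptions: group entries are expanded through an assumed membership map, and an assumed explicit DENY line removes a permission that a group grant would otherwise give. All user names, the group, and the DENY entry are hypothetical.

```python
from collections import defaultdict

# Constructed ACL text in the one-line-per-granted-permission layout of the
# Access Information section. The "Finance" group entry and the DENY line
# are assumptions for illustration; the page itself shows only GRANT lines.
SAMPLE_ACL_TEXT = """
User 1 GRANT READ
User 1 GRANT WRITE
User 2 GRANT READ
Finance GRANT WRITE
User 3 DENY WRITE
"""

# Assumed group membership. DLP displays the ACL as recorded on the
# endpoint or share; it does not expand groups for you.
GROUPS = {"Finance": {"User 2", "User 3"}}


def parse_acl_lines(text):
    """Turn 'Name ACTION PERMISSION' lines into (name, action, permission) tuples.

    Names may contain spaces ('User 1'), so the line is split from the right.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.rsplit(None, 2)
        if len(parts) != 3:
            raise ValueError(f"malformed ACL line: {line!r}")
        name, action, permission = parts
        entries.append((name, action.upper(), permission.upper()))
    return entries


def effective_permissions(entries, groups):
    """Collapse one-permission-per-line entries into a permission set per user.

    Group entries are expanded to their members. A DENY on a permission
    removes it even if another line granted it (assumed deny-wins rule).
    """
    granted = defaultdict(set)
    denied = defaultdict(set)
    for name, action, permission in entries:
        bucket = granted if action == "GRANT" else denied
        for user in groups.get(name, {name}):
            bucket[user].add(permission)
    users = set(granted) | set(denied)
    return {user: granted[user] - denied[user] for user in sorted(users)}


def users_with(entries, groups, permission):
    """Users whose effective rights include the given permission."""
    rights_by_user = effective_permissions(entries, groups)
    return [user for user, rights in rights_by_user.items() if permission in rights]


if __name__ == "__main__":
    acl = parse_acl_lines(SAMPLE_ACL_TEXT)
    for user, rights in effective_permissions(acl, GROUPS).items():
        print(f"{user}: {sorted(rights) or 'no access'}")
    print("can change the file:", users_with(acl, GROUPS, "WRITE"))
```

Reading the ACL this way is what you do in practice when triaging a Discover or Endpoint local-drive incident: the question is rarely "who appears in the list" but "who can actually modify or exfiltrate the file", which the per-user collapse answers directly.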

Customizing incident snapshot pages


You can customize the appearance of the incident snapshot page.
To customize the appearance of the incident snapshot page
1. From an incident snapshot, click Customize Layout (in the upper-right corner).
2. Select the information to appear on each of the tabs in the incident snapshots.
Tab 1 always contains the Key Info, and cannot be changed.
3. For each of the areas on the incident snapshot screen, select the information that appears.
4. Click Save.

About filters and summary options for reports


You can set a number of filters and summaries for Symantec Data Loss Prevention incident reports.

These filters let you see the incidents and incident data in different ways.
The set of filters applies separately to Network, Endpoint, and Storage events.
The filters and summary options are in the following sections:

General filters     The general filter options are the most commonly used. They are always visible in the incident list report.
                    See: General filters for reports
Advanced filters    The advanced filters provide many additional filter options. You must click the Advanced Filters & Summarization bar,
                    and then click Add Filter to view these filter options.
                    See: Advanced filter options for reports
Summary options     The summary options provide ways to summarize the incidents in the list. You must click the Advanced Filters &
                    Summarization bar to view these summary options.
                    See: Summary options for incident reports

Symantec Data Loss Prevention contains many standard reports. You can also create custom reports or save report
summary and filter options for reuse.
About Symantec Data Loss Prevention reports

General filters for reports


General filters for reports are a small set of commonly used filters.
Most of these filters apply to all the products. Network Discover adds some general filters that relate to scans of storage;
for example, you can filter for the incidents that belong to a particular scan. These scan filters do not apply to
Network Prevent or Endpoint Prevent.
Table 854: General filters for status values lists the general filter options for report status values.
You can also create custom status values.
About incident status attributes
These status filters are available for Network, Endpoint, and Discover incidents.

Table 854: General filters for status values

Name         Description
Equals       The status is equal to the value that is selected in the next drop-down.
Is Any Of    The status is any of the values that are selected in the next drop-down. Shift-click to select multiple values.
Is None Of   The status is none of the values that are selected in the next drop-down. Shift-click to select multiple values.

Table 855: General filters by date for Network and Endpoint incidents lists the general filter options by date.
These date filters are available for Network and Endpoint incidents.

Table 855: General filters by date for Network and Endpoint incidents

Name                    Description
All Dates               All dates that contain incidents.
Today                   All incidents that were reported today.
Yesterday               All incidents that were reported yesterday.
Current Week to Date    All incide

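The status operators in Table 854 and the date options in Table 855, together with the Find Similar lookup from the Correlations tab, run over constructed incident records as an added example; this is not code from the Symantec documentation or product, and it does not touch the Enforce Server. The record field names, the sample incidents, the fixed reporting date, and the Monday week start used for Current Week to Date are all assumptions made for this example; the page does not say which day Symantec Data Loss Prevention treats as the start of the week. Hidden incidents are excluded from Find Similar, as the Correlations tab describes, and can optionally be excluded from the report.

```python
from datetime import date, datetime, timedelta

# Constructed incident records standing in for an incident list. Field names
# and values are assumptions for this example, not DLP's schema.
INCIDENTS = [
    {"id": 1, "status": "New", "reported": datetime(2023, 9, 13, 9, 0),
     "hidden": False, "policy": "PCI", "file": "a.doc"},
    {"id": 2, "status": "Escalated", "reported": datetime(2023, 9, 12, 17, 30),
     "hidden": False, "policy": "PII", "file": "b.xlsx"},
    {"id": 3, "status": "New", "reported": datetime(2023, 9, 11, 8, 0),
     "hidden": True, "policy": "PCI", "file": "a.doc"},
    {"id": 4, "status": "Resolved", "reported": datetime(2023, 9, 8, 12, 0),
     "hidden": False, "policy": "PCI", "file": "c.pdf"},
    {"id": 5, "status": "New", "reported": datetime(2023, 9, 13, 14, 0),
     "hidden": False, "policy": "PII", "file": "a.doc"},
]

# Constructed "today" (a Wednesday) so the date filters are reproducible.
REPORT_DATE = date(2023, 9, 13)


def status_predicate(operator, values):
    """Build the status test for the Equals / Is Any Of / Is None Of filters."""
    chosen = set(values)
    if operator == "Equals":
        if len(chosen) != 1:
            raise ValueError("Equals takes exactly one status value")
        return lambda inc: inc["status"] in chosen
    if operator == "Is Any Of":
        return lambda inc: inc["status"] in chosen
    if operator == "Is None Of":
        return lambda inc: inc["status"] not in chosen
    raise ValueError(f"unknown status operator: {operator!r}")


def date_window(option, today):
    """Return the inclusive (start, end) date range for a date filter option.

    None means unbounded. Current Week to Date assumes a Monday week start
    (assumption: the page does not state which day DLP uses).
    """
    if option == "All Dates":
        return None, None
    if option == "Today":
        return today, today
    if option == "Yesterday":
        yesterday = today - timedelta(days=1)
        return yesterday, yesterday
    if option == "Current Week to Date":
        return today - timedelta(days=today.weekday()), today
    raise ValueError(f"unknown date option: {option!r}")


def run_report(incidents, status=None, date_option="All Dates", today=None,
               include_hidden=True):
    """Apply an optional (operator, values) status filter and a date filter.

    Returns the matching incident IDs in list order.
    """
    today = today or date.today()
    start, end = date_window(date_option, today)
    keep_status = status_predicate(*status) if status else (lambda inc: True)
    matched = []
    for inc in incidents:
        if inc["hidden"] and not include_hidden:
            continue
        reported = inc["reported"].date()
        if start is not None and reported < start:
            continue
        if end is not None and reported > end:
            continue
        if not keep_status(inc):
            continue
        matched.append(inc["id"])
    return matched


def find_similar(incidents, incident_id, attributes):
    """Find Similar: other, non-hidden incidents sharing the selected attribute values."""
    target = next(inc for inc in incidents if inc["id"] == incident_id)
    return [
        inc["id"] for inc in incidents
        if inc["id"] != incident_id and not inc["hidden"]
        and all(inc[attr] == target[attr] for attr in attributes)
    ]


if __name__ == "__main__":
    print("open this week:", run_report(
        INCIDENTS, status=("Is None Of", ["Resolved"]),
        date_option="Current Week to Date", today=REPORT_DATE, include_hidden=False))
    print("same file as incident 1:", find_similar(INCIDENTS, 1, ["file"]))
```

The point worth noticing is the interaction of the two exclusion rules: a hidden incident is dropped by Find Similar unconditionally, but a report only drops it if you ask, so totals from the two views can legitimately differ for the same file.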