Diagnosing Outlook and Lotus Notes issues on the DLP Endpoint

Article ID: 159633

Products

Data Loss Prevention Endpoint Prevent, Data Loss Prevention Endpoint Discover, Data Loss Prevention

Issue/Introduction

How to diagnose issues with Outlook or Lotus Notes on Symantec Data Loss Prevention (DLP) Endpoint.

Environment

15.8, 16.x

Resolution

Diagnosing Outlook & Lotus Notes Monitoring

Mail monitoring is not working: emails, meetings, etc. containing sensitive content are not blocked.

Verify the following.

  1. The Endpoint agent is running and appc.dll is loaded in the process; Process Explorer can be used to check this.
  2. Check whether Outlook and\or Lotus Notes monitoring is enabled in the Agent Configuration on the Enforce server.
  3. Follow https://support.symantec.com/en_US/article.TECH254965.html
  4. Check if otlk.dll is loaded in the Outlook process, and\or ltnex.dll is loaded in the Lotus Notes process; Process Explorer can be used to verify this.
  5. Collect the endpoint agent log by setting the log level to FINEST (see TECH219080, How to Modify the Endpoint Database).
  6. For Outlook: INSERT or REPLACE into configuration values ('Logging','OutlookAddinLevel','str','FINEST');
  7. For Lotus Notes: INSERT or REPLACE into configuration values ('Logging','LotusNotesExtensionLevel','str','FINEST');
  8. Check if any third-party Outlook plugins are installed on the customer machine. You can check this under the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins
  9. Mention the version of Outlook\Lotus Notes along with the Service Pack.

Emails or attachments containing sensitive content are not blocked.

Verify the following.

  1. The content or attachments are not in image formats or similar formats that our Content Extraction cannot interpret.
  2. Check if the user has permission to write to the temp folder (User temp).
  3. Check if any file pre-filters are configured to exclude files from scanning, and whether the document meets the conditions specified in them.
  4. Collect the endpoint agent log as mentioned above.

Mails, meetings, etc. are blocked even if Mail monitoring functionality is disabled.

Verify the following.

  1. The connection mode to the Exchange server or Lotus Domino is HTTP.
  2. Outlook\Lotus Notes is not excluded from network monitoring. This can be verified on the Endpoint Application Control List page. Sample link: https://<EnforceServer>/ProtectManager/EndpointApplicationControlList.do

Outlook\Lotus Notes Crash or Hang

  1. Check if the crash\hang is reproducible without the Endpoint Agent; in most cases, Outlook\Lotus Notes itself might be crashing.
  2. Turn off the mail monitoring feature and observe whether the hang\crash is still reproducible; this confirms whether the crash\hang is related to mail monitoring.
  3. Execute "tasklist /v" and save the output.
  4. When Outlook crashes or hangs, verify that the following registry entries are present:
    1. Click Start, and then click Run.
    2. Type regedit, and then click OK.
    3. Navigate to [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\OutlookAddin.Addin.1]
    4. Check if the following entries are present.
      1. "FileName"="otlk.dll"
      2. "FriendlyName"="Outlook2K3 Addin"
      3. "Description"="ATLCOM Outlook Addin"
      4. "CommandLineSafe"=dword:00000000
      5. "LoadBehavior"=dword:00000003
  5. Export the following registry key, which helps in diagnosing the crash. It contains the details of add-ins that Outlook disabled because they crashed Outlook.
    1. Click Start, and then click Run.
    2. Type regedit, and then click OK.
    3. Navigate to [HKEY_CURRENT_USER\Software\Microsoft\Office\[11.0]\Outlook\Resiliency\DisabledItems] where 11.0 is the version.
    4. Right click -> Export -> Specify a file name and location.
  6. Get a dump of the Outlook\Lotus Notes process. WinDbg or Dr. Watson can be used to generate the dump.

    Attach WinDbg to Outlook and create a dump file by executing ".dump /ma c:\outlook.dmp" in WinDbg.

    Attach WinDbg to Edpa.exe and create a dump file by executing ".dump /ma c:\edpa.dmp" in WinDbg.
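
The Outlook evidence from the crash/hang checklist above (process list, otlk.dll load state, add-in registration, disabled add-ins) can be gathered in one pass. The following PowerShell is an added example, not part of the original article or of Symantec tooling; the output folder and the $OfficeVersion default are assumptions, and it covers Outlook only.

```powershell
# Added example, not Symantec/Broadcom code. $OutDir and $OfficeVersion are assumptions.
param(
    [string]$OutDir        = "$env:TEMP\dlp-outlook-diag",
    [string]$OfficeVersion = '11.0'    # version segment used in the article's example
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Process list with window titles and status ("tasklist /v")
tasklist /v | Out-File -FilePath (Join-Path $OutDir 'tasklist.txt')

# Is the DLP add-in module loaded in each running Outlook process?
# Run from a PowerShell of the same bitness as Outlook, otherwise the module list can be incomplete.
foreach ($p in Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
    $loaded = [bool]($p.Modules | Where-Object { $_.ModuleName -ieq 'otlk.dll' })
    "PID $($p.Id): otlk.dll loaded = $loaded" |
        Tee-Object -FilePath (Join-Path $OutDir 'modules.txt') -Append
}

# Compare the add-in registration against the values the article lists
$addinKey = 'HKLM:\SOFTWARE\Microsoft\Office\Outlook\Addins\OutlookAddin.Addin.1'
$expected = [ordered]@{
    FileName        = 'otlk.dll'
    FriendlyName    = 'Outlook2K3 Addin'
    Description     = 'ATLCOM Outlook Addin'
    CommandLineSafe = 0
    LoadBehavior    = 3
}
$actual = Get-ItemProperty -Path $addinKey -ErrorAction SilentlyContinue
$report = foreach ($name in $expected.Keys) {
    $value = if ($actual) { $actual.$name } else { $null }   # $null when key or value is missing
    [pscustomobject]@{
        Name     = $name
        Expected = $expected[$name]
        Actual   = $value
        Match    = ($null -ne $value -and "$value" -eq "$($expected[$name])")
    }
}
$report | Format-Table -AutoSize | Out-File -FilePath (Join-Path $OutDir 'addin-registration.txt')

# All registered Outlook add-ins, to spot third-party plugins
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Office\Outlook\Addins' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty PSChildName |
    Out-File -FilePath (Join-Path $OutDir 'addins.txt')

# Add-ins Outlook disabled after a crash (same key the manual regedit export targets)
$disabled = "HKCU\Software\Microsoft\Office\$OfficeVersion\Outlook\Resiliency\DisabledItems"
reg export $disabled (Join-Path $OutDir 'DisabledItems.reg') /y
```

Run it in the affected user's session so that the HKEY_CURRENT_USER export reflects that user's Outlook profile.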