If Symantec DLP catches an email twice, is an additional incident created?

Article ID: 159907

Products

- Data Loss Prevention Network Monitor
- Data Loss Prevention Network Prevent for Email
- Data Loss Prevention Enforce

Issue/Introduction

Symantec DLP email anti-duplication feature: cached email msg-ids

Resolution

Relevant versions: Symantec DLP 10.x and beyond

When Symantec DLP receives an SMTP message it extracts the message ID and the recipients from BOTH the SMTP envelope (which may contain BCC recipients hidden from the end user) AND the email headers (TO and CC).

If the message ID has been processed before, the recipient list of the current email is compared with that of the earlier copies. If the current email contains recipients that were not seen before, it is processed; if it contains no new recipients, it is discarded.

NOTE: This is only true for Network Monitor. Duplicate messages are not removed in SMTP Prevent as it may be advisable to block every single copy of it.

If the SMTP message contains one or more recipients Network Monitor has not seen, Symantec DLP will inspect the message again.

Two advanced settings control duplicate handling (System -> Overview -> Advanced tab of the detection server):

L7.DiscardDuplicateMessages

This must be set to "true" (default for Network Monitor) to avoid duplicate incidents. If the value is set to false, multiple incidents will be created. This is important if the same message is being replayed for testing purposes.

L7.messageIDCacheCleanupInterval

This is the interval in milliseconds between the time an SMTP message ID is first seen and the time it is removed from the cache, after which a duplicate message can create an incident again. So, if two copies of the same message are sent more than 60 seconds apart, they may create duplicate incidents regardless of the first setting.
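The following is an added worked example, not Symantec's code and not the product's actual implementation: it models the Network Monitor anti-duplication rule described above (inspect when the Message-ID is unseen or carries a recipient not yet seen for that ID, otherwise discard) together with the two advanced settings. The class and function names, the 60000 ms cleanup interval, and the sample message are assumptions made for the illustration.

```python
"""Illustration of the Message-ID anti-duplication rule for Network Monitor.
Not Symantec's code; names, the 60000 ms interval and the sample are constructed."""
import email
import time
from email import policy


class MessageIdCache:
    """Maps Message-ID -> (recipients seen so far, time the ID was first seen).

    discard_duplicates mirrors L7.DiscardDuplicateMessages and
    cleanup_interval_ms mirrors L7.messageIDCacheCleanupInterval.
    The 60000 ms used here is an assumed value, not a documented default.
    """

    def __init__(self, discard_duplicates=True, cleanup_interval_ms=60000, clock=None):
        self.discard_duplicates = discard_duplicates
        self.cleanup_interval_ms = cleanup_interval_ms
        self.clock = clock if clock is not None else time.time
        self._seen = {}

    def _expire(self, now):
        # Drop entries older than the cleanup interval, measured from first sight.
        cutoff = now - self.cleanup_interval_ms / 1000.0
        for mid in [m for m, (_, first) in self._seen.items() if first < cutoff]:
            del self._seen[mid]

    def should_inspect(self, message_id, recipients):
        """Return True if the message should go to detection, False to discard it."""
        now = self.clock()
        self._expire(now)
        if not self.discard_duplicates or not message_id:
            return True  # dedup disabled, or no ID to key on: every copy is inspected
        rcpts = set(recipients)
        if message_id not in self._seen:
            self._seen[message_id] = (rcpts, now)
            return True
        known, first = self._seen[message_id]
        new_rcpts = rcpts - known
        if new_rcpts:
            # Same ID but at least one recipient not seen before: inspect again.
            self._seen[message_id] = (known | new_rcpts, first)
            return True
        return False


def extract_identity(raw_message, envelope_recipients):
    """Return (Message-ID, recipients), merging SMTP envelope RCPT TO addresses
    (which can reveal BCC recipients) with the To and Cc headers."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    rcpts = {r.strip().strip("<>").lower() for r in envelope_recipients if r.strip()}
    for field in ("To", "Cc"):
        for hdr in msg.get_all(field, []):
            rcpts.update(a.addr_spec.lower() for a in hdr.addresses)
    mid = msg.get("Message-ID")
    return (str(mid).strip() if mid else None), rcpts


# Constructed sample message (not a real capture).
SAMPLE = (
    b"Message-ID: <constructed-0001@example.test>\r\n"
    b"From: alice@example.test\r\n"
    b"To: Bob <bob@example.test>\r\n"
    b"Cc: carol@example.test\r\n"
    b"Subject: quarterly figures\r\n"
    b"\r\n"
    b"attached as discussed\r\n"
)


def run_demo():
    """Replay the sample through the cache; returns the inspect/discard decisions."""
    clock = {"now": 1000.0}
    cache = MessageIdCache(clock=lambda: clock["now"])
    decisions = []
    # 1. First copy: unseen ID -> inspected.
    mid, rcpts = extract_identity(SAMPLE, ["bob@example.test", "carol@example.test"])
    decisions.append(cache.should_inspect(mid, rcpts))
    # 2. Same copy replayed within the interval -> discarded.
    decisions.append(cache.should_inspect(mid, rcpts))
    # 3. Same ID, but the envelope adds a BCC recipient absent from the headers -> inspected.
    mid, rcpts = extract_identity(
        SAMPLE, ["bob@example.test", "carol@example.test", "dave@example.test"])
    decisions.append(cache.should_inspect(mid, rcpts))
    # 4. Same again -> discarded (dave is now a known recipient).
    decisions.append(cache.should_inspect(mid, rcpts))
    # 5. More than the cleanup interval later -> cache entry gone, inspected again.
    clock["now"] += 61.0
    decisions.append(cache.should_inspect(mid, rcpts))
    # With L7.DiscardDuplicateMessages=false every copy is inspected.
    no_dedup = MessageIdCache(discard_duplicates=False, clock=lambda: clock["now"])
    repeats = [no_dedup.should_inspect(mid, rcpts) for _ in range(2)]
    return decisions, repeats


if __name__ == "__main__":
    print(run_demo())
```

Step 3 is the case the article singles out: the envelope, not the headers, is what exposes a BCC recipient, so a copy that looks identical at the header level is still inspected. Step 5 shows why the cleanup interval matters when a message is replayed for testing.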