How do I change the maximum file size for cracking on Endpoint Agent?

book

Article ID: 160143

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

As with other detection server types (Discover, Monitor, Prevent), the Endpoint Agent has a default setting of 30MB, expressed in bytes as 31457280. This is to keep resource usage low when cracking files, a larger file will require significantly more resources than a smaller one.

 

There are two scenarios in which you may wish to change this value:

1. Your client has a need to crack files of a larger size than the default, or

2. You are attempting to troubleshoot the use of resources on a machine with the Agent installed; the edpa.exe is likely using too much CPU and memory.

Resolution

To change this setting:

1. Log in to the Enforce Console and navigate to System -> Agents -> Agent Configuration.

2. Click on your Agent Configuration.

3. Click Advanced Settings and scroll down and search for:

IncidentHandler.MAX_INCIDENT_FILE_SIZE.int

4. Change the value as necessary. The formula for converting megabytes to bytes is:

MB x 1024 x 1024, where MB is the MB target.

Some examples:

10MB is 10485760

30MB is 31457280

50MB is 52428800

5. Save changes and apply the changes to the Agent Group in order for them to take effect.

Note: Retain incident attachment behavior has changed. Prior to DLP 14.5, the Endpoint incident attachment file would be truncated at IncidentHandler.MAX_INCIDENT_FILE_SIZE.INT. In DLP 14.5 and later if the incident attachment file is larger than IncidentHandler.MAX_INCIDENT_FILE_SIZE.INT it will be discarded and replaced with a text file that contains the text, "The file exceeded the data retention threshold and was not retained."