Diagnosing ICAP issues where Incidents are not being triggered by webmail attachments

Article ID: 160286

Products

Data Loss Prevention Network Prevent for Web

Issue/Introduction

Diagnosing ICAP issues where Incidents are not being triggered by webmail attachments

Resolution

In actuality, the attachment is likely being processed. It is simply processed as part of the body of the email, because that is how many Web 2.0 apps send it.

The way to test it is:

1. Get the policy you expect to hit (is it a Data Identifier?)
2. Get a screenshot of the screen when the email is about to be sent (you NEED to know whether it's plain text, rich text or something else. In general, if you can see little icons for font/color/etc., it's rich text)
3. Enable Detection Trace logging per TECH219364
4. Set up a keyword policy rule and OR it to the original policy rule
5. Add the keyword to the attachment AND the email body
6. Send it through.
7. Verify that it created an incident
8. Get the logs
9. Using the User Interface, navigate to the incident(s) and (from the upper right corner) select "Report - Open Original Message" and save it to a safe location.
10. Review and prepare for Support:
     10.1 The Screenshot of the email client prior to sending the email (#2)
     10.2 A screenshot of the Policy (#1)
     10.3 A full set of logs
     10.4 The "Original Messages"