What DLP Rule Conditions Will Cause Two Tier Detection


Article ID: 160344


Products

Data Loss Prevention Enforce

Issue/Introduction

You want to know which Symantec Data Loss Prevention (DLP) rules will cause two-tier detection.

Resolution

The table below lists which policy conditions cause two-tier detection as of version 11.6.1.

With DLP Agent 14.5 and above, the Endpoint Agent can detect derivative IDM matches locally on the endpoint and does not generate a two-tier detection. However, two-tier detection can be specifically enabled for the agent via the "Detection.TWO_TIER_IDM_ENABLED.str = ON" setting.

Please note that this list may change with newer versions and may be updated.

 

| Detection Tab | Two Tier Detection | Technology |
|---|---|---|
| Rule Conditions: | | |
| Content: | | |
| Content Matches regular expression | no | DCM |
| Content Matches Exact data form | yes | EDM |
| Content Matches keyword | no | DCM |
| Content Matches Document Signature Form | no [not by default] | IDM |
| Content matches data identifier | no | DCM |
| Detect using Vector Machine Learning profile | no | VML |
| File Properties: | | |
| Message attachment of File Type Match | no | DCM |
| Message attachment of File Size Match | no | DCM |
| Message attachment of File Name Match | no | DCM |
| Custom File Type Signature | no | DCM |
| Protocol: | | |
| Protocol or Endpoint Monitoring | no | DCM |
| Endpoint Device Class or ID | no | DCM |
| Endpoint Location | no | DCM |
| Group Tab | | |
| Rule Conditions: | | |
| Sender/User Matches Pattern | no | DCM |
| Recipient Matches Pattern | no | DCM |
| Sender/User matches User Group | | |
| Sender/User based on a Directory Server group | no | DCM |
| Sender/User based on a Directory Form | yes | EDM |
| Recipient matches User Group | | |
| Recipient based on a Directory Server Group | yes | EDM |
| Recipient based on a Directory Form | yes | EDM |
| Also Match Section: | | |
| Content matches Data Identifier | no | DCM |
| Content matches keyword | no | DCM |
| Content matches Regular Expression | no | DCM |
| Custom File Type Signature | no | DCM |
| Endpoint Device Class or ID | no | DCM |
| Endpoint Location | no | DCM |
| Message attachment or file name match | no | DCM |
| Message attachment or file size match | no | DCM |
| Message attachment or file type match | no | DCM |
| Protocol or Endpoint Monitoring | no | DCM |
| Recipient based on a Directory Server Group | yes | EDM |
| Recipient matches pattern | no | DCM |
| Sender/User based on a Directory Server Group | no | EDM |
| Sender/User Matches Pattern | no | DCM |