How to configure Symantec DLP to retain the Endpoint incident file

Article ID: 160367

Updated On:

Products

Data Loss Prevention Endpoint Prevent, Data Loss Prevention Endpoint Discover

Issue/Introduction

The endpoint incident detail only shows the match in the file. How can I get the original file?

Resolution

RELEVANT VERSIONS:  ALL

Endpoint file retention is accomplished by creating an automated response rule as follows:

  • Add a new Automated response rule:
    • Click Response Rule
    • Click the Add a New Response Rule tab
    • Select Automated Response and click Next
    • Name the Response Rule and provide a description
  • In the action drop-down, choose All: Limit Incident Data Retention, then click Add Action
  • Tick the box "Retain Original File" for the Endpoint and Save the rule

NOTE: Enabling retention of the original files on the Endpoint increases network bandwidth consumption. This is the main reason the feature is turned off by default.