
EDM detection does not detect content at the end of a file


Article ID: 162719


Products

Data Loss Prevention Enforce

Issue/Introduction

Detecting content at the beginning of a file works without issue; however, when the content value you are trying to detect is at the end of a file, detection does not occur.

Cause

The issue with detecting content at the end of the file is by design.  The EDM Advanced Server settings are configured to scan only a specified number of tokens in any given file. 

With the default settings, the EDM scan does not cover the full 30 MB (default maximum) of extracted content. EDM content scans are governed by the Advanced Server setting Lexer.MaximumNumberOfTokens. The Lexer.MaximumNumberOfTokens value of 12000 in Symantec Data Loss Prevention 12.5.x and above covers approximately 100 KB of extracted content. For Symantec Data Loss Prevention 11.6, the value of 30000 covers around 200 KB of extracted content.

Resolution

Note:  The following steps apply only to on-premises Data Loss Prevention Detection Servers; they do not apply to the Cloud Service Detectors. 

To perform EDM detection on a greater number of tokens, you must modify the Lexer.MaximumNumberOfTokens setting from its default value. This value depends on the version you are running. In addition, to detect content at the end of a file that is larger than the default 30 MB, you may need to modify the values for the settings IncidentDetection.MaxContentLength and ContentExtraction.MaxContentSize.
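The following sketch is an added example, not Symantec code. It models a token-capped scan to show why a value near the end of a file is missed at a cap of 12000 and how to estimate the cap a given file would need. The tokenizer, the function names and the sample document are assumptions made for illustration; the product's real lexer rules are not described in this article.

```python
import re

# Assumption: a simple word/number tokenizer stands in for the product's lexer,
# whose real tokenization rules are not given in this article.
TOKEN_RE = re.compile(r"[A-Za-z0-9]+(?:[-.@'][A-Za-z0-9]+)*")

def scan_window(text, max_tokens):
    """Return (tokens_scanned, end_offset) for a scan capped at max_tokens."""
    tokens, end = [], 0
    for m in TOKEN_RE.finditer(text):
        if len(tokens) >= max_tokens:
            break  # everything past this offset is never examined
        tokens.append(m.group())
        end = m.end()
    return tokens, end

def is_detected(text, value, max_tokens):
    """True if the tokens of `value` appear contiguously inside the scanned window."""
    tokens, _ = scan_window(text, max_tokens)
    needle = TOKEN_RE.findall(value)
    n = len(needle)
    return any(tokens[i:i + n] == needle for i in range(len(tokens) - n + 1))

def tokens_needed(text, value):
    """Smallest token cap that places `value` inside the scanned window, or None."""
    tokens = TOKEN_RE.findall(text)
    needle = TOKEN_RE.findall(value)
    n = len(needle)
    for i in range(len(tokens) - n + 1):
        if tokens[i:i + n] == needle:
            return i + n
    return None

def build_sample(filler_tokens, value):
    """Constructed sample: one value at the start, filler text, another at the end."""
    filler = " ".join(f"word{i}" for i in range(filler_tokens))
    return f"acct 1111-2222 {filler} acct {value}"

if __name__ == "__main__":
    doc = build_sample(15000, "9999-8888")  # constructed test document
    for cap in (12000, 30000):
        print(cap, is_detected(doc, "1111-2222", cap), is_detected(doc, "9999-8888", cap))
    print("tokens needed:", tokens_needed(doc, "9999-8888"))
```

Running the same measurement over representative extracted text from your own file types gives a starting point for sizing Lexer.MaximumNumberOfTokens before changing it on a Detection Server.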

For more details, review the article Guidelines for tuning Symantec Data Loss Prevention to scan large files (broadcom.com).

In-depth configuration options are also discussed in the Online Help topic Configuring Advanced Settings for EDM policies (symantec.com).

If more information is required, please contact Symantec Enterprise Technical Support for assistance.