search cancel

Issues with Symantec Data Loss Prevention endpoint IDM exact matching


Article ID: 162779


Updated On:


Data Loss Prevention Endpoint Prevent


There are several issues that limit or prevent Indexed Document Matching (IDM) exact file and exact file contents matching on endpoints. These issues affect Symantec Data Loss Prevention 14 and earlier. This article describes these issues, and, where possible, provides workarounds.



Different versions of the detection engine. If the detection engine version used to index a file is different than the version used to detect a file (as might happen if different versions of Data Loss Prevention are involved), the file might not match. You must use the same version of Data Loss Prevention for both the DLP Agent and the detection server.
Metadata not detected correctly. The Endpoint Server extracts metadata differently than the DLP Agent. Consequently, you must turn off metadata detection for both the Server and the Agent. See the Workaround column for details.

The following Endpoint Server Advanced Server Settings must be set to off:



The following Advanced Agent Settings must be set to off:






Files larger than 30 MB. Exact matching will not work correctly for files larger than 30 MB unless the Endpoint Server and DLP Agent settings are set as detailed in the Workaround column. The value for the Advanced Server Setting DDM_max_bin_match_size must equal the value for the Advanced Agent Setting
Different file type for indexed and detected file. If the type of file indexed (for example, .pdf or .doc) is different than the type of file that is detected, there may be no match.  
Text files with different encoding than the operating system. Text files with an encodng different than the default encoding of the OS are not matched.  
Files with the same text content but different graphical content. Files with the same text content but different graphical content (for example, two files similar in text but one file contains "picture1.jpg" and the other contains "picture2.jpg") might be reported as the same (false positive).