False Positives on Keyword Proximity Matching Policies in DLP 14.5

Article ID: 163579


Products

Data Loss Prevention

Issue/Introduction

After upgrading to DLP 14.5, Keyword Proximity matching policies generate false positives when separate policies contain the same keywords and use the same proximity match in both policies.

For example:

Policy 1: Legal, Sensitive, Document (within 1 word)

Policy 2: Legal, Sensitive, Form (within 1 word)

Policy 3: Legal, Frisbee, Tournament

When content containing "Legal Sensitive" is seen, all three policies create an incident. The expected behavior is for only Policies 1 and 2 to produce an incident.

Environment

This issue was identified specifically in DLP 14.5.

Cause

A defect has been filed for this issue; please see the reference section for more details.

The defect is triggered by having two or more Keyword Proximity Matching policies with the same words in them, using the same proximity match. Referencing the example above, the trigger is that Policies 1 and 2 both contain the words "Legal" and "Sensitive" and use the same proximity match, within 1 word. This condition causes all Keyword Proximity Match policies containing "Legal" or "Sensitive" to trigger, even when the other required word is not present.


Resolution

A temporary workaround is to change the Proximity Match.  Using the above example:

Policy 1: Legal, Sensitive, Document (within 1 word)

Policy 2: Legal, Sensitive, Form (within 1 word)

Policy 3: Legal, Frisbee, Tournament

If the proximity is changed so that the policies with the same keywords have unique proximity matches (for example, change Policy 2 to "within 0 words"), the false positives are no longer triggered.
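The following Python script is an added example, not code from the article or from the DLP product. It models the expected (non-defective) behavior of the three example policies against sample content, and it includes a small lint check that flags the condition the Cause section identifies (two policies sharing keywords and the same proximity setting), so that the workaround from the Resolution section can be verified before and after the change. The matching semantics are an assumption chosen to reproduce the expected result the article describes: a policy fires when any two of its keywords appear within N words of each other, where N counts the words between them (so adjacent keywords are "within 0 words"). Policy 3 has no proximity listed on the page and is modelled here as unconstrained.

```python
import re
from itertools import combinations

# Constructed from the article's example. `within` is the number of words
# allowed between two keywords; None means no proximity constraint (assumption,
# since the page lists no proximity for Policy 3).
POLICIES = {
    "Policy 1": {"keywords": ["Legal", "Sensitive", "Document"], "within": 1},
    "Policy 2": {"keywords": ["Legal", "Sensitive", "Form"], "within": 1},
    "Policy 3": {"keywords": ["Legal", "Frisbee", "Tournament"], "within": None},
}

# The article's workaround applied: Policy 2 changed to "within 0 words" so the
# two policies that share keywords no longer use the same proximity match.
WORKAROUND_POLICIES = {
    name: dict(p, within=0) if name == "Policy 2" else dict(p)
    for name, p in POLICIES.items()
}


def tokenize(text):
    """Split content into lower-cased word tokens."""
    return [t.lower() for t in re.findall(r"[A-Za-z0-9']+", text)]


def keyword_positions(tokens, keywords):
    """Map each keyword that occurs in the content to its token offsets."""
    positions = {}
    for i, tok in enumerate(tokens):
        for kw in keywords:
            if tok == kw.lower():
                positions.setdefault(kw, []).append(i)
    return positions


def policy_matches(text, policy):
    """Assumed semantics: fire when two different keywords of the policy occur
    with at most `within` words between them. A single keyword on its own never
    fires, which is the behavior the article says the defect violates."""
    positions = keyword_positions(tokenize(text), policy["keywords"])
    if len(positions) < 2:
        return False
    within = policy["within"]
    if within is None:
        return True
    for kw_a, kw_b in combinations(positions, 2):
        for i in positions[kw_a]:
            for j in positions[kw_b]:
                if abs(i - j) - 1 <= within:
                    return True
    return False


def evaluate(text, policies=POLICIES):
    """Return the names of all policies that should produce an incident."""
    return sorted(name for name, p in policies.items() if policy_matches(text, p))


def find_proximity_collisions(policies=POLICIES):
    """Lint check: pairs of policies that share at least one keyword and use the
    same (non-empty) proximity setting, i.e. the trigger condition for the
    defect. Each hit is (policy_a, policy_b, shared keywords, proximity)."""
    collisions = []
    for (name_a, pa), (name_b, pb) in combinations(policies.items(), 2):
        shared = {k.lower() for k in pa["keywords"]} & {k.lower() for k in pb["keywords"]}
        if shared and pa["within"] is not None and pa["within"] == pb["within"]:
            collisions.append((name_a, name_b, sorted(shared), pa["within"]))
    return collisions


if __name__ == "__main__":
    print("Expected matches for 'Legal Sensitive':", evaluate("Legal Sensitive"))
    print("Colliding policies (defect trigger):", find_proximity_collisions())
    print("After workaround:", find_proximity_collisions(WORKAROUND_POLICIES))
```

Running the script shows that only Policies 1 and 2 should match "Legal Sensitive", that the original set contains one colliding pair (Policies 1 and 2 on "legal" and "sensitive" at proximity 1), and that after the Resolution's change the collision disappears while the expected matches are unchanged. The lint check can be pointed at an export of a larger policy set to find other pairs that need unique proximity values.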