Best practice: DLP Servers with Backup Solutions
search cancel

Best practice: DLP Servers with Backup Solutions


Article ID: 170152


Updated On:


Data Loss Prevention


The DLP application reads and writes frequently to some common directories. If a Backup is running on a DLP Server, the DLP process may not be able to gain access to the files or folders and the DLP process may fail. To resolve this issue, exclude some directories from any scheduled or real-time Backup of the DLP servers.

Not Excluding these folders in the backup could result in corrupted data.

For Example, when a backup attempts to backup a file under the scan folder, various derby database failures can occur when the backup had temporarily blocked access to this incremental database causing the entire target to get scanned again as if it was a full scan.


Using the Backup software, locate the area where you can define the directories for backup exclusion, and exclude the following directories from the backup:

For DLP 11.6 through 15.0:


For DLP 15.1 and newer:

Enforce Server Specific:
C:\ProgramData\Symantec\Data Loss Prevention\Enforce Server\15.1\logs
C:\ProgramData\Symantec\Data Loss Prevention\Enforce Server\15.1\temp
C:\ProgramData\Symantec\Data Loss Prevention\Server Platform Common\15.1\scan
C:\ProgramData\Symantec\Data Loss Prevention\Server Platform Common\15.1\incidents
C:\ProgramData\Symantec\Data Loss Prevention\Enforce Server\15.1\tomcatTemp
C:\ProgramData\Symantec\Data Loss Prevention\Enforce Server\15.1\tomcatWorkDir
[Drive]:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\Protect\tomcat

Detection Server Specific:
C:\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\drop
C:\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\logs
C:\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\temp
C:\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\scan
C:\ProgramData\Symantec\Data Loss Prevention\Server Platform Common\15.1\incidents
C:\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\spool

You must also exclude the local temporary folder of the user that runs the DLP services (usually 'protect').

This can be tested by running the following command while logged in as the 'protect' user: echo %TEMP%

Typically the user is named protect, so by default the path is:

Note that for Windows Server 2003 and older, the default temp folder would have been:
C:\Documents and Settings\protect\Local Settings\Temp

Additional Information

You may want to refer to Guidelines for excluding Symantec Data Loss Prevention installation directories from third-party file backups for additional guidance.