ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Data Loss Prevention IDM policy not doing partial matches

book

Article ID: 172228

calendar_today

Updated On:

Products

Data Loss Prevention Network Prevent for Email Data Loss Prevention

Issue/Introduction

Symantec Data Loss Prevention (DLP) Indexed Policy Matching (IDM) policies are not working for partial data matches.

  • Those policies will work with exact data matches.
  • The incidents will show either "exact" or "100%".
  • The incidents show "exact" if there is an exact match.
  • They show "100%" if there is a partial match.

Cause

Per the following Help Center topic, the minimum number of normalized characters for exact matching is 50.
Whereas, the minimum number of normalized characters for partial matching is 300.
The test files being used were a little over 50 characters after normalization.

"Symantec Data Loss Prevention Help Center topic - Using IDM to detect exact and partial file contents"

Environment

DLP 15.x Endpoint Agent

Resolution

Using a test file that contains over 300 characters after normalization worked.
The incident then shows the expected percentage of match.