ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Agent domain filtering exclusions and inclusions

book

Article ID: 172477

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

  • Data Loss Prevention
  • Agent configuration
  • Not all the domains that are listed in "Filter by Network Properties" work
  • Incidents are in the process of creation for some of the domain filters that are supposed to be excluded
  • Incidents being created for the addresses that are listed in "Filter by Network Properties"

Agent configuration of inclusions and exclusions

  • Click System > Setting > Agent Configuration
  • Select configuration
  • Scroll down to Filter by Network Properties
  • Use the minus sign for exclusions and plus sign for inclusions
  • -symantec.com to exclude scanning symantec.com
    • ‚ÄčOr
  • +symantec.com to include scanning symantec.com
    • Or
  • -example.symantec.com,+symantec.com,* to exclude a subdomain and then include the rest of the domain

In this example, symantec.com still generates incidents.

The following is an example of domain filters

Domain Filter        := <Domain Filter Entry> [,<Domain Filter Entry>]
Domain Filter Entry  := {*|{-|+}<metadata value>}

You cannot use ports in the inclusions nor exclusions.

Cause

An invalid character in the domain filter list.
A question mark, "?", at the end of one of the domains in the list.
All domains after that invalid character are not parsed.

Resolution

Removed the invalid character from the domain list.
After which, all the domains that are listed in the "Filter by Network Properties" get properly parsed. No incidents were created for the excluded domains.


Note: We do not monitor or exclude ports separately. You cannot add www.symantec.com:9900 or similar entries.