Continuous incidents are created in Symantec Data Loss Prevention Endpoint Prevent 15.1 when logging in to Gmail using either Internet Explorer 11 or Firefox.
This does not happen when using Chrome.
This does not happen in Yahoo mail using any browser.
When logging in to Gmail, a pop-up appears indicating that a message is blocked.
Just logging in triggers the incidents; you do not need to open a message.
When that message is cleared, another message pops up indicating that a message is blocked.
This will continue until the user logs out of Gmail.
An incident is created for each pop-up message.
The incident is created against the default "HIPAA and HITECH (including PHI)" policy.
The detection triggers only on header information.
The rules that are triggering are the following two default rules:
"SSN and Treatment Keywords (Keyword Match)"
"SSN and Treatment Keywords (Data Identifiers)"
The incident shows a match on the keyword "application".
The Data Identifier (DI) is triggering against a nine-digit number that, while not an SSN, does meet the requirements of an SSN.
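
The following sketch is an added illustration, not Symantec's detection code and not part of the original article. It shows why header-only text can satisfy a compound "SSN pattern AND keyword" rule, assuming the Data Identifier can be approximated by the public SSA structural rules; the function names and sample headers are constructed for the example.

```python
import re

# Nine digits, optionally written AAA-GG-SSSS, not embedded in a longer digit run.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
# Only the keyword the incident reports; the policy's full keyword list is not on the page.
KEYWORDS = ("application",)


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Assumed approximation of the DI: SSA structural rules only
    (area not 000/666/9xx, group not 00, serial not 0000)."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def evaluate(text: str) -> dict:
    """Report what a compound 'SSN pattern AND keyword' rule would match in text."""
    numbers = [m.group(0) for m in SSN_CANDIDATE.finditer(text)
               if plausible_ssn(*m.groups())]
    lowered = text.lower()
    keywords = [k for k in KEYWORDS if k in lowered]
    # The compound rule fires only when both conditions hold in the same content.
    return {"numbers": numbers, "keywords": keywords,
            "incident": bool(numbers and keywords)}


# Constructed request headers for illustration, not captured Gmail traffic.
SAMPLE_HEADERS = (
    "POST /example/sync HTTP/1.1\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "X-Request-Id: 412907356\n"
)
SAMPLE_NO_KEYWORD = "POST /example/sync HTTP/1.1\nX-Request-Id: 412907356\n"
SAMPLE_INVALID_AREA = "Content-Type: application/json\nX-Request-Id: 912907356\n"

if __name__ == "__main__":
    for name, sample in [("headers", SAMPLE_HEADERS),
                         ("no keyword", SAMPLE_NO_KEYWORD),
                         ("invalid area", SAMPLE_INVALID_AREA)]:
        print(name, evaluate(sample))
```

Running such a check over the matched content of an incident helps confirm during triage that the match is structural (a MIME type plus an arbitrary numeric ID) rather than actual PHI.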
DLP 15.1 and 15.5
One cause has been identified.
Gmail continuously tries to sync or resync any drafts, and an incident is generated for each sync attempt.
We do not have a fix for this, because we do detect the sync attempts and each attempt generates an incident.