The file exceeded the data retention threshold and was not retained.
search cancel

The file exceeded the data retention threshold and was not retained.

book

Article ID: 173983

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Prevent Data Loss Prevention Data Loss Prevention Cloud Detection Service Data Loss Prevention Cloud Package Data Loss Prevention Cloud Prevent for Microsoft Office 365 Data Loss Prevention Cloud Service for Email Data Loss Prevention Cloud Storage Data Loss Prevention Discover Suite Data Loss Prevention Enforce Data Loss Prevention Network Email Data Loss Prevention Network Monitor and Prevent for Email Data Loss Prevention Network Prevent for Email

Issue/Introduction

You are reviewing an Endpoint Incident in the DLP Enforce console.

When you click on the attachment in the incident, the .wav file that caused the incident is now replaced by a .wav.txt with contents: "The file exceeded the data retention threshold and was not retained"

Cause

This is the correct behaviour and by design. 

Versions of DLP prior to 14.5 DLP would truncate files at a threshold which generally led to corrupt unreadable files in the console because very few file types are still usable post-truncation.

This behaviour was changed in version 14.5 and later to discard attachments above a specified threshold size and instead replace them with a text file of the same name with the message inside "The file exceeded the data retention threshold and was not retained".

 

Resolution

The DLP Agent Configuration - Advanced Agent Setting named IncidentHandler.MAX_INCIDENT_FILE_SIZE.int allows you to choose a reasonable size threshold that can be supported by your network bandwidth and database storage designs, which in turn permits inclusion of attachments, without the corruption up to that pre-defined threshold size.

If the file exceeds the data retention threshold value of IncidentHandler.MAX_INCIDENT_FILE_SIZE.int the the file is discarded as mentioned above. The default value of this setting is 31457280 bytes.

To modify the threshold value follow these steps:

  1. Login to the Enforce console and go to System > Agents > Agent Configuration page.
  2. Select the Endpoint Agent configuration you wish to modify and apply the change to. 
  3. For version 14.x or below click on the Advanced Agent Settings tab
  4. For version 15.x click on the Advanced Settings tab
  5. Scroll down the page until you find the setting IncidentHandler.MAX_INCIDENT_FILE_SIZE.int 
  6. Then enter a threshold value that you require to keep files up to that threshold and discard the rest. 
  7. Click Save.
  8. Click Apply Configuration.
  9. Select the Agent Group to apply the change to and click the Update Configuration button.
  10. At the Update Configuration prompt click OK.

 

 

Powered by Wolken Software