
DLP Agents showing "Critical" status in Enforce


Article ID: 174429


Products: Data Loss Prevention Endpoint Prevent, Data Loss Prevention

Issue/Introduction

Critical status indicates that the DLP Agents in this state have experienced conditions that require immediate attention.

Cause

Critical agent alerts generally include the following:

  • A driver is not running

  • The DLP Agent version is not compatible with the Endpoint Server

  • Active Directory permissions conflict with Symantec Data Loss Prevention permissions

  • The DLP Agent cannot report to the Endpoint Server

  • The DLP Agent is unable to monitor the macOS applications that are protected by System Integrity Protection (SIP)

Resolution

For each agent alert, the cause and the fix are listed below.

Agent not reporting

The agent has not reported to an Endpoint Server within the specified period of time. If the agent does not report after 18 hours, then Symantec Data Loss Prevention identifies the agent as not-reporting. Not-reporting agents do not receive the latest policies and configuration information, so they are marked with a Critical agent alert.

To fix the issue:

  • Verify the endpoint machine where the agent is installed exists. If it does not exist, you can delete the agent from the Enforce Server.*
  • Verify the agent EDPA service is running on the endpoint machine.
  • Verify the network connection between the Endpoint Server and the endpoint.

*You access the Agents List screen by clicking an agent status or alert type link on the System > Agents > Overview screen.

Agent version is not supported

The agent is two versions older than the Endpoint Server version to which it connects. For example, if the Endpoint Server is version 15.0 and the agent is 12.0.x, a Critical agent alert displays. The features available in Enforce and Endpoint Server are not available for these agents. Symantec Data Loss Prevention identifies these agents with a Critical alert because these agents do not provide current Symantec Data Loss Prevention features and may not operate as designed.

  • Upgrade the agent to the latest version.

File system driver is down

The agent service cannot communicate with the Symantec Data Loss Prevention driver installed on the endpoint. Communication may not occur for the following reasons:

  • The file system drivers have been deleted.
  • Symantec Data Loss Prevention identifies the driver as invalid. This invalidation sometimes occurs when the driver has been modified.
  • Communication between Symantec Data Loss Prevention and the agent driver is broken due to an attack.

To fix the issue:

  • Restart the endpoint.
  • Reinstall the endpoint.
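The "Agent not reporting" and "File system driver is down" checks above (EDPA service running, driver present and running, network path to the Endpoint Server open) can be run from the endpoint itself. The following PowerShell function is an added triage example, not Symantec's own tooling: it assumes a Windows endpoint where the agent runs as the "EDPA" service, takes the Endpoint Server host and port from the operator (the 10443 default is a placeholder to confirm against your deployment), and takes the driver service names as a parameter because this article does not name them.

```powershell
# Added example (not Symantec's code). Assumptions: Windows endpoint, agent
# service "EDPA" (named in this article), Endpoint Server host/port supplied
# by the operator (10443 is a placeholder), driver names supplied by the operator.
function Test-DlpAgentHealth {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $EndpointServer,
        [int]                             $Port = 10443,        # placeholder, verify
        [string]                          $AgentService = 'EDPA',
        [string[]]                        $DriverName = @()      # DLP kernel driver names, if known
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # Check 1: the agent service exists and is running ("Agent not reporting" row).
    $svc = Get-Service -Name $AgentService -ErrorAction SilentlyContinue
    if (-not $svc) {
        $findings.Add("Service '$AgentService' is not installed")
    } elseif ($svc.Status -ne 'Running') {
        $findings.Add("Service '$AgentService' is $($svc.Status)")
    }

    # Check 2: kernel drivers are loaded ("File system driver is down" row).
    # Get-Service does not list kernel drivers, so query Win32_SystemDriver instead.
    foreach ($drv in $DriverName) {
        $d = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$drv'" -ErrorAction SilentlyContinue
        if (-not $d) {
            $findings.Add("Driver '$drv' is not registered (deleted or never installed)")
        } elseif ($d.State -ne 'Running') {
            $findings.Add("Driver '$drv' is $($d.State)")
        }
    }

    # Check 3: TCP path from this endpoint to the Endpoint Server ("network connection" step).
    $net = Test-NetConnection -ComputerName $EndpointServer -Port $Port -WarningAction SilentlyContinue
    if (-not $net.TcpTestSucceeded) {
        $findings.Add("No TCP connection to ${EndpointServer}:$Port")
    }

    # One object per endpoint, easy to collect centrally and compare with the Enforce status.
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        AgentService   = if ($svc) { [string]$svc.Status } else { 'Missing' }
        EndpointServer = "${EndpointServer}:$Port"
        Reachable      = [bool]$net.TcpTestSucceeded
        Healthy        = ($findings.Count -eq 0)
        Findings       = ($findings -join '; ')
    }
}

# Usage (constructed hostname and driver name, replace with your own values):
# Test-DlpAgentHealth -EndpointServer 'dlp-endpoint01.example.local' -DriverName 'EXAMPLE_DLP_DRIVER'
```

Run it on an endpoint that Enforce lists as Critical: a "Missing" or stopped service points at the service fix, an unregistered driver at the restart/reinstall fix, and Reachable = False at the network path rather than the agent itself.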

Mac OS application is not monitored

The DLP Agent monitors the macOS applications that are protected by System Integrity Protection (SIP) on macOS 10.11 and later as listed in the Symantec Data Loss Prevention System Requirements and Compatibility Guide. Updating the macOS version beyond the supported version causes the agent to no longer monitor the applications protected by SIP. The agent continues to monitor all other channels.

Refer to: Monitoring macOS applications where SIP is enabled.