search cancel

False positive for Hong Kong ID wide breath detection

book

Article ID: 174579

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

There are false positive incidents triggered for Hong Kong ID detection policy when the selecting Hong Kong ID (Data Identifiers) Breadth as “Wide”.
E.g 800000000, 850000000, 20140613(2), 20140619(2) are not valid Hong Kong ID.
 

In the incident details from the Enforce console, you will be able to see the false positive incident being triggered.

 

In the agent logs you can also verify that the incident is being triggered.

05/31/2019 05:24:02 |  2588 | INFO    | Outlook.OutlookClient | Getting Recipients table..
05/31/2019 05:24:02 |  2588 | INFO    | Outlook.OutlookClient | Querying rows in recipients table..
05/31/2019 05:24:02 |  2588 | INFO    | Outlook.OutlookClient | Found [2] rows in the recipients table

05/31/2019 05:24:02 |  2588 | INFO    | Outlook.OutlookClient | Querying rows in recipients table..
05/31/2019 05:24:02 |  1764 | INFO    | CoreServices.MessageLogger | MESSAGETYPE_DETECTION_REQUEST    MESSAGESOURCE_OUTLOOK_CONNECTOR  05/31/2019 05:24:02  [
Request Id #275
Detection Request Details :
 Session Command : Single Request
 Request Type : Data In Motion Request

Dim Detection Request Details :
 Process Id : 3724
 Process Path : C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE
 Application Name : Microsoft Outlook
 User : Administrator
 Domain : DLPDI
 Time Stamp : 05/31/2019 05:24:02
 Dim Event Type : Email

Email Details :
 Subject : This is a Hong Kong ID false positive test
 Sender : [email protected]
 Sent Time : 05/31/2019 05:24:02
 Recipients : [email protected],[email protected]
]
05/31/2019 05:24:02 |  1764 | INFO    | CoreServices.MessageLogger | MESSAGETYPE_SCHEDULE_DETECTION    MESSAGESOURCE_DETECTION_CACHE  05/31/2019 05:24:02  [req#275 CrackingProcessPriority=NORMAL]
05/31/2019 05:24:02 |  1764 | INFO    | CoreServices.MessageLogger | MESSAGETYPE_START_DETECTION    MESSAGESOURCE_DETECTION_SCHEDULER  05/31/2019 05:24:02  [req#275 CrackingProcessPriority=NORMAL]
05/31/2019 05:24:02 |  1764 | INFO    | CoreServices.MessageLogger | MESSAGETYPE_DETECTION_RESULT    MESSAGESOURCE_DETECTION  05/31/2019 05:24:02  [req#275 SUCCESS has incidents]
05/31/2019 05:24:02 |  1764 | INFO    | CoreServices.MessageLogger | MESSAGETYPE_2TIERDETECTION_REQUEST    MESSAGESOURCE_DETECTION  05/31/2019 05:24:02

 

Environment

Data Loss Prevention: 15.0 MP1

Any version of Windows

Resolution

Upgrade to Data Loss Prevention 15.1 MP1 as stated in the Data Loss Prevention 15.1 MP1 Release note. Issue id is 4183328

Attachments