
Data Loss Prevention is not able to detect certain Taiwan ROC IDs


Article ID: 175928


Updated On:

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

Certain Taiwan ROC IDs are not detected by a policy that uses the Taiwan ROC ID data identifier.

Agent log

08/18/2019 23:20:22 |  6944 | FINEST  | FileSystem.FOMConnector |
<DLPFileOperationRequestMarshallable>
 <sourceFilePath type=String>C:\Users\Administrator\Documents\ROC ID all.rtf</sourceFilePath>
 <destinationFilePath type=String>\\192.168.127.10\bj\ROC ID all.rtf</destinationFilePath>
 <deviceType type="FileOperationTargetTypeMarshallable">
  <FileOperationTargetTypeMarshallable>
   <targetType type=int>3</targetType>
  </FileOperationTargetTypeMarshallable>
 </deviceType>
</DLPFileOperationRequestMarshallable>

08/18/2019 23:20:22 |  6944 | FINEST  | AgentServices.PreFilterConfiguration | FileFilter(Type&Size&Path): File[C:\Users\Administrator\Documents\ROC ID all.rtf] Size[13691] did not match any filter, using default action
08/18/2019 23:20:22 |  8176 | FINEST  | CoreServices.MessageLogger | MESSAGETYPE_FILE_OP_ADDREMOVE_REQUEST    MESSAGESOURCE_FILEOPERATION_CONNECTOR  08/19/2019 06:20:22
08/18/2019 23:20:22 |  8176 | FINER   | Configuration.ApplicationSettingsHandler | C:\Windows\Explorer.EXE {application id: -33} Microsoft® Windows® Operating System Windows Explorer
08/18/2019 23:20:22 |  8176 | FINEST  | CoreServices.MessageLogger | MESSAGETYPE_DETECTION_REQUEST    MESSAGESOURCE_FILEOPERATION_CONNECTOR  08/19/2019 06:20:22  [
Request Id #52
Detection Request Details :
 Session Command : Single Request
 Request Type : Data In Motion Request

Dim Detection Request Details :
 Process Id : 5648
 Process Path : C:\Windows\Explorer.EXE
 Application Name : Microsoft® Windows® Operating System Windows Explorer
 User : Administrator
 Domain : VM-101146357
 Time Stamp : 08/19/2019 06:20:22
 Dim Event Type : File System

DIM File Detection Request Details :
 file: C:\Users\Administrator\Documents\ROC ID all.rtf

 

On the Enforce console, the incident reports only some of the Taiwan ROC IDs in the file, not all of them.

Environment

  1. Create a Taiwan ROC ID Endpoint Prevent policy with a Detection Rule that uses Taiwan ROC ID as the data identifier. (Wide Breadth)
  2. Create any response rule, then deploy the policy.
  3. On an endpoint agent, copy the file Taiwan ROC ID.docx with the following content to a mapped drive. Endpoint Block is triggered on the agent.
  4. Check the Endpoint Incident Report for the triggered incident. The incident will only report AA20051744 as the matched identifier.

OR

  • Use the File System scan on Discover to scan the attached ROC ID file.
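
An added example (not Symantec's code and not the data identifier's own pattern): an independent count of checksum-valid IDs in the test file, compared with the identifiers the incident reported, shows which ones were missed. It assumes the publicly documented ROC ID letter-code checksum and two shapes only (one letter plus nine digits, and two letters plus eight digits like AA20051744 above); `is_valid`, `audit` and the sample text are constructed for illustration.

```python
import re

# Letter -> two-digit code of the public ROC ID checksum scheme (assumed here).
# Codes run 10..35 over this ordering; W, Z, I, O sit out of alphabetical order.
_ORDER = "ABCDEFGHJKLMNPQRSTUVXYWZIO"
LETTER_CODE = {ch: 10 + i for i, ch in enumerate(_ORDER)}
WEIGHTS = (1, 9, 8, 7, 6, 5, 4, 3, 2, 1, 1)

# Shape 1: letter + 1/2 + eight digits. Shape 2: letter + A-D + eight digits.
# The lookarounds stop a match from starting or ending inside a longer token.
CANDIDATE = re.compile(
    r"(?<![A-Za-z0-9])([A-Z][12]\d{8}|[A-Z][A-D]\d{8})(?![A-Za-z0-9])"
)

def is_valid(ident: str) -> bool:
    """True if ident has a known shape and its weighted digit sum is 0 mod 10."""
    if not CANDIDATE.fullmatch(ident):
        return False
    first = LETTER_CODE[ident[0]]
    digits = [first // 10, first % 10]
    second = ident[1]
    # A letter in position 2 contributes only the ones digit of its code.
    digits.append(LETTER_CODE[second] % 10 if second.isalpha() else int(second))
    digits.extend(int(c) for c in ident[2:])
    return sum(d * w for d, w in zip(digits, WEIGHTS)) % 10 == 0

def audit(text: str, reported: set) -> dict:
    """Compare checksum-valid IDs found in text with what the incident reported."""
    found = [m.group(1) for m in CANDIDATE.finditer(text)]
    valid = sorted({i for i in found if is_valid(i)})
    return {
        "valid": valid,
        "missed": [i for i in valid if i not in reported],
        "bad_checksum": sorted({i for i in found if not is_valid(i)}),
    }

# Constructed sample text; only AA20051744 comes from the article.
SAMPLE = "Sample: AA20051744, A123456789, A123456780, XA123456789."

if __name__ == "__main__":
    # Pretend the incident reported only the identifier named in step 4.
    for key, ids in audit(SAMPLE, {"AA20051744"}).items():
        print(f"{key}: {ids}")
```

Feed `audit` the extracted text of the real test file and the match list from the incident snapshot; anything under `missed` is a candidate to attach to the vendor case.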

Cause

Issue with the data identifier (DI) regex.

Resolution

  • Symantec is aware of this issue and will update this document when a solution becomes available.
  • It is not necessary to log a support case on this issue.
  • Please subscribe to this article to be notified of any updates.