Symantec Data Classification Services - Configuring the Data Classification Filter for Enterprise Vault

book

Article ID: 178745

calendar_today

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

 

Resolution

Enterprise Vault comes with a registry file, DataClassificationServicesx64.reg, with which you can quickly configure the registry settings for the Data Classification Filter.

By editing the file and importing its contents into the registry of each Enterprise Vault server, you can enable the Data Classification Filter on that server.

To configure the Data Classification Filter

  1. Locate the registry file in the Enterprise Vault installation folder (typically, C:\Program Files (x86)\Enterprise Vault).  If there is no DataClassificationServicesx64.reg in the Enterprise Vault installation folder, utilize the registry file attached to this article.
  2. Open the registry file in a text editor such as Windows Notepad.
  3. Remove the semicolon (;) from the start of any line that you want to uncomment.
  4. Modify each line as necessary. Note the following points:
    • If you have enabled multiple filters of various types, the number with which you associate the Data Classification Filter determines the order in which Enterprise Vault applies it.  If you have previously added other filters, ensure that their numbers are consecutive and that none share the same number as the Data Classification Filter.
    • The MoveOnFilterFailure lines control whether Enterprise Vault moves messages to the Failed External Filter mailbox folder when the Data Classification Filter cannot process them. Enterprise Vault creates this folder automatically in the appropriate journal mailbox or user mailbox.
    • In the following line, you must replace the dcsurl string with the name or IP address of a Classification Server:
      "1"="http://dcsurl:10080/classification/classify"
      For example:
      "1"="http://dcs.symantec.com:10080/classification/classify"
      For high availability and load balancing, you can add more Classification Servers by specifying them in the same form.  Ensure that the numbers of the registry subkeys are consecutive.
  5. If you want to set any of the miscellaneous configuration options to a value other than the default value (shown below), uncomment the appropriate line  and set its value as required. Note that all these options take hexadecimal values and that the values shown in the .reg file are not the defaults.
    • ShutdownThresholdMinutes
      If Data Classification Services cannot classify a message for a period longer than this setting, the filter instructs the Enterprise Vault Exchange Agent to shut down.  The default shutdown threshold is 15 minutes.
    • WarningThresholdSeconds
      If Data Classification Services cannot classify a message for a period longer than this setting, it logs a warning in the Enterprise Vault event log to show the status of the servers.  The default is 60 seconds.
    • EnableTestModeLog
      You can configure the Classification Server so that, instead of affecting the archiving process, policies show what would take place if they were used.  Then you can check that you have configured the policies correctly.  On the Classification Server, policies that match in test mode generate some incidents that you can view in the incident report.  On the Enterprise Vault server, setting EnableTestModeLog to 1 creates a log file for each agent.  The log files are under the Enterprise Vault\Reports\DataClassificationServices folder.  Each log file contains the details of any messages that at least one policy in test mode has classified and matched.  All policies that match for the message are listed, and not just the ones that are in test mode.
    • MessageTimeoutSeconds
      This option lets you specify the number of seconds before the filter gives up waiting for Data Classification Services to classify a message.  The default is 300 seconds.  If you set too low a value for this option, Data Classification Services may never classify some messages.  Make sure that you specify a higher value for the ShutdownThresholdMinutes option than for MessageTimeoutSeconds.
  6. Save and close the registry file.  On a Windows Server 2008 R2 computer, you require elevated permissions to create or modify files in the Program Files folder.  If you cannot save the registry file in its current location, save it to the Windows desktop or any folder where you have write access.
  7. In Windows Explorer, double-click the file to import its contents into the registry.
  8. Restart the Journaling tasks or Exchange mailbox tasks as necessary.
    The following message is sent to the Enterprise Vault event log when the tasks start:
    EventID = 45329
    Description = External Filter
    'EnterpriseVault.DataClassificationFilter' initialising...

Attachments

DataClassificationServicesx64.reg get_app
DataClassificationServicesx64.reg get_app