ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

EMDI Policy false positives

book

Article ID: 199060

calendar_today

Updated On:

Products

Data Loss Prevention Enterprise Suite Data Loss Prevention Endpoint Prevent Data Loss Prevention Data Loss Prevention Core Package

Issue/Introduction

An EMDI(Exact Match Data Identifier) policy is only generating matches on the regex pattern (the Custom Data Identifier created for EMDI specifically), instead of the EMDI indexed data.

Cause

Because EMDI is intended for Endpoint Agents, there is a cap on "calls" to the EMDI index for performance reasons, which is essentially the number of matches to the Custom DI in any given file submitted for detection.

That cap is 2500, and is hardcoded (not configurable) as of DLP 15.7. In addition, if there is more than 1 EMDI validator on the Data Identifier than the 2500 max number will be divided that number of times. So if you were to have 3 EMDI validators in your policy condition, then the total number of lookups would be 2500 / 3 = 833.

When this max is reached, the Endpoint Agent log should show the following entry in FINEST level:

****
WARNING | Detection.EMDICheck | Reached the max number of EMDI lookups(2500) | EMDICheck.cpp(124)
****

If the number of matches to the Custom Data Identifier exceeds this amount, no calls will be made to the EMDI component index - and ALL DI matches beyond that number will be part of the incident.

For example, a Custom DI that is only looking for 5 digit number strings will frequently generate a lot of matches. This will exceed the cap, and create what will appear to be false positives (data not part of the indexed EMDI profile).

 

Environment

Release : 15.7

Component : Symantec Data Loss Prevention Endpoint Agent and Detection Servers

Resolution

The Custom DI tied to an EMDI policy should be tuned to more closely match the requirements of the dataset being analyzed.

Additional Information

There is an enhancement to this feature, coming in a future release, to allow the cap on matches to be increased.