DLP File Scan is scanning more files than it should after an upgrade

Article ID: 223465

Products

Data Loss Prevention Network Discover, Data Loss Prevention

Issue/Introduction

After upgrading Symantec Data Loss Prevention (DLP) from 15.1 to 15.7, file scans scan and quarantine more files than they should.
This only happens when auto-quarantine is enabled.
The scan throws no errors or warnings.

Two credentials are configured: one for the scan and one for the quarantine (remediation).
The credentials are the same ones that worked as expected in 15.1 prior to the upgrade.

The scan credentials have less access and fewer permissions on the file shares than the remediation credentials.
When auto-quarantine is enabled, the file scan uses the remediation credentials for both the scan and the quarantine.

Cause

In DLP 15.5 we changed the way the file share scan uses the credentials by introducing an order of priority.
The 15.5 and higher Administration Guides state this:

"As Network Discover and Network Protect enable you to provide scanning and remediation credentials in multiple areas on the Edit File System Target window, the configured credentials are used in the following order of priority:

1. Remediation credentials that are configured in the Protect section of a content root in the Scanned Content tab.
2. Remediation credentials that are configured in the Protect tab.
3. Scan credentials that are configured in the General section of a content root in the Scanned Content tab.
4. Global scan credentials that are configured in the Default User section of the Scanned Content tab."


Thus, when you enable remediation (quarantine), the scan uses the remediation credentials for both the scan and the remediation.
When remediation is not enabled, the scan uses the scan credentials for the scan.
This change was made in 15.5 when we provided support for remediation using native mounting on Windows.
We can only mount the host once, so we use the more permissive remediation credentials when remediation is enabled.

Resolution

Ensure that the account used for remediation only has access to the desired scan targets.
The scan and remediation accounts will still have different credentials, but both accounts should have access to the same directories/roots for the file scan.
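
One way to check a target for this before enabling auto-quarantine, as an added example that is not Symantec's code: it resolves which account the scan will use under the priority order quoted above and lists directories that account reaches but the scan account does not. The target dictionary, its field names, the account names and the `READABLE` permission map are all hypothetical and constructed; in practice the map would come from your own review of share permissions.

```python
# Added illustration: a hypothetical model of a File System target, not DLP's API or schema.
PRIORITY = ("root_remediation", "target_remediation", "root_scan", "default_scan")

def effective_credential(target, root):
    """Return (slot, account) used to mount the share, per the 15.5+ priority order."""
    remediating = target.get("remediation_enabled", False)
    slots = {
        # Remediation credentials only take part when remediation is enabled.
        "root_remediation": root.get("remediation_cred") if remediating else None,
        "target_remediation": target.get("remediation_cred") if remediating else None,
        "root_scan": root.get("scan_cred"),
        "default_scan": target.get("default_scan_cred"),
    }
    for slot in PRIORITY:
        if slots[slot]:
            return slot, slots[slot]
    raise ValueError(f"no credential configured for {root['path']}")

def scope_drift(target, readable):
    """Map each content root to (account used, directories it can read that the
    intended scan account cannot). Those directories get scanned and quarantined."""
    findings = {}
    for root in target["content_roots"]:
        _, used = effective_credential(target, root)
        intended = root.get("scan_cred") or target.get("default_scan_cred")
        seen = readable.get(used, {}).get(root["path"], set())
        wanted = readable.get(intended, {}).get(root["path"], set())
        if seen - wanted:
            findings[root["path"]] = (used, sorted(seen - wanted))
    return findings

# Constructed sample data: account names, shares and directory listings are made up.
READABLE = {
    "svc_dlp_scan": {r"\\fs01\finance": {"reports"}, r"\\fs01\hr": {"public"}},
    "svc_dlp_remediate": {r"\\fs01\finance": {"reports", "payroll", "archive"},
                          r"\\fs01\hr": {"public"}},
}
TARGET = {
    "remediation_enabled": True,
    "remediation_cred": "svc_dlp_remediate",   # Protect tab
    "default_scan_cred": "svc_dlp_scan",       # Default User section
    "content_roots": [{"path": r"\\fs01\finance"}, {"path": r"\\fs01\hr"}],
}

if __name__ == "__main__":
    for path, (account, extra) in scope_drift(TARGET, READABLE).items():
        print(f"{path}: mounted as {account}, also reaches {extra}")
```

An empty result means the remediation account reaches nothing beyond the scan account on the listed roots, which is the state the resolution asks for.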