
Large files detection for IDM on Endpoint Agent


Article ID: 242463


Products

Data Loss Prevention, Data Loss Prevention Endpoint Prevent

Issue/Introduction

Detection of large files does not work when an IDM rule is used. You want to use Endpoint Prevent to detect files indexed with the IDM technology, including files larger than the default 30 MB maximum size. However, after creating the required IDM indexes and a policy based on an IDM matching rule, detection still fails, even when testing with the exact files that were indexed.

Environment

Release : DLP 15.7 and newer

Component :

Cause

You have already followed guide 173111, but additional configuration may still be missing in the agent and server configuration to allow DLP to match the larger files.


Resolution

Make the following additional configuration changes to allow the Endpoint Agent to match the larger files indexed with IDM.

1. For the endpoint, change the following Advanced Settings in the Agent configuration to the file size you want (in bytes):
Detection.MAX_FILTER_FILE_SIZE.int
Detection.MAX_IDM_FILE_SIZE.int
IncidentHandler.MAX_INCIDENT_FILE_SIZE.int

For more on each setting, see the documentation: https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/15-8/about-discovering-and-preventing-data-loss-on-endp-v98548126-d294e27/adding-and-editing-agent-configurations-v43423927-d294e6953/advanced-agent-settings-v23015464-d294e1128.html

Important Note: Be aware that increasing these settings can impact Endpoint performance. We also advise 150 MB as the maximum for Endpoint Prevent.

2. On Enforce, go to the Indexer.properties file, located by default in C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\config\, and increase the value of the max_bin_match_size parameter (it should be equal to ContentExtraction.MaxContentSize).


3. On the Detection Server, modify the DDM.MaxBinMatchSize setting in Advanced Settings to match max_bin_match_size (157286400 in our scenario).

4. Reindex the IDM profile.
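
Before reindexing, the limits changed in steps 1 to 3 can be cross-checked with a short script. This is an added example, not Broadcom code: it assumes the agent and server values are copied by hand from the Enforce console into dictionaries, and the function names and sample values are constructed for illustration.

```python
MB = 1024 * 1024
ENDPOINT_MAX = 150 * MB  # maximum the article advises for Endpoint Prevent

AGENT_KEYS = (
    "Detection.MAX_FILTER_FILE_SIZE.int",
    "Detection.MAX_IDM_FILE_SIZE.int",
    "IncidentHandler.MAX_INCIDENT_FILE_SIZE.int",
)

def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_idm_limits(target, agent, indexer_text, server):
    """Return a list of findings; an empty list means all limits agree."""
    findings = []
    if target > ENDPOINT_MAX:
        findings.append(f"target {target} is above the advised 150 MB maximum")
    for key in AGENT_KEYS:  # step 1: agent Advanced Settings, in bytes
        if int(agent.get(key, 0)) < target:
            findings.append(f"{key} is below target {target}")
    # step 2: Indexer.properties on Enforce
    bin_match = int(parse_properties(indexer_text).get("max_bin_match_size", 0))
    if bin_match < target:
        findings.append(f"max_bin_match_size {bin_match} is below target {target}")
    # steps 2 and 3: both values must equal max_bin_match_size
    for key in ("ContentExtraction.MaxContentSize", "DDM.MaxBinMatchSize"):
        if int(server.get(key, 0)) != bin_match:
            findings.append(f"{key} does not equal max_bin_match_size {bin_match}")
    return findings

# Constructed sample: agent and server raised to 150 MB, Indexer.properties not yet edited.
SAMPLE_INDEXER = "# constructed excerpt\nmax_bin_match_size = 31457280\n"
SAMPLE_AGENT = {key: 157286400 for key in AGENT_KEYS}
SAMPLE_SERVER = {"ContentExtraction.MaxContentSize": 157286400,
                 "DDM.MaxBinMatchSize": 157286400}

if __name__ == "__main__":
    for finding in check_idm_limits(150 * MB, SAMPLE_AGENT, SAMPLE_INDEXER, SAMPLE_SERVER):
        print(finding)
```

An empty result means the values agree with each other; it does not replace the reindex in step 4.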
