Understanding the difference between DLP Endpoint Prevent and Endpoint Discover.

Article ID: 256122

Products

Data Loss Prevention Endpoint Discover, Data Loss Prevention Endpoint Prevent

Issue/Introduction

When using the DLP Agent, it is important to understand the difference between Endpoint Prevent and Endpoint Discover.

Resolution

Endpoint Prevent


Symantec DLP Endpoint Prevent monitors and blocks confidential data from leaving an endpoint computer. It can also present an onscreen pop-up notification to inform the user of a policy violation. Endpoint Prevent is powered by one or more Endpoint servers and by compact, stable agents that contain data loss policies and perform local detection.

Fig 1.0 below depicts an Endpoint server along with endpoint agents that are monitoring activity on endpoint computers. If a user attempts to transfer confidential data against policy, the agent executes the appropriate response, which may be to block the transfer, prompt the user to confirm the action, display an onscreen notification, or execute custom responses (such as encrypting confidential files upon copy to USB). The agent continues to provide protection even if the endpoint computer is not connected to the network, and it writes encrypted incident data to disk regardless of whether there is a connection. When the agent connects to the Endpoint server, it sends the incident data to the Endpoint server, which then forwards it to the Enforce server.

Fig 1.0: Endpoint server with endpoint agents monitoring endpoint computers

Endpoint Discover


Symantec DLP Endpoint Discover scans endpoints for stored confidential data and, for Windows endpoint computers, can quarantine such files or, via the FlexResponse API, execute custom responses on them.

Endpoint Discover relies on the same Endpoint servers and compact agents that are used for Endpoint Prevent, as depicted in Fig 1.0 above.

Similar to Network Discover, Endpoint Discover requires the administrator to configure a scan target, which in this case governs the scanning of up to thousands of endpoint computers. In the target, administrators select applicable policies and can configure various scan filters, including directory filters, file size filters, and file modification date filters. Even if the endpoint computer is not connected to the corporate network (or to the Internet at all), the agent continues to run the scan, storing incidents in the agent’s encrypted data store. When the agent connects to the Endpoint server, it sends incidents up. Administrators can specify a time limit for scans or can configure scans to end when Endpoint servers no longer receive scan-related data from agents for a specified amount of time.

When Endpoint Discover detects confidential files on Windows endpoint computers, it can quarantine them or apply customized automatic responses built on our FlexResponse API (for example, a FlexResponse rule might engage another product to encrypt files). For Mac endpoint computers, Endpoint Discover simply logs an incident.

Additional Information

Symantec DLP continues to evolve, and improvements are added with every new release. It is always good to check the release documentation for new features.

About Endpoint Discover

https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/16-0/about-discovering-and-preventing-data-loss-on-endp-v98548126-d294e27/how-works-v15601693-d294e46550.html

About Endpoint Prevent Monitoring

https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/16-0/about-discovering-and-preventing-data-loss-on-endp-v98548126-d294e27/about-monitoring-v15912889-d294e29099.html
