DLP policies that use profiled DGM as a “user group” for senders/recipients can cause missed detections

Article ID: 370876


Updated On:

Products

Data Loss Prevention Core Package

Issue/Introduction

In the impacted versions listed below, a profiled DGM condition (where an EDM profile is used as a user group in a sender/recipient condition) whose WHERE clause contains multiple values can miss detections.

Environment

Versions Impacted:

  • 16.0
  • 16.0 RU1
  • 16.0 RU1 MP1

Versions that are not impacted:

  • 16.0 RU2

Cause

Important: This issue does not impact DLP policies that use generic EDM profiles.

Impacted versions of DLP incorrectly parse WHERE clauses with multiple values.

DLP customers can create a policy using a profiled DGM condition to detect records that meet specific criteria, such as:

If a corporate employee is sending a sensitive email to partner Partner.com, but the employee is a member of an unauthorized Business Unit such as HR, Engineering, or Legal, then you want to block the email.

Employees in those groups have no business sending sensitive email to Partner.com.

Below is a screenshot of the policy configuration in the UI

Note: This impacts only the values in the WHERE clause of the rule, not the EDM itself.

Resolution

For the affected versions, please download the corresponding hotfix from the Broadcom support portal.

Symantec_DLP_16.0_MP2HF11

Symantec_DLP_16.0.1_RU1MP1HF3