Endpoint Prevent detection stops working after server upgrade to 16.0 RU1 or later

Article ID: 380609

Products

Data Loss Prevention Endpoint Discover
Data Loss Prevention
Data Loss Prevention Endpoint Prevent
Data Loss Prevention Endpoint Suite

Issue/Introduction

You have upgraded the DLP infrastructure (the servers) to 16.0 RU1 or newer while the Agents remain on an older build from the 16.0 branch, for example 16.0 MP2.

After the upgrade, the number of DLP Endpoint Prevent incidents drops visibly, especially for protocols such as browser HTTPS, Outlook, Copy to Network Share and Copy to Removable Storage.

Environment

DLP servers upgraded to 16.0 RU1 or newer; DLP Agents still on an older 16.0 version.

Cause

In the DLP Agent log with FINEST logging enabled, you may see the following error for several detection requests:

[
Request Id #YY FAILURE invalid string position allow
Scan Time : XXX ms]
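
To confirm that the incident drop matches this failure signature before changing any policy, the following added example (not code from the article or from the DLP product) parses an agent log excerpt for these bracketed detection-request entries and counts the failed requests by failure text. The sample log is constructed; the Request Ids, scan times and the layout of SUCCESS entries and the allow/block verdict token are assumptions based on the pattern above.

```python
import re
from collections import Counter

# Constructed sample of a DLP Agent FINEST log excerpt. Ids and times are
# placeholders; the FAILURE text is the one quoted in the article.
SAMPLE_LOG = """\
[
Request Id #41 SUCCESS allow
Scan Time : 12 ms]
[
Request Id #42 FAILURE invalid string position allow
Scan Time : 3 ms]
[
Request Id #43 FAILURE invalid string position allow
Scan Time : 4 ms]
[
Request Id #44 SUCCESS block
Scan Time : 27 ms]
"""

# "Request Id #<n> <STATUS> [<detail>] <verdict>"; detail is optional and
# only present on failures (assumed format for SUCCESS lines).
REQUEST_RE = re.compile(
    r"^Request Id #(?P<id>\d+) (?P<status>SUCCESS|FAILURE)"
    r"(?: (?P<detail>.*?))? (?P<verdict>allow|block)$"
)
SCAN_RE = re.compile(r"^Scan Time : (?P<ms>\d+) ms\]$")

def parse_entries(log_text):
    """Return one dict per detection request, pairing each Request Id
    line with the Scan Time line that follows it."""
    entries, pending = [], None
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line.strip())
        if m:
            pending = {"id": int(m["id"]), "status": m["status"],
                       "detail": m["detail"] or "", "verdict": m["verdict"]}
            continue
        s = SCAN_RE.match(line.strip())
        if s and pending is not None:
            pending["ms"] = int(s["ms"])
            entries.append(pending)
            pending = None
    return entries

def summarize_failures(log_text):
    """Count FAILURE entries by their detail text and list their ids."""
    counts, failed_ids = Counter(), []
    for e in parse_entries(log_text):
        if e["status"] == "FAILURE":
            counts[e["detail"]] += 1
            failed_ids.append(e["id"])
    return counts, failed_ids
```

A high share of "invalid string position" failures on requests that were still allowed is the pattern this article describes; run it over the real agent log before deciding which of the resolutions below to apply.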


Resolution

Check whether an active policy uses the Data Identifier (DI) condition "IPv6 Address". It has been confirmed that in a mixed-version setup, with servers on 16.0 RU1 or newer, older Agents produce these errors because of the updated definition of this DI; the definition itself was changed in 16.0 RU1.

In that situation, the following solutions are available:

1) Temporarily disable the policy that includes a condition for that DI.

2) Remove only that condition from the policy and leave the rest of the policy active.

3) The recommended long-term solution is to upgrade all DLP Agents to the same version as the DLP servers.