Warnings about MCO policies when running URT


Article ID: 398284


Updated On:

Products

Data Loss Prevention Data Loss Prevention API Detection Data Loss Prevention API Detection for Developer Apps Virtual Appliance Data Loss Prevention Cloud Detection Service Data Loss Prevention Cloud Detection Service for ICAP Data Loss Prevention Cloud Detection Service for REST Data Loss Prevention Cloud Package Data Loss Prevention Cloud Prevent for Microsoft Office 365 Data Loss Prevention Cloud Service for Discovery/Connector Data Loss Prevention Cloud Service for Email Data Loss Prevention Cloud Storage Data Loss Prevention Core Package Data Loss Prevention Data Access Governance Data Loss Prevention Discover Suite Data Loss Prevention Endpoint Discover Data Loss Prevention Endpoint Prevent Data Loss Prevention Enforce Data Loss Prevention Enterprise Suite Data Loss Prevention for Mobile Data Loss Prevention Form Recognition Data Loss Prevention Network Discover Data Loss Prevention Network Monitor Data Loss Prevention Network Monitor and Prevent for Email Data Loss Prevention Network Monitor and Prevent for Email and Web Data Loss Prevention Network Monitor and Prevent for Web Data Loss Prevention Network Prevent for Email Data Loss Prevention Network Prevent for Email Virtual Appliance Data Loss Prevention Network Prevent for Web Virtual Appliance Data Loss Prevention Network Protect Data Loss Prevention Oracle Standard Edition 2 Data Loss Prevention Plus Suite Data Loss Prevention Sensitive Image Recognition

Issue/Introduction

The Update Readiness Tool (URT) details log contains the following warning:
    *** WARNING ***
    The following policies contain a message-level exception that may
    generate new incidents because of improved interpretation of matches
    and exceptions per matched component.
    See Detection Features in Data Loss Prevention 16.1 in the latest
    version of the Symantec Data Loss Prevention Help Center for additional
    information.

Environment

Upgrades to 16.1+ with policies that have 'Matched Components Only' checked.

Cause

Prior to 16.1, if an exception triggered at all, the entire message would not generate an incident for that policy.
For example, if an email had 2 attachments that both violated the matching conditions of a policy, but only one attachment qualified for an exception, no incident would be generated, because the exception successfully executed on that one attachment.

In 16.1 and later, if 2 components (such as attachments) violate the policy but only 1 of them is excluded via an exception, the other attachment/component still generates an incident.
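
The change described above, as a simplified model in Python. This is an added example, not Symantec DLP code and not part of the original article; `Component`, `incident_pre_16_1`, `incident_16_1`, `newly_reported` and the sample messages are hypothetical names and constructed data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str                # message component, e.g. body or one attachment
    violates_rule: bool      # component matches the policy's detection rule
    meets_exception: bool    # component satisfies the policy's exception

def incident_pre_16_1(components):
    """Before 16.1 (as the article describes): an exception that triggers on
    any component suppresses the incident for the entire message."""
    if any(c.meets_exception for c in components):
        return []
    return [c.name for c in components if c.violates_rule]

def incident_16_1(components):
    """16.1 and later: the exception excludes only the component it matched;
    other violating components still produce an incident."""
    return [c.name for c in components
            if c.violates_rule and not c.meets_exception]

def newly_reported(messages):
    """Messages that were silent before 16.1 but raise an incident after."""
    changed = {}
    for msg_id, comps in messages.items():
        after = incident_16_1(comps)
        if after and not incident_pre_16_1(comps):
            changed[msg_id] = after
    return changed

# Constructed sample messages (not real traffic or real policy output).
SAMPLE = {
    "msg-1": [Component("attachment:a.xlsx", True, True),
              Component("attachment:b.docx", True, False)],
    "msg-2": [Component("attachment:c.pdf", True, True)],
    "msg-3": [Component("attachment:d.csv", True, False),
              Component("attachment:e.txt", True, False)],
}

if __name__ == "__main__":
    for msg_id, comps in SAMPLE.items():
        print(msg_id, "pre-16.1:", incident_pre_16_1(comps),
              "16.1+:", incident_16_1(comps))
    print("new incidents after upgrade:", newly_reported(SAMPLE))
```

Only `msg-1`, the two-attachment case from the article, changes outcome: it was silent before 16.1 and reports the non-excepted attachment afterwards.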


Resolution

Review the policies listed in the warning and note that they may start to generate more incidents after the upgrade.
Because this change only makes exceptions narrower, the upgrade should not result in fewer incidents being generated; the listed policies may only generate more incidents.

 

Additional Information


Additionally, if only message-level conditions exist on the policy, 'Matched Components Only' will not be selectable on an exception.

Message-level conditions include the following:

  • Sender 
  • Recipient 
  • Sender Profile
  • Recipient Profile 
  • Protocol 
  • Endpoint Location 
  • DGM 
  • Endpoint Device 
  • Contextual Attribute 
  • Risk Score