DLP event code 1802 - Corrupted incident received
Article ID: 407174
Updated On:
Products
Data Loss Prevention Core Package
Issue/Introduction
Event code 1802 is reported in the Enforce Console and multiple .bad files are filling up the Incident folder.
Environment
Symantec Data Loss Prevention 16.x
Cause
Unsupported characters were present in the Endpoint Prevent: Notify, Endpoint Prevent: Block or Endpoint Prevent: User Cancel response rules being used by the DLP policies.
Example: alt+31 "▼"
Resolution
There are two ways to resolve this issue:
- Solution is available in DLP 16.1 MP1 and 25.1. It is an agent side solution, so the DLP agent has to be running at least 16.1 MP1 or 25.1.
- If upgrading is not an option, remove the special characters from the response rule.
Feedback
Yes
No
Powered by
