In enterprise environments using Symantec Data Loss Prevention (DLP), managing endpoint agents is a critical part of maintaining data security and system hygiene. A common question arises when endpoint agents are deleted from the Enforce console: What happens if those agents continue to send data to the Detection Servers?
Key Questions and Clarifications
Q1: If an endpoint agent that was deleted from the Enforce Console still sends detection data, will that incident data be forwarded to the Enforce Server?
-> Yes. Deleting an agent from the Enforce console only removes its record from the Enforce database. It does not uninstall the DLP Agent or stop its service on the endpoint. If the agent is still running and can communicate with the Detection Server, it will continue to send incident data. The Detection Server will forward this data to the Enforce Server.
Q2: Will it create incidents in Enforce?
-> Yes. The Enforce Server does not block or discard incident data simply because the agent was previously deleted. As long as the data is properly formatted (which it typically is), Enforce will accept and log it as a valid incident.
Q3: If not, does the Detection Server discard data from unknown or deleted agents?
-> No. Detection Servers do not discard data from agents that were deleted from Enforce. In fact, if the agent still knows the Detection Server’s address, it may even re-register itself automatically.
1. Uninstall the DLP Agent from the Endpoint (Preferred Method): This ensures the agent no longer monitors or sends data.
2. Block Communication at the Network Level: Use firewalls, Network Access Control (NAC), or similar tools to prevent the agent from reaching the Detection Server.
3. Stop the DLP Agent Service on the Endpoint: This is a temporary measure and may not be foolproof, especially if the service restarts.
Note: DLP agents are designed to cache incidents and status updates locally if they cannot immediately reach the Enforce Server. Even after deletion, once communication is restored, they may attempt to upload cached data.
Conclusion
Deleting an agent from the Enforce console does not stop it from functioning or reporting data.
If an agent is deleted from the Enforce console but not removed from the endpoint, the agent will reappear in the Enforce console the next time the console receives a data push from that agent.
To fully decommission an agent, it must be uninstalled, or its communication must be blocked.
Understanding this behavior is essential for maintaining control over your DLP environment and ensuring that only authorized endpoints are reporting data.
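As an added example (not from this article or from Symantec), the following script reconciles a constructed Enforce agent export against constructed Endpoint/Detection Server connection records to surface "ghost" agents: hosts that are still reporting but no longer exist in the console. The CSV and log formats, hostnames and event names are assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample data (assumed formats, not Symantec's actual export/log layout).
# Agents currently listed in the Enforce console, as an exported CSV might look.
ENFORCE_AGENT_EXPORT = """hostname,status
WS-0101,Running
WS-0102,Running
"""

# Constructed Endpoint/Detection Server connection records: which hosts
# actually connected, what they sent, and when.
SERVER_CONNECTION_LOG = """2024-05-01T09:00:00 WS-0101 incident_upload
2024-05-01T09:05:00 WS-0102 status_update
2024-05-01T09:07:00 WS-0199 incident_upload
2024-05-01T09:09:00 WS-0250 status_update
2024-05-01T09:30:00 WS-0199 incident_upload
"""


def parse_inventory(text):
    """Hostnames the Enforce console still knows about."""
    return {row["hostname"] for row in csv.DictReader(io.StringIO(text))}


def parse_connections(text):
    """(timestamp, hostname, event_kind) tuples from the server log."""
    events = []
    for line in text.strip().splitlines():
        ts, host, kind = line.split()
        events.append((datetime.fromisoformat(ts), host, kind))
    return events


def find_ghost_agents(inventory_csv, connection_log):
    """Hosts that reported to the server but are absent from the Enforce
    inventory. These are deleted (or never registered) agents that will
    re-register and create incidents unless uninstalled or blocked."""
    known = parse_inventory(inventory_csv)
    ghosts = {}
    for ts, host, kind in parse_connections(connection_log):
        if host in known:
            continue
        entry = ghosts.setdefault(host, {"first_seen": ts, "last_seen": ts, "incidents": 0})
        entry["last_seen"] = max(entry["last_seen"], ts)
        if kind == "incident_upload":
            entry["incidents"] += 1  # cached or live incidents still arriving
    return ghosts
```

Run `find_ghost_agents(ENFORCE_AGENT_EXPORT, SERVER_CONNECTION_LOG)` against real exports to get the list of endpoints that need the uninstall or network block described above.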