Symantec Data Loss Prevention: Antivirus flags malicious files in the DLP Agent temp buffer directory

Article ID: 441000


Products

  • Data Loss Prevention Enterprise Suite
  • Data Loss Prevention
  • Data Loss Prevention Endpoint Prevent

Issue/Introduction

You receive an alert from Microsoft Defender or another third-party antivirus (AV) solution indicating that a malicious file is present in the Symantec Data Loss Prevention (DLP) Agent installation directory. The file path typically resembles the following:

C:\Program Files\Manufacturer\Endpoint Agent\temp\buffer\####\####

The alert often classifies the threat as a Trojan, Joke program, or another malicious indicator of compromise (IOC), and names the edpa.exe process as the creator or modifier of the file.

Environment

DLP Agent: Any version

Cause

This behavior occurs because of how the Symantec DLP Agent performs content inspection. When you or a system process attempts to access, move, or upload a file, the DLP Agent (edpa.exe) must inspect the file to determine if it violates any configured policies.

To perform this scan efficiently, the agent creates a temporary, cached copy of the source file in its local \temp\buffer directory. If the original file contains malicious code, the temporary copy created by DLP also contains that code. Your antivirus software then detects the malicious content within the DLP buffer directory. In this scenario, DLP is not the source of the malware; it is actively scanning a file that was already present or being accessed on the system.

Resolution

To manage these alerts and ensure the DLP Agent operates correctly, follow these steps:

1. Confirm the Detection Context

Verify that the file path in the AV alert is located within the Endpoint Agent\temp\buffer directory. This confirms that the detection is a side effect of a DLP inspection request rather than a direct infection of the DLP binaries.

2. Verify Antivirus Exclusions

You must ensure that the DLP Agent processes and directories are excluded from your antivirus scanning to prevent false positives and performance degradation.

  • Exclude the main installation directory: C:\Program Files\Manufacturer\Endpoint Agent\ (and all subdirectories).
  • Specifically ensure the \temp\buffer directory is excluded from real-time monitoring by other security products.
  • Exclude DLP processes such as edpa.exe and wdp.exe.

3. Handle the Source Threat

Because the DLP Agent is only scanning a copy of the file that triggered the inspection, use your security tools to identify and remediate the source file that the user or process was attempting to access. The DLP buffer file is temporary; the agent deletes it automatically once the inspection is complete.
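The three steps above as a single script, added here as an example; it is not part of the Broadcom article or of the DLP product. It assumes the agent is installed at the default path shown in this article, that the antivirus product is Microsoft Defender (so the Get-MpPreference and Add-MpPreference cmdlets apply), and it uses a constructed sample alert path; replace these with the values from your own alert and environment.

```powershell
<#
  Added example, not from the Broadcom article or the DLP product.
  Walks the three resolution steps for one AV alert on a Windows host:
    1. confirm the alert path lies under the DLP Agent temp\buffer directory,
    2. verify (and optionally add) Microsoft Defender exclusions,
    3. collect what is needed to locate and remediate the source file.
  Assumptions: agent installed at the article's default path; AV is Microsoft
  Defender. The default $AlertPath is a constructed sample value.
#>
param(
    [string]$AlertPath = 'C:\Program Files\Manufacturer\Endpoint Agent\temp\buffer\1234\5678',  # constructed sample
    [string]$AgentRoot = 'C:\Program Files\Manufacturer\Endpoint Agent',                        # assumed default install root
    [switch]$Apply   # without -Apply the script only reports; with it, missing exclusions are added
)

$bufferDir = Join-Path -Path $AgentRoot -ChildPath 'temp\buffer'

# --- Step 1: confirm the detection context -------------------------------
# Compare against the buffer directory with a trailing separator so that a
# sibling such as '...\temp\buffer-old' is not accepted as a match, and use an
# ordinal case-insensitive comparison because NTFS paths are case-insensitive.
$bufferPrefix = $bufferDir.TrimEnd('\') + '\'
$inBuffer = $AlertPath.StartsWith($bufferPrefix, [System.StringComparison]::OrdinalIgnoreCase)

if ($inBuffer) {
    Write-Output "Alert path is under '$bufferDir': the detection is a side effect of DLP inspection (edpa.exe buffer copy)."
} else {
    Write-Output "Alert path is NOT under '$bufferDir': treat this as an ordinary detection, not a DLP buffer artifact."
}

# --- Step 2: verify antivirus exclusions ---------------------------------
$wantedPaths = @($AgentRoot, $bufferDir)
$wantedProcs = @('edpa.exe', 'wdp.exe')

$pref = Get-MpPreference
# -notcontains is case-insensitive and also copes with a $null (empty) exclusion list.
$missingPaths = @($wantedPaths | Where-Object { $pref.ExclusionPath    -notcontains $_ })
$missingProcs = @($wantedProcs | Where-Object { $pref.ExclusionProcess -notcontains $_ })

if ($missingPaths.Count -eq 0 -and $missingProcs.Count -eq 0) {
    Write-Output "Defender exclusions for the DLP Agent are already in place."
} else {
    Write-Output "Missing path exclusions:    $($missingPaths -join ', ')"
    Write-Output "Missing process exclusions: $($missingProcs -join ', ')"
    if ($Apply) {
        if ($missingPaths.Count -gt 0) { Add-MpPreference -ExclusionPath    $missingPaths }
        if ($missingProcs.Count -gt 0) { Add-MpPreference -ExclusionProcess $missingProcs }
        Write-Output "Exclusions added (requires local administrator rights)."
    } else {
        Write-Output "Re-run with -Apply to add them."
    }
}

# --- Step 3: gather evidence for source-threat remediation ---------------
# The buffer copy is normally deleted once inspection finishes. If it still
# exists, its hash identifies the content to look for at the source location;
# otherwise rely on the AV alert details and the DLP incident data.
if ($inBuffer -and (Test-Path -LiteralPath $AlertPath -PathType Leaf)) {
    $sha256 = (Get-FileHash -LiteralPath $AlertPath -Algorithm SHA256).Hash
    Write-Output "Buffer copy still present; SHA256 $sha256 can be matched against the file the user or process was accessing."
} elseif ($inBuffer) {
    Write-Output "Buffer copy already removed by the agent (expected); locate the source file from the AV alert and DLP incident details."
}
```

Run it first without -Apply to see what would change, then with -Apply from an elevated PowerShell session. Keep the exclusions limited to the paths and processes listed in this article: a path exclusion means Defender will no longer scan anything the agent writes under that directory, which is exactly why step 3 (finding and remediating the original file) still has to be done. For an antivirus product other than Defender, substitute that product's own exclusion mechanism for the Get-MpPreference/Add-MpPreference calls.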

For detailed best practices on configuring these exclusions, refer to https://knowledge.broadcom.com/external/article/160045