A policy only returns 100 matches even if the file has over 100 strings that should match the policy.
Example:
There are two Excel documents, each with over 1600 "capturable strings", yet the policy incident only shows "100 matches".
How can the number of matches be increased?
The default limits are in place to prevent the performance impact of incidents with very high match counts.
Relevant versions: All supported releases
The following values can be configured from the Server Detail -> Advanced Settings page for your particular detection server. Restart the File Reader or recycle the detection server from the Server Detail page for the changes to take effect.
NOTE: Increasing these numbers increases the size of incidents and potentially slows down the incident snapshot report - it can also negatively affect the detection performance.
DI.MaxViolations
Specifies the maximum number of violations allowed with data identifiers.
EDM.MaximumNumberOfMatchesToReturn
The intermediary limit on the number of EDM matches. This limit is applied before all the search results are combined and duplicates eliminated.
IncidentDetection.patternConditionMaxViolations
The maximum number of pattern (regular expression) violations highlighted by detection. The exact number of matches may still be 'correct' but only the first 'patternConditionMaxViolations' are marked up in reporting. Increasing this number increases the size of incidents and potentially slows down the incident snapshot report.
For Endpoint:
In the agent configuration Advanced Settings you can modify the following value:
Detection.MAX_NUM_MATCHES.int (default: 300)
Please note:
Definition of the setting, per engineering:
Defines a top limit on the number of matches returned from each RAM index search. For multi-file indices this limit is applied to each sub-index search independently, before the search results are combined. As a result, the number of actual matches can exceed this limit for multi-file indices.
In other words, the limit is applied per file and/or sub-file, not to the combined total.
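To make the per-sub-index behaviour concrete (both for EDM.MaximumNumberOfMatchesToReturn above and for the engineering definition just quoted), here is an added Python model of a cap applied to each sub-index before results are combined and de-duplicated. It is not Symantec DLP code; the sub-index contents, the document tokens, the cap value and the function names are all constructed for the illustration.

```python
"""Illustrative model (not Symantec DLP code) of a per-sub-index match cap
that is applied before results are combined and de-duplicated."""

from typing import Dict, Iterable, List, Set

# Constructed sample data: three sub-indices of 150 indexed values each.
# Sub-index "b" shares its first 20 values with "a" so de-duplication is visible.
SUB_INDICES: Dict[str, List[str]] = {
    "a": [f"rec-a-{i}" for i in range(150)],
    "b": [f"rec-a-{i}" for i in range(20)] + [f"rec-b-{i}" for i in range(130)],
    "c": [f"rec-c-{i}" for i in range(150)],
}

# A scanned document (constructed) that happens to contain every indexed value.
DOCUMENT_TOKENS: Set[str] = {v for values in SUB_INDICES.values() for v in values}


def search_sub_index(sub_index: Iterable[str], tokens: Set[str], cap: int) -> List[str]:
    """Return at most `cap` indexed values found in the document, in index order."""
    hits: List[str] = []
    for value in sub_index:
        if value in tokens:
            hits.append(value)
            if len(hits) >= cap:
                break  # the cap stops this sub-index search early
    return hits


def single_file_match_count(tokens: Set[str], cap: int) -> int:
    """All values live in one index, so the cap bounds the final count directly."""
    one_index = [v for values in SUB_INDICES.values() for v in values]
    return len(set(search_sub_index(one_index, tokens, cap)))


def multi_file_match_count(tokens: Set[str], cap: int) -> int:
    """The cap is applied to each sub-index separately; the results are then
    combined and duplicates removed, so the total can exceed the cap."""
    combined: Set[str] = set()
    for sub_index in SUB_INDICES.values():
        combined.update(search_sub_index(sub_index, tokens, cap))
    return len(combined)


def demo(cap: int = 100) -> Dict[str, int]:
    """Compare the two behaviours for a given cap and report the true total."""
    return {
        "cap": cap,
        "distinct_values_in_document": len(DOCUMENT_TOKENS),
        "single_file_index": single_file_match_count(DOCUMENT_TOKENS, cap),
        "multi_file_index": multi_file_match_count(DOCUMENT_TOKENS, cap),
    }


if __name__ == "__main__":
    for cap in (100, 500):
        print(demo(cap))
```

With a cap of 100, the single-file index reports exactly 100 matches while the multi-file index reports 280 (three sub-indices capped at 100 each, minus the 20 duplicates), even though the document contains 430 distinct indexed values; only raising the cap above the true per-sub-index total (500 here) lets all 430 through, which is the trade-off the notes above describe.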
Please note, as per the official documentation:
NOTE: Use caution when modifying these settings on a detector. Contact Symantec Support before changing any of the settings on this screen. Changes to these settings typically do not take effect until after the detector has been restarted.
There have been a few cases where customers substantially increased these values and database usage grew greatly as a result.
You should exercise extreme caution any time you modify server advanced settings.