Email Data Protection policy does not trigger as expected

Article ID: 162271

Updated On:

Products

Email Security.cloud

Issue/Introduction

You have created a Data Protection Policy for Symantec Email Security.cloud, but certain email does not trigger the rule when you expect that it should.

Cause

The issue is commonly caused by a problem in the conditions of the rule. However, it may also be an issue with the data, particularly when testing.

Resolution

Data Protection “False Negatives”

A false negative occurs when an email does not trigger a rule that you expect it to trigger.

Propagation time

Changes take up to an hour to propagate. Compare the sample email's date/time to the policy's Last Modified date/time.

Global rules

If rules are set at the Global level, check whether the domain is configured to use Global or Custom settings.

Administrator address(es)

  • Any address that is set as an Admin in Data Protection is exempt from ALL rules, including Email Impersonation.
  • This includes the Default admin address in the Settings and any custom admin address on ANY Data Protection Policy.

Attachment Condition vs. Email Condition

  • When using MIME-Type, it should usually be an Attachment MIME-Type condition rather than an Email MIME-Type condition.
  • Email Size is the size of the whole email with all attachments, encoded in MIME, which inflates the size. An email with an 8 MB attachment would likely trigger on an Email Size Greater than 10 MB condition.
  • Attachment Size is checked individually against each attachment. An Attachment Size Greater than 10 MB condition would not trigger on an email with 10 individual 2 MB attachments.

Invalid test numbers for templates

Credit cards must pass a Luhn algorithm check. Use creditcardity.com to confirm the number passes.

Invalid SSNs

  • Any number with a group (3, 2, 4) of all zeros. For example:

    000 XX XXXX, XXX 00 XXXX, XXX XX 0000
     
  • Any number beginning with 666 or 900-999. For example:

    666 XX XXXX, 9XX XX XXXX

Incomplete keyword searching when using special characters

For alphanumeric-only content, special characters serve as delimiters. For example, a keyword search for confidential would trigger on (confidential). However, if the keyword itself contains a special character, special characters no longer serve as delimiters. This can be an issue if you are trying to search headers for IP or email addresses: a keyword search for *@domain.com in the header will not trigger matches, because IP and email addresses in headers are enclosed in brackets or quotes. The keyword search should end with a single-character or multi-character wildcard, for example:

  • *12.34.56.78* or ?12.34.56.78?
  • *@domain.com? Or *@domain.com*

PDF false negatives

If the false negative is reported for content in a PDF, it is possible that the document was created using a scanner, and the scanner has created an image-only version with no selectable text.

To test this, press Ctrl+A to select all, Ctrl+C to copy, and then Ctrl+V to paste the text into a text editor so that you can search for the offending text. If you use Foxit PDF Reader, you can also select Text Viewer under the View tab.

Data Protection “False Positives”

A false positive occurs when an email triggers a rule when you did NOT expect it to.

Generally this is an undesired but correct match based on content in the email. For example:

  • X-MICROSOFT-CDO-OWNERAPPTID:205043913 [This is from an Outlook meeting invite, and the nine-digit portion triggers as an SSN match]
  • https://www.facebook.com/MANDATORY/photos/a.251564004947905.47255.205523986218574/371449635398431/?type=1 [This is a URL in an email and a portion of it triggers as a Credit Card match]

It is difficult to prevent these matches because the system is matching correctly.
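As an added example (not Symantec's code), the following Python applies the Luhn check and the invalid-SSN rules from the false-negative section to constructed test values, then runs the same checks over the two false-positive samples above to show why a correctly working template matches them. The regular expressions are assumptions about how a template tokenises candidates, not the product's own patterns.

```python
import re

def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check that card-number templates require."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):  # double every second digit from the right
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

SSN_RE = re.compile(r"^(\d{3})[- ]?(\d{2})[- ]?(\d{4})$")

def ssn_valid(ssn: str) -> bool:
    """Apply the article's invalid-SSN rules: no all-zero group, no area 666 or 900-999."""
    m = SSN_RE.match(ssn.strip())
    if not m:
        return False
    area, group, serial = m.groups()
    if area == "000" or group == "00" or serial == "0000":
        return False
    return area != "666" and not 900 <= int(area) <= 999

def ssn_candidates(text: str) -> list:
    """Nine-digit runs (optional separators) that an SSN template would accept (assumed pattern)."""
    pat = r"(?<!\d)\d{3}[- ]?\d{2}[- ]?\d{4}(?!\d)"
    return [m.group() for m in re.finditer(pat, text) if ssn_valid(m.group())]

def cc_candidates(text: str) -> list:
    """13-16 digit runs that pass Luhn, as a card-number template would match them (assumed pattern)."""
    pat = r"(?<!\d)\d{13,16}(?!\d)"
    return [m.group() for m in re.finditer(pat, text) if luhn_valid(m.group())]

# Constructed test inputs: the two false-positive examples quoted in this article.
INVITE_HEADER = "X-MICROSOFT-CDO-OWNERAPPTID:205043913"
PHOTO_URL = ("https://www.facebook.com/MANDATORY/photos/"
             "a.251564004947905.47255.205523986218574/371449635398431/?type=1")

if __name__ == "__main__":
    print(luhn_valid("4111111111111111"), luhn_valid("1234567890123456"))  # True False
    print(ssn_valid("123-45-6789"), ssn_valid("000-12-3456"), ssn_valid("912-34-5678"))
    print(ssn_candidates(INVITE_HEADER))  # ['205043913']
    print(cc_candidates(PHOTO_URL))       # ['371449635398431']
```

Only one of the three fifteen-digit runs in the URL passes Luhn, which is exactly the one the template reports; the other two are ignored.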

To help prevent false positives, you can add a secondary condition to the rule to look for corresponding keywords, such as:

  • SSN Keywords – SSN, Social Security, SS#
  • Credit Card Keywords – CC, Visa, MC, Amex, Credit Card

PDF false positives

If the false positive is reported for content in a PDF, it is possible that the document was created using a scanner and the scanner has created a text version using Optical Character Recognition. This often creates a version with garbled text that may match list items. This can be checked by opening the document in a PDF reader and attempting to select text.

To test this, press Ctrl+A to select all, Ctrl+C to copy, and then Ctrl+V to paste the text into a text editor so that you can search for the offending text. If you use Foxit PDF Reader, you can also select Text Viewer under the View tab.