Channel: Symantec Connect: Data Loss Prevention (Vontu) Customer Group
Viewing all 179 articles

Deriving Business Value from IT Analytics Symantec Data Loss Prevention 3.0 Reports


The newest version of the IT Analytics Symantec Data Loss Prevention Content Pack 3.0 enables DLP program managers to easily leverage numerous reports and dashboards that communicate the value of the DLP program to executive sponsors and business unit stakeholders. It provides in-depth visibility into DLP operational data across its functions for auditors, IT managers and incident remediators' managers. In this latest release, significant effort went into several real-world business use cases to maximize the overall investment in the Symantec Data Loss Prevention tool.

This document takes a detailed look at the almost 40 reports available out of the box in IT Analytics Symantec Data Loss Prevention, providing report descriptions, tailored use cases and the resulting business value, and poses questions that can be answered by using IT Analytics to improve an organization's risk posture.


Modifying IT Analytics Reports to Decrease Load Times


For IT Analytics reports hosted by SQL Server Reporting Services (which include the out-of-the-box reports and dashboards), some users may experience extended wait times before a report renders, and in some cases the report may even fail or time out. This typically occurs in environments with extremely large data volumes where reports are pre-configured to display all data by default (without filtering).

To minimize the time it takes for such reports to load, you can configure them so that data is filtered by default, which greatly improves performance. This article describes that process using Microsoft Report Builder, a client-side application that ships with SQL Server Reporting Services.

 

Selecting the Report

  1. To load Report Builder, open the Symantec Management Platform Console and navigate to: Settings > Notification Server > IT Analytics Settings > Reports > Report Builder. Then click the Launch Report Builder button.

[Screenshot: article31-1_0.png]

  2. If prompted, click Run to start downloading the application.
  3. Be patient; launching the application may take a minute or two, depending on connectivity. While the application is loading, you should see this message:

[Screenshot: article31-2_0.png]

  4. Click Open to select the report you want to optimize. Under the default configuration, all IT Analytics reports are stored within the ITAnalytics folder off the ReportServer root.

[Screenshot: article31-3_0.png]

NOTE: For the purposes of this example, we will select the IT Analytics Configuration Events report. The parameters you select in the next section of this article may therefore differ.

Modifying the Report

  1. When the report opens, expand Parameters in the Report Data pane on the left, then right-click the From parameter and select Parameter Properties.

[Screenshot: article31-4_0.png]

  2. Navigate to Default Values > Get values from a query. For both fields select MaxDate from the drop-down list, then click OK.

[Screenshot: article31-5_0.png]

NOTE: Write down the original values before making any modifications.

  3. Modify the properties for the Types parameter and navigate again to Default Values. Select Specify Values and Add new value. In the field, type 'Cube Processing' (without quotes) as shown below, then click OK. If you are modifying a different report, select an appropriate parameter and input a default value that matches a value for that parameter.

[Screenshot: article31-6_0.png]

  4. Modify the properties for the Targets parameter and navigate again to Default Values. Select Specify Values and Add new value. In the field, type 'Processing Trace' (without quotes) as shown below, then click OK. If you are modifying a different report, select an appropriate parameter and input a default value that matches a value for that parameter.

[Screenshot: article31-7_0.png]

  5. Click Save to apply all changes (saving may take a couple of seconds).

[Screenshot: article31-8_0.png]

Reloading the Report

  1. In the Symantec Management Console, navigate to Reports > IT Analytics > Reports > IT Analytics Events > ITA Configuration Events (or the report you modified). Refresh the browser if necessary. You should notice the report loads much faster than before.
  2. Verify that the current day (in the From parameter) and the specific Type and Target are pre-selected with the values entered previously (or the appropriate values you entered if modifying a different report).

[Screenshot: article31-9_0.png]

  3. To adjust the parameter values, select different values as you normally would.

[Screenshot: article31-10_0.png]

 

Preventing IT Analytics Reports from Running Automatically


By default, reports and dashboards in IT Analytics (hosted by SQL Server Reporting Services) run automatically when selected. This behavior can be problematic in environments with very large amounts of data, resulting in increased load times or timeouts for certain reports. One option to prevent this is to modify a parameter within the report so that it does not execute automatically when clicked; that process is documented below.

To modify report parameters in more detail in order to load reports more efficiently, please see the article: Modifying IT Analytics Reports to Decrease Load Times.

  1. For the purposes of this example we will use the DLP Endpoint Incident Search report. Note that by default, the report runs with the Policy Name parameter value of 'All' pre-selected.

[Screenshot: article33-1_0.png]

  2. To change this report, open a browser on the server hosting SQL Server Reporting Services and go to: http://localhost/Reports.
  3. From within the IT Analytics folder, locate and hover over the DLP Endpoint Incident Search report (or the report you want to modify); to the right you will see a menu of options. Select Manage.

[Screenshot: article33-2_0.png]

  4. Once in the report management screen, select the Parameters section.

[Screenshot: article33-3_0.png]

  5. Uncheck the 'Has Default' box for the parameter on which you want to force users to select or enter a value. This ensures a user must select a value for that parameter before the report can execute. In this example we will use the Policy Name parameter. Then click Apply.

[Screenshot: article33-4_0.png]

  6. Return to the Symantec Management Console and load the report. You should notice that it no longer executes automatically but instead prompts for a parameter value. Once a value is selected, click View Report. Refresh the browser if necessary.

EDM Best Practice- multiple token source data, and handling of empty cells

Needs a solution

I am in the process of designing EDM indexes for customer data but have encountered a design issue relating to cells containing multiple tokens. I would greatly appreciate it if anyone could confirm:

1) how DLP handles empty cells (not entire columns, just cells) and if there is any performance impact resulting from this.

2) what the best practice or recommended approach is for creating EDM indexes for multi-token customer data

 

I know that EDM cannot match unstructured content against multiple-token index cells. Many customer names, however, have multiple first names and multiple surnames (the example in the DLP training materials is "Mary Jane" and "von Batten"). The two options, as far as I can see, are:

 

1. Remove part of the name, leaving only one token and excluding all others from the matching process, e.g. "Mary" or "Batten". The obvious downside to this is that you are excluding potentially key data.

2. Split the original name out into multiple cells, allowing matching to be performed against all parts of the name, utilizing EDM.SimpleTextProximityRadius to reduce false positives.

 

The second option here would work perfectly, provided the index file was created with enough columns to accommodate the longest customer name. This would, however, result in empty cells for any customers who have shorter names. For example:

Row 1:  Mary | Jane | von | batten | - all cells are filled with data.

Row 2: John | | | Smith |          - note the two empty cells here.

If anyone has encountered this issue themselves or has advice regarding best practice, I'd greatly appreciate your input.

Robin
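As an added illustration of the layout Robin describes in option 2 (this is not Symantec's EDM indexer, and it does not model how DLP itself treats empty cells), the following script builds a fixed-width, one-token-per-cell source file from a name list, placing given names from the left and the surname in the last column exactly as in the two rows above, and measures how many empty cells a given column count costs. The sample names are constructed; the `name_part` column headers and the whitespace-only tokenization are assumptions of this script.

```python
"""Lay out multi-token customer names as a fixed-width EDM-style index source.

Added illustration only: it produces the data shape described in option 2
(one token per cell, shorter names padded with empty cells) and reports the
padding cost, so the column-count decision can be made from the real list.
"""
import csv
import io
import re

# Constructed sample names; not real customer data.
SAMPLE_NAMES = [
    "Mary Jane von Batten",
    "John Smith",
    "Anna-Maria de la Cruz",
]


def tokenize(name):
    """Split a name on whitespace; hyphenated parts stay one token (an assumption)."""
    return [t for t in re.split(r"\s+", name.strip()) if t]


def layout_row(tokens, width):
    """Place tokens into `width` cells: given names from the left, the surname
    in the last cell, empty strings in between (the layout sketched in the post)."""
    if len(tokens) > width:
        raise ValueError("name has more tokens than the index has columns: %r" % tokens)
    if len(tokens) <= 1:
        return tokens + [""] * (width - len(tokens))
    head, surname = tokens[:-1], tokens[-1]
    return head + [""] * (width - len(tokens)) + [surname]


def build_index_rows(names, width=None):
    """Return (rows, width); width defaults to the longest name's token count."""
    token_lists = [tokenize(n) for n in names]
    if width is None:
        width = max(len(t) for t in token_lists)
    return [layout_row(t, width) for t in token_lists], width


def empty_cell_stats(rows):
    """Count total and empty cells so the padding cost of a width is visible."""
    total = sum(len(r) for r in rows)
    empty = sum(1 for r in rows for c in r if c == "")
    return {"total_cells": total, "empty_cells": empty,
            "empty_ratio": (empty / total) if total else 0.0}


def to_tab_delimited(rows, header_prefix="name_part"):
    """Serialize rows as a tab-delimited source file with generated column headers."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter="\t", lineterminator="\n")
    writer.writerow(["%s%d" % (header_prefix, i + 1) for i in range(len(rows[0]))])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows, width = build_index_rows(SAMPLE_NAMES)
    print("columns:", width)
    print(to_tab_delimited(rows))
    print(empty_cell_stats(rows))
```

Running the script on a real customer export shows the empty-cell ratio for the chosen width, which is the number to weigh against the indexing and matching behaviour you confirm with Symantec for empty cells.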

Endpoint Discover: Two full scans, very different results

Needs a solution

I am using Endpoint agent v12 to do DAR discovery for PCI data on one production PC.

  • One vanilla PCI DSS policy - No exceptions to the credit card number DI, Wide breadth, No optional validators, Count all unique matches (at least 1 match), Subject/Body/Attachments. No EDM or IDM.
  • The Discover Target does not contain any Include/Exclude filters for file types or location, nothing filtered by size or date, 'Only scan files added or modified since the last full scan' is unchecked and 'Make next scan a full scan' is greyed out. Scan idle timeout is 10 minutes and Max scan duration is 2 days.

A full scan of the PC is kicked off and takes 8 hours 10 minutes to complete, producing zero Incidents. Time required to scan is about half of what has been seen to scan the same (or similar) PC. Thinking that the scan time and results are a little too good to be true, another full scan is kicked off the following day. The second scan takes 13 hours 48 minutes to complete, producing 125 Incidents.

Looking at the statistics reports for each day, the items scanned and bytes scanned numbers are very close, but the items unprocessable numbers differ greatly:

  • On the day the scan completed in 8 hours, 53,677 items unprocessable
  • On the day the scan completed in 13 hours, 435 items unprocessable

At a high level, I'm looking at the difference between these numbers as the reason for the shorter scan time. Are there specific places in the agent logs that can help explain this?

Archiving incidents


1] Incident Archiving:

Incident archiving lets you flag specified incidents as "archived." Because these archived incidents are excluded from normal incident reporting, you can improve the reporting performance of your Symantec Data Loss Prevention deployment by archiving any incidents that are no longer relevant. The archived incidents remain in the database; they are not moved to another table, database, or other type of offline storage.

You can set filters on incident reports in the Enforce Server administration console to display only archived incidents or to display both archived and non-archived incidents. Using these reports, you can flag one or more incidents as archived by using the Archive options that are available when you select one or more incidents and click the Incident Actions button. The Archive options are:

i] Archive Incidents - Flags the selected incidents as archived.

ii] Restore Incidents - Restores the selected incidents to the non-archived state.

iii] Do Not Archive - Prevents the selected incidents from being archived.

iv] Allow Archive - Allows the selected incidents to be archived.

The archive state of an incident displays in the incident snapshot screen in the Enforce Server administration console. The History tab of the incident snapshot includes an entry for each time the Do Not Archive or Allow Archive flags are set for the incident.

Access to archiving functionality is controlled by roles. You can set the following user privileges on a role to control access:

i] Archive Incidents - Grants permission for a user to archive incidents.

ii] Restore Archive Incidents - Grants permission for a user to restore archived incidents.

iii] Remediate Incidents - Grants permission for a user to set the Do Not Archive or Allow Archive flags.

2] To archive incidents:

A] Open the Enforce Server administration console and navigate to an incident report.
B] Select the incidents you want to archive, either by selecting the incidents manually or by setting filters or advanced filters to return the set of incidents that you want to archive.
C] Click the Incident Actions button and select Archive > Archive Incidents. The selected incidents are archived.

 

3] Restoring archived incidents:

To restore archived incidents:

A] Open the Enforce Server administration console and navigate to an incident report.
B] Select the Advanced Filters & Summarization link.
C] Click the Add filter button.
D] Select Is Archived in the first drop-down list.
E] Select Show Archived from the second drop-down list.
F] Select the incidents you want to restore, either by selecting incidents manually or by setting filters or advanced filters to return the set of incidents you  want to restore.

The selected incidents are restored.

4] Preventing incidents from being archived:

You can prevent incidents from being archived using either an incident report or an incident snapshot.

To prevent incidents from being archived using an incident report:

A] Open the Enforce Server administration console and navigate to an incident report.
B] Select the incidents you want to prevent from being archived. You can select incidents manually or by setting filters or advanced filters to return the set of incidents you want to prevent from being archived.
C] Click the Incident Actions button and select Archive > Do Not Archive.
The selected incidents are prevented from being archived.

Note:  You can allow incidents to be archived that you have prevented from being archived by selecting the incidents and then selecting Archive > Allow Archive from the Incident Actions button.
 

To prevent an incident from being archived using the incident snapshot:

A] Open the Enforce Server administration console and navigate to an incident report.
B] Click on an incident to open the incident snapshot.
C] On the Key Info tab, in the Incident Details section, click Do Not Archive.

Note:  You can allow an incident to be archived that you have prevented from being archived by opening the incident snapshot and then clicking Allow Archive in the Incident Details section.

5] Deleting archived incidents:

To delete archived incidents:

A] Open the Enforce Server administration console and navigate to an incident report.
B] Click the Advanced Filters & Summarization link.
C] Click Add filter.
D] Select Is Archived in the first drop-down list.
E] Select Show Archived from the second drop-down list.
F] Select the incidents you want to delete. You can select the incidents manually or you can set filters or advanced filters that return the set of incidents you want to delete.
G] Click the Incident Actions button and select Delete incidents.
H] Select one of the following delete options:

i] Delete incident completely - Permanently deletes the incident(s) and all associated data (for example, any emails and attachments). Note that you cannot recover incidents that have been deleted.

ii] Retain incident, but delete message data - Retains the actual incident(s) but discards the Symantec Data Loss Prevention copy of the data that triggered the incident(s). You have the option of deleting only certain parts of the associated data; the rest of the data is preserved.

iii] Delete Original Message - Deletes the message content (for example, the email message or HTML post). This option applies only to Network incidents.

iv] Delete Attachments/Files - This option refers to files (for Endpoint and Discover incidents) or email or posting attachments (for Network incidents). The choices are All, which deletes all attachments, and Attachments with no violations, which deletes only those attachments in which Symantec Data Loss Prevention found no matches. Choose the latter, for example, when you have incidents with individual files taken from a compressed file (Endpoint and Discover incidents) or several email attachments (Network incidents).

I] Click the Delete button.

Incorporate quarantine Emails for Exchange


Hi Symantec,

Incorporate the following features in DLP Discover.

1. Option to quarantine Emails from Exchange Mailboxes by individual Email items with Response rules.

agent not reporting after Endpoint detection server services restarted

Needs a solution

hi All,

 

The agent is not reporting after the Endpoint detection server services were restarted; the attached file is an exported log.

How to resolve this issue?

thanks


Data Loss Prevention (Vontu) support for SharePoint 2013

Needs a solution

Any ideas or a published roadmap for the support of Symantec DLP for SharePoint 2013?

We are looking for an enhanced feature that allows DLP Prevent/Protect functionality with the SharePoint 2013 Web API, to empower customers to block and prevent data from reaching the SharePoint space.


SMA & DLP Agent Integration Behavior


This document describes the various scenarios you can encounter when deploying the Symantec Management Agent or the Symantec DLP Agent in your environment when both agents may be present.

Recently we had an issue which resulted in millions of bad events being produced on our Altiris servers because of the automatic integration & registration of the 2 agents. Because we were not using the DLP IC we had to figure out a way to stop the integration from occurring and prevent the DLP Agent info events from being generated during a Basic Inventory from the SMA.

Because of this integration, we had to perform Scenario 1 & 3 to properly split the 2 agents and prevent DLP events from being sent to our Altiris servers.

Symantec Ideas


Do you have an enhancement request that would make Symantec Data Loss Prevention better or would improve the usability of the product?

If you are not aware, Symantec Connect has an ideas portal for submitting and tracking enhancement requests.  Once your idea has been submitted, other community members can add comments and vote on it.  The most popular ideas move to the top where they are reviewed by Symantec Product Managers.  Look here for a quick demo of how ideas works.

Links: 

Curtis Carroll
Symantec DLP Product Manager

The Symantec DLP Knowledgebase


As a Symantec Data Loss Prevention (DLP) customer, you have access to thousands of DLP technical solutions contained within the Symantec DLP Knowledgebase.

To get to the Knowledgebase, go to: https://kb-vontu.altiris.com or select a specific Vontu/Symantec product from our support page at: http://www.symantec.com/business/support/all_produ...

and click the Knowledgebase button located on the upper right-hand side of the page.

If you do not have an account click on the “New User? Request Access Link”

Note: You must be a DLP customer to gain access to the knowledgebase.

An added benefit to the Knowledgebase is the ability to sign up for alerts regarding New Hotfixes/New Release Notifications, and other important technical information that is sent from the Knowledgebase. In order to keep informed of these important bulletins, you must subscribe to email notifications through the Knowledgebase System. To subscribe, once you are in the Knowledgebase System, click on the plus+ sign next to Vontu on the left hand side of the screen to expand the category. Then click on the Bulletins category and then the subscribe/unsubscribe button in the main window. Clicking at the Bulletins level will sign you up for all of the bulletins, and ensure you receive all alerts should additional bulletin categories be created.

credit card Diners and Amex (issue)

Needs a solution

The product is DLP.

The problem is:
  - Diners and Amex credit cards are being detected by the Credit Card policy and by the CNPJ policy (detection of Diners and Amex cards by the Credit Card policy is correct).
  - CNPJ numbers of 13 and 14 digits are being detected in the Credit Card policy as well as in the CNPJ policy (which is correct in the CNPJ policy).

What we did: We added the 13- and 14-digit identifier data as an exception in the Credit Card policy.
  Result: CNPJ is no longer detected in the Credit Card policy, but credit cards are also no longer detected.

Does someone have a specific data identifier for Amex and Diners cards?

 

Thank you so much!!


Does Symantec DLP 12 support Oracle installed on VMWare?

Needs a solution

 

Hi Everyone,

Good day.

May I know, does Symantec DLP 12 support Oracle installed on VMware?

What would be the pros and cons, and the impact on the environment?

 

thanks,

 

 


Need a Data identifier specific for Credit Cards Diners and another specific for Credit Cards Amex

Needs a solution

Hi my friends,

Could you help me?

I need a data identifier specific for Diners credit cards and another specific for Amex credit cards.

I need that because the default rule of DLP does not see those in my environment.

Thank you so much!!

Lopes~
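Both of the Diners/Amex posts above run into the same issue: a blanket exception on 13- and 14-digit numbers removes the cards along with the CNPJ numbers. As an added example (not a Symantec DLP data identifier definition, and not the poster's code), the script below shows the checks a custom identifier would have to encode so the two number types stay apart: brand prefix plus length plus the Luhn check for the cards, and the CNPJ mod-11 check digits for the tax IDs. The brand rules it uses are stated as assumptions: Amex is 15 digits starting 34 or 37; Diners is 14 digits starting 36, 38 or 300 to 305; a 13-digit candidate is treated as a CNPJ whose leading zero was dropped. The sample text is constructed from the public test card numbers of each brand and a commonly cited valid CNPJ.

```python
"""Distinguishing Amex and Diners card numbers from Brazilian CNPJ numbers.

Added example: the validation logic a custom data identifier would need, so
card numbers are matched while validly formed CNPJ numbers are not, without
excluding every 13/14-digit number. Brand and CNPJ rules are assumptions of
this script, documented in the lead-in.
"""
import re

SEPARATORS = re.compile(r"[\s.\-/]")
AMEX = re.compile(r"^3[47]\d{13}$")                       # 15 digits, 34 or 37
DINERS = re.compile(r"^(?:30[0-5]\d{11}|3[68]\d{12})$")   # 14 digits, 300-305, 36, 38
# Candidate: a run of digits with optional space/dot/dash/slash separators.
CANDIDATE = re.compile(r"\d[\d .\-/]{11,20}\d")


def digits_only(text):
    """Strip the separators people type inside card and CNPJ numbers."""
    return SEPARATORS.sub("", text)


def luhn_ok(num):
    """Standard Luhn mod-10 check used by payment card numbers."""
    if not num.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(num)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def cnpj_ok(num):
    """CNPJ validity: 14 digits whose last two are mod-11 check digits."""
    if len(num) == 13:          # assumption: a leading zero was dropped
        num = "0" + num
    if len(num) != 14 or not num.isdigit() or len(set(num)) == 1:
        return False

    def check_digit(digits, weights):
        remainder = sum(int(d) * w for d, w in zip(digits, weights)) % 11
        return "0" if remainder < 2 else str(11 - remainder)

    w1 = [5, 4, 3, 2, 9, 8, 7, 6, 5, 4, 3, 2]
    w2 = [6] + w1
    d1 = check_digit(num[:12], w1)
    d2 = check_digit(num[:12] + d1, w2)
    return num[12:] == d1 + d2


def classify(num):
    """Return 'amex', 'diners', 'cnpj', or None for a digit string."""
    if AMEX.match(num) and luhn_ok(num):
        return "amex"
    if DINERS.match(num) and luhn_ok(num):
        return "diners"
    if cnpj_ok(num):
        return "cnpj"
    return None


def scan(text):
    """Find number-like runs in free text and label each one."""
    results = []
    for m in CANDIDATE.finditer(text):
        num = digits_only(m.group())
        results.append((num, classify(num)))
    return results


# Constructed sample: public test numbers for each card brand, a commonly cited
# valid CNPJ, and one run of digits that is neither.
SAMPLE_TEXT = ("Cartao Amex 3782 822463 10005; CNPJ 11.222.333/0001-81; "
               "Diners 3056 930902 5904; ref 1234567890123")

if __name__ == "__main__":
    for num, label in scan(SAMPLE_TEXT):
        print(num, "->", label)
```

The point for the policy: the CNPJ exception should be a validated-CNPJ check rather than "any 13- or 14-digit number", and the card identifier should require the brand prefix, the brand length and a passing Luhn check, so a 14-digit CNPJ cannot satisfy the card rule and a Diners number cannot satisfy the CNPJ rule.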

Important update of the Symantec Knowledgebase for DLP and Data Insight customers

The Knowledgebase has moved to a new location

The following important changes are being made to the Symantec Data Loss Prevention (DLP) and Data Insight (DI) Knowledgebase.

The content for both products is moving to a new location, to the same Technical Support Knowledge Base for other Symantec products.

Please note, for Data Loss Prevention customers:

  • Unlike the previous knowledgebase, best practice within the new KB recommends using the product selector to identify the Symantec product during the search. At the time of the migration, no option to select the family of all Data Loss Prevention products was available, only options for specific DLP servers, e.g., Data Loss Prevention Network Monitor. Symantec is working to get this corrected.
  • To allow the Knowledge Base to be searched for all DLP products, use the following URL in order to "pre-load" the Data Loss Prevention family of products:

http://www.symantec.com/business/support/index?page=home&productselectorkey=56544

Your search page will then include DLP Family in the product selector field, and will search among the newly indexed technotes for your solution.

If you have any questions or need more information, please contact Symantec Technical Support at http://www.symantec.com/business/support/contact_techsupp_npid.jsp

Thank You,

Symantec DLP Technical Support

http://www.symantec.com/data-protection | 1.800.342.0652

Dameware, MS SQL, and DLP issue

Needs a solution

Hello,

The client receives a Confidential Data Detected warning when copying query results from MS SQL Studio.

The client states this happens multiple times while working on copying the query results. The data appears to be PHI.

I Dameware into the workstation.

Pressed OK on the window, attempted another query, copied the data, and the window is not popping up currently.

Disconnected from Dameware, had the client run another query and copy the data. The warning did not come up.

Restarted SQL Management Studio and ran a new query, and the warning came up again.

What gives? 

It appears that the endpoint agent is working as it should.

This is how I think the EPA works:

Every time you make a copy, you are making a copy of new data. Therefore, a new incident is created.

The endpoint agent works on the data…the information, not the activity.

Every piece of new data is considered a new action, even if you are engaging in the same activity as the one you just ok’d.

Am I wrong about how the Endpoint agent works?

Why does it work fine when I dameware into the system?

Why does it revert back to throwing pop-ups when I restart SQL Management Studio?

Has anyone else come across something like this?

Any help you can provide would be greatly appreciated.

Thanks!
