Channel: Symantec Connect: Data Loss Prevention (Vontu) Customer Group

Who has ideas for the upcoming DLP Symantec Certified Specialist (SCS) exam?

I do not need a solution (information sharing only)

The Symantec Education Services team is beginning development of the new DLP 14.5 SCS exam. We invite you to participate in the development of the exam by submitting real world scenarios and questions that you think would be great on our certification exam! 

A few rules: 

  1. No True/False questions 
  2. Avoid the use of "All of the above" or "None of the above" answer options
  3. Questions should test meaningful content 

SCS exams are being enhanced with the inclusion of advanced question types that measure outcomes. If you draft ideas / questions, please avoid questions that measure basic knowledge of features and functions. Rather, we seek questions that require problem solving skills and measure real-world use cases. If you think you have great ideas for questions about Data Loss Prevention, email Orlando_Martinez@Symantec.com to see the draft exam objectives and offer ideas / questions & answers that you would like to see on the DLP 14.5 SCS exam. 

Please note: By submitting 20 or more quality items that make it to our final exam, you are choosing to opt-in to being listed as a contributor on the study guide. You can opt-out at any time by contacting us through this post or by emailing Orlando_Martinez@Symantec.com or Global_Exams@Symantec.com

Thank you for your interest in the Symantec Certification Program!

Train. Certify. Succeed! 

http://go.symantec.com/certification


Dameware, MS SQL, and DLP issue

I need a solution

Hello,

Client receives a Confidential Data Detected warning when copying query results from MS SQL Studio.

Client states this happens multiple times while copying the query results. The data appears to be PHI.

I Dameware into the workstation.

Pressed OK on the window, attempted another query, copied data, and the window is not popping up currently.

Disconnected from Dameware, had the client run another query and copy the data. Warning did not come up.

Restarted SQL Management Studio and ran a new query, and the warning came up again.

What gives? 

It appears that the endpoint agent is working as it should.

This is how I think the EPA works:

Every time you make a copy, you are making a copy of new data. Therefore, a new incident is created.

The endpoint agent works on the data…the information, not the activity.

Every piece of new data is considered a new action, even if you are engaging in the same activity as the one you just ok’d.

Am I wrong about how the Endpoint agent works?

Why does it work fine when I Dameware into the system?

Why does it revert back to throwing pop-ups when I restart SQL Management Studio?

Has anyone else come across something like this?

Any help you can provide would be greatly appreciated.

Thanks!

Maximum Exception Count

I need a solution

Hi All,

Can anyone please tell me how many exceptions I can add to a policy? In my case, DLP crashes if there are more than 14 exceptions in a policy. Is there any solution for this?

Regards,

Tejas

[SDCS] How can I do something like system lockdown?

I need a solution

I need trusted processes to be able to run and call sub-processes.

Other processes can be denied.

I set the policy content below...

[Screenshots: 180px_SDCS-01.png, 180px_SDCS-02.png]

I can deny non-trusted processes, but can't allow a trusted process to call a sub-process.

Such as:

cmd.exe is a trusted updaters process.

cmd.exe calling putty.exe can't be run.

The log is deny_ps.

What can I do?

Thanks

Vontu Endpoint DLP 12.1 Application Monitoring - Add wildcard application?

I need a solution

I've been attempting to write a 'catch all' for any EXE which I can apply to a policy for testing.   I've attempted the following strings, under both Binary name and Original File Name.    This is for the Endpoint Agent.

*\.exe

*.exe

Information Security Summit - 2014

Location: Cleveland, Ohio (LaCentre in Westlake, Ohio)
Time: Thu, 30 October, 2014 - 7:30 EDT - Fri, 31 October, 2014 - 16:00 EDT

 

INFORMATION SECURITY SUMMIT 2014 (Cleveland Ohio)

SPECIAL $75 OFF DISCOUNT CODE FOR CLEVELAND SECURITY & COMPLIANCE USER GROUP MEMBERS! 

CODE:  CSCUGISS

Symantec is sponsoring the 2014 Information Security Summit featuring two days of information security presentations, focused sessions, and hands-on workshops. Pre-conference training is available and will be held on October 27-29 with the conference taking place on October 30 – 31, 2014 at LaCentre in Westlake, Ohio.

Click HERE to see our current Brochure.
For more information click here!

  • To access the agenda from the web, go to:  GUIDEBOOK FOR THE WEB
  • To download the mobile app to your phone go to: GUIDEBOOK FOR YOUR PHONE

    EVENT REGISTRATION IS OPEN!
     

  • Conference Registration - Attendees can register HERE
  • Pre-Conference Training– Attendees can register HERE
  • Click Here for Conference Location Information.
  • Click Here for Suggested Hotel Information.

We Hope To See You At The Summit!

IT Analytics for Data Loss Prevention - Custom Attribute Utility


IT Analytics DLP pack offers several predefined cubes out-of-the-box.  As part of the DLP pack, the custom attribute name and custom attribute value dimension are included.  These two dimensions contain data for custom attributes defined within DLP, however they need to be used hand-in-hand for the data in the cubes to make any sense.  For users who leverage custom attributes in DLP, there is a method by which this data can be added to IT Analytics as custom dimension attributes to make browsing the cube using particular custom attributes easier. This involves the download and installation of the IT Analytics DLP Custom Attribute Utility (.zip file attached to this article) and a simple configuration to add custom attributes as a dimension to the cubes.

This utility is provided as an optional configuration to IT Analytics and is separate from the Symantec Management Platform so that it can be updated on an as-needed basis. Any issues and requested enhancements to the utility should be sent directly to the author. In the event of future upgrades to subsequent versions of the Symantec Management Platform, this utility will need to be run again to include any custom attributes previously added to the default set of cubes.

NOTES: After adding or removing DLP custom attributes, affected cubes will require processing. 

Adding new DLP connections after custom attributes have been added using the DLP Custom Attribute utility will invalidate the DLP cubes.  To remediate, re-run the DLP Custom Attribute Utility to remove and add the custom attributes.

UPDATE (5/15/15): Please make sure you select the proper download for your version of the Symantec Management Platform:

  • SMP 7.5 (and below) -> ITAnalyticsDLPCustomAttributeUtility_v75.zip
  • SMP 7.6 -> ITAnalyticsDLPCustomAttributeUtility_v76.zip

To successfully install and use the IT Analytics DLP Custom Attribute Utility the following prerequisites must be met:

  • .NET Framework 4.0
  • Must be run on the machine hosting the Symantec Management Platform
  • db_owner access to Symantec CMDB database
  • Administrator access to the IT Analytics Analysis Services database
  • Be a member of the Symantec Administrators role in the Symantec Management Platform

Installing the IT Analytics DLP Custom Attribute Utility

  1. Download the DLPCustomAttributeUtility.msi file attached to this article.
  2. Extract and open the DLPCustomAttributeUtility.msi file.
  3. The IT Analytics DLP Custom Attribute Utility Setup Wizard screen will be displayed. Click Next to continue.
  4. Select the installation folder for the IT Analytics DLP Custom Attribute Utility and decide whether or not the utility can be accessed by other users on the computer, then click Next.
  5. Click Next to confirm installation and install the IT Analytics DLP Custom Attribute Utility.
  6. Click Close to finish the installation.

 

Adding a DLP Custom Attribute as a Dimension to the Cubes

  1. Launch the IT Analytics DLP Custom Attribute Utility by navigating to Start > All Programs > Bay Dynamics > IT Analytics DLP Custom Attribute Utility > DLP Custom Attribute Utility.
  2. Wait for the IT Analytics DLP Custom Attribute Utility to initialize.
  3. Select Add Custom Attribute to launch the Add DLP Custom Attribute Wizard.
  4. Wait for the Add DLP Custom Attribute Wizard to load the available custom attributes.
  5. Select one or more Custom Attributes to add and click Next (hold down the CTRL key to select more than one attribute).
  6. Verify the information is correct on the Summary screen and click Next to add the selected attribute(s).
  7. Wait for the utility to finish adding the custom attribute.
  8. Click Finish to close the Add DLP Custom Attribute Wizard.
  9. After you have finished adding dimensions, you must reprocess the modified cubes for the changes to take effect. From the Symantec Management Console, navigate to: Settings > Notification Server > IT Analytics Settings > Processing to reprocess cubes.
  10. Open the modified cube by going to Reports > All Reports > IT Analytics > Cubes. In the Pivot Table Field List you should see the new dimension that was just added.
  11. You can now use this dimension when creating pivot table views, the same way you use any other default dimension.

Removing Custom Attribute Dimension(s) from the Cubes

  1. Launch the Custom Attribute Utility by navigating to Start > All Programs > Bay Dynamics > IT Analytics DLP Custom Attribute Utility > DLP Custom Attribute Utility.
  2. Wait for the DLP Custom Attribute Utility to initialize.
  3. Select Remove Custom Attributes to launch the Remove DLP Custom Attribute Wizard.
  4. Select the custom attribute(s) you want to remove the dimension from and click Next (hold down the CTRL key to select more than one attribute).
  5. Verify the information is correct on the Summary screen and click Next.
  6. Wait for the custom attribute(s) to be removed.
  7. Click Finish to close the Remove DLP Custom Attribute Wizard.
  8. After you have finished removing dimensions, you must reprocess the modified cubes for the changes to take effect. From the Symantec Management Console, navigate to: Settings > Notification Server > IT Analytics Settings > Processing to reprocess cubes.

SMG/DLP integration not working when trying to resend a message that generated an incident when first sent

I need a solution

Working with a customer to install SMG and Prevent for Email 11.6 using the DLP Connect feature that comes with SMG 10.5. The mail flow is as follows:

GMAIL > SMG > DLP (Reflective mode) > SMG > GMAIL.

Two response rules have been created and associated to a DLP test policy:

If high:  Add header x-block; SMG action: delete message

If medium or Low: Add header x-encrypt; SMG action: redirect to encryption gateway

Send notification to sender on either action

The customer's objective is to route email back on premise to inspect content before it goes out of Gmail.

Integration works as expected the first time an email is sent; an incident is generated and actions are taken accordingly. When we tried resending the same message (going to the sent folder and forwarding the message), the incident is not generated and the message is delivered by SMG to the final destination.

After going through the logs with support we discovered the following header in the Prevent for Email server RequestProcessor0.log:

INFO: (SMTP_CONNECTION.1201) Connection accepted (tid=2c cid=1 local=PE server remote=x.x.x.x:50934)
Jan 29, 2015 9:45:50 AM com.vontu.mta.rp.ESMTPRequestProcessorThread connectNextHop
INFO: (SMTP_CONNECTION.1203) Forward connection established (tid=2c cid=2 local=PE server:1644 remote=x.x.x.x:25)
Jan 29, 2015 9:45:50 AM com.vontu.mta.rp.RequestProcessorHandler handleLine
FINER: RPT(2c)|S: EHLO Bypass_loop_detection

That EHLO Bypass_loop_detection is the only thing that I see different from a regular email that generates an incident, but I need to identify where this is coming from. I don't think the problem is with DLP since the policy works every time a new email is sent. But there seems to be a condition somewhere to bypass DLP when the message is being resent (my working theory).

About to test two things to troubleshoot this scenario:

1. Disabling the SMG option to bypass DLP when it is not available, since this is the only place I can see that a bypass function could be triggered.

2. Currently the 2 Prevent servers connected to SMG are using the same metric (they both are 1). This is supposed to provide load balancing capabilities, but I am wondering if I could be running into a bug with this.

3. About to run the SMG finer logs to try to identify the source of the bypass_Loop_detection command.

We also have Gmail investigating on their end.

Any feedback will be greatly appreciated.

-Leo


Smart Response Rules - block edit attribute value

I need a solution

Hi,

I've been searching for an option that allows me to restrict editing attribute values when running smart response rules.

Example:

All: Set Attribute

Attribute - Resolution

Value - Dismissed

I would like to know if there is a chance to block the value content without configuring "special" roles for this (when running RR). Therefore, it would be possible to configure this value only when we configure the response rule.

BR.


Need help to create a .bat or cmd script that check edpa service

I need a solution

Hi Everyone,

Could you guys help me? I need help to create a .bat or cmd script that:

1. check if the service is running edpa.exe
2. if so, does not install the agent
3. if not, run the agent installation script

The purpose is to add this to a logon script on the machines.

Has anybody already made one, or knows how to write it?

Thank you so much!

Best Regards!


DLP Endpoint Agent Configuration - Difference between Monitoring Web Channel and Application Monitoring Network Access

I need a solution

I'm looking to understand what settings are required to perform HTTP monitoring? 

As I understand, in the Agent Configuration, Agent Monitoring tab the "Web" channel checkbox for "HTTP" must be checked.

Assuming that is correct, what, if any, impact do the Application Monitoring settings have on what is and isn't detected with HTTP? For example, within Application Monitoring there is the option for "Network Access" to be checked. Microsoft IE is listed and "Network Access" is checked, however Chrome is not listed. Yet, in our environment we see HTTP incidents from both IE and Chrome. So my question is: does checking "Network Access" for Application Monitoring have an impact on HTTP monitoring?

Neither the help nor the admin guide is clear, and it doesn't seem necessary because Chrome incidents are detected despite Chrome not being registered in Application Monitoring.

Any help would be appreciated.


IT Analytics Server v2.1 Install


In this video, we demonstrate how to install the new standalone IT Analytics Server v2.1 with the Symantec Data Loss Prevention content pack.


IT Analytics Server 2.1 Cube Browser for Symantec Data Loss Prevention Users


Bay Dynamics recently announced the availability of the standalone IT Analytics Server 2.1, which includes an enhanced web based cube browser. This video walks you through how as an existing Symantec customer, you can leverage IT Analytics Server to visualize your cube data and take advantage of its benefits.


How to manage DB crypto key on multiple enforce server?

I need a solution

Currently I have an Enforce server ver 11.6 (E-A) and DB 10.2.0.5 (D-A), which are outdated in H/W & OS and hosted in location A.

We have upgraded hardware available at location B, so the plan is to upgrade the Enforce server to ver 12.0 (E-B) and the DB to ver 11.2.0.3 (D-B) at location B.

Considering resource availability, I need to plan reallocation of services and the application upgrade on the new platform (in terms of OS).

Below are the activity phases. Please suggest if I can plan this in a better way.

Phases:

  1. Current setup. (E-A ---> D-A)
  2. Build a parallel enforce server ver 11.6 on location B, on new H/W & OS. (E-B---> will setup with 11.6 ver.)
  3. Establish DB connection between enforce server ver 11.6 on location B and DB 10.2.0.5 on location A. (E-A & E-B on 11.6 -->D-A) this will be over the WAN connection.
  4. Change the Enforce settings on all detection server from location A to Location B.
  5. Migrate DB from location A (10.2.0.5) to  location B DB (11.2.0.3) server.
  6. Change the DB settings on enforce server ver 11.6 hosted on location B and point it to location B DB (11.2.0.3) server.
  7. Upgrade location B enforce server from ver 11.6 to 12.0.

Queries:

  1. For phase 2: A parallel DB connection needs to be created between the location A DB server and two Enforce servers (hosted in location A and B), so can I use the location A Enforce server ver 11.6 crypto key on the location B server? Because creating a new crypto key for the location B Enforce server will create a new DB, however I need to create multiple connections from a single DB.
  2. Phase 3: How feasible is it to point the Vontu application to the DB over WAN/MPLS connectivity?
  3. For phase 4: To avoid any downtime in this phase, I am planning to add two Enforce servers in all detection servers. Is that feasible?

Thanks.


Email Drop Issue at Email Prevent.

I need a solution

Hi All,

Need help to understand the cause of this issue.

I am getting a connection drop of about 2-3% at the mail traffic Prevent servers. TLS is enabled on all Email Prevent servers, but I am not sure about the MTA.

When I checked the Wireshark capture of the Prevent servers, I can see the data transaction after EHLO, and I get a 421 connection refused error after the data exchange.

Downward MTA --> Load Balancer --> VIP of 6 Email prevent  --> Load Balancer -->Upward MTA--> Exchange

##########################Example of 5204###############################################

Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.ESMTPPeer close

INFO: (SMTP_CONNECTION.1204) Forward connection closed (tid=24 cid=22,521 local=192.168.11.78:2961 remote=192.168.10.124:25)

Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.RequestProcessorHandler handleLine

FINER: RPT(25)|R: 250 2.0.0 Ok

Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.ESMTPPeer close

INFO: (SMTP_CONNECTION.1205) Service connection closed (tid=24 cid=22,516 local=192.168.11.78:25 remote=192.168.10.123:7706 messages=26 time=11.08s)

Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.RequestProcessorHandler handleLine

FINER: RPT(25)|S: MAIL FROM:<> SIZE=14569

Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.RequestProcessorHandler handleLine

FINER: RPT(25)|S: RCPT TO:<w@rcpt.com> ORCPT=rfc822;w@rcpt.com

Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.RequestProcessorHandler handleLine

FINER: RPT(25)|S: DATA

Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.ESMTPRequestProcessorThread _handlePeerDisconnect

SEVERE: (SMTP_CONNECTION.5204) Peer disconnected unexpectedly (tid=24 cid=22,516 local=<> remote=<> reason=End of stream)

Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.ESMTPRequestProcessorThread run

INFO: RPT(24) Waiting for new connection

Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.RequestProcessorHandler handleLine

FINER: RPT(25)|R: 250 2.1.0 Ok

Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.RequestProcessorHandler handleLine

FINER: RPT(25)|R: 250 2.1.5 Ok

Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.RequestProcessorHandler handleLine

FINER: RPT(25)|R: 354 End data with <CR><LF>.<CR><LF>

################################# Example of 5202#########################################################################

Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPRequestProcessorThread messageCommitted

INFO: (SMTP_MESSAGE.1300) Message complete (tid=24 cid=22,452 message_id=<13494681262a4bb9ers4aab3d59b18c9a@CY1PR64MB0092.021d.mgd.msft.net> dlp_id=155fd744b8d size=13,772 sender=<za@sender.com> recipient_count=2 disposition=PASS code=250 estatus=<> text=<2.0.0 Ok: queued as 69C1320114> rtime=0.02s dtime=0.02s mtime=0.03s)

Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPRequestProcessorThread messageComplete

FINE: RPT(24): message complete .. RECEIVING -> COMPLETE

Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.RequestProcessorHandler handleLine

FINER: RPT(24)|R: 221 2.0.0 Bye

Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPRequestProcessorThread _handlePeerDisconnect

INFO: (SMTP_CONNECTION.1202) Peer disconnected (tid=24 cid=22,453 local=192.168.11.78:8148 remote=192.168.10.124:25)

Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPPeer close

INFO: (SMTP_CONNECTION.1204) Forward connection closed (tid=24 cid=22,453 local=192.168.11.78:8148 remote=192.168.10.124:25)

Jul 19, 2016 9:08:40 AM com.vontu.logging.operational.api.PropertyFileOperationalLogWriter generateLogMessage

WARNING: Argument number mismatch for key SMTP_CONNECTION.5202: layout requires 5 args, but was passed 4

Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPRequestProcessorThread _handleIOException

INFO: (SMTP_CONNECTION.5202) Sender connection error (tid=24 cid=22,452 local=192.168.10.123:50092 remote=An existing connection was forcibly closed by the remote host reason={4})

Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPRequestProcessorThread _handleIOException

WARNING: RPT(24): Handling  servicing  op IOException on RPT(24)[22452|S:[/192.168.11.78:25 -> /192.168.10.123:50092] with peer RPT(24)[22453|R:[{- UNCONNECTED -}] as disconnect.

Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPRequestProcessorThread _handlePeerDisconnect

INFO: (SMTP_CONNECTION.1202) Peer disconnected (tid=24 cid=22,452 local=192.168.11.78:25 remote=192.168.10.123:50092)

Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPPeer close

INFO: (SMTP_CONNECTION.1205) Service connection closed (tid=24 cid=22,452 local=192.168.11.78:25 remote=192.168.10.123:50092 messages=1 time=0.03s)

Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPRequestProcessorThread run

INFO: RPT(24) Waiting for new connection

Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.RequestProcessorHandler handleLine

FINER: RPT(26)|S: RSET

======================================================================

Thanks / Bhupesh
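
The log layout in the excerpts above (and in the RequestProcessor0.log excerpt of the SMG/DLP post earlier on this page) can be tallied per connection id instead of read by eye. The Python below is an added example, not code from either post or from Symantec; it assumes only the line layout and event codes visible in those excerpts, and the sample log is constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the excerpts above: a timestamp/class/method
# line, then "LEVEL: message". Host names and addresses are placeholders.
SAMPLE_LOG = """\
Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPRequestProcessorThread run
INFO: (SMTP_CONNECTION.1201) Connection accepted (tid=24 cid=1,101 local=192.0.2.10:25 remote=192.0.2.20:50092)
Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.RequestProcessorHandler handleLine
FINER: RPT(24)|S: EHLO mta1.example.test
Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPRequestProcessorThread messageCommitted
INFO: (SMTP_MESSAGE.1300) Message complete (tid=24 cid=1,101 size=13,772 disposition=PASS code=250)
Jul 19, 2016 9:08:40 AM com.vontu.logging.operational.api.PropertyFileOperationalLogWriter generateLogMessage
WARNING: Argument number mismatch for key SMTP_CONNECTION.5202: layout requires 5 args, but was passed 4
Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPRequestProcessorThread _handleIOException
INFO: (SMTP_CONNECTION.5202) Sender connection error (tid=24 cid=1,101 local=192.0.2.20:50092 remote=closed by the remote host reason={4})

Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.ESMTPRequestProcessorThread run
INFO: (SMTP_CONNECTION.1201) Connection accepted (tid=25 cid=1,103 local=192.0.2.10:25 remote=192.0.2.20:7706)
Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.ESMTPRequestProcessorThread _handlePeerDisconnect
SEVERE: (SMTP_CONNECTION.5204) Peer disconnected unexpectedly (tid=25 cid=1,103 local=<> remote=<> reason=End of stream)
Jul 19, 2016 9:13:31 AM com.vontu.mta.rp.ESMTPRequestProcessorThread connectNextHop
INFO: (SMTP_CONNECTION.1203) Forward connection established (tid=26 cid=1,104 local=192.0.2.10:1644 remote=192.0.2.30:25)
Jul 19, 2016 9:13:31 AM com.vontu.mta.rp.RequestProcessorHandler handleLine
FINER: RPT(26)|S: EHLO Bypass_loop_detection
Jul 19, 2016 9:13:32 AM com.vontu.mta.rp.ESMTPRequestProcessorThread run
INFO: (SMTP_CONNECTION.1201) Connection accepted (tid=27 cid=1,105 local=192.0.2.10:25 remote=192.0.2.20:7710)
Jul 19, 2016 9:13:32 AM com.vontu.mta.rp.ESMTPRequestProcessorThread messageCommitted
INFO: (SMTP_MESSAGE.1300) Message complete (tid=27 cid=1,105 size=2,048 disposition=PASS code=250)
Jul 19, 2016 9:13:32 AM com.vontu.mta.rp.ESMTPPeer close
INFO: (SMTP_CONNECTION.1205) Service connection closed (tid=27 cid=1,105 local=192.0.2.10:25 remote=192.0.2.20:7710 messages=1 time=0.03s)
"""

HEADER = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\S+) (\S+)$")
MESSAGE = re.compile(r"^(SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST): (.*)$")
EVENT = re.compile(r"\((SMTP_[A-Z]+\.\d+)\)")       # code in parentheses, e.g. (SMTP_CONNECTION.5204)
CID = re.compile(r"\bcid=([\d,]+)")                 # connection id, written with a thousands separator
TRACE = re.compile(r"RPT\((\w+)\)\|([SR]): (.*)$")  # protocol trace line
# The two codes the Email Prevent post asks about.
ABNORMAL = {"SMTP_CONNECTION.5202", "SMTP_CONNECTION.5204"}


def parse_records(text):
    """Pair each timestamp/class header with the 'LEVEL: message' line after it."""
    records, header = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue  # one excerpt has blank lines between entries, the other does not
        h = HEADER.match(line)
        if h:
            header = h.groups()
            continue
        m = MESSAGE.match(line)
        if m and header:
            records.append({"ts": header[0], "cls": header[1], "method": header[2],
                            "level": m.group(1), "msg": m.group(2)})
            header = None
    return records


def summarize(records):
    """Count event codes, group them per cid, and flag abnormal disconnects."""
    events, by_cid, ehlo = Counter(), defaultdict(list), Counter()
    for r in records:
        ev = EVENT.search(r["msg"])
        if ev:
            events[ev.group(1)] += 1
            cid = CID.search(r["msg"])
            if cid:
                by_cid[cid.group(1).replace(",", "")].append(ev.group(1))
            continue
        tr = TRACE.search(r["msg"])
        if tr and tr.group(2) == "S" and tr.group(3).upper().startswith(("EHLO ", "HELO ")):
            ehlo[tr.group(3).split(None, 1)[1]] += 1  # greeting name, e.g. Bypass_loop_detection
    service = {c for c, codes in by_cid.items()
               if {"SMTP_CONNECTION.1201", "SMTP_CONNECTION.1205"} & set(codes)}
    abnormal = {}
    for cid, codes in by_cid.items():
        errs = [c for c in codes if c in ABNORMAL]
        if errs:
            # Was a message already committed on this cid before the first error?
            done = "SMTP_MESSAGE.1300" in codes[:codes.index(errs[0])]
            abnormal[cid] = {"codes": errs, "after_message_complete": done}
    rate = len(set(abnormal) & service) / len(service) if service else 0.0
    return {"events": events, "abnormal": abnormal, "ehlo": ehlo,
            "service_connections": len(service), "abnormal_rate": rate}
```

Calling `summarize(parse_records(text))` on a real log separates disconnects logged after a `Message complete` entry on the same cid from those logged with no completed message, and lists every EHLO name seen in the trace lines.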


Tri-State DLP User Group meeting - Sept. 14, 2016

Location: Great American Insurance (Dixie Terminal), 49 E. 4th St. (at Walnut St.), Cincinnati, OH 45202
Time: Wed, 14 September, 2016 - 14:00 - 17:30 EDT

Please join us for the next Tri-State Data Loss Prevention User Group meeting on Wednesday, Sept. 14 from 2:00 pm to 5:30 pm at Great American Insurance (Dixie Terminal) in Cincinnati.

Lunch will be served!

Agenda

  • 2:00 – 2:30  Welcome and Introductions
  • 2:30 – 3:30  Symantec Product Overview: James Kelly – “DLP 14.5 release, what’s coming in 14.6 + other DLP updates”
  • 3:30 – 4:30  Customer Presentation: Brandon Baker, LGE-KU – “DLP: Non-traditional use cases”
  • 4:30 – 5:00  Customer Roundtable Discussion
  • 5:00 – 5:30 Conclusion, Feedback, and Prizes!

5:30 – Happy Hour at The Yard House (95 E. Freedom Way)

San Francisco Bay Area DLP User Group meeting - Sept. 15, 2016

Location: Symantec headquarters: 350 Ellis St., Mountain View, CA (Blg. D, GW Carver, 1st Floor)
Time: Thu, 15 September, 2016 - 11:00 - 14:30 PDT

Please join us for the next San Francisco Bay Area Data Loss Prevention User Group meeting on Thursday, Sept. 15 from 11:00 a.m. to 2:30 p.m. at the Symantec offices in Mountain View.

Lunch will be served!

Agenda

  • Welcome and Introduction – Chirag Shah, Mobile Iron
  • Welcome and Introduction – David Palic, Symantec
  • Lunch (during the presentation)
  • Customer Presentation – Chirag Shah: Discussion on Cloud Security and Data Protection best practices and how to solve your issues
  • Partner Presentation – David Trum, Trum Partners
  • Product Roadmap -- Mario Espinoza, Symantec Sr Dir., Product Management 
  • Q&A Session / Customer roundtable
  • Conclusion, Feedback and Prizes!

Forward traffic from PGP to Network Monitor

I do not need a solution (information sharing only)

Hi All,

I'm new to administering Sym DLP, so please bear that in mind, and I didn't set up our current environment. In my environment, we are currently using multiple network monitors which utilize Napatech cards - we are tapped into the network.

What I'd like to do is dedicate a network monitor to only receive mirrored outbound traffic from a PGP server that sits in the DMZ - problem (that team will configure their appliance/application to send SMTP traffic in clear-text to my network monitor). Any information on the questions below helps. My questions are:

Is the detection server able to receive this traffic type if forwarded rather than utilizing our tap?

What port number does Network Monitor listen on for traffic, and can I port forward directly to Network Monitor?

Since the Napatech card is a direct line, can I configure (check mark in the UI)

Can the Napatech card be configured to have an IP address?


[DLP 14] Agent Installation through Software Management. Command-line limitations

I need a solution

Hello everyone,

I'm deploying a bunch of DLP Agents and using Altiris site with Software Management.

After creating the software release and uploading the software media, I add the command line from install_agent.bat

e.g. of the command line for DLP Agent

msiexec /i AgentInstall.msi /q INSTALLDIR="%PROGRAMFILES%\Manufacturer\Endpoint Agent" ENDPOINTSERVER="192.168.0.253:10443" TOOLS_KEY="D23DA21E708384A63E816AE042B0A064DBEB5148E707285BADBFDC72126B8A0038104D5CDBDDB667215A66D6DF0C86DAECA498BEC7E0975C263BF22B261B77146BC3C4A1EC226" SERVICENAME="EDPA" WATCHDOGNAME="WDP" ARPSYSTEMCOMPONENT="1" ENDPOINT_CERTIFICATE="endpoint_cert.pem" ENDPOINT_PRIVATEKEY="endpoint_priv.pem" ENDPOINT_PRIVATEKEY_PASSWORD="8CE39EBCE5F121E004AEB4E66C35C886A2A0994F79916A72F35AA9D5D3E5D9466E8E93E4A113D7620AD601E30A35078DB7BC8088A5F8F0B53E75223C18CBD25120796FE33C96D9F6AB0917D4DF25624972CA1C51A78163777C6BDAB06B099567B8F71" ENDPOINT_TRUSTSTORE="endpoint_truststore.pem" LOGDETAILS="Yes" /L*v %SystemDrive%\installAgent.log

But it is not fully copied into the field where the command line goes:

[Screenshot: CASE1_0.png]

The only command line copied is the following, and not the complete one:

msiexec /i AgentInstall.msi /q INSTALLDIR="%PROGRAMFILES%\Manufacturer\Endpoint Agent" ENDPOINTSERVER="192.168.0.253:10443" TOOLS_KEY="D23DA21E708384A63E816AE042B0A064DBEB5148E707285BADBFDC72126B8A0038104D5CDBDDB667215A66D6DF0C86DAECA498BEC7E0975C263BF22B261B77146BC3C4A1EC226" SERVICENAME="EDPA" WATCHDOGNAME="WDP" ARPSYSTEMCOMPONENT="1" ENDPOINT_CERTIFICATE="endpoint_cert.pem" ENDPOINT_PRIVATEKEY="endpoint_priv.pem" ENDPOINT_PRIVATEKEY_PASSWORD="8CE39EBCE5F121E004AEB4E66C35C886A2A0994F79916A72F35AA9D5D3E5D9

I know this is a limitation of the command line text box on the Altiris page. But is there a way I can change this?

How do you set up the DLP Agent with Software Management (specifically this step)?

Thanks in advance.


Endpoint Email Prevent Pop Up

I need a solution

Hi All,

I have created an endpoint policy to prevent users from sending email if a matching keyword is found only in an attachment, not in the body of the email. The policy is working, but the problem is that the pop-up also appears when the matching word is found in the body of the email, which I don't want. I only want the pop-up to appear if the matching keyword is detected in an attachment. Right now it shows the pop-up for both body and attachment. Keyword detection is working fine, but why it is detecting in the body of the mail is the problem.

Following are the details I have configured:

Add policy > Content match > keyword "confidential" > on whole words > match on "Only attachment" is selected; the other options "Envelope", Subject, Body are unchecked, as I only want detection in attachments.

Along with the AND condition below:

Protocol and endpoint monitoring > only Email/SMTP is selected.

Response rule -> prevent user pop up block options with multiple options

Now this policy works like this: whether the word "confidential" matches in the body or the attachment, it shows the pop-up. But I have only selected attachment in the keyword match option, so why is it picking it up from the mail body? I only want detection in the attachment, not in the body.

Please suggest what's wrong with this.
