Data Loss Prevention


EDM Matching on Multiple Lines


    Posted 2 days ago

    Hi DLP Community,

    We are facing the following problem:

    We have an EDM that is structured the following way (simplified):

    Account Number | Authorized Recipient | Company
    72482 | Person1@mail.com | Company XY
    72482 | Person2@mail.com | Company XY

    Important to note here is that the same account ID can have multiple authorized recipients, as shown above. We have an EDM prevention policy that checks the content of the message for the account number but allows it if the recipient is the authorized person. From our observations, Symantec cannot handle the case where there are multiple lines in the EDM for the same account number.

    So based on the example above:

    Symantec detects 72482 in the message, checks the recipient, identifies Person1@mail.com and allows the message. But when it proceeds to check the second line, it detects 72482 and, since the recipient is still Person1, it creates a false positive incident, because for the ignore rule it would expect Person2, although both recipients are allowed for this specific account number.

    We have been searching for a solution to this for a while now but have not been able to find one. Do we just have to accept this as a technical limitation based on how Symantec performs EDM scans, or has someone else faced this issue and found an acceptable solution? Changing the EDM/database structure would require a lot of effort and is not a preferred solution.

    Many thanks in advance,

    Armando



    -------------------------------------------
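
A small model of the matching behaviour described in the post above, added here as an example and not taken from the post or from Symantec: it contrasts testing the recipient exception against each matched EDM row on its own with testing it against all rows for the matched account, and lists which accounts in an export are exposed to the difference. The row layout, function names, the extra account row and the sample message are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed rows mirroring the simplified EDM source shown in the post.
EDM_ROWS = [
    ("72482", "Person1@mail.com", "Company XY"),
    ("72482", "Person2@mail.com", "Company XY"),
    ("90011", "Person3@mail.com", "Company AB"),  # constructed extra row
]

def matched_rows(body, rows):
    """Rows whose account number occurs in the body as a whole digit run."""
    tokens = set(re.findall(r"\d+", body))
    return [r for r in rows if r[0] in tokens]

def incidents_per_row(body, recipient, rows):
    """Model of the reported behaviour: the exception is tested row by row."""
    rcpt = recipient.strip().lower()
    return [r for r in matched_rows(body, rows) if r[1].lower() != rcpt]

def incidents_per_account(body, recipient, rows):
    """Intended semantics: any row for the account may authorise the recipient."""
    allowed = defaultdict(set)
    for account, authorised, _company in rows:
        allowed[account].add(authorised.lower())
    rcpt = recipient.strip().lower()
    hits = {r[0] for r in matched_rows(body, rows)}
    return sorted(a for a in hits if rcpt not in allowed[a])

def multi_recipient_accounts(rows):
    """Accounts with more than one authorised recipient, i.e. those affected."""
    seen = defaultdict(set)
    for account, authorised, _company in rows:
        seen[account].add(authorised.lower())
    return sorted(a for a, r in seen.items() if len(r) > 1)

if __name__ == "__main__":
    body = "Statement for account 72482 is attached."  # constructed message
    print(incidents_per_row(body, "Person1@mail.com", EDM_ROWS))
    print(incidents_per_account(body, "Person1@mail.com", EDM_ROWS))
    print(multi_recipient_accounts(EDM_ROWS))
```

Running `multi_recipient_accounts` over an export of the real data source shows how many accounts can trigger the false positive, which helps size the problem before deciding on a workaround.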