Data Loss Prevention


  • 1.  Exclude E-Mail Disclaimers from Detection

    Posted Mar 19, 2024 09:41 AM

    Hi,

    I have a keyword policy in place that generates a lot of false positive Incidents, due to the generic nature of the keywords. Unfortunately, they appear quite often in the e-mail disclaimer that is included in each e-mail. Is there a proper way to ignore the content of the disclaimer? I am relatively new to Symantec DLP so I just wanted to check if there are already proven approaches as I do not want to reinvent the wheel. I was thinking about using Regex or Proximity Keywords (If that even exists in Symantec).

    Many Thanks



  • 2.  RE: Exclude E-Mail Disclaimers from Detection

    Broadcom Employee
    Posted Mar 20, 2024 06:38 PM

    Hi Armando,

    It may be easiest to simply increase the minimum number of matches for an incident. Like if one of your keywords is "confidential", and most emails have that word as part of the disclaimer, set the threshold for incidents to be 2 matches. 

    If that's too inexact, you might need further consideration - I've seen disclaimers that were images of the text, which avoids detection if OCR is not part of your detection.

    So, more info at any rate might be needed!



    ------------------------------
    Stephen Heider

    Global Support Lead | Symantec Enterprise Division | DLP Support
    Broadcom

    stephen.heider@broadcom.com | broadcom.com
    ------------------------------



  • 3.  RE: Exclude E-Mail Disclaimers from Detection

    Posted Mar 11, 2025 05:48 PM

    The email disclaimer is indeed problematic for us too. Increasing the threshold for the no. of matches is not suitable given the fact that there are many emails with multiple disclaimers (for each email reply back and forth, a new disclaimer is attached). Is there any option to add the disclaimers to be "ignored" from being taken into account (not as an exclusion, which we know is going to exclude the email completely)?




  • 4.  RE: Exclude E-Mail Disclaimers from Detection

    Posted Mar 14, 2025 05:24 PM

    Hi Armando

    Try either one of the following:

    Use [confidential] instead of just confidential in your disclaimer. The keyword list policy should not detect that. If [] are not ignored, try another special character. The characters taken by DCM-KW policies are limited. Use another one. Humans will understand it and scanners will ignore it.

    In general, using a classification tag like #CONFIDENTIAL# is better than using normal words to avoid the false/positive match in these cases.
    Also you could use something like #<your company>_CONFIDENTIAL#. Especially useful when classified content is shared with need-to-know people outside your company. They might have a classification too.

    rgds
    Thomas
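
Added example, not part of any post in this thread and not a Symantec DLP feature: an offline Python check for the reply-chain problem raised in post 3, run over message bodies you already have as text, that separates keyword hits inside known disclaimer copies from hits elsewhere. The disclaimer wording, keyword list and sample messages are constructed assumptions.

```python
import re

# Constructed sample data (assumptions, not taken from the thread).
KEYWORDS = ["confidential", "internal"]
DISCLAIMER = ("This e-mail is confidential and intended only for the addressee. "
              "If you received it in error, notify the sender and delete it.")

BENIGN_THREAD = """Sounds good, see you Monday.

This e-mail is confidential and intended only for the addressee.
If you received it in error, notify the sender and delete it.

> Can we meet Monday?
>
> This e-mail is confidential and intended only for the
> addressee. If you received it in error, notify the sender
> and delete it.
"""
REAL_HIT = "Attached is the confidential pricing sheet.\n\n" + DISCLAIMER


def normalize(text):
    """Strip reply-quote markers and collapse whitespace so quoted,
    re-wrapped copies of the disclaimer still compare equal."""
    text = re.sub(r"(?m)^[ \t]*(?:>[ \t]*)+", "", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def count_keywords(text, keywords=KEYWORDS):
    """Whole-word, case-insensitive keyword count."""
    pattern = r"\b(?:" + "|".join(map(re.escape, keywords)) + r")\b"
    return len(re.findall(pattern, text, flags=re.IGNORECASE))


def split_hits(body, disclaimer=DISCLAIMER, keywords=KEYWORDS):
    """Return (total hits, hits outside disclaimers, disclaimer copies)."""
    norm, disc = normalize(body), normalize(disclaimer)
    outside = norm.replace(disc, " ")
    return (count_keywords(norm, keywords),
            count_keywords(outside, keywords),
            norm.count(disc))


if __name__ == "__main__":
    for name, body in (("benign thread", BENIGN_THREAD), ("real hit", REAL_HIT)):
        total, outside, copies = split_hits(body)
        print(f"{name}: total={total} outside={outside} disclaimers={copies}")
```

Both sample messages reach two total matches, so a threshold of 2 cannot tell them apart; only the count outside the disclaimers separates the benign reply chain (0) from the message with a real keyword use (1).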