Data Loss Prevention

Low Disk Space - What files can be deleted? + a few more questions

posted 11-11-2020 05:05 AM

Hello Folks, 

I am kinda new to DLP administration. 
The Enforce server reports low disk space (around 90% full). What files can I delete so I can free up space?

Also, I created these new policies for indexed data which should block uploading via HTTP/S, but it is not working in any way. I have other policies with the same purpose but for different data and they work just fine. What could be the problem?

I will highly appreciate any kind of help here (as there is no one else in my company I could ask for help)

Good morning Mihaela. I would recommend adding more information to your first question so our community can have more details of your DLP environment in order to give advice: server type, OS, memory, hard drive size and how many, and if it is an Endpoint server, how many clients are talking to this server. However, if it is a VM, it is pretty easy to add space; read the system requirements and server sizing documentation to figure out how much space your DLP environment will need, and comply. 
For your second question, again you need to provide more detailed information on what you are trying to accomplish and how you are doing it. Once we know what the final goal is, we can recommend a path to follow. For instance, what detection technology are you testing? EDM, EMDI, IDM, VML; each technology has its own purpose and limitations. For instance, if you are trying to block HTTPS traffic based on an AD-based policy, it might have a two-tier detection need and it won't be able to block. Indexed documents are normally left to detection servers, but the new EMDI technology can be used on the endpoint; check the Admin guide to properly apply detection technologies based on your needs.
Here are some documents that might be useful:
System requirements
https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/information-security/data-loss-prevention/generated-pdfs/Symantec_DLP_15.7_System_Requirements_Guide.pdf

Best practices for Endpoint Protection on Windows servers

https://knowledge.broadcom.com/external/article/177535/best-practices-for-endpoint-protection-o.html

Architecture best practices for deploying DLP Endpoint Prevent Detection Servers

https://knowledge.broadcom.com/external/article?articleId=173958

DLP 15.7 all documents, including the Admin guide: https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/15-7/Related-Documents.html
Note: I would recommend posting a single question per post. 

Good luck,
A.C.
Hello, 
 
I have a one-tier infrastructure (VM) and I asked the VMware guys to add more space to my server; the resources are completely fine now.

The feature in question is IDM. I have 550 documents indexed and managed to make DLP block uploading the files over HTTP/S, but when I paste the whole content of the file, the agent does not block me. I have set only one Network Prevent block rule. Do I have to set an endpoint one so I can make it work?
>> Do I have to set an endpoint one so I can make it work?

Do you use Endpoint Prevent or Network via ICAP? If you do use endpoint installations, you will need a rule for actions on the endpoint using "Agent IDM".

Check for two-tier detection using the endpoint as well if you are using macOS agents: https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/15-7/about-data-loss-prevention-policies-v27576413-d327e9/introducing-indexed-document-matching-idm-v27388119-d327e27601/types-of-idm-detection-v86395596-d327e27714/two-tier-idm-detection-v95340568-d327e27802.html
Agent IDM is disabled for Mac in upgrades, and only enabled in new 15.7 installations.
With the help of your Windows team you can find out which folder/file is taking up the most space.
It's usually the Tomcat logs that have accumulated over a period of time.
If you don't have a retention requirement, then these logs can be purged (better if you take a backup of them first by exporting them to a network share).
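The procedure the reply describes (find which directories are heaviest, then back stale logs up to a share before deleting them) as a Python script. This is an added example, not something from the thread or from the DLP product: the directory names, the file pattern and the 30-day retention window are placeholders, and `build_demo_tree()` fabricates a small sample tree so the script runs offline. Point `largest()` and `archive_and_purge()` at your own Enforce log and archive locations instead.

```python
"""Locate what is consuming disk and archive-then-purge old Tomcat logs.

Added example, not from the thread or from the DLP product. The log directory,
archive share and retention period are parameters for your environment; nothing
here encodes the real Enforce install layout.
"""
import os
import shutil
import tempfile
import time
from pathlib import Path


def dir_sizes(root):
    """Map each directory under root to the total bytes it contains (recursively)."""
    root = Path(root).resolve()
    sizes = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        total = 0
        for name in filenames:
            try:
                total += (Path(dirpath) / name).stat().st_size
            except OSError:          # rotated/locked file disappeared mid-walk
                continue
        p = Path(dirpath)
        while True:                  # charge these bytes to every ancestor up to root
            sizes[p] = sizes.get(p, 0) + total
            if p == root:
                break
            p = p.parent
    return sizes


def largest(root, top_n=10):
    """The top_n heaviest directories under root (root itself included), biggest first."""
    return sorted(dir_sizes(root).items(), key=lambda kv: kv[1], reverse=True)[:top_n]


def archive_and_purge(log_dir, archive_dir, max_age_days, pattern="*", dry_run=True):
    """Copy files older than max_age_days to archive_dir, then delete the originals.

    A file is deleted only after its copy exists with the same size, so a failed
    copy to the share never loses a log. dry_run=True only reports candidates.
    """
    cutoff = time.time() - max_age_days * 86400
    archive = Path(archive_dir)
    candidates = [f for f in sorted(Path(log_dir).glob(pattern))
                  if f.is_file() and f.stat().st_mtime < cutoff]
    if dry_run:
        return candidates
    archive.mkdir(parents=True, exist_ok=True)
    for f in candidates:
        dest = archive / f.name
        shutil.copy2(f, dest)
        if dest.stat().st_size != f.stat().st_size:
            raise IOError(f"archive copy of {f} is incomplete; not deleting it")
        f.unlink()
    return candidates


def build_demo_tree():
    """Constructed sample tree: two stale logs, one fresh log, one large data file."""
    root = Path(tempfile.mkdtemp())
    (root / "logs").mkdir()
    (root / "data").mkdir()
    stale = time.time() - 40 * 86400
    for name, size, mtime in [("catalina.old1.log", 1000, stale),
                              ("catalina.old2.log", 2000, stale),
                              ("catalina.new.log", 500, None)]:
        f = root / "logs" / name
        f.write_bytes(b"x" * size)
        if mtime is not None:
            os.utime(f, (mtime, mtime))
    (root / "data" / "incidents.bin").write_bytes(b"y" * 5000)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for d, n in largest(root, 3):
        print(f"{n:>8} bytes  {d}")
    stale_logs = archive_and_purge(root / "logs", root / "archive", 30)
    print("would purge:", [f.name for f in stale_logs])
```

Run it once with the default `dry_run=True` and review the candidate list before switching to `dry_run=False`; the size check after `copy2` is what makes the delete safe when the archive target is a network share that may fill up or drop mid-copy.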
Regarding your question about the IDM detection failure: if you are using Network Web Prevent, it may be due to the way the data is being posted. I've found that even simple keyword detection is missed because of how it's presented to DLP.
For example, posting:

SSN test data

123-45-6789 KENT ADAMS ad

Appears like this in the actual post:
value: [{"commands":[{"ty":"mlti","mts":[{"ty":"is","ibi":1,"s":"SSN test data\n123-45-6789 KENT ADAMS ad..
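To make the point above concrete, here is an added example (not code from the thread or from Symantec DLP) that scores the same pasted text two ways: once against the raw request body as the web editor posts it, and once after the JSON wrapper is decoded. The shingle fingerprint is a simplified stand-in for IDM, `POST_BODY` is a constructed body shaped like the one quoted above, and the 3-word chunk size and 70% threshold are assumed values. The wrapper's keys and the literal `\n` escape break up the chunks in the raw body, so it scores below the threshold while the decoded text matches completely.

```python
"""Why pasted text wrapped in JSON by a web editor can score lower for IDM-style
matching than the same text uploaded as a file.

Added example, not part of the original thread and not Symantec DLP code. The
shingle fingerprint below is a simplified stand-in for IDM, and POST_BODY is a
constructed request body shaped like the one quoted in the thread.
"""
import hashlib
import json
import re

SHINGLE_WORDS = 3        # assumed chunk size: words per fingerprinted shingle
BLOCK_THRESHOLD = 70.0   # assumed policy threshold: minimum % of indexed document matched

INDEXED_DOC = "SSN test data\n123-45-6789 KENT ADAMS ad"   # the thread's sample text
# Constructed body: the same text after an editor wraps it in its command JSON.
POST_BODY = "value: " + json.dumps(
    [{"commands": [{"ty": "mlti", "mts": [{"ty": "is", "ibi": 1, "s": INDEXED_DOC}]}]}]
)


def normalize(text):
    """Lower-case and reduce every run of non-alphanumerics to a single space."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def fingerprint(text):
    """Set of SHA-1 hashes of overlapping SHINGLE_WORDS-word chunks (IDM-like index)."""
    words = normalize(text).split()
    if not words:
        return set()
    n = max(len(words) - SHINGLE_WORDS + 1, 1)
    return {hashlib.sha1(" ".join(words[i:i + SHINGLE_WORDS]).encode()).hexdigest()
            for i in range(n)}


def match_percent(indexed_text, candidate_text):
    """Percentage of the indexed document's shingles that appear in the candidate."""
    idx = fingerprint(indexed_text)
    return 100.0 * len(idx & fingerprint(candidate_text)) / len(idx) if idx else 0.0


def extract_strings(obj):
    """Yield every string value anywhere inside a decoded JSON document."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from extract_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from extract_strings(v)


def text_from_post_body(body):
    """Recover plain text from a 'field: <json>' or bare JSON body.

    JSON escapes such as \\n become real newlines and the wrapper keys vanish.
    Anything that is not JSON is returned unchanged so detection still runs on it.
    """
    payload = body if body.lstrip().startswith(("{", "[")) else body.partition(":")[2]
    try:
        return "\n".join(extract_strings(json.loads(payload)))
    except json.JSONDecodeError:
        return body


def evaluate(indexed_text, body, threshold=BLOCK_THRESHOLD):
    """Score the raw body and the decoded body; return both scores and the verdicts."""
    raw = match_percent(indexed_text, body)
    decoded = match_percent(indexed_text, text_from_post_body(body))
    return {"raw_pct": raw, "raw_blocked": raw >= threshold,
            "decoded_pct": decoded, "decoded_blocked": decoded >= threshold}


if __name__ == "__main__":
    for k, v in evaluate(INDEXED_DOC, POST_BODY).items():
        print(f"{k:16} {v}")
```

The raw body matches only 4 of the 7 indexed chunks (about 57%), because `data\n123` normalizes to `data n123` and the `commands`/`mts` keys sit between the fields, while the decoded text matches all 7. Whether a real product decodes a given editor's JSON before matching is a product question; the test above is a quick way to check, on a captured request, whether the text your policy is looking for actually reaches detection in matchable form.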