Hi Armando,
It may be easiest to simply increase the minimum number of matches for an incident. Like if one of your keywords is "confidential", and most emails have that word as part of the disclaimer, set the threshold for incidents to be 2 matches.
If that's too inexact, you might need further consideration - I've seen disclaimers that were images of the text, which avoids detection if OCR is not part of your detection.
So, more info at any rate might be needed!
------------------------------
Stephen Heider
Global Support Lead | Symantec Enterprise Division | DLP Support
Broadcom
stephen.heider@broadcom.com | broadcom.com
------------------------------
Original Message:
Sent: Mar 19, 2024 06:13 AM
From: Armando Rodriguez
Subject: Exclude E-Mail Disclaimers from Detection
Hi,
I have a keyword policy in place that generates a lot of false-positive incidents, due to the generic nature of the keywords. Unfortunately, they appear quite often in the e-mail disclaimer that is included in each e-mail. Is there a proper way to ignore the content of the disclaimer? I am relatively new to Symantec DLP so I just wanted to check if there are already proven approaches as I do not want to reinvent the wheel. I was thinking about using Regex or Proximity Keywords (if that even exists in Symantec).
Many Thanks
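
The match-threshold suggestion in the reply above can be checked offline against a handful of labelled messages before a policy is changed. The following is an added example, not part of the original thread and not Symantec DLP configuration or API: plain Python with a constructed disclaimer, keyword list and sample messages, assuming every keyword occurrence counts as one match.

```python
import re

# Constructed sample data: the disclaimer, keyword list and messages are
# invented for this example and do not come from any real mail system.
DISCLAIMER = ("This e-mail and any attachments are confidential and "
              "intended solely for the addressee.")
KEYWORDS = ["confidential", "restricted"]

# (label, message text, is the message truly sensitive?)
SAMPLES = [
    ("lunch invite", "Lunch at noon?\n" + DISCLAIMER, False),
    ("leak", "Attached is the confidential pricing sheet.\n" + DISCLAIMER, True),
    ("leak, no footer", "Forwarding the restricted roadmap.", True),
    ("reply chain",
     "Sounds good.\n" + DISCLAIMER + "\n> See you then.\n> " + DISCLAIMER, False),
]

def count_matches(text, keywords=KEYWORDS):
    """Count every whole-word, case-insensitive keyword occurrence."""
    pattern = r"\b(?:" + "|".join(map(re.escape, keywords)) + r")\b"
    return len(re.findall(pattern, text, flags=re.IGNORECASE))

def is_incident(text, min_matches):
    """Assumed rule: an incident fires once the match count reaches the threshold."""
    return count_matches(text) >= min_matches

def evaluate(min_matches, samples=SAMPLES):
    """Return (false_positives, false_negatives) as lists of sample labels."""
    fp = [label for label, text, sensitive in samples
          if is_incident(text, min_matches) and not sensitive]
    fn = [label for label, text, sensitive in samples
          if not is_incident(text, min_matches) and sensitive]
    return fp, fn

if __name__ == "__main__":
    for threshold in (1, 2, 3):
        fp, fn = evaluate(threshold)
        print(f"min_matches={threshold}: "
              f"false positives={fp}, false negatives={fn}")
```

On this sample a threshold of 2 silences the single-disclaimer mail, but a reply chain that repeats the disclaimer still fires and a one-keyword message without a footer is missed.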