How to exclude blank evidence for the Web Post Protection rule in Data Loss Prevention Endpoint
Technical Articles ID: KB85726
Last Modified: 6/19/2019

Environment

McAfee Data Loss Prevention (DLP) Endpoint - all supported versions
McAfee ePolicy Orchestrator (ePO) 5.x

For details of DLP Endpoint supported environments, see KB68147.

Problem

Blank evidence files (.txt files) are generated by the client when the Web Post Protection Rule is configured and the DLP Endpoint client incidents are reported to DLP Incident Manager.

Cause

When you configure the Web Post Protection rule to catch text file types and specific extensions, DLP does not catch body text because the content classification or tag is not specified.

Solution

This issue is being evaluated for consideration in a future product release or update. If this issue significantly impacts your business operations, log on to the ServicePortal and create a Service Request at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR. Include this article number in the Problem Description field to help us assess the need for product modification.

You can also search the Ideas forum for an existing product idea that matches your requirements, and vote to have it added to the product. For more information about product ideas, see KB60021.

Workaround

NOTE: Technical Support does not recommend following this procedure if you are concerned about excluding 1-KB text files (.txt), as described in KB84372.

To exclude blank evidence files (.txt files) from being generated by the client when the Web Post Protection Rule is configured and the DLP Endpoint client incidents are reported to DLP Incident Manager:

  1. Create a new file extension in Definitions:
    1. Log on to the ePO server and select Menu, Data Protection, Classification, Definitions.
    2. In the left pane, select File extension under Data.
    3. Select Actions, New.
    4. Type a unique Name (and a Description, if needed). Example: Exclude blank text files.
    5. Under Extensions, add the Name and Extension of the file:
      1. Type a generic name for the files. Example: Text files.
      2. Type the file extension. (Use uppercase letters for extensions, for example: TXT, DOC, TMP.)
      3. Click Add and Save.

  2. Create a new file information definition in Definitions:
    1. In the left pane, select File information under Data.
    2. Select Actions, New.
    3. Replace the default definition name with a unique name for this definition.
    4. Select File Extension from the Available Properties, set the Comparison to None of (NOT), and add the file extension definition that you created in step 1.
    5. In the left pane, under Available Properties, select File Size.
    6. Ensure that the Comparison drop-down list is set to less than (KB), and add the value 1.
    7. Click Save.
    8. Click the Classification tab and click Edit on the Classification Criteria or Tagging Criteria used in your Web Post Protection Rule.
    9. Select File Information in the Available Properties.
    10. Leave the Comparison as One of (OR).
    11. Click the Context Menu under Value and select the new definition.
    12. Click Save and Apply the policy.
