Hello all,
I've been facing an issue lately that you guys might be able to help with.
I created a policy based on an IDM Indexed profile with 50 documents (mainly PDFs with text/images).
With two-tier ON in the agent config, the DLP is able to detect all data transfers on email/usb/print protocols. If I switch two-tier to OFF, all emails are still being captured on Network but only 2 out of 50 documents are captured/identified on usb/print. Those 2 files are always identified as "matched exactly" while the others are of the "100% match" type.
Obviously, the test was done using the same files that were indexed.
My questions/doubts are:
- what's the difference between "matched exactly" and "matched 100%", taking into consideration that all files were indexed correctly?
- why are only 2 out of 50 documents identified with two-tier OFF if they are all indexed?
- why, with two-tier ON, am I not able to have any block (right now I just have a normal log on the console), even on those incidents which are blocked with two-tier OFF? Does two-tier ON always send the documents to endpoint even if the agent can match them exactly?
I am trying to avoid the two-tier ON feature due to its high traffic/bandwidth demand (especially in a corporation with over 40K agents).
Details:
IDM policy created with 10% Minimum Document Exposure and Index archiving on Enforce Server local path
Enforce Svr and Endpoint Svr using 12.5.1 version with Network Monitor and Endpoint Prevent
Thanks in advance,
Morgado