What gets installed for DLP Agents installed on Windows endpoints
The DLP Agent installation places a number of components on endpoints. Do not disable or modify any of these components or the DLP Agent may not function correctly.
| Component | Description |
|---|---|
| Driver (vfsmfd.sys) | Detects any activity in the endpoint file system (including activity on Citrix XenApp and XenDesktop) and relays the information to the DLP Agent service. This driver is installed at <Windows_dir>\System64\drivers (for example, c:\windows\System64\drivers). All other agent files are installed into the agent installation directory. |
| Driver (vnwcd.sys) | Intercepts network traffic (HTTP, FTP, and IM protocols) on the endpoint. After the Symantec Data Loss Prevention Agent analyzes the content, the vnwcd.sys driver allows or blocks the data transfer over the network. This driver is installed at <Windows_dir>\System64\drivers (for example, c:\windows\System64\drivers). All other agent files are installed into the agent installation directory. |
| Driver (vrtam.sys) | Monitors process creation and destruction and sends notifications to the DLP Agent. The driver monitors the applications that are configured as part of Application Monitoring; for example, CD/DVD applications. This driver is installed at <Windows_dir>\System64\drivers (for example, c:\windows\System64\drivers). All other agent files are installed into the agent installation directory. |
| Symantec DLP Agent service | Receives all information from the drivers and relays it to the Endpoint Server. After installation, the DLP Agent is listed in Task Manager as edpa.exe. Users are prevented from stopping or deleting this service on their workstation. |
| Watchdog service | Automatically checks whether the DLP Agent is running. If the DLP Agent has been stopped, the watchdog service restarts the DLP Agent. If the watchdog service has been stopped, the DLP Agent service restarts the watchdog service. Users are prevented from stopping or deleting this service. |
The DLP Agent service creates the following files:
- Two log files (edpa.log and edpa_ext0.log), created in the installation directory.
- An encrypted database at the endpoint called the DLP Agent store, maintained by each DLP Agent. The DLP Agent store saves two-tier request metadata, incident information, and the original file that triggered the incident, if needed. Depending on the detection methods used, the DLP Agent either analyzes the content locally or sends it to the Endpoint Server for analysis. (See also: About the DLP Agent store.)
- A database named rrc.ead, installed to maintain and contain non-matching entries for rules results caching (RRC). (See also: About rules results caching (RRC).)
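Because the drivers, the edpa.exe process, the watchdog pairing and the files above are what a tampered or half-removed agent would be missing, an endpoint health check can verify each of them. The following PowerShell script is an added example, not Symantec's code and not from this page. Only the driver file names, the edpa.exe process name, the <Windows_dir>\System64\drivers location and the file names (edpa.log, edpa_ext0.log, rrc.ead) come from the page; the installation directory ($AgentDir) and the service display-name wildcard ($ServicePattern) are assumed placeholders that must be set for a real deployment.

```powershell
<#
 Added example (not Symantec's own code): reports whether the DLP Agent
 components documented above are present, signed and running on this endpoint.
 Assumptions, not from the page: $AgentDir is a placeholder for the agent
 installation directory and $ServicePattern is a guessed display-name wildcard.
#>
param(
    [string]$AgentDir = 'C:\PLACEHOLDER\DLP Agent',     # assumed: replace with the real install directory
    [string]$ServicePattern = '*Data Loss Prevention*' # assumed: display-name pattern for agent + watchdog
)

# <Windows_dir>\System64\drivers, the driver location stated in the table above
$DriverDir = Join-Path $env:SystemRoot 'System64\drivers'

$drivers    = 'vfsmfd.sys', 'vnwcd.sys', 'vrtam.sys'   # from the component table
$agentFiles = 'edpa.log', 'edpa_ext0.log', 'rrc.ead'   # from the file list

$loadedDrivers = Get-CimInstance -ClassName Win32_SystemDriver
$results = [System.Collections.Generic.List[object]]::new()

function Add-Result([string]$Component, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Component = $Component; OK = $Ok; Detail = $Detail })
}

foreach ($name in $drivers) {
    $path   = Join-Path $DriverDir $name
    $onDisk = Test-Path -LiteralPath $path
    # A replaced or patched driver fails Authenticode validation
    $sig = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'missing' }
    # Loaded state comes from the service control manager's driver list, matched by file name
    $loaded = $loadedDrivers | Where-Object { $_.PathName -like "*\$name" -and $_.State -eq 'Running' }
    Add-Result "Driver $name" ($onDisk -and $sig -eq 'Valid' -and $loaded) `
        "on disk=$onDisk signature=$sig loaded=$([bool]$loaded)"
}

# Agent service process (edpa.exe per the table); the watchdog restarts it if it is stopped
$edpa = Get-Process -Name 'edpa' -ErrorAction SilentlyContinue
Add-Result 'DLP Agent process (edpa.exe)' ([bool]$edpa) ('PID=' + ($edpa.Id -join ','))

# Services whose display name matches the assumed pattern; expect the agent service and the watchdog
$svcs = Get-Service | Where-Object { $_.DisplayName -like $ServicePattern }
foreach ($s in $svcs) {
    Add-Result "Service $($s.Name)" ($s.Status -eq 'Running') "status=$($s.Status)"
}
if (-not $svcs) {
    Add-Result 'Services' $false "no service display name matched '$ServicePattern' (adjust the pattern)"
}

# Files the agent service creates in its installation directory
foreach ($f in $agentFiles) {
    $path = Join-Path $AgentDir $f
    Add-Result "File $f" (Test-Path -LiteralPath $path) $path
}

$results | Format-Table -AutoSize
# Non-zero exit lets a scheduled task or compliance tool flag an unhealthy agent
if ($results | Where-Object { -not $_.OK }) { exit 1 } else { exit 0 }
```

Run it from an elevated PowerShell session so that Get-CimInstance and Get-AuthenticodeSignature can read the driver directory; a non-zero exit code indicates at least one documented component is missing, unsigned, or not running.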