What gets installed for DLP Agents installed on Windows endpoints

The DLP Agent installation places a number of components on endpoints. Do not disable or modify any of these components or the DLP Agent may not function correctly.
Installed components

Component: Driver (vfsmfd.sys)
Description: Detects any activity in the endpoint file system (including activity on Citrix XenApp and XenDesktop) and relays the information to the DLP Agent service.
This driver is installed at <Windows_dir>\System64\drivers. For example, c:\windows\System64\drivers. All other agent files are installed into the agent installation directory.

Component: Driver (vnwcd.sys)
Description: Intercepts network traffic (HTTP, FTP, and IM protocols) on the endpoint. After the Symantec Data Loss Prevention Agent analyzes the content, the vnwcd.sys driver allows or blocks the data transfer over the network.
This driver is installed at <Windows_dir>\System64\drivers. For example, c:\windows\System64\drivers. All other agent files are installed into the agent installation directory.

Component: Driver (vrtam.sys)
Description: Monitors process creation and destruction, and sends notifications to the DLP Agent. The driver monitors the applications that are configured as part of Application Monitoring; for example, CD/DVD applications.
This driver is installed at <Windows_dir>\System64\drivers. For example, c:\windows\System64\drivers. All other agent files are installed into the agent installation directory.

Component: Symantec DLP Agent service
Description: Receives all information from the driver and relays it to the Endpoint Server. During installation, the DLP Agent is listed under the task manager as edpa.exe.
Users are prevented from stopping or deleting this service on their workstation.

Component: Watchdog service
Description: Automatically checks to see if the DLP Agent is running. If the DLP Agent has been stopped, the watchdog service restarts the DLP Agent. If the watchdog service has been stopped, the DLP Agent service restarts the watchdog service.
Users are prevented from stopping or deleting this service.

The DLP Agent service creates the following files:
  • Two log files (edpa.log and edpa_ext0.log), created in the installation directory.
  • Each DLP Agent maintains an encrypted database at the endpoint called the DLP Agent store. The DLP Agent store saves two-tier request metadata, incident information, and the original file that triggered the incident, if needed. Depending on the detection methods used, the DLP Agent either analyzes the content locally or sends it to the Endpoint Server for analysis. See: About the DLP Agent store
  • A database named rrc.ead is installed to maintain and contain non-matching entries for rules results caching (RRC). See: About rules results caching (RRC)
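
An administrator can confirm that the components listed above are still in place with a check like the following. This is an added example, not Symantec's own tooling. The `-AgentDir` parameter is an assumption (the page does not give the installation path), as is placing rrc.ead in that directory; the watchdog service is not checked because the page does not name its executable.

```powershell
# Added example: health check for the DLP Agent components named on this page.
param(
    # Assumption: the agent installation directory, supplied by the caller.
    [Parameter(Mandatory)] [string] $AgentDir
)

$results = @()

# Kernel drivers: is each one registered with Windows, and in what state?
foreach ($file in 'vfsmfd.sys', 'vnwcd.sys', 'vrtam.sys') {
    $drv = Get-CimInstance Win32_SystemDriver -Filter "PathName LIKE '%$file'" |
        Select-Object -First 1
    $results += [pscustomobject]@{
        Component = "Driver ($file)"
        Present   = [bool]$drv
        Detail    = if ($drv) { "$($drv.State), $($drv.PathName)" } else { 'not registered' }
    }
}

# DLP Agent service process, listed in Task Manager as edpa.exe.
$proc = Get-Process -Name edpa -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Component = 'DLP Agent (edpa.exe)'
    Present   = [bool]$proc
    Detail    = if ($proc) { "PID $($proc.Id -join ', ')" } else { 'process not running' }
}

# Files the agent creates. A log that has not been written recently can
# indicate a stopped or tampered agent, so report the last write time.
foreach ($name in 'edpa.log', 'edpa_ext0.log', 'rrc.ead') {
    $item = Get-Item -LiteralPath (Join-Path $AgentDir $name) -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Component = $name
        Present   = [bool]$item
        Detail    = if ($item) { "last written $($item.LastWriteTime.ToString('s'))" } else { 'missing' }
    }
}

$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduler or monitoring agent alert on the result.
$missing = @($results | Where-Object { -not $_.Present })
if ($missing.Count -gt 0) { exit 1 }
```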