Recovering sensitive files on Mac endpoints
When a block response rule is implemented in a policy and a sensitive file is moved from a Mac endpoint to an endpoint device, Symantec Data Loss Prevention moves the file to a local path on the endpoint. The path is fixed so the endpoint user cannot change it, and the path cannot be edited from the Enforce Server administration console.

The Mac file recover location is $HOME/My Recovered Files, where $HOME is the endpoint user's home directory.

Recovered files are segregated by folder. Each folder is named according to the application in which the file was moved. Also, a ReadMe.txt file is created in the same folder from where the sensitive file was moved. This file states where the file originally resided. For example, if a user attempts to use TextEdit to save a sensitive file to a removable storage device attached to a Mac endpoint, Symantec Data Loss Prevention moves the file to the path $HOME/My Recovered Files/TextEdit and creates a ReadMe.txt file with original file information.

Occasionally file recovery fails. This occurs if permissions to the recovery folder have been changed or if user authentication failed. If this occurs, Symantec Data Loss Prevention moves the sensitive file to the root directory folder /Alternate Recovered Files using a high privilege account to ensure that files are recovered without being deleted.

Endpoint users can recover sensitive files from both locations ($HOME/My Recovered Files and the root directory folder /Alternate Recovered Files), as well as recover deleted files. Symantec Data Loss Prevention deletes files in a number of situations. If a user copies a sensitive file from the endpoint to a removable device using the cut operation, the file is deleted. To recover the file, the user must locate it in the recovery location and move it to its original location. Also, a sensitive file located on a removable device is deleted when sensitive information is added to it and the file is saved. In this scenario, the save operation is blocked and the file is deleted. Endpoint users can recover the file at $HOME/My Recovered Files.
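
The following script is an added example, not part of the Symantec documentation or product. It inventories the two recovery locations named above, reports file counts per application folder, and flags the two signs of failed recovery described on this page. The function names, output format, and the write-access test used to detect changed folder permissions are assumptions.

```shell
#!/bin/sh
# Added example: audit the Symantec DLP recovery folders on a Mac endpoint.
# Folder names come from the page; everything else is illustrative.
# Usage: sh audit_recovery.sh "$HOME" ["/Alternate Recovered Files"]

# count_files DIR: number of regular files below DIR (safe for odd filenames).
count_files() {
    find "$1" -type f -exec printf '.' \; 2>/dev/null | wc -c | tr -d ' '
}

# audit_recovery HOME_DIR [ALT_DIR]
# Prints one line per finding; returns 1 if anything needs an admin's attention.
audit_recovery() {
    primary="$1/My Recovered Files"
    alternate="${2:-/Alternate Recovered Files}"
    status=0

    if [ ! -d "$primary" ]; then
        echo "primary: absent ($primary)"
    elif [ ! -w "$primary" ] || [ ! -x "$primary" ]; then
        # Assumption: changed permissions show up as lost write/search access.
        echo "primary: not writable by current user ($primary)"
        status=1
    else
        echo "primary: ok ($primary)"
        # One subfolder per application (for example TextEdit).
        for app_dir in "$primary"/*/; do
            [ -d "$app_dir" ] || continue
            app=$(basename "$app_dir")
            echo "primary: app=$app files=$(count_files "$app_dir")"
        done
    fi

    # Files here mean recovery to the home folder failed at least once.
    alt_count=0
    if [ -d "$alternate" ]; then
        alt_count=$(count_files "$alternate")
    fi
    if [ "$alt_count" -gt 0 ]; then
        echo "alternate: files=$alt_count ($alternate)"
        status=1
    else
        echo "alternate: empty"
    fi
    return "$status"
}

# Run only when a home directory is supplied on the command line.
if [ "$#" -ge 1 ]; then
    audit_recovery "$1" "${2:-/Alternate Recovered Files}"
fi
```

A non-zero exit status means either the primary folder's permissions differ from what the current user needs, or files have landed in the alternate location.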