Advanced agent settings
The following settings affect only the DLP Agent. These settings should not be modified without the assistance of Symantec Support. If you want to make modifications to this screen, contact Symantec Support before making any changes.
Agent advanced settings provides a list of agent settings, along with the default value and description of each setting.
If you change advanced agent settings and the agents connect to Endpoint Servers in a load-balanced environment, you must apply the same changes to all Endpoint Servers in the load-balanced environment.
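One way to verify that requirement and, at the same time, spot values that relax enforcement relative to the defaults documented in the table on this page. This is an added example, not Symantec code: the server names, the dictionary layout, and the reading of the tamper-protection value as a bitmask (1 = file, 2 = service, 4 = registry) are assumptions, since the page does not describe an export format.

```python
# Added example: audit hand-transcribed advanced agent settings.
# Defaults and value meanings come from the table on this page; the dict
# layout and server names are assumptions (constructed sample data).

TAMPER = "AgentTamperProtection.ENABLE_AGENT_TAMPER_PROTECTION.int"
# The page documents 1 (files), 2 (services), 3 (both), 4 (registry), 7 (all).
# Treating the value as a bitmask is an inference from those values.
TAMPER_BITS = {1: "file", 2: "service", 4: "registry"}

BUS = "FileSystem.IGNORE_STORAGE_BUS_TYPE.str"  # "None" monitors all devices

# setting -> (documented default, values the page says relax enforcement)
RELAXING = {
    "PostProcessor.NOTIFY_WITH_CANCEL_DEFAULT_ACTION": (1, {0}),
    "PostProcessor.ENCRYPT_WITH_CANCEL_DEFAULT_ACTION.int": (1, {2}),
    "PostProcessor.MIP_DEFAULT_ACTION.int": (1, {0}),
    "Hooking.CMD.HOOKING.int": (1, {0}),
    "FileSystem.MONITOR_READ_ONLY_VOLUMES.int": (1, {0}),
}


def missing_tamper_protections(value):
    """Return the protection classes a tamper-protection value leaves off."""
    return [name for bit, name in TAMPER_BITS.items() if not value & bit]


def audit_server(settings):
    """Return findings for one Endpoint Server's agent configuration.

    A setting that is absent from the dict is assumed to be at its default.
    """
    findings = []
    tamper = int(settings.get(TAMPER, 7))
    off = missing_tamper_protections(tamper)
    if off:
        findings.append(f"{TAMPER}={tamper}: no {', '.join(off)} protection")
    for name, (default, relaxed) in RELAXING.items():
        value = int(settings.get(name, default))
        if value in relaxed:
            findings.append(f"{name}={value}: relaxed from default {default}")
    bus = str(settings.get(BUS, "None"))
    if bus != "None":
        # Multiple ignored bus types are separated by semicolons.
        ignored = [b.strip() for b in bus.split(";") if b.strip()]
        findings.append(f"{BUS}: ignoring {', '.join(ignored)}")
    return findings


def drift(servers):
    """Return {setting: {server: value}} for settings that differ.

    A setting missing from one server's dict counts as a difference, so
    transcribe the same set of settings from every server.
    """
    names = set().union(*(cfg.keys() for cfg in servers.values()))
    out = {}
    for name in sorted(names):
        values = {srv: cfg.get(name, "<unset>") for srv, cfg in servers.items()}
        if len({str(v) for v in values.values()}) > 1:
            out[name] = values
    return out


# Constructed sample: two Endpoint Servers behind one load balancer.
SERVERS = {
    "endpoint-a": {
        TAMPER: 7,
        "Hooking.CMD.HOOKING.int": 1,
        BUS: "None",
        "PostProcessor.NOTIFY_WITH_CANCEL_DEFAULT_ACTION": 1,
    },
    "endpoint-b": {
        TAMPER: 3,
        "Hooking.CMD.HOOKING.int": 1,
        BUS: "All",
        "PostProcessor.NOTIFY_WITH_CANCEL_DEFAULT_ACTION": 0,
    },
}

if __name__ == "__main__":
    for server, cfg in SERVERS.items():
        for finding in audit_server(cfg):
            print(f"[{server}] {finding}")
    for name, values in drift(SERVERS).items():
        print(f"[drift] {name}: {values}")
```
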
Name of Setting | Default values | Description |
|---|---|---|
AgentManagement.DISABLE_ENABLE_TASK_TIMEOUT_SECONDS.int | 300 | The amount of time, in seconds, the Disable or Enable agent troubleshooting task waits before it sends the Agent Requires Restart system event. |
AgentTamperProtection.ENABLE_AGENT_TAMPER_PROTECTION.int | 7 | This setting enables tamper protection on the Symantec Data Loss Prevention Endpoint agent. A setting of 0 disables all tamper protection. A setting of 1 prevents the agent and the watchdog files from being deleted or modified. A setting of 2 prevents the agent and the watchdog services from being stopped. A setting of 3 prevents the agent and the watchdog files and services from being deleted, modified or stopped. A setting of 4 prevents the agent and the watchdog services from being deleted from the operating-system registry. A setting of 7 enables file, service, and registry protection. |
AgentThreadPool.IDLE_TIME_IN_SECONDS.int | 60 | The maximum time a thread can be inactive before it is removed from the thread pool. Threads are also known as agent tasks. |
AgentThreadPool.MAX_CAPACITY.int | 20 | The maximum number of threads in the thread pool. The threads can be either active or inactive. |
AgentThreadPool.MIN_CAPACITY.int | 2 | The minimum number of threads that are allowed in the thread pool. The thread pool must always contain this number of threads. The threads can be either active or inactive. |
AggregatorCommunicator.ENABLE_ENDPOINT_DATAFLOW_CACHING.int | 1 | If enabled (1), this setting prevents the agent from downloading data, such as policies and configuration files, that has already been downloaded. Enter 0 to disable this setting. |
ApplicationConnector.KEY_LENGTH.int | 64 | The length of the key, in bytes, that is used to obfuscate communication between the agent and the application hooks. |
ApplicationConnector.MAX_CONNECTIONS.int | 255 | The maximum number of application hooks (per type of hook) that can simultaneously connect to the agent. |
ApplicationConnector.TEMPORARY_DIRECTORY.str | %TMP% | The temporary location where application hooks store obfuscated content. |
AttributeResolver.ATTRIBUTE_REFRESH_INTERVAL_IN_DAY.int | 7 | The number of days the agent waits to refresh Active Directory attribute information. If the agent finds information that is older than the number of days indicated, it contacts the Active Directory server. If the value is set to 0, the agent does not contact the AD server to retrieve attribute information. |
Clipboard.ENABLE_CLIPBOARD_KEYBOARD_AND_MOUSE_VIEWER.int | 1 | Enables keyboard and mouse monitoring for Clipboard paste operations. If you observe unexpected behavior in applications, enter 0 to disable this setting. Disabling this setting may result in false positive incidents when the agent blocks an application from accessing Clipboard data. |
ClipboardViewer.SLEEP_TIME_IN_MS.int | 10 | The time delay, in milliseconds, before the agent fetches contents from the endpoint clipboard. |
CommLayer.MAX_FRAME_SIZE_KILOBYTES.int | 8 | The maximum size of each outbound frame. This is the maximum number of kilobytes per frame read from the applications. Changes to this setting apply to all new connections. Changes do not affect existing connections. |
CommLayer.NO_TRAFFIC_TIMEOUT_SECONDS.int | 300 seconds (5 minutes) | The application level heartbeat interval. To detect idle dead connections the agent uses an application level heartbeat message. Data Loss Prevention closes the connection for which a heartbeat has not been received in the specified timeout interval. The agent does not send heartbeats and relies on the TCP keepalive instead. A 0 value indicates that the heartbeat should be disabled. This value is also used as an application handshake timeout value. Changes to this setting apply to existing and new connections. You can enter a value between 60 and 86400 seconds. |
ComponentLoaderSettings.MAX_COMPONENT_SHUTDOWN_TIME.int | 60000 | The maximum amount of time, in milliseconds, that the agent waits for a component to shut down. |
ComponentLoaderSettings.PROCESS_PRIORITY.str | NORMAL | The priority level at which the DLP Agent runs on the endpoint. You can also enter NORMAL and ABOVE_NORMAL. |
ContentAnalysisSDK.CHROME_MONITORING.int | 0 | The setting that allows the DLP Agent to monitor Google Chrome by integrating with the Google Chrome Content Analysis Connector Agent SDK. Enter 1 to enable this monitoring method. Enter 0 to disable this monitoring method. If you want to stop monitoring Google Chrome by disabling the Chrome (HTTPS) channel in the agent configuration, make sure to also set the value of this setting to 0. This ensures that endpoints do not report an incorrect agent status. |
CrashDump.ENABLE_CRASH_DUMP_COLLECTION.int | 1 | The setting that allows the system to create a dump file when the DLP Agent crashes. Setting this value to 1 enables the crash dump file to be created. Enter 0 to disable the file. |
CrashDump.MAX_DAYS_TO_KEEP_DUMP.int | 2 | The maximum time, in days, that the crash dump file is stored. |
CrashDump.MAX_NUMBER_OF_FILES_IN_DUMP_FOLDER.int | 3 | The maximum number of files to keep in the crash dump folder. |
Detection.CHUNK_OVERLAP.int | 45 | The number of characters each chunk borrows from the end of the previous chunk. |
Detection.CHUNK_SIZE.int | 65536 | The text chunk size in bytes. |
Detection.DAR_KVOOP_PRIORITY.str | BELOW_NORMAL | The priority of the external kvoop process while it extracts text for Endpoint Discover scans. |
Detection.ENABLE_METADATA.str | off | Allows detection on file metadata when a user attempts to transfer or print a file. If the setting is turned on, you can detect metadata for Microsoft Office and PDF files. For Microsoft Office files, OLE metadata is supported, which includes the fields Title, Subject, Author, and Keywords. For PDF files, only Document Information Dictionary metadata is supported, which includes fields such as Author, Title, Subject, Creation, and Update dates. Extensible Metadata Platform (XMP) content is not detected. Enabling this option can cause false positives. |
Detection.FILE_HEADER_KB_TO_READ.int | 1 | The maximum amount of bytes read for custom file type detection. Set this value to 37KB or greater to enable detection on the DLP Agent to determine the ISO file type. |
Detection.FILTER_TIMEOUT.int | 420000 | The time limit, in milliseconds, for filtering text. |
Detection.LOCAL_DRIVE_KVOOP_PRIORITY.str | BELOW_NORMAL | The priority of the external kvoop process while it extracts text for local drive events. |
Detection.MARKUP_AS_TEXT.str | off | Stops the detection on any text that has XML or HTML tags associated with it. |
Detection.MAX_DETECTION_TIME.int | 900000 | The maximum amount of time to complete endpoint detection in milliseconds. |
Detection.MAX_EMDI_LOOKUPS.int | 10000 | Maximum number of EMDI validations that are run per detection request, regardless of how many EMDI validators are configured. After the limit is reached, each EMDI validator stops validating any additional data identifier matches. If there is a document with a large number of DI matches, not all of them appear in the incident when EMDI validation is enabled. DLP-63950 Increasing the limit above the default value of 10000 increases the likelihood of false positives and performance degrades linearly. For example, a setting of 20000 is twice as slow as a setting of 10000. |
Detection.MAX_FILTER_FILE_SIZE.int | 31457280 | Maximum file size for text filtering in bytes. |
Detection.MAX_IDM_FILE_SIZE | 30000000 | The maximum size (in bytes) used to generate the MD5 hash for an exact binary match in an IDM. This setting should not be changed. The following conditions must be matched for IDM to work correctly:
Changing the first or third item in the list requires re-indexing all IDM files. |
Detection.MAX_NUM_MATCHES.int | 300 | Maximum number of matches for a given matcher. |
Detection.MAX_QUEUE_SIZE.int | 10000 | The maximum number of items that simultaneously wait for detection. |
Detection.MIN_EXTRACTED_CHARS_FOR_TEXT_IDM_MATCH | 30 | Minimum size of the normalized content before the cracked content is indexed, otherwise an exact match is performed against the raw (binary) content. Must match the min_normalized_size parameter in the Indexer.properties file. |
Detection.NEWLINE_ELIMINATION.str | on | Sets whether newlines are eliminated before detection. |
Detection.OFFICE_OPEN_XML_ENABLED.str | on | |
Detection.OFFICE_OPEN_XML_EXTRACT_EMFWMF.str | on | |
Detection.OFFICE_OPEN_XML_IMAGE_SIGNATURES.str | on | |
Detection.OFFICE_OPEN_XML_SKIP_FILES_WITH_SIGNATURES.str | on | |
Detection.OFFICE_OPEN_XML_STREAM_CONFIGURATION.str | on | |
Detection.RULESRESULTSCACHE_ENABLED.str | on | Rules results caching (RRC) is a way to cache the results of content on a DLP Agent that does not violate a policy. By default, RRC is set to on. If you do not want to use RRC, set this parameter to off. |
Detection.RULESRESULTSCACHE_FAST_CACHE_SIZE.int | 2048 | The size of the rules results caching first-level database, the Level 1 database. Rules results caching sends new entries of recorded, non-violating files to the Level 1 database. After the Level 1 database is full, entries are flushed to the Level 2 database to maintain the space of the Level 1 database. |
Detection.SHORT_DAR_DETECTION_TIME.int | 2000 | The amount of time, in milliseconds, taken to detect on a file before the file is considered too large. |
Detection.TRACKED.CHANGES.str | off | Allows the detection of content that has changed over time (Track Changes content) in Microsoft Office documents. Using this option might reduce the accuracy rate for IDM and data identifiers. |
Detection.TWO_TIER_IDM_ENABLED.str | See description | Enables two-tier detection for IDM for the DLP Agent. Set to "off" to use IDM on the endpoint. Set to "on" to use two-tier detection. For new installations the default is set to "off" so that by default the DLP Agent uses IDM on the endpoint. For upgrades the default is set to "off" so that there is no change in functionality for existing IDM policies deployed to the endpoint. |
Detection.UNICODE_NORMALIZATION.str | on | Transforms the specific characters to UNICODE before detection. This transformation is necessary for matching policies containing data in many Asian languages. |
DeviceControl.SHOW_NOTIFICATION.int | 1 | This setting displays pop-ups when an endpoint user exceeds device access limits. Enter 0 to disable pop-ups. |
Discover.CRAWLER_THREAD_PRIORITY.str | BELOW_NORMAL | The priority of the Discover threads while drives are scanned. This setting is not used in Symantec Data Loss Prevention. |
Discover.SCAN_ONLY_WHEN_IDLE.int | 2 | Sets whether the agent performs an Endpoint Discover scan while the endpoint user is idle. If set to 1, the agent only performs Endpoint Discover scanning while the endpoint user is idle. If set to 2, the agent only scans small files while the endpoint is active and larger files while the endpoint user is idle. Files taking longer than the Detection.SHORT_DAR_DETECTION_TIME value are considered large. If set to 0, the scan runs regardless of user activity. |
Discover.SECONDS_UNTIL_IDLE.int | 120 | If the agent does not detect any user activity in this amount of time, in seconds, the user is considered to be idle. Very small amounts of time, less than 60 seconds, may not be precisely adhered to. |
Discover.STANDARD_REPORT_INTERVAL.int | 900000 | The interval of time between two Endpoint Discover scan status reports, in milliseconds. To create a transient connection between the agent and Endpoint Server, enter an interval greater than the EndpointCommunications.IDLE_TIMEOUT_IN_SECONDS.int value. |
Email.IGNORE_SMIME.in | 0 | Enables agents to disregard outgoing emails in Microsoft Outlook that have the Encrypt with S/MIME option enabled so that Data Loss Prevention no longer blocks the email from being sent. To monitor outgoing emails that are encrypted with S/MIME, enter 0. To ignore outgoing emails that are encrypted with S/MIME, enter 1. |
EncryptionDriver.FORCE_UNLOAD_TIMEOUT.int | 10 | The time interval in seconds that the DLP Agent waits to shut down the Encryption driver after timeout. |
EncryptionDriver.LISTENER_THREADS_COUNT.int | 1 | This is a performance tuning setting. If many encrypted files are accessed and many files are encrypted, then increasing the listener thread count improves the responsiveness of the file encryption and access. Generally, for single user endpoints, one listener thread provides good performance. Multi-user endpoints may need more listener threads. |
EncryptionDriver.MESSAGE_HANDLER_THREADS_COUNT.int | 10 | This is a performance tuning setting. This setting controls the maximum number of threads that handle responsiveness when files get encrypted or when encrypted files are accessed. |
EndpointCommunications.HEARTBEAT_INTERVAL_IN_SECONDS.int | 270 | Time interval in seconds between heartbeat messages. The Endpoint Server sends heartbeat messages to detect dead connections to individual agents when no other traffic is being sent or received. The Endpoint Server measures the time between when the last data traffic was sent to or received by the agent until the current time. Data traffic is defined as any bytes sent or received by the Endpoint Server, including heartbeat message bytes. When the specified duration is exceeded, the Endpoint Server sends a heartbeat message to the agent. If the value of the setting in the agent configuration changes, the new value is applied immediately to any connections that are open to agents for which the configuration applies, and to any subsequent connections. Application-defined heartbeat messages are treated by network appliances as actual traffic and, unlike TCP keepalives, are never ignored. Heartbeat messages do not count as normal messages for determining whether the connection is idle. Sending or receiving a heartbeat message does not reset the idle timer. Enter a value between 0 and 1000000000. Enter 0 to disable the agent heartbeat. |
EndpointCommunications.IDLE_TIMEOUT_IN_SECONDS.int | 30 | The maximum time to keep an idle connection open. The connection is closed when the specified number of seconds has passed. This timeout only applies during the normal operation phase of a connection. This occurs after the SSL handshake and application handshake phases. Enter a value between 0 and 1000000000. Enter 0 to prevent idle connections from closing. |
EndpointLocation.MATCHES_ALL_INTERFACES_FOR_MANUAL_SETTING.int | 1 | The value, based on the network interface, that defines whether the endpoint is considered on or off the corporate network. This setting applies when the Manually setting on the Endpoint Location is selected. When the value is 1, the Enforce Server considers the agent on the corporate network if the endpoint IP matches all of the IP addresses entered in the IP field on the Endpoint Location screen. When the value is 0, the Enforce Server considers the agent on the corporate network if the endpoint IP matches at least one of the IP addresses entered in the IP field on the Endpoint Location screen. |
ExtensionEnablement.DISPLAY_BROWSER_EXTENSION_NOTIFICATION.int | 1 | The value controls whether the extension enablement reminder dialog for Firefox and Safari browsers displays on the endpoint. When the value is 0, the extension enablement reminder does not display on the endpoint. |
ExtensionEnablement.DISPLAY_SAFARI_EXTENSION_NOTIFICATION.int | 1 | The value controls whether the Enable the Symantec extension for Safari dialog displays on the endpoint. When the value is 0, the Enable the Symantec extension for Safari dialog does not display on the endpoint. |
ExtensionEnablement.INSTALL_BROWSER_EXTENSION.int | 1 | Lets you control whether the extensions for Microsoft Edge and Google Chrome are installed automatically from the Microsoft Edge Addons store and the Chrome Web Store on Windows endpoints. To configure Windows agents to install the extension automatically, enter 1 (default). If you set the value of this setting to 0, the extension gets uninstalled from both browsers. If you want to deploy the extension on Windows endpoints using a Group Policy Object, enter 0. To monitor printing within Microsoft Edge and Google Chrome, ensure that the Symantec DLP extension is deployed using the DLP Agent or a GPO and is enabled in the browser. |
FileService.MAX_CACHE_SIZE.int | 250 | The maximum number of recently opened file paths that have been recorded for each endpoint process. |
FileSystem.APPS_LIST_USES_TRUNCATE_FILE_FOR_BLOCK_RULE | TextEdit | This setting helps to prevent duplicate incidents and minimizes application pop-ups, crashes, and hangs when an endpoint user edits a sensitive file located on a Mac removable storage device using TextEdit and Microsoft PowerPoint. When this setting is enabled, temporary files that contain sensitive information are truncated instead of deleted. This setting removes content from temporary files. If you observe unexpected behavior in applications, you can also ignore the application from being monitored. Ignoring macOS applications |
FileSystem.DRIVER_FILE_OPEN_REQUEST_TIMEOUT.int | 10 | Lets you configure the timeout value, in seconds, for a file open request that is sent from a driver to the agent. This setting is helpful in case the file system connector is slow in responding to the driver. If the connection is slow, the system performs badly. Each file open request is postponed by the driver waiting for the agent to respond. You cannot leave this setting blank and a value of 0 is not allowed. |
FileSystem.ENABLE_FILE_RESTORATION.int | 1 | This setting provides the ability to turn on or turn off file restoration. File restoration is the ability to restore the original file in case it is overwritten with a newer file containing confidential data. File restoration is enabled by default. Enter 0 to disable this setting. |
FileSystem.ENABLE_VEP_FILE_ELIMINATION.int | 3 | This setting provides the ability to select for which detection channel a .vep is created. This process also runs detection on the original file and resolves any sharing violations for EDPA.exe and KVOOP.exe, when needed. You can make changes to this setting if your environment does not contain any of the following:
You can use the following values:
|
FileSystem.IGNORE_STORAGE_BUS_TYPE.str | None | This setting controls which storage devices Symantec Data Loss Prevention ignores. You typically adjust this setting when you want to allow the copying of sensitive information to company-provided external devices like USB drives and SD cards. Enter All to ignore removable devices attached to Windows endpoints. USB and FireWire devices are monitored. Enter None to monitor all storage devices, whether attached to Windows or Mac endpoints. You can set Symantec Data Loss Prevention to ignore storage devices attached to Mac endpoints by entering the BUS type of the device you want to ignore. You can generate the BUS type for a device using the DeviceID tool.
You can enter the following Mac removable device BUS types:
If you enter more than one storage device to ignore, use a semi-colon (;) to separate each setting. |
FileSystem.MAX_BACKLOG | 20 | The maximum number of snapshot files that are created when removable storage is monitored. |
FileSystem.MONITOR_APPLICATION_CHILD_PROCESS_FILE_ACCESS.INT | 1 | This setting allows the user to enable or disable the Application File Access feature that monitors child processes. Enter 1 to enable or enter 0 to disable. |
FileSystem.MONITOR_READ_ONLY_VOLUMES.int | 1 | Controls whether DLP monitoring is done in the case of an Explorer copy if the destination volume is a read-only volume. Enter 1 to continue monitoring read-only volumes in an Explorer copy operation. Enter 0 to stop monitoring of read-only volumes in an Explorer copy operation. |
FileSystem.NUM_OF_LISTENER_THREADS | 1 | The number of listener threads that listen to file system driver requests. You can enter any positive integer value. |
FileSystem.NUM_TIMES_TO_OVERWRITE_FILE.int | 2 | This setting indicates how many times a file is overwritten with a secure pattern before it is deleted during prevention. A value of 0 indicates that the file cannot be overwritten. |
FileSystem.THREAD_POOL_MAX_CAPACITY | 20 | The maximum number of threads that the filesystem threadpool can use to serve file system requests. |
FileSystem.USE_CDDVD_DEFAULT_EXCLUDE_PATHS.int | 1 | This setting allows user to exclude any file that is opened by a CD/DVD application from the following directories:
It is enabled by default. |
FlexResponse.MAX_INCIDENT_FILE_SIZE.int | 31457280 | Reserved for future use. |
FlexResponse.PLUGIN_HOST_LOG_MAXFILE_SIZE.long | 5120000 | The maximum size of a plug-in log file. The default number is in bytes. |
FlexResponse.PLUGIN_HOST_LOG_MAX_NUMBER_OF_FILES.long | 1 | The maximum number of plug-in log files that can be kept. |
FlexResponse.PLUGIN_HOST_MESSAGE_TIMEOUT.long | 180000 | The amount of time that the plug-in host can process messages. The default time is in milliseconds. |
FlexResponse.PLUGIN_HOST_STARTUP_TIMEOUT.long | 30000 | The amount of time that the plug-in host can take to start up. The default time is in milliseconds. If the plug-in host does not start in the specified amount of time, the plug-in host sends a fail event to the log. |
FlexResponse.PLUGIN_QUEUE_LIMIT | 100 | The number of FlexResponse plugin invocation requests placed in queue. |
GroupResolution.DAYS_DATA_STALING.int | 7 | The amount of time, in days, that the agent retains Active Directory (AD) user group information. Information that is older than this limit causes the agent to contact the AD server. |
Hooking.APPLICATION_LOAD_TIMEOUT.int | 300000 | Specifies the time, in milliseconds, that the agent tries to hook into an application if that application takes a long time to load. |
Hooking.CLOUD_STORAGE_HOOKING.int | 0 | Enter 1 to allow the DLP Agent to block files being moved to cloud storage applications. This setting applies to Microsoft Office 2010 and 2013 applications that save data to the Box cloud storage application. This setting only applies to 14.0.x agents. |
Hooking.CMD.HOOKING.int | 1 | Enables and disables FOM hooking into the command processor. When set to 1, the FOM dll will be hooked into the command processor and monitors copy and move operations from the command prompt. If the value is 0, then there is no hooking and the command prompt is not monitored. |
Hooking.EXPLORER_APPLICATION_HOOKING.int | 1 | Allows the DLP Agent to monitor when a user performs a right-click print through Windows Explorer. To turn off right-click print monitoring, change this setting to 0. |
Hooking.EXPLORER_HOOKING.int | 7 | Allows the DLP Agent to monitor Microsoft Windows Explorer traffic. |
Hooking.SIP_Agent_OSX_VERSION_ COMPATABILITY.str | For a new installation:
For upgraded systems, previous entries are appended to the default settings. | Allows the DLP Agent to monitor applications that are protected by System Integrity Protection (SIP). For the latest supported macOS versions and information on adding monitoring for updated macOS, see Symantec Data Loss Prevention System Requirements and Compatibility Guide Related Documents at the Tech Docs Portal |
Hooking.USE_LOADLIBRARYW_FROM_IMAGE.int | 0 | The method to find the LoadLibraryW function address. You can specify a value of either 0 or 1. 0 uses the GetProcAddress API to find the library. 1 reads the exports table of kernel32.dll to find the library. |
IncidentHandler.CACHE_SIZE_THRESHOLD.int | 30 | The percentage of used endpoint database cache space that triggers Endpoint Discover to pause. |
IncidentHandler.MAX_BACKOFF.int | 3600000 | Maximum time, in milliseconds, to wait before it retries to send an incident to the server if the first attempt fails. |
IncidentHandler.MAX_INCIDENT_FILE_SIZE | 31457280 | Size, in bytes, of the largest file to be sent from the agent as part of an incident. |
IncidentHandler.MAX_TTD_FILE_SIZE | 31457280 | Size, in bytes, of the largest file to be sent from agent for two-tier detection. |
IncidentHandler.MIN_BACKOFF.int | 30000 | Minimum time, in milliseconds, to wait before the agent re-sends an incident to the Endpoint Server after the first attempt fails. |
IncidentHandler.PERSISTER_MAX_DAR_ENTRIES.int | 5 | The maximum number of persisted Endpoint Discover incidents that are kept in queue. |
IncidentHandler.PERSISTER_MAX_ENTRIES.int | 25 | The maximum limit of incidents in the Agent Store before the agent starts evicting incidents. |
IncidentHandler.SENDER_CHUNK_SIZE.int | 65536 | Size, in bytes, of chunks to read from the database as it sends files. |
LocalizationManager.LOCALE_RECEIVING_DELAY_ON_NEWUSER_LOGON_IN_SECONDS.int | 2 | The number of seconds the agent waits before fetching the user locale. You can enter between 1 and 20 seconds. |
Logging.OperationLogFileSize.long | 5120000 | The size of the operational log file. This setting specifies how large, in bytes, each operational log can be. Logs that exceed this setting are not retained. |
Logging.OperationLogMaxFiles.int | 30 | The maximum number of operation logs, per scan, that are retained at any one time. If this number is exceeded, operational log files are purged from the folder until the limit is reached. Log files are purged according to the date that they were created. The oldest log files are purged first. This setting is not applicable to the entire directory. |
Logging.OperationLogTTL.int | 90 | The number of days that operational logs are kept in the directory. If the operational log is not accessed or modified in the specified number of days, the file is deleted. |
MIP.HTTP_OPERATION_TIMEOUT.int | 60 | The maximum time (in seconds) allowed for an MIP HTTP operation to complete. If the operation times out, the operation is cancelled. |
MIP.MIP_AUTHENTICATION.int | 0 | Lets you configure when users are prompted to authenticate to the MIP service using their Azure AD credentials. To prompt users for authentication only when needed, enter 0. To prompt users when they log on to the endpoint, or when the agent service starts, or when there is a change in the MIP configuration on the Enforce Server, enter 1. |
MonitorSystemUsers.CLIPBOARD.int | 0 | Enables system user monitoring for Clipboard feature. Set to inactive by default. Set to 1 to enable. |
MonitorSystemUsers.LOCAL_DRIVE.int | 0 | Enables system user monitoring for the local drive feature. Set to inactive by default. Set to 1 to enable. This setting is not used in Symantec Data Loss Prevention. |
MonitorSystemUsers.NETWORK.int | 0 | Enables system user monitoring for network protocols in the driver (HTTP, FTP). Set to inactive by default. Set to 1 to enable. |
MonitorSystemUsers.PRINT_FAX.int | 0 | Enables system user monitoring for print/fax feature. By default, this feature is set to inactive. Set to 1 to enable. |
NetworkMonitor.APPLY_PREFILTERS_TO_FPR.int | 0 | Enables ignoring of File Path Resolution (FPR) for data transfers over HTTP and FTP. The DLP Agent uses FPR to define the path to files a user uploads from the endpoint—whether from an application or from the endpoint filesystem—through a browser, and when the browser opens a file in the background. The detection engine uses the full path when scanning each file for sensitive data. Set to 1 if the browser performance is degraded. This setting prevents the agent from defining a full path for each file that is moved through a browser. Also, the agent does not monitor temporary file locations that the browser uses and predefined file paths. To ensure that browser performance is optimized, add a monitoring filter that ignores temporary files that browsers commonly use. Use the following settings for the ignore filter:
|
NetworkMonitor.DISABLE_SPDY_PROTOCOL | 1 | The default setting (1) enables SPDY and HTTP2 protocol monitoring for Internet Explorer and Firefox running on endpoints. Set to 0 to disable. Disabling this setting allows endpoint users to enable the SPDY and HTTP2 protocols. When endpoint users enable SPDY, monitoring for data loss can be affected. |
NetworkMonitor.ENABLE_HTTP_GET_MONITORING.int | 0 | Enables HTTP/HTTPS GET request monitoring. By default, this setting is disabled. Set to 1 to enable. |
NetworkMonitor.HTTP_DETECTION_TIMEOUT.int | 120 | The length of time, in seconds, that the agent waits during a scan of HTTP and HTTPS data. |
NetworkMonitor.IM_DETECTION_SESSION_TIMEOUT.int | 120 | The duration, in seconds, of the detection session window for all instant messaging clients. |
NetworkMonitor.MIN_BYTE_COUNT_TO_IDENTIFY_PROTOCOL.int | 200 | The number of bytes in a packet that the agent ignores in a given network session before detection begins. |
NetworkMonitor.THREAD_POOL_MAX_CAPACITY | 20 | The number of listener threads running that listen for network driver requests. |
NetworkMonitor.NUM_OF_LISTENER_THREADS.int | 1 | The maximum number of threads that can be used by the network thread pool to serve network detection requests. |
NetworkMonitor.URL_TIMEOUT.int | 3000 | The amount of time, in milliseconds, to get the URL. |
Outlook.MONITOR_TECHNIQUE | 1 | Lets you specify whether the DLP Agent monitors Outlook on macOS endpoints using application hooks or using the on-send web add-in for Outlook. The default setting 1 enables monitoring for Outlook using the add-in. To enable monitoring using application hooks instead, set the value to 0. |
PluginInstaller.TAMPERPROOFING_IGNORE_PROCESS_TIMEOUT.int | 15000 | Lets you specify a time, in milliseconds, to ignore any short-lived processes that do not load plug-ins. If the process ends before this time limit is reached, the plug-in installer does not start. |
PostProcessor.MIP_DEFAULT_ACTION.int | 1 | Lets you control whether user actions are blocked or allowed when users attempt to copy or transfer files that are encrypted by Microsoft Information Protection. The default setting 1 blocks the user action. Enter 0 to allow the user action. |
PostProcessor.MIP_APPLY_LABEL_MAX_RETRY_COUNT.int | 5 | The number of attempts that the DLP Agent makes to apply labels to sensitive documents when the Endpoint: MIP Classification response action is triggered. |
PostProcessor.ENABLE_FLEXRESPONSE.int | 0 | Lets you enable or disable Endpoint FlexResponse capability. By default, Endpoint FlexResponse is turned off. Change the setting to 1 to enable Endpoint FlexResponse. |
PostProcessor.ENCRYPT_WITH_CANCEL_DEFAULT_ACTION.int | 1 | The default setting 1 blocks the file move if the endpoint user does not select an action in the Encrypt pop-up within the specified period of time. Enter 2 to allow the action. |
PostProcessor.FILE_SYSTEM_USER_RESPONSE_TIMEOUT.int | 60 | The amount of time, in seconds, that endpoint users have to select a response action to the User Cancel pop-up notification. This setting only applies to events that are generated by attempting to transfer files that violate a policy. |
PostProcessor.NETWORK_USER_RESPONSE_TIMEOUT.int | 60 | The amount of time, in seconds, that endpoint users have to select a response action to the User Cancel pop-up notification. This setting applies to HTTP and FTP events only. |
PostProcessor.NOTIFY_ON_FIXED_DRIVE.int | 0 | Enables the response notifications for fixed-drive incidents. The default is set to disable notifications. Set to 1 to enable. |
PostProcessor.NOTIFY_WITH_CANCEL_DEFAULT_ACTION | 1 | The default action to take if an endpoint user does not select the action from the User Cancel pop-up notification within the specified time. Enter 1 to block the action or enter 0 to allow the action. |
PostProcessor.OTHER_USER_RESPONSE_TIMEOUT | 60 | The amount of time, in seconds, that endpoint users have to select a response action to the User Cancel pop-up notification. This setting only applies to Clipboard, Print, Email, and HTTPS events. |
print.FILE_BASED_SCAN_ONLY_PROCESS | Adobe Reader | On macOS endpoints, force the DLP Agent to monitor the entire file that is printed from the specified applications instead of scanning individual pages of the document. This setting accepts the process names of applications as input. Use commas to separate multiple values. |
Quarantine.MAX_QUEUE_SIZE.int | 100 | The maximum number of quarantine requests that can be in the queue at any one time. Requests that exceed this number are dropped and are not quarantined. |
ResponseCache.AFAC_TIMEOUT | 10000 | The amount of time, in milliseconds, that an application file access incident is cached. Duplicate incidents that occur during this time period are not generated and do not trigger response rule messages. |
ResponseCache.CD_TIMEOUT.int | 2000 | The amount of time, in milliseconds, that a CD/DVD incident is cached. Duplicate incidents within this time period are not generated and do not cause Prevent pop-up notifications. |
ResponseCache.FTP_TIMEOUT.int | 60000 | The amount of time, in milliseconds, that an FTP incident is cached. Duplicate incidents within this time period are not generated and do not cause Prevent pop-up notifications. |
ResponseCache.HTTP_TIMEOUT.int | 60000 | The amount of time, in milliseconds, that an HTTP/HTTPS incident is cached. Duplicate incidents within this time period are not generated and do not cause Prevent pop-up notifications. Adjust this setting if multiple incidents and Block pop-ups occur, which happens when a Block response rule is implemented, any of the HTTPS channels are enabled, and users upload folders that contain sensitive data from a web browser to web applications. Set this value to 120000 milliseconds or greater to prevent multiple incidents and Block pop-ups. |
ResponseCache.MAX_SIZE.int | 100 | The maximum number of incidents that are cached at any time. |
ServerCommunicator.CONNECT_BACKOFF_DURATION_MULTIPLIER.int | 2 | The factor by which the last backoff period is multiplied. |
ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS.int | 900 | The amount of time, in seconds, that the agent waits before it initiates connections. The minimum value you enter depends on the minimum time difference between when the Enforce Server and Endpoint Server communicate. The minimum value you can enter to maintain a persistent connection is 10. You can enter a value between 60 and 86400 seconds to maintain a non-persistent connection. |
ServerCommunicator.INITIAL_CONNECT_BACKOFF_DURATION_SECONDS.int | 30 | The duration of time, in seconds, that the agent should back off after the first back off error. Enter a value less than the ServerCommunicator.MAX_CONNECT_BACKOFF_DURATION_SECONDS.int value. |
ServerCommunicator.MAX_CONNECT_BACKOFF_DURATION_SECONDS.int | 1800 | The maximum duration of time, in seconds, that an agent should spend in back off before it fails over to the next server. You can enter a value between 60 and 86400 seconds. |
ServerRedundancy.FAILOVER_INTERVAL.long | 3600 | Interval of time, in seconds, an agent spends trying to connect to an Endpoint Server before it tries to fail over to a new Endpoint Server. |
ServerRedundancy.MAX_TIME_BETWEEN_CONNECTION_ATTEMPTS.long | 600 | The maximum amount of time, in seconds, the agent waits between connection retries to the same Endpoint Server. |
Transport.ALLOW_EXPIRED_CERTIFICATES.int | 1 | Controls whether or not expired certificates are accepted. This setting applies to all new agent connections. |
Transport.AUTO_FLUSH_LIMIT_KILOBYTES.int | 16 | The maximum amount of outbound data, in kilobytes, to enqueue for a connection before auto-flushing. Enter a value less than the Transport.MAX_OUTBOUND_KILOBYTES_TO_BUFFER.int value. |
Transport.DNS_HOST_CACHE_TIMEOUT_SECONDS.int | 86,400 | The timeout, in seconds, for the DNS host cache. Resolved names are kept in memory for this number of seconds. Set to zero to completely disable caching, or set to -1 to save all cached entries. This setting applies to all new agent connections. You can enter a value between -1 and 604800 seconds. |
Transport.MAX_CONNECT_WAIT_SECONDS.int | 30 | The time, in seconds, to wait for the connect call to succeed. This setting applies to all new agent connections. You can enter a value between 1 and 300 seconds. |
Transport.MAX_INBOUND_KILOBYTES_TO_BUFFER.int | 100 | The maximum amount of inbound data, in kilobytes, to enqueue for a connection. You can enter a value between 16 and 2048. |
Transport.MAX_OUTBOUND_KILOBYTES_TO_BUFFER.int | 100 | The maximum amount of outbound data, in kilobytes, to queue for a connection. You can enter a value between 16 and 2048. Enter a value greater than the CommLayer.MAX_FRAME_SIZE_KILOBYTES.int value. |
Transport.MAX_SSL_SESSION_LIFETIME_SECONDS.int | 86,400 | The time duration, in seconds, for which the agent re-uses an SSL session ID. When the duration equal to the configured value elapses, the SSL session ID is discarded by the agent and a new SSL session is established on the subsequent connection with the Endpoint Server. This setting applies to new agent connections. Enter 0 to disable SSL re-use. |
Transport.VERIFY_SERVER_HOSTNAME.int | 0 | Controls whether the Endpoint Server certificate (server distinguished/common name) is checked on the client during the SSL handshake process. This setting applies to new connections. Enter 1 to enable the setting. |
UI.BUTTON_ENCRYPT_ALLOW.str | Blank | Controls the text on the Encrypt button for the Encrypt response rule pop-up notification. Change this setting if you use a locale that is not supported. The default language is English. |
UI.BUTTON_OK.str | OK | Controls the text on the OK button on the user-facing notification message. Change this setting if you use a locale that is not supported. The default language is English. |
UI.BUTTON_OKTOALL.str | OK To All | Controls the text on the OK To All button on the user-facing notification message. Change this setting if you use a locale that is not supported. The default language is English. |
UI.CONSECUTIVE_TRANSACTION_TIME.str | 10 | Maximum time, in seconds, between two file operations to be considered as a single transaction. |
UI.ENCRYPT_CANCEL_MSG_TITLE.str | Blank | Enter text to customize the Encrypt response rule message title. |
UI.ENCRYPT_CANCEL_TITLEBAR.str | Blank | Enter text to customize the Encrypt response rule dialog title. |
UI.MONITOR_MSG_TITLE.str | | The message title for a notification pop-up message. |
UI.MONITOR_TITLEBAR.str | Warning | Controls the static title message in the title bar for the Endpoint Notify notification pop-up message. Change this setting if you use a locale that is not supported. The default setting is Warning. |
UI.NOTIFY_CANCEL_MSG_TITLE | Blank | Enter text here to customize the User Cancel response rule message title. |
UI.NOTIFY_CANCEL_TITLEBAR | Blank | Enter text here to customize the User Cancel response rule dialog title. |
UI.NO_SCAN.int | 0 | If set to any number other than zero, the scan dialog is not displayed. |
UI.NWC_EVENT_LIMIT_FS.int | 5 | The maximum number of events that can be queued before a default action for further incidents is accepted. This setting applies to File System events only. |
UI.NWC_EVENT_LIMIT_NW.int | 2 | The maximum number of events that can be queued before a default action for further incidents is accepted. This setting applies to Network events only. |
UI.POPUP_QUEUE_LIMIT.int | 100 | The limit of pop-up notifications that a user sees in a single session. These pop-up notifications require a user justification for the validation. If the limit is exceeded, any pop-up notifications past the limit automatically contain a Not Applicable (N/A) justification. |
UI.PREVENT_MSG_TITLE.str | | Message title for a block pop-up message. |
UI.PREVENT_TIMEOUT.int | 300 | Timeout value, in seconds, before the incident is generated. If this limit is exceeded, the incident is created regardless of what the user chooses from the pop-up window. |
UI.PREVENT_TITLEBAR.str | Blocked | Controls the static title message in the title bar for the Endpoint block notification pop-up dialog box. |
UI.PREVENT_WINPOSITION.int | 0 | Start position of the Prevent dialog window. |
UI.QUARANTINE_PROMPT.str | The file is quarantined at: | Controls the text that specifies where the quarantined data is located. |
UI.SCAN_BAR.str | (blank) | This setting lets you change the text in the body of the scan window. This text is static and appears regardless of the locale of the endpoint. |
UI.SCAN_DELAY.int | 0 | The amount of time, in seconds, that elapses before the scan dialog window is displayed. |
UI.SCAN_EMAIL.int | 0 | This setting activates the toggle for email scanning. If this setting is set to 0, users cannot select email monitoring. |
UI.SCAN_FTP.int | 0 | This setting activates the toggle for FTP scanning. If this setting is set to 0, users cannot select FTP monitoring. |
UI.SCAN_HTTP.int | 0 | This setting activates the toggle for HTTP monitoring. If this setting is set to 0, users cannot select HTTP monitoring. |
UI.SCAN_PRINTFAX.int | 0 | This setting activates the toggle for Print/Fax scanning. If this setting is set to 0, users cannot select Print/Fax monitoring. |
UI.SCAN_REMOVABLEMEDIA.int | 1 | This setting activates the toggle for removable media scanning. If this setting is set to 0, users do not have the option of selecting removable media monitoring. |
UI.SCAN_SHOWTIME.int | 2 | Minimum time, in seconds, for the scan dialog to remain on the screen. |
UI.SCAN_TITLE.str | (blank) | This setting lets you enter the title of the scan window that appears for the user. This title is a static message that appears regardless of the locale of the endpoint. |
UI.USERINPUT_PROMPT.str | Others: | Controls the prompt that appears in the block and notify pop-up messages at the user input field. Change this prompt if you use a locale that is not supported. The default setting is in English. |
UninstallPassword.RETRY_LIMIT.int | 3 | Defines the number of times a user can attempt to uninstall the DLP Agent without entering the correct uninstall password. |
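
One way to check an exported set of these values against the ranges, ordering rules and permissive values that the table documents, as an added example that is not Symantec code. The `{name: value}` snapshot format, the `audit` helper and the sample values are assumptions, setting names are written as single tokens, and reading `Transport.ALLOW_EXPIRED_CERTIFICATES.int = 1` as "accepted" is an assumption the table does not confirm.

```python
RANGES = [  # (setting, low, high) as stated in the table
    ("Transport.DNS_HOST_CACHE_TIMEOUT_SECONDS.int", -1, 604800),
    ("Transport.MAX_CONNECT_WAIT_SECONDS.int", 1, 300),
    ("Transport.MAX_OUTBOUND_KILOBYTES_TO_BUFFER.int", 16, 2048),
]
ORDERED = [  # (smaller, larger): the table requires smaller < larger
    ("ServerCommunicator.INITIAL_CONNECT_BACKOFF_DURATION_SECONDS.int",
     "ServerCommunicator.MAX_CONNECT_BACKOFF_DURATION_SECONDS.int"),
    ("Transport.AUTO_FLUSH_LIMIT_KILOBYTES.int",
     "Transport.MAX_OUTBOUND_KILOBYTES_TO_BUFFER.int"),
]
PERMISSIVE = {  # setting: (value that allows on timeout or skips a check, why)
    "PostProcessor.MIP_DEFAULT_ACTION.int": (0, "MIP-encrypted file actions allowed"),
    "PostProcessor.ENCRYPT_WITH_CANCEL_DEFAULT_ACTION.int": (2, "Encrypt pop-up timeout allows the move"),
    "PostProcessor.NOTIFY_WITH_CANCEL_DEFAULT_ACTION": (0, "User Cancel timeout allows the action"),
    "Transport.VERIFY_SERVER_HOSTNAME.int": (0, "Endpoint Server certificate name not checked"),
    # Assumption: 1 means "accepted"; the table does not say which value does.
    "Transport.ALLOW_EXPIRED_CERTIFICATES.int": (1, "expired certificates accepted (assumed)"),
}

def audit(settings):
    """Return sorted (severity, setting, message) findings for {name: value}."""
    vals, findings = {}, []
    for name, raw in settings.items():
        try:
            vals[name] = int(str(raw).replace(",", ""))  # the table prints 86,400
        except ValueError:
            continue  # free-text .str settings are not audited
    for name, lo, hi in RANGES:
        if name in vals and not lo <= vals[name] <= hi:
            findings.append(("ERROR", name, f"{vals[name]} outside {lo}..{hi}"))
    for small, large in ORDERED:
        if small in vals and large in vals and vals[small] >= vals[large]:
            findings.append(("ERROR", small, f"must be less than {large}"))
    for name, (bad, why) in PERMISSIVE.items():
        if vals.get(name) == bad:
            findings.append(("WARN", name, why))
    return sorted(findings)

SAMPLE = {  # constructed snapshot: table defaults plus two deliberate changes
    "Transport.VERIFY_SERVER_HOSTNAME.int": "0",
    "Transport.ALLOW_EXPIRED_CERTIFICATES.int": "1",
    "Transport.DNS_HOST_CACHE_TIMEOUT_SECONDS.int": "86,400",
    "Transport.MAX_OUTBOUND_KILOBYTES_TO_BUFFER.int": "100",
    "Transport.AUTO_FLUSH_LIMIT_KILOBYTES.int": "128",       # changed: exceeds the buffer
    "PostProcessor.NOTIFY_WITH_CANCEL_DEFAULT_ACTION": "0",  # changed: timeout now allows
}

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

With the table's defaults alone, the two `Transport` warnings are reported before any setting has been changed.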