Advanced agent settings

The following settings affect only the DLP Agent. These settings should not be modified without the assistance of Symantec Support. If you want to make modifications to this screen, contact Symantec Support before making any changes.
Agent advanced settings provides a list of agent settings, along with the default value and description of each setting.
If you change advanced agent settings and the agents connect to Endpoint Servers in a load-balanced environment, you must apply the same changes to all Endpoint Servers in the load-balanced environment.
Agent advanced settings
Name of Setting
Default values
Description
AgentManagement.DISABLE_ENABLE_TASK_TIMEOUT_SECONDS.int
300
The amount of time, in seconds, the Disable or Enable agent troubleshooting task waits before it sends the Agent Requires Restart system event.
AgentTamperProtection.ENABLE_AGENT_TAMPER_PROTECTION.int
7
This setting enables tamper protection on the Symantec Data Loss Prevention Endpoint agent.
A setting of 0 disables all tamper protection.
A setting of 1 prevents the agent and the watchdog files from being deleted or modified.
A setting of 2 prevents the agent and the watchdog services from being stopped.
A setting of 3 prevents the agent and the watchdog files and services from being deleted, modified or stopped.
A setting of 4 prevents the agent and the watchdog services from being deleted from the operating-system registry.
A setting of 7 enables file, service, and registry protection.
AgentThreadPool.IDLE_TIME_IN_SECONDS.int
60
The maximum time a thread can be inactive before it is removed from the thread pool. Threads are also known as agent tasks.
AgentThreadPool.MAX_CAPACITY.int
20
The maximum number of threads in the thread pool. The threads can be either active or inactive.
AgentThreadPool.MIN_CAPACITY.int
2
The minimum number of threads that are allowed in the thread pool. The thread pool must always contain this number of threads. The threads can be either active or inactive.
AggregatorCommunicator.ENABLE_ENDPOINT_DATAFLOW_CACHING.int
1
If enabled (1), this setting prevents the agent from downloading data, such as policies and configuration files, that has already been downloaded. Enter 0 to disable this setting.
ApplicationConnector.KEY_LENGTH.int
64
The length of the key, in bytes, that is used to obfuscate communication between the agent and the application hooks.
ApplicationConnector.MAX_CONNECTIONS.int
255
The maximum number of application hooks (per type of hook) that can simultaneously connect to the agent.
ApplicationConnector.TEMPORARY_DIRECTORY.str
%TMP%
The temporary location where application hooks store obfuscated content.
AttributeResolver.ATTRIBUTE_REFRESH_INTERVAL_IN_DAY.int
7
The number of days the agent waits to refresh Active Directory attribute information. If the agent finds information that is older than the number of days indicated, it contacts the Active Directory server. If the value is set to 0, the agent does not contact the AD server to retrieve attribute information.
Clipboard.ENABLE_CLIPBOARD_KEYBOARD_AND_MOUSE_VIEWER.int
1
Enables keyboard and mouse monitoring for Clipboard paste operations.
If you observe unexpected behavior in applications, enter 0 to disable this setting.
Disabling this setting may result in false positive incidents when the agent blocks an application from accessing Clipboard data.
ClipboardViewer.SLEEP_TIME_IN_MS.int
10
The time delay, in milliseconds, before the agent fetches contents from the endpoint clipboard.
CommLayer.MAX_FRAME_SIZE_KILOBYTES.int
8
The maximum size of each outbound frame. This is the maximum number of kilobytes per frame read from the applications.
Changes to this setting apply to all new connections. Changes do not affect existing connections.
CommLayer.NO_TRAFFIC_TIMEOUT_SECONDS.int
300 seconds (5 minutes)
The application-level heartbeat interval. To detect idle dead connections the agent uses an application-level heartbeat message. Data Loss Prevention closes the connection for which a heartbeat has not been received in the specified timeout interval. The agent does not send heartbeats and relies on the TCP keepalive instead. A 0 value indicates that the heartbeat should be disabled. This value is also used as an application handshake timeout value.
Changes to this setting apply to existing and new connections.
You can enter a value between 60 and 86400 seconds.
ComponentLoaderSettings.MAX_COMPONENT_SHUTDOWN_TIME.int
60000
The maximum amount of time, in milliseconds, that the agent waits for a component to shut down.
ComponentLoaderSettings.PROCESS_PRIORITY.str
NORMAL
The priority level at which the DLP Agent runs on the endpoint. You can also enter NORMAL and ABOVE_NORMAL.
ContentAnalysisSDK.CHROME_MONITORING.int
0
The setting that allows the DLP Agent to monitor Google Chrome by integrating with the Google Chrome Content Analysis Connector Agent SDK.
Enter 1 to enable this monitoring method.
Enter 0 to disable this monitoring method.
If you want to stop monitoring Google Chrome by disabling the Chrome (HTTPS) channel in the agent configuration, make sure to also set the value of this setting to 0. This will ensure that endpoints do not report an incorrect agent status.
CrashDump.ENABLE_CRASH_DUMP_COLLECTION.int
1
The setting that allows the system to create a dump file when the DLP Agent crashes. Setting this value to 1 enables the crash dump file to be created. Enter 0 to disable crash dump file creation.
CrashDump.MAX_DAYS_TO_KEEP_DUMP.int
2
The maximum time, in days, that the crash dump file is stored.
CrashDump.MAX_NUMBER_OF_FILES_IN_DUMP_FOLDER.int
3
The maximum number of files to keep in the crash dump folder.
Detection.CHUNK_OVERLAP.int
45
The number of characters each chunk borrows from the end of the previous chunk.
Detection.CHUNK_SIZE.int
65536
The text chunk size in bytes.
Detection.DAR_KVOOP_PRIORITY.str
BELOW_NORMAL
The priority of the external kvoop process while it extracts text for Endpoint Discover scans.
Detection.ENABLE_METADATA.str
off
Allows detection on file metadata when a user attempts to transfer or print a file. If the setting is turned on, you can detect metadata for Microsoft Office and PDF files. For Microsoft Office files, OLE metadata is supported, which includes the fields Title, Subject, Author, and Keywords. For PDF files, only Document Information Dictionary metadata is supported, which includes fields such as Author, Title, Subject, Creation, and Update dates. Extensible Metadata Platform (XMP) content is not detected. Enabling this option can cause false positives.
Detection.FILE_HEADER_KB_TO_READ.int
1
The maximum amount of bytes read for custom file type detection.
Set this value to 37KB or greater to enable detection on the DLP Agent to determine the ISO file type.
Detection.FILTER_TIMEOUT.int
420000
The time limit, in milliseconds, for filtering text.
Detection.LOCAL_DRIVE_KVOOP_PRIORITY.str
BELOW_NORMAL
The priority of the external kvoop process while it extracts text for local drive events.
Detection.MARKUP_AS_TEXT.str
off
Stops the detection on any text that has XML or HTML tags associated with it.
Detection.MAX_DETECTION_TIME.int
900000
The maximum amount of time to complete endpoint detection in milliseconds.
Detection.MAX_EMDI_LOOKUPS.int
10000
Maximum number of EMDI validations that are run per detection request, regardless of how many EMDI validators are configured.
After the limit is reached, each EMDI validator stops validating any additional data identifier matches. If there is a document with a large number of DI matches, not all of them appear in the incident when EMDI validation is enabled. 
Increasing the limit above the default value of 10000 increases the likelihood of false positives and performance degrades linearly. For example, a setting of 20000 is twice as slow as a setting of 10000.
Detection.MAX_FILTER_FILE_SIZE.int
31457280
Maximum file size for text filtering in bytes.
Detection.MAX_IDM_FILE_SIZE
30000000
The maximum size (in bytes) used to generate the MD5 hash for an exact binary match in an IDM. This setting should not be changed. The following conditions must be met for IDM to work correctly:
  • This setting must be identical to the max_bin_match_size setting on the Enforce Server in the indexer.properties file.
  • This setting must be smaller than or equal to the FileReader.FileMaxSize value.
  • This setting must be smaller than or equal to the ContentExtraction.MaxContentSize value on the Enforce Server in the indexer.properties file.
Changing the first or third item in the list requires re-indexing all IDM files.
Detection.MAX_NUM_MATCHES.int
300
Maximum number of matches for a given matcher.
Detection.MAX_QUEUE_SIZE.int
10000
The maximum number of items that simultaneously wait for detection.
Detection.MIN_EXTRACTED_CHARS_FOR_TEXT_IDM_MATCH
30
Minimum size of the normalized content before the cracked content is indexed, otherwise an exact match is performed against the raw (binary) content. Must match the min_normalized_size parameter in the Indexer.properties file.
Detection.NEWLINE_ELIMINATION.str
on
Sets whether newlines are eliminated before detection.
Detection.OFFICE_OPEN_XML_ENABLED.str
on
Detection.OFFICE_OPEN_XML_EXTRACT_EMFWMF.str
on
Detection.OFFICE_OPEN_XML_IMAGE_SIGNATURES.str
on
Detection.OFFICE_OPEN_XML_SKIP_FILES_WITH_SIGNATURES.str
on
Detection.OFFICE_OPEN_XML_STREAM_CONFIGURATION.str
on
Detection.RULESRESULTSCACHE_ENABLED.str
on
Rules results caching (RRC) is a way to cache the results of content on a DLP Agent that does not violate a policy.
By default, RRC is set to on. If you do not want to use RRC, set this parameter to off.
Detection.RULESRESULTSCACHE_FAST_CACHE_SIZE.int
2048
The size of the rules results caching first-level database, the Level 1 database. Rules results caching sends new entries of recorded, non-violating files to the Level 1 database. After the Level 1 database is full, entries are flushed to the Level 2 database to maintain the space of the Level 1 database.
Detection.SHORT_DAR_DETECTION_TIME.int
2000
The amount of time, in milliseconds, taken to detect on a file before the file is considered too large.
Detection.TRACKED.CHANGES.str
off
Allows the detection of content that has changed over time (Track Changes content) in Microsoft Office documents. Using this option might reduce the accuracy rate for IDM and data identifiers.
Detection.TWO_TIER_IDM_ENABLED.str
See description
Enables two-tier detection for IDM for the DLP Agent. Set to "off" to use IDM on the endpoint. Set to "on" to use two-tier detection.
For new installations the default is set to "off" so that by default the DLP Agent uses IDM on the endpoint.
For upgrades the default is set to "off" so that there is no change in functionality for existing IDM policies deployed to the endpoint.
Detection.UNICODE_NORMALIZATION.str
on
Transforms the specific characters to UNICODE before detection. This transformation is necessary for matching policies containing data in many Asian languages.
DeviceControl.SHOW_NOTIFICATION.int
1
This setting displays pop-ups when an endpoint user exceeds device access limits. Enter 0 to disable pop-ups.
Discover.CRAWLER_THREAD_PRIORITY.str
BELOW_NORMAL
The priority of the Discover threads while drives are scanned.
This setting is not used in Symantec Data Loss Prevention.
Discover.SCAN_ONLY_WHEN_IDLE.int
2
Sets whether the agent performs an Endpoint Discover scan while the endpoint user is idle.
If set to 1, the agent only performs Endpoint Discover scanning while the endpoint user is idle.
If set to 2, the agent only scans small files while the endpoint is active and larger files while the endpoint user is idle. Files taking longer than the Detection.SHORT_DAR_DETECTION_TIME value are considered large.
If set to 0, the scan runs regardless of user activity.
Discover.SECONDS_UNTIL_IDLE.int
120
If the agent does not detect any user activity in this amount of time, in seconds, the user is considered to be idle. Very small amounts of time, less than 60 seconds, may not be precisely adhered to.
Discover.STANDARD_REPORT_INTERVAL.int
900000
The interval of time between two Endpoint Discover scan status reports, in milliseconds.
To create a transient connection between the agent and Endpoint Server, enter an interval greater than the EndpointCommunications.IDLE_TIMEOUT_IN_SECONDS.int value.
Email.IGNORE_SMIME.in
0
Enables agents to disregard outgoing emails in Microsoft Outlook that have the Encrypt with S/MIME option enabled so that Data Loss Prevention no longer blocks the email from being sent.
To monitor outgoing emails that are encrypted with S/MIME, enter 0.
To ignore outgoing emails that are encrypted with S/MIME, enter 1.
EncryptionDriver.FORCE_UNLOAD_TIMEOUT.int
10
The time interval in seconds that the DLP Agent waits to shut down the Encryption driver after timeout.
EncryptionDriver.LISTENER_THREADS_COUNT.int
1
This is a performance tuning setting. If many encrypted files are accessed and many files are encrypted, then increasing the listener thread count improves the responsiveness of the file encryption and access. Generally, for single user endpoints, one listener thread provides good performance. Multi-user endpoints may need more listener threads.
EncryptionDriver.MESSAGE_HANDLER_THREADS_COUNT.int
10
This is a performance tuning setting. This setting controls the maximum number of the threads that handle responsiveness when the files get encrypted or when the encrypted files are accessed.
EndpointCommunications.HEARTBEAT_INTERVAL_IN_SECONDS.int
270
Time interval in seconds between heartbeat messages.
The Endpoint Server sends heartbeat messages to detect dead connections to individual agents when no other traffic is being sent or received. The Endpoint Server measures the time between when the last data traffic was sent to or received by the agent until the current time.
Data traffic is defined as any bytes sent or received by the Endpoint Server, including heartbeat message bytes. When the specified duration is exceeded, the Endpoint Server sends a heartbeat message to the agent. If the value of the setting in the agent configuration changes, the new value is applied immediately to any connections that are open to agents for which the configuration applies, and to any subsequent connections.
Application-defined heartbeat messages are treated by network appliances as actual traffic and, unlike TCP keepalives, are never ignored. Heartbeat messages do not count as normal messages for determining whether the connection is idle. Sending or receiving a heartbeat message does not reset the idle timer.
Enter a value between 0 and 1000000000. Enter 0 to disable the agent heartbeat.
EndpointCommunications.IDLE_TIMEOUT_IN_SECONDS.int
30
The maximum time to keep an idle connection open.
The connection is closed when the specified number of seconds has passed.
This timeout only applies during the normal operation phase of a connection. This occurs after the SSL handshake and application handshake phases.
Enter a value between 0 and 1000000000. Enter 0 to prevent idle connections from closing.
EndpointLocation.MATCHES_ALL_INTERFACES_FOR_MANUAL_SETTING.int
1
The value, based on the network interface, that defines whether the endpoint is considered on or off the corporate network. This setting applies when the Manually setting on the Endpoint Location screen is selected.
When the value is 1, the Enforce Server considers the agent on the corporate network if the endpoint IP matches all of the IP addresses entered in the IP field on the Endpoint Location screen.
When the value is 0, the Enforce Server considers the agent on the corporate network if the endpoint IP matches at least one of the IP addresses entered in the IP field on the Endpoint Location screen.
ExtensionEnablement.DISPLAY_BROWSER_EXTENSION_NOTIFICATION.int
1
The value controls whether the extension enablement reminder dialog for Firefox and Safari browsers displays on the endpoint.
When the value is 0, the extension enablement reminder does not display on the endpoint.
ExtensionEnablement.DISPLAY_SAFARI_EXTENSION_NOTIFICATION.int
1
The value controls whether the Enable the Symantec extension for Safari dialog displays on the endpoint.
When the value is 0, the Enable the Symantec extension for Safari dialog does not display on the endpoint.
ExtensionEnablement.INSTALL_BROWSER_EXTENSION.int
1
Lets you control whether the extensions for Microsoft Edge and Google Chrome are installed automatically from the Microsoft Edge Addons store and the Chrome Web Store on Windows endpoints.
To configure Windows agents to install the extension automatically, enter 1 (default).
If you set the value of this setting to 0, the extension gets uninstalled from both browsers.
If you want to deploy the extension on Windows endpoints using a Group Policy Object, enter 0.
To monitor printing within Microsoft Edge and Google Chrome, ensure that the Symantec DLP extension is deployed using the DLP Agent or a GPO and is enabled in the browser.
FileService.MAX_CACHE_SIZE.int
250
The maximum number of recently opened file paths that have been recorded for each endpoint process.
FileSystem.APPS_LIST_USES_TRUNCATE_FILE_FOR_BLOCK_RULE
  • TextEdit
  • Microsoft PowerPoint
TextEdit
This setting helps to prevent duplicate incidents and minimizes application pop-ups, crashes, and hangs when an endpoint user edits a sensitive file located on a Mac removable storage device using TextEdit and Microsoft PowerPoint. When this setting is enabled, temporary files that contain sensitive information are truncated instead of deleted. This setting removes content from temporary files.
If you observe unexpected behavior in applications, you can also exclude the application from monitoring. See Ignoring macOS applications.
FileSystem.DRIVER_FILE_OPEN_REQUEST_TIMEOUT.int
10
Lets you configure the timeout value, in seconds, for a file open request that is sent from a driver to the agent. This setting is helpful in case the file system connector is slow in responding to the driver. If the connection is slow, the system performs badly. Each file open request is postponed by the driver waiting for the agent to respond. You cannot leave this setting blank and a value of 0 is not allowed.
FileSystem.ENABLE_FILE_RESTORATION.int
1
This setting provides the ability to turn on or turn off file restoration. File restoration is the ability to restore the original file in case it is overwritten with a newer file containing confidential data. File restoration is enabled by default. Enter 0 to disable this setting.
FileSystem.ENABLE_VEP_FILE_ELIMINATION.int
3
This setting provides the ability to select for which detection channel a .vep file is created. This process also runs detection on the original file and resolves any sharing violations for EDPA.exe and KVOOP.exe, when needed.
You can make changes to this setting if your environment does not contain any of the following:
  • Data retention policies
  • Two-tier detection policies
You can use the following values:
  • 0 creates a .vep file for all channels.
  • 1 runs detection on original files moving through the Removable Storage channel. A .vep file is created for all other scanned files.
  • 2 runs detection on files moving through the application file access and cloud storage channels, and through CD/DVD applications. A .vep file is created for all other scanned files.
  • 3 runs detection on files moving through the application file access, cloud storage, and removable storage channels. A .vep file is created for all other scanned files.
FileSystem.IGNORE_STORAGE_BUS_TYPE.str
None
This setting controls which storage devices Symantec Data Loss Prevention ignores. You typically adjust this setting when you want to allow the copying of sensitive information to company-provided external devices like USB drives and SD cards.
Enter All to ignore removable devices attached to Windows endpoints. USB and FireWire devices are monitored.
Enter None to monitor all storage devices, whether attached to Windows or Mac endpoints.
You can set Symantec Data Loss Prevention to ignore storage devices attached to Mac endpoints by entering the BUS type of the device you want to ignore. You can generate the BUS type for a device using the DeviceID tool.
You can enter the following Mac removable device BUS types:
  • USB
  • Secure Digital
  • FireWire
If you enter more than one storage device to ignore, use a semi-colon (;) to separate each setting.
FileSystem.MAX_BACKLOG
20
The maximum number of snapshot files that are created when removable storage is monitored.
FileSystem.MONITOR_APPLICATION_CHILD_PROCESS_FILE_ACCESS.INT
1
This setting allows the user to enable or disable the Application File Access feature that monitors child processes. Enter 1 to enable or enter 0 to disable.
FileSystem.MONITOR_READ_ONLY_VOLUMES.int
1
Controls whether DLP monitoring is done in the case of an Explorer copy if the destination volume is a read-only volume. Enter 1 to continue monitoring read-only volumes in an Explorer copy operation. Enter 0 to stop monitoring of read-only volumes in an Explorer copy operation.
FileSystem.NUM_OF_LISTENER_THREADS
1
The number of listener threads that listen to file system driver requests. You can enter any positive integer value.
FileSystem.NUM_TIMES_TO_OVERWRITE_FILE.int
2
This setting indicates how many times a file is overwritten with a secure pattern before it is deleted during prevention. A value of 0 indicates that the file cannot be overwritten.
FileSystem.THREAD_POOL_MAX_CAPACITY
20
The maximum number of threads that the filesystem threadpool can use to serve file system requests.
FileSystem.USE_CDDVD_DEFAULT_EXCLUDE_PATHS.int
1
This setting allows the user to exclude any file that is opened by a CD/DVD application from the following directories:
  • Installed directory of the application; for example, if the application is Roxio, then c:\program files\roxio
  • System directories; for example, %windir%\system32
  • Program Files\Common Files
It is enabled by default.
FlexResponse.MAX_INCIDENT_FILE_SIZE.int
31457280
Reserved for future use.
FlexResponse.PLUGIN_HOST_LOG_MAXFILE_SIZE.long
5120000
The maximum size of a plug-in log file. The default number is in bytes.
FlexResponse.PLUGIN_HOST_LOG_MAX_NUMBER_OF_FILES.long
1
The maximum number of plug-in log files that can be kept.
FlexResponse.PLUGIN_HOST_MESSAGE_TIMEOUT.long
180000
The amount of time that the plug-in host can process messages. The default time is in milliseconds.
FlexResponse.PLUGIN_HOST_STARTUP_TIMEOUT.long
30000
The amount of time that the plug-in host can take to start up. The default time is in milliseconds. If the plug-in host does not start in the specified amount of time, the plug-in host sends a fail event to the log.
FlexResponse.PLUGIN_QUEUE_LIMIT
100
The number of FlexResponse plugin invocation requests placed in queue.
GroupResolution.DAYS_DATA_STALING.int
7
The amount of time, in days, that the agent retains Active Directory (AD) user group information. Information that is older than this limit causes the agent to contact the AD server.
Hooking.APPLICATION_LOAD_TIMEOUT.int
300000
Specifies the time, in milliseconds, that the agent tries to hook into an application if that application takes a long time to load.
Hooking.CLOUD_STORAGE_HOOKING.int
0
Enter 1 to allow the DLP Agent to block files being moved to cloud storage applications.
This setting applies to Microsoft Office 2010 and 2013 applications that save data to the Box cloud storage application.
This setting only applies to 14.0.x agents.
Hooking.CMD.HOOKING.int
1
Enables and disables FOM hooking into the command processor.
When set to 1, the FOM DLL is hooked into the command processor and monitors copy and move operations from the command prompt. If the value is 0, then there is no hooking and the command prompt is not monitored.
Hooking.EXPLORER_APPLICATION_HOOKING.int
1
Allows the DLP Agent to monitor when a user performs a right-click print through Windows Explorer. To turn off right-click print monitoring, change this setting to 0.
Hooking.EXPLORER_HOOKING.int
7
Allows the DLP Agent to monitor Microsoft Windows Explorer traffic.
Hooking.SIP_Agent_OSX_VERSION_COMPATABILITY.str
For a new installation:
15.8.0:10.14.6; 15.8.0:10.15.7
For upgraded systems, previous entries are appended to the default settings.
Allows the DLP Agent to monitor applications that are protected by System Integrity Protection (SIP). For the latest supported macOS versions and information on adding monitoring for updated macOS, see Symantec Data Loss Prevention System Requirements and Compatibility Guide, Related Documents at the Tech Docs Portal, and Support for Monitoring Applications Protected by System Integrity Protection.
Hooking.USE_LOADLIBRARYW_FROM_IMAGE.int
0
The method to find the LoadLibraryW function address. You can specify a value of either 0 or 1.
0 uses the GetProcAddress API to find the library.
1 reads the exports table of kernel32.dll to find the library.
IncidentHandler.CACHE_SIZE_THRESHOLD.int
30
The percentage of used endpoint database cache space that triggers Endpoint Discover to pause.
IncidentHandler.MAX_BACKOFF.int
3600000
Maximum time, in milliseconds, that the agent waits before it retries sending an incident to the server if the first attempt fails.
IncidentHandler.MAX_INCIDENT_FILE_SIZE
31457280
Size, in bytes, of the largest file to be sent from the agent as part of an incident.
IncidentHandler.MAX_TTD_FILE_SIZE
31457280
Size, in bytes, of the largest file to be sent from agent for two-tier detection.
IncidentHandler.MIN_BACKOFF.int
30000
Minimum time, in milliseconds, to wait before the agent re-sends an incident to the Endpoint Server after the first attempt fails.
IncidentHandler.PERSISTER_MAX_DAR_ENTRIES.int
5
The maximum number of persisted Endpoint Discover incidents that are kept in queue.
IncidentHandler.PERSISTER_MAX_ENTRIES.int
25
The maximum limit of incidents in the Agent Store before the agent starts evicting incidents.
IncidentHandler.SENDER_CHUNK_SIZE.int
65536
Size, in bytes, of chunks to read from the database as it sends files.
LocalizationManager.LOCALE_RECEIVING_DELAY_ON_NEWUSER_LOGON_IN_SECONDS.int
2
The number of seconds the agent waits before fetching the user locale. You can enter between 1 and 20 seconds.
Logging.OperationLogFileSize.long
5120000
The size of the operational log file. This setting specifies how large, in bytes, each operational log can be. Logs that exceed this setting are not retained.
Logging.OperationLogMaxFiles.int
30
The maximum number of operation logs, per scan, that are retained at any one time. If this number is exceeded, operational log files are purged from the folder until the limit is reached. Log files are purged according to the date that they were created. The oldest log files are purged first. This setting is not applicable to the entire directory.
Logging.OperationLogTTL.int
90
The number of days that operational logs are kept in the directory. If the operational log is not accessed or modified in the specified number of days, the file is deleted.
MIP.HTTP_OPERATION_TIMEOUT.int
60
The maximum time (in seconds) allowed for an MIP HTTP operation to complete. If the operation times out, the operation is cancelled.
MIP.MIP_AUTHENTICATION.int
0
Lets you configure when users are prompted to authenticate to the MIP service using their Azure AD credentials.
To prompt users for authentication only when needed, enter 0.
To prompt users when they log on to the endpoint, or when the agent service starts, or when there is a change in the MIP configuration on the Enforce Server, enter 1.
MonitorSystemUsers.CLIPBOARD.int
0
Enables system user monitoring for the Clipboard feature. Set to inactive by default. Set to 1 to enable.
MonitorSystemUsers.LOCAL_DRIVE.int
0
Enables system user monitoring for the local drive feature. Set to inactive by default. Set to 1 to enable.
This setting is not used in Symantec Data Loss Prevention.
MonitorSystemUsers.NETWORK.int
0
Enables system user monitoring for network protocols in the driver (HTTP, FTP). Set to inactive by default. Set to 1 to enable.
MonitorSystemUsers.PRINT_FAX.int
0
Enables system user monitoring for the print/fax feature. By default, this feature is set to inactive. Set to 1 to enable.
NetworkMonitor.APPLY_PREFILTERS_TO_FPR.int
0
Enables ignoring of File Path Resolution (FPR) for data transfers over HTTP and FTP. The DLP Agent uses FPR to define the path to files a user uploads from the endpoint—whether from an application or from the endpoint filesystem—through a browser, and when the browser opens a file in the background. The detection engine uses the full path when scanning each file for sensitive data.
Set to 1 if the browser performance is degraded. This setting prevents the agent from defining a full path for each file that is moved through a browser. Also, the agent does not monitor temporary file locations that the browser uses and predefined file paths.
To ensure that browser performance is optimized, add a monitoring filter that ignores temporary files that browsers commonly use. Use the following settings for the ignore filter:
  • Select Ignore (do not monitor).
  • Select HTTP/HTTPS Attachment.
  • Enter file types to ignore in the Type field. For example, enter INI and TMP to filter the temporary files that browsers commonly use during file upload.
NetworkMonitor.DISABLE_SPDY_PROTOCOL
1
The default setting (1) enables SPDY and HTTP2 protocol monitoring for Internet Explorer and Firefox running on endpoints.
Set to 0 to disable. Disabling this setting allows endpoint users to enable the SPDY and HTTP2 protocols. When endpoint users enable SPDY, monitoring for data loss can be affected.
NetworkMonitor.ENABLE_HTTP_GET_MONITORING.int
0
Enables HTTP/HTTPS GET request monitoring. By default, this setting is disabled. Set to 1 to enable.
NetworkMonitor.HTTP_DETECTION_TIMEOUT.int
120
The length of time, in seconds, that the agent waits during a scan of HTTP and HTTPS data.
NetworkMonitor.IM_DETECTION_SESSION_TIMEOUT.int
120
The duration, in seconds, of the detection session window for all instant messaging clients.
NetworkMonitor.MIN_BYTE_COUNT_TO_IDENTIFY_PROTOCOL.int
200
The number of bytes in a packet that the agent ignores in a given network session before detection begins.
NetworkMonitor.THREAD_POOL_MAX_CAPACITY
20
The number of listener threads running that listen for network driver requests.
NetworkMonitor.NUM_OF_LISTENER_THREADS.int
1
The maximum number of threads that can be used by the network thread pool to serve network detection requests.
NetworkMonitor.URL_TIMEOUT.int
3000
The amount of time, in milliseconds, to get the URL.
Outlook.MONITOR_TECHNIQUE
1
Lets you specify whether the DLP Agent monitors Outlook on macOS endpoints using application hooks or using the on-send web add-in for Outlook.
The default setting 1 enables monitoring for Outlook using the add-in.
To enable monitoring using application hooks instead, set the value to 0.
PluginInstaller.TAMPERPROOFING_IGNORE_PROCESS_TIMEOUT.int
15000
Lets you specify a time, in milliseconds, to ignore any short-lived processes that do not load plug-ins. If the process ends before this time limit is reached, the plug-in installer does not start.
PostProcessor.MIP_DEFAULT_ACTION.int
1
Lets you control whether user actions are blocked or allowed when users attempt to copy or transfer files that are encrypted by Microsoft Information Protection.
The default setting 1 blocks the user action.
Enter 0 to allow the user action.
PostProcessor.MIP_APPLY_LABEL_MAX_RETRY_COUNT.int
5
The number of attempts that the DLP Agent makes to apply labels to sensitive documents when the Endpoint: MIP Classification response action is triggered.
PostProcessor.ENABLE_FLEXRESPONSE.int
0
Lets you enable or disable Endpoint FlexResponse capability. By default, Endpoint FlexResponse is turned off. Change the setting to 1 to enable Endpoint FlexResponse.
PostProcessor.ENCRYPT_WITH_CANCEL_DEFAULT_ACTION.int
1
The default setting 1 blocks the file move if the endpoint user does not select an action in the Encrypt pop-up within the specified period of time. Enter 2 to allow the action.
PostProcessor.FILE_SYSTEM_USER_RESPONSE_TIMEOUT.int
60
The amount of time, in seconds, that endpoint users have to select a response action to the User Cancel pop-up notification. This setting only applies to events that are generated by attempting to transfer files that violate a policy.
PostProcessor.NETWORK_USER_RESPONSE_TIMEOUT.int
60
The amount of time, in seconds, that endpoint users have to select a response action to the User Cancel pop-up notification. This setting applies to HTTP and FTP events only.
PostProcessor.NOTIFY_ON_FIXED_DRIVE.int
0
Enables the response notifications for fixed-drive incidents. The default is set to disable notifications. Set to 1 to enable.
PostProcessor.NOTIFY_WITH_CANCEL_DEFAULT_ACTION
1
The default action to take if an endpoint user does not select the action from the User Cancel pop-up notification within the specified time. Enter 1 to block the action or enter 0 to allow the action.
PostProcessor.OTHER_USER_RESPONSE_TIMEOUT
60
The amount of time, in seconds, that endpoint users have to select a response action to the User Cancel pop-up notification. This setting only applies to Clipboard, Print, Email, and HTTPS events.
print.FILE_BASED_SCAN_ONLY_PROCESS
Adobe Reader
On macOS endpoints, force the DLP Agent to monitor the entire file that is printed from the specified applications instead of scanning individual pages of the document.
This setting accepts the process names of applications as input. Use commas to separate multiple values.
Quarantine.MAX_QUEUE_SIZE.int
100
The maximum number of quarantine requests that can be in the queue at any one time. Requests that exceed this number are dropped and are not quarantined.
ResponseCache.AFAC_TIMEOUT
10000
The amount of time, in milliseconds, that an application file access incident is cached. Duplicate incidents that occur during this time period are not generated and do not trigger response rule messages.
ResponseCache.CD_TIMEOUT.int
2000
The amount of time, in milliseconds, that a CD/DVD incident is cached. Duplicate incidents within this time period are not generated and do not cause Prevent pop-up notifications.
ResponseCache.FTP_TIMEOUT.int
60000
The amount of time, in milliseconds, that an FTP incident is cached. Duplicate incidents within this time period are not generated and do not cause Prevent pop-up notifications.
ResponseCache.HTTP_TIMEOUT.int
60000
The amount of time, in milliseconds, that an HTTP/HTTPS incident is cached. Duplicate incidents within this time period are not generated and do not cause Prevent pop-up notifications.
Adjust this setting if multiple incidents and Block pop-ups occur. This occurs when a Block response rule is implemented, any of the HTTPS channels are enabled, and users upload folders that contain sensitive data from a web browser to web applications.
Set this value to 120000 milliseconds or greater to prevent multiple incidents and Block pop-ups.
ResponseCache.MAX_SIZE.int
100
The maximum number of incidents that are cached at any time.
ServerCommunicator.CONNECT_BACKOFF_DURATION_MULTIPLIER.int
2
The factor by which the last backoff period is multiplied.
ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS.int
900
The amount of time, in seconds, that the agent waits before it initiates connections.
The minimum value you enter depends on the minimum time difference between when the Enforce Server and Endpoint Server communicate. Entering 10 is the minimum value you can enter to maintain a persistent connection. You can enter a value between 60 and 86400 seconds to maintain a non-persistent connection.
ServerCommunicator.INITIAL_CONNECT_BACKOFF_DURATION_SECONDS.int
30
The duration of time, in seconds, that the agent should back off after the first back off error.
Enter a value less than the ServerCommunicator.MAX_CONNECT_BACKOFF_DURATION_SECONDS.int value.
ServerCommunicator.MAX_CONNECT_BACKOFF_DURATION_SECONDS.int
1800
The maximum duration of time, in seconds, that an agent should spend in back off before it fails over to the next server.
You can enter a value between 60 and 86400 seconds.
ServerRedundancy.FAILOVER_INTERVAL.long
3600
Interval of time, in seconds, an agent spends trying to connect to an Endpoint Server before it tries to fail over to a new Endpoint Server.
ServerRedundancy.MAX_TIME_BETWEEN_CONNECTION_ATTEMPTS.long
600
The maximum amount of time, in seconds, the agent waits between connection retries to the same Endpoint Server.
Transport.ALLOW_EXPIRED_CERTIFICATES.int
1
Controls whether or not expired certificates are accepted.
This setting applies to all new agent connections.
Transport.AUTO_FLUSH_LIMIT_KILOBYTES.int
16
The maximum amount of outbound data, in kilobytes, to enqueue for a connection before auto-flushing.
Enter a value less than the Transport.MAX_OUTBOUND_KILOBYTES_TO_BUFFER.int value.
Transport.DNS_HOST_CACHE_TIMEOUT_SECONDS.int
86400
The timeout, in seconds, for the DNS host cache. Name resolutions are kept in memory for this number of seconds. Set to zero to completely disable caching, or set to -1 to save all cached entries.
This setting applies to all new agent connections.
You can enter a value between -1 and 604800 seconds.
Transport.MAX_CONNECT_WAIT_SECONDS.int
30
The time in seconds to wait for the connect call to succeed.
This setting applies to all new agent connections.
You can enter a value between 1 and 300 seconds.
Transport.MAX_INBOUND_KILOBYTES_TO_BUFFER.int
100
The maximum amount of inbound data, in kilobytes, to enqueue for a connection.
You can enter a value between 16 and 2048.
Transport.MAX_OUTBOUND_KILOBYTES_TO_BUFFER.int
100
The maximum amount of outbound data, in kilobytes, to queue for a connection.
You can enter a value between 16 and 2048.
Enter a value greater than the CommLayer.MAX_FRAME_SIZE_KILOBYTES.int value.
Transport.MAX_SSL_SESSION_LIFETIME_SECONDS.int
86400
The duration, in seconds, for which the agent reuses an SSL session ID. When the configured duration elapses, the agent discards the SSL session ID and establishes a new SSL session on the subsequent connection with the Endpoint Server.
This setting applies to new agent connections.
Enter 0 to disable SSL re-use.
Transport.VERIFY_SERVER_HOSTNAME.int
0
Controls whether the Endpoint Server certificate (server distinguished/common name) is checked on the client during the SSL handshake process.
This setting applies to new connections.
Enter 1 to enable the setting.
UI.BUTTON_ENCRYPT_ALLOW.str
Blank
Controls the text on the Encrypt button for the Encrypt response rule pop-up notification. Change this setting if you use a locale that is not supported. The default language is English.
UI.BUTTON_OK.str
OK
Controls the text on the OK button on the user-facing notification message. Change this setting if you use a locale that is not supported. The default language is English.
UI.BUTTON_OKTOALL.str
OK To All
Controls the text on the OK To All button on the user-facing notification message. Change this setting if you use a locale that is not supported. The default language is English.
UI.CONSECUTIVE_TRANSACTION_TIME.str
10
Maximum time, in seconds, between two file operations to be considered as a single transaction.
UI.ENCRYPT_CANCEL_MSG_TITLE.str
Blank
Enter text to customize the Encrypt response rule message title.
UI.ENCRYPT_CANCEL_TITLEBAR.str
Blank
Enter text to customize the Encrypt response rule dialog title.
UI.MONITOR_MSG_TITLE.str
The message title for a notification pop-up message.
UI.MONITOR_TITLEBAR.str
Warning
Controls the static title message in the title bar for the Endpoint Notify notification pop-up message. Change this setting if you use a locale that is not supported. The default setting is Warning.
UI.NOTIFY_CANCEL_MSG_TITLE
Blank
Enter text here to customize the User Cancel response rule message title.
UI.NOTIFY_CANCEL_TITLEBAR
Blank
Enter text here to customize the User Cancel response rule dialog title.
UI.NO_SCAN.int
0
If set to any number other than zero, the scan dialog is not displayed.
UI.NWC_EVENT_LIMIT_FS.int
5
The maximum number of events that can be queued before a default action for further incidents is accepted. This setting applies to File System events only.
UI.NWC_EVENT_LIMIT_NW.int
2
The maximum number of events that can be queued before a default action for further incidents is accepted. This setting applies to Network events only.
UI.POPUP_QUEUE_LIMIT.int
100
The limit of pop-up notifications that a user sees in a single session. These pop-up notifications require a user justification for the validation. If the limit is exceeded, any pop-up notifications past the limit automatically contain a Not Applicable (N/A) justification.
UI.PREVENT_MSG_TITLE.str
Message title for a block pop-up message.
UI.PREVENT_TIMEOUT.int
300
Timeout value, in seconds, before the incident is generated. If this limit is exceeded, the incident is created regardless of what the user chooses from the pop-up window.
UI.PREVENT_TITLEBAR.str
Blocked
Controls the static title message in the title bar for the Endpoint block notification pop-up dialog box.
UI.PREVENT_WINPOSITION.int
0
Start position of the Prevent dialog window.
UI.QUARANTINE_PROMPT.str
The file is quarantined at:
Controls the text that specifies where the quarantined data is located.
UI.SCAN_BAR.str
(blank)
This setting lets you change the text in the body of the scan window. This text is static and appears regardless of the locale of the endpoint.
UI.SCAN_DELAY.int
0
The amount of time, in seconds, that elapses before the scan dialog window is displayed.
UI.SCAN_EMAIL.int
0
This setting activates the toggle for email scanning. If this setting is set to 0, users cannot select email monitoring.
UI.SCAN_FTP.int
0
This setting activates the toggle for FTP scanning. If this setting is set to 0, users cannot select FTP monitoring.
UI.SCAN_HTTP.int
0
This setting activates the toggle for HTTP monitoring. If this setting is set to 0, users cannot select HTTP monitoring.
UI.SCAN_PRINTFAX.int
0
This setting activates the toggle for Print/Fax scanning. If this setting is set to 0, users cannot select Print/Fax monitoring.
UI.SCAN_REMOVABLEMEDIA.int
1
This setting activates the toggle for removable media scanning. If this setting is set to 0, users do not have the option of selecting removable media monitoring.
UI.SCAN_SHOWTIME.int
2
Minimum time, in seconds, for the scan dialog to remain on the screen.
UI.SCAN_TITLE.str
(blank)
This setting lets you enter the title of the scan window that appears for the user. This title is a static message that appears regardless of the locale of the endpoint.
UI.USERINPUT_PROMPT.str
Others:
Controls the prompt that appears in the block and notify pop-up messages at the user input field. Change this prompt if you use a locale that is not supported. The default setting is in English.
UninstallPassword.RETRY_LIMIT.int
3
Defines the number of times a user can attempt to uninstall the DLP Agent without entering the correct uninstall password.
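The value ranges, the "enter a value less than" rules, and the values that skip a certificate check or allow an action on timeout are spread across the ServerCommunicator, Transport and PostProcessor rows above. The following added example (not part of the Symantec documentation or product) checks a set of values against them in Python. The `{name: value}` input format, the `audit` function and the `error`/`review` labels are assumptions, and setting names are written without the table's line-wrap spaces.

```python
# Added example, not Symantec code. Rules below are the ones stated in the table.
# Assumption: settings arrive as a {name: int} dict; the page defines no export format.
RANGES = {  # inclusive limits quoted in the table
    "ServerCommunicator.MAX_CONNECT_BACKOFF_DURATION_SECONDS.int": (60, 86400),
    "Transport.DNS_HOST_CACHE_TIMEOUT_SECONDS.int": (-1, 604800),
    "Transport.MAX_CONNECT_WAIT_SECONDS.int": (1, 300),
    "Transport.MAX_OUTBOUND_KILOBYTES_TO_BUFFER.int": (16, 2048),
}
ORDERED = [  # (smaller, larger): the table requires smaller < larger
    ("ServerCommunicator.INITIAL_CONNECT_BACKOFF_DURATION_SECONDS.int",
     "ServerCommunicator.MAX_CONNECT_BACKOFF_DURATION_SECONDS.int"),
    ("Transport.AUTO_FLUSH_LIMIT_KILOBYTES.int",
     "Transport.MAX_OUTBOUND_KILOBYTES_TO_BUFFER.int"),
]
RELAXED = {  # value that skips a check or allows the action on timeout
    "Transport.ALLOW_EXPIRED_CERTIFICATES.int": (1, "expired certificates accepted"),  # assumes 1 = accept
    "Transport.VERIFY_SERVER_HOSTNAME.int": (0, "server certificate name not checked"),
    "PostProcessor.MIP_DEFAULT_ACTION.int": (0, "MIP-encrypted file transfers allowed"),
    "PostProcessor.NOTIFY_WITH_CANCEL_DEFAULT_ACTION": (0, "action allowed when user does not respond"),
    "PostProcessor.ENCRYPT_WITH_CANCEL_DEFAULT_ACTION.int": (2, "file move allowed when user does not respond"),
}

def audit(settings):
    """Return sorted (severity, setting, message) findings; absent settings are skipped."""
    findings = []
    for name, (low, high) in RANGES.items():
        if name in settings and not low <= settings[name] <= high:
            findings.append(("error", name, f"{settings[name]} is outside {low}..{high}"))
    for small, large in ORDERED:
        if small in settings and large in settings and settings[small] >= settings[large]:
            findings.append(("error", small, f"must be less than {large}"))
    for name, (value, note) in RELAXED.items():
        if settings.get(name) == value:
            findings.append(("review", name, note))
    return sorted(findings)

# Constructed sample: defaults from the table, with two values changed for the demo
SAMPLE = {
    "ServerCommunicator.INITIAL_CONNECT_BACKOFF_DURATION_SECONDS.int": 30,
    "ServerCommunicator.MAX_CONNECT_BACKOFF_DURATION_SECONDS.int": 1800,
    "Transport.AUTO_FLUSH_LIMIT_KILOBYTES.int": 128,   # changed: above outbound buffer
    "Transport.MAX_OUTBOUND_KILOBYTES_TO_BUFFER.int": 100,
    "Transport.MAX_CONNECT_WAIT_SECONDS.int": 600,     # changed: above 300
    "Transport.ALLOW_EXPIRED_CERTIFICATES.int": 1,
    "Transport.VERIFY_SERVER_HOSTNAME.int": 0,
}
if __name__ == "__main__":
    for severity, name, message in audit(SAMPLE):
        print(f"{severity:6} {name}: {message}")
```

With the listed defaults alone, the only findings are the two `review` entries for the Transport certificate settings.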