Advanced server settings
This topic covers the advanced settings for detection servers. There is another topic for advanced settings for cloud detectors.
Click Server Settings on the detection server's System > Servers and Detectors > Overview > Server/Detector Detail screen to modify the settings on that server. Use caution when modifying these settings on a server. Contact Symantec Support before changing any of the settings on this screen. Changes to these settings normally do not take effect until after the server has been restarted.
You cannot change settings for the Enforce Server from the Server/Detector Detail screen. The Server/Detector Detail - Advanced Settings screen only displays for detection servers and detectors. If you change advanced server settings for Endpoint Servers in a load-balanced environment, you must apply the same changes to all Endpoint Servers in the load-balanced environment.
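The load-balancing rule above can be checked mechanically. The following is an added example, not Symantec tooling or code from the original page: it compares the advanced settings of several Endpoint Servers for drift and also tests two relationships documented in the settings table (the ContentExtraction timeout ordering, and FileReader.MaxFileSize against ContentExtraction.MaxContentSize). The `name = value` input format, the server names and all function names are assumptions made for the example.

```python
import re

# Assumption: K/M/G are treated as binary multiples. Only relative size matters
# for the comparison below, so the result is the same with decimal multiples.
SIZE_UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_settings(text):
    """Parse 'Name = value' lines into a dict; blank lines and # comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a name=value line: {line!r}")
        settings[name.strip()] = value.strip()
    return settings


def to_int(value):
    """'300,000' -> 300000 (some defaults are written with thousands separators)."""
    return int(value.replace(",", ""))


def to_bytes(value):
    """'30M' -> 31457280; a bare number is taken as bytes."""
    match = re.fullmatch(r"(\d+)\s*([KMG]?)", value.strip().upper())
    if not match:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(match.group(1)) * SIZE_UNITS.get(match.group(2), 1)


def find_drift(servers):
    """Return {setting: {server: value}} for each setting that differs, or is
    missing, on at least one server of the load-balanced group."""
    names = set().union(*(cfg.keys() for cfg in servers.values()))
    drift = {}
    for name in sorted(names):
        values = {server: cfg.get(name) for server, cfg in servers.items()}
        if len(set(values.values())) > 1:
            drift[name] = values
    return drift


def check_constraints(cfg):
    """Check relationships the settings table documents; absent settings are skipped."""
    problems = []
    timeouts = [cfg.get("ContentExtraction." + n)
                for n in ("ShortTimeout", "LongTimeout", "RunawayTimeout")]
    if all(timeouts):
        short, long_, runaway = map(to_int, timeouts)
        if not short < long_ < runaway:
            problems.append("ContentExtraction timeouts must satisfy "
                            "ShortTimeout < LongTimeout < RunawayTimeout")
    max_file = cfg.get("FileReader.MaxFileSize")
    max_content = cfg.get("ContentExtraction.MaxContentSize")
    if max_file and max_content and to_bytes(max_file) < to_bytes(max_content):
        problems.append("FileReader.MaxFileSize is smaller than "
                        "ContentExtraction.MaxContentSize")
    return problems


def audit(raw):
    """raw maps a server name to its settings text; returns (drift, problems per server)."""
    servers = {name: parse_settings(text) for name, text in raw.items()}
    problems = {name: check_constraints(cfg) for name, cfg in servers.items()}
    return find_drift(servers), problems


# Constructed sample input: two Endpoint Servers behind one load balancer.
SAMPLE = {
    "endpoint-a": """
        ContentExtraction.ShortTimeout = 30,000
        ContentExtraction.LongTimeout = 60,000
        ContentExtraction.RunawayTimeout = 300,000
        ContentExtraction.MaxContentSize = 30M
        FileReader.MaxFileSize = 30M
        EndpointCommunications.MaxConcurrentConnections = 90000
    """,
    "endpoint-b": """
        ContentExtraction.ShortTimeout = 30,000
        ContentExtraction.LongTimeout = 400,000
        ContentExtraction.RunawayTimeout = 300,000
        ContentExtraction.MaxContentSize = 50M
        FileReader.MaxFileSize = 30M
        EndpointCommunications.MaxConcurrentConnections = 45000
    """,
}

if __name__ == "__main__":
    drift, problems = audit(SAMPLE)
    for setting, values in drift.items():
        print(f"DRIFT  {setting}: {values}")
    for server, issues in problems.items():
        for issue in issues:
            print(f"CHECK  {server}: {issue}")
```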
Setting | Default | Description |
|---|---|---|
BoxMonitor.Channels | Varies | The values are case-sensitive and comma-separated if multiple. Although any mix of them can be configured, the following are the officially supported configurations:
|
BoxMonitor.DetectionServerDatabase | on | Enables the BoxMonitor process to start the Automated Incident Remediation Tracking database on the Detection Server. If you set this to off, you must start the remediation tracking database manually. |
BoxMonitor.DetectionServerDatabaseMemory | -Xrs -Xms300M -Xmx1024M | Any combination of JVM memory flags can be used. |
BoxMonitor.DiskUsageError | 90 | The amount of disk space filled (as a percentage) that will trigger a severe system event. For instance, if Symantec Data Loss Prevention is installed on the C drive and this value is 90, then the detection server creates a severe system event when the C drive usage is above 90%. |
BoxMonitor.DiskUsageWarning | 80 | The amount of disk space filled (as a percentage) that will trigger a warning system event. For instance, if Symantec Data Loss Prevention is installed on the C drive and this value is 80, then the detection server generates a warning system event when the C drive usage is above 80%. |
BoxMonitor.EndpointServer | on | Enables the Endpoint Server. |
BoxMonitor.EndpointServerMemory | -Xrs -Xms300M -Xmx4096M | Any combination of JVM memory flags can be used. For example: -Xrs -Xms300m -Xmx1024m. |
BoxMonitor.FileReader | on | If off, the BoxMonitor cannot start the FileReader, although it can still be started manually. |
BoxMonitor.FileReaderMemory | -Xrs -Xms1200M -Xmx4G | FileReader JVM command-line arguments. |
BoxMonitor.HeartbeatGapBeforeRestart | 960000 | The time interval in milliseconds that the BoxMonitor waits for a monitor process (for example, FileReader, IncidentWriter) to report the heartbeat. If the heartbeat is not received within this time interval the BoxMonitor restarts the process. |
BoxMonitor.IncidentWriter | on | If off, the BoxMonitor cannot start the IncidentWriter in the two-tier mode, although it can still be started manually. This setting has no effect in the single-tier mode. |
BoxMonitor.IncidentWriterMemory | -Xrs | IncidentWriter JVM command-line arguments. For example: -Xrs |
BoxMonitor.InitialRestartWaitTime | 5000 | The time interval in milliseconds that the BoxMonitor waits after restarting a monitor process, such as FileReader or IncidentWriter. |
BoxMonitor.MaxRestartCount | 3 | The number of times that a process can be restarted in one hour before generating a SEVERE system event. |
BoxMonitor.MaxRestartCountDuringStartup | 5 | The maximum number of times that the monitor server will attempt to restart on its own. |
BoxMonitor.PacketCapture | on | If off, the BoxMonitor cannot start PacketCapture, although it can still be started manually. The PacketCapture channel must be enabled for this setting to work. |
BoxMonitor.PacketCaptureDirectives | -Xrs | PacketCapture command line parameters (in Java). For example: -Xrs |
BoxMonitor.ProcessLaunchTimeout | 30000 | The time interval (in milliseconds) for a monitor process (e.g. FileReader) to start. |
BoxMonitor.ProcessShutdownTimeout | 45000 | The time interval (in milliseconds) allotted to each monitor process to shut down gracefully. If the process is still running after this time the BoxMonitor attempts to kill the process. |
BoxMonitor.RequestProcessor | on | If off, the BoxMonitor cannot start the RequestProcessor, although it can still be started manually. The Inline SMTP channel must be enabled for this setting to work. |
BoxMonitor.RequestProcessorMemory | -Xrs -Xms300M -Xmx1300M | Any combination of JVM memory flags can be used. For example: -Xrs -Xms300M -Xmx1300M |
BoxMonitor.RmiConnectionTimeout | 15000 | The time interval (in milliseconds) allowed to establish connection to the RMI object. |
BoxMonitor.RmiRegistryPort | 37329 | The TCP port on which the BoxMonitor starts the RMI registry. |
BoxMonitor.StatisticsUpdatePeriod | 10000 | The monitor statistics are updated after this time interval (in milliseconds). |
Classification.WebserviceLogRetentionDays | 7 | Specifies the number of days classification web service logs are retained. |
ContentExtraction.DefaultCharsetForSubFileName | N/A | Defines the default character set that is used in decoding the sub-filename if the charset conversion fails. |
ContentExtraction.EnableMetaData | off | Allows detection on file metadata. If the setting is turned on, you can detect metadata for Microsoft Office and PDF files. For Microsoft Office files, OLE metadata is supported, which includes the fields Title, Subject, Author, and Keywords. For PDF files, only Document Information Dictionary metadata is supported, which includes fields such as Author, Title, Subject, Creation, and Update dates. Extensible Metadata Platform (XMP) content is not detected. Note that enabling this metadata detection option can cause false positives. |
ContentExtraction.ImageExtractorEnabled | 1 | Allows you to adjust or turn off content extraction for Form Recognition. The default setting, 1, loads the Image Extractor plug-in on demand. If one or more Form Recognition rules are used, the Dynamic Image Extractor plug-in automatically loads on the detection server when corresponding policy updates are received. When Form Recognition rules are deleted or disabled, the plug-in automatically unloads. This option prevents the Dynamic Image Extractor plug-in from running if Form Recognition is not being used. Enter 0 to disable the Image Extractor plug-in. This setting prevents Form Recognition from extracting images, effectively disabling the feature. Enter 2 if you want the Image Extractor plug-in to load when the content extraction service launches after the detection server starts up. The plug-in continues to run regardless of whether Form Recognition policies have been configured or not. |
ContentExtraction.LongContentSize | 1M | If the message component exceeds this size (in bytes) then the ContentExtraction.LongTimeout is used instead of ContentExtraction.ShortTimeout. |
ContentExtraction.LongTimeout | Varies | The default value for this setting varies depending on detection server type (60,000 or 120,000). The time interval (in milliseconds) given to the ContentExtractor to process a document larger than ContentExtraction.LongContentSize. If the document cannot be processed within the specified time it's reported as unprocessed. This value should be greater than ContentExtraction.ShortTimeout and less than ContentExtraction.RunawayTimeout. |
ContentExtraction.MarkupAsText | off | Bypasses Content Extraction for files that are determined to be XML or HTML. This should be used in cases such as web pages containing data in the header block or script blocks. Default is off. |
ContentExtraction.MaxContentSize | 30M | The maximum size (in MB) of the document that can be processed by the ContentExtractor. |
ContentExtraction.MaxNumImagesToExtract | 10 | The maximum number of images to extract from PDF files and multi-page TIFF documents. |
ContentExtraction.RunawayTimeout | 300,000 | The time interval (in milliseconds) given to the ContentExtractor to finish processing of any document. If the ContentExtractor does not finish processing some document within this time it will be considered unstable and it will be restarted. This value should be significantly greater than ContentExtraction.LongTimeout. |
ContentExtraction.ShortTimeout | 30,000 | The time interval (in milliseconds) given to the ContentExtractor to process a document smaller than ContentExtraction.LongContentSize. If the document cannot be processed within the specified time it is reported as unprocessed. This value should be less than ContentExtraction.LongTimeout. |
ContentExtraction.TemporaryDirectory | N/A | Specifies the directory for temporary content extraction files. |
ContentExtraction.TrackedChanges | off | Allows detection of content that has changed over time (Track Changes content) in Microsoft Office documents. Using the foregoing option might reduce the accuracy rate for IDM and data identifiers. The default is set to off (disallow). To index content that has changed over time, set ContentExtraction.TrackedChanges=on in the Indexer.properties file. The default and recommended setting is off. |
DDM.MaxBinMatchSize | 30,000,000 | The maximum size (in bytes) used to generate the MD5 hash for an exact binary match in an IDM. This setting should not be changed. The following conditions must be matched for IDM to work correctly:
Changing the first or third item in the list requires re-indexing all IDM files. |
Detection.EncodingGuessingDefaultEncoding | ISO-8859-1 | Specifies the backup encoding assumed for a byte stream. |
Detection.EncodingGuessingEnabled | on | Designates whether the encoding of unknown byte streams should be guessed. |
Detection.EncodingGuessingMinimumConfidence | 50 | Specifies the confidence level required for guessing the encoding of unknown byte streams. |
Detection.MessageTimeoutReportIntervalInSeconds | 3600 | Number of seconds between each System Event published to display the number of messages that have timed out recently. These System Events are scheduled to be published at a fixed rate, but will be skipped if no messages have timed out in that period. |
DI.MaxViolations | 100 | Specifies the maximum number of violations allowed with data identifiers. |
Discover.CountAllFilteredItems | false | Provides more accurate scan statistics by counting the items in folders skipped because of filtering. Setting the value to false enables optimized Discover path filters, which improve performance but may occasionally lead to unexpected filter behavior. Optimized filters normalize slashes, truncate filter strings before wildcard characters, and remove trailing slashes. Therefore, the filter string /Fol*der will match /Folder, but it will also match /FolXYZ. Set this value to true to disable optimized Discover path filters. |
Discover.Exchange.FollowRedirects | true | Specifies whether to follow redirects. Symantec Data Loss Prevention follows redirects only from the public root folder. |
Discover.Exchange.ScanHiddenItems | false | Scan hidden items in Exchange repositories, when set to true. |
Discover.Exchange.UseSecureHttpConnections | true | Specifies whether connections to Exchange repositories and Active Directory are secure when using the Exchange Web Services crawler. |
Discover.IgnorePstMessageClasses | IPM.Appointment, IPM.Contact, IPM.Task, REPORT.IPM.Note.DR, REPORT.IPM.Note.IPNRN | This setting specifies a comma-separated list of .pst message classes. All items in a .pst file that have a message class in the list will be ignored (no attempt will be made to extract the .pst item). This setting is case-sensitive. |
Discover.IncludePstMessageClasses | IPM.Note | This setting specifies a comma-separated list of .pst message classes. All items in a .pst file that have a message class in the list will be included. When both the include setting and the ignore setting are defined, Discover.IncludePstMessageClasses takes precedence. |
Discover.PollInterval | 10000 | Specifies the time interval (in milliseconds) at which Enforce retrieves data from the Discover monitor while scanning. |
Discover.Sharepoint.FetchACL | true | Turns off ACL fetching for integrated SharePoint scans. The default value is true (on). |
Discover.Sharepoint.SocketTimeout | 60000 | Sets the timeout value of the socket connection (in milliseconds) between the Network Discover server and the SharePoint target. |
Discover.ValidateSSLCertificates | false | Set to true to enable validation of the SSL certificates for the HTTPS connections for SharePoint and Exchange targets. When validation is enabled, scanning SharePoint or Exchange servers using self-signed or untrusted certificates fails. If the SharePoint web application or Exchange server is signed by a certificate issued by a certificate authority (CA), then the server certificate or the server CA certificate must reside in the Java trusted keystore used by the Discover Server. If the certificate is not in the keystore, you must import it manually using the keytool utility. |
DiscoverCluster.AclFetcherTimeoutInSeconds | 180 | |
DiscoverCluster.FetchAclAsynchronously | false | |
DiscoverCluster.UseNativeMounting | false | |
DiscoverCluster.ContentFetcherThreadPoolSize | 24 | Specify the bounded thread pool size for the content fetcher, between 4 and 24. |
DiscoverCluster.CrawlerThreadPoolSize | 1 | Number of crawler threads on the worker node. The crawler thread is responsible for picking up the next folder for scanning. |
EDM.HighlightAllMatchesInProximity | false | If false (default), the system highlights the minimum number of matches, starting from the leftmost. For example, if the EDM policy is configured to match 3 out of 8 column fields in the index, only the first 3 matches are highlighted in the incident snapshot. If true, the system highlights all matches occurring in the proximity window, including duplicates. For example, if the policy is configured to match 3 of 8 and there are 7 matches occurring within the proximity window, the system highlights all 7 matches in the incident snapshot. |
EDM.MatchCountVariant | 3 | Specifies how matches are counted.
|
EDM.MaximumNumberOfMatchesToReturn | 100 | Defines a top limit on the number of matches returned from each RAM index search. |
EDM.RunProximityLogic | true | If true, runs the token proximity check. |
EDM.SimpleTextProximityRadius | 35 | Number of tokens that are evaluated together when the proximity check is enabled. |
EDM.TokenVerifierEnabled | false | If enabled (true), the server validates tokens for Chinese, Japanese, and Korean (CJK) keywords. Default is disabled (false). |
EMDI.MaxLookups | 10000 | Maximum number of EMDI lookups. Increasing the limit above the default value of 10000 increases the likelihood of false positives and performance degrades linearly. For example, a setting of 20000 is twice as slow as a setting of 10000. To change this setting, you add EMDI.MaxLookups=<value> to the protect.properties file. |
EndpointCommunications.AllConnInboundDataThrottleInKBPS | 0 | If enabled, limits the transfer rate of all inbound traffic in kilobits per second. Default is disabled. Changes to this setting apply to all new connections. Changes do not affect existing connections. |
EndpointCommunications.AllConnOutboundDataThrottleInKBPS | 0 | If enabled, limits the transfer rate of all outbound traffic in kilobits per second. Default is disabled. Changes to this setting apply to all new connections. Changes do not affect existing connections. |
EndpointCommunications.ApplicationHandshakeTimeoutInSeconds | 60 | Maximum time for server to wait for each round trip during application handshake communications before closing the server-to-agent connection. Applies to the duration of time between when the agent accepts the TCP connection and when the agent receives the handshake message. This duration includes the SSL handshake and the agent receiving the HTTP headers. If the process exceeds the specified duration, the connection closes. Changes to this setting apply to all new connections. Changes do not affect existing connections. |
EndpointCommunications.MaxActiveAgentsPerServer | 90000 | Sets the maximum number of agents associated with a given server at any moment in time. This setting is implemented after the next Endpoint Server restart. |
EndpointCommunications.MaxActiveAgentsPerServerGroup | 150000 | Sets the maximum number of agents that will be associated with a given group of servers behind the same local load balancer at any moment in time. Used for maximum sizes of caches for internal endpoint features. This setting is implemented after the next Endpoint Server restart. |
EndpointCommunications.MaxConcurrentConnections | 90000 | Sets the maximum number of simultaneous connections to allow. Changes to this setting apply to all new connections. Changes do not affect existing connections. |
EndpointCommunications.MaxConnectionLifetimeInSeconds | 86400 (1 day) | Sets the maximum time to allow a connection to remain open. Do not set connections to remain open indefinitely. Connections that close ensure that SSL session keys are frequently updated to improve security. This timeout only applies during the normal operation phase of a connection, after the SSL handshake and application handshake phases of a connection. This setting is implemented immediately to all connections. |
EndpointCommunications.ShutdownTimeoutInMillis | 5000 (5 seconds) | Sets the maximum time to wait to gracefully close connections during shutdown before forcing connections to close. This setting is implemented immediately to all connections. |
EndpointCommunications.SSLCipherSuites | TLS_RSA_WITH_AES_128_CBC_SHA | Lists the allowed SSL cipher suites. Enter multiple entries, separated by commas. Changes to this setting apply to all new connections. Changes do not affect existing connections. You must restart the Endpoint Server for changes you make to take effect. If you are using FIPS 140-2 mode for communication between the Endpoint Server and DLP Agents, do not use Diffie-Hellman (DH) cipher suites. Mixing cipher suites prevents the agent and Endpoint Server from communicating. |
EndpointCommunications.SSLSessionCacheTimeoutInSeconds | 86400 | Sets the maximum SSL session entry lifetime in the SSL session cache. The default setting equals one day. This setting is implemented after the next Endpoint Server restart. |
EndpointMessageStatistics.MaxFileDetectionCount | 100 | The maximum number of times a valid file will be scanned. The file must not cause an incident. After exceeding this number, a system event is generated recommending that the file be filtered out. |
EndpointMessageStatistics.MaxFolderDetectionCount | 1800 | The maximum number of times a valid folder will be scanned. The folder must not cause an incident. After exceeding this number, a system event is generated recommending that the file be filtered out. |
EndpointMessageStatistics.MaxMessageCount | 2000 | The maximum number of times a valid message will be scanned. The message must not cause an incident. After exceeding this number, a system event is generated recommending that the file be filtered out. |
EndpointMessageStatistics.MaxSetSize | 3 | The maximum list of hosts displayed from where valid files, folders, and messages come. When a system event for EndpointMessageStatistics.MaxFileDetectionCount, EndpointMessageStatistics.MaxFolderDetectionCount, or EndpointMessageStatistics.MaxMessageCount is generated, Symantec Data Loss Prevention lists the host machines where these system events were generated. This setting limits the number of hosts displayed in the list. |
EndpointServer.Discover.ScanStatusBatchInterval | 60000 | The interval of time in milliseconds the Endpoint Server accumulates Endpoint Discover scan statuses before sending them to the Endpoint Server as a batch. |
EndpointServer.Discover.ScanStatusBatchSize | 1000 | The number of scan statuses the Aggregator accumulates before sending them to the Enforce Server as a batch. The Endpoint Server forwards a batch of statuses to the Enforce Server when the status count reaches the configured value. The batch is forwarded to the Enforce Server when any of the thresholds for the following settings are met:
|
EndpointServer.EndpointSystemEventQueueSize | 20000 | The maximum number of system events that can be stored in the endpoint agent's queue to be sent to the Endpoint Server. If the database connection is lost or some other occurrence results in a massive number of system events, any additional system events that occur after this number is reached are discarded. This value can be adjusted according to memory requirements. |
EndpointServer.MaxPercentageMemToStoreEndpointFiles | 60 | The maximum amount (in percentage) of memory to use to store shadow cache files. |
EndpointServer.MaxTimeToKeepEndpointFilesOpen | 20000 | The time interval (in minutes) that the endpoint file is kept open or the file size can exceed the EndpointServer.MaxEndpointFileSize setting, whichever occurs first. |
EndpointServer.MaxTimeToWaitForWriter | 1000 | The maximum time (in milliseconds) that the agent will wait to connect to the server. |
EndpointServer.NoOfRecievers | 15 | The number of endpoint shadow cache file receivers. |
EndpointServer.NoOfWriters | 10 | The number of endpoint shadow cache file writers. |
FileReader.MaxFileSize | 30M | The maximum size (in MB) of a message to be processed. Larger messages are truncated to this size. To process large files, ensure that this value is equal to or greater than the value of ContentExtraction.MaxContentSize. |
FileReader.MaxFileSystemCrawlerMemory | 1024M | The maximum memory that is allocated for the File System Crawler. If this value is less than FileReader.MaxFileSize, then the greater of the two values is assigned. |
FileReader.MaxReadGap | 15 | The time that a child process can have data but not have read anything before it stops sending heartbeats. |
FileReader.ScheduledInterval | 1000 | The time interval (in milliseconds) between drop folder checks by the filereader. This affects Copy Rule, Packet Capture, and File System channels only. |
FileReader.TempDirectory | Path to a secure directory as specified in the filereader.temp.io.dir attribute in the FileReader.properties configuration file. | A secure directory on the detection server in which to store temporary files for the file reader. |
FormRecognition.ALIGNMENT_COEFFICIENT | 85.00 | A threshold on a scale from 0 to 100, indicating how well an image should align with an indexed gallery form in order to create an incident. |
FormRecognition.CANONICAL_FORM_WIDTH | 930 | The width in pixels to which all images are internally resized for form recognition. |
Icap.AllowHosts | any | The default value of "any" permits all systems to make a connection to the Network Prevent for Web Server on the ICAP service port. Replacing "any" with the IP address or Fully-Qualified Domain Name (FQDN) of one or more systems restricts ICAP connections to just those designated systems. To designate multiple systems, separate their IP addresses or FQDNs by commas. |
Icap.AllowStreaming | false | If true, ICAP output is streamed to the proxy directly without buffering the ICAP request first. |
Icap.BindAddress | 0.0.0.0 | IP address to which a Network Prevent for Web Server listener binds. When BindAddress is configured, the server will only answer a connection to that IP address. The default value of 0.0.0.0 is a wild card that permits listening to all available addresses including 127.0.0.1. |
Icap.BufferSize | 3K | The size (in kilobytes) of the memory buffer used for ICAP request streaming and chunking. The streaming can happen only if the request is larger than FileReader.MaxFileSize and the request has a Content-Length header. |
Icap.DisableHealthCheck | false | If true, disables the ICAP periodic self-check. If false, enables the ICAP periodic self-check. This setting is useful for debugging to remove clutter produced by self-check requests from the logs. |
Icap.EnableIncidentSuppression | true | Enables the Incident Suppression cache for Gmail Tablet ICAP traffic. |
Icap.EnableTrace | false | If set to true, protocol debug tracing is enabled once a folder is specified using the Icap.TraceFolder setting. |
Icap.ExchangeActiveSyncCommandsToInspect | SendMail | A comma-separated, case-sensitive list of ActiveSync commands which need to be sent through Symantec Data Loss Prevention detection. If this parameter is left blank, ActiveSync support is disabled. If this parameter is set to "any", all ActiveSync commands are inspected. |
Icap.IncidentSuppressionCacheCleanupInterval | 120000 | The time interval in milliseconds for running the Incident Suppression cache clean-up thread. |
Icap.IncidentSuppressionCacheTimeout | 120000 | The time in milliseconds to invalidate the Incident Suppression cache entry. |
Icap.LoadBalanceFactor | 1 | The number of web proxy servers that a Network Prevent for Web server is able to communicate with. For example, if the server is configured to communicate with 3 proxies, set the Icap.LoadBalanceFactor value to 3. |
Icap.SpoolFolder | N/A | This value is needed for ICAP Spools. |
Icap.TraceFolder | N/A | The fully qualified name of the folder or directory where protocol debug trace data is stored when the Icap.EnableTrace setting is true. By default, the value for this setting is left blank. |
ImagePreclassifier.ENABLE_FORM_RECOGNITION_PRECLASSIFIER | true | Determines what types of images are processed for form recognition. If true, Symantec Data Loss Prevention filters out colorful photographs, images such as logos, email signatures, and other images that are not characteristic of forms. If false, Symantec Data Loss Prevention processes all images. |
ImagePreclassifier.ENABLE_OCR_PRECLASSIFIER | true | Determines what types of images are processed for optical character recognition (OCR). If true, Symantec Data Loss Prevention filters out colorful photographs, images such as logos, email signatures, and other images that do not include meaningful text. If false, Symantec Data Loss Prevention processes all images. |
ImageRecognition.NUM_WORKER_THREADS | 2 | The number of threads in the pool used by the image recognition detection process. The value for this setting should equal half of the number of physical cores on your system. |
IncidentDetection.IncidentLimitResetTime | 86400000 | Specifies the time frame (in milliseconds) used by the IncidentDetection.MaxIncidentsPerPolicy setting. The default setting 86400000 equals one day. |
IncidentDetection.MaxContentLength | 2000000 | Applies only to regular expression rules. On a per-component basis, only the first MaxContentLength number of characters are scanned for violations. The default (2,000,000) is equivalent to > 1000 pages of typical text. The limiter exists to prevent regular expression rules from taking too long. |
IncidentDetection.MaxIncidentsPerPolicy | 10000 | Defines the maximum number of incidents detected by a specific policy on a particular monitor within the time-frame specified in the IncidentDetection.IncidentTimeLimitResetTime. The default is 10,000 incidents per policy per time limit. |
IncidentDetection.MessageWaitSevere | 240 | The number of minutes to wait before sending a severe system event about message wait times. |
IncidentDetection.MessageWaitWarning | 60 | The number of minutes to wait before sending a warning system event about message wait times. |
IncidentDetection.MinNormalizedSize | 30 | This setting applies to IDM detection. It MUST be kept in sync with the corresponding setting in the Indexer.properties file on the Enforce Server (which applies to indexing). Derivative detections only apply to messages when their normalized content is greater than this setting. If the normalized content size is less than this setting, IDM detection does a straight binary match. |
IncidentDetection.patternConditionMaxViolations | 100 | The maximum number of matches a detection server reports. The detection server does not report more matches than the value of the IncidentDetection.patternConditionMaxViolations parameter, even if more exist. |
IncidentDetection.StopCachingWhenMemoryLowerThan | 400M | Instructs Detection to stop caching tokenized and cryptographic content between rule executions if the available JVM memory drops below this value (in megabytes). Setting this attribute to 0 enables caching regardless of the available memory and is not recommended because OutOfMemoryErrors may occur. Setting this attribute to a value close to, or larger than, the value of the -Xmx option in BoxMonitor.FileReaderMemory effectively disables the caching. Note that setting this value too low can have severe performance consequences. |
IncidentDetection.TrialMode | false | Prevention trial mode setting to generate prevention incidents without having a prevention setup. If true, SMTP incidents coming from the Copy Rule and Packet Capture channels appear as if they were prevented and HTTP incidents coming from Packet Capture channel appear as if they were prevented. |
IncidentWriter.BacklogInfo | 1000 | The number of incidents that collect in the log before an information level message about the number of messages is generated. |
IncidentWriter.BacklogSevere | 10000 | The number of incidents that collect in the log before a severe level message about the number of messages is generated. |
IncidentWriter.BacklogWarning | 3000 | The number of incidents that collect in the log before a warning level message about the number of messages is generated. |
IncidentWriter.ResolveIncidentDNSNames | false | If true, only recipient host names are resolved from IP. |
IncidentWriter.ShouldEncryptContent | true | If true, the monitor will encrypt the body of every message, message component and cracked component before writing to disk or sending to Enforce. |
Keyword.TokenVerifierEnabled | false | Default is disabled (false). If enabled (true), the server validates tokens for Asian language keywords (Chinese, Japanese, and Korean). |
L7.cleanHttpBody | true | If true, the HTML entity references are replaced with spaces. |
L7.DefaultBATV | Standard | This setting determines the tagging scheme that Network Prevent for Email uses to interpret Bounce Address Tag Validation (BATV) tags in the MAIL FROM header of a message. If this setting is “Standard” (the default), Network Prevent uses the tagging scheme described in the BATV specification: Change this setting to “Ironport” to enable compatibility with the IronPort proxy’s implementation of BATV tagging. |
L7.DefaultUrlEncodedCharset | UTF-8 | Defines the default character set to be used in decoding query parameters or URL-encoded body when the character set information is missing from the header. |
L7.discardDuplicateMessages | true | If true, the Monitor ignores duplicate messages based on the messageID. If Network Prevent for Email is not blocking messages correctly in a Microsoft 365 environment, even though incidents are properly generated, set L7.discardDuplicateMessages to false.
|
L7.ExtractBATV | true | If true (the default), Network Prevent for Email interprets Bounce Address Tag Validation (BATV) tags that are present in the MAIL FROM header of a message. This allows Network Prevent to include a meaningful sender address in incidents that are generated from messages having BATV tags. If this setting is false, Network Prevent for Email does not interpret BATV tags, and a message that contains BATV tags may generate an incident that has an unreadable sender address. See http://tools.ietf.org/html/draft-levine-mass-batv-02 for more information about BATV. |
L7.httpClientIdHeader | X-Forwarded-For | The sender identifier header name. |
L7.MAX_NUM_HTTP_HEADERS | 50 | Any HTTP message that contains more than the specified number of header lines is discarded. |
L7.maxWordLength | 30 | The maximum word length (in characters) allowed in UTCP string extraction. |
L7.messageIDCacheCleanupInterval | 600000 | The length of time that the messageID is cached. The system will not cache duplicate messages during this time period if the L7.discardDuplicateMessages setting is set to true. |
L7.minSizeOfGetUrl | 100 | The minimum size of the GET URL to process. HTTP GET actions are not inspected by Symantec Data Loss Prevention for policy violations if the number of bytes in the URL is less than the value of this setting. For example, with the default value of 100, no detection check is performed when a browser displays the Symantec web site at: http://www.symantec.com/index.jsp. The reason is that the URL contains only 33 characters, which is less than the 100 minimum. Other request types such as POST or PUT are not affected by L7.minSizeOfGetUrl. In order for Symantec Data Loss Prevention to inspect any GET actions at all, the L7.processGets setting must be set to true. |
L7.processGets | true | If true, the GET requests are processed. If false, the GET requests are not processed. Note that this setting interacts with the L7.minSizeOfGetUrl setting. |
Lexer.IncludePunctuationInWords | true | If true, punctuation characters internal to a token are considered during detection. |
Lexer.MaximumNumberOfTokens | 30000 | Maximum number of tokens extracted from each message component for detection. Applicable to all detection technologies where tokenization is required (EDM, profiled DGM, and the system patterns supported by those technologies). Increasing the default value may cause the detection server to run out of memory and restart. |
Lexer.Validate | true | If true, performs system pattern-specific validation. |
Max_EMDI_Lookup.int | 10000 | Maximum number of EMDI lookups. Increasing this number increases the likelihood of false positives. |
MessageChain.ArchiveTimedOutStreams | false | Specifies whether messages should be archived to the temp folder. |
MessageChain.CacheSize | 8 | Limits the number of messages that can be queued in the message chains. |
MessageChain.ContentDumpEnabled | false | If set to true, each message entering the detection message chain is logged to ${SymantecDLP.temp.dir}/dump. This setting is intended for use in troubleshooting and debugging. |
MessageChain.MaximumComponentTime | Varies | The time interval (in milliseconds) allowed before any chain component is restarted. The setting varies based on the type of detection server: |
MessageChain.MaximumFailureTime | 360000 | Number of milliseconds that must elapse before restarting the file reader. This is tracked after a message chain error is detected and that message chain has not been recovered. |
MessageChain.MaximumMessageTime | Varies | The maximum time interval (in milliseconds) that a message can remain in a message chain. The setting varies based on the type of detection server: |
MessageChain.MemoryThrottlerReservedBytes | 200,000,000 | Number of bytes required to be available before a message is sent through the message chain. This setting can avoid out-of-memory issues. The default value is 200 MB. The throttler can be disabled by setting this value to 0. |
MessageChain.MinimumFailureTime | 30000 | Number of milliseconds that must elapse before failure of a message chain is tracked. Failure eventually leads to restarting the message chain or file reader. |
MessageChain.NumChains | Varies | The number of messages that the file reader processes in parallel. This number varies depending on detection server type. It is either 4 or 8. Setting this number higher than 8 (with the other default settings) is not recommended. A higher setting does not substantially increase performance and there is a much greater risk of running out of memory. Setting this to less than 8 (in some cases 1) helps when processing big files, but it may slow down the system considerably. |
MessageChain.StopProcessingWhenMemoryLowerThan | 200M | Instructs detection to stop drilling down into and processing sub-files if JVM available memory drops below this value. Setting this attribute to 0 will force sub-file processing, regardless of how little memory is available. Setting this attribute to a value close to or larger than the value of the -Xmx option in BoxMonitor.FileReaderMemory will effectively disable sub-file processing. |
OCR.ENABLE_AUTO_LANGUAGE_DETECTION | true | When true, this setting enables the OCR engine to extract text more quickly by automatically identifying the language or languages in an image, rather than processing every language in the OCR configuration. When false, the OCR engine extracts the text using every language in the OCR configuration, making text extraction slower but improving accuracy. |
OCR.ENABLE_SPELL_CHECK | true | When true, this setting enables the OCR engine to extract text more accurately by using internal spelling dictionaries. When false, the accuracy of extracted text may be reduced. |
OCR.RECORD_REQUEST_STATISTICS | false | When true, this setting enables the OCR sizing tool. The OCR sizing tool gives you insight into your image traffic data, which helps you determine the sizing requirements for your OCR implementation. |
PacketCapture.DISCARD_HTTP_GET | true | If true, discards HTTP GET streams. |
PacketCapture.DOES_DISCARD_TRIGGER_STREAM_DUMP | false | If true, a list of tcpstreams is dumped to an output file in the log directory the first time a discard message is received. |
PacketCapture.ENDACE_BIN_PATH | N/A | To enable packet-capture using an Endace card, enter the path to the Endace /bin directory. Note that environment variables (such as %ENDACE_HOME%) cannot be used in this setting. For example: /usr/local/bin |
PacketCapture.ENDACE_LIB_PATH | N/A | To enable packet-capture using an Endace card, enter the path to the Endace /lib directory. Note that environment variables (such as %ENDACE_HOME%) cannot be used in this setting. For example: /usr/local/lib |
PacketCapture.ENDACE_XILINX_PATH | N/A | To enable packet-capture using an Endace card, enter the path to the Endace /xilinx directory. Note that environment variables (such as %ENDACE_HOME%) cannot be used in this setting. For example: /usr/local/dag/xilinx |
PacketCapture.Filter | tcp || ip proto 47 || (vlan && (tcp || ip proto 47)) | When set to the default value all non-TCP packets are filtered out and not sent to Network Monitor. The default value can be overridden using the tcpdump filter format documented in the tcpdump program. This setting allows specialists to create more exact filters (source and destination IPs for given ports). |
PacketCapture.INPUT_SOURCE_FILE | /dummy.dmp | The full path and name of the input file. |
PacketCapture.IS_ARCHIVING_PACKETS | false | DO NOT USE THIS FIELD. Diagnostic setting that creates dumps of packets captured in packetcapture for later reuse. This feature is unsupported and does not have normal error checking. May cause repeated restarts on pcap. |
PacketCapture.IS_ENDACE_ENABLED | false | To enable packet-capture using an Endace card, set this value to true. |
PacketCapture.IS_FTP_RETR_ENABLED | false | If true, FTP GETS and FTP PUTS are processed. If false, only FTP PUTS are processed. |
PacketCapture.IS_INPUT_SOURCE_FILE | false | If true, continually reads in packets from a tcpdump formatted file indicated in INPUT_SOURCE_FILE. Set to dag when an Endace card is installed. |
PacketCapture.IS_NAPATECH_ENABLED | false | To enable packet-capture using a Napatech card, set this value to true. The default setting is false. |
PacketCapture.KERNEL_BUFFER_SIZE_I686 | 64M | For 32-bit Linux platforms, this setting specifies the amount of memory allocated to buffer network packets. Specify K for kilobytes or M for megabytes. Do not specify a value larger than 128M. |
PacketCapture.KERNEL_BUFFER_SIZE_Win32 | 16M | For 32-bit Windows platforms, this setting specifies the amount of memory allocated to buffer network packets. Specify K for kilobytes or M for megabytes. |
PacketCapture.KERNEL_BUFFER_SIZE_X64 | 64M | For 64-bit Windows platforms, this setting specifies the amount of memory allocated to buffer network packets. Specify K for kilobytes or M for megabytes. |
PacketCapture.KERNEL_BUFFER_SIZE_X86_64 | 64M | For 64-bit Linux platforms, this setting specifies the amount of memory allocated to buffer network packets. Specify K for kilobytes or M for megabytes. Do not specify a value larger than 64M. |
PacketCapture.MAX_FILES_PER_DIRECTORY | 30000 | After the specified number of file streams are processed, a new directory is created. |
PacketCapture.MBYTES_LEFT_TO_DISABLE_CAPTURE | 1000 | If the amount of disk space (in MB) left on the drop_pcap drive falls below this specification, packet capture is suspended. For example, if this number is 100, pcap will stop writing out drop_pcap files when there is less than 100 MB on the installed drive. |
PacketCapture.MBYTES_REQUIRED_TO_RESTART_CAPTURE | 1500 | The amount of disk space (in MB) needed on the drop_pcap drive before packet capture resumes again after stopping due to lack of space. For example, if this value is 150 and packet capture is suspended, packet capture resumes when more than 150 MB is available on the drop_pcap drive. |
PacketCapture.NAPATECH_TOOLS_PATH | N/A | This setting specifies the location of the Napatech Tools directory. This directory is not set by default. If packet-capture is enabled for Napatech, enter the fully qualified path to the Napatech Tools installation directory. |
PacketCapture.NO_TRAFFIC_ALERT_PERIOD | 86,400 | The refresh time (in seconds) between no-traffic alert messages. No-traffic system events are created for a given protocol based on this time period. For instance, if this is set to 24*60*60 seconds, a new message is sent every day that there is no new traffic for a given protocol. Do not confuse this with the per-protocol traffic timeout, which specifies how long the system initially goes without traffic before it sends the first alert. |
PacketCapture.NUMBER_BUFFER_POOL_PACKETS | 600000 | The number of standard-sized preallocated packet buffers used to buffer and sort incoming traffic. |
PacketCapture.NUMBER_JUMBO_POOL_PACKETS | 1 | The number of large-sized preallocated packet buffers that are used to buffer and sort incoming traffic. |
PacketCapture.NUMBER_SMALL_POOL_PACKETS | 200000 | The number of small-sized preallocated packet buffers that are used to buffer and sort incoming traffic. |
PacketCapture.RING_CAPTURE_LENGTH | 1518 | Controls the amount of packet data that is captured. The default value of 1518 is sufficient to capture typical Ethernet networks and Ethernet over 802.1Q tagged VLANs. |
PacketCapture.RING_DEVICE_MEM | 67108864 | This setting is deprecated. Instead, use the PacketCapture.KERNEL_BUFFER_SIZE_I686 setting (for 32-bit Linux platforms) or the PacketCapture.KERNEL_BUFFER_SIZE_X86_64 setting (for 64-bit Linux platforms). Specifies the amount of memory (in bytes) to be allocated to buffer packets per device. (The default of 67108864 is equivalent to 64MB.) |
PacketCapture.SIZE_BUFFER_POOL_PACKETS | 1540 | The size of standard-sized buffer pool packets. |
PacketCapture.SIZE_JUMBO_POOL_PACKETS | 10000 | The size of jumbo-sized buffer pool packets. |
PacketCapture.SIZE_SMALL_POOL_PACKETS | 150 | The size of small-sized buffer pool packets. |
PacketCapture.SPOOL_DIRECTORY | N/A | The directory in which to spool streams with large numbers of packets. This setting is user defined. |
PacketCapture.STREAM_WRITE_TIMEOUT | 5000 | The time (in milliseconds) between each count (StreamManager's write timeout). |
RequestProcessor.AddDefaultHeader | true | If true, adds a default header to every email processed (when in Inline SMTP mode). The default header is RequestProcessor.DefaultHeader. This header is added to all messages that pass through the system; that is, it is added whether the message is redirected, has another header added, or has no policy violations. |
RequestProcessor.AddHeaderOnMessageTimeout | false | The default value sets the system to continue sending messages if there is a message timeout. If set to true, the X-Header “X-Symantec-DLP: Message timed out (potential Enforce System event 1213)” is inserted in the email message. The downstream edge MTA uses this header information to handle the message, and the log message displays “Passed message through due to timeout, with added timeout header.” |
RequestProcessor.AllowExtensions | 8BITMIME VRFY DSN HELP PIPELINING SIZE ENHANCEDSTATUSCODES STARTTLS | This setting lists the SMTP protocol extensions that Network Prevent for Email can use when it communicates with other MTAs. |
RequestProcessor.AllowHosts | any | The default value of any permits all systems to make connections to the Network Prevent for Email Server on the SMTP service port. Replacing any with the IP address or Fully-Qualified Domain Name (FQDN) of one or more systems restricts SMTP connections to just those designated systems. To designate multiple systems, separate their addresses with commas. Use only a comma to separate addresses; do not include any spaces between the addresses. |
RequestProcessor.AllowUnauthenticatedConnections | false | The default value ensures that MTAs must authenticate with Network Prevent for Email for TLS communication. |
RequestProcessor.Backlog | 12 | The backlog that the request processor specifies for the server socket listener. |
RequestProcessor.BindAddress | 0.0.0.0 | IP address to which a Network Prevent for Email Server listener binds. When BindAddress is configured, the server will only answer a connection to that IP address. The default value of 0.0.0.0 is a wild card that permits listening to all available addresses including 127.0.0.1. |
RequestProcessor.BlockStatusCodeOverride | 5.7.1 | Enables overriding of the ESMTP status code sent back to the upstream MTA when executing a block response rule. Accepted values are 5.7.0 and 5.7.1. If any other values are entered, this setting will fall back to the default of 5.7.1. Use of the 5.7.0 value (other or undefined security status) is preferred when the detection server is working with Office365 email, because the 5.7.1 value provides an incorrect context for the Office365 use case. |
RequestProcessor.CacheCleanupInterval | 120000 | Specifies the interval after which the cached responses are cleaned from the cache. Units are in milliseconds. |
RequestProcessor.CachedMessageTimeout | 120000 | Specifies the amount of time after generation when a given cached response can be cleared from the cache. Units are in milliseconds. |
RequestProcessor.CacheEnabled | false | Enables caching of responses for duplicate SMTP messages. The cache was added as part of the cloud solution to support envelope splitting. |
RequestProcessor.DefaultCommandTimeout | 300 | Specifies the number of seconds the Network Prevent for Email Server waits for a response to an SMTP command before closing connections to the upstream and downstream MTAs. The default is 300 seconds. This setting does not apply to the "." command (the end of a DATA command). Do not modify the default without first consulting Symantec support. |
RequestProcessor.DefaultPassHeader | X-CFilter-Loop: Reflected | This is the default header that is added to messages that pass through Email Prevent. |
RequestProcessor.DotCommandTimeout | 600 | Specifies the number of seconds the Network Prevent for Email Server waits for a response to the "." command (the end of a DATA command) before closing connections to the upstream and downstream MTAs. The default is 600 seconds. Do not modify the default without first consulting Symantec support. |
RequestProcessor.ForwardConnectionTimeout | 20000 | The timeout value to use when forwarding to an MTA. |
RequestProcessor.KeyManagementAlgorithm | SunX509 | The key management algorithm used in TLS communication. |
RequestProcessor.MaxLineSize | 1048576 | The maximum size (in bytes) of data lines expected from an external MTA. If the data lines are larger than this, they are broken down to this size. |
RequestProcessor.Mode | ESMTP | Specifies the protocol mode to use (SMTP or ESMTP). |
RequestProcessor.MTAResubmitPort | 10026 | This is the port number used by the request processor on the MTA to resend the SMTP message. |
RequestProcessor.NumberOfDNSAttempts | 4 | The maximum number of DNS queries that Network Prevent for Email performs when it attempts to obtain mail exchange (MX) records for a domain. Network Prevent for Email uses this setting only if you have enabled MX record lookups. |
RequestProcessor.RPLTimeout | 360000 | The maximum time in milliseconds allowed for email message processing by a Prevent server. Any email messages not processed during this time interval are passed on by the server. |
RequestProcessor.ServerSocketPort | 10025 | The port number to be used by the SMTP monitor to listen for incoming connections from MTA. |
RequestProcessor.TagHighestSeverity | false | When set to true, an additional email header that reports the highest severity of all the violated policies is added to the message. For example, if the email violated a policy of severity HIGH and a policy of severity LOW, it shows: X-DLP-MAX-Severity:HIGH. |
RequestProcessor.TagPolicyCount | false | When set to true, an additional email header reporting the total number of policies that the message violates is added to the message. For example, if the message violates 3 policies, a header reading: X-DLP-Policy-Count: 3 is added. |
RequestProcessor.TagScore | false | When set to true, an additional email header reporting the total cumulative score of all the policies that the message violates is added to the message. Scores are calculated using the formula: High=4, Medium=3, Low=2, and Info=1. For example, if a message violates three policies, one with a severity of medium and two with a severity of low, a header reading: X-DLP-Score: 7 is added. |
RequestProcessor.TrustManagementAlgorithm | PKIX | The trust management algorithm that Network Prevent for Email uses when it validates certificates for TLS communication. You can optionally specify a built-in Java trust manager algorithm (such as SunX509 or SunPKIX) or a custom algorithm that you have developed. |
RequestProcessorListener.ServerSocketPort | 12355 | The local TCP port that FileReader will use to listen for connections from RequestProcessor on a Network Prevent server. |
ServerCommunicator.CONNECT_DELAY_POST_WAKEUP_OR_POST_VPN_SECONDS | 60 | The delay time (in seconds) after which a detection server returning online attempts to connect to the Enforce Server. The default value is 60 seconds. The range for this setting is 30 to 600 seconds. |
SocketCommunication.BufferSize | 8K | The size of the buffer that Network Prevent for Web uses to process ICAP requests. Increase the default value only if you need to process ICAP requests that are greater than 8K. Certain features, such as Active Directory authentication, may require an increase in buffer size. |
UnicodeNormalizer.AsianCharRanges | default | Can be used to override the default definition of characters that are considered Asian by the detection engine. Must be either default, or a comma-separated list of ranges, for example: 11A80-11F9,3200-321E |
UnicodeNormalizer.Enabled | on | Can be used to disable Unicode normalization. Enter off to disable. |
UnicodeNormalizer.NewlineEliminationEnabled | on | Can be used to disable newline elimination for Asian languages. Enter off to disable. |
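
The limits and cautions stated in the table above can be checked mechanically before a change is applied. The following Python audit is an added example, not Symantec code; it assumes the values have been copied by hand into a dict keyed by setting name, and the `SAMPLE` values are constructed.

```python
import re

# Boolean settings: (name, documented default, value to flag, why it matters).
FLAG_RULES = [
    ("IncidentWriter.ShouldEncryptContent", "true", "false",
     "message content is written to disk or sent to Enforce unencrypted"),
    ("MessageChain.ContentDumpEnabled", "false", "true",
     "every message entering the chain is logged to the dump directory"),
    ("PacketCapture.IS_ARCHIVING_PACKETS", "false", "true",
     "unsupported diagnostic packet dumps, documented as DO NOT USE"),
    ("RequestProcessor.AllowUnauthenticatedConnections", "false", "true",
     "MTA authentication for TLS communication is no longer enforced"),
]
# Documented upper bounds for the Linux kernel packet buffers.
BUFFER_LIMITS = {
    "PacketCapture.KERNEL_BUFFER_SIZE_I686": "128M",
    "PacketCapture.KERNEL_BUFFER_SIZE_X86_64": "64M",
}
CONNECT_DELAY = "ServerCommunicator.CONNECT_DELAY_POST_WAKEUP_OR_POST_VPN_SECONDS"

def size_bytes(text):
    """Parse '64M' or '512K'; K and M are the units the table allows."""
    m = re.fullmatch(r"(\d+)([KM])", text.strip().upper())
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    return int(m.group(1)) * (1024 if m.group(2) == "K" else 1024 ** 2)

def audit(settings):
    """Return (setting, finding) pairs; missing keys count as their defaults."""
    findings = []
    def value(name, default):
        return str(settings.get(name, default))
    for name, default, risky, why in FLAG_RULES:
        if value(name, default).strip().lower() == risky:
            findings.append((name, why))
    for name, limit in BUFFER_LIMITS.items():
        if name in settings and size_bytes(settings[name]) > size_bytes(limit):
            findings.append((name, f"exceeds the documented maximum of {limit}"))
    hosts = value("RequestProcessor.AllowHosts", "any")
    if hosts.strip() == "any":
        findings.append(("RequestProcessor.AllowHosts",
                         "any system may connect to the SMTP service port"))
    elif " " in hosts:
        findings.append(("RequestProcessor.AllowHosts",
                         "separate addresses with commas only, no spaces"))
    code = value("RequestProcessor.BlockStatusCodeOverride", "5.7.1").strip()
    if code not in ("5.7.0", "5.7.1"):
        findings.append(("RequestProcessor.BlockStatusCodeOverride",
                         f"{code} is not accepted; the server falls back to 5.7.1"))
    if not 30 <= int(value(CONNECT_DELAY, "60")) <= 600:
        findings.append((CONNECT_DELAY, "outside the 30 to 600 second range"))
    if int(value("MessageChain.NumChains", "8")) > 8:
        findings.append(("MessageChain.NumChains",
                         "above 8 is not recommended: higher out-of-memory risk"))
    return findings

SAMPLE = {  # constructed values, not taken from a real server
    "IncidentWriter.ShouldEncryptContent": "true",
    "MessageChain.ContentDumpEnabled": "true",
    "PacketCapture.KERNEL_BUFFER_SIZE_X86_64": "128M",
    "RequestProcessor.AllowHosts": "192.0.2.10, 192.0.2.11",
    "RequestProcessor.BlockStatusCodeOverride": "5.7.2",
    CONNECT_DELAY: "20",
}

if __name__ == "__main__":
    for name, why in audit(SAMPLE):
        print(f"{name}: {why}")
```

An empty dict still reports `RequestProcessor.AllowHosts`, because the documented default of `any` leaves the SMTP service port open to every system.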