Advanced server settings

This topic covers the advanced settings for detection servers. There is another topic for advanced settings for cloud detectors.
Click Server Settings on the detection server's System > Servers and Detectors > Overview > Server/Detector Detail screen to modify the settings on that server.
Use caution when modifying these settings on a server. Contact Symantec Support before changing any of the settings on this screen. Changes to these settings normally do not take effect until after the server has been restarted.
You cannot change settings for the Enforce Server from the Server/Detector Detail screen. The Server/Detector Detail - Advanced Settings screen only displays for detection servers and detectors.
If you change advanced server settings on Endpoint Servers in a load-balanced environment, you must apply the same changes to all Endpoint Servers in that environment.
Detection server advanced settings
Setting
Default
Description
BoxMonitor.Channels
Varies
The values are case-sensitive and comma-separated if multiple.
Although any mix of them can be configured, the following are the officially supported configurations:
  • Network Monitor Server: Packet Capture, Copy Rule
  • Discover Server: Discover
  • Endpoint Server: Endpoint
  • Network Prevent for Email: Inline SMTP
  • Network Prevent for Web: ICAP
BoxMonitor.DetectionServerDatabase
on
Enables the BoxMonitor process to start the Automated Incident Remediation Tracking database on the Detection Server. If you set this to off, you must start the remediation tracking database manually.
BoxMonitor.DetectionServerDatabaseMemory
-Xrs -Xms300M -Xmx1024M
Any combination of JVM memory flags can be used.
BoxMonitor.DiskUsageError
90
The amount of disk space filled (as a percentage) that will trigger a severe system event. For instance, if Symantec Data Loss Prevention is installed on the C drive and this value is 90, then the detection server creates a severe system event when the C drive usage is above 90%.
BoxMonitor.DiskUsageWarning
80
The amount of disk space filled (as a percentage) that will trigger a warning system event. For instance, if Symantec Data Loss Prevention is installed on the C drive and this value is 80, then the detection server generates a warning system event when the C drive usage is above 80%.
BoxMonitor.EndpointServer
on
Enables the Endpoint Server.
BoxMonitor.EndpointServerMemory
-Xrs -Xms300M -Xmx4096M
Any combination of JVM memory flags can be used. For example: -Xrs -Xms300m -Xmx1024m.
BoxMonitor.FileReader
on
If off, the BoxMonitor cannot start the FileReader, although it can still be started manually.
BoxMonitor.FileReaderMemory
-Xrs -Xms1200M -Xmx4G
FileReader JVM command-line arguments.
BoxMonitor.HeartbeatGapBeforeRestart
960000
The time interval in milliseconds that the BoxMonitor waits for a monitor process (for example, FileReader, IncidentWriter) to report the heartbeat. If the heartbeat is not received within this time interval the BoxMonitor restarts the process.
BoxMonitor.IncidentWriter
on
If off, the BoxMonitor cannot start the IncidentWriter in the two-tier mode, although it can still be started manually. This setting has no effect in the single-tier mode.
BoxMonitor.IncidentWriterMemory
-Xrs
IncidentWriter JVM command-line arguments. For example: -Xrs
BoxMonitor.InitialRestartWaitTime
5000
The time interval in milliseconds that the BoxMonitor waits after restarting a monitor process, such as FileReader or IncidentWriter.
BoxMonitor.MaxRestartCount
3
The number of times that a process can be restarted in one hour before generating a SEVERE system event.
BoxMonitor.MaxRestartCountDuringStartup
5
The maximum number of times that the monitor server will attempt to restart on its own.
BoxMonitor.PacketCapture
on
If off, the BoxMonitor cannot start PacketCapture, although it can still be started manually. The PacketCapture channel must be enabled for this setting to work.
BoxMonitor.PacketCaptureDirectives
-Xrs
PacketCapture command line parameters (in Java). For example: -Xrs
BoxMonitor.ProcessLaunchTimeout
30000
The time interval (in milliseconds) for a monitor process (e.g. FileReader) to start.
BoxMonitor.ProcessShutdownTimeout
45000
The time interval (in milliseconds) allotted to each monitor process to shut down gracefully. If the process is still running after this time the BoxMonitor attempts to kill the process.
BoxMonitor.RequestProcessor
on
If off, the BoxMonitor cannot start the RequestProcessor, although it can still be started manually. The Inline SMTP channel must be enabled for this setting to work.
BoxMonitor.RequestProcessorMemory
-Xrs -Xms300M -Xmx1300M
Any combination of JVM memory flags can be used. For example: -Xrs -Xms300M -Xmx1300M
BoxMonitor.RmiConnectionTimeout
15000
The time interval (in milliseconds) allowed to establish connection to the RMI object.
BoxMonitor.RmiRegistryPort
37329
The TCP port on which the BoxMonitor starts the RMI registry.
BoxMonitor.StatisticsUpdatePeriod
10000
The monitor statistics are updated after this time interval (in milliseconds).
Classification.WebserviceLogRetentionDays
7
Specifies the number of days classification web service logs are retained.
ContentExtraction.DefaultCharsetForSubFileName
N/A
Defines the default character set that is used in decoding the sub-filename if the charset conversion fails.
ContentExtraction.EnableMetaData
off
Allows detection on file metadata. If the setting is turned on, you can detect metadata for Microsoft Office and PDF files. For Microsoft Office files, OLE metadata is supported, which includes the fields Title, Subject, Author, and Keywords. For PDF files, only Document Information Dictionary metadata is supported, which includes fields such as Author, Title, Subject, Creation, and Update dates. Extensible Metadata Platform (XMP) content is not detected. Note that enabling this metadata detection option can cause false positives.
ContentExtraction.ImageExtractorEnabled
1
Allows you to adjust or turn off content extraction for Form Recognition.
The default setting, 1, loads the Image Extractor plug-in on demand. If one or more Form Recognition rules are used, the Dynamic Image Extractor plug-in automatically loads on the detection server when corresponding policy updates are received. When Form Recognition rules are deleted or disabled, the plug-in automatically unloads. This option prevents the Dynamic Image Extractor plug-in from running if Form Recognition is not being used.
Enter 0 to disable the Image Extractor plug-in. This setting prevents Form Recognition from extracting images, effectively disabling the feature.
Enter 2 if you want the Image Extractor plug-in to load when the content extraction service launches after the detection server starts up. The plug-in continues to run regardless of whether Form Recognition policies have been configured.
ContentExtraction.LongContentSize
1M
If the message component exceeds this size (in bytes) then the ContentExtraction.LongTimeout is used instead of ContentExtraction.ShortTimeout.
ContentExtraction.LongTimeout
Varies
The default value for this setting varies depending on detection server type (60,000 or 120,000).
The time interval (in milliseconds) given to the ContentExtractor to process a document larger than ContentExtraction.LongContentSize. If the document cannot be processed within the specified time it is reported as unprocessed. This value should be greater than ContentExtraction.ShortTimeout and less than ContentExtraction.RunawayTimeout.
ContentExtraction.MarkupAsText
off
Bypasses Content Extraction for files that are determined to be XML or HTML. This should be used in cases such as web pages containing data in the header block or script blocks. Default is off.
ContentExtraction.MaxContentSize
30M
The maximum size (in MB) of the document that can be processed by the ContentExtractor.
ContentExtraction.MaxNumImagesToExtract
10
The maximum number of images to extract from PDF files and multi-page TIFF documents.
ContentExtraction.RunawayTimeout
300,000
The time interval (in milliseconds) given to the ContentExtractor to finish processing of any document. If the ContentExtractor does not finish processing some document within this time it will be considered unstable and it will be restarted. This value should be significantly greater than ContentExtraction.LongTimeout.
ContentExtraction.ShortTimeout
30,000
The time interval (in milliseconds) given to the ContentExtractor to process a document smaller than ContentExtraction.LongContentSize. If the document cannot be processed within the specified time it is reported as unprocessed. This value should be less than ContentExtraction.LongTimeout.
ContentExtraction.TemporaryDirectory
N/A
Specifies the directory for temporary content extraction files.
ContentExtraction.TrackedChanges
off
Allows detection of content that has changed over time (Track Changes content) in Microsoft Office documents.
Using the foregoing option might reduce the accuracy rate for IDM and data identifiers. The default is set to off (disallow).
To index content that has changed over time, set ContentExtraction.TrackedChanges=on in the Indexer.properties file. The default and recommended setting is off.
DDM.MaxBinMatchSize
30,000,000
The maximum size (in bytes) used to generate the MD5 hash for an exact binary match in an IDM. This setting should not be changed. The following conditions must be matched for IDM to work correctly:
  • This setting must be exactly identical to the max_bin_match_size setting on the Enforce Server in the indexer.properties file.
  • This setting must be smaller or equal to the FileReader.FileMaxSize value.
  • This setting must be smaller or equal to the ContentExtraction.MaxContentSize value on the Enforce Server in the indexer.properties file.
Changing the first or third item in the list requires re-indexing all IDM files.
Detection.EncodingGuessingDefaultEncoding
ISO-8859-1
Specifies the backup encoding assumed for a byte stream.
Detection.EncodingGuessingEnabled
on
Designates whether the encoding of unknown byte streams should be guessed.
Detection.EncodingGuessingMinimumConfidence
50
Specifies the confidence level required for guessing the encoding of unknown byte streams.
Detection.MessageTimeoutReportIntervalInSeconds
3600
Number of seconds between each System Event published to display the number of messages that have timed out recently. These System Events are scheduled to be published at a fixed rate, but will be skipped if no messages have timed out in that period.
DI.MaxViolations
100
Specifies the maximum number of violations allowed with data identifiers.
Discover.CountAllFilteredItems
false
Provides more accurate scan statistics by counting the items in folders skipped because of filtering.
Setting the value to false enables optimized Discover path filters, which improve performance but may occasionally lead to unexpected filter behavior. Optimized filters normalize slashes, truncate filter strings before wildcard characters, and remove trailing slashes. Therefore, the filter string /Fol*der will match /Folder, but it will also match /FolXYZ.
Set this value to true to disable optimized Discover path filters.
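The filter reduction described for Discover.CountAllFilteredItems can be modelled to audit which paths a filter string would match unexpectedly. This is an added example, not Symantec code; the prefix comparison, the wildcard set (* and ?), the direction of slash normalization and all function names are assumptions based on the behaviour described above.

```python
import fnmatch
import re

WILDCARDS = "*?"  # assumption: wildcard characters recognised in filter strings


def normalize(path):
    """Collapse slashes of either kind to '/' and drop trailing slashes."""
    path = re.sub(r"[\\/]+", "/", path)
    return path.rstrip("/") or "/"


def optimized_prefix(filter_string):
    """Reduce a filter as described: cut before the first wildcard, then normalize."""
    cut = len(filter_string)
    for ch in WILDCARDS:
        pos = filter_string.find(ch)
        if pos != -1:
            cut = min(cut, pos)
    return normalize(filter_string[:cut])


def optimized_match(filter_string, path):
    """Model of the optimized filter: a prefix comparison on the reduced string."""
    return normalize(path).startswith(optimized_prefix(filter_string))


def exact_match(filter_string, path):
    """What an administrator probably intended: full wildcard matching."""
    return fnmatch.fnmatchcase(normalize(path), normalize(filter_string))


def unexpected_matches(filter_string, paths):
    """Paths the optimized filter matches although the full pattern does not."""
    return [p for p in paths
            if optimized_match(filter_string, p) and not exact_match(filter_string, p)]


if __name__ == "__main__":
    # Constructed sample paths, not taken from a real scan target.
    sample = ["/Folder", "/FolXYZ", "/Finance", "\\Folder\\"]
    print(optimized_prefix("/Fol*der"))            # reduced filter string
    print(unexpected_matches("/Fol*der", sample))  # paths matched beyond the pattern
```

Running a target's folder listing through unexpected_matches before a scan shows whether a filter needs to be rewritten or whether Discover.CountAllFilteredItems should be set to true.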
Discover.Exchange.FollowRedirects
true
Specifies whether to follow redirects.
Symantec Data Loss Prevention follows redirects only from the public root folder.
Discover.Exchange.ScanHiddenItems
false
Scan hidden items in Exchange repositories, when set to true.
Discover.Exchange.UseSecureHttpConnections
true
Specifies whether connections to Exchange repositories and Active Directory are secure when using the Exchange Web Services crawler.
Discover.IgnorePstMessageClasses
IPM.Appointment,IPM.Contact,IPM.Task,REPORT.IPM.Note.DR,REPORT.IPM.Note.IPNRN
This setting specifies a comma-separated list of .pst message classes. All items in a .pst file that have a message class in the list will be ignored (no attempt will be made to extract the .pst item). This setting is case-sensitive.
Discover.IncludePstMessageClasses
IPM.Note
This setting specifies a comma-separated list of .pst message classes. All items in a .pst file that have a message class in the list will be included.
When both the include setting and the ignore setting are defined, Discover.IncludePstMessageClasses takes precedence.
Discover.PollInterval
10000
Specifies the time interval (in milliseconds) at which Enforce retrieves data from the Discover monitor while scanning.
Discover.Sharepoint.FetchACL
true
Turns off ACL fetching for integrated SharePoint scans. The default value is true (on).
Discover.Sharepoint.SocketTimeout
60000
Sets the timeout value of the socket connection (in milliseconds) between the Network Discover server and the SharePoint target.
Discover.ValidateSSLCertificates
false
Set to true to enable validation of the SSL certificates for the HTTPS connections for SharePoint and Exchange targets. When validation is enabled, scanning SharePoint or Exchange servers using self-signed or untrusted certificates fails. If the SharePoint web application or Exchange server is signed by a certificate issued by a certificate authority (CA), then the server certificate or the server CA certificate must reside in the Java trusted keystore used by the Discover Server. If the certificate is not in the keystore, you must import it manually using the keytool utility.
DiscoverCluster.AclFetcherTimeoutInSeconds
180
DiscoverCluster.FetchAclAsynchronously
false
DiscoverCluster.UseNativeMounting
false
DiscoverCluster.ContentFetcherThreadPoolSize
24
Specify the bounded thread pool size for the content fetcher, between 4 and 24.
DiscoverCluster.CrawlerThreadPoolSize
1
Number of crawler threads on the worker node. A crawler thread is responsible for picking up the next folder for scanning.
EDM.HighlightAllMatchesInProximity
false
If false (default), the system highlights the minimum number of matches, starting from the leftmost. For example, if the EDM policy is configured to match 3 out of 8 column fields in the index, only the first 3 matches are highlighted in the incident snapshot.
If true, the system highlights all matches occurring in the proximity window, including duplicates. For example, if the policy is configured to match 3 of 8 and there are 7 matches occurring within the proximity window, the system highlights all 7 matches in the incident snapshot.
EDM.MatchCountVariant
3
Specifies how matches are counted.
  • 1 - Counts the total number of token sets matched.
  • 2 - Counts the number of unique token sets matched.
  • 3 - Counts the number of unique super sets of token sets. (default)
EDM.MaximumNumberOfMatchesToReturn
100
Defines a top limit on the number of matches returned from each RAM index search.
EDM.RunProximityLogic
true
If true, runs the token proximity check.
EDM.SimpleTextProximityRadius
35
Number of tokens that are evaluated together when the proximity check is enabled.
EDM.TokenVerifierEnabled
false
If enabled (true), the server validates tokens for Chinese, Japanese, and Korean (CJK) keywords.
Default is disabled (false).
EMDI.MaxLookups
10000
Maximum number of EMDI lookups.
Increasing the limit above the default value of 10000 increases the likelihood of false positives and performance degrades linearly. For example, a setting of 20000 is twice as slow as a setting of 10000.
To change this setting, add EMDI.MaxLookups=<value> to the protect.properties file.
EndpointCommunications.AllConnInboundDataThrottleInKBPS
0
If enabled, limits the transfer rate of all inbound traffic in kilobits per second.
Default is disabled.
Changes to this setting apply to all new connections. Changes do not affect existing connections.
EndpointCommunications.AllConnOutboundDataThrottleInKBPS
0
If enabled, limits the transfer rate of all outbound traffic in kilobits per second.
Default is disabled.
Changes to this setting apply to all new connections. Changes do not affect existing connections.
EndpointCommunications.ApplicationHandshakeTimeoutInSeconds
60
Maximum time for server to wait for each round trip during application handshake communications before closing the server-to-agent connection.
Applies to the duration of time between when the agent accepts the TCP connection and when the agent receives the handshake message. This duration includes the SSL handshake and the agent receiving the HTTP headers. If the process exceeds the specified duration, the connection closes.
Changes to this setting apply to all new connections. Changes do not affect existing connections.
EndpointCommunications.MaxActiveAgentsPerServer
90000
Sets the maximum number of agents associated with a given server at any moment in time.
This setting is implemented after the next Endpoint Server restart.
EndpointCommunications.MaxActiveAgentsPerServerGroup
150000
Sets the maximum number of agents that will be associated with a given group of servers behind the same local load balancer at any moment in time. Used for maximum sizes of caches for internal endpoint features.
This setting is implemented after the next Endpoint Server restart.
EndpointCommunications.MaxConcurrentConnections
90000
Sets the maximum number of simultaneous connections to allow.
Changes to this setting apply to all new connections. Changes do not affect existing connections.
EndpointCommunications.MaxConnectionLifetimeInSeconds
86400 (1 day)
Sets the maximum time to allow a connection to remain open. Do not set connections to remain open indefinitely. Connections that close ensure that SSL session keys are frequently updated to improve security. This timeout only applies during the normal operation phase of a connection, after the SSL handshake and application handshake phases of a connection.
This setting is implemented immediately to all connections.
EndpointCommunications.ShutdownTimeoutInMillis
5000 (5 seconds)
Sets the maximum time to wait to gracefully close connections during shutdown before forcing connections to close.
This setting is implemented immediately to all connections.
EndpointCommunications.SSLCipherSuites
TLS_RSA_WITH_AES_128_CBC_SHA
Lists the allowed SSL cipher suites. Enter multiple entries, separated by commas.
Changes to this setting apply to all new connections. Changes do not affect existing connections. You must restart the Endpoint Server for changes you make to take effect.
If you are using FIPS 140-2 mode for communication between the Endpoint Server and DLP Agents, do not use Diffie-Hellman (DH) cipher suites. Mixing cipher suites prevents the agent and Endpoint Server from communicating.
EndpointCommunications.SSLSessionCacheTimeoutInSeconds
86400
Sets the maximum SSL session entry lifetime in the SSL session cache.
The default setting equals one day. This setting is implemented after the next Endpoint Server restart.
EndpointMessageStatistics.MaxFileDetectionCount
100
The maximum number of times a valid file will be scanned. The file must not cause an incident. After exceeding this number, a system event is generated recommending that the file be filtered out.
EndpointMessageStatistics.MaxFolderDetectionCount
1800
The maximum number of times a valid folder will be scanned. The folder must not cause an incident. After exceeding this number, a system event is generated recommending that the file be filtered out.
EndpointMessageStatistics.MaxMessageCount
2000
The maximum number of times a valid message will be scanned. The message must not cause an incident. After exceeding this number, a system event is generated recommending that the file be filtered out.
EndpointMessageStatistics.MaxSetSize
3
The maximum list of hosts displayed from where valid files, folders, and messages come. When a system event for EndpointMessageStatistics.MaxFileDetectionCount, EndpointMessageStatistics.MaxFolderDetectionCount, or EndpointMessageStatistics.MaxMessageCount is generated, Symantec Data Loss Prevention lists the host machines where these system events were generated. This setting limits the number of hosts displayed in the list.
EndpointServer.Discover.ScanStatusBatchInterval
60000
The interval of time in milliseconds the Endpoint Server accumulates Endpoint Discover scan statuses before sending them to the Endpoint Server as a batch.
EndpointServer.Discover.ScanStatusBatchSize
1000
The number of scan statuses the Aggregator accumulates before sending them to the Enforce Server as a batch. The Endpoint Server forwards a batch of statuses to the Enforce Server when the status count reaches the configured value.
The batch is forwarded to the Enforce Server when any of the thresholds for the following settings are met:
  • EndpointServer.Discover.ScanStatusBatchInterval
  • EndpointServer.Discover.ScanStatusBatchSize
EndpointServer.EndpointSystemEventQueueSize
20000
The maximum number of system events that can be stored in the endpoint agent's queue to be sent to the Endpoint Server. If the database connection is lost or some other occurrence results in a massive number of system events, any additional system events that occur after this number is reached are discarded. This value can be adjusted according to memory requirements.
EndpointServer.MaxPercentageMemToStoreEndpointFiles
60
The maximum amount (in percentage) of memory to use to store shadow cache files.
EndpointServer.MaxTimeToKeepEndpointFilesOpen
20000
The time interval (in minutes) that the endpoint file is kept open or the file size can exceed the EndpointServer.MaxEndpointFileSize setting, whichever occurs first.
EndpointServer.MaxTimeToWaitForWriter
1000
The maximum time (in milliseconds) that the agent will wait to connect to the server.
EndpointServer.NoOfRecievers
15
The number of endpoint shadow cache file receivers.
EndpointServer.NoOfWriters
10
The number of endpoint shadow cache file writers.
FileReader.MaxFileSize
30M
The maximum size (in MB) of a message to be processed. Larger messages are truncated to this size. To process large files, ensure that this value is equal to or greater than the value of ContentExtraction.MaxContentSize.
FileReader.MaxFileSystemCrawlerMemory
1024M
The maximum memory that is allocated for the File System Crawler. If this value is less than FileReader.MaxFileSize, then the greater of the two values is assigned.
FileReader.MaxReadGap
15
The time that a child process can have data but not have read anything before it stops sending heartbeats.
FileReader.ScheduledInterval
1000
The time interval (in milliseconds) between drop folder checks by the filereader. This affects Copy Rule, Packet Capture, and File System channels only.
FileReader.TempDirectory
Path to a secure directory as specified in the filereader.temp.io.dir attribute in the FileReader.properties configuration file.
A secure directory on the detection server in which to store temporary files for the file reader.
FormRecognition.ALIGNMENT_COEFFICIENT
85.00
A threshold on a scale from 0 to 100, indicating how well an image should align with an indexed gallery form in order to create an incident.
FormRecognition.CANONICAL_FORM_WIDTH
930
The width in pixels to which all images are internally resized for form recognition.
Icap.AllowHosts
any
The default value of "any" permits all systems to make a connection to the Network Prevent for Web Server on the ICAP service port. Replacing "any" with the IP address or Fully-Qualified Domain Name (FQDN) of one or more systems restricts ICAP connections to just those designated systems. To designate multiple systems, separate their IP addresses or FQDNs by commas.
Icap.AllowStreaming
false
If true, ICAP output is streamed to the proxy directly without buffering the ICAP request first.
Icap.BindAddress
0.0.0.0
IP address to which a Network Prevent for Web Server listener binds. When BindAddress is configured, the server will only answer a connection to that IP address. The default value of 0.0.0.0 is a wild card that permits listening to all available addresses including 127.0.0.1.
Icap.BufferSize
3K
The size (in kilobytes) of the memory buffer used for ICAP request streaming and chunking. The streaming can happen only if the request is larger than FileReader.MaxFileSize and the request has a Content-Length header.
Icap.DisableHealthCheck
false
If true, disables the ICAP periodic self-check. If false, enables the ICAP periodic self-check. This setting is useful for debugging to remove clutter produced by self-check requests from the logs.
Icap.EnableIncidentSuppression
true
Enables the Incident Suppression cache for Gmail Tablet ICAP traffic.
Icap.EnableTrace
false
If set to true, protocol debug tracing is enabled once a folder is specified using the Icap.TraceFolder setting.
Icap.ExchangeActiveSyncCommandsToInspect
SendMail
A comma-separated, case-sensitive list of ActiveSync commands which need to be sent through Symantec Data Loss Prevention detection. If this parameter is left blank, ActiveSync support is disabled. If this parameter is set to "any", all ActiveSync commands are inspected.
Icap.IncidentSuppressionCacheCleanupInterval
120000
The time interval in milliseconds for running the Incident Suppression cache clean-up thread.
Icap.IncidentSuppressionCacheTimeout
120000
The time in milliseconds to invalidate the Incident Suppression cache entry.
Icap.LoadBalanceFactor
1
The number of web proxy servers that a Network Prevent for Web server is able to communicate with. For example, if the server is configured to communicate with 3 proxies, set the Icap.LoadBalanceFactor value to 3.
Icap.SpoolFolder
N/A
This value is needed for ICAP Spools.
Icap.TraceFolder
N/A
The fully qualified name of the folder or directory where protocol debug trace data is stored when the Icap.EnableTrace setting is true. By default, the value for this setting is left blank.
ImagePreclassifier.ENABLE_FORM_RECOGNITION_PRECLASSIFIER
true
Determines what types of images are processed for form recognition. If true, Symantec Data Loss Prevention filters out colorful photographs, images such as logos, email signatures, and other images that are not characteristic of forms. If false, Symantec Data Loss Prevention processes all images.
ImagePreclassifier.ENABLE_OCR_PRECLASSIFIER
true
Determines what types of images are processed for optical character recognition (OCR). If true, Symantec Data Loss Prevention filters out colorful photographs, images such as logos, email signatures, and other images that do not include meaningful text. If false, Symantec Data Loss Prevention processes all images.
ImageRecognition.NUM_WORKER_THREADS
2
The number of threads in the pool used by the image recognition detection process. The value for this setting should equal half of the number of physical cores on your system.
IncidentDetection.IncidentLimitResetTime
86400000
Specifies the time frame (in milliseconds) used by the IncidentDetection.MaxIncidentsPerPolicy setting. The default setting 86400000 equals one day.
IncidentDetection.MaxContentLength
2000000
Applies only to regular expression rules. On a per-component basis, only the first MaxContentLength number of characters are scanned for violations. The default (2,000,000) is equivalent to > 1000 pages of typical text. The limiter exists to prevent regular expression rules from taking too long.
IncidentDetection.MaxIncidentsPerPolicy
10000
Defines the maximum number of incidents detected by a specific policy on a particular monitor within the time-frame specified in the IncidentDetection.IncidentTimeLimitResetTime. The default is 10,000 incidents per policy per time limit.
IncidentDetection.MessageWaitSevere
240
The number of minutes to wait before sending a severe system event about message wait times.
IncidentDetection.MessageWaitWarning
60
The number of minutes to wait before sending a warning system event about message wait times.
IncidentDetection.MinNormalizedSize
30
This setting applies to IDM detection. It MUST be kept in sync with the corresponding setting in the Indexer.properties file on the Enforce Server (which applies to indexing). Derivative detections only apply to messages when their normalized content is greater than this setting. If the normalized content size is less than this setting, IDM detection does a straight binary match.
IncidentDetection.patternConditionMaxViolations
100
The maximum number of matches a detection server reports. The detection server does not report more matches than the value of the IncidentDetection.patternConditionMaxViolations parameter, even if more exist.
IncidentDetection.StopCachingWhenMemoryLowerThan
400M
Instructs Detection to stop caching tokenized and cryptographic content between rule executions if the available JVM memory drops below this value (in megabytes). Setting this attribute to 0 enables caching regardless of the available memory and is not recommended because OutOfMemoryErrors may occur.
Setting this attribute to a value close to, or larger than, the value of the -Xmx option in BoxMonitor.FileReaderMemory effectively disables the caching.
Note that setting this value too low can have severe performance consequences.
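Several settings in this table constrain one another: the ContentExtraction timeouts, DDM.MaxBinMatchSize, FileReader.MaxFileSize, the ContentFetcherThreadPoolSize range, and the caching threshold against the FileReader -Xmx value. The following added example, which is not part of the Symantec documentation, checks those relationships before a change is applied; the dictionary input, the rule names and the binary K/M/G multiples are assumptions.

```python
"""Cross-setting checks for detection server advanced settings (added example)."""
import re

_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}  # assumed binary multiples
MEMORY_FLAGS = "BoxMonitor.FileReaderMemory"

# Defaults copied from the table; LongTimeout "varies", 60,000 is used here.
DEFAULTS = {
    MEMORY_FLAGS: "-Xrs -Xms1200M -Xmx4G",
    "ContentExtraction.ShortTimeout": "30,000",
    "ContentExtraction.LongTimeout": "60,000",
    "ContentExtraction.RunawayTimeout": "300,000",
    "ContentExtraction.MaxContentSize": "30M",
    "DDM.MaxBinMatchSize": "30,000,000",
    "DiscoverCluster.ContentFetcherThreadPoolSize": "24",
    "FileReader.MaxFileSize": "30M",
    "IncidentDetection.StopCachingWhenMemoryLowerThan": "400M",
}


def parse_size(value):
    """Turn '30M', '4G', '3K' or '30,000,000' into an integer."""
    m = re.fullmatch(r"([\d,]+)\s*([KMG]?)", value.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised value: {value!r}")
    return int(m.group(1).replace(",", "")) * _UNITS[m.group(2).upper()]


def jvm_max_heap(flags):
    """Return the -Xmx value in bytes from a JVM flag string, or None if absent."""
    m = re.search(r"-Xmx(\d+[KMG]?)", flags, re.IGNORECASE)
    return parse_size(m.group(1)) if m else None


def check_settings(overrides=None, indexer=None):
    """Return (rule, message) findings for DEFAULTS merged with overrides.

    indexer: optional values read from indexer.properties on the Enforce
    Server, keyed by the names the page uses for them.
    """
    s = {**DEFAULTS, **(overrides or {})}
    n = {k: parse_size(v) for k, v in s.items() if k != MEMORY_FLAGS}
    out = []

    short, long_, runaway = (n["ContentExtraction." + k] for k in
                             ("ShortTimeout", "LongTimeout", "RunawayTimeout"))
    if not short < long_ < runaway:
        out.append(("timeout-order", "need ShortTimeout < LongTimeout < RunawayTimeout"))

    # The DDM entry names this limit FileReader.FileMaxSize; the table lists
    # the setting as FileReader.MaxFileSize, which is the key used here.
    binmatch, max_file = n["DDM.MaxBinMatchSize"], n["FileReader.MaxFileSize"]
    if binmatch > max_file:
        out.append(("binmatch-gt-filereader", "DDM.MaxBinMatchSize exceeds FileReader.MaxFileSize"))
    if max_file < n["ContentExtraction.MaxContentSize"]:
        out.append(("filereader-lt-extraction", "large files are truncated before extraction"))

    if not 4 <= n["DiscoverCluster.ContentFetcherThreadPoolSize"] <= 24:
        out.append(("fetcher-pool-range", "ContentFetcherThreadPoolSize must be 4 to 24"))

    threshold = n["IncidentDetection.StopCachingWhenMemoryLowerThan"]
    heap = jvm_max_heap(s[MEMORY_FLAGS])
    if threshold == 0:
        out.append(("cache-unbounded", "0 caches regardless of free memory; OutOfMemoryErrors may occur"))
    elif heap is not None and threshold >= heap:
        out.append(("cache-disabled", "threshold at or above -Xmx effectively disables caching"))

    if indexer:
        enforce = indexer.get("max_bin_match_size")
        if enforce is not None and parse_size(enforce) != binmatch:
            out.append(("binmatch-indexer-mismatch", "must equal max_bin_match_size on the Enforce Server"))
        limit = indexer.get("ContentExtraction.MaxContentSize")
        if limit is not None and binmatch > parse_size(limit):
            out.append(("binmatch-gt-indexer-content", "exceeds the Enforce Server MaxContentSize"))
    return out


def rule_ids(findings):
    """Collapse findings to the set of rule names."""
    return {rule for rule, _ in findings}


if __name__ == "__main__":
    # Constructed change request: smaller FileReader limit and a smaller heap.
    proposed = {"FileReader.MaxFileSize": "20M", MEMORY_FLAGS: "-Xrs -Xmx256M"}
    for rule, message in check_settings(proposed):
        print(f"{rule}: {message}")
```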
IncidentDetection.TrialMode
false
Prevention trial mode setting to generate prevention incidents without having a prevention setup.
If true, SMTP incidents coming from the Copy Rule and Packet Capture channels appear as if they were prevented and HTTP incidents coming from Packet Capture channel appear as if they were prevented.
IncidentWriter.BacklogInfo
1000
The number of incidents that collect in the log before an information level message about the number of messages is generated.
IncidentWriter.BacklogSevere
10000
The number of incidents that collect in the log before a severe level message about the number of messages is generated.
IncidentWriter.BacklogWarning
3000
The number of incidents that collect in the log before a warning level message about the number of messages is generated.
IncidentWriter.ResolveIncidentDNSNames
false
If true, only recipient host names are resolved from IP.
IncidentWriter.ShouldEncryptContent
true
If true, the monitor will encrypt the body of every message, message component and cracked component before writing to disk or sending to Enforce.
Keyword.TokenVerifierEnabled
false
Default is disabled (false).
If enabled (true), the server validates tokens for Asian language keywords (Chinese, Japanese, and Korean).
L7.cleanHttpBody
true
If true, the HTML entity references are replaced with spaces.
L7.DefaultBATV
Standard
This setting determines the tagging scheme that Network Prevent for Email uses to interpret Bounce Address Tag Validation (BATV) tags in the MAIL FROM header of a message. If this setting is “Standard” (the default), Network Prevent uses the tagging scheme described in the BATV specification:
Change this setting to “Ironport” to enable compatibility with the IronPort proxy’s implementation of BATV tagging.
L7.DefaultUrlEncodedCharset
UTF-8
Defines the default character set to be used in decoding query parameters or URL-encoded body when the character set information is missing from the header.
L7.discardDuplicateMessages
true
If true, the Monitor ignores duplicate messages based on the messageID.
If Network Prevent for Email is not blocking messages correctly in a Microsoft 365 environment, even though incidents are properly generated, set L7.discardDuplicateMessages to false.
L7.ExtractBATV
true
If true (the default), Network Prevent for Email interprets Bounce Address Tag Validation (BATV) tags that are present in the MAIL FROM header of a message. This allows Network Prevent to include a meaningful sender address in incidents that are generated from messages having BATV tags. If this setting is false, Network Prevent for Email does not interpret BATV tags, and a message that contains BATV tags may generate an incident that has an unreadable sender address.
L7.httpClientIdHeader
X-Forwarded-For
The sender identifier header name.
L7.MAX_NUM_HTTP_HEADERS
50
Any HTTP message that contains more than the specified number of header lines is discarded.
L7.maxWordLength
30
The maximum word length (in characters) allowed in UTCP string extraction.
L7.messageIDCacheCleanupInterval
600000
The length of time that the messageID is cached. The system will not cache duplicate messages during this time period if the L7.discardDuplicateMessages setting is set to true.
L7.minSizeOfGetUrl
100
The minimum size of the GET URL to process. HTTP GET actions are not inspected by Symantec Data Loss Prevention for policy violations if the number of bytes in the URL is less than the value of this setting. For example, with the default value of 100, no detection check is performed when a browser displays the Symantec web site at: http://www.symantec.com/index.jsp. The reason is that the URL contains only 33 characters, which is less than the 100 minimum.
Other request types such as POST or PUT are not affected by L7.minSizeOfGetUrl. In order for Symantec Data Loss Prevention to inspect any GET actions at all, the L7.processGets setting must be set to true.
L7.processGets
true
If true, the GET requests are processed. If false, the GET requests are not processed. Note that this setting interacts with the L7.minSizeOfGetUrl setting.
Lexer.IncludePunctuationInWords
true
If true, punctuation characters internal to a token are considered during detection.
Lexer.MaximumNumberOfTokens
30000
Maximum number of tokens extracted from each message component for detection. Applicable to all detection technologies where tokenization is required (EDM, profiled DGM, and the system patterns supported by those technologies). Increasing the default value may cause the detection server to run out of memory and restart.
Lexer.Validate
true
If true, performs system pattern-specific validation.
Max_EMDI_Lookup.int
10000
Maximum number of EMDI lookups. Increasing this number increases the likelihood of false positives.
MessageChain.ArchiveTimedOutStreams
false
Specifies whether messages should be archived to the temp folder.
MessageChain.CacheSize
8
Limits the number of messages that can be queued in the message chains.
MessageChain.ContentDumpEnabled
false
If set to true, each message entering the detection message chain is logged to ${SymantecDLP.temp.dir}/dump. This setting is intended for use in troubleshooting and debugging.
MessageChain.MaximumComponentTime
Varies
The time interval (in milliseconds) allowed before any chain component is restarted.
The setting varies based on the type of detection server:
  • Network Monitor: 360000
  • Network Discover: 600000
  • Network Prevent for Email: 40000
  • Network Prevent for Web: 40000
  • Endpoint Prevent: 360000
  • Combination of Network Monitor, Endpoint Prevent, and Network Discover: 600000
MessageChain.MaximumFailureTime
360000
Number of milliseconds that must elapse before restarting the file reader. This is tracked after a message chain error is detected and that message chain has not been recovered.
MessageChain.MaximumMessageTime
Varies
The maximum time interval (in milliseconds) that a message can remain in a message chain.
The setting varies based on the type of detection server:
  • Network Monitor: 600000
  • Network Discover: 1800000
  • Network Prevent for Email: 60000
  • Network Prevent for Web: 60000
  • Endpoint Prevent: 600000
  • Combination of Network Monitor, Endpoint Prevent, and Network Discover: 1800000
MessageChain.MemoryThrottlerReservedBytes
200,000,000
Number of bytes required to be available before a message is sent through the message chain. This setting can avoid out of memory issues. The default value is 200 MB. The throttler can be disabled by setting this value to 0.
MessageChain.MinimumFailureTime
30000
Number of milliseconds that must elapse before failure of a message chain is tracked. Failure eventually leads to restarting the message chain or file reader.
MessageChain.NumChains
Varies
This number varies depending on detection server type. It is either 4 or 8.
The number of messages, in parallel, that the file reader will process. Setting this number higher than 8 (with the other default settings) is not recommended. A higher setting does not substantially increase performance and there is a much greater risk of running out of memory. Setting this to less than 8 (in some cases 1) helps when processing big files, but it may slow down the system considerably.
MessageChain.StopProcessingWhenMemoryLowerThan
200M
Instructs detection to stop drilling down into and processing sub-files if JVM available memory drops below this value. Setting this attribute to 0 will force sub-file processing, regardless of how little memory is available. Setting this attribute to a value close to or larger than the value of the -Xmx option in BoxMonitor.FileReaderMemory will effectively disable sub-file processing.
OCR.ENABLE_AUTO_LANGUAGE_DETECTION
true
When true, this setting enables the OCR engine to extract text more quickly by automatically identifying the language or languages in an image, rather than processing every language in the OCR configuration. When false, the OCR engine extracts the text using every language in the OCR configuration, making text extraction slower but improving accuracy.
OCR.ENABLE_SPELL_CHECK
true
When true, this setting enables the OCR engine to extract text more accurately by using internal spelling dictionaries. When false, the accuracy of extracted text may be reduced.
OCR.RECORD_REQUEST_STATISTICS
false
When true, this setting enables the OCR sizing tool. The OCR sizing tool gives you insight into your image traffic data, which helps you determine the sizing requirements for your OCR implementation.
PacketCapture.DISCARD_HTTP_GET
true
If true, discards HTTP GET streams.
PacketCapture.DOES_DISCARD_TRIGGER_STREAM_DUMP
false
If true, a list of tcpstreams is dumped to an output file in the log directory the first time a discard message is received.
PacketCapture.ENDACE_BIN_PATH
N/A
To enable packet-capture using an Endace card, enter the path to the Endace /bin directory. Note that environment variables (such as %ENDACE_HOME%) cannot be used in this setting. For example: /usr/local/bin
PacketCapture.ENDACE_LIB_PATH
N/A
To enable packet-capture using an Endace card, enter the path to the Endace /lib directory. Note that environment variables (such as %ENDACE_HOME%) cannot be used in this setting. For example: /usr/local/lib
PacketCapture.ENDACE_XILINX_PATH
N/A
To enable packet-capture using an Endace card, enter the path to the Endace /xilinx directory. Note that environment variables (such as %ENDACE_HOME%) cannot be used in this setting. For example: /usr/local/dag/xilinx
PacketCapture.Filter
tcp || ip proto 47 || (vlan && (tcp || ip proto 47))
When set to the default value, all non-TCP packets are filtered out and not sent to Network Monitor. The default value can be overridden using the tcpdump filter format documented in the tcpdump program. This setting allows specialists to create more exact filters (source and destination IPs for given ports).
PacketCapture.INPUT_SOURCE_FILE
/dummy.dmp
The full path and name of the input file.
PacketCapture.IS_ARCHIVING_PACKETS
false
DO NOT USE THIS FIELD. Diagnostic setting that creates dumps of packets captured in packetcapture for later reuse. This feature is unsupported and does not have normal error checking. May cause repeated restarts on pcap.
PacketCapture.IS_ENDACE_ENABLED
false
To enable packet-capture using an Endace card, set this value to true.
PacketCapture.IS_FTP_RETR_ENABLED
false
If true, FTP GETS and FTP PUTS are processed. If false, only FTP PUTS are processed.
PacketCapture.IS_INPUT_SOURCE_FILE
false
If true, continually reads in packets from a tcpdump formatted file indicated in INPUT_SOURCE_FILE. Set to dag when an Endace card is installed.
PacketCapture.IS_NAPATECH_ENABLED
false
To enable packet-capture using a Napatech card, set this value to true. The default setting is false.
PacketCapture.KERNEL_BUFFER_SIZE_I686
64M
For 32-bit Linux platforms, this setting specifies the amount of memory allocated to buffer network packets. Specify K for kilobytes or M for megabytes. Do not specify a value larger than 128M.
PacketCapture.KERNEL_BUFFER_SIZE_Win32
16M
For 32-bit Windows platforms, this setting specifies the amount of memory allocated to buffer network packets. Specify K for kilobytes or M for megabytes.
PacketCapture.KERNEL_BUFFER_SIZE_X64
64M
For 64-bit Windows platforms, this setting specifies the amount of memory allocated to buffer network packets. Specify K for kilobytes or M for megabytes.
PacketCapture.KERNEL_BUFFER_SIZE_X86_64
64M
For 64-bit Linux platforms, this setting specifies the amount of memory allocated to buffer network packets. Specify K for kilobytes or M for megabytes. Do not specify a value larger than 64M.
PacketCapture.MAX_FILES_PER_DIRECTORY
30000
After the specified number of file streams are processed, a new directory is created.
PacketCapture.MBYTES_LEFT_TO_DISABLE_CAPTURE
1000
If the amount of disk space (in MB) left on the drop_pcap drive falls below this specification, packet capture is suspended. For example, if this number is 100, pcap will stop writing out drop_pcap files when there is less than 100 MB on the installed drive.
PacketCapture.MBYTES_REQUIRED_TO_RESTART_CAPTURE
1500
The amount of disk space (in MB) needed on the drop_pcap drive before packet capture resumes again after stopping due to lack of space. For example, if this value is 150 and packet capture is suspended, packet capture resumes when more than 150 MB is available on the drop_pcap drive.
PacketCapture.NAPATECH_TOOLS_PATH
N/A
This setting specifies the location of the Napatech Tools directory. This directory is not set by default. If packet-capture is enabled for Napatech, enter the fully qualified path to the Napatech Tools installation directory.
PacketCapture.NO_TRAFFIC_ALERT_PERIOD
86,400
The refresh time (in seconds) between no-traffic alert messages. No-traffic system events are created for a given protocol based on this time period. For instance, if this is set to 24*60*60 seconds, a new message is sent every day that there is no new traffic for a given protocol. Do not confuse this with the per-protocol traffic timeout, which specifies how long the server initially goes without traffic before sending the first alert.
PacketCapture.NUMBER_BUFFER_POOL_PACKETS
600000
The number of standard-sized preallocated packet buffers used to buffer and sort incoming traffic.
PacketCapture.NUMBER_JUMBO_POOL_PACKETS
1
The number of large-sized preallocated packet buffers that are used to buffer and sort incoming traffic.
PacketCapture.NUMBER_SMALL_POOL_PACKETS
200000
The number of small-sized preallocated packet buffers that are used to buffer and sort incoming traffic.
PacketCapture.RING_CAPTURE_LENGTH
1518
Controls the amount of packet data that is captured. The default value of 1518 is sufficient to capture typical Ethernet networks and Ethernet over 802.1Q tagged VLANs.
PacketCapture.RING_DEVICE_MEM
67108864
This setting is deprecated. Instead, use the PacketCapture.KERNEL_BUFFER_SIZE_I686 setting (for 32-bit Linux platforms) or the PacketCapture.KERNEL_BUFFER_SIZE_X86_64 setting (for 64-bit Linux platforms).
Specifies the amount of memory (in bytes) to be allocated to buffer packets per device. (The default of 67108864 is equivalent to 64MB.)
PacketCapture.SIZE_BUFFER_POOL_PACKETS
1540
The size of standard-sized buffer pool packets.
PacketCapture.SIZE_JUMBO_POOL_PACKETS
10000
The size of jumbo-sized buffer pool packets.
PacketCapture.SIZE_SMALL_POOL_PACKETS
150
The size of small-sized buffer pool packets.
PacketCapture.SPOOL_DIRECTORY
N/A
The directory in which to spool streams with large numbers of packets. This setting is user defined.
PacketCapture.STREAM_WRITE_TIMEOUT
5000
The time (in milliseconds) between each count (StreamManager's write timeout).
RequestProcessor.AddDefaultHeader
true
If true, adds a default header to every email processed (when in Inline SMTP mode). The default header is RequestProcessor.DefaultHeader. This header is added to all messages that pass through the system; that is, the header is added whether the message is redirected, another header is added, or the message has no policy violations.
RequestProcessor.AddHeaderOnMessageTimeout
false
The default value sets the system to continue sending messages if there is a message timeout.
If set to true, the X-Header "X-Symantec-DLP: Message timed out (potential Enforce System event 1213)" is inserted in the email message. The downstream edge MTA uses this header information to handle the message, and the log message displays "Passed message through due to timeout, with added timeout header."
RequestProcessor.AllowExtensions
8BITMIME VRFY DSN HELP PIPELINING SIZE ENHANCEDSTATUSCODES STARTTLS
This setting lists the SMTP protocol extensions that Network Prevent for Email can use when it communicates with other MTAs.
RequestProcessor.AllowHosts
any
The default value of any permits all systems to make connections to the Network Prevent for Email Server on the SMTP service port. Replacing any with the IP address or Fully-Qualified Domain Name (FQDN) of one or more systems restricts SMTP connections to just those designated systems. To designate multiple systems, separate their addresses with commas. Use only a comma to separate addresses; do not include any spaces between the addresses.
RequestProcessor.AllowUnauthenticatedConnections
false
The default value ensures that MTAs must authenticate with Network Prevent for Email for TLS communication.
RequestProcessor.Backlog
12
The backlog that the request processor specifies for the server socket listener.
RequestProcessor.BindAddress
0.0.0.0
IP address to which a Network Prevent for Email Server listener binds. When BindAddress is configured, the server will only answer a connection to that IP address. The default value of 0.0.0.0 is a wild card that permits listening to all available addresses including 127.0.0.1.
RequestProcessor.BlockStatusCodeOverride
5.7.1
Enables overriding of the ESMTP status code sent back to the upstream MTA when executing a block response rule.
Accepted values are 5.7.0 and 5.7.1. If any other values are entered, this setting will fall back to the default of 5.7.1.
Use of the 5.7.0 value (other or undefined security status) is preferred when the detection server is working with Office365 email, because the 5.7.1 value provides an incorrect context for the Office365 use case.
RequestProcessor.CacheCleanupInterval
120000
Specifies the interval after which the cached responses are cleaned from the cache. Units are in milliseconds.
RequestProcessor.CachedMessageTimeout
120000
Specifies the amount of time after generation when a given cached response can be cleared from the cache. Units are in milliseconds.
RequestProcessor.CacheEnabled
false
Enables caching of responses for duplicate SMTP messages. The cache was added as part of the cloud solution to support envelope splitting.
RequestProcessor.DefaultCommandTimeout
300
Specifies the number of seconds the Network Prevent for Email Server waits for a response to an SMTP command before closing connections to the upstream and downstream MTAs. The default is 300 seconds. This setting does not apply to the "." command (the end of a DATA command). Do not modify the default without first consulting Symantec support.
RequestProcessor.DefaultPassHeader
X-CFilter-Loop: Reflected
This is the default header that is added to messages that pass through Email Prevent.
RequestProcessor.DotCommandTimeout
600
Specifies the number of seconds the Network Prevent for Email Server waits for a response to the "." command (the end of a DATA command) before closing connections to the upstream and downstream MTAs. The default is 600 seconds. Do not modify the default without first consulting Symantec support.
RequestProcessor.ForwardConnectionTimeout
20000
The timeout value to use when forwarding to an MTA.
RequestProcessor.KeyManagementAlgorithm
SunX509
The key management algorithm used in TLS communication.
RequestProcessor.MaxLineSize
1048576
The maximum size (in bytes) of data lines expected from an external MTA. If the data lines are larger than this, they are broken down to this size.
RequestProcessor.Mode
ESMTP
Specifies the protocol mode to use (SMTP or ESMTP).
RequestProcessor.MTAResubmitPort
10026
This is the port number used by the request processor on the MTA to resend the SMTP message.
RequestProcessor.NumberOfDNSAttempts
4
The maximum number of DNS queries that Network Prevent for Email performs when it attempts to obtain mail exchange (MX) records for a domain. Network Prevent for Email uses this setting only if you have enabled MX record lookups.
RequestProcessor.RPLTimeout
360000
The maximum time in milliseconds allowed for email message processing by a Prevent server. Any email messages not processed during this time interval are passed on by the server.
RequestProcessor.ServerSocketPort
10025
The port number to be used by the SMTP monitor to listen for incoming connections from MTA.
RequestProcessor.TagHighestSeverity
false
When set to true, an additional email header that reports the highest severity of all the violated policies is added to the message. For example, if the email violated a policy of severity HIGH and a policy of severity LOW, it shows: X-DLP-MAX-Severity:HIGH.
RequestProcessor.TagPolicyCount
false
When set to true, an additional email header reporting the total number of policies that the message violates is added to the message. For example, if the message violates 3 policies, a header reading: X-DLP-Policy-Count: 3 is added.
RequestProcessor.TagScore
false
When set to true, an additional email header reporting the total cumulative score of all the policies that the message violates is added to the message. Scores are calculated using the formula: High=4, Medium=3, Low=2, and Info=1. For example, if a message violates three policies, one with a severity of medium and two with a severity of low, a header reading: X-DLP-Score: 7 is added.
RequestProcessor.TrustManagementAlgorithm
PKIX
The trust management algorithm that Network Prevent for Email uses when it validates certificates for TLS communication. You can optionally specify a built-in Java trust manager algorithm (such as SunX509 or SunPKIX) or a custom algorithm that you have developed.
RequestProcessorListener.ServerSocketPort
12355
The local TCP port that FileReader will use to listen for connections from RequestProcessor on a Network Prevent server.
ServerCommunicator.CONNECT_DELAY_POST_WAKEUP_OR_POST_VPN_SECONDS
60
The delay time (in seconds) after which a detection server returning online attempts to connect to the Enforce Server. The default value is 60 seconds. The range for this setting is 30 to 600 seconds.
SocketCommunication.BufferSize
8K
The size of the buffer that Network Prevent for Web uses to process ICAP requests. Increase the default value only if you need to process ICAP requests that are greater than 8K. Certain features, such as Active Directory authentication, may require an increase in buffer size.
UnicodeNormalizer.AsianCharRanges
default
Can be used to override the default definition of characters that are considered Asian by the detection engine. Must be either default, or a comma-separated list of ranges, for example: 11A80-11F9,3200-321E
UnicodeNormalizer.Enabled
on
Can be used to disable Unicode normalization.
Enter off to disable.
UnicodeNormalizer.NewlineEliminationEnabled
on
Can be used to disable newline elimination for Asian languages.
Enter off to disable.
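The headers described under RequestProcessor.AddHeaderOnMessageTimeout, RequestProcessor.DefaultPassHeader, RequestProcessor.TagHighestSeverity, RequestProcessor.TagPolicyCount and RequestProcessor.TagScore can be checked by a downstream mail filter. The following is an added example, not Symantec code: the triage function, its verdict names, and the duplicate-header and score-consistency checks are assumptions made for illustration, and the sample messages are constructed.

```python
from email import message_from_string

# Severity weights as stated for RequestProcessor.TagScore.
WEIGHTS = {"HIGH": 4, "MEDIUM": 3, "LOW": 2, "INFO": 1}


def _single(msg, name, findings):
    """Return the only value of a tag header; more than one copy is suspect."""
    values = msg.get_all(name, [])
    if len(values) > 1:
        findings.append(f"duplicate {name} header")
        return None
    return values[0].strip() if values else None


def _number(value, name, findings):
    """Convert a tag value to int, recording a finding if it is not numeric."""
    if value is None:
        return None
    if value.isdigit():
        return int(value)
    findings.append(f"non-numeric {name}")
    return None


def triage(raw):
    """Classify one message by the headers the Prevent server added to it."""
    msg = message_from_string(raw)
    findings = []
    # Fail-open marker written when AddHeaderOnMessageTimeout is true.
    if any("timed out" in v.lower() for v in msg.get_all("X-Symantec-DLP", [])):
        findings.append("detection timed out; content was not inspected")
    # Assumption: AddDefaultHeader is true and DefaultPassHeader is the default.
    if msg.get("X-CFilter-Loop", "").strip().lower() != "reflected":
        findings.append("pass header missing; message may have skipped the server")
    sev = _single(msg, "X-DLP-MAX-Severity", findings)
    count = _number(_single(msg, "X-DLP-Policy-Count", findings), "X-DLP-Policy-Count", findings)
    score = _number(_single(msg, "X-DLP-Score", findings), "X-DLP-Score", findings)
    if sev is not None and sev.upper() not in WEIGHTS:
        findings.append("unknown severity value")
        sev = None
    if count and score is not None:
        # One policy carries the top weight; the rest weigh between 1 and that.
        top = WEIGHTS[sev.upper()] if sev else 4
        low = top + count - 1 if sev else count
        if not low <= score <= top * count:
            findings.append("score inconsistent with policy count and severity")
    if findings:
        verdict = "hold"      # uninspected, unseen or malformed tagging
    elif count or sev:
        verdict = "review"    # inspected, policy violations reported
    else:
        verdict = "deliver"   # inspected, no violations tagged
    return {"verdict": verdict, "findings": findings}


def _sample(*tags):
    """Build a constructed test message carrying the given header lines."""
    base = ["From: a@example.com", "To: b@example.net", "Subject: report"]
    return "\n".join(base + list(tags) + ["", "body"])


# Constructed samples; header names and formats are the ones quoted on this page.
PASS = "X-CFilter-Loop: Reflected"
CLEAN = _sample(PASS)
TAGGED = _sample(PASS, "X-DLP-MAX-Severity:MEDIUM", "X-DLP-Policy-Count: 3", "X-DLP-Score: 7")
TIMED_OUT = _sample(PASS, "X-Symantec-DLP: Message timed out (potential Enforce System event 1213)")
TAMPERED = _sample(PASS, "X-DLP-MAX-Severity:LOW", "X-DLP-Policy-Count: 3", "X-DLP-Score: 9")

if __name__ == "__main__":
    for name in ("CLEAN", "TAGGED", "TIMED_OUT", "TAMPERED"):
        print(name, triage(globals()[name]))
```

A message that carries the timeout header was passed on without a detection result, so the example holds it rather than treating the absence of violation tags as a clean verdict.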