McAfee Security for Microsoft Exchange 8.6.0

Configure DLP and compliance scanner settings

Configure DLP and Compliance Scanner settings in a policy to identify noncompliant textual data in an email or attachment and take necessary actions.

Task
1 From Policy Manager, select a submenu item that has the DLP and Compliance scanner.
The policy page for the submenu item appears.
2 Click Master policy or any subpolicy you want to configure, then click List All Scanners tab.
3 Click DLP and Compliance Scanner.
4 In Activation, select Enable to activate the DLP and compliance scanner settings for the selected submenu item.
By default, all scanner setting options are disabled for DLP and Compliance Scanner.
If you are configuring settings for a subpolicy, select Use configuration from parent policy to inherit settings from the parent policy.
If you add a new scanner to the policy, you can specify a time slot when to enable the scanner, using What time would you like this to apply drop-down list.
5 In Options, you can use:
Include document and database formats — To scan documents and database formats, for noncompliant content. Create — To create an alert message when the content of an email message is replaced due to a rule being triggered. See Create an alert for more instructions.
Scan the text of all attachments — To scan the text of all attachments. View/Hide — To display or hide the preview of the alert message. If the preview is hidden, clicking this link displays it. If the preview is displayed, clicking this link hides it.
6 In DLP and Compliance rules and associated actions, click Add rule.
The DLP and Compliance Rules page appears.
7 In Specify actions for rule, select the language from the Select a Language drop-down menu.
You can also view and edit all supported locale dictionaries. (The supported locales are Chinese Simplified, French, German, Japanese, and Spanish.)
For example, when MSME is installed in the German locale, you can still view and edit other supported locale dictionaries. Any new category that you create is available for all supported locales.
8 In Specify actions for rule, select a rule group from the Select rule group drop-down menu that triggers an action, if one or more of its rules are broken. Each phrase can have a Score set for a category, under DLP and Compliance Scanner Phrase.
For some rule groups, you might need to specify these options:
Threshold score — To specify the maximum threshold score upon which the scanner triggers.
Max Term Count — To specify the maximum number of times this rule group can be triggered. Exceeding this count triggers the scanner to take the specified action.
The equation for current Threshold score = Score x Term Count (instance). A rule is triggered when the value equals or exceeds the Threshold score.

To understand how Threshold score and Max Term Count helps in triggering a rule, let us consider an example on Pascal Language dictionary. Consider that you have set the Score for the DLP and Compliance Scanner Phrase "PAnsiChar" to 5.

Under Select rule group, if you have selected Pascal Language dictionary, and set the value for:

Threshold score = 15
Max Term Count = 4

If "PAnsiChar" is found twice in the code, the current threshold score becomes 10, and the rule is not triggered.

If "PAnsiChar" is found five times in the code, the current threshold score will still be calculated as Score x Max Term Count which is 5 * 4 = 20. This value is greater than the defined threshold score. So, the rule is triggered.

Consider that you have modified the Score for "PAnsiChar" to 8. If the phrase "PAnsiChar" is found thrice in the code, the current threshold score becomes 24. Now the rule will be triggered as it exceeded the specified Threshold score.

If there are multiple rules, the Threshold score is the combined value of all the rules for a dictionary.

A rule will be triggered only when the value equals or exceeds the Threshold score and is not triggered even if the instance of phrase exceeds the Max Term Count value in an email.
9 From If detected, take the following action:, select the DLP and compliance scanner actions that must be taken if some content in an email message is detected as noncompliant.
10 From And also, select one or more actions.
11 Click Save to apply the settings and return to the policy settings page.
12 Click Apply to configure these settings to a policy.