How to test policies by using test E-mail files for Symantec DLP Detection

Article ID: 159802


Products

Data Loss Prevention Network Monitor, Data Loss Prevention Enforce, Data Loss Prevention, Data Loss Prevention Enterprise Suite, Data Loss Prevention Network Monitor and Prevent for Email, Data Loss Prevention Network Monitor and Prevent for Email and Web, Data Loss Prevention Network Discover, Data Loss Prevention Network Monitor and Prevent for Web, Data Loss Prevention Network Prevent for Email

Issue/Introduction

You can export a message from Gmail as an .eml file and place it in the Detection Server's drop folder to confirm that a policy generates incidents as expected, without sending any mail through the production path.

Resolution

    • Using Gmail, create an email whose content should trigger the DLP policy under test.
    • Send it to yourself or to a test email address.
    • Open the email and choose Download Message to save it locally, for example as test.eml.
    • Copy the test.eml file into the SMTP drop folder on the Symantec DLP Detection Server, for example "C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.00000\drop\SMTP".
    • The .eml file disappears from the folder. This means the Detection Server has processed the message, and an incident appears if the content matches a policy.

Note: The Drop folder only processes the email for detection. It will not actually send the email to the recipient.

Note: For the Drop folder to function, the 'Copy Rule' channel must be listed in the BoxMonitor.Channels setting under Server Settings for the Detection Server; if it is missing, the file is never picked up.

In the Symantec DLP Enforce UI (Administration -> Overview), the processed message count for that Detection Server increases by 1.

If an incident was created from the test email, its timestamp reflects when the email was saved, not when you dropped the file. Sort the incident list by incident ID: because the test email is one of the most recent to trigger an incident, it appears with one of the highest incident ID numbers.

If the email carries a Date header, the incident is recorded with that date/time. If the test email has no date/time, the incident uses the current date/time at the moment it is processed; omitting the Date header is the recommended approach for testing, since the incident then sorts where you expect it.

You can also use the following sample text to create a simple .eml file for testing purposes:

From: [email protected]
To: [email protected]
Subject: This is a keyword test
MIME-Version: 1.0
Content-Type: text/plain;

This test should detect on the following keywords…
- dlpkeyword

Symantec Test Email

The above email is a stripped-down message that contains the minimum headers and body needed for detection. In this case the policy being tested matches the keyword "dlpkeyword". Modify the sample as needed (keyword, sender, recipient), save it as an .eml file, and drop it into the SMTP drop folder for processing.