IDM detection may not work for print or fax monitoring. A file that is copied to USB generates an incident, but when the same file is sent to a printer it may not generate an incident.
With a DCM policy, the same file is detected regardless of which component is monitored.
Steps to reproduce
1. Create an IDM profile with some files smaller than 1kb and some larger.
2. Enable print/fax, clipboard, and removable storage monitoring for the endpoint.
3. Create an IDM policy using the profile you created, and a DCM policy.
4. From an endpoint agent, copy the files (less than 1kb) used in the IDM profile to a USB device or to the clipboard. An incident is generated for both policies.
5. Print the same file (less than 1kb): no incident is generated for the IDM policy, but one incident is generated for the DCM policy.
6. Print other files (larger than 2kb): an incident is generated for both policies.
At present, Print/Fax is not supported for IDM detection. IDM detection for printing has known issues.
If a file has fewer than 1000 non-whitespace characters, then we only do an exact match, which means an MD5 hash of the binary file. In that case, we do not detect on print because the print driver captures the print events. Detection never sees the original file, so we cannot do the MD5 match.
For larger files, the message is based on the print spool, not on the original file. The pages may be sent to the printer out of order, and a change in page order may change the match percentage.
If the print job injects any content (page numbers, etc.), then the match percentage could be considerably lower.
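The following Python sketch is an added example, not the product's code. It shows why an exact MD5 match cannot succeed on the print path while a partial match only degrades. The 5-word shingle comparison, the `render_spool` stand-in and the sample documents are assumptions constructed for illustration; only the 1000-character threshold comes from the text above.

```python
import hashlib

EXACT_ONLY_BELOW = 1000  # non-whitespace characters; threshold stated in the article
K = 5                    # shingle width in words (assumption for this sketch)

def non_ws(text):
    """Count non-whitespace characters."""
    return sum(not c.isspace() for c in text)

def shingles(text):
    """Set of overlapping K-word runs; a simple stand-in for partial fingerprints."""
    w = text.split()
    return {" ".join(w[i:i + K]) for i in range(len(w) - K + 1)}

def render_spool(text, per_page=50, reverse=False, footer=True):
    """Constructed stand-in for what the print path sees: paginated text,
    optionally out of order, optionally with an injected page number."""
    w = text.split()
    pages = [(n + 1, w[i:i + per_page])
             for n, i in enumerate(range(0, len(w), per_page))]
    if reverse:
        pages.reverse()
    return "\n".join(" ".join(p) + (f"\nPage {n}" if footer else "")
                     for n, p in pages)

def evaluate(indexed, observed):
    """Return ("exact", bool) for small files, ("partial", percent) otherwise."""
    if non_ws(indexed) < EXACT_ONLY_BELOW:
        same = (hashlib.md5(indexed.encode()).digest()
                == hashlib.md5(observed.encode()).digest())
        return ("exact", same)
    idx = shingles(indexed)
    return ("partial", round(100 * len(idx & shingles(observed)) / len(idx), 1))

# Constructed sample documents (not real data)
SMALL = " ".join(f"clause{i}" for i in range(40))   # 310 non-whitespace chars
LARGE = " ".join(f"clause{i}" for i in range(200))  # 1690 non-whitespace chars

if __name__ == "__main__":
    for name, doc in (("small", SMALL), ("large", LARGE)):
        print(name, "copied unchanged      ->", evaluate(doc, doc))
        print(name, "printed, page numbers ->", evaluate(doc, render_spool(doc)))
    print("large printed, pages reversed ->",
          evaluate(LARGE, render_spool(LARGE, reverse=True, footer=False)))
```

The small file never matches once it has passed through the spool stand-in, whereas the large file still matches partially but loses every fingerprint that spans a page boundary or an injected footer.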
Imported Document ID: TECH220592