In Enforce, incidents appear in pairs, always identical, the order may be different. Each incident highlights the same Matches, has the same Incident Details, Attributes (if Lookup used) and Policy Matches.
This issue was detected on v11.1 in December, 2011, according to Etrack 2636025. A fix will be included in a future version.
The Endpoint Agent performs keyword or protocol monitoring and generates incidents, which are transmitted back to the Endpoint Server. The Agent is unable to process EDM/IDM rules, so it cracks the information for later detection on the Endpoint Server. As a result, the EP server, running the EDM/IDM rule, detects the same violations and creates a second incident for the same violation.
The client needs to review their policies. Best to split up policies with EDM/IDM to not also include Active Directory lookup.
Imported Document ID: TECH221840
Subscribing will provide email updates when this Article is updated. Login is required.