Detecting content at the beginning of a file works without issue;  however when the content value you are trying to detect is at the end of a file, detection does not occur.

The issue with detecting content at the end of the file is by design.  The EDM Advanced Server settings are configured to scan only a specified number of tokens in any given file. 

With the default settings, the EDM scan doesn’t cover the entire file size of 30 MB (default maximum) extracted content.  The EDM content scans are governed by the Advanced Server setting Lexer.MaximumNumberOfTokens. The Lexer.MaximumNumberOfTokens default value is 30000 tokens.

Note:  The following steps apply only to on-premises Data Loss Prevention Detection Servers; they do not apply to the Cloud Service Detectors. 

To perform EDM detection on a greater number of tokens, you must modify the Lexer.MaximumNumberOfTokens setting from its default value.  This value depends on the version you are running. In addition, for detecting to the end of a file that is larger than the default 30 MB, you may need to modify the values for settings IncidentDetection.MaxContentLength and ContentExtraction.MaxContentSize.

For more details, review the article Guidelines for tuning Symantec Data Loss Prevention to scan large files (broadcom.com).

In depth configuration options are also discussed in this Online Help topic Configuring Advanced Settings for EDM policies (symantec.com)

If more information is require, please contact Symantec Enterprise Technical Support for assistance.