Detecting content at the beginning of a file works without issue; however when the content value you are trying to detect is at the end of a file, detection does not occur.
The issue with detecting content at the end of the file is by design. The EDM Advanced Server settings are configured to scan only a specified number of tokens in any given file.
With the default settings, the EDM scan doesn’t cover the entire file size of 30 MB (default maximum) extracted content. The EDM content scans are governed by the Advanced Server setting Lexer.MaximumNumberOfTokens. The Lexer.MaximumNumberOfTokens value of 12000 in Symantec Data Loss Prevention 12.5.x and above covers approximately 100 KB of extracted content. For Symantec Data Loss Prevention 11.6, the value of 30000 covers around 200 KB of extracted content.
Note: The following steps apply only to on-premises Data Loss Prevention detectors; they do not apply to the cloud service.
To perform EDM detection on a greater number of tokens, you must modify the Lexer.MaximumNumberOfTokens setting from its default value. This value depends on the version you are running. In addition, for detecting to the end of a file that is larger than the default 30 MB, you may need to modify the values for settings IncidentDetection.MaxContentLength and ContentExtraction.MaxContentSize.
For more details, review the DLP Administrator's guide or contact Symantec Enterprise Technical Support for assistance.
Subscribing will provide email updates when this Article is updated. Login is required.