A Critical status indicates that DLP Agents in this state have experienced conditions that require immediate attention.
Critical agent alerts generally include the following:
A driver is not running
The DLP Agent version is not compatible with the Endpoint Server
Active Directory permissions conflict with Symantec Data Loss Prevention permissions
The DLP Agent cannot report to the Endpoint Server
The DLP Agent is unable to monitor the macOS applications that are protected by System Integrity Protection (SIP)
Agent not reporting
The agent has not reported to an Endpoint Server within the specified period of time. If the agent does not report after 18 hours, then Symantec Data Loss Prevention identifies the agent as not-reporting. Not-reporting agents do not receive the latest policies and configuration information, so they are marked with a Critical agent alert.
To fix the issue:
Verify that the endpoint where the agent is installed exists. If it does not exist, you can delete the agent from the Enforce Server.*
Verify that the agent is running on the endpoint.
Verify the network connection between the Endpoint Server and the endpoint.
*You access the Agents List screen by clicking an agent status or alert type link on the System > Agents > Overview screen.
Agent version is not supported
The agent is two versions older than the Endpoint Server version to which it connects. For example, if the Endpoint Server is version 15.0 and the agent is 12.0.x, a Critical agent alert displays. The features available in Enforce and Endpoint Server are not available for these agents. Symantec Data Loss Prevention identifies these agents with a Critical alert because these agents do not provide current Symantec Data Loss Prevention features and may not operate as designed.
Upgrade the agent to the latest version.
File system driver is down
The agent service cannot communicate with the Symantec Data Loss Prevention driver installed on the endpoint. Communication may not occur for the following reasons:
The file system drivers have been deleted.
Symantec Data Loss Prevention identifies the driver as invalid. This invalidation sometimes occurs when the driver has been modified.
Communication between Symantec Data Loss Prevention and the agent driver is broken due to an attack.
To fix the issue:
Restart the endpoint.
Reinstall the endpoint.
Mac OS application is not monitored
The DLP Agent monitors the macOS applications that are protected by System Integrity Protection (SIP) on macOS 10.11 through 10.12. Updating the macOS version beyond the supported version causes the agent to no longer monitor the applications that are protected by SIP. The agent continues to monitor all other channels.