Best Practice: DLP Policy Exception Count for Endpoints
Last Updated April 26, 2019
High memory usage by the DLP endpoint agent can be caused by compound exceptions in the agent's policies. A policy change can increase the size of the execution matrix, which in turn increases the amount of memory the agent uses.
With the current design of the execution matrix, its size can grow by a factor of 2 or more simply by modifying a policy to add a single compound exception. A policy matrix of 15K rows that works fine can quickly become 45K rows and stop functioning. Because the only symptom is high memory usage, the problem can go unnoticed for some time, which makes identifying the exact policy or configuration change impractical. Other factors, such as the agent configuration, the channels monitored, and the CPU and physical memory on the client, affect how severely these symptoms manifest.
Symantec recommends optimizing policies to best fit the environment. DLP Admins may find that a policy matrix of 5K or 10K rows runs fine in their environment; try to stay within that target in the future to avoid a recurrence of this issue. Below is an example of how the policy matrix is calculated.
number of rows = (number of detection rules) * (number of rules in exception 1) * (number of rules in exception 2) * ... * (number of rules in exception n)
A policy with the following rules:

Detection rules:
  #1 matches keywords "hello", "bye" AND keywords "what", "why"
  #2 matches regex "[a-z]"

Exceptions:
  #1 matches keywords "root", "admin" AND SSN 111-99-3023
  #2 matches keyword "everyone" AND regex "99*"
  #3 matches keyword "abc" AND keyword "def" AND keyword "zyx"

Calculating the total rows:
  Number of detection rules = 2
  Number of rules in exception #1 = 2
  Number of rules in exception #2 = 2
  Number of rules in exception #3 = 3
  Number of rows in the execution matrix for the policy = 2 * 2 * 2 * 3 = 24
Using this formula, you can roughly estimate the impact of a policy on an environment before deploying it.
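The calculation above, as an added example (this is not Symantec code, and the DLP product exposes no such API; the Policy and CompoundRule types, the function names and the 10K row budget are this example's own assumptions). It encodes the article's policy, confirms the 24-row figure, and shows how a single additional three-condition exception triples the matrix, including the 15K to 45K case the article describes:

```python
# Added example, not Symantec code: estimate the endpoint agent's execution
# matrix size from the article's formula and flag policies over a row budget.
# The class and function names are this example's own; the DLP product does
# not expose such an API.
from dataclasses import dataclass, field
from math import prod


@dataclass
class CompoundRule:
    """A detection rule or exception: one or more match conditions ANDed together.

    Each ANDed condition is what the article counts as a "rule" inside an
    exception, so a 3-condition exception contributes a factor of 3.
    """
    name: str
    conditions: list[str]


@dataclass
class Policy:
    name: str
    detection_rules: list[CompoundRule]
    exceptions: list[CompoundRule] = field(default_factory=list)


def matrix_rows(policy: Policy) -> int:
    """rows = (number of detection rules) * product(conditions in each exception).

    A policy with no exceptions has one row per detection rule (prod([]) == 1).
    """
    if not policy.detection_rules:
        return 0
    return len(policy.detection_rules) * prod(len(e.conditions) for e in policy.exceptions)


def with_exception(policy: Policy, exc: CompoundRule) -> Policy:
    """Return a copy of the policy with one more compound exception added."""
    return Policy(policy.name, list(policy.detection_rules), list(policy.exceptions) + [exc])


def growth_factor(policy: Policy, exc: CompoundRule) -> float:
    """How many times larger the matrix becomes if `exc` is added."""
    before = matrix_rows(policy)
    return matrix_rows(with_exception(policy, exc)) / before if before else float("inf")


def check_budget(policy: Policy, budget: int = 10_000) -> str:
    """Report whether the policy fits the row budget the admin has settled on."""
    rows = matrix_rows(policy)
    status = "OK" if rows <= budget else "OVER BUDGET"
    return f"{policy.name}: {rows} rows (budget {budget}) -> {status}"


# The policy from the article, encoded with its detection rules and exceptions.
EXAMPLE_POLICY = Policy(
    name="example",
    detection_rules=[
        CompoundRule("detect #1", ['keywords "hello","bye"', 'keywords "what","why"']),
        CompoundRule("detect #2", ['regex "[a-z]"']),
    ],
    exceptions=[
        CompoundRule("exception #1", ['keywords "root","admin"', "ssn 111-99-3023"]),
        CompoundRule("exception #2", ['keyword "everyone"', 'regex "99*"']),
        CompoundRule("exception #3", ['keyword "abc"', 'keyword "def"', 'keyword "zyx"']),
    ],
)

# A constructed fourth exception with three ANDed conditions; adding it
# triples the matrix (24 -> 72), the kind of jump the article warns about.
NEW_EXCEPTION = CompoundRule(
    "exception #4", ['keyword "draft"', 'keyword "internal"', 'keyword "confidential"']
)

# A constructed larger policy: 15 detection rules and three 10-condition
# exceptions give the article's 15K-row matrix; NEW_EXCEPTION takes it to 45K.
LARGE_POLICY = Policy(
    name="large",
    detection_rules=[CompoundRule(f"detect #{i}", [f"keyword k{i}"]) for i in range(15)],
    exceptions=[
        CompoundRule(f"exception #{j}", [f"keyword x{j}_{c}" for c in range(10)]) for j in range(3)
    ],
)


if __name__ == "__main__":
    print(check_budget(EXAMPLE_POLICY))
    print(f"adding {NEW_EXCEPTION.name} multiplies rows by {growth_factor(EXAMPLE_POLICY, NEW_EXCEPTION):g}")
    print(check_budget(LARGE_POLICY, budget=20_000))
    print(check_budget(with_exception(LARGE_POLICY, NEW_EXCEPTION), budget=20_000))
```

Run this against a proposed policy change before pushing it to endpoints: the growth factor tells you how much a new compound exception will multiply the matrix, which is far easier to catch at review time than to reconstruct later from agent memory symptoms.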
Symantec recommends tuning policies down to the smallest matrix that is practical. This lowers the impact of incident detection on machine resources and improves the response time of the detection process.
Note that Network Discover has higher resource requirements and can handle a larger matrix than endpoint agents can.