Creating a new agent attribute in Symantec DLP

By | Symantec DLP Endpoint Prevent, Symantec DLP Enforce | No Comments

To create user-defined attributes, follow these steps:

  1. Choose Agent Groups from the System > Agents menu. Then, click the Manage Agent Attributes link.
  2. On the Agent Attributes screen, click New to begin the attribute creation process. A Configure Agent Attribute screen appears.
  3. Add the name of the attribute. Names can contain 1 to 100 characters.
  4. Add a description of the attribute. Descriptions must contain only alphanumeric characters.
  5. Select a domain, either User Domain or Machine Domain. There are two types of attributes for user-defined agent groups:
    • User Domain – Attributes related to the logged-in user; for example, the domain attribute “department.”
    • Computer domain – Attributes related to the computer; for example, computer attribute “location.”
  6. Add a search filter. You can select from existing applied attributes to define a search filter.
  7. Specify an Active Directory attribute. Only Active Directory attributes are supported for user-defined agent group attributes.
  8. Click Save. Clicking Save saves your attribute but does not apply it.
  9. Test the attribute and fix any issues you find in testing. To test, export the attribute(s) from the Attribute List screen and review the attribute. Then use the Attribute Query Resolver test tool, which runs on the Windows host where the endpoint is installed, to test the attribute.
  10. Apply the tested attributes. Agents start reporting attribute values as soon as the agent resolves the attributes against Active Directory.
  11. Verify that agents are reporting attribute values. Go to the System > Agents > Overview > Agent List screen and verify that the agents are reporting attribute values. You can select a particular agent entry and see the Preview Pane. The Preview Pane lists all predefined and user-defined attributes and their values, conflicts, and alerts.

Troubleshooting Symantec File Reader Restarts

By | Symantec DLP Endpoint Prevent, Symantec DLP Network Discover | No Comments

FileReader restarts usually occur due to timeout issues.  These timeouts are generally caused by the following:

  1. Connectivity issues with the Monitor Controller or Network
  2. Poorly written RegEx Rules
  3. A bad email message.  Bad messages can be caused by incorrect header information or foreign characters in the message that Symantec DLP is unable to process

If the FileReader restarts itself occasionally, this is normal behavior.  However, if you are experiencing consistent FileReader restarts in your environment, there are a few things you can do to determine the cause:

  1. FileReader may fail to start (and restart) if it can’t receive all the configuration information it needs. To troubleshoot the exact cause, look in the FileReader log first to identify which FileReader subsystem isn’t starting. Once you have identified that a particular subsystem isn’t receiving its configuration, look in the MonitorController log to see whether the corresponding subsystem has been initialized successfully. One of the common failures is an inability to ignite cryptographic keys in the MonitorController because the ignition password on disk got out of sync with the Administrator password in the database. In this case the password issue must be fixed first, and only then should the MonitorController be restarted. Also look at the VontuMonitorController.conf file in the config directory and check the Java heap size. If it is still at the default values of 128 and 256 (MB), you will probably need to increase the heap settings depending on the RAM available on the server.
  2. Too many exceptions in policies. Each new exception, while improving the ability to “short-circuit” detection, also has the knock-on effect of multiplying the size of the overall detection matrix, all of which is loaded into memory when FileReader starts. While there is no exact limit on the total number of exceptions, a good rule of thumb is that more than 10 exceptions in a policy will start to have an impact at some point, after which the next exception may leave FileReader unable to load.
  3. Check to make sure the MessageChain.CacheSize & MessageChain.NumChains match the CPU Cores.
  4. Check your policies.  Oftentimes FileReader restarts will occur because of a particular policy.  For example, if a Regex in a particular policy exceeds given thresholds (such as maximum component time), then the FileReader will restart.  Look at the log files for the “intentionally restarting process” message which identifies the message chain component causing the restart.  If this component is “Detection” the most likely cause is a poorly written regular expression.
  5. Check for “bad” messages. Save the *.vpcap file that contains the message in question. You can use the file for testing without having to actually send the message again.
  6. Check for locked *.vpcap files.
    1. Stop Packet Capture so that you do not get noise in the test. Start FileReader process. If the *.vpcap file gets picked up, the inductor is working. If the inductor is not working, find out why. The most common problem is that some process has a lock on the files. Other than that, collect the FileReader log and contact support.
  7. If the inductor is working, the problem may be in the Layer 7 Parser or the Content Extractor. Visually inspect the FileReader log for any exceptions, warnings or severe log messages.
  8. While the Content Extractor can often have problems processing various file formats it can rarely, if ever, be blamed for a FileReader restart.
  9. Dying threads can cause FileReader to stop reporting heartbeats and eventually be restarted. Look in VontuMonitor.log for exceptions. Each exception in that log file is an indicator of a serious problem (Java crash or other defect) and is a likely cause of a FileReader restart.
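Steps 4 and 9 above both come down to reading the FileReader and VontuMonitor logs for two signals: the “intentionally restarting process” message, which names the message chain component that caused the restart, and Java exceptions, which point at a dying thread. The following Python script is an added example, not part of the original article or of the Symantec product, that scans a log for both signals and summarises them per component. The sample log lines and their exact format are constructed for the example; a real log will differ in layout but carries the same phrases.

```python
import re
from collections import Counter

# Constructed sample lines shaped like a FileReader log (the exact format of a
# real Symantec DLP log is assumed here, not copied from one).
SAMPLE_FILEREADER_LOG = """\
Jan 10, 2020 10:01:02 AM com.vontu.messaging.MessageChain INFO: message chain started
Jan 10, 2020 10:03:15 AM com.vontu.messaging.MessageChain SEVERE: Component Detection exceeded maximum component time; intentionally restarting process
Jan 10, 2020 10:20:44 AM com.vontu.messaging.MessageChain SEVERE: Component Detection exceeded maximum component time; intentionally restarting process
Jan 10, 2020 11:05:09 AM com.vontu.messaging.MessageChain SEVERE: Component Layer7Parser exceeded maximum component time; intentionally restarting process
Jan 10, 2020 11:30:00 AM com.vontu.extraction.ContentExtractor WARNING: unable to extract text from attachment report.xyz
Jan 10, 2020 11:31:00 AM com.vontu.monitor.Heartbeat SEVERE: java.lang.OutOfMemoryError: Java heap space
"""

# The restart message names the message chain component that caused it.
RESTART_RE = re.compile(r"Component (?P<component>\S+) .*intentionally restarting process")
# Any Java exception/error class name is treated as a serious-defect indicator.
JAVA_ERROR_RE = re.compile(r"\b[\w.]*(?:Exception|Error)\b")

# Interpretation of the top restarting component, following the article.
LIKELY_CAUSE = {
    "Detection": "Detection: most likely a poorly written regular expression "
                 "or too many exceptions in a policy; review the policies",
    "Layer7Parser": "Layer 7 Parser: likely a bad message (incorrect headers or "
                    "characters DLP cannot process); keep the *.vpcap file for testing",
}


def triage(log_text):
    """Count restarts per message chain component and collect Java errors."""
    restarts = Counter()
    java_errors = []
    for line in log_text.splitlines():
        m = RESTART_RE.search(line)
        if m:
            restarts[m.group("component")] += 1
        if JAVA_ERROR_RE.search(line):
            java_errors.append(line.strip())
    top = restarts.most_common(1)[0][0] if restarts else None
    return {
        "restarts_by_component": dict(restarts),
        "top_component": top,
        "likely_cause": LIKELY_CAUSE.get(
            top, "no restart message found; check subsystem startup and the MonitorController log"),
        "java_errors": java_errors,
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_FILEREADER_LOG).items():
        print(f"{key}: {val}")
```

Run it against a real FileReader log by passing the file contents to `triage()`; a Detection-dominated result sends you to the policies, a Layer 7 Parser result to the saved *.vpcap message, and any entry in `java_errors` to the VontuMonitor.log investigation in step 9.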

Troubleshoot Agents not reporting into the Enforce Console

By | Symantec DLP Endpoint Prevent | No Comments

For thorough troubleshooting it is recommended to start with the first step and go through each step in order, so that nothing is skipped.

1. Check for basic network connectivity.

  • PING <ipaddress>
  • Ping the Endpoint Server from the Enforce Server to confirm they can see each other.
  • Ping the Endpoint Server from the Agent to confirm they can see each other.
  • If the ping command fails, then you have a basic networking issue and the two machines are unable to see each other.


  • TELNET <ipaddress> <port>
  • Telnet from the Enforce Server to the Endpoint Server over port 8100
  • Telnet from the Endpoint Agent to the Endpoint Server over port 10443
  • If the ping works but the telnet fails, that tells us we can communicate with the machine but the specific port is not open. This likely means there is either a firewall blocking the port, or the service is not running.
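The ping/telnet decision above can be scripted so the same two checks are run the same way every time. The Python script below is an added example, not part of the original article: `check_tcp` does what a successful `telnet <host> <port>` shows (a completed TCP connection), and `diagnose` applies the article’s interpretation. ICMP ping from Python needs raw-socket privileges, so the ping result is passed in from running `ping` separately. The port numbers are the ones the article lists (8100 Enforce to Endpoint Server, 10443 Agent to Endpoint Server).

```python
import socket

# Ports from the article: Enforce -> Endpoint Server, Agent -> Endpoint Server.
DLP_CHECKS = [
    ("Enforce Server -> Endpoint Server", 8100),
    ("Endpoint Agent -> Endpoint Server", 10443),
]


def check_tcp(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes, i.e. the
    equivalent of a successful `telnet host port`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, unroutable or unresolved: all mean "not open".
        return False


def diagnose(ping_ok, tcp_ok):
    """Apply the article's decision table to the two results."""
    if not ping_ok:
        return "basic networking issue: the two machines cannot see each other"
    if not tcp_ok:
        return "host reachable but port closed: check the firewall or whether the service is running"
    return "network path and port are open"


def run_checks(endpoint_server_host, ping_ok, timeout=3.0):
    """Run both port checks against one Endpoint Server host.
    ping_ok is the result of a separate `ping <host>` (ICMP needs privileges)."""
    return {
        label: diagnose(ping_ok, check_tcp(endpoint_server_host, port, timeout))
        for label, port in DLP_CHECKS
    }


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for label, verdict in run_checks(host, ping_ok=True).items():
        print(f"{label}: {verdict}")
```

Note that the 8100 check only has meaning when run from the Enforce Server and the 10443 check when run from an endpoint, because a firewall may allow one source and not another.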

2. Check that all servers and services are showing up and running.

  • Enforce Server
  • Log into the Enforce Server
  • Confirm that all of the Enforce Services are up and running
    • SymantecDLPDetectionServerController
    • SymantecDLPIncidentPersister
    • SymantecDLPManager
    • SymantecDLPNotifier
  • The DetectionServerController service is the one we are most interested in as this controls communication between the Enforce Server and all of the Detection Servers, but all services should be up and running normally.


  • Endpoint Server
  • Log into the Endpoint Server
  • Confirm that the DetectionServerService is up and running.
  • Log into the Enforce Console
  • Go to the System Overview Page
  • Confirm that your Endpoint Server is reporting in and showing running.
  • Open the Endpoint Server Details page
  • Again, confirm everything looks like it is running.
  • Take note of what is listed as the “Host”; this should be an IP address or a hostname.


  • Endpoint Agent
  • Log into the Endpoint Agent
  • Confirm that the EDPA and WDP services are running.

3. Confirm the Endpoint Agent is pointed to the correct Endpoint Server.

  • Log into the Endpoint Agent
  • Copy the “vontu_sqlite3.exe” tool into the “Endpoint Agent” installation directory
    • Agent Tools can be found in the “Tools” directory from the Agent Package originally downloaded from Symantec.
    • Please also note that if you have to make changes to the Endpoint Server information, you will also need to copy the “service_shutdown.exe” tool.
  • Open an Administrative CMD prompt
  • CD to the Endpoint Agent installation location where the tools and .ead files are located.
  • Open the “cg.ead” file using vontu_sqlite3.exe
    • vontu_sqlite3 -db=cg.ead
    • You will be prompted for your Tools password
  • Query the cg.ead file for the server information.
    • SELECT * FROM configuration WHERE name='ServerCommunicator' AND setting='SERVER_HOST_AND_PORT_LIST';
    • We are interested in the IP address and port listed in the value column of the result.
    • This tells us what server it is pointed to and what port it is using (default port is 10443).
    • We should compare the IP Address or Hostname to what was seen in Step#2 above from the Endpoint Server, these should match exactly in most scenarios.
    • If these values do not match, then update your agent configuration with the below command…
    • UPDATE configuration SET value='<EndpointServer>:<Port>' WHERE name='ServerCommunicator' AND setting='SERVER_HOST_AND_PORT_LIST';
      • EXAMPLE (placeholder host, default port): UPDATE configuration SET value='<endpoint-server-host>:10443' WHERE name='ServerCommunicator' AND setting='SERVER_HOST_AND_PORT_LIST';
      • After making changes to the Endpoint Server you MUST restart the Agent Services before the changes will take effect.
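As an added example, not part of the original article, the following Python script reproduces the Step 3 check against an in-memory SQLite table. The table layout (columns `name`, `setting`, `value`) is assumed from the queries above; the real cg.ead can only be opened through vontu_sqlite3 with the Tools password, so this is for understanding the check and the format of the server list, in which semicolons separate failover servers and the first entry is the primary. The host names and addresses are constructed.

```python
import sqlite3

DEFAULT_PORT = 10443  # default agent-to-Endpoint-Server port from the article

SELECT_SQL = ("SELECT value FROM configuration "
              "WHERE name='ServerCommunicator' AND setting='SERVER_HOST_AND_PORT_LIST'")
UPDATE_SQL = ("UPDATE configuration SET value=? "
              "WHERE name='ServerCommunicator' AND setting='SERVER_HOST_AND_PORT_LIST'")


def make_sample_config(server_list):
    """Constructed stand-in for cg.ead: one row in an assumed (name, setting, value) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE configuration (name TEXT, setting TEXT, value TEXT)")
    conn.execute("INSERT INTO configuration VALUES (?, ?, ?)",
                 ("ServerCommunicator", "SERVER_HOST_AND_PORT_LIST", server_list))
    conn.commit()
    return conn


def read_server_list(conn):
    row = conn.execute(SELECT_SQL).fetchone()
    return row[0] if row else None


def parse_server_list(value):
    """'ep1:10443;ep2' -> [('ep1', 10443), ('ep2', 10443)].
    Semicolons delimit servers; an entry without a port gets the default."""
    servers = []
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        host, sep, port = entry.rpartition(":")
        if not sep:
            host, port = entry, DEFAULT_PORT
        servers.append((host, int(port)))
    return servers


def check_agent_points_to(conn, expected_host, expected_port=DEFAULT_PORT):
    """Compare the agent's primary server with the Host shown on the
    Endpoint Server details page (Step 2). Returns (ok, explanation)."""
    servers = parse_server_list(read_server_list(conn) or "")
    if not servers:
        return False, "no server configured"
    host, port = servers[0]
    if (host, port) == (expected_host, expected_port):
        return True, "agent primary server matches"
    return False, f"mismatch: agent uses {host}:{port}, expected {expected_host}:{expected_port}"


def repoint_agent(conn, host, port=DEFAULT_PORT):
    """Equivalent of the article's UPDATE, parameterised. Remember that the
    agent services must be restarted before the change takes effect."""
    conn.execute(UPDATE_SQL, (f"{host}:{port}",))
    conn.commit()


if __name__ == "__main__":
    cfg = make_sample_config("10.0.0.5:10443;dlp-ep2.example.test:10443")
    print(parse_server_list(read_server_list(cfg)))
    print(check_agent_points_to(cfg, "10.0.0.6"))
    repoint_agent(cfg, "10.0.0.6")
    print(check_agent_points_to(cfg, "10.0.0.6"))
```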

If you are still having problems at this point, you should open a ticket with Technical Support. When you do so please provide all of the above information for the agent along with a full set of logs from your Endpoint Agent, Endpoint Server and Enforce Server so the Technical Support Engineer can quickly and easily assist you with determining what is going on.

Generating agent installation packages for Symantec DLP

By | Symantec DLP Endpoint Prevent | No Comments


1. Navigate to the Agent Packaging page.

Log on to the Enforce Server administration console as an administrator and navigate to the System > Agents > Agent Packaging page.


2. Select one or more DLP Agent installation files.

Browse to the folder on the Enforce Server where you copied the agent installer files:

Windows 64-bit: AgentInstall64_15_0.msi

Windows 32-bit: AgentInstall_15_0.msi

Mac 64-bit: AgentInstall_15_0.pkg

3. Select the agent version. Select an item in the Select the agent version list that matches the agent installer files you selected.

You must select 32- and 64-bit installation files that match the agent version you selected. For example, selecting a version 14.6 32-bit and a version 15.0 64-bit installation file while selecting Version 15.0 in the list is unsupported. Selecting mis-matched versions prevents agents from installing on endpoints.


4. Enter the server host name. Typically you enter the common name (CN) of the Endpoint Server host, or you can enter the IP address of the server.

Be consistent with the type of identifier you use (CN or IP). If you used the CN for the Endpoint Server when deploying it, use the same CN for the agent package. If you used an IP address to identify the Endpoint Server, use the same IP address for the agent package.

Alternatively, you can enter the CN or IP address of a load balancer server.


5. Enter the port number for the server.

The default port is 10443. Typically you do not need to change the default port unless it is already in use or intended for use by another process on the server host.


6. Add additional servers (optional).

Click the plus sign icon to add additional servers for failover.

Symantec Data Loss Prevention allots 2048 characters for Endpoint Server names. This allotment includes the characters that are used for the Endpoint Server name, port numbers, and semicolons to delimit each server.

The first server that is listed is the primary; additional servers are secondary and provide backup if the primary is down.

See the topic “About Endpoint Server redundancy” in the Symantec Data Loss Prevention Installation Guide.


7. Enter the Endpoint tools password.

A password is required to use the Endpoint tools to administer DLP Agents. The Endpoint tools password is case-sensitive. The password is encrypted and stored in a file on the Enforce Server. You should store this password in a secure format of your own so that it can be retrieved if forgotten.

After installing agents, you can change the password on the Agent Password Management screen.

8. Re-enter the Endpoint tools password.

The system validates that the passwords match and displays a message if they do not.


9. Enter the target directory for the agent installation (Windows only).

The default installation directory for Windows 32- and 64-bit agents is %PROGRAMFILES%\Manufacturer\Endpoint Agent. Change the default path if you want to install the Windows agent to a different location on the endpoint host. You can only install the DLP Agent to an ASCII directory using English characters. Using non-English characters can prevent the DLP Agent from starting and from monitoring data in some scenarios.

Include the drive letter if you plan to change the default directory. For example, use C:\Endpoint Agent. Not including a drive letter causes the agent installation to fail.

The target directory for the Mac agent is set by default.

10. Enter the uninstall password (optional, Windows only).

The agent uninstall password is supported for Windows agents. The uninstall password is a tamper-proof mechanism that requires a password to uninstall the DLP Agent.

The password is encrypted and stored in a file on the Enforce Server. You should store this password in a secure format of your own so that it can be retrieved if forgotten.

See the topic “About uninstallation passwords” in the Symantec Data Loss Prevention Installation Guide.

After installing agents, you can change the password on the Agent Password Management screen.

11. Re-enter the uninstall password.

The system validates that the passwords match and displays a message if they do not.


12. Click Generate Installer Packages.

This action generates the agent installer package for each platform that you selected in step 3.

If you generate more than one package the generation process may take a few minutes.


13. Save the agent package zip file.

When the agent packaging process is complete, the system prompts you to download the agent installation package. Save the zip file to the local file system. After you save the file you can navigate away from the Agent Packaging screen to complete the process.

If you generated a single agent package, the zip file is named one of the following corresponding to the agent installer you uploaded:

If you upload more than one agent installer, the package name is In this case, the zip file contains separate zip files for each agent package for each platform you selected in step 23.

14. Install DLP Agents using the agent package.

Once you have generated and downloaded the agent package, you use it to install all agents for that platform.

See the topic “DLP Agent installation overview” in the Symantec Data Loss Prevention Installation Guide.

How to start DLP Agents that run on Mac endpoints

By | Symantec DLP Endpoint Prevent | No Comments

You can use the start_agent tool to start DLP Agents that run on Mac endpoints. You use the tool if the agents have been shut down using the shutdown task on the Agent List screen.

To start agents using the start_agent tool:
  1. From the Symantec Data Loss Prevention Agent installation directory, run the following command:

    sudo ./start_agent

    where the installation directory is the directory where you installed Symantec Data Loss Prevention.

  2. Go to the Agent List screen and confirm that the agent is running.

Best Practice for Endpoint Agents with Antivirus Protection

By | Symantec DLP Endpoint Prevent | No Comments

With a typical antivirus program, excluding a folder prevents the AV program from monitoring data that are written to, or read from, the folder.

Excluding a binary or executable file prevents the AV engine from monitoring that executable during read and write operations.

It is recommended to whitelist all of the processes, files, and folders that are listed below.


Windows

  • Endpoint Agent installation location: C:\Program Files\Manufacturer\Endpoint Agent
  • Endpoint Agent temp folder location: C:\Program Files\Manufacturer\Endpoint Agent\temp
  • Processes: edpa.exe
  • Drivers: vfsmfd.sys
  • Files: C:\Program Files\Manufacturer\Endpoint Agent\*.ead

Mac

  • Endpoint Agent installation location: /Library/Manufacturer/Endpoint Agent
  • Endpoint Agent temp folder location: /Library/Manufacturer/Endpoint Agent/Temp
  • Processes: edpa
  • Drivers: N/A
  • Files: /Library/Manufacturer/Endpoint Agent/*.ead

How to install the Symantec DLP Agent (Windows)

By | Symantec DLP Endpoint Prevent | No Comments

Creating the Agent Package

1. Log into your Enforce console page and navigate to System – Agents – Agent Packaging as per the image below

2. Once you get to the Agent Packaging screen you will need to do the following:

Select the Agent Version – In my install I opted for 15.1 & above

Browse and upload the file

Enter the Endpoint Server name or IP address and confirm the port is 10443

Enter a Tools password of your choice

Enter an uninstall password of your choice

Click the ‘Generate Installer Package’

See the following image for extra help

3. When you click the generate package button it will package up your settings and you will then be prompted to download; download this to a place that you can easily access

4. Now we have downloaded the package we need to extract it

5. The extracted files should look like the image below

6. If you double click install_agent.bat, a command prompt window will flash up and go away quickly. If you double click the .msi you will get an install prompt

7. Click next and then accept the ‘Terms’ and click next again

8. After confirming the terms you will see the following screen

These details can be obtained from install_agent.bat: if you right click it and choose Edit, it will open in Notepad. Enter the details that you see in Notepad into the ‘Agent Configuration’ screen

9.  Once you have entered the details in the above image click next. You will now be asked to supply the certificates. These can be found in the extracted file location and the password can be found in the install_agent.bat

10. Once you have entered in these details click next and confirm the install location

11. Click next and then click ‘Install’

12. Once you click the install you will see the installation status

13. Another box will pop up and you will be prompted to click ‘Yes’

14. After a few seconds you will see the following error message

15. To rectify the issue and to successfully install the agent we need to do the following, open up cmd as ‘Administrator’

16. Navigate to the extracted file location

17. Once you are at the file location type install_agent.bat and press enter

18. Once you press enter you will see the following pop up in command prompt

This shows the install details of the Agent. Because we ran CMD as ‘Administrator’, it is able to run all the required tasks as administrator and the agent will now install successfully

19. Once it has finished you should see the following command prompt screen

20. You can confirm that the agent installed and is talking to the Endpoint Server by logging into Enforce, going to System – Agents – Overview and clicking the OK button. Once you have done that you should see your agent appear as per the image below



In this document we have covered how to package your agent for install, how not to install the agent, and how to install the agent. Hopefully you will find this document easy to follow and helpful.

How to collect the Endpoint Agent logs

By | Symantec DLP Endpoint Prevent | No Comments

There are two general methods of gathering the agent log files. The first method is to remotely pull the logs from the clients via the Enforce console. Use the first method whenever possible. The second method is to collect the logs locally from the client by using the endpoint agent logdump tool or by deobfuscating the log files. The second method is used when the agent has no connectivity to the Enforce console and the agent needs to be diagnosed.

Method 1: Remotely Pull Logs From Enforce Console

Gathering the Endpoint Agent logs directly from the Enforce UI is a two step process in which an Endpoint Agent task is sent from the Enforce Server to the Endpoint Agent. Once the task is complete, then the logs can be gathered from the Endpoint Server.

Step 1: Instruct Agent to upload files to Endpoint Server

  1. Go to System> Agent Overview
  2. Select the affected agent.
    DLP 14.6 Console
  3. After selecting the affected agent, select the drop down menu and select “Pull Logs”.
  4. Select Agent logs then click OK

A task running icon (clipboard with play button) should now appear next to the agent. Once the log files have been collected from the agent this should disappear. Wait for the task running icon to disappear before moving to step 2.

Step 2: Collect logs from Endpoint Server

Once the task has been sent to the Endpoint Agent use the following steps to gather the Endpoint Agent logs from the Endpoint Servers.

  1. Go to System> Server> Logs
  2. Select the drop down and choose the Endpoint Server
  3. Select the Agent logs dialog box and Enforce logs (if needed)
  4. Select Collect Logs button

An “in Progress” and “waiting to receive files from x servers” message should appear below the check boxes. Once the log files are available a link will appear to download a .zip that contains the logs.


Method 2: Local Agent Log File Collection

This method is used when the agent is unable to connect to the server and upload the files. There are two options when collecting the agent log files locally. The first is to deobfuscate the logs. The second is to use the logdump utility.

Option 1: Deobfuscate the logs

To deobfuscate the log file you can use update_configuration.exe (Windows only, DLP 15.0 and earlier). The second option is to use the vontu_sqlite3 tool (Mac and Windows clients) to update the configuration table in cg.ead and set Obfuscate to 0 for the Logging setting.

Example steps of using deobfuscating tools

  1. Copy endpoint tools to client machine
  2. Stop the DLP Agent (use service_shutdown tool)
  3. Delete / Rename the old log files
  4. Start the DLP Agent
  5. Run the tool to deobfuscate the log (either update_configuration or vontu_sqlite3)
  6. Stop the DLP Agent
  7. Start the DLP Agent
  8. Verify the edpa logs are readable
  9. Duplicate the issue
  10. Collect log files (edpa*.log) for support

Option 2: Use the logdump utility

The log dump utility can be used to read the obfuscated logs and then save them to a readable file. The main downside is that if the FINEST level logging is not set then the log files may not have the needed information to diagnose the issue.

Example steps using logdump utility:

  1. Copy endpoint tools to client machine
  2. Duplicate issue
  3. Run logdump utility on edpa logs.
  4. Collect readable log file

How to troubleshoot DLP Agent status not reporting as expected on Enforce

By | Symantec DLP Endpoint Prevent | No Comments

Basic network connectivity

Verify the Agent machine can ping the Endpoint server by name or IP address.

Check both Agent and Aggregator logs for errors.

Within the agent logs, look for the lines following CurlTransportLayer and ServerCommunicatorService. You may notice certificate errors such as handshake failures.

Within the aggregator logs, any communication errors should result in a severe error that describes the problem.

Performance Tuning

There are many settings that relate to performance and convenience within various properties files and the advanced agent settings.

Advanced Agent settings:

This setting controls how often an agent checks in with the Endpoint Server. This should generally be left at the default of 15 minutes (900 seconds). If this has been decreased, it should not be decreased below 1 minute per every 1000 agents.

This setting controls when the agent will close the connection if no traffic or heartbeat has been received from the server. Under normal circumstances, this setting should not come into play: agents should transfer all data and be disconnected by the server well before this time is reached. This should be left at the default of 300 seconds.

This setting controls when the server will send a heartbeat to the agent to detect whether it is still connected. This setting is only used if the agent idle timeout is disabled. The normal, expected behavior is for traffic to cease for 30 seconds, causing the server to disconnect the agent after CommLayer.NO_TRAFFIC_TIMEOUT_SECONDS. This should be left at the default of 270 seconds.

This setting controls when the server will disconnect the agent. An agent checks in during its normal polling interval, transfers all its data, and then remains idle; after 30 seconds of this idle connection, the server initiates a disconnect of the agent. This is considered normal default behavior, and the setting should be left at the default of 30 seconds.

Enforce General Settings

Not reporting time

When navigating to System -> Settings -> General within Enforce, there is a setting labeled ‘Show Agent as “Not Reporting” after’.  This setting controls how long Endpoint Server will wait before it reports to Enforce that the agent has stopped reporting. The default is 18 hours. This setting can be raised or lowered depending on preferences, however it cannot be made lower than

Server Properties files


Both and on the endpoint server have a setting of MaxQueueSize. This setting controls how many tasks can be queued on each of the respective servers. The default value is 5000. It is recommended that this value be increased. On we should use a value of 2x the number of agents that regularly connect to that server. On this should be increased to 10,000.

Triggering an update

Often times, it is assumed that ‘Last Update Time’ refers to the last time the agent checked in. This is false. The ‘Last Update Time’ is only updated when agents’ attributes or statuses receive a new update in the oracle database.

In order to force an update of ‘last update time’, we can modify the description of the agent configuration applied to that agent. This will force an update that will update the agent’s last update time. See Article 162207 for more details.

Load Balancers.

When agents connect to their Endpoint Servers through a load balancer, a couple of considerations apply.

      • SSL Session Persistence. This refers to whether or not an agent will reuse the same session ID on consecutive handshakes with the server. This should not directly impact agent reporting status
      • Server Affinity. This refers to what server a load balancer will decide to connect an agent to when they check in. In general an agent should check into the same server as it did previously whenever possible. This is because of the strong relationship between ‘Connect_Polling_Interval’ in the advanced agent settings and ‘Not Reporting Time’ in the Enforce General Settings.

Since the entity responsible for signaling to Enforce that an agent is not reporting is an Endpoint Server, this occurs as soon as that server’s ‘Not Reporting Time’ (18 hours by default) has been reached. If an agent checks in with different servers on each polling interval, it is highly likely that it will not connect to a given server for 18 straight hours. At that point, that Endpoint Server will report the agent as ‘Not Reporting’ despite the agent being successfully connected to another Endpoint Server.
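To make the load-balancer interaction concrete, here is an added example, not from the original article, that models how each Endpoint Server judges an agent only from the check-ins it saw itself, using the 18-hour default and the 900-second polling interval from the text. The agent name, server names and check-in timestamps are constructed: the agent last reached ep1 20 hours ago and has been checking in with ep2 every 15 minutes since.

```python
from datetime import datetime, timedelta

NOT_REPORTING_AFTER = timedelta(hours=18)        # Enforce default from the article
CONNECT_POLLING_INTERVAL = timedelta(seconds=900)  # agent default from the article

# Constructed sample: (server, agent, check-in time). The agent drifted from
# ep1 to ep2 behind a load balancer without server affinity.
NOW = datetime(2020, 1, 10, 12, 0, 0)
SAMPLE_CHECKINS = [("ep1", "WS001", NOW - timedelta(hours=20))] + [
    ("ep2", "WS001", NOW - timedelta(hours=19) + i * CONNECT_POLLING_INTERVAL)
    for i in range(77)  # 19 hours of regular 15-minute check-ins, up to NOW
]


def not_reporting_verdicts(checkins, now, threshold=NOT_REPORTING_AFTER):
    """Per-server view: each Endpoint Server only knows the last check-in it
    received itself, and flags the agent once that is older than threshold.
    Returns {server: {agent: 'Reporting' | 'Not Reporting'}}."""
    last_seen = {}
    for server, agent, ts in checkins:
        key = (server, agent)
        if key not in last_seen or ts > last_seen[key]:
            last_seen[key] = ts
    verdicts = {}
    for (server, agent), ts in last_seen.items():
        state = "Not Reporting" if now - ts > threshold else "Reporting"
        verdicts.setdefault(server, {})[agent] = state
    return verdicts


def agent_truly_alive(checkins, agent, now, threshold=NOT_REPORTING_AFTER):
    """Cluster-wide view: did the agent check in anywhere within the window?"""
    latest = max((ts for _, a, ts in checkins if a == agent), default=None)
    return latest is not None and now - latest <= threshold


if __name__ == "__main__":
    print(not_reporting_verdicts(SAMPLE_CHECKINS, NOW))
    print("agent alive somewhere:", agent_truly_alive(SAMPLE_CHECKINS, "WS001", NOW))
```

The per-server and cluster-wide views disagree for this agent, which is exactly the false ‘Not Reporting’ the article describes; server affinity on the load balancer keeps the two views aligned.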

Cache Deletion 14.0 – 15.0

In some scenarios, the agent may be communicating with a different Endpoint Server than expected, causing the status of the agent to remain unchanged in Enforce. Deleting the Endpoint Server’s cached agent data, as described below, may resolve this issue.

    1. Start by forcing an agent to directly connect to a single endpoint server.
    2. Shut down the SymantecDLPDetectionServerService on the Endpoint Server
    3. Delete any files found in SymantecDLP/Protect/agentupdates and SymantecDLP/Protect/agentattributes.
    4. Restart SymantecDLPDetectionServerControllerService on Enforce.
    5. Start SymantecDLPDetectionServerService on the Endpoint Server.
    6. Update the agent’s configuration to force an update.

Cache Deletion 15.1+ instructions

  1. Ensure that the endpoint agent is communicating directly with an Endpoint Server. If it is load balanced, force traffic to a specific Endpoint Server.
  2. On the Detection server shut down Symantec DLP Detection Server service.
  3. On that same Detection server navigate to the following directory and delete any files present.
    • (15.1) C:\ProgramData\Symantec\Data Loss Prevention\DetectionServer\15.1\agentattributes
    • (15.5) C:\ProgramData\Symantec\Data Loss Prevention\DetectionServer\15.5\agentattributes
  4. Restart Symantec DLP Detection Server Controller on the Enforce Server.
  5. Start Symantec DLP Detection Server Service on the Endpoint Detection Server.
  6. On Enforce, navigate to: System ->Agents-> Agent Configuration -> <Name of Config>
    1. Select or deselect a monitoring option.
    2. Save the agent configuration.
    3. Publish the agent configuration to the agent group to force the update.