What's New and What's Changed in Symantec™ Data Loss Prevention 15.5

Last updated: 11 June 2019

Documentation version: 15.5c

Copyright © 2019 Symantec Corporation. All rights reserved.

Chapter 1

Introducing Symantec Data Loss Prevention 15.5

This chapter includes the following topics:

■ About this guide

■ Summary of new and changed features

About this guide

The What's New and What's Changed in Symantec Data Loss Prevention 15.5 guide describes new features and capabilities that are associated with the release. It also highlights changes relative to previous releases, including removal of features or supported platforms.

This guide does not contain implementation or configuration details for these new features. It provides an overview of each new feature in Symantec Data Loss Prevention 15.5, including, where appropriate, enough detail to help you understand how this feature is used. It also includes deployment information to help you plan for rolling out these new features to your organization. Where possible, the guide provides pointers to further information about new and changed functionality.

For the complete Product Documentation Library for Symantec Data Loss Prevention 15.5, see https://www.symantec.com/docs/DOC11228. See also the online Help at https://help.symantec.com/home/dlp15.5?locale=EN_US.

Change history

The following items have changed since first publication of this guide.

Table 1-1 Change history

Date Description

Date: 11 June 2019
Description: Added "Support for high-performance content extraction for Office Open XML files." Corrected "New and updated response rules for CloudSOC securlets."

Summary of new and changed features

New and changed features in Symantec Data Loss Prevention 15.5 are summarized in this chapter. You can find more deployment details and explanations of the features in chapter 2.

Detection features

Table 1-2 New and changed features for Detection for Symantec Data Loss Prevention 15.5

Feature Short description

Feature: Support for Exact Match Data Identifier (EMDI) detection
Short description: Exact Match Data Identifier (EMDI) detection is a powerful detection technology that enables you to detect structured data, especially PII, with a high degree of accuracy. You can use EMDI, which adds an additional validation to built-in and custom data identifiers, to exactly match indexed records across all Data Loss Prevention channels, including Endpoint. Fast performing and secure, EMDI can help you reduce and nearly eliminate false positives in your Data Loss Prevention environment. See “Support for Exact Match Data Identifier (EMDI) detection” on page 16.

Feature: Diagnostics for sizing OCR server deployments
Short description: You can capture image traffic data to help you better understand your OCR environment sizing needs. By enabling an advanced server setting, you can measure OCR load and use those values in the OCR Server Sizing Estimator spreadsheet. See “Diagnostics for sizing OCR server deployments” on page 17.

Feature: Ability to extract images from Office documents for OCR and Form Recognition
Short description: You can extract images from Microsoft Office documents for OCR and Form Recognition detection scanning. See “Ability to extract images from Office documents for OCR and Form Recognition” on page 18.

Feature: Larger inspection file size and content extraction limits
Short description: Data Loss Prevention now supports larger file sizes and content extraction limits, beyond the default maximum content inspection size of 30 MB. Larger maximum inspection sizes can be easily adjusted to higher values at both the individual detection server and agent configuration level. Guidelines for adjusting server settings and physical memory are automatically provided in the Enforce Server administration console. See “Larger inspection file sizes and content extraction limits” on page 18.

Feature: Support for high-performance content extraction for Office Open XML files
Short description: Symantec Data Loss Prevention supports content extraction of a variety of formats of Office Open XML files. See “Support for high-performance content extraction for Office Open XML files” on page 18.

Enforce Server and platform features

Table 1-3 New and changed features for the Enforce Server and platform for Symantec Data Loss Prevention 15.5

Feature Short description

Feature: New and updated data identifiers and policy templates
Short description: Symantec Data Loss Prevention includes 64 new data identifiers. In addition, eight data identifiers have been updated, and one removed. Six policy templates have been updated. See “New and updated data identifiers and policy templates” on page 19.

Feature: Updated service names
Short description: Symantec Data Loss Prevention 15.5 includes a change to all service names. All service names are appended with "Service." See “Updated service names” on page 22.

Feature: SERVICE_NAME parameter for connecting to the Oracle database
Short description: Symantec Data Loss Prevention uses the SERVICE_NAME parameter for connecting to the Oracle database. See “SERVICE_NAME parameter now used for connecting to the Oracle database” on page 22.

Endpoint features

Table 1-4 New and changed features for the Endpoint for Symantec Data Loss Prevention 15.5

Feature Short description

Feature: Data Loss Prevention policies dynamically classify documents on the endpoint
Short description: You can use Data Loss Prevention policies instead of Information Centric Tagging (ICT) rules to drive classification of Microsoft Office and Microsoft Outlook documents on the endpoint. End users receive automatically suggested classifications, based on Data Loss Prevention policies. This automation adds stronger information protection. See “Data Loss Prevention policies dynamically classify documents on the endpoint” on page 23.

Feature: Ability to scan and tag existing data on endpoints
Short description: Use classification scans to classify existing endpoint data. Once you configure the endpoint targets for a scan, Data Loss Prevention can apply an appropriate tag as a response to a policy violation. See “Ability to scan and tag existing data on endpoints” on page 23.

Feature: Endpoint Prevent for cloud sync applications on Mac
Short description: The DLP Agent provides monitor and prevent support for cloud file sync and share applications on Mac endpoints. See “Endpoint Prevent for cloud sync applications on Mac” on page 23.

Feature: Agent records precise last update time
Short description: The DLP Agent displays the last time it was updated in the Last Update Received column on the Agent list screen. See “Agent records precise last update time” on page 24.

Feature: Support for application monitoring for specific agent groups
Short description: You can control which applications, and which specific channels, to monitor for different agent groups. See “Support for application monitoring for specific agent groups” on page 24.

Feature: URL content awareness support for Firefox 57 and later on Mac endpoints
Short description: Data Loss Prevention administrators can apply URL filters for Mozilla Firefox monitoring. Block and notify pop-ups display URLs when sensitive files are uploaded. See “URL content awareness support for Firefox 57 and later on Mac endpoints” on page 24.

Feature: Enhanced command prompt monitoring and incident logging
Short description: Files moved to network shares using a command prompt are monitored. When incidents are logged, the file location is included in the incident detail. See “Enhanced command prompt monitoring and incident logging” on page 25.

Feature: Ability to display blocked email domains and file attachments in notification pop-ups
Short description: You can configure policies to display blocked email domains and file attachments that contain sensitive data in endpoint notification pop-ups. See “Ability to display blocked email domains and file attachments in notification pop-ups” on page 25.

Feature: Automatically apply ICE encryption to file and folder browser uploads
Short description: Use built-in Symantec Information Centric Encryption (ICE) capabilities to encrypt sensitive files or folders that are uploaded with browsers using HTTPS on Windows endpoints. See “Automatically apply ICE encryption to file and folder browser uploads” on page 25.

Feature: Support for shared authentication for Symantec Information Centric Encryption (ICE) and the DLP Agent
Short description: Endpoint users are prompted to authenticate only once when they encrypt using the DLP Agent or decrypt files using the ICE Utility. Users can also decrypt encrypted files when they are disconnected from the Internet. See “Support for shared authentication for Symantec Information Centric Encryption (ICE) and the DLP Agent” on page 26.

Feature: ICE Utility support for using network proxies to connect to the Symantec ICE Cloud
Short description: The ICE Utility now supports the use of network proxies to connect to the Symantec ICE cloud. Additionally, in managed environments, the ICE Utility uses the same authorized network proxy as the DLP Agent. See “ICE Utility support for using network proxies to connect to the Symantec ICE Cloud” on page 26.

Feature: Installation of ICE Utility necessary to automatically apply ICE encryption to files that are copied to removable storage devices
Short description: The Symantec Information Centric Encryption capabilities for Endpoint Prevent have changed. Endpoint Prevent now applies ICE encryption to the sensitive files that are copied to removable storage devices only through Windows Explorer, Command Line, or PowerShell. Files that are copied through any other medium to the removable storage devices are blocked. See “Installation of ICE Utility necessary to automatically apply ICE encryption to files that are copied to removable storage devices” on page 26.

Feature: New system event for DLP Agent policy updates
Short description: When DLP Agent policies are updated, Symantec Data Loss Prevention displays an INFO-level event on the System > Agents > Events page. See “New system event for DLP Agent policy updates” on page 27.

Discover features

Table 1-5 New and changed features for Discover for Symantec Data Loss Prevention 15.5

Feature Short description

Feature: Server Message Block (SMB) 2 protocol support for Network Discover and Network Protect
Short description: Symantec Data Loss Prevention now supports SMB2 for Network Discover detection and Network Protect incident response. See “Support for SMB2 in Network Discover and Network Protect” on page 27.

Feature: Network Protect quarantine of confidential SharePoint files to file shares
Short description: Configure Network Protect to automatically quarantine confidential files from Microsoft SharePoint repositories to a file share using the Network Protect: Quarantine File response action. Alternatively, configure the SharePoint Quarantine smart response action to manually quarantine SharePoint files to a file share. See “Network Protect support for quarantine of confidential SharePoint files to file shares” on page 27.

Feature: Simplified Network Protect release of quarantined SharePoint files
Short description: To release quarantined Microsoft SharePoint files, configure the Network Protect: SharePoint Release from Quarantine smart response action. You no longer need to configure the SharePoint Release from Quarantine FlexResponse plug-in. You can release quarantined files back to their original location from either a SharePoint quarantine location or a file share quarantine location. See “Simplified Network Protect release of quarantined SharePoint files” on page 27.

Feature: New email alerts for Network Discover scan events
Short description: When you initiate a scan using Network Discover, you can now configure up to five new email alerts based on the scan state using the corresponding event codes. See “New email alerts for Network Discover scan events” on page 28.

Feature: Detection server support for using network proxies for communication between Network Discover and the Symantec ICE Cloud
Short description: Use the Enforce Server administration console to specify a proxy server in your environment and, optionally, provide the credentials for connecting to it. During SharePoint and File System (file shares) scans, Network Discover uses the authorized network proxy to communicate with the Symantec ICE Cloud. See “Detection server support for using network proxies for communication between Network Discover and the Symantec ICE Cloud” on page 28.

Cloud features

Table 1-6 New and changed features for Cloud for Symantec Data Loss Prevention 15.5

Feature Short description

Feature: Updated support for CloudSOC securlets
Short description: Symantec Data Loss Prevention includes support for the following Symantec CloudSOC securlets:

■ Amazon S3

■ Cisco Spark

■ Slack

See “Updated support for CloudSOC securlets” on page 29.

Feature: New and updated response rules for CloudSOC securlets
Short description: Symantec Data Loss Prevention includes the following new smart response rules for Symantec CloudSOC securlets:

■ Encrypt

■ Remove collaborators

■ Remove shared links

The Quarantine Data-at-Rest automated response rule has been updated to include a customizable marker file. See “New and updated response rules for CloudSOC securlets” on page 29.

Installation and upgrade features

Table 1-7 New and changed features for Installation and upgrade for Symantec Data Loss Prevention 15.5

Feature Short description

Feature: Updated installation path names
Short description: Installation paths for Symantec Data Loss Prevention 15.5 no longer contain spaces. See “Updated installation path names” on page 30.

Integration with other Symantec products

Table 1-8 New and changed features for Integration with other Symantec products for Symantec Data Loss Prevention 15.5

Feature Short description

Feature: Integration with Symantec Endpoint Protection (SEP), Symantec Intensive Protection file reputation service and Information Centric Defense
Short description: Symantec Data Loss Prevention can leverage Symantec Endpoint Protection (SEP) information about application reputation and create incidents when suspect applications are used to open files. This ability is provided even if you do not have a SEP deployment. If SEP is deployed, Symantec Data Loss Prevention can notify SEP about the existence of sensitive files through a new response rule. The integration of SEP and Symantec Data Loss Prevention adds Information Centric Defense security capabilities to your organization. See “Integration with Symantec Endpoint Protection (SEP) for Symantec Intensive Protection and Information Centric Defense” on page 31.

Removed and deprecated features

Several features have been removed or deprecated in Data Loss Prevention version 15.5. See “Removed and deprecated platforms and capabilities” on page 32.

Chapter 2

New and changed features in Symantec Data Loss Prevention 15.5

This chapter includes the following topics:

■ Detection features

■ Enforce Server and platform features

■ Endpoint features

■ Discover features

■ Cloud features

■ Installation and upgrade features

■ Integrations with other Symantec products

■ Removed and deprecated platforms and capabilities

Detection features

The following detection features are new or improved in Symantec Data Loss Prevention 15.5.

Support for Exact Match Data Identifier (EMDI) detection

Exact Match Data Identifier (EMDI) detection is a powerful exact matching detection technology that enables you to detect structured data, especially personally-identifiable information (PII), with a high degree of accuracy. You can use EMDI to exactly match indexed records across all Data Loss Prevention channels. Fast performing and secure, EMDI can help you reduce and potentially eliminate false positives in your Data Loss Prevention environment. EMDI provides better matching performance and greater memory efficiency than Exact Data Matching (EDM).

EMDI works as an additional validation check against Data Identifier pattern matchers. For example, instead of Data Loss Prevention relying on the Credit Card Number data identifier to match any pattern that looks like a credit card number, EMDI enables customers to exactly match only the credit card numbers that are contained within their index of records by specifying at least an additional column of identification data in the data source used for the EMDI profile. Both system (built-in) and custom data identifiers are supported.

While EMDI is a different underlying detection technology than EDM, and is not a substitute or replacement, EMDI does provide an exact match technology on the endpoint. EDM is not available on the endpoint. Other benefits and comparisons with EDM include:

■ EMDI can support every EDM detection scenario that involves matching against two or more columns of a profile data source when at least one of those columns matches a Data Identifier.

■ EMDI performs matching from within the DLP Agent, so there is no need to implement two-tier detection.

■ Supports both Windows and macOS 64-bit DLP Agents.

■ In most scenarios, matching performance for EMDI is faster than EDM.

■ The memory footprint for EMDI is 1/5 of the memory footprint for EDM for the same indexed data source. However, EMDI has a lower maximum size limit for indexed data sources.

■ EMDI has a stringent security model that makes it suitable for profile deployment on endpoints.

You configure EMDI in the same way that you configure EDM, at Manage Data Profiles > Exact Data > Add Exact Match Data Identifier Profile.
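The following conceptual sketch is an added example, not Symantec's implementation or code from this guide. It shows the difference between a pattern-only data identifier match and the additional exact-match validation against indexed records described above. Assumptions: the keyed-hash index layout, the demo key, the sample records and messages, all function names, and the rule that the additional column value must appear in the same message are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed demo key, records and messages (assumptions, not product data).
INDEX_KEY = b"constructed-demo-key"
RECORDS = [
    ("4111 1111 1111 1111", "Okafor"),
    ("5555555555554444", "Lindqvist"),
]
MSG_REFUND = "Refund for customer Okafor, card 4111-1111-1111-1111 approved."
MSG_QA = "Test transaction on card 4012888888881881 for QA."
MSG_DECLINED = "Card 5555 5555 5555 4444 was declined."

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_PATTERN = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def digest(value):
    """Normalize a cell or token and return its keyed hash, so the
    index never stores the indexed values in clear text."""
    normalized = re.sub(r"[^0-9a-z]", "", value.lower())
    return hmac.new(INDEX_KEY, normalized.encode(), hashlib.sha256).digest()


def build_index(records):
    """Map digest(identifier column) to the digests of the additional column."""
    index = {}
    for card, surname in records:
        index.setdefault(digest(card), set()).add(digest(surname))
    return index


def luhn_valid(digits):
    """Checksum validation that a pattern-based card identifier applies."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        n = int(char)
        if position % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def pattern_matches(text):
    """Stage 1: everything a pattern-only data identifier would report."""
    hits = []
    for match in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def exact_matches(text, index):
    """Stage 2: keep a pattern hit only if it is an indexed record and the
    record's additional column value also occurs in the same text."""
    token_digests = {digest(t) for t in re.findall(r"[A-Za-z]+", text)}
    confirmed = []
    for digits in pattern_matches(text):
        row_values = index.get(digest(digits))
        if row_values and row_values & token_digests:
            # Report a masked value rather than the full number.
            confirmed.append("*" * (len(digits) - 4) + digits[-4:])
    return confirmed


if __name__ == "__main__":
    idx = build_index(RECORDS)
    for message in (MSG_REFUND, MSG_QA, MSG_DECLINED):
        print(len(pattern_matches(message)), exact_matches(message, idx))
```

All three constructed messages contain a number that passes the pattern and checksum stage, but only the refund message is confirmed, because it is the only one where an indexed card number appears together with its record's additional column value.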

Diagnostics for sizing OCR server deployments

You can measure image traffic data to help you better understand your OCR environment sizing needs. When you enable the advanced setting OCR.RECORD_REQUEST_STATISTICS, the results appear in the OCR log. The resulting values can be used in the OCR Server Sizing Estimator spreadsheet to help you determine how to size your OCR Server deployment. The OCR Server Sizing Estimator spreadsheet is at the Symantec Support Center at https://www.symantec.com/docs/DOC10612.

Ability to extract images from Office documents for OCR and Form Recognition

You can extract images from Microsoft Office documents for OCR and Form Recognition detection. Data Loss Prevention can extract the BMP, PNG, and JPG image file formats from Word (doc and docx), Excel (xls and xlsx), and PowerPoint (ppt and pptx).

Larger inspection file sizes and content extraction limits

Data Loss Prevention 15.5 supports larger file sizes and content extraction limits. It also provides an easier way for administrators to configure large file settings. The default maximum file inspection size is unchanged (30 MB), but larger maximum inspection sizes can be easily adjusted to higher values. These adjustments can be made at both the individual detection server and agent configuration level. Depending on the content inspection size you choose, certain advanced settings are automatically adjusted. For configuring settings in properties files, which you manually edit, Tuning Guidelines are provided. Additionally, the Enforce Server administration console automatically informs you if additional system memory is required based on your desired content inspection size.

Note: The maximum inspection sizes for the Symantec Data Loss Prevention cloud services have not changed. Administrators cannot increase these limits for cloud services. This feature is only available for the detection servers, appliances, and DLP Agents.

You can implement this feature at the Enforce Server administration console. For detection servers, tuning is done at the Servers > Configuration tab. For the DLP Agents, tuning is done at the Agent Configuration > Settings tab. For more information about larger file sizes and content extraction limits, see the Help topics Server configuration - basic and About agent configurations.

Support for high-performance content extraction for Office Open XML files

Symantec Data Loss Prevention supports content extraction of a variety of formats of Office Open XML files. Microsoft Office 2007 and later uses the Office Open XML format by default for file formats such as DOCX, DOTX, PPTX, and XLSX. This feature works with Microsoft Office Desktop versions 2007, 2010, 2013, 2016, as well as with Microsoft Office 365. This feature is now available on the servers; it is not available on the DLP Agent at this time.

Enforce Server and platform features

The following Enforce Server and platform features are new or improved in Symantec Data Loss Prevention 15.5.

New and updated data identifiers and policy templates

Symantec Data Loss Prevention includes the following new data identifiers:

■ Australia Driver's License Number

■ Bulgaria Value Added Tax (VAT) Number

■ Canada Driver's License Number

■ Canada Number

■ Canada Permanent Residence (PR) Number

■ Croatia National Identification Number

■ Cyprus Tax Identification Number

■ Cyprus Value Added Tax (VAT) Number

■ Czech Driver's License Number

■ Czech Tax Identification Number

■ Czech Value Added Tax (VAT) Number

■ Estonia Driver's License Number

■ Estonia Personal Identification Code

■ Estonia Passport Number

■ Estonia Value Added Tax (VAT) Number

■ European Health Insurance Card Number

■ Greece Passport Number

■ Greece Value Added Tax (VAT) Number

■ Hungarian Driver's License Number

Number

■ Iceland Passport Number

■ Iceland National Identification Number

■ Iceland Value Added Tax (VAT) Number

■ India Rupay Card Number

■ Kazakhstan Passport Number

■ Latvia Driver's License Number

■ Latvia Passport Number

■ Latvia Value Added Tax (VAT) Number

Passport Number

■ Lithuania Personal Code

■ Lithuania Tax Identification Number

■ Lithuania Value Added Tax (VAT) Number

■ Macau Individual Identification Number

■ Malaysia Passport Number

■ Malta National Identification Number

■ Malta Tax Identification Number

■ Malta Value Added Tax (VAT) Number

■ Netherlands Bank Account Number

■ New Zealand Driver's License Number

Number

Driver's License Number

■ Norway National Identification Number

■ Norway Value Added Tax (VAT) Number

■ Poland Driver's License Number

■ Poland European Health Insurance Number

■ Poland Passport Number

■ Poland Value Added Tax (VAT) Number

■ Romania Driver's License Number

■ Romania Value Added Tax (VAT) Number

■ SEPA Creditor Identifier Number North

■ SEPA Creditor Identifier Number South

■ SEPA Creditor Identifier Number West

■ Serbia Unique Master Citizen Number

■ Serbia Value Added Tax (VAT) Number

■ Slovakia Driver's License Number

■ Slovakia Passport Number

■ Slovakia Value Added Tax (VAT) Number

■ Slovenia Passport Number

■ Slovenia Tax Identification Number

■ Slovenia Value Added Tax (VAT) Number

■ Sri Lanka National Identity Number

■ Switzerland Health Insurance Card Number

■ Switzerland Passport Number

■ Switzerland Value Added Tax (VAT) Number

■ Thailand Passport Number

Symantec Data Loss Prevention includes updates to the following data identifiers:

Number

■ Hong Kong ID

■ IPv6 Address

■ Mexico Tax Identification Number

■ People's Republic of China ID

■ Swiss Social Security Number (AHV)

■ US Individual Tax Identification Number (ITIN)

The following data identifier has been removed from Symantec Data Loss Prevention:

■ Brazilian Bank Account Number

Note: If you have included the Brazilian Bank Account Number data identifier in any policies, the data identifier will remain as-is in your deployment of Symantec Data Loss Prevention. If you have not included this data identifier in your policies, it will automatically be removed from your deployment after upgrade.

The following policy templates have been updated:

■ CAN-SPAM Act: Changed IDM Match Count from 100% to 90%.

■ NERC Security Guidelines for Electric Utilities: Changed IDM Match Count from 100% to 90%.

■ General Data Protection Regulation (Banking and Finance): Added new European data identifiers.

■ General Data Protection Regulation (Government Identification): Added new European data identifiers.

■ General Data Protection Regulation (Healthcare and Insurance): Added new European data identifiers.

■ General Data Protection Regulation (Travel): Added new European data identifiers.

■ Symantec DLP Awareness and Avoidance: Removed the keyword "Vontu" from the keyword list.

Updated service names

Symantec Data Loss Prevention 15.5 includes a change to all service names. All service names are appended with "Service." This change occurs automatically during the upgrade to version 15.5. The new service names are as follows:

■ SymantecDLPManagerService

■ SymantecDLPDetectionServerControllerService

■ SymantecDLPNotifierService

■ SymantecDLPIncidentPersisterService

■ SymantecDLPDetectionServerService

For more information about working with Symantec Data Loss Prevention services, see the Help topic About Symantec Data Loss Prevention services.

SERVICE_NAME parameter now used for connecting to the Oracle database

Symantec Data Loss Prevention uses the SERVICE_NAME parameter for connecting to the Oracle database, which provides greater flexibility for your Oracle deployment for Data Loss Prevention. If you are upgrading from a previous version of Symantec Data Loss Prevention, you switch from SID to the SERVICE_NAME parameter before you begin the migration process. See the Symantec Data Loss Prevention Upgrade Guide. This guide is available online at the Symantec Support Center at: http://www.symantec.com/docs/DOC9258

Note: If you downloaded Symantec Data Loss Prevention version 15.1 starting on 21 September 2018 you should have already switched from SID to the SERVICE_NAME parameter. You can upgrade to Symantec Data Loss Prevention version 15.5 without completing additional steps.
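The following pre-upgrade check is an added example, not code from Symantec or from the Upgrade Guide. It reports which Oracle connect descriptors and JDBC thin URLs still identify the database by SID rather than SERVICE_NAME. It assumes standard Oracle Net tnsnames.ora syntax and standard JDBC thin URL forms; the sample aliases, host name, and function names are constructed for illustration, and the page does not state where Data Loss Prevention stores its connection settings.

```python
import re

# Standard Oracle Net keywords inside a connect descriptor.
_SID = re.compile(r"\(\s*SID\s*=\s*([^()\s]+)\s*\)", re.IGNORECASE)
_SVC = re.compile(r"\(\s*SERVICE_NAME\s*=\s*([^()\s]+)\s*\)", re.IGNORECASE)
# A net service alias starts in column 0 and is followed by '='.
_ALIAS = re.compile(r"^([A-Za-z][\w.\-]*)[ \t]*=", re.MULTILINE)
# JDBC thin URL forms: host:port:SID versus [//]host[:port]/service_name.
_JDBC_SID = re.compile(r"^jdbc:oracle:thin:@([^:/@()]+):(\d+):([^:/?]+)$", re.I)
_JDBC_SVC = re.compile(r"^jdbc:oracle:thin:@(?://)?([^:/@()]+)(?::(\d+))?/([^:/?]+)", re.I)

# Constructed sample input, not taken from a real deployment.
SAMPLE_TNSNAMES = """
# constructed example
PROTECT_OLD =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db.example.internal)(PORT = 1521))
    (CONNECT_DATA =
      (SID = protect)
    )
  )

PROTECT_NEW =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db.example.internal)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = protect)
    )
  )
"""


def _classify_descriptor(desc):
    """Return ('SID'|'SERVICE_NAME'|'UNKNOWN', value) for one descriptor."""
    sid = _SID.search(desc)
    if sid:  # report SID first: it is the form that must be switched
        return ("SID", sid.group(1))
    svc = _SVC.search(desc)
    if svc:
        return ("SERVICE_NAME", svc.group(1))
    return ("UNKNOWN", None)


def _balanced(text):
    """Return the first parenthesised block in text, matched by depth."""
    start = text.find("(")
    if start < 0:
        return ""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    return text[start:]  # unbalanced entry: classify what is present


def classify_tnsnames(text):
    """Map each alias in tnsnames.ora-style text to its identifier kind."""
    # Drop comment lines so a commented-out (SID = ...) is not reported.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    matches = list(_ALIAS.finditer(body))
    result = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(body)
        result[m.group(1)] = _classify_descriptor(_balanced(body[m.end():end]))
    return result


def entries_using_sid(text):
    """Aliases that still connect by SID and need the switch."""
    return sorted(a for a, (kind, _) in classify_tnsnames(text).items() if kind == "SID")


def classify_jdbc_url(url):
    """Classify a JDBC thin URL, including the embedded-descriptor form."""
    url = url.strip()
    at = url.find("@")
    if at >= 0 and url[at + 1:].lstrip().startswith("("):
        return _classify_descriptor(url[at + 1:])
    m = _JDBC_SID.match(url)
    if m:
        return ("SID", m.group(3))
    m = _JDBC_SVC.match(url)
    if m:
        return ("SERVICE_NAME", m.group(3))
    return ("UNKNOWN", None)
```
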

Endpoint features

The following endpoint features are new or improved in Symantec Data Loss Prevention 15.5.

Data Loss Prevention policies dynamically classify documents on the endpoint

You can use Data Loss Prevention policies instead of Information Centric Tagging (ICT) rules to drive classification of Microsoft Office and Microsoft Outlook documents on the endpoint. End users receive automatically suggested classifications, based on Data Loss Prevention policies. This automation adds stronger information protection. To enable this feature:

■ Use the ICT console to configure Data Loss Prevention policy integration.

■ Use the Enforce Server administration console to create response rules (ICT Classification And Tagging Action type) that apply imported ICT tags to classify content.

Ability to scan and tag existing data on endpoints

Use classification scans to classify existing endpoint data. Once you configure the endpoint targets for a scan, Data Loss Prevention can apply an appropriate tag as a response to a policy violation. Note that if you configure a scan for Classification Only, no incidents are generated. When creating your policies, you define response rules, using the ICT Classification And Tagging Action type, that use imported Information Centric Tagging (ICT) tags to classify content.

Endpoint Prevent for cloud sync applications on Mac

The DLP Agent monitors cloud file sync and share applications on Mac endpoints. If sensitive content is added to files that are to be synced to the cloud application, Symantec Data Loss Prevention prevents the sensitive file from moving to the cloud and creates a new Cloud Storage incident. The sensitive file is quarantined on the endpoint. The endpoint user can restore the previous file version that contained no sensitive content from the configured recovery location.

The following cloud applications have been added as default items to the Global Application Monitoring screen:

■ Box

■ Dropbox

■ iCloud

■ OneDrive

You enable the feature by selecting Cloud Storage on the Channels tab of the Agent Configuration screen. You can also add a monitor file filter in which Cloud Storage monitoring is enabled. When you create a policy for cloud storage, set Symantec Data Loss Prevention to monitor data uploaded from the endpoint using a cloud storage sync application.

Agent records precise last update time

The Last Update Received column on the Agent List screen records the time of the agent's latest update. The recorded agent updates include the following:

■ When an agent event occurs

■ When new attributes are added

■ When new policies are created or existing policies are updated

■ When incidents are generated

Support for application monitoring for specific agent groups

You can control which applications, and which channels, to monitor for a particular agent group; previously, you could only monitor the same applications, with the same monitoring settings, for all agent groups. The general application monitoring settings page is now known as the Global Application Monitoring page (at System > Agents > Global Application Monitoring). To override settings on the global page and customize settings for a specific agent configuration, you add applications (Windows or Mac) and select the monitoring filters you want at System > Agents > Agent Configuration, on the Application Monitoring tab. For information about using the Application Monitoring tab, see the Help topic Application Monitoring settings.

URL content awareness support for Firefox 57 and later on Mac endpoints

Data Loss Prevention administrators can apply URL filters for Mozilla Firefox monitoring on Mac endpoints. Block and notify pop-ups display URLs when sensitive files are uploaded using the browser.

To provide URL content awareness, the DLP Agent uses an extension. Endpoint users must enable the Symantec extension on the endpoint to enable the feature. The Agent Overview screen identifies endpoints where the extension is not yet enabled.

Note: This support requires that endpoint users running Firefox 50-56 enable the Symantec extension on the endpoint to continue monitoring support.

For more information about enabling the Symantec extension, see the Help topic Enable monitoring on the Firefox browser.

Enhanced command prompt monitoring and incident logging

Command prompt monitoring on Windows endpoints includes the following improvements:

■ Files copied to network shares are monitored. Monitoring occurs at the file location on the endpoint.

■ Files copied to local disk from network shares are monitored.

■ When incidents are logged, the file location is included in the incident detail.

Ability to display blocked email domains and file attachments in notification pop-ups

You can configure policies to display email domains and file attachments in the on-screen notification to the user when the system blocks an attempt to send confidential data. You enable this feature by adding the Matching Attachments variable to match files and attachments and the Matching Recipient Domains variable when you create a response rule.

Automatically apply ICE encryption to file and folder browser uploads

The Symantec Information Centric Encryption (ICE) capabilities for Endpoint Prevent have been expanded so that you can more easily apply ICE encryption to sensitive files or folders that are uploaded with browsers using HTTPS such as Chrome, Edge, Firefox, and Internet Explorer. You use the Prevent: Encrypt action in your response rule to automatically apply ICE to sensitive files or folders that are monitored through the browser channel on Windows endpoints. You need to deploy the ICE Utility to view and manage user access to protected files. You can now upload ICE encrypted files or folders from a local disk, network share, or a removable storage device using a browser. When a user uploads a sensitive file or folder using a browser, the DLP Agent blocks the user action and automatically encrypts the file with an HTML extension and replaces the original file at the source location. When you configure the Prevent: Encrypt action on the Enforce Server administration console, you can create an alert that informs the user to upload this encrypted file or folder. For more information, see the Help topic Configuring the Endpoint Prevent: Encrypt action.

Support for shared authentication for Symantec Information Centric Encryption (ICE) and the DLP Agent

The ICE Utility and the DLP Agent now share authentication. As a result, endpoint users are prompted to authenticate only once when they encrypt a file using DLP Agent, or decrypt the file using the ICE Utility. Previously, users were required to authenticate separately using the DLP Agent and the ICE Utility to encrypt or decrypt a file. Also, the feature enables the file owner to decrypt ICE-encrypted files when endpoints are not connected to the Internet. Previously, even the file owners were required to enroll and access the encrypted files before disconnecting from the Internet to decrypt files.

ICE Utility support for using network proxies to connect to the Symantec ICE Cloud

The Symantec ICE Utility automatically detects a network proxy that is configured on an endpoint and uses it to connect to the Symantec ICE Cloud. Additionally, in managed environments, the ICE Utility uses the same network proxy settings in the agent configuration for the DLP Agent that is installed on the same endpoint. For more information, see the Help topic Agent proxy settings.

Installation of ICE Utility necessary to automatically apply ICE encryption to files that are copied to removable storage devices

The Symantec Information Centric Encryption capabilities for Endpoint Prevent have changed. Endpoint Prevent now applies ICE encryption to the sensitive files that are copied to removable storage devices only through Windows Explorer, Command Line, or PowerShell. Files that are copied through any other medium to the removable storage devices are blocked. Symantec Information Centric Encryption now requires the installation of the ICE Utility to encrypt or decrypt the encrypted files. The ICE Utility decrypts the encrypted files, and opens them in the native applications on removable storage devices. The DLP Agent blocks the Save As operation for an encrypted file on a removable storage device. The ICE Utility allows the Save operation when the user updates an encrypted file on a removable storage device. The Provide this application encrypted content when reading ICE files option has been removed from the Application Monitoring screen.

New system event for DLP Agent policy updates

When DLP Agent policies are updated, Symantec Data Loss Prevention displays an INFO-level event on the System > Agents > Events page. You can also view this event on the System > Agents > Events > Event Detail page. Symantec Data Loss Prevention does not display this event if you only update the response rule for a DLP Agent policy.

Discover features

The following discover features are new or improved in Symantec Data Loss Prevention 15.5.

Support for SMB2 in Network Discover and Network Protect

Network Discover and Network Protect now support the Server Message Block (SMB) 2 protocol on Linux and Windows, providing enhanced protection for Network Discover file system targets. This change in SMB support is transparent and requires no effort on the part of the Symantec Data Loss Prevention administrator.

Network Protect support for quarantine of confidential SharePoint files to file shares

You can configure Network Protect to automatically quarantine confidential files in Microsoft SharePoint repositories to a file share using the Network Protect: Quarantine File response action. You configure the quarantine location in the Protect tab of SharePoint scan targets. You can select either SharePoint or File System (file shares) as the quarantine location. To quarantine SharePoint files to a file share manually, configure the Network Protect: SharePoint Quarantine smart response action. You can select either SharePoint or File System (file shares) as the quarantine location. For more information, see the Help topics Configuring Network Protect for SharePoint servers and Configuring the Network Protect: SharePoint Quarantine smart response action.

Simplified Network Protect release of quarantined SharePoint files

You can now easily configure Network Protect to release files that were previously quarantined from Microsoft SharePoint repositories. You can release quarantined files back to their original location in SharePoint from either a SharePoint location or a file share location. To release quarantined SharePoint files using a Smart Response rule, use the Network Protect: SharePoint Release from Quarantine response action. You no longer have to configure the SharePoint Release from Quarantine FlexResponse plug-in. In addition, you can also release files that were previously quarantined using the SharePoint Quarantine FlexResponse plug-in. If you have installed the SharePoint solution and if a SharePoint file was quarantined using Symantec Data Loss Prevention 15.1, file metadata is restored when you release the file from quarantine. If the file was quarantined using a version earlier than 15.1, the file is released without restoring its metadata. The Symantec Data Loss Prevention SharePoint Release from Quarantine FlexResponse plug-in is no longer supported as of this release. Beginning with version 15.5, you must use the Network Protect: SharePoint Release from Quarantine smart response action to manually release quarantined SharePoint files instead of the SharePoint Release from Quarantine FlexResponse plug-in. For more information, see the Help topic Configuring the Network Protect: SharePoint Release from Quarantine smart response action.

New email alerts for Network Discover scan events

Network Discover now logs up to five new scan events, depending on the scan progress or the administrator’s actions:

■ Scan started (1720)

■ Scan paused (1721)

■ Scan stopped (1722)

■ Scan queued (1723)

■ Scan failed (1724)

Note: The existing Scan completed (1702) event remains unchanged.

You can configure email alerts for the new scan events for real-time remote updates about the progress of ongoing scans.

Detection server support for using network proxies for communication between Network Discover and the Symantec ICE Cloud

You can identify a network proxy in your setup and, optionally, specify the authentication credentials for connecting to it. Network Discover uses the proxy server to communicate with ICE Cloud whenever File System (file share) and SharePoint scans trigger an encryption response action. For File System scans, you enable a proxy directly in the detection server configuration. For SharePoint scans, you enable a network proxy using the Enforce to Cloud Proxy Settings on the System > General > Settings screen. For network proxies that require authentication, you must save the authentication credentials in the Enforce Server administration console before configuring your proxy settings. By default, detection servers are configured to either not use a network proxy, or to assume that a transparent proxy exists. For more information, see the Help topics Configuring Network Discover to use a proxy to connect to the Symantec ICE Cloud for file share scans and Configuring the Enforce Server to use a proxy to connect to cloud services.

Cloud features

The following cloud features are new or improved in Symantec Data Loss Prevention 15.5.

Updated support for CloudSOC securlets

Symantec Data Loss Prevention includes support for the following Symantec CloudSOC securlets:

■ Amazon S3

■ Cisco Spark

■ Slack

For more information about using Symantec CloudSOC to detect policy violations in cloud applications, see the Help topic About Application Detection.

New and updated response rules for CloudSOC securlets

Symantec Data Loss Prevention includes the following new smart response rules for Symantec CloudSOC Securlets:

■ Encrypt: Encrypt sensitive files in cloud storage repositories.

■ Remove collaborators: Remove collaborator access to sensitive files in cloud storage repositories.

■ Remove shared links: Remove shared links to sensitive files in cloud storage repositories.

The Quarantine Data-at-Rest automated response rule has been updated to include a customizable marker file. For more information about smart response rules for CloudSOC securlets, see the Help topic Response rule actions for Cloud Applications and API appliance detectors.

Installation and upgrade features

The following installation and upgrade features are new or improved in Symantec Data Loss Prevention 15.5.

Updated installation path names

Installation paths for Symantec Data Loss Prevention 15.5 no longer contain spaces. Table 2-1 lists installation directories for Windows and Linux systems.

Table 2-1 Updated installation path names

| Component | System | New path |
| --- | --- | --- |
| Enforce Server | Windows | C:\Program Files\Symantec\DataLossPrevention\EnforceServer |
| | Linux | /opt/Symantec/DataLossPrevention/EnforceServer |
| Detection server | Windows | C:\Program Files\Symantec\DataLossPrevention\DetectionServer |
| | Linux | /opt/Symantec/DataLossPrevention/DetectionServer |
| Single-tier | Windows | C:\Program Files\Symantec\DataLossPrevention\SingleTierServer |
| | Linux | /opt/Symantec/DataLossPrevention/SingleTierServer |
| Content Extraction Service | Windows | C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService |
| | Linux | /opt/Symantec/DataLossPrevention/ContentExtractionService |
| Server Platform Common | Windows | C:\Program Files\Symantec\DataLossPrevention\ServerPlatformCommon |
| | Linux | /opt/Symantec/DataLossPrevention/ServerPlatformCommon |
| Server JRE | Windows | C:\Program Files\Symantec\DataLossPrevention\ServerJRE |
| | Linux | /opt/Symantec/DataLossPrevention/ServerJRE |

Integrations with other Symantec products

The following integration features are new or improved in Symantec Data Loss Prevention 15.5.

Integration with Symantec Endpoint Protection (SEP) for Symantec Intensive Protection and Information Centric Defense

Symantec Data Loss Prevention 15.5 integrates with Symantec Endpoint Protection (beginning with SEP 14.0.1) to enable a new channel of Endpoint monitoring, SEP Intensive Protection. By leveraging the application reputation information that SEP provides, the DLP Agent can dynamically monitor applications and can prevent potentially harmful applications from accessing sensitive files on the endpoint. You can configure the DLP Agent, using a SEP Intensity Level control during agent configuration, to monitor applications of a specified reputation threshold that is established by SEP; the application reputations can be Malicious, Suspicious, or Unknown. You can use these reputations as conditions in response rules you create, so Symantec Data Loss Prevention can take different actions based on specific reputations, for multiple endpoint channels and policies. The DLP Agent is able to obtain the application reputation information from SEP in one of two ways:

■ If the SEP agent is installed on the endpoint, the SEP agent sends the information to the DLP Agent directly. If the SEP agent does not have information, the DLP Agent gets information from the SEP Intensive Protection file reputation service in the Symantec cloud.

■ If the SEP agent is not installed, the DLP Agent gets the information from the SEP Intensive Protection file reputation service in the Symantec cloud.

The incident details for dynamic application monitoring include the application reputation. You can also filter incidents by SEP Intensity Level categories. The dynamic monitoring of applications based on reputation requires only an Endpoint Prevent license; no additional license is needed. Symantec Data Loss Prevention 15.5 also includes a new Endpoint response rule, Information Centric Defense. In an environment in which SEP is deployed and integrated with Data Loss Prevention, the response rule notifies SEP about the existence of sensitive files. The information that Symantec Data Loss Prevention provides to SEP provides robust Information Centric Defense security, in addition to Information Protection, to your SEP-Symantec Data Loss Prevention environment.

Removed and deprecated platforms and capabilities

Removed support

Table 2-2 Removed platforms and capabilities in Symantec Data Loss Prevention 15.5

| Product area | Feature | Details |
| --- | --- | --- |
| Endpoint | Microsoft Windows 10 Version 1511 and Version 1607 endpoint operating systems | Support is removed for Endpoint Data Loss Prevention. |
| | Limit Incident Data Retention response rule | The Limit Incident Data Retention response rule is no longer supported with Endpoint Discover. If existing policies use this response rule, policy violations trigger an incident, but the data that triggered the incident is not attached. |
| | Endpoint Prevent applications | The following applications are no longer supported with Endpoint Prevent: ■ Microsoft Office 2007 ■ Edge RS1 |
| Network Discover | SQL database targets | The following SQL database targets are no longer supported with Network Discover: ■ Oracle 10g ■ SQL Server 2005 |
| | Microsoft Exchange Server 2007 SP3 server target | Support is removed. |
| | File system scanner targets support | The following file system scanner targets are no longer supported: ■ Red Hat Enterprise Linux 5.x ■ AIX 6.5 ■ Solaris 9 (SPARC platform) |
| | FlexResponse plug-ins for SharePoint Quarantine and SharePoint Release from Quarantine | SharePoint Quarantine and Release from Quarantine are now supported by automated Quarantine response rules and smart response actions in Network Protect. You no longer need to install and configure a FlexResponse plug-in to enable and use these functions. |
| Enforce Server and platform | Oracle 11g (11.2.0.4) database | Support is removed. Note: Symantec support is extended to December 2020 if you purchased the Extended Support plan. |
| | Support for stunnel | Support is removed. |
| | Red Hat Enterprise Linux 7.1 and 7.2 for on-premises Symantec Data Loss Prevention servers and the Oracle database. | Support is removed. |

Deprecated support

A feature indicated as “deprecated” is supported in the current release, but Symantec plans to remove support in an upcoming release. If your Symantec Data Loss Prevention environment includes a deprecated feature, you should plan on updating it to a later supported version or a different supported feature as soon as possible.

Table 2-3 Deprecated features in Symantec Data Loss Prevention 15.5

| Product area | Feature | Description |
| --- | --- | --- |
| Network Discover | Documentum (scanner) targets | All versions are deprecated. |
| | Livelink scanner targets | All versions are deprecated. |

For full details of supported platforms for Symantec Data Loss Prevention 15.5, see the Symantec Data Loss Prevention System Requirements and Compatibility Guide at https://www.symantec.com/docs/DOC10602.