
McAfee Data Loss Prevention 11.6.x
Interface Reference Guide
Contents

DLP Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

DLP Settings page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

General settings page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Advanced settings page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Classification settings page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Incident Manager settings page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Operations Center settings page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Case Management settings page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

MVISION Cloud server page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Backup & Restore settings page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Registered servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

MS-RMS details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Seclore details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

User management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Permission Sets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Edit Permission Set: Data Loss Prevention page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Edit Permission Set: DLP Help Desk Actions page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Edit Permission Set - Appliance Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Edit Permission Set — Appliance Management Common Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Edit Permission Set: DLP Appliance Management Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

DLP Help Desk page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Policy Catalog settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

DLP policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Active Rule Sets page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32


Endpoint Discovery scan page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Settings page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Policy Validation page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Windows Client Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Advanced Configuration page for Windows client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Clipboard Protection page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Content Tracking page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Corporate connectivity page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Debugging and Logging page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Device control page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Discovery (Endpoint) page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Email Protection page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Shared Storage and Evidence page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Operational Mode and Modules page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Printing Protection page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Quarantine page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Removable Storage Protection page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Screen capture protection page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

User Interface Components page for Windows client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Web Protection page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Client configuration Whitelist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Add or edit the client configuration whitelist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Mac OS X Client Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Advanced Configuration page for macOS client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Content Tracking page for Mac OS X client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Corporate connectivity page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Debugging and Logging page for Mac OS X client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Discovery (Mac) page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Shared Storage and Evidence page for Mac OS X client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Operational Mode and Modules page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58


Removable Storage Protection page for Mac OS X client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

User Interface Components page for Mac OS X client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Server Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Box page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Shared Storage and Evidence page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Logging page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Registered Documents page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Rights Management page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

SharePoint. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Text Extractor page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

DLP Appliance Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

General. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

McAfee DLP Capture Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

McAfee DLP Monitor Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

McAfee DLP Prevent Email Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

McAfee DLP Prevent Web Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Users and groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Classification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Classification page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Classification Criteria page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Application content fingerprinting Criteria page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Box content fingerprinting criteria. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Location content fingerprinting Criteria page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

SharePoint content fingerprinting criteria page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Web Application content fingerprinting criteria page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Choose from existing values page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Proximity Operator page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Location in file page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Exact Data Fingerprints Match Criteria page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Manual classification page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90


Register Documents page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Whitelisted Text page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Definitions: Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Advanced Pattern definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Dictionary definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Document Properties definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

File extension definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

File Information definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

True File Type definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Definitions: Source/Destination. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Application Template page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

End-User Group definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Network Share definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

URL List definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Classification tester page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

DLP Capture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Search List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Forensic investigation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Rule tuning - email protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Rule tuning - network communication protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Rule tuning — web protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Search Results. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

Search results details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Datasets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Create or edit datasets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

DLP Discover. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Discover Servers page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Discovery definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Definitions page (McAfee DLP Discover). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Credentials definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124


Scheduler page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

SSL Certificate definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Scan Operations page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Scan operations - New scan page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Select Server page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Box repository page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

File Server repository page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

Database repository definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

SharePoint repository page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Choose from existing values page (Scan scheduler). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

Choose from existing values page (Scan repositories). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Choose from existing values page (Scan filters). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Choose classifications page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Choose from existing values page (Scan rule sets). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

DLP Policy Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

DLP Policy Manager Definitions page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Data definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

File extension definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Device control definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Device Class definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Device Templates page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Serial Number & End User Pair page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

Notification definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

Justification definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

User Notification definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

Other definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Scheduler page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Source/Destination definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Application Template page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Application Template definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152


Protocol Identifier Template definitions page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Email Address List definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

End-User Group definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Local Folder definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Network Address definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

Network Port definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

Network Printer definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

Network Share definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

File name list page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

URL List definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Window Title definition page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Rule sets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

DLP Rule Sets page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Policy Assignment page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

Reactions page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

Application File Access Protection Rule page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

Clipboard Protection rule page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

Cloud Protection rule page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Email Protection rule page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Network Communication Protection rule page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

Network Share Protection rule page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

Printer Protection rule page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

Removable Storage Protection rule page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

Screen Capture Protection rule page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Web Protection rule page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Data Protection page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Device Control page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Removable Storage Device Rule page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

Citrix Xenapp Device Rule page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

Fixed Hard Drive Rule page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208


Plug And Play Device Rule page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

Removable storage file access device rule page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

TrueCrypt Device Rule page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

Discovery page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

Local file system protection page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

Endpoint Discovery Rule - Local Email Storage page
Network Discovery Rule - Box page
Network Discovery Rule - File Server page
Network Discovery Rule - SharePoint page
Network Discovery Rule - Database rule
Application Control page
Web Application Control rule page
Policy Assignment page
Incidents, Operations, and Cases
DLP Incident Manager
Analytics page
Incident List page
DLP Incident Manager details page
Incident tasks/Operational events tasks page
Set Reviewer Task/Rule page
Automatic Mail Notification Task/Rule page
Email incidents page
Purge Events/Rule page
Incident History page
DLP Operations
Operational Event List page
Operational event tasks
Operational event history
User Information page
Operational events – Incident detail page
DLP Case Management
Case List page
New case page
Case Management page
Move window
Move to existing case window
Contacts and Users page
Managing data
DLP predefined dashboards
DLP Discover analytics
Data Inventory page - Raw Data display
Data Inventory page - Grid display
Data Inventory page - Dashboard display
System health
Appliance Management page
Option definitions — General settings
Option definitions — SNMP settings
Option definitions — System Health
McAfee DLP appliances system health cards
Error messages


1| DLP Configuration

DLP Configuration
DLP Settings page
General settings page

Use this page to specify licensing and other McAfee DLP-specific settings.
Option definitions

Category / Option: Definition

Last Modified: Displays the date and time stamp of the last changes to the settings.

License keys: Used to enter the license keys for purchased products. You can enter the following license keys:
• McAfee DLP Endpoint — For Device Control or McAfee DLP Endpoint
• McAfee DLP Discover
• McAfee Legacy Network DLP (v9.3.x) — For using unified policies with Network DLP
• McAfee DLP Prevent
• McAfee DLP Monitor

Add: Use this button for each license key you want to add.

For more information... click here: Link to the McAfee DLP FAQ page.

Shared Storage / Shared Storage Location: Specifies the UNC path to the evidence storage folder. Specify this path to store:
• Evidence files
• File with classification matches
• Registered document fingerprints.
  For Automatic Registered Document, Discover Server copies the fingerprint to the evidence share location defined in Server Configuration. DLP Server then loads the fingerprints from all evidence shares of Discover Servers and makes them available through REST API.
  For Manual Registered Document, the fingerprints are copied to all available evidence shares.
• Package containing ignored texts
• Endpoint discovery scan summary in CSV file format
• Exact database matches for McAfee DLP Prevent, McAfee DLP Monitor, and McAfee DLP Discover
• Search results for McAfee DLP Prevent and McAfee DLP Monitor

Copy using the following credentials: Radio button to specify a user name and password to copy evidence.

For Windows only environment - Use local Windows system account: You can use the local system account to copy evidence. Not supported by McAfee DLP Endpoint for Mac or McAfee DLP Prevent.

Test Credential: Tests the connection to the storage share. You can save the configuration even if the test is unsuccessful.

Shared Password: Specifies the override password for uninstalling the software, removing files from quarantine, encrypting evidence, and temporary client bypass.
As a mandatory security requirement, reset the default Shared Password. For more information, see section "Reset the Shared Password".
Note: In McAfee DLP Discover, the password is used for encrypting evidence only.

Backwards Compatibility: Sets the client compatibility. Use this setting for policy compatibility in networks with more than one McAfee DLP Endpoint client version.

Policy Validation: Sets the policy validation mode:
• Strict Mode — policy with errors can't be applied
• Non-Strict Mode — administrator can force application of a policy with errors
• No Validation

Advanced settings page

Use this page to specify McAfee DLP advanced settings.

Option definitions

Option: Definition

Last Modified: Displays the date and time stamp of the last changes to the settings.

Challenge-Response key: Specifies long (16 digit) or short (8 digit) key for requesting DLP Help Desk release keys for quarantine or client bypass.
Secured Master Release code — When selected, master release keys are generated and distributed with strengthened security.
Note: The secured master release code is only supported by specific versions of other McAfee DLP products. Do not select this checkbox if you are still using unsupported products. See KB90417 for information on supported versions.

Enforce system tree permissions: Specifies whether System Tree permissions are used or ignored. System Tree permissions can be used to filter incidents in the DLP Incident Manager and DLP Operations consoles.

Customized Event Timezone: Sets the custom time zone for DLP Incident Manager and DLP Operations.
Customized event time zone allows administrators to order events according to their local time zone. The setting is the offset from UTC time.

Policy Manager: Sets default rule state and default reaction in the DLP Policy Manager.

REST API: Enables or disables McAfee DLP REST API, a set of REST API actions used to create definitions, control policies, import users, and so forth.
Using McAfee DLP REST API requires a valid McAfee ePO user.

Classification settings page

Use this page to specify the Classification settings.


Option definitions

Category: Definition

Last Modified: Displays the date and time stamp of the last changes to the settings.

Registered Documents: Sets the maximum number of signatures to store in the master registered documents signature database.

Incident Manager settings page

Use this page to specify the Incident Manager settings.


Option definitions

Option: Definition

Last Modified: Displays the date and time stamp of the last changes to the settings.

Automatic Email Notifications: When selected, all stakeholders receive an email notification when an incident is changed. Use the Stakeholders checkboxes to add reviewers or users to the stakeholder list.

Short Match String: Configures storage of short match string data in the McAfee ePO database as encrypted or clear text.

Incident Management: Use the options to determine whether product vectors are displayed in the incident list.

Redaction Fields: Choose specific fields for redaction (relevant when the "Obfuscate sensitive incidents data" permission is activated).
Note: The Source field is applicable only to Removable Storage Protection rules. Select the Source field to hide the location of the file from where it is copied to the removable storage media in the incident details.

Status: Enable or disable status designations in the incident list. Built-in status can be:
• New
• Pending
• Viewed
• Under Investigation
• Escalated
• Resolved
• False Positive

Resolution: Enable or disable resolution designations in the incident list. Built-in resolution can be:
• None
• Case opened
• Resolved - HR notified
• Resolved - Manager notified
• Resolved - User notified
• Closed - Authorized
• Closed Business workflow
• Closed - False positive
• Closed - test

Actions → Add Status: Create a custom status definition.

Actions → Add Resolution: Create a custom resolution definition.

Operations Center settings page

Use this page to specify the Operations Center settings.

Option definitions

Option: Definition

Last Modified: Displays the date and time stamp of the last changes to the settings.

Automatic Email Notifications: Select the checkbox to send email notifications to all stakeholders when an event is changed. Add reviewers or users to the stakeholder list by selecting the appropriate checkbox.

Status: Enable or disable status designations in the incident list. Built-in status can be:
• New
• Pending
• Viewed
• Under Investigation
• Escalated
• Resolved
• False Positive

Resolution: Enable or disable resolution designations in the incident list. Built-in resolution can be:
• None
• Case opened
• Resolved - HR notified
• Resolved - Manager notified
• Resolved - User notified
• Closed - Authorized
• Closed Business workflow
• Closed - False positive
• Closed - test

Actions → Add Status: Create a custom status definition.

Actions → Add Resolution: Create a custom resolution definition.

Case Management settings page

Use this page to specify case management settings.

Option definitions

Option: Definition

Last Modified: Displays the date and time stamp of the last changes to the settings.

Automatic Email Notifications: Select the checkbox to send email notifications to all stakeholders when a case is changed. Add reviewers or users to the stakeholder list by selecting the appropriate checkbox.

Status: Enable or disable status designations in the incident list. Built-in status can be:
• New
• In progress
• Escalated
• Resolved
• Closed

Resolution: Enable or disable resolution designations in the incident list. Built-in resolution can be:
• Under investigation
• User notified
• Manager notified
• False positive
• Closed

Actions → Add Status: Create a custom status definition.

Actions → Add Resolution: Create a custom resolution definition.

MVISION Cloud server page

Use this page to configure the MVISION Cloud server.

Option definitions

Option / Option: Definition

Last Modified: Displays the date and time stamp of the last changes to the settings.

MVision Cloud Connection / Connect to McAfee MVISION Cloud: When selected, enables communication with the MVISION Cloud server.

MVision Cloud Server: Specifies the UNC path to the MVISION Cloud server, user name, and password.

Test Connectivity: Checks the connection.
Note: Connectivity is also checked when you click Save. The user name and password are those of the MVISION Cloud McAfee ePO server tenant.

Delete DLP policy: Use this option to delete a McAfee DLP policy from the MVISION Cloud server.
Note: You can only delete a policy that isn't in use in MVISION Cloud.

Modules / Pull incidents from MVISION Cloud: When selected, reports MVISION Cloud incidents in DLP Incident Manager.

Push DLP policy to MVISION Cloud: When selected, enables the selected McAfee DLP policy to be uploaded to the MVISION Cloud server.

DLP Policy Name: Select the policy to push from the drop-down list.

Status: Reports the system status. There are no user options in this field.

Save: Closes and saves the configuration.

Backup & Restore settings page

Use this page to back up the McAfee DLP configuration or restore a configuration from a saved file.

Option definitions

Category / Option: Definition

Last Backup / Include policy injection object (OPG) (OPG applies to McAfee DLP Endpoint, McAfee DLP Prevent, and McAfee DLP Monitor.): Select the checkbox to save the policy injection object (OPG) in the backup.

Backup to file: Backs up the configuration. Options allow you to select the backup path, and to open the file as well as save it. The display shows the time and date of the last backup, and the revision number.

Last Restore / Restore from file: Restores the configuration from the selected file. The display shows the time and date of last restore and the revision number.

Registered servers
Use this page to identify and describe a Microsoft RMS, LDAP or Seclore IRM server that you want to register with this McAfee
ePO server.

Note

This page is applicable only to McAfee DLP Endpoint and McAfee DLP Discover.

Option definitions

Option: Definition

Name: Specifies the name of the server.

Notes: Optional information about the RM server.

Server type: Specifies the type of server. Select the RM server from the drop-down list:
• Microsoft RMS Server
• Seclore Server

MS-RMS details
Use this page to provide details for a Microsoft RMS server.

Note

This page is applicable only to McAfee DLP Endpoint and McAfee DLP Discover.

Option definitions

Category / Option: Definition

Microsoft RMS server / Retrieve RMS template using: Selects the server path. Select from the drop-down list and enter the details.
• Web service URL
• Network share path

User@Domain: Specifies the user name.

Password: Specifies the user password.

Test Connectivity: Attempts connecting to the server with the details provided.

DLP enforcement settings / Local path to RMS template: Optional local path for storing templates.

RMS server discovery: Select auto-service or specify certification and licensing URLs.

Seclore details
Use this page to specify the information required to connect to a Seclore IRM server.

Note

This page is applicable only to McAfee DLP Endpoint.

Option definitions

Category / Option: Definition

Seclore policy server settings / FileSecure server URL: Text box for entering Seclore server URLs. You can specify as many servers as required.

HotFolder Cabinet ID / HotFolder Cabinet ID: Specifies the Seclore policy folder ID.

HotFolder Cabinet passphrase: Specifies the password for the policy folder.

Test Connectivity: Attempts connecting to the IRM server with the details provided.

Policy Server License type (used to specify additional licenses) / office formats: Specifies additional license for office formats other than Microsoft Office and PDF (default license).

Autocad file formats: Specifies a license for AutoCAD formats.

Visio: Specifies a license for Visio .vsd format.

User management
Permission Sets

Edit Permission Set: Data Loss Prevention page

Permission set options are designed to give granular control over administrator roles.

While the division of roles is generally optional, if you are using the sensitive data redaction feature, you must create separate
permission sets for the monitor viewer and the administrator who can reveal the encrypted data.

Option definitions

Category / Option: Definition

Policy Catalog / N/A: Users can view any McAfee DLP policy. Users can edit policies if they are an owner or if they are a member of the global administrator permission set.

DLP Discover / Discover Permissions: Select to have full control over configuring and running scans.
Note: Users must have DLP Policy Manager permissions to use rule sets in remediation scans.

DLP Policy Manager / Rule Sets Access Control: Select Use permissions to select rule sets for use in policies and scans.
Select View and use permissions to select rule sets for use in policies and scans and view details of rule sets and rules.
Select Full permissions to use, view, create, modify, and delete rule sets and rules.

Override permission for specific rule sets: Select a permission level for a specific rule set to override the inherited permission.

Rule Types: Checkboxes for data protection, device control, and discovery rules. Sets the rule types that are available.

Classifications / Classification Actions: Select "Manage manual classifications" to manage manual classifications.
Select "Registered documents and whitelisted text" to upload files for registering documents or whitelisting text.

Classification Permissions: Select Use permissions to select classifications for use in rules and view classification and tagging criteria.
Select View and use permissions to select classifications for use in rules.
Select Full permissions to use, view, create, modify, and delete classifications.

Override permission for specific rule sets: Select a permission level for a specific classification to override the inherited permission.

Definitions / Definition Permissions: Select use to select the definition in classifications, rules, and policies.
Select view and use to select the definition in classifications, rules, and policies, and can view definition content.
Select full access to use, view, create, modify, and delete definitions.

Incident Management / Incident Access by Type: Deselect rule types to limit access to only those types selected.

Incident Access by Reviewer (advanced): Select "User can view incidents assigned to him" to view incidents assigned to the owner. If redaction is selected, sensitive fields are blocked.
Select "User can view incidents assigned to the following permission sets" to view incidents assigned to the selected permission sets. If redaction is selected, sensitive fields are blocked. Click ... to select one or more permission sets.
Select "User can view all incidents" to view all incidents regardless of assignment. If redaction is selected, sensitive fields are blocked.

Evidence File Access: Select options to view evidence files or match string files or both.

Incidents Data Redaction: Select Supervisor permission to only reveal redacted fields when the incident is opened by a reviewer with access to the file.
Select "Obfuscate sensitive incidents data" to encrypt sensitive data so that it is not visible to the reviewer. This is considered a best practice.

Incident Tasks: Select "User can create a Mail Notification task" to create a task that sends email notification of policy violations.
Select "User can create a Purge notification task" to create a task that notifies recipients of an upcoming database purge.
Select "User can create a Set Reviewer task" to create a task that assigns reviewers to incidents.

REST API: Select "User can view the contents of evidence files through REST API" to allow use of the REST API option.

Operational Events / Operational Reviewer: Select "User can view operational events assigned to him" to view operational events assigned to a user. If redaction is selected, sensitive fields are blocked.
Select "User can view operational events assigned to the following permission sets" to view operational events assigned to the selected permission sets. If redaction is selected, sensitive fields are blocked. Click ... to select one or more permission sets.
Select "User can view all operational events" to view all operational events regardless of assignment. If redaction is selected, sensitive fields are blocked.

Operational Tasks: Select "User can create a Mail Notification task" to create a task that sends email notification of policy violations.
Select "User can create a Purge notification task" to create a task that notifies recipients of an upcoming database purge.
Select "User can create a Set Reviewer task" to create a task that assigns reviewers to incidents.

Case Management / Owner: Select "User can view cases assigned to him" to view cases assigned to the user. If redaction is selected, sensitive fields are blocked.
Select "User can view cases assigned to the following permission sets" to view cases assigned to the selected permission sets. If redaction is selected, sensitive fields are blocked. Click ... to select one or more permission sets.
Select "User can view all cases" to view all cases regardless of assignment. If redaction is selected, sensitive fields are blocked.

DLP Settings / DLP Settings Tabs: Deselect tabs to limit the DLP Settings users can access.

Capture / Capture Permissions: Allows the user to work with captured content to look for previously unidentified data loss incidents, save results as incidents and add them to cases, and tune rules or classification settings without affecting your live data analysis.

Edit Permission Set: DLP Help Desk Actions page

Use this page to set DLP Help Desk permissions for administrators.
Option definitions

Option: Definition

Generate client uninstall key: Grants the selected administrator permission to create uninstall keys.

Generate bypass client key: Grants the selected administrator permission to create bypass keys.

Generate release from quarantine key: Grants the selected administrator permission to create quarantine release keys.

Generate master response key for the keys above: Grants the selected administrator permission to create master release keys.

Edit Permission Set - Appliance Management

Use this page to specify permissions for appliances using the Appliance Management extension.

Option definitions

Option: Definition

Appliance Health and Statistics:
• No permissions — Grants no access for the Appliance Health and Statistics.
• View health and statistics — Grants access to view the Appliance Health and Statistics from the Appliance Management page.
Note: Use the System Tree access permission set to choose the appliances to display.

Appliance Database:
• No permissions — Allows you to view — but not to create, change, or run — the Purge Obsolete Appliance Management Data task.
• View, create and change database tasks; run database tasks on-demand — Grants the ability to run the Purge Obsolete Appliance Management Data task.
  You must also select the corresponding permission in the Server tasks permission set.

Edit Permission Set — Appliance Management Common Policy

Use this page to specify permissions for the common policy used by appliances managed by the Appliance Management
extension.
Option definitions

Option: Definition

Common Appliance Management 1.0.0: Policy and Tasks:
• No permissions — Grants no access to create or view the common appliance management policy.
• View policy and task settings — Grants access only to view the common appliance management policy.
• View and change policy and task settings — Grants access to view and edit the common appliance management policy.

Note

After setting user permissions, you must add the relevant user to the Owner list on the Policy Catalog → Common Appliance
Management 1.0.0 page.

Edit Permission Set: DLP Appliance Management Policy

Restrict access to the DLP Appliance Management settings in the Policy Catalog.

Note

This page is applicable only to McAfee DLP Prevent and McAfee DLP Monitor.

Option definitions

Option: Definition

DLP Appliance Management <version>: Policy and Tasks:
• No permissions — The user is unable to view the DLP Appliance Management policy.
• View policy and task settings — The user can see the DLP Appliance Management policy and task settings.
• View and change policy and task settings — The user can see the DLP Appliance Management policy and task settings, and make changes.

DLP Help Desk page

Use this page to set up an override key request.

Option definitions

Option: Definition

Key Type: Selects the type of key from a drop-down list. Options:
• Client bypass key
• Release from quarantine key
• Uninstall key

End user name *: Text field for user name.

End user email address *: Text field for user email address.

End user computer name: Text field for user computer name.

Request details (Business reason): Text field for business reason for the key.

Client bypass password: Provides two options for bypass password:
• Policy name and revision number
• Manual entry

Identification code *: Provides two options for identification code:
• Challenge code generated by the McAfee DLP Endpoint client and supplied by the user when requesting an override key
• Master release code

Release code: Click Generate Key to generate a release code. The button is not available until all required fields are filled in.

Bypass duration: Selects the override duration from a drop-down list. Option varies from 5 minutes to 30 days.

* indicates required fields. For more information, see Create override keys.



2| Policy Catalog settings

Policy Catalog settings


DLP policy
Active Rule Sets page

Use this page to view active rule sets, and to activate inactive rule sets.
Option definitions

Option: Definition

Rule Set [name]: Click a rule set name to view or edit the rule set.

Actions → Activate Rule Set: Opens the Activate Rule Set dialog box. Use this dialog box to activate or deactivate rule sets.

Actions → Choose Columns: Opens the Select the Columns to Display page. This standard McAfee ePO control page is used to determine the Active Rule Sets page display.

Enter a comment here: Text box for adding comments.

Duplicate: Creates a duplicate of the policy (all of the active rule sets).

Apply policy: Applies the policy to the McAfee ePO database.

Close: Closes the policy page, and returns you to the Policy Catalog page.

Endpoint Discovery scan page

Use this page to create or edit an Endpoint Discovery scan.

Note

This page is applicable only to McAfee DLP Endpoint.

Option definitions

Option: Definition

Name: Enter a unique name for the scan.

Schedule: Selects a Scheduler definition to schedule the scan.

Incident Handling: Drop-down lists to define maximum incidents per scan and stop scan parameters.

Error Handling: Drop-down lists to define maximum errors per scan and stop scan parameters.

User Interaction: Selects user initiated scans and self-remediation.

State: Selects the State parameter. Default: Disabled.

Folders: For email storage scans: Checkboxes to select email storage type (OST, PST) and folders to scan.
For local file system storage scans: Presents two Actions options.
• Select All Folders — Sets the scan to All Folders.
• Select Folders — Opens the Choose from existing values window to select defined folders.

Filters (Local File System scans only): Allows selection of defined filters (File Information definitions).

Rules: Displays rules and rule sets applied to the scan.

Duplicate: Creates a duplicate of the policy (all of the active rule sets).

Apply policy: Applies the policy to the McAfee ePO database.

Close: Closes the policy page, and returns you to the Policy Catalog page.

Settings page

These policy settings apply to all rules and rule sets in the policy. Use this page to set default Application Strategy, Device Class
overrides, and Privileged Users.

Application Strategy option definitions

Note: These options are applicable only to the Windows platform.

| Option | Definition |
| --- | --- |
| Application Strategy for Unknown Applications | Sets the default strategy for applications not defined in the McAfee DLP database. Default: Editor. |
| Override Application Settings | Selects applications for temporary override of Strategy or analysis of memory mapped files. |

Device Classes option definitions

| Option | Definition |
| --- | --- |
| Override Device Class Settings (Windows only) | Selects device classes for temporary override of Status or Filter Type. |

Privileged Users option definitions

| Option | Definition |
| --- | --- |
| Add Users / Add Groups | Selects Active Directory users and groups to add to the Privileged Users category. Rules are not applied for users in this category, but an event is logged in DLP Incident Manager when the rule is triggered. |
| Duplicate | Creates a duplicate of the policy (all of the active rule sets). |
| Apply policy | Applies the policy to the McAfee ePO database. |
| Close | Closes the policy page, and returns you to the Policy Catalog page. |

Policy Validation page

The Policy Validation page lists errors in the policy, such as backward compatibility errors, and allows you to correct them.

Option definitions

| Option | Definition |
| --- | --- |
| Severity | Specifies the severity. |
| Item Type | Type of rule containing the error. |
| Item Name | Name of the rule containing the error. |
| Details | Describes the error. For backward compatibility errors, describes what can happen on incompatible endpoints. |
| Actions | Click Edit to open the rule and view the error. |
| Duplicate | Creates a duplicate of the policy (all of the active rule sets). |
| Apply policy | Applies the policy to the McAfee ePO database. The button is grayed out as long as errors appear on the page. |
| Close | Closes the policy page, and returns you to the Policy Catalog page. |


Windows Client Configuration


Advanced Configuration page for Windows client

Use this page for configuring access protection and other settings for the McAfee DLP Endpoint for Windows client.

You can access the Advanced Configuration page from Menu → Policy → Policy Catalog → Data Loss Prevention <version> →
Windows → edit a policy → Settings → Advanced Configuration.

Option definitions

| Category | Option | Definition |
| --- | --- | --- |
| Endpoint Settings | Delay the start of DLP client | Time interval between logging on and client up. In rare cases, the endpoint software needs more time to load. Reset this default as recommended by Support. Changing this setting requires an endpoint restart. Default: Run immediately |
| | Run DLP client in Safe Mode | When enabled, activates endpoint protection when the computer starts in Safe Mode. Default: Disabled |
| | Maximum DLP client memory used (MB) | Limits the McAfee DLP Endpoint client memory. If a process pushes the client software over the set limit, it closes and restarts. Range: 150–500 |
| Access Protection Settings | DLP access protection | When enabled, activates the DLP data access protection features. Default: Enabled in both Device Control and full McAfee DLP Endpoint. |
| | Show challenge response on upgrade | When enabled, activates the challenge/response pop-up window on upgrade. Default: Enabled |
| | Show challenge response on uninstall | When enabled, activates the challenge/response pop-up window on uninstall. Default: Enabled |
| | Run DLP client watch dog | When enabled, monitors the endpoint processes and restarts them if closed. Changing this setting requires a client computer restart. Default: Enabled |
| | Run DLP client service watch dog | When enabled, monitors the watch dog and restarts it if it closes. Changing this setting requires a client computer restart. Default: Enabled |
| Agent Bypass | Stop agent bypass immediately when a new client configuration is loaded by McAfee DLP Endpoint client. | When selected, stops the agent bypass when the client configuration is updated. Default: Deselected (bypass continues to timeout) |

Clipboard Protection page

Use this page to edit the clipboard whitelisted applications list, and to enable or disable the Microsoft Office clipboard.

Option definitions

| Category | Option | Definition |
| --- | --- | --- |
| Whitelisted Processes | Process name | Enter an application name in the text box to add it to whitelisted processes. |
| | Add | Adds the process name to the whitelist. |
| | Actions | Allows the user to edit or delete the process name. |
| Microsoft Office Clipboard | Enabled / Disabled | When enabled, copying content from one Microsoft Office application to another is allowed. Default: Enabled |

Content Tracking page

Use this page to set text extractor options.

Option definitions

| Category | Option | Definition |
| --- | --- | --- |
| Text Extractor | Use the following fallback ANSI code page | Allows the administrator to select the fallback character set. The text extractor uses this character set to read input files when there is a problem identifying the correct code page. The default is to use the endpoint computer operating system native language. |
| | Maximum memory used (MB) | Sets the maximum amount used per process for text extraction. Default: 75 |
| | Maximum input file size to scan (MB) | The maximum file size the text extractor can handle. Default: 20 |
| | Maximum output file size (MB) | The maximum file size the text extractor generates to be used by the McAfee DLP Endpoint client. Default: 10 |
| Content fingerprinting | Select which technologies to use for adding meta-data | Optimizes content fingerprinting performance. |
| Content fingerprinting for Outlook | Preserve content fingerprints in attachments when sending or receiving an email | When selected, restores content fingerprints of email attachments if the recipient has McAfee DLP Outlook add-in installed. |
| Whitelisted Processes | Process name | Specifies an application name to add it to whitelisted processes. |
| | Folder | Specifies the folder name. Optional unless extensions are specified. |
| | All files | Adds all files in a named folder. |
| | Specific extensions | Adds the named extensions. |
| | Empty extension | Adds a blank extension. |
| | Web | When selected, dynamic fingerprints for web upload are not created. |
| | App | When selected, files opened by the named application in the named location are not analyzed. |
| | File | When selected, tags for files opened by the named application in the named location are not analyzed. |
| | Actions | Allows editing or deletion of the whitelisted process. |


Corporate connectivity page

Use this page to define servers to test connectivity to a corporate VPN.

Option definitions

| Category | Option | Definition |
| --- | --- | --- |
| Corporate Network Detection / Corporate VPN Detection | Detect if McAfee DLP Endpoint is inside the corporate network: | Radio buttons to choose connectivity test: • By testing connectivity to McAfee ePO • By testing connectivity to defined servers |
| | Server Address | Specifies the server IP address or host name for testing connectivity. |
| | Server Port | Specifies the server port for testing connectivity. |
| | Actions | Adds, edits, or deletes an entry. |

Debugging and Logging page

Use this page to set logging and automatic memory dump parameters.

Option definitions

| Category | Option | Definition |
| --- | --- | --- |
| Logs | Save log messages to files | When selected, saves log messages but does not display them. |
| | Print log messages to DebugView (Win) and Console (OSX) | When selected, displays log messages in DebugView or Console. Messages are not saved. |
| | Log Level | Determines the log output: • Log all messages (for debugging) • Warnings and Errors • Errors only |
| Automatic memory dump | Process to create memory dump | Specifies the McAfee DLP Endpoint process or processes to create a dump. |
| | Create memory dump in any of the following conditions | Specifies the dump creation conditions. You can select any or all checkboxes and vary the thresholds as required. |
| | Number of dumps to create | Sets the number of dumps created automatically. Default: 3 |
| Log DLP events to external HTTP server | Send DLP events to HTTP server | Enables/Disables sending events to an external server. Use the text box to enter the path. |
| Syslog Server Settings | Send DLP events to Syslog server | Drop-down list to enable or disable the Syslog connection. |
| | Server Address (IP address or Host name) | Text box to enter the Syslog server path. |
| | Server UDP Port | Text box to enter the UDP port. Default: 514 |
| | Actions | Click Add to add the text box information to the definition settings. |

Device control page

Use this page to set Device Control parameters.


Option definitions

| Option | Definition |
| --- | --- |
| iPhone Protection Mode (Plug and Play) | Sets the charging option when the device is blocked. Default: Block and do not allow to charge. |
| Device Control Settings (Plug and Play) | Enables or disables enforcing the policy immediately. When disabled, policies are only enforced when the McAfee DLP Endpoint client is restarted, or when the device is physically or logically enabled/disabled. Default: Enabled. |

Discovery (Endpoint) page

Use this page to set scan performance limitations for endpoint discovery.

Option definitions

| Category | Option | Definition |
| --- | --- | --- |
| Performance | Suspend scan when the system's CPU is above (%): | Limits scans to times when available CPU is above a specified threshold. Default: 50% |
| | Suspend scan when the system's used RAM is above (%): | Limits scans to times when available RAM is above a specified threshold. Default: 50% |
| Email storage discovery (Windows only) | Add the following prefix to the subject of emails that DLP quarantines | Defines the quarantined email file prefix. |

Email Protection page

Use this page to set McAfee DLP Endpoint parameters for email processing.


Option definitions

| Option | Definition |
| --- | --- |
| Email Caching | Stores tag signatures from emails to disk to eliminate re-parsing emails. Default: Enabled |
| Email recipients | Sets the maximum number of email recipients to report. Default: 10 |
| Email Handling API | Selects the API used to add functionality to outgoing mail. Select between: • MAPI • Outlook object model |
| Outlook 3rd party add-in integration | Sets integration with either Titus or Boldon James email classification software. |
| Outlook Background Processing (Only for McAfee DLP Endpoint 11.6 or later) | Enable background processing of emails to reduce user impact when sending emails using Microsoft Outlook. Set the maximum amount of time allowed to analyze the emails. • Maximum time allowed to analyze - 600 seconds • Maximum time allowed to analyze in foreground - 120 seconds. Enable a pop-up message that allows the end-user to either review a blocked email or to discard it. Enabling this pop-up message overrides the notification configurations defined in the Email Protection rule. Set the action taken to either send the email or to block it if the analysis time is exceeded. |
| Email Timeout Strategy (Applicable for McAfee DLP Endpoint lower than 11.6 when Outlook Background Processing is enabled.) | Sets maximum time to analyze an email and the action if the time is exceeded. |
| Outgoing Email User Notification (Applicable for McAfee DLP Endpoint lower than 11.6 when Outlook Background Processing is enabled.) | Sets the user notification message and when it is displayed. |

Shared Storage and Evidence page

Use this page to configure the client Shared Storage and Evidence for McAfee DLP Endpoint for Windows.

Option definitions

| Category | Option | Definition |
| --- | --- | --- |
| Shared Storage | Shared Storage Location | The UNC path to the location on the server where evidence is saved. To collect evidence, specify a folder for evidence collection in this text box. Specify this path to store: • Evidence files • File with classification matches • Registered document fingerprints (for Manual Registered Document, the fingerprints are copied to all available evidence shares) • Package containing ignored texts • Endpoint discovery scan summary in CSV file format |
| | Use local Windows system account | You can use the local system account to copy evidence. Not supported by McAfee DLP Endpoint for Mac or McAfee DLP Prevent. |
| | Copy files using the following credentials | When selected, uses the specified user and password to copy evidence. Fill in the User Name, Password, and Confirm Password text boxes to specify a user. |
| | Test Credential | Tests the connection to the storage share. You can save the configuration even if the test is unsuccessful. |
| Client Settings | Maximum evidence file size (MB) | The maximum size of an evidence file. Range: 10–2,575. Default: 25 |
| | Free space on hard drive must be greater than (MB) | The minimum free space on the managed computer including the evidence storage space. Default: 250 |
| | Maximum local evidence age (Days) | The maximum number of days that evidence remains on the managed computer before it is deleted. Default: 30 |
| | Maximum evidence transmission bandwidth (KBps) | The network bandwidth available between the managed computer and the server. Default: 2048 |
| | Maximum evidence files to copy per event | Sets the maximum number of evidence files copied. Select options from 100–10000. Default: 1000 |
| | Store original file | Select from the drop-down list. Default: Enabled |
| | Classification matches file | Sets the hit highlighting display option. Default: Create abbreviated results |
| Incident Information | Report short match string in incident details | When selected, displays the short match string on the Evidence tab of the incident details page. |

Operational Mode and Modules page

Use this page to select between McAfee Device Control and full McAfee DLP Endpoint, and to activate modules.

Option definitions

| Category | Option | Definition |
| --- | --- | --- |
| Operational Mode. Note: Changes in this category require a McAfee DLP Endpoint client restart | Device control and full content protection | Standard setting for full McAfee DLP Endpoint. When selected, supports all data protection, device control, and discovery rules, as well as manual tagging. |
| | Device control and content aware removable storage protection (without tag support) | Standard setting for Device Control. When selected, supports all device control rules plus removable storage data protection rules. Manual tagging is not supported. |
| | Device control only | When selected, supports all device control rules. Content classification is not supported. |
| Data Protection Modules | | Select modules to activate them. We recommend deselecting modules that you do not use to improve speed and efficiency. Note: Enable the Outlook Add-ins if you are using Endpoint Discovery rules that quarantine emails. If the Show Release from quarantine controls in Outlook control is not enabled, you cannot release emails from quarantine. |

Printing Protection page

Use this page to edit the application whitelist for printers.

Option definitions

| Category | Option | Definition |
| --- | --- | --- |
| Whitelisted Processes | Process name | Enter an application name in the text box to add it to whitelisted processes. |
| | Add | Adds the process name to the whitelist. |
| | Actions | Allows the user to edit or delete the process name. |

Quarantine page

Use this page to set quarantine file and folder parameters.

Option definitions

| Category | Option | Definition |
| --- | --- | --- |
| Folder Settings | Quarantine location | Sets the folder for quarantine files. |
| | Quarantine duration (Days) | Sets the length of quarantine. After this time, files are deleted. |


Removable Storage Protection page

Use this page to set the removable storage deletion mode.

Option definitions

| Category | Option | Definition |
| --- | --- | --- |
| | Deletion mode | Sets the deletion mode to Normal (delete only) or Aggressive (unrecoverable). |
| | Show end-user notification... | Select the checkbox to display the user notification when file analysis is more than 5 seconds. |
| | Notification text | Text box to enter custom user notification. (Maximum 150 characters) |
| Timeout Strategy | File analysis maximum time | Select a time from the drop-down menu. (Range: 10 sec-30 min) |
| | Action to perform if maximum time is exceeded | Select an action from the drop-down menu. (default: No action) |
| | Show end-user notification... | Select the checkbox to display the user notification if the analysis exceeds the timeout and the action is Block. |

Screen capture protection page

Use this page to edit the screen capture application list.

Option definitions

| Option | Definition |
| --- | --- |
| Screen Capture Protection | Enter an application name to add it to the list of protected screen capture applications. Note: The list is pre-populated with the most common screen capture applications. |
| Windows Explorer Preview Pane | When selected, disables Windows Explorer preview pane functionality. Default: Enabled |

User Interface Components page for Windows client

Use this page to set the appearance of the McAfee DLP Endpoint client display on end-user computers.

Option definitions

| Category | Option | Definition |
| --- | --- | --- |
| Client User Interface | (option checkboxes) | Selects the options for the client user interface display. |
| Challenge and Response | Message, Link text, Link URL | Text boxes for custom message, link and URL text. Default text is entered for the message. |
| Release code lockout policy | Maximum number of incorrect attempts | Use the scroll wheel to select number of attempts. Range: 1–25 (in five steps) |
| | Release code lockout time (mins) | Use the scroll wheel to select lockout time. Range: 5–60 (in four steps) |
| Client Banner Image | Browse | Text box for locating the image to be used as the banner. |
| | Sample | Opens a window to display how the banner appears in notifications and request justification uses. |
| | Restore Default | Restores the default (McAfee) banner. |

Web Protection page

Use this page to set web post HTTP GET requests.


Option definitions

| Option | Definition |
| --- | --- |
| Web protection evaluation | Select inputs for web request evaluation when matching web protection rules. These settings allow blocking requests sent by AJAX to a different URL from the one displayed in the address bar. At least one option must be selected. |
| Process HTTP Get requests | When enabled, enforces web protection rules on GET commands. Typically, web protection rules apply to HTTP POST and PUT commands. The GET function is resource-intensive, and should be used with caution. Default: Disabled |
| Supported Chrome versions | Browse field to update Google Chrome to the latest installed version. The XML file listing supported versions can be obtained from McAfee Support. |
| Web Timeout Strategy | Sets maximum time to analyze a web post and the action if the time is exceeded. |
| Whitelisted URLs | Select a URL to be whitelisted from the drop-down list. Use the New, Edit, or Delete options to change available whitelists. |


Client configuration Whitelist

Use this page to create or edit a client configuration whitelist.

Note

The whitelisted URL list is a common item used by all client configurations. Editing it in one client configuration thus affects all other client configurations in the system. After backup and restore, client configurations are not applied automatically and must be applied manually.

Option definitions

| Option | Definition |
| --- | --- |
| Name * | Enter a unique name for the definition. This field is required. |
| Description | Use this field for information to identify the definition or indicate when it is used. This field is optional. |
| Quick find | Text box for searching when there is a long list. You can search on the host, path, or description fields. |
| Apply | Searches for the text in the text box and displays the matching whitelists. |
| Clear | Clears the search. |
| Import Entries | Imports entries from a CSV file. |
| Export Entries | Exports the definition to a CSV file. Only saved definitions can be exported. |
| Save | Closes and saves the definition. |
| Cancel | Closes the definition without saving changes. |
| Actions | Adds a URL description to the list. |

Note: * indicates a required field

Add or edit the client configuration whitelist

Use this page to create or edit a whitelist URL definition.

Option definitions

| Category | Option | Definition |
| --- | --- | --- |
| Type: Domain | Protocol | Text box for adding a protocol such as https. |
| | Host | Text box for adding a hostname or IPv4 address. Wildcards are supported. |
| | Match Subdomains | When selected, matches all subdomains. |
| | Port | Text box for adding a port. |
| | Path | Text box for adding a path. Wildcards are supported. |
| | Description | Use this field for information to identify the definition or indicate when it is used. This field is optional. |
| | Parse | Text box for adding a path. Click Parse to fill in the table. |
| Type: IP Range | Protocol | Text box for adding a protocol such as https. |
| | From IP | Text box for adding the IP range start. |
| | To IP | Text box for adding the IP range end. |
| | Port | Text box for adding a port. |
| | Path | Text box for adding a path. Wildcards are supported. |
| | Description | Use this field for information to identify the definition or indicate when it is used. This field is optional. |

| Option | Definition |
| --- | --- |
| Save and New (Add only) | Saves the definition and opens a new Add window. |
| Save (Add only) | Closes and saves the definition. |
| OK (Edit only) | Closes and saves the definition. |
| Cancel | Closes the definition without saving changes. |

Note: Supported wildcards are: * matches multiple characters; ? matches a single character.
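
The Domain and IP Range fields above can be modelled to review how much traffic a whitelist entry would exempt before it is saved. This is an added example, not McAfee code: the class and function names are hypothetical and the product's own matching may differ. It assumes that `*` matches zero or more of any character (including `.` and `/`), that an empty field matches anything, and that Match Subdomains behaves like putting `*.` in front of the host.

```python
import re
from dataclasses import dataclass
from ipaddress import AddressValueError, IPv4Address
from typing import List, Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def wildcard_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters, '?' exactly one; the rest is literal."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE | re.DOTALL) is not None


def split_url(url: str):
    """Return (protocol, host, port, path); port falls back to the scheme default."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme), u.path or "/"


def fields_match(entry, scheme: str, port, path: str) -> bool:
    """Protocol, Port and Path checks shared by both entry types (empty = any, assumed)."""
    if entry.protocol and scheme != entry.protocol.lower():
        return False
    if entry.port is not None and port != entry.port:
        return False
    return entry.path is None or wildcard_match(entry.path, path)


@dataclass
class DomainEntry:  # models a "Type: Domain" definition
    host: str
    protocol: Optional[str] = None
    match_subdomains: bool = False
    port: Optional[int] = None
    path: Optional[str] = None

    def host_matches(self, host: str) -> bool:
        if wildcard_match(self.host, host):
            return True
        return self.match_subdomains and wildcard_match("*." + self.host, host)

    def matches(self, url: str) -> bool:
        scheme, host, port, path = split_url(url)
        return fields_match(self, scheme, port, path) and self.host_matches(host)


@dataclass
class IPRangeEntry:  # models a "Type: IP Range" definition
    from_ip: str
    to_ip: str
    protocol: Optional[str] = None
    port: Optional[int] = None
    path: Optional[str] = None

    def matches(self, url: str) -> bool:
        scheme, host, port, path = split_url(url)
        try:
            addr = IPv4Address(host)
        except AddressValueError:
            return False  # the URL names a host, not an IPv4 literal
        in_range = IPv4Address(self.from_ip) <= addr <= IPv4Address(self.to_ip)
        return in_range and fields_match(self, scheme, port, path)


def concrete(pattern: str) -> str:
    """Turn a pattern into one concrete string by filling wildcards with 'x'."""
    return pattern.replace("*", "x").replace("?", "x")


def audit(entry) -> List[str]:
    """Findings for entries that exempt more traffic than their name suggests."""
    findings = []
    if isinstance(entry, IPRangeEntry):
        lo, hi = int(IPv4Address(entry.from_ip)), int(IPv4Address(entry.to_ip))
        if lo > hi:
            findings.append("From IP is above To IP: the range matches nothing")
        elif hi - lo + 1 > 256:  # review threshold chosen for this example
            findings.append(f"range covers {hi - lo + 1} addresses")
        return findings
    host = entry.host
    if host.startswith("*") and not host.startswith("*."):
        probe = "unrelated" + concrete(host.lstrip("*"))
        if entry.host_matches(probe):
            findings.append(f"leading * is not tied to a dot: also matches {probe}")
    if host.endswith("*"):
        probe = concrete(host.rstrip("*")) + "unrelated.test"
        if entry.host_matches(probe):
            findings.append(f"trailing * spans dots: also matches {probe}")
    return findings


# Constructed sample entries (reserved .test names and private addresses).
SAMPLE_ENTRIES = [
    DomainEntry(host="corp.test", protocol="https", match_subdomains=True),
    DomainEntry(host="*corp.test"),
    DomainEntry(host="portal.corp.*", path="/upload/*"),
    IPRangeEntry(from_ip="10.0.0.1", to_ip="10.0.3.255"),
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(e, audit(e) or "ok")
```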

Mac OS X Client Configuration


Advanced Configuration page for macOS client

Use this page for configuring agent bypass for the McAfee DLP Endpoint for Mac client.


Option definitions

| Category | Option | Definition |
| --- | --- | --- |
| Agent Bypass | Stop agent bypass immediately when a new client configuration is loaded by McAfee DLP endpoint client | When selected, stops the agent bypass when the client configuration is updated. Default: Deselected (bypass continues to timeout) |
| Access Protection Settings | DLP access protection | When enabled, activates the DLP data access protection features. Default: Enabled |
| | Show challenge key response on uninstall | When enabled, activates the challenge/response pop-up window on uninstall. Default: Enabled |

Content Tracking page for Mac OS X client

Use this page to set text extractor options for McAfee DLP Endpoint for Mac.

Option definitions

| Category | Option | Definition |
| --- | --- | --- |
| Text Extractor | Use the following fallback ANSI code page | Allows the administrator to select the fallback character set. The text extractor uses this character set to read input files when there is a problem identifying the correct code page. The default is to use the endpoint computer OS native language. |
| | Maximum memory used (MB) | Sets the maximum amount used per process for text extraction. Default: 75 |
| | Maximum input file size to scan (MB) | The maximum file size the text extractor can handle. Default: 20 |
| | Maximum output file size (MB) | The maximum file size the text extractor generates to be used by the McAfee DLP Endpoint client. Default: 10 |
| Whitelisted Processes | Process name | Specifies an application name to add it to whitelisted processes. |
| | Folder | Specifies the folder name. Optional unless extensions are specified. |
| | All files | Adds all files in a named folder. |
| | Specific extensions | Adds the named extensions. |
| | Empty extension | Adds a blank extension. |
| | Actions | Allows editing or deletion of the whitelisted process. |

Corporate connectivity page

Use this page to define servers to test connectivity to a corporate VPN.

Option definitions

| Category | Option | Definition |
| --- | --- | --- |
| Corporate Network Detection / Corporate VPN Detection | Detect if McAfee DLP Endpoint is inside the corporate network: | Radio buttons to choose connectivity test: • By testing connectivity to McAfee ePO • By testing connectivity to defined servers |
| | Server Address | Specifies the server IP address or host name for testing connectivity. |
| | Server Port | Specifies the server port for testing connectivity. |
| | Actions | Adds, edits, or deletes an entry. |

Debugging and Logging page for Mac OS X client

Use this page to set logging and automatic memory dump parameters for McAfee DLP Endpoint for Mac.

Option definitions

| Category | Option | Definition |
| --- | --- | --- |
| Logs | Save log messages to files | When selected, saves log messages but does not display them. |
| | Log Level | Determines the log output: • Log all messages (for debugging) • Warnings and Errors • Errors only |

Discovery (Mac) page

Use this page to set scan performance limitations for McAfee DLP Endpoint for Mac discovery.

Option definitions

| Category | Option | Definition |
| --- | --- | --- |
| Performance | Suspend scan when the system's CPU is above (%): | Limits scans to times when available CPU is above a specified threshold. Default: 50% |
| | Suspend scan when the system's used RAM is above (%): | Limits scans to times when available RAM is above a specified threshold. Default: 50% |

Shared Storage and Evidence page for Mac OS X client

Use this page to configure the client Shared Storage and Evidence for McAfee DLP Endpoint for Mac.

Option definitions

| Category | Option | Definition |
| --- | --- | --- |
| Shared Storage | Storage Share Location | The UNC path for the location on the server where evidence is saved. To collect evidence, specify a folder for evidence collection in this text box. Specify this path to store: • Evidence files • File with classification matches • Endpoint discovery scan summary in CSV file format |
| | Copy files using the following credentials | Uses the specified user and password to copy evidence. Fill in the User Name, Password, and Confirm Password text boxes to specify a user. |
| | Test Credential | Tests the connection to the storage share. You can save the configuration even if the test is unsuccessful. |
| Client Settings | Maximum evidence file size (MB) | The maximum size of an evidence file. Range: 10–2,575. Default: 25 |
| | Free space on hard drive must be greater than (MB) | The minimum free space on the managed computer including the evidence storage space. Default: 250 |
| | Maximum local evidence age (Days) | The maximum number of days that evidence remains on the managed computer before it is deleted. Default: 30 |
| | Store original file | Select from the drop-down list. Default: Enabled |
| | Classification matches file | Sets the hit highlighting display option. Default: Create abbreviated results |
| Incident Information | Report short match string in incident details | When selected, displays the short match string on the Evidence tab of the incident details page. |

Operational Mode and Modules page

Use this page to select between McAfee Device Control and full McAfee DLP Endpoint, and to activate modules.

Option definitions

| Category | Option | Definition |
| --- | --- | --- |
| Operational Mode | Device control and full content protection | Standard setting for full McAfee DLP Endpoint. When selected, supports all data protection, device control, and discovery rules, as well as manual tagging. |
| | Device control and content aware removable storage protection (without tag support) | Standard setting for Device Control. When selected, supports all device control rules plus removable storage data protection rules. Manual tagging is not supported. |
| | Device control only | When selected, supports all device control rules. Content classification is not supported. |
| Data Protection Modules | Device Blocking | When selected, activates device rules that are configured in the policy. |
| | Reporting Service | When selected, activates the reporting service. (See also settings on the Evidence Copy Service page.) |
| | Evidence Copy Service | When selected, activates the evidence copy service. (See also settings on the Evidence Copy Service page.) |
| | Manual Classification User Interface (McAfee DLP 11.1.100 and later) | When selected, activates DLP Finder integration. Default: selected. Note: When this option is changed the user might need to log off the endpoint then log back on for it to take effect. |

Removable Storage Protection page for Mac OS X client

Use this page to set the removable storage deletion mode for McAfee DLP Endpoint for Mac.


Option definitions

| Option | Definition |
| --- | --- |
| Deletion mode | Sets the deletion mode to Normal (delete only) or Aggressive (unrecoverable). |

User Interface Components page for Mac OS X client

Use this page to set the appearance of the McAfee DLP Endpoint for Mac client display on end-user computers.

Option definitions

| Category | Option | Definition |
| --- | --- | --- |
| Client User Interface | | Selects the options for the client user interface display. |
| Challenge and Response | Message | Text box for custom message. Default text is entered. |
| | Link text | Text box for link text. |
| | Link URL | Text box for link URL. |
| Release code lockout policy | Maximum number of incorrect attempts | Use the scroll wheel to select number of attempts. Range: 1–25 (in five steps) |
| | Release code lockout time (mins) | Use the scroll wheel to select lockout time. Range: 5–60 (in four steps) |

Server Configuration
Box page

Use this page to set Box repository options.


Note

This page is applicable only to McAfee DLP Discover.

Option definitions

| Option | Definition |
| --- | --- |
| Use trash when deleting files | If selected and Box does not use the recycle bin, any Move actions taken on files will fail and will default to Copy. The default setting in Box is to enable the recycle bin. |
| Keep version history when encrypting files | When selected, the RMS policy encrypts and uploads a file as a new version of the unencrypted file. In this case, you can revert back to the unencrypted version of the file. When deselected, the encrypted file replaces the existing file. Note: An operational event is created for any problems or failures with uploading encrypted files. |

Shared Storage and Evidence page

Use this page to configure the server Shared Storage and Evidence by selecting the Enforce on field.

Option definitions

Category Option Definition

Shared Storage
  Copy files to network storage share
  Storage Share (UNC): The UNC path for the location on the server where evidence is saved. To collect evidence, specify a folder for evidence collection in this text box.
  Specify this path to store:
  • Evidence files
  • File with classification matches
  • Registered document fingerprints
    For Automatic Registered Document, Discover Server copies the fingerprint to the evidence share location defined in Server Configuration. DLP Server then loads the fingerprints from all evidence shares of the Discover Servers and makes them available through REST API.
    For Manual Registered Document, the fingerprints are copied to all available evidence shares.
  • Package containing ignored texts
  • Exact database matches for McAfee DLP Prevent, McAfee DLP Monitor, and McAfee DLP Discover
  • Search results for McAfee DLP Prevent and McAfee DLP Monitor
  Test Credential: Tests the connection to the storage share. You can save the configuration even if the test is unsuccessful.
  Copy files using local system account: When selected, uses the system account to copy files. McAfee DLP Discover only.
  Copy files using the following credentials: When selected, uses the specified user and password to copy evidence. Fill in the User Name, Password, and Confirm Password text boxes to specify a user.
  For McAfee DLP Prevent, if you do not specify a user and password, the copy fails.

Evidence Storage HTTP Service
  Enable Evidence Storage HTTP service: When selected:
  • Allows DLP Server to act as an HTTP proxy for McAfee DLP Prevent and McAfee DLP Monitor when storing evidence files to the storage share.
  • DLP Server stores the evidence files on behalf of McAfee DLP Prevent and McAfee DLP Monitor on the configured Storage Share (UNC).

Evidence Settings
  Maximum evidence file size (MB): The maximum size of an evidence file. Range: 10–2,575. Default: 25
  Maximum local evidence age (Days): The maximum number of days that evidence remains on the managed computer before it is deleted. Default: 30
  Maximum evidence files to copy per event: Sets the maximum number of evidence files copied. Select options from 100–10000. Default: 100
  Store original file: Toggle to enable/disable file storage. Default: Enabled
  Classification matches file: Sets the hit highlighting display option. Default: Create abbreviated results
  Incident Information: When selected, reports the short match string in the incident details.
  Note: The option to disable short match string reporting was added to comply with some recent legal and regulatory requirements.

Logging page

Use this page to set the logs and automatic memory dump.

Option definitions

Category Option Definition

Logs
  Save log messages to files: When selected, saves messages to files.
  Print log messages to DebugView (Win): When selected, saves messages to Microsoft Windows DebugView. You can select both options.
  Log Discover CrawlerLevel: Drop-down list to select the level. The default is Info Warning and Errors.

Automatic Memory Dump
  Process to create memory dump: Options to select on which McAfee DLP Discover process to run an Automatic Memory Dump to store contents of memory, for analyzing system issues.


Registered Documents page

Use this page to set up registration scans.

Note

This page is not applicable to McAfee DLP Endpoint.

Option definitions

Option Definition

Registered Documents package distribution (McAfee Network DLP): This cell is a read-only copy of the Storage Share (UNC) on the Evidence Copy Service page.

Registered Documents Content matching service (McAfee DLP Discover and McAfee Network DLP): Select a radio button to enable or disable registered documents. If you enable the registered documents feature, enter the path to the DLP Server for fingerprint matching. Click Test Connectivity to verify the path.

Registered Documents package loading (DLP Server): Read-only section. Lists all server configuration policies, with the evidence storage UNC and credentials.

Rights Management page

Use this page to set up the Microsoft RM service.

Option definitions

Option Definition

Domain: Text box for entering the domain name of the RMS server.

Username: Text box for entering the user name authorized to retrieve RMS templates.

Password: Text box for entering the user password.


SharePoint

Use this page to set the SharePoint repository options.

Note

This page is applicable only to McAfee DLP Discover.

Option definitions

Option Definition

Use Recycle Bin when deleting a file. Default: selected.

Text Extractor page

Use this page to set text extractor options.

This page can be accessed from Policy Catalog → Data Loss Prevention<version> → Server Configuration.

Option definitions

Category Option Definition

Text Extractor (Applicable only for McAfee DLP Discover)
  Use the following fallback ANSI code page: Allows the administrator to select the fallback character set. The text extractor uses this character set to read input files when there is a problem identifying the correct code page. The default is to use the native language of the endpoint computer operating system.
  Maximum input file size to scan (MB): The maximum file size the text extractor can handle. Default: 50
  Maximum output file size (MB): The maximum file size the text extractor generates to be used by McAfee DLP Discover. Default: 50
  Execution timeout per file (seconds): Maximum time for processing a file. Default: 300
  Inactivity timeout per file (seconds): Time the text extractor waits with no input or export before rejecting the file. Default: 60

Optical Character Recognition (OCR) (Applicable for McAfee DLP Discover, McAfee DLP Prevent, and McAfee DLP Monitor)
  Note: The OCR feature is supported in McAfee DLP Discover 11.1.100 and later and in McAfee DLP appliances 11.4.0 and later.
  Use OCR to extract text from images and scanned PDF files: When selected, enables OCR in classification and remediation scans of file repositories.
  To use OCR, you must install the OCR package on the McAfee DLP Discover server. See KB91046 for more information.
  The OCR package is pre-loaded in McAfee DLP Prevent and McAfee DLP Monitor appliances, but is unavailable unless the appropriate license key is installed.

DLP Appliance Management


General

Apply timeout and load balancing settings to McAfee DLP appliances. This category is available from Policy Catalog → DLP
Appliance Management<version> → General.

Option definitions

Option Definition

Load balancing
• Enable — Allow the appliance to be part of a cluster.
• Cluster Id — Add an identifier for the cluster. The identifier must be from 1–254.
• Virtual IP — If load balancing is enabled, add a virtual IP address for all appliances in the cluster to listen to.
The cluster appliances use the netmask assigned to the physical IP address.
Caution: The cluster ID and virtual IP address of the McAfee DLP Monitor cluster must be different from the cluster ID and virtual IP address of the McAfee DLP Prevent cluster.

Security mode
Enable FIPS 140-2 mode — When selected, the McAfee DLP appliance performs cryptographic operations in a way that is compliant with FIPS 140-2. Using FIPS 140-2 can impact performance when analyzing SMTP content.

Analysis Settings
• Maximum analysis time — The maximum time,
in minutes, that McAfee DLP Prevent attempts to
analyze an email or a web message. For McAfee
DLP Monitor, this is the maximum time in minutes
taken to analyze any network payload.
The maximum analysis time you can set is 999
minutes.
• Maximum nesting depth — The maximum depth
of .zip file attachments that McAfee DLP Prevent or
McAfee DLP Monitor analyzes.
The maximum nesting depth you can set is 100.
• Maximum file size — The maximum file size, in
megabytes, of expanded attachments that McAfee
DLP Prevent or McAfee DLP Monitor analyzes.
The maximum file size you can set for analysis is
2047 MB.

HTTP Proxy
• Enable — Allow cloud lookup functions with a proxy.
• Hostname — If HTTP proxy is enabled, add an IPv4 address or host name for the proxy.
• Port — If HTTP proxy is enabled, specify the port to be used. Default: 80
• Username — If HTTP proxy is enabled, enter a user name for the proxy.
• Password — If HTTP proxy is enabled, enter a password for the proxy.

Out-of-Band Management
Disable in-band access to management ports — When selected, McAfee DLP Monitor accesses management ports using the management interface rather than the traffic interface.
• 22 (SSH)
• 161 (SNMP)
• 10443 (Local UI)
You can add or remove management ports as needed.

McAfee DLP Server for Evidence Copy
If your McAfee DLP appliance is in a demilitarized zone (DMZ) with no network access to the evidence file share, you can provide the host name or IP address of a DLP Server.
The appliance then sends the evidence files to the configured DLP Server, which in turn copies the evidence files onto the evidence file share.
• Use TLS — Specify whether TLS encryption is used for the connection.
• Host — Enter the IP addresses or host names of the DLP Servers.
If multiple DLP servers are configured, the appliance uses a round-robin approach to send the evidence files.
If a DLP server is configured for evidence copy, it is also used for deleting any evidence files associated with DLP Capture searches when you delete a capture search.
Note: Make sure that Evidence Storage HTTP Service is enabled in the Data Loss Prevention <version> → Server Configuration → Evidence Copy Service page.

McAfee DLP Server for Registered Documents
Connects the McAfee DLP appliance and a McAfee DLP Discover server installed in the DLP Server role.
• Use TLS — Specify whether TLS encryption is used for the connection.
• Host — Enter the IP addresses or host names of the McAfee DLP Discover database servers.

Custom Logon Banner
Display a custom banner (must be plain text) — When selected, you can type your own text for display on the top of the McAfee DLP appliance console and SSH logon screen.

McAfee DLP Capture Settings

Enable the DLP Capture feature and store captured items that can be searched later or used to tune rules and classifications.

Option definitions

Option Definition

Enable Capture: When selected, a McAfee DLP appliance can capture data for searching or tuning.
If an appliance contains captured content but the DLP Capture feature has been disabled on it, the captured content can still be searched.

Delete captured items older than (days): When selected, enables the delete function. Select the number of days with the thumbwheel.
Default setting: selected. Range: 1–365, default 28


McAfee DLP Monitor Settings

Set the rule type that McAfee DLP Monitor uses to inspect SMTP, HTTP, or FTP traffic and create rules to analyze certain types of
traffic.

Option definitions

Option Definition

Protocol Rule Application
If you don't want to analyze SMTP, HTTP, or FTP traffic with email and web protection rules, you can deselect the corresponding checkboxes.
• Analyze SMTP traffic applying Email Protection Rules — Evaluates protocol attributes and applies Email Protection rules when analyzing SMTP traffic.
• Analyze HTTP traffic applying Web Protection Rules — Evaluates protocol attributes and applies Web Protection rules when analyzing HTTP traffic.
• Analyze FTP traffic applying Web Protection Rules — Evaluates protocol attributes and applies Web Protection rules when analyzing FTP traffic.

Traffic Rules
The rules in the list are evaluated in order. When the traffic matches the rule criteria, all subsequent rules in the list are ignored.
• Rule name — The name you gave the rule.
• Rule — The network attributes to evaluate against the traffic.
• Analyze Traffic? — Deselect this option to stop McAfee DLP Monitor analyzing traffic that matches the rule.
• The default rule analyzes all traffic by default. It cannot be deleted. It always stays at the bottom of the list and is used if no other rule in the list matches.
Click + to add new traffic filtering rules in the Add - Define Rule dialog box. The Match and Value options change depending on the attribute you select:
• Criteria — Click + to specify the network attributes that you want the rule to contain.
• Attribute — Select the type of network attribute that you want to add to the rule criteria.
  Important: The source and destination attributes relate to the flow of data, not the network connection.
• Match — Select the type of comparison for that criteria.
• Value — Type or select the value of the criteria. URL and email address values support wildcards.
  Note: Email address rules apply only to SMTP; URL rules apply only to HTTP.
• Update — Adds the criteria to the rule. You can add several criteria to a rule, but you can only add an attribute once to each rule.
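
The ordered, first-match evaluation described under Traffic Rules decides which traffic is left unanalyzed, so rule order is worth checking before a policy is saved. The following Python model is an added example, not McAfee code: it reports which rule decides each sample flow and which later rules are hidden by an earlier match. The attribute names (email_address, url, protocol), the treatment of * as any run of characters, the AND between criteria, and the sample rules and flows are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Assumption: attribute names are illustrative; the guide does not list them.
# Per the guide, email address rules apply only to SMTP and URL rules only to HTTP.
PROTOCOL_ONLY = {"email_address": "SMTP", "url": "HTTP"}


def wildcard_match(pattern, value):
    """Case-insensitive match where '*' stands for any run of characters (assumed)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


@dataclass
class Rule:
    name: str
    analyze: bool  # models the "Analyze Traffic?" checkbox
    # attribute -> value; dict keys keep each attribute to one entry per rule
    criteria: dict = field(default_factory=dict)

    def matches(self, flow):
        for attribute, pattern in self.criteria.items():
            required = PROTOCOL_ONLY.get(attribute)
            if required and flow.get("protocol") != required:
                return False
            value = flow.get(attribute)
            if value is None or not wildcard_match(pattern, value):
                return False
        # Every criterion matched (assumed AND); empty criteria match everything.
        return True


# The default rule analyzes all traffic and always sits at the bottom.
DEFAULT_RULE = Rule("Default", analyze=True)


def decide(rules, flow):
    """Return the first rule that matches; later rules are ignored."""
    for rule in [*rules, DEFAULT_RULE]:
        if rule.matches(flow):
            return rule


def shadow_report(rules, flows):
    """Map each later rule to the (flow id, deciding rule) pairs that hide it."""
    report = {}
    for flow in flows:
        winner = decide(rules, flow)
        after_winner = False
        for rule in rules:
            if rule is winner:
                after_winner = True
            elif after_winner and rule.matches(flow):
                report.setdefault(rule.name, []).append((flow["id"], winner.name))
    return report


# Constructed rule list, in evaluation order.
RULES = [
    Rule("Skip partner mail", False, {"email_address": "*@partner.example.com"}),
    Rule("Analyze partner finance", True,
         {"email_address": "finance@partner.example.com"}),
    Rule("Skip intranet uploads", False, {"url": "http://intranet.example.com/*"}),
]

# Constructed sample flows.
FLOWS = [
    {"id": "f1", "protocol": "SMTP", "email_address": "finance@partner.example.com"},
    {"id": "f2", "protocol": "HTTP", "url": "http://intranet.example.com/upload"},
    {"id": "f3", "protocol": "FTP"},
    {"id": "f4", "protocol": "SMTP", "email_address": "bob@example.org"},
]

if __name__ == "__main__":
    for flow in FLOWS:
        rule = decide(RULES, flow)
        print(flow["id"], "->", rule.name, "| analyzed:", rule.analyze)
    print("shadowed:", shadow_report(RULES, FLOWS))
```

In the sample, the broad "Skip partner mail" rule decides flow f1, so the narrower "Analyze partner finance" rule below it never takes effect; moving the narrower rule up restores analysis for that sender.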

McAfee DLP Prevent Email Settings

Disable SMTP scanning, add permitted hosts and more MTAs, bypass scanning emails sent from the specified email addresses,
and specify Transport Layer Security (TLS) settings.

Tip

To stop the appliance being an open relay, specify permitted hosts that can receive email. At times of heavy email traffic,
having more than one Smart Host can help to distribute the load.

In McAfee ePO, open the Policy Catalog. Select the DLP Appliance Management product, choose the McAfee DLP Prevent Email
Settings category, and open the policy you want to edit.

Option definitions

Option Definition

SMTP
• Enable SMTP — Enabled by default. Allows SMTP communication over port 25. You can disable this option on appliances dedicated to analyzing ICAP traffic.
• Enable Authenticated Mail Submission (Uses SMTP AUTH over TLS on port 587) — Disabled by default. Allows authenticated email submission over port 587. You can disable this option on appliances dedicated to analyzing ICAP traffic.

Connection Settings
• Onward connection — The maximum time, in
seconds, that McAfee DLP Prevent waits to
establish a connection with an MTA.
• Onward delivery — The maximum time, in
seconds, that McAfee DLP Prevent waits for the
final dot to be acknowledged when it delivers an
email message.
• Between SMTP commands — The maximum
time, in seconds, that McAfee DLP Prevent waits
between two SMTP commands.

Bounce Messages Sender Specify the sender email address for a bounced
email message.

Smart Hosts
• Round-robin — McAfee DLP Prevent delivers
messages to the list of MTAs using a round-robin
approach.
• Host — Add details of the MTAs that you want
to use to deliver messages. McAfee DLP Prevent
attempts to deliver the messages to the MTAs from
the top to the bottom of the list. Use the arrows to
set the priority.

Permitted Hosts
• Accept mail from any host — McAfee DLP Prevent accepts messages from any computer.
• Accept mail from these hosts only — When selected, you can type the details of permitted hosts that McAfee DLP Prevent can receive messages from. Enter the details of the host using its IP address with subnet, domain name, or wildcard domain name.
You can create groups of permitted hosts using subnets or wildcard domains. To add more than one subnet, you must create separate entries for each.

DLP Scan Bypass
• Add header X-RCIS-Action (BYPASS) — McAfee DLP Prevent appliance bypasses scanning of emails sent from the specified sender email addresses and adds a header in the message sent to the configured Smart Host.
• No Action — McAfee DLP Prevent appliance bypasses scanning of emails sent from the specified sender email addresses and doesn't add a header in the message sent to the configured Smart Host.
• Sender Email Address — Sender email address that you want to bypass from scanning. Use the is format to specify the actual email address. Use the matches format to specify multiple email addresses using *@domain_name.com.

Transport Layer Security
• Inbound communication
  Always — Rejects email from the sending MTA if their communication does not try to start encryption.
  Never — Connections to McAfee DLP Prevent never use TLS encryption.
  Opportunistic — This is the default setting. If available, the connection uses TLS encryption.
• Outbound communication
  Always — Always use TLS to send messages. If the Smart Host is not configured with TLS, McAfee DLP Prevent sends a 550 (Denied by policy. TLS conversation required) error message.
  Never — Connections to the Smart Host never use TLS encryption.
  Opportunistic — This is the default setting. If available, the connection uses TLS encryption.
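
One way to reconcile the X-RCIS-Action header with the DLP Scan Bypass sender list at the Smart Host, as an added example that is not part of the McAfee guide or product. It assumes the header appears on the wire as X-RCIS-Action: BYPASS, that the sender is read from the From header unless an envelope sender is supplied, and that * in a matches entry stands for any run of characters; the sender list and the messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: "Add header X-RCIS-Action (BYPASS)" is written as this
# header name with the value BYPASS.
BYPASS_HEADER = "X-RCIS-Action"
BYPASS_VALUE = "BYPASS"

# Constructed copy of the policy's Sender Email Address list:
# ("is", address) is one exact address, ("matches", pattern) uses *@domain.
BYPASS_SENDERS = [
    ("is", "scanner@printers.example.com"),
    ("matches", "*@alerts.example.com"),
]


def sender_is_exempt(sender, rules=BYPASS_SENDERS):
    """True if the sender is covered by an 'is' or 'matches' entry."""
    sender = sender.strip().lower()
    for kind, value in rules:
        value = value.lower()
        if kind == "is" and sender == value:
            return True
        if kind == "matches":
            # Escape everything except '*', so dots in the domain stay literal
            # and the pattern must cover the whole address.
            regex = ".*".join(re.escape(part) for part in value.split("*"))
            if re.fullmatch(regex, sender):
                return True
    return False


def audit_message(raw, envelope_sender=None, rules=BYPASS_SENDERS):
    """Classify one message by bypass header versus configured sender list."""
    msg = message_from_string(raw)
    values = [v.strip().upper() for v in msg.get_all(BYPASS_HEADER, [])]
    bypassed = BYPASS_VALUE in values
    sender = envelope_sender or parseaddr(msg.get("From", ""))[1]
    exempt = sender_is_exempt(sender, rules)
    if bypassed and not exempt:
        verdict = "unexpected-bypass"   # header present, sender not on the list
    elif bypassed:
        verdict = "expected-bypass"
    elif exempt:
        verdict = "exempt-no-header"    # consistent with the "No Action" option
    else:
        verdict = "scanned"
    return {"sender": sender, "bypassed": bypassed, "verdict": verdict}


def audit_all(messages, rules=BYPASS_SENDERS):
    return [audit_message(raw, rules=rules) for raw in messages]


# Constructed messages as they might arrive at the Smart Host.
SAMPLES = [
    "From: Scanner <scanner@printers.example.com>\nTo: a@example.com\n"
    "X-RCIS-Action: BYPASS\nSubject: scan 0042\n\nbody\n",
    "From: bob@partner.example.net\nTo: a@example.com\n"
    "X-RCIS-Action: BYPASS\nSubject: q3 figures\n\nbody\n",
    "From: alice@example.com\nTo: b@example.org\nSubject: hello\n\nbody\n",
    "From: noc@alerts.example.com\nTo: ops@example.com\nSubject: disk\n\nbody\n",
]

if __name__ == "__main__":
    for result in audit_all(SAMPLES):
        print(f"{result['sender']:32} {result['verdict']}")
```

Messages reported as unexpected-bypass carry the header although the sender is not on the configured list, which is the case to review against the current policy.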

McAfee DLP Prevent Web Settings

Disable ICAP scanning, and manage the types of requests that you want the appliance to handle.

Option definitions

Option Definition

Web Settings
The McAfee DLP Prevent appliance analyzes traffic from Web Gateway through the secure and unencrypted ports.
Disable all unused services.
If you choose to disable one of the channels, McAfee DLP Prevent only accepts connections from the enabled channel.
• Services — If both channels are selected, both the secure and unencrypted ICAP ports are open.
  Secure ICAP (port 11344) — ICAP traffic is encrypted over a TLS connection using the appliance's default certificate. Enabled by default. Use the encrypted channel for your ICAP traffic.
  Unencrypted ICAP (port 1344) — The ICAP communication is in plain text. Enabled by default.
  If neither channel is selected, the REQMOD and RESPMOD options are unavailable.
• Methods — Specify the type of requests that you want the McAfee DLP Prevent appliance to analyze.
  REQMOD — Enables scanning of ICAP Request Modification (REQMOD) requests to identify potential data loss incidents in content uploaded to the Internet by employees. Enabled by default. You might want to disable REQMOD if you only want to analyze RESPMOD requests.
  RESPMOD — Enables scanning of ICAP Response Modification (RESPMOD) requests to identify potential data loss incidents in content downloaded from your organization's web servers by external users. Disabled by default. Only enable RESPMOD if you have web servers that external users can download information from that you want to analyze.

Permitted Hosts
• Accept request from any host — McAfee DLP
Prevent accepts requests from any computer.
• Accept request from these hosts only — When
selected, you can type the details of permitted
hosts that McAfee DLP Prevent can receive
requests from. Enter the details of the host using
its IP address with subnet, domain name, or
wildcard domain name.

You can create groups of permitted hosts using subnets or wildcard domains. To add more than one subnet, you must create separate entries for each.

Users and groups

Select the registered LDAP servers that you want to push group information to McAfee DLP appliances, and add details of
McAfee Logon Collector servers.

Option definitions

Option Definition

LDAP Servers
• Server Name — Registered LDAP server
• Server IP/Domain — The IP address or domain name of a registered LDAP server that you want to use. Use the Registered Servers page to connect LDAP servers with McAfee ePO.
• Initiate daily synchronization at — Use this field to set the time when the daily synchronization of the appliance with the LDAP servers must happen. The default is 3.00 a.m.
• Delay synchronization start by up to (hours) — Select the checkbox to specify the synchronization delay between the appliances. The default is 2 hours. You can set the random synchronization start interval between 1–10 hours.

McAfee Logon Collector
• Identify users making web requests — Select to enable McAfee Logon Collector with McAfee DLP appliances.
• + — Opens the Add dialog box where you can specify the details of the McAfee Logon Collector server.
  Server IP or Hostname — The McAfee Logon Collector IP address in IPv4 format.
  Port — The McAfee Logon Collector port. The default port is 61613.
  Import from file — Browse to a file that contains the Base64 certificate text you copied from McAfee Logon Collector.
  Paste from clipboard — Add the Base64 certificate text from McAfee Logon Collector.
• Server — Contains the IP address or host name of the selected McAfee Logon Collector server. You can add more than one Logon Collector.
• Port — The McAfee Logon Collector port.

Save: Click to save the LDAP server, LDAP synchronization, and McAfee Logon Collector server settings.


Classification
Classification page
The Classification page contains a list of existing content classifications and classification groups. Use this page to add new
content classifications and groups, or to edit or delete existing content classification and groups.

The default page for the classification feature includes tabs for Manual Classification, Register Documents, Whitelisted
Text, Definitions and Classification Tester. Create new classifications before going to the Manual Classification or Register
Documents tab to define user groups with permission to classify manually. Definitions can be defined in advance, or when
defining a new classification.

Note

Register Documents and Whitelisted Text are only supported on McAfee DLP Endpoint for Windows.

Option definitions

Category Option Definition

Content Classification
  Name: Editable text box for classification name. The initial name displayed is the one entered when creating the classification. This field is needed.
  Description: Editable text box for descriptive text to help identify the classification. This field is optional.
  Tag ID: Displays the ID assigned when the classification was created. You can edit or reset the value.
  Manual Classification: Lists the number of user groups allowed to classify files manually for this classification.
  Register Documents: Lists the number and total size of documents registered as this classification.
  Automatic Classification: Lists all content classification and fingerprint criteria assigned to the classification.
  Automatic classifications can be set on files by McAfee DLP Endpoint for Windows. McAfee DLP Discover, McAfee DLP Prevent, and McAfee DLP Endpoint for Mac can enforce data protection rules based on automatic classifications, but can't set or view them.

Classification Group
  Name: Editable text box for classification group name. The initial name displayed is the one entered when creating the group. This field is required.
  Description: Editable text box for descriptive text to help identify the classification group. This field is optional.
  Classifications: Lists all content classification assigned to the group. You can view more details about a specific classification by clicking its link.


Actions definitions

Category Option Definition

Content Classification
  Classification Usage: Displays a list of all rules that use the selected classification.
  Delete Classification: Removes the selected classification from the database, after verification.
  Duplicate Classification: Use this option to create working copies of read-only, built-in sample classifications.
  New Content Classification Criteria: Opens a properties page to define new criteria for the selected classification.
  New Content Fingerprinting Criteria: Use the submenu to select the type of fingerprinting criteria to define:
  • Application — Selects content based on the application that created it
  • Location — Selects files based on UNC path
  • Web Application — Selects content based on the URL being posted to
  Save Classification: Saves the changes in the database.

Classification Group
  Manage Classifications: Opens a window to select one or more classifications to add for the selected group.
  Save Classification Group: Saves or removes the selected classification group.
  Delete Classification Group: Removes the selected classification group and moves classification/s to Unassigned group.

Other control options definitions

Category Option Definition

Content Classification
  New Classification: Opens a window where you can enter a name, description, and choose a group for a new classification. The classification is added to the left pane of the classification page when you complete creating it.

Classification Group
  New Classification Group: Opens a window where you can enter a group name and group description. The classification group is added to the left pane of the classification page when you complete creating it.

Classification Criteria page

Use this page to create new content classification criteria.

Option definitions

Option Definition

Name: Enter a unique name for the criteria definition. This field is required.

Property: Select properties for application tagging from the Data conditions or File conditions options.
Note: File conditions are not evaluated when the classification is used to inspect content that is not a file.

Comparison: Select the Boolean comparison criteria (AND, OR, NOT) for multiple values.

Value: Click the Select icon to open the Choose from existing values window. Select a value from the list.
To add additional values, click .

Note

Every selected property must have a value assigned to it. To save the definition, deselect any properties that do not have
values assigned.

Application content fingerprinting Criteria page

Use this page to add criteria for application content fingerprinting.

Option definitions

Option Definition

Classification: Displays the name of the classification you are adding criteria to.

Criteria Name: Enter a unique name for the criteria definition. This field is required.

Applications: Click the Select icon to open the Choose from existing values window.

Available Properties: Select properties for application tagging from available Data conditions and File conditions.

Comparison: Select the Boolean comparison criteria (AND, OR, NOT) for multiple values.

Value: Click the Select icon to open the Choose from existing values window. Select a value from the list.
To add additional values, click .

Note

Every selected property must have an assigned value. To save the definition, deselect any properties that do not have
assigned values.

Box content fingerprinting criteria

Use this page to define and add Box content fingerprinting criteria.

Note

This page is applicable only to McAfee DLP Endpoint and McAfee DLP Discover.

Option definitions

Option Definition

Classification: Displays the name of the classification where you are adding criteria.

Criteria Name: Enter a unique name for the criteria definition. This field is required.

Box Account Names: Account can be any file or a specified Box account. If you select Files located in one of the following Box Accounts, use Actions to add accounts.

Available Properties: Select properties for content classifications from the available Data conditions and File conditions.
Note: File conditions are not evaluated when the classification is used to inspect content that is not a file.

Comparison: Selects the Boolean comparison criteria (AND, OR, NOT) for multiple values.

Value: Click the Select icon to open the Choose from existing values window. Select a value from the list.
To add additional values, click .

Location content fingerprinting Criteria page

Use this page to define and add location content fingerprinting criteria.

Option definitions

Option Definition

Classification: Displays the name of the classification where you are adding criteria.

Criteria Name: Enter a unique name for the criteria definition. This field is required.

Removable Media: Specify if the location is on removable media. This field is optional.

Network shares (UNC): Specifies a network share for the location tagging. This field is required. Click the Select icon to open the Choose from existing values window.

Available Properties: Select properties for content classifications from available Data conditions and File conditions.
Note: File conditions are not evaluated when the classification is used to inspect content that is not a file.

Comparison: Select the Boolean comparison criteria (AND, OR, NOT) for multiple values.

Value: Click the Select icon to open the Choose from existing values window. Select a value from the list.
To add additional values, click .

Note

Every selected property must have an assigned value. To save the definition, deselect any properties that do not have
assigned values.

SharePoint content fingerprinting criteria page

Use this page to define and add SharePoint content fingerprinting criteria.

Note

This page is applicable only to McAfee DLP Endpoint and McAfee DLP Discover.

Option definitions

Option Definition

Classification: Displays the name of the classification where you are adding criteria.

Criteria Name: Enter a unique name for the criteria definition. This field is required.

Web Address (URL): Specifies a web address. This field is required. Click the Select icon to open the Choose from existing values window.

Available Properties: Select properties for content classifications from the available Data conditions and File conditions.
Note: File conditions are not evaluated when the classification is used to inspect content that is not a file.

Comparison: Selects the Boolean comparison criteria (AND, OR, NOT) for multiple values.

Value: Click the Select icon to open the Choose from existing values window. Select a value from the list.
To add additional values, click .

Web Application content fingerprinting criteria page

Use this page to define and add web application content fingerprinting criteria.

Note

This page is applicable only to McAfee DLP Endpoint and McAfee DLP Discover.

Option definitions

| Option | Definition |
|---|---|
| Classification | Displays the name of the classification where you are adding criteria. |
| Criteria Name | Enter a unique name for the criteria definition. This field is required. |
| Web Address (URL) | Specifies a web address. This field is required. Click the Select icon to open the Choose from existing values window. |
| Available Properties | Select properties for content classifications from the available Data conditions and File conditions. Note: File conditions are not evaluated when the classification is used to inspect content that is not a file. |
| Comparison | Selects the Boolean comparison criteria (AND, OR, NOT) for multiple values. |
| Value | Click the Select icon to open the Choose from existing values window. Select a value from the list. To add additional values, click the plus icon. |

Choose from existing values page

Use this window to select definitions.

The options available depend on the type of definition selected.

Option definitions

| Option | Definition |
|---|---|
| Filter items | Specifies a string filter. For example, if you type FTP, only definitions with FTP in the title are displayed. |
| GO | Activates the definition in the Filter items field. |
| Show selected items only | When selected, limits the display to selected items. |
| Include Built-in items | When selected, displays items from the McAfee default catalog. |
| Show Groups | Used with Device Templates only. When selected, displays all group definitions. |
| Show Items | Used with Device Templates only. When selected, displays all item definitions. |
| New Group | Used with Device Templates only. Opens a window to create a new device group definition. |
| New Item | Opens a window and allows you to create a new definition. |
| OK | Accepts the selected items into the definition. |
| Cancel | Terminates the operation without saving. |
| View | Displays the catalog definition. Note: Applies only to built-in items. |
| Edit | Modifies the selected item. Note: Applies only to user-defined items. |
| Count multiple occurrences of each match string. / Count each match string only once. | Used with Advanced Pattern and Dictionary properties only. Controls the way the property is defined in the classification. |

Proximity Operator page

Use this page to configure proximity classification criteria.

Option definitions

| Option | Definition |
|---|---|
| Proximity Between, and | Selects the two values to specify proximity for. The values can be a dictionary, an advanced pattern, or a keyword. You can add multiple keywords separated by comma (,). |
| Closeness | Specifies how close the values must appear. Example: If you enter 20, the two values must appear within 20 characters of each other in order to trigger the classification criteria. |
| Match Count | Specifies how many times the values must appear in proximity to each other to trigger the classification criteria. |
| OK | Retains your changes and closes the window. |
| Cancel | Discards your changes and closes the window. |
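
The following added example (not McAfee code) models how Closeness and Match Count interact, so you can reason about a proximity rule before running it through the classification tester. It assumes closeness is the number of characters between the end of one match and the start of the other, in either order, and that each occurrence of the first value counts at most once; the guide does not specify these details. The sample text and identifiers are constructed.

```python
import re

def keyword_spans(text, keywords_csv):
    """Spans of every keyword in a comma-separated list (literal, case-insensitive)."""
    keywords = [k.strip() for k in keywords_csv.split(",") if k.strip()]
    spans = []
    for kw in keywords:
        spans += [m.span() for m in re.finditer(re.escape(kw), text, re.IGNORECASE)]
    return sorted(spans)

def pattern_spans(text, regex):
    """Spans of every regex match (stands in for an advanced pattern)."""
    return [m.span() for m in re.finditer(regex, text)]

def gap(a, b):
    """Characters separating two spans; 0 when they touch or overlap."""
    if a[1] <= b[0]:
        return b[0] - a[1]
    if b[1] <= a[0]:
        return a[0] - b[1]
    return 0

def proximity_hits(text, first_spans, second_spans, closeness):
    """Pair each first-value occurrence with its nearest second value within `closeness`."""
    hits = []
    for f in first_spans:
        near = [s for s in second_spans if gap(f, s) <= closeness]
        if near:
            s = min(near, key=lambda c: gap(f, c))
            hits.append((text[f[0]:f[1]], text[s[0]:s[1]], gap(f, s)))
    return hits

def criteria_triggered(text, keywords_csv, regex, closeness, match_count):
    """Return (triggered, hits) for one proximity criterion."""
    hits = proximity_hits(text, keyword_spans(text, keywords_csv),
                          pattern_spans(text, regex), closeness)
    return len(hits) >= match_count, hits

# Constructed sample: three ID-like numbers, only two of them near a keyword.
SAMPLE = (
    "Payroll record: ID 000-12-3456 approved by the finance team. "
    "Ticket reference 000-98-7654 was closed after a routine review yesterday. "
    "Salary adjustment for 000-55-1234 pending."
)
ID_PATTERN = r"\b\d{3}-\d{2}-\d{4}\b"  # constructed pattern for the sample

if __name__ == "__main__":
    for closeness, count in [(20, 2), (20, 3), (10, 1)]:
        ok, hits = criteria_triggered(SAMPLE, "payroll, salary", ID_PATTERN, closeness, count)
        print(f"closeness={closeness} match_count={count} triggered={ok} hits={hits}")
```

With Closeness 20 the unrelated ticket number is ignored because no keyword sits near it; tightening Closeness to 10 drops both real hits, which is the kind of false negative to look for when tuning.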

Location in file page

Use this page to select where to look for classification criteria in a document.

Option definitions

| Option | Definition |
|---|---|
| document sections | Specifies where in a document to look for classification criteria: the header, body, or footer. |
| within first (characters) | Specifying the number of characters for the within first (characters) option in a classification looks for the sensitive content in the header, that is, in the first part of the first page in a document. |
| OK | Retains your changes and closes the window. |

Exact Data Fingerprints Match Criteria page

Use this screen to set up an exact data fingerprints match.

Option definitions

| Option | Definition |
|---|---|
| Exact Data Fingerprints Records | Opens a window with a list of exact data fingerprints to select from. |
| Single record match criteria | Contains two text fields to specify the match criteria: The first field specifies the number of cell values to match. The second specifies the proximity. |
| Number of records to match | Text field to enter the number of matches. |

Manual classification page


This page contains a list of existing content classifications and the user groups that can manually set or remove them. Use this
page to add new user groups to defined classifications.

After you have created classification definitions on the Classification tab, you can specify user groups that are allowed to set or
remove these classifications from files manually.

Option definitions

| Option | Definition |
|---|---|
| View | Selects the page organization. The options are: Group by classifications (lists the End-User groups per classification); Group by end user groups (lists the classifications per End-User group); General Settings (contains checkboxes for additional settings). |
| Additional Actions (Group by classifications) | Checkboxes for Manual classification and Content fingerprinting. The default is manual classification only, but you can select both or change the setting to content fingerprinting only. |
| End-User Groups (Group by classifications) | Lists the selected user groups. |
| Actions → Allow everyone | When you group by classifications, use this option to allow all users to set manual tags. |
| Actions → Select End-User Groups | When you group by classifications, use this option to add new user groups to a classification. |
| Actions → Select Classifications | When you group by user groups, use this option to add new classifications to a user group. |

Register Documents page


Use this page to review registered documents, upload documents, and create signature packages.

The Register Documents tab of the Classification module displays a list of files that have been registered, and the classification
applied.

Tip

To upload multiple files, add the files to a compressed (zipped) folder.

Option definitions

| Category | Option | Definition |
|---|---|---|
| Menu bar | Type | Indicates the type of registered documents displayed on the page. Options are Manual Registration (from uploads), Automatic Registration (from McAfee DLP Discover registration scans), and Exact Data Fingerprints. |
| | View | Toggles the page display between Statistics and Group by views. |
| | Scan (Type: Automatic Registration only) | Selects a pre-defined scan filter (applicable only to McAfee DLP Discover). |
| | Classification | Selects a pre-defined classification filter. |
| | Filter | Selects a custom filter. (Use Edit to create a filter, and Save to use a filter in future sessions.) |
| Actions Menu | Choose Columns | Selects and orders columns to control the view. |
| | Create Package | Adds the files to the McAfee ePO database to be distributed to the McAfee DLP Endpoint clients. Note: The Create Package command works on the registered documents list and the whitelisted documents list simultaneously to create a single package. The maximum number of signatures per package is 1 million each for registered documents and whitelisted documents. |
| | Delete File | Deletes the selected documents from the database. |
| | Upload File | Opens a File Upload window. The window has a Browse button to select files, and checkboxes to assign classifications. There are also options to replace existing files, or not upload if the file exists. |

Whitelisted Text page


McAfee DLP Endpoint ignores whitelisted text when processing file content. Use whitelisting for text that commonly appears in
files, such as boilerplate, legal disclaimers, and copyright information.

The Whitelisted Text tab of the Classification module displays a list of whitelisted files and statistics on size, number of
signatures, and so forth.

Tip

To upload multiple files, add the files to a compressed (zipped) folder.

Option definitions

| Option | Definition |
|---|---|
| File Upload (Actions → File Upload) | Opens a File Upload window where you can select files and assign classifications. |
| Create Package (Actions → Create Package) | Adds the files to the McAfee ePO database to be distributed to the McAfee DLP Endpoint clients. Note: The Create Package command works on the registered documents list and the whitelisted documents list simultaneously to create a single package. The maximum number of signatures per package is 1 million each for registered documents and whitelisted documents. |
| Actions → Delete | Deletes the selected documents from the database. |

Definitions: Data

Advanced Pattern definition page

Use this page to create or edit an Advanced Pattern definition.

An advanced pattern consists of an expression to be tested and an optional false positive expression. You can add multiple
expressions to a single definition to create a "Text Pattern Group".

Option definitions

| Category | Option | Definition |
|---|---|---|
| | Name | Replace the default definition name with a unique name for this definition. This field is required. |
| | Description | Use this field for information to identify the definition or indicate when used. This field is optional. |
| Matched Expression | Expression | The regular expression (Regex) or keyword pattern to be matched. |
| | Description | Additional information to identify the pattern. This field is optional. |
| | Validator | For Regex, designates an algorithm to test the pattern. Select an appropriate validator from the drop-down list. Default: No Validation |
| | Score | Weighting for the expression. Range: -99–99 |
| | Add | Adds the defined expression to the matched expression definition. |
| Ignored Expressions | Expression | A pattern that is excluded from matching. |
| | Type | Regex or Keyword. |
| | Add | Adds the defined expression to the false positive definition. |
| | Import Keywords | Opens a text box for entry of multiple keywords. |
| | Delete All Keywords | Deletes all false positive definitions using keywords. |
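
To show why the Validator and Ignored Expressions fields matter for false positives, here is an added example (not McAfee code) that models one matched expression with a score, an optional validator, and ignored regexes and keywords. The Luhn checksum is used as a stand-in validator, and summing the score once per accepted match is an assumption; the guide does not list the available validators or the scoring arithmetic. The sample text uses constructed order lines and well-known test card numbers.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

def luhn_valid(candidate: str) -> bool:
    """Luhn checksum over the digits of the candidate (stand-in for a Validator)."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

@dataclass
class MatchedExpression:
    regex: str
    score: int
    validator: Optional[Callable[[str], bool]] = None  # None models "No Validation"

    def __post_init__(self):
        if not -99 <= self.score <= 99:   # range given in the option table
            raise ValueError("score must be between -99 and 99")
        self.compiled = re.compile(self.regex)

@dataclass
class AdvancedPattern:
    expressions: List[MatchedExpression]
    ignored_regexes: List[str] = field(default_factory=list)
    ignored_keywords: List[str] = field(default_factory=list)

    def _ignored(self, value: str) -> bool:
        if value.lower() in (k.lower() for k in self.ignored_keywords):
            return True
        return any(re.fullmatch(r, value) for r in self.ignored_regexes)

    def evaluate(self, text: str):
        """Return (accepted matches, total score) after ignore and validator filtering."""
        accepted, total = [], 0
        for expr in self.expressions:
            for m in expr.compiled.finditer(text):
                value = m.group(0)
                if self._ignored(value):
                    continue
                if expr.validator and not expr.validator(value):
                    continue
                accepted.append(value)
                total += expr.score
        return accepted, total

# 16 digits with optional single space or hyphen separators (constructed pattern).
CARD_REGEX = r"\b(?:\d[ -]?){15}\d\b"

# Constructed sample: one valid test number, one checksum failure, one documentation placeholder.
SAMPLE = (
    "Order 1001 paid with 4111 1111 1111 1111. "
    "Order 1002 lists 4111 1111 1111 1112, which fails the checksum. "
    "The vendor manual prints 4012888888881881 as a placeholder."
)

if __name__ == "__main__":
    tuned = AdvancedPattern([MatchedExpression(CARD_REGEX, 50, luhn_valid)],
                            ignored_keywords=["4012888888881881"])
    loose = AdvancedPattern([MatchedExpression(CARD_REGEX, 50)])
    print("validator + ignore list:", tuned.evaluate(SAMPLE))
    print("no validation:          ", loose.evaluate(SAMPLE))
```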

Dictionary definition page

Use this page to create or edit a dictionary definition.

Option definitions

| Category | Option | Definition |
|---|---|---|
| | Name | Enter a unique name for the definition. This field is required. |
| | Description | Optional field for additional information. |
| | Actions → Add | Opens the Add dialog box to manually add entries. |
| | Import Entries | Imports entries from a CSV file. |
| | Export Entries | Exports the definition to a CSV file. Only saved definitions can be exported. |
| | Save | Closes and saves the definition. |
| | Cancel | Closes the definition without saving changes. |
| Entries | Quick find | Text field for searching large dictionaries when editing. |
| | Phrase | The word or phrase to add to the dictionary. |
| | Score (+/-) | The score (+/-) for each entry. The total score for all entries is the threshold. Defining a score as positive or negative allows you to look for words or phrases in the presence of other words or phrases. |
| | Start with / End with | These options allow sub-string matching. Selecting both options matches whole words only. Not selecting either option matches sub-string and whole words. |
| | Case sensitive | Specifies the matching to be case-sensitive as entered. |
| | Action | Used to edit or delete entries. Not available for pre-defined dictionaries. |
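
The added example below (not McAfee code) models the Start with, End with, Case sensitive and Score options from this table together with the "Count multiple occurrences of each match string" and "Count each match string only once" choices on the Choose from existing values page. It assumes Start with anchors an entry to the beginning of a word and End with to the end of a word, and that the summed score is compared with a caller-supplied threshold; the entries, scores, threshold and text are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class Entry:
    phrase: str
    score: int
    start_with: bool = False      # assumed: phrase must begin at a word start
    end_with: bool = False        # assumed: phrase must stop at a word end
    case_sensitive: bool = False

    def regex(self):
        prefix = r"(?<!\w)" if self.start_with else ""
        suffix = r"(?!\w)" if self.end_with else ""
        flags = 0 if self.case_sensitive else re.IGNORECASE
        return re.compile(prefix + re.escape(self.phrase) + suffix, flags)

def count_matches(text, entry):
    """Number of places in the text where the entry matches under its options."""
    return len(entry.regex().findall(text))

def dictionary_score(text, entries, count_multiple=True):
    """Return (total score, {phrase: counted occurrences})."""
    total, detail = 0, {}
    for entry in entries:
        n = count_matches(text, entry)
        if n and not count_multiple:
            n = 1                 # "Count each match string only once"
        if n:
            detail[entry.phrase] = n
            total += n * entry.score
    return total, detail

def dictionary_triggers(text, entries, threshold, count_multiple=True):
    """True when the summed score reaches the (hypothetical) threshold."""
    return dictionary_score(text, entries, count_multiple)[0] >= threshold

# Constructed sample text.
SAMPLE = (
    "The patient chart lists a diagnosis. Impatient callers asked about "
    "patient billing. Two patients waited. This is a training handout."
)

# Whole-word "patient", plus a negative entry that offsets training material.
WHOLE_WORD = [
    Entry("patient", 10, start_with=True, end_with=True),
    Entry("diagnosis", 15),
    Entry("training", -30),
]
SUBSTRING = [Entry("patient", 10), Entry("diagnosis", 15), Entry("training", -30)]

if __name__ == "__main__":
    print("whole word, count multiple:", dictionary_score(SAMPLE, WHOLE_WORD))
    print("whole word, count once:    ", dictionary_score(SAMPLE, WHOLE_WORD, False))
    print("sub-string, count multiple:", dictionary_score(SAMPLE, SUBSTRING))
```

Sub-string matching also counts "Impatient" and "patients", so the same dictionary scores 25 instead of 5 on this text.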

Document Properties definition page

Use this page to create a document properties definition.

Option definitions

| Category | Option | Definition |
|---|---|---|
| | Definition Name | Replace the default definition name with a unique name for this definition. This field is required. |
| | Description | Use this field for information to identify the definition or indicate when used. This field is optional. |
| | Custom Property | Opens a dialog box that allows you to add properties not listed. Custom properties have a Value, but do not have a Comparison, that is, they can only be equal to the defined value. |
| Properties | Any property (Note: Adds a string value that matches any predefined or user-defined document property value. Useful when you don't know which properties were defined in the document, but do know a (partial) string value to match.); Author; Category; Comments; Company; Keywords (Tags); Last Saved By; Manager Name; Security; Subject; Template; Title | Click the arrow to the right of the property name (or double-click the property), select a Comparison (Equals, Contains), and type in a value. Use the plus icon to add additional values of the same property. Note: When adding multiple values, the default is to add them as Boolean OR. Click the Boolean selector if you want to add them as AND. |

File extension definition page

Use this page to create new file extension definitions.

Option definitions

| Option | Definition |
|---|---|
| Name | Replace the default definition name with a unique name for this definition. This field is required. |
| Description | Use this field for information to identify the definition or indicate when used. This field is optional. |
| Name | A generic name for the files, for example Audio files. |
| Extension | The file extension, for example MP3. Extensions are entered as uppercase. |
| Add | Adds the file name to the definition. |

File Information definition page

Use this page to create or edit a File Information definition.

Option definitions

| Category | Option | Definition |
|---|---|---|
| | Name | Replace the default definition name with a unique name for this definition. This field is required. |
| | Description | Use this field for information to identify the definition or indicate when used. This field is optional. |
| Available Properties | Date Accessed (UTC); Date Created (UTC); Date Modified (UTC); File Extension; File Name; File Owner; File Size | Click the arrow to the right of the property name (or double-click the property), select a Comparison, and type in a value. Use the plus icon to add additional values of the same property. Note: When adding multiple values, the default is to add them as Boolean OR. Click the Boolean selector if you want to add them as AND. |

True File Type definition page

Use this page to view True File Type definitions and usage. True File Type definitions identify files even if the suffix has been
changed in an attempt to hide the content. This page has no user-definable definitions.

Definitions: Source/Destination

Application Template page

This page contains a list of existing application definitions. Use this page to edit or create an application definition, or view a list
of rules that use a specific application definition.

Note

This page is applicable only to McAfee DLP Endpoint.

Option definitions

| Option | Definition |
|---|---|
| Edit | Opens the definition for editing. This option appears for user-defined definitions only. |
| Delete | Deletes the definition. This option appears for user-defined definitions only. Definitions currently in use cannot be deleted. To delete a definition, first remove it from all rules. |
| Duplicate | Use this option to customize built-in definitions or create different versions of user-defined definitions. |
| Usage | Displays a list of all rules that use the definition. |
| View | Opens the definition for viewing. This option applies to built-in definitions only. |
| Actions → New | Opens the New Application page to create a user-defined definition. |

End-User Group definition page

Use this page to create or edit an End-User Group definition.

Option definitions

| Option | Definition |
|---|---|
| Name | Replace the default definition name with a unique name. This field is required. |
| Description | Use this field for information to identify the definition or indicate when used. This field is optional. |
| LDAP Object Identification | Selects the method of LDAP identification. |
| Add Users | Opens the Active Directory search page for users. |
| Add Groups | Opens the Active Directory search page for groups. |
| Add OU | Opens the Active Directory search page for Organizational Units. |

Network Share definition page

Use this page to create or edit a Network Share definition.

Option definitions

| Option | Definition |
|---|---|
| Name | Replace the default definition name with a unique name. This field is required. |
| Description | Use this field for information to identify the definition or indicate when used. This field is optional. |
| Network Shared Folders | Shared folder in UNC format. The server name can be either a host name or IP address. Use Include and Exclude to create granular definitions. |

URL List definition page

Use this page to create URL List definitions.

Option definitions

| Category | Option | Definition |
|---|---|---|
| | Name | Enter a unique name for the definition. This field is required. |
| | Description | Optional field for additional information. |
| | Import Entries | Imports entries from a CSV file. |
| | Export Entries | Exports the definition to a CSV file. Only saved definitions can be exported. |
| | Save | Closes and saves the definition. |
| | Cancel | Closes the definition without saving changes. |
| URL List | Protocol | Text box for adding a protocol such as https. |
| | Host | Text box for adding a host name or IPv4 address. |
| | Port | Text box for adding a port. |
| | Path | (Optional) Text box for adding a path. |
| | Query String | (Advanced) The query string is a list of parameters and values separated by "&" symbols. It begins after the first "?" and goes to the end of the address. |
| Paste URL | Parse | A text field for pasting a URL from a browser. Clicking Parse adds the text to the appropriate Protocol, Host, Port, and Path fields. Select the check box to include a query string. |

Classification tester page


Use this page to test classifications by checking if a phrase or file triggers the classifications.

Option definitions

| Category | Option | Definition |
|---|---|---|
| Classifications List | Select classifications for testing. | Lists all your classifications, including built-in and customized. Use the search box to search for classifications from the list. Use the expand button to view the classifications in groups and select classifications by clicking the checkboxes. |
| Test Data | Select a file, or enter text to test your classifications. | Options for adding text. Browse: when this option is selected, the browse button is enabled, and you can browse your network to upload a file. Maximum file size for upload is 50 MB. Plain Text: when this option is selected, you can enter text manually. Note: The Plain Text field has a limit of 1024 characters. If the text containing sensitive content appears beyond this limit, the text gets truncated and the classification doesn't show any match. |
| | Run test. | Time-out test after: use the menu to select the amount of time the classification tester attempts to provide results. Start Test: starts testing the selected classifications and text. |
| Test Results | | Displays the results of the classification test. |

DLP Capture

Search List

The DLP Capture Search List manages the searches and their settings.

Option definitions

| Category | Option | Definition |
|---|---|---|
| Menu bar | Filter | Drop-down list to select the display filter. Use Edit to create a filter. The available properties vary according to the Search setting. The filter can alternately be applied and switched off during the current session. Use Save to use a filter between sessions. |
| | Group By | Drop-down list to organize the data display. Options are None, Status, and Type. |
| Search display area | Search List | Displays details about searches, their results, and their status based on the current selections. Select a search to run, duplicate, cancel, or delete it. Select the name of the search to view or edit its settings. Select the appliances link to see details of the appliances that were searched and their health status. From here, you can link to the Appliance Management feature. Select the results link to get information about any search results. |
| Actions | Cancel Search | Cancels the selected search without saving it. |
| | Delete Search | Deletes the selected search. Important: Deleting the search deletes the search results and all related evidence from the evidence server. |
| | Duplicate Search | Duplicates the search to facilitate creation of modified searches. |
| | Export Results Summary | Creates a zip file that contains a summary and detailed information about the selected search and its results. |
| | New Forensic Investigation | Creates a new forensic investigation search. |
| | New Rule Tuning | Email Protection: builds new email protection rule searches for testing. Network Communication Protection: builds new network communication rule searches for testing (McAfee DLP Monitor only). Web Protection: builds new web protection rule searches for testing. |
| | Run Search | Select a search and have it run immediately. |
| | Save as Rule | Select a rule tuning search to use it to create a new rule, or save it as an existing rule. |
| Duplicate Search | | Select a search to create a copy of it for editing. |

Forensic investigation

Create a forensic investigation search to investigate captured events for file names, keywords, or end-user names.

Note

* indicates a required field. It is possible to create a forensic investigation search without specifying additional criteria, but it
will analyze every item in the dataset.

Option definitions

| Category | Option | Definition |
|---|---|---|
| Search options | Name * | Enter a unique name for the scan. This field is required. |
| | Description | Optional field for adding additional information about the search. |
| | Dataset * | Click to select a dataset from an existing list or create a new one. The number of appliances and an approximate number of captured events that might be searched as part of this dataset is shown. The number of captured events is taken from the appliance in the dataset that has the most events to search. Click Refresh to re-evaluate the number of events that might be searched. You can edit the dataset if the number is too large, and re-evaluate it until the number is acceptable. |
| | Max Results to Report | Select the maximum number of results to display in the Search Results list for each appliance. Default: 100 |
| | stop search when max results reached | Select this box to stop the search when the number set in Max Results to Report is reached for each appliance. When this option is deselected, the search continues and saves all results in the detailed results report. |
| | Results: Store original files as evidence | Creates evidence files from any positive results. Deselect this option to avoid storage and performance implications. |
| Condition | End-User | Click to select users from an LDAP server. |
| | File Name | Enter the file name in the text box. |
| | Search Term | Select a language from the drop-down list, then enter the search term in the text box. Click to add additional search terms. Select exact match to match the term, or deselect to search for related terms. |
| Save & Run | | Select this option to run the search immediately. The search is added to the list of searches. |
| Save | | Select this option to save the search definition and run later. The search is added to the list of searches. |
| Cancel | | Cancels the search definition without saving. |

Rule tuning - email protection

Create an email protection rule search to edit a rule's settings until you get the desired results, without affecting active data
analysis.
Option definitions

| Category | Option | Definition |
|---|---|---|
| Rule options | Name * | Enter a unique name for the search. |
| | Description | Optional field for adding additional information about the search. |
| | Data Set * | Click to create a data set or select from existing data sets. Shows the number of appliances and an approximate number of captured events that might be searched as part of this dataset. The number of captured events is taken from the appliance in the dataset that has the most events to search. Click Refresh to re-evaluate the number of events that might be searched. You can edit the dataset if the number is too large, and re-evaluate it until the number is acceptable. |
| | Max Results to Report | Select the maximum number of results to display in the Search Results list for each appliance. Default: 100 |
| | stop search when max results reached | Select this box to stop the search when the number set in Max Results to Report is reached for each appliance. When this option is deselected, the search continues and saves all results in the detailed results report. |
| | Results: Store original files as evidence | Creates evidence files from any positive results. Deselect this option to avoid storage and performance implications. |
| Condition tab / Exceptions tab | Actions (Exceptions tab only) | Adds or deletes a search exception. |
| | Name * (Exceptions tab only) | Enter a unique name for the exception. |
| | Description (Exceptions tab only) | Optional descriptive text. |
| | State (Exceptions tab only) | Select Enabled or Disabled from the drop-down list. The exception state is independent from the state of the rule that triggered the search. |
| | Classification | Select an operator and content classification from the drop-down lists. When required, click to select a predefined classification. |
| | Sender | Select a user list source. When required, click to select a user from a list. |
| | Email Envelope | Select an envelope type from the drop-down list. |
| | Recipient List includes | Select a recipient source. When required, click to select an email address list. |
| Save & Run | | Select this option to run immediately. The search is added to the list of searches. |
| Save | | Select this option to save and run later. The search is added to the list of searches. |
| Cancel | | Cancels the search without saving. |

* indicates a required field

Rule tuning - network communication protection

Create a network protection rule search to edit a rule's settings until you get the desired results, without affecting active data
analysis.

Option definitions

| Category | Option | Definition |
|---|---|---|
| Rule options | Name * | Enter a unique name for the search. |
| | Description | Optional field for adding additional information about the search. |
| | Dataset * | Click to create a data set or select from existing data sets. Shows the number of appliances and an approximate number of captured events that might be searched as part of this dataset. The number of captured events is taken from the appliance in the dataset that has the most events to search. Click Refresh to re-evaluate the number of events that might be searched. You can edit the dataset if the number is too large, and re-evaluate it until the number is acceptable. |
| | Max Results to Report | Select the maximum number of results to display in the Search Results list for each appliance. Default: 100 |
| | stop search when max results reached | Select this box to stop the search when the number set in Max Results to Report is reached for each appliance. When this option is deselected, the search continues and saves all results in the detailed results report. |
| | Results: Store original files as evidence | Creates evidence files from any positive results. Deselect this option to avoid storage and performance implications. |
| Condition tab / Exceptions tab | Actions (Exceptions tab only) | Adds or deletes a search exception. |
| | Name * (Exceptions tab only) | Enter a unique name for the exception. |
| | Description (Exceptions tab only) | Optional descriptive text. |
| | State (Exceptions tab only) | Select Enabled or Disabled from the drop-down list. The exception state is independent from the state of the rule that triggered the search. |
| | Classification (Conditions tab only) | Select an operator and content classification from the drop-down lists. When required, click to select a predefined classification. |
| | Network Data Flow | Select the From (or Between) and To network addresses from the drop-down lists. |
| | Protocol Identifier | Click to select a protocol identifier definition. |
| Save & Run | | Select this option to run immediately. The search is added to the list of searches. |
| Save | | Select this option to save and run later. The search is added to the list of searches. |
| Cancel | | Cancels the search without saving. |

* indicates a required field

Rule tuning — web protection

Create a web protection rule search to edit a rule's settings until you get the desired results, without affecting active data
analysis.

Option definitions

| Category | Option | Definition |
|---|---|---|
| Rule options | Name * | Enter a unique name for the search. |
| | Description | Optional field for adding additional information about the search. |
| | Data Set * | Click to create a data set or select from existing data sets. Shows the number of appliances and an approximate number of captured events that might be searched as part of this dataset. The number of captured events is taken from the appliance in the dataset that has the most events to search. Click Refresh to re-evaluate the number of events that might be searched. You can refine the dataset if the number is too large, and re-evaluate it until you get an acceptable number. |
| | Max Results to Report | Select the maximum number of results to display in the Search Results list for each appliance. Default: 100 |
| | stop search when max results reached | Select this box to stop the search when the number set in Max Results to Report is reached for each appliance. When this option is deselected, the search continues and saves all results in the detailed results report. |
| | Results: Store original files as evidence | Creates evidence files from any positive results. Deselect this option to avoid storage and performance implications. |
| Condition tab / Exceptions tab | Actions (Exceptions tab only) | Adds or deletes a search exception. |
| | Name * (Exceptions tab only) | Enter a unique name for the exception. |
| | Description (Exceptions tab only) | Optional descriptive text. |
| | State (Exceptions tab only) | Select Enabled or Disabled from the drop-down list. The exception state is independent from the state of the rule that triggered the search. |
| | Classification | Select an operator and content classification from the drop-down lists. When required, click to select a predefined classification. |
| | End-User | Select a user list source from the drop-down list. When required, click to select a user from a list. |
| | Web address (URL) | Select a web address operator. When required, click to select a web address list. |
| | Upload type | Select the upload type from the drop-down list. |
| Save & Run | | Select this option to run immediately. The search is added to the list of searches. |
| Save | | Select this option to save and run later. The search is added to the list of searches. |
| Cancel | | Cancels the search without saving. |

* indicates a required field

Search Results
View high-level information about search results.

Option definitions

Option Definition

Menu bar Search Drop-down list to select a search for display.

View Drop-down list to display the view. Use Edit to create a view. The view can alternately be applied and switched off during the current session. Use Delete to remove a view. Use Save to use a view between sessions.

Filter Drop-down list to select the display filter. Use Edit to create a filter. The available properties vary according to the Search setting. The filter can alternately be applied and switched off during the current session. Use Delete to remove a filter. Use Save to use a filter between sessions.

Group by Drop-down list to organize the data display.

Search results display area Search results Displays search results based on the current selections. Select the search ID link to get more information about the search results.

Select all in this page Selects all items displayed on the page.

Select all in all pages Selects all items displayed on all pages.

Go to page Specifies which page of the results list to display.

Arrow buttons Click to browse through pages.

Actions Create Incident Creates an incident from the selected result and adds it to the DLP Incident Manager.

Export selected results Select whether to include any evidence and match strings that are associated with the result in the export file. You can also specify where you want to store the file and whether an email notification should be sent when the export task is complete.

Case Management Choose whether to add the selected result to a new or existing case.

Search results details

This page displays detailed information for the selected search result.

Note

The option definition table displays only those items with a user action.

Option definitions

Section or tab Option Definition

Previous / Next Navigation buttons to select other detail pages.

Save This button is disabled.

OK Exits the page.

General Details No actionable information NA

Endpoint Details Click the User Logon Name link to view more detail.

Reporting product Details about the appliance that reported the incident.

Additional Information Incident Triggered Click the link to view the DLP Capture incident that was triggered by McAfee DLP Prevent or McAfee DLP Monitor.

Incident Created Click the link to go to the incident you created from the search result. This information becomes available when you choose to create an incident from the result.

Tabs Evidence Click the link to view the evidence file in an appropriate program. Click the Total match count link to view matched strings.

Classifications Click the link to view the classification details.

Actions Create Incident Adds an incident to the DLP Incident Manager.

Case Management Choose whether to add the result to a new or existing case.

Datasets
Use this page to create, edit, duplicate, or delete data sets.

Option definitions

Category Option Definition

Menu bar Show built-in Datasets Checkbox to display or hide data sets that are integral to the DLP Capture feature.

Data set display area Shows the number of appliances and an approximate number of captured events that will be searched, when the data was evaluated, and when (if) the dataset was modified. You can edit, duplicate, or delete each selected dataset.

Actions Delete Dataset Removes selected datasets from the search list. You will not be allowed to delete a dataset that is used by a search.

Duplicate Dataset Duplicates the selected dataset.

New Dataset Opens the data set page to create a dataset.

Create or edit datasets

Use this page to create or edit a dataset.

Option definitions

Option Definition

Data Set Name Enter a unique name for the dataset.

Description Optional field for adding additional information about the dataset.

Captured Events Shows the number of appliances and an approximate number of captured events that will be searched. The number of captured events is taken from the appliance in the dataset that has the most events to search. Click Refresh to re-evaluate the number of captured events.

Available properties Select required properties and add a comparison and a value.

Save Saves the dataset and evaluates the number of appliances and captured events that will be searched.

Cancel Exits the page without saving.

DLP Discover
Discover Servers page
Use this page to detect Discover servers and to view information on servers in the network.

The Discover Servers page displays information on Discover servers in the network. You can filter the display by selecting
limiting values for one or more parameters with the filter Edit control. You can reuse unsaved filters throughout the work
session, or Save the filter for future use as either a public or private filter.

Filter definitions

Option Definition

Filter Drop-down list of saved filters. If no filter has been defined, it displays no custom filter. If a filter has been defined but not saved, it displays unsaved.

Edit Opens the McAfee ePO Edit Filter Criteria page. Select from the available properties list, and click Update Filter.

Delete Deletes the currently displayed filter.

Save Saves an unsaved filter. If you have changed a filter definition, you can select Override existing filter to save the changes.

Actions definitions

Option Definition

Detect Servers Updates the server list. You can also perform this
task with Detect Discovery Servers from McAfee
ePO: Menu → Automation → Server Tasks.

Remove Deletes the selected server from the list.

Set system name Sets the optional System Name of the selected
computer.

Discovery definitions
Definitions page (McAfee DLP Discover)

Use this page to create definitions for McAfee DLP Discover scan operations.
Option definitions

Option Definition

Show built-in definitions When selected, displays the predefined definitions.

Actions New Creates a definition of the type selected in the left pane.
For File Server and SharePoint only:
• Export Exports repositories and credentials to an XML file.
• Import Imports repositories and credentials from an XML file.

Edit Opens the definition for editing. This option applies to user-defined definitions only.

Delete Deletes the definition. This option applies to user-defined definitions only. Definitions currently in use cannot be deleted. To delete a definition, first remove it from all rules.

Duplicate Duplicates the definition.

Usage Displays all places where the definition is used.

View Opens the definition for viewing. This option applies to built-in definitions only.

Credentials definition page

Use this page to define user credentials.

Option definitions

Option Definition

Name Replace the default name with a unique name for this definition. This field is required.

Description Use this field for information to describe the definition or indicate when it is used. This field is optional.

Domain name This field is required for all repository types except Database. Leave this field blank when creating a database credential definition.

User name All of these fields are required.

Password

Confirm password

Test Credential Tests the definition by attempting to reach the AD server. This option becomes available when you have filled in all required fields. You must have DNS resolution for the target domain.

Note: This action is not available for database credential definitions. Database credentials are tested in database repository definition.

Scheduler page

The Scheduler stores schedules for running McAfee DLP Discover and endpoint discovery scans.

The options available depend on the Schedule type selected. Table 1 shows the options that apply to all schedule types.

Table 1

Option Description

Name Replace the default name Scheduler with a unique name. This field is required.

Suspend time Scans can be suspended to prevent them from interfering with work schedules. You can set a different suspension time for each day of the week.

Table 2 describes the additional options for all schedule types other than Run immediately.

Table 2

Option Description

Time Zone Start and stop times can be according to the local time on the server platform or UTC, that is, simultaneously across the entire enterprise.

Start Time Sets the start of the scan.

Effective period Sets the start date for scans run once; sets start and
end dates for all other schedule types.

Table 3 describes the Schedule type options for different types


Table 3

Schedule type Description

Run immediately and Once No options, other than setting the schedule type.

Options Runs a task that has been missed. Not available for
Run immediately.

Daily You can set a frequency for scans of 1–30 days. The
scan repeats every x days within the specified period.

Weekly You can set a frequency for scans of 1–52 weeks. You
can also select the day of the week the scan runs.

Monthly You can set either the numerical day of the month
for the scan or a specific day of the month (first
Sunday, third Tuesday). You can also skip specific
months by selecting the monthly checkboxes.

SSL Certificate definition page

Use this page to define an SSL certificate definition.

Option definitions

Option Definition

Name Replace the default name with a unique name for this definition. This field is required.

Description Use this field for information to describe the definition or indicate when it is used. This field is optional.

Certificate File Click Load File to browse for certificate files.

Scan Operations page


Use this page to configure a scan, or to view existing configured scans.

This page displays information on configured scans, such as the scan names, the number of files scanned, and the time that
scans were run. You can choose which parameters are displayed, and the order in which they are displayed, by selecting
Actions → Choose Columns. You can filter the display by selecting limiting values for one or more parameters with
the filter Edit control. You can reuse unsaved filters throughout the work session, or Save the filter for future use as either a
public or private filter.

Click Apply Policy to apply the settings to the McAfee DLP Discover servers.

Filter definitions

Option Definition

View Drop-down list of saved views. If no view has been defined, it displays Default. If a view has been defined but not saved, it displays unsaved. Duplicates the Actions → Choose Columns command, but allows you to save multiple views.

Filter Drop-down list of saved filters. If no filter has been defined, it displays no custom filter. If a filter has been defined but not saved, it displays unsaved.

Edit (filter) Opens the McAfee ePO Edit Filter Criteria page. Select from the available properties list, and click Update Filter.

Edit (view) See Actions → Choose Columns.

Delete Deletes the currently displayed filter.

Save Saves an unsaved filter. If you have changed a filter definition, you can select Override existing filter to save the changes.

Action definitions

Option Definition

Choose Columns This standard McAfee ePO option allows you to customize the Scan Operations page display.

Clone Scan Opens the Edit Scan page with the information of the selected scan. Edit as required. Change the name to save the cloned scan.

Delete Scan Removes the selected scan from the list.

Edit Scan Opens the selected scan configuration for editing.

Synchronize Data Updates the table with the current McAfee Agent properties.

New Scan Creates a scan configuration.

Change State Use this option to enable or disable configured scans.

Scan operations - New scan page

Use this page to configure a scan.

All discovery scans are configured in a similar manner. The scan options are selected in the upper Scan Details pane. The lower
pane has multiple tabs for new scans.

We recommend creating schedule, repository, filter, and rule set definitions before configuring scans. If repositories require
credentials for access, create the necessary credentials definitions as well.

Option definitions

Option Definition

Name Enter a unique name for the scan. This field is required.

Scan Type Select an option from the drop-down list.

Discovery Server Select an entry from the selection window. This field is required.

Note: Only one server can be selected per scan.

Scheduler Select an entry from the selection window. This field is required.

Throttling Limits the bandwidth of the scan. When the checkbox is selected, you can change the default value.

Files List (All scan types except Database) Select this option if you want to display Data Inventory information. If you deselect this option, you can view the counters on the Data Analytics page, but cannot expand them to display the detailed information. For large repositories, we recommend using this option with filters to limit the impact on the McAfee ePO database.

Tables Information (Database scans only) Checkbox to store the database table information in Data Inventory.

Incident Handling (Remediation scans only) Use the drop-down list to set the maximum number of incidents to report per scan. Select the checkbox to close the scan if a threshold is exceeded. Range: 100-100,000

Note: For Inventory and Classification scans, the field is displayed but can't be edited.

Report Incident per Record (Database scans only) Drop-down list to report the maximum number of incidents per DB table. The default is Do not report incidents. You can only edit the drop-down list for remediation scans - inventory and classification scans report by table.

Signatures (Registration scans only) Use the drop-down list to set the maximum number of signatures to report per scan. Range: 100.000-100,000,000

Note: The approximate RAM required is displayed for the selected value.

Error Handling Use the drop-down list to set the maximum errors to report per scan. Select the checkbox to close the scan if a threshold is exceeded. Range: 100-100,000

Tab options

Tabs

Tab Scan type Definition

Repositories All scan types Displays the selected Repository definitions.

Filters Database scans (classification and remediation scans only) Limits the number of records to scan per table.

All other scan types Displays the selected File Information definitions (dates, file extension, name, owner, and size) that are used to define the files included or excluded.

History All scans that have run. Does not appear when creating a New Scan definition. Displays the scan history information.

Classifications Classification scans only Displays the selected Classification definitions applied to the scan.

Rules Remediation scans only Displays the selected Rule Sets applied to the scan.

Fingerprint Criteria Registration scans only Displays the fingerprint criteria and the network share and type (dictionary, keyword, and so forth) for each.

Actions definitions

Option Definition

Select Classifications Appears only for Scan Type: Classification. Opens the
Choose from existing values window for selecting
Classification definitions.

Select Filters Opens the Choose from existing values window for
selecting File Information definitions.

Note: This option affects the crawler scan, not just the display. Use this option to improve scan efficiency when you don't want to scan the entire repository.

Select Repositories Opens the Choose from existing values window for selecting Repository definitions.

Note: Only repository definitions matching the scan type are displayed.

Select Rule Sets Appears only for Scan Type: Remediation. Opens
the Choose from existing values window for
selecting Rule Set definitions.

Select Server page


Use this page to select the Discover server for a scan.

Option definitions

Option Definition

Server list Select the Discover server for the scan.

OK Retains your changes and closes the window.

Cancel Discards your changes and closes the window.

Box repository page


Use this page to define a Box repository.

Option definitions

Option Definition

Name Replace the default category name with a unique name for this category. This field is required.

Description Optional text box for additional information.

Type This field is filled in automatically. Verify that you have selected the correct type of repository for your requirements.

Host Name Displays the host name of the repository. This field is blank if the token has not been retrieved.

Credentials
• Box website link — You can use this link to define the Discover server application and to get the client ID and secret.
• Client ID — Specifies the client ID.
• Client Secret — Specifies the client secret.
• Get Token — Opens a page to Box to retrieve the token.

Note: The Discover server automatically refreshes the token during the next scan. If the token expires, you must use Get Token to retrieve a new one.

Accounts Specifies whether to scan all user accounts or specific user accounts.

Save Saves your changes.

Cancel Discards your changes.

File Server repository page


Use this page to create an SMB/CIFS or NFS repository definition.

Repository definitions can contain both included and excluded repositories.

Option definitions

Option Definition

Name Replace the default category name with a unique name for this category. This field is required.

Type Drop-down list to select CIFS or NFS repository. Default: SMB/CIFS

Credentials Select an entry from the drop-down list, or click New to create a definition.

File Access Permissions Select Inspect file content only if user has write attributes permission if you need to restore last access time. If restoring last access time is not important, select Always inspect file content.

Advanced Options Administrative shares When selected, administrative shares on the file server are scanned.

Reparse Points When selected, NTFS reparse points are scanned.

Include Prefix Type The acceptable types are UNC or IP address range.

Prefix Text box for entering the path.

Regular expression Text box for defining a path that fits a pattern.

Add Click to add the definition to the Include list.

Exclude Type Choose from Path starts with or Path regular expression.

Definitions Text box for entering the path type description (partial path or regular expression).

Add Click to add the definition to the Exclude list.

Database repository definition page


Use this page to define a database repository.

Option definitions

Option Definition

Name Replace the default name with a unique name for this repository. This field is required.

Description Optional text box for additional information.

Type The type Database is filled in automatically. Select the type of database from the drop-down list.

Connection Details The Port definition is added automatically, but can be edited. All three fields are required.

Credentials Select a credential definition from the drop-down list.

SSL certificate Select or create a certificate, or specify any certificate or none.

Filter Use Actions → Add Filter to create a new filter. Filters can define included or excluded databases, schemas, or tables.

SharePoint repository page


Use this page to define a SharePoint repository.

Repository definitions can contain both included and excluded repositories. You can use the Exclude section to exclude specific
directories of the SharePoint defined in the Include section, as well as excluding other shares.

Option definitions

Option Definition

Name Replace the default category name with a unique name for this category. This field is required.

Type This field is filled in automatically. Verify that you have selected the correct type of repository for your requirements.

Credentials Select an entry from the drop-down list, or click New to create a new definition.

Include Do one of the following:
• Select SharePoint server and type the URL in the text box
• Select Sites list and enter the URLs one at a time using the text box.
The section allows for specifying multiple URLs.

Exclude Enter a site or sub-site URL in the text box.

Add Add the definition to the list.

Choose from existing values page (Scan scheduler)


Use this page to select a scheduler definition for a scan.

Option definitions

Option Definition

Filter items Specifies a string filter. For example, entering Discovery displays only the items containing Discovery in the title.

GO Activates the definition in the Filter items field.

Name list Displays schedulers based on the current filter.

Edit Edits the selected scheduler definition.

New Item Creates a scheduler definition.

OK Retains your changes and closes the window.

Cancel Discards your changes and closes the window.

Choose from existing values page (Scan repositories)


Use this page to select repositories for a scan.

Option definitions

Option Definition

Filter items Specifies a string filter. For example, entering Discovery displays only the items containing Discovery in the title.

GO Activates the definition in the Filter items field.

Show selected items only When selected, limits the display to selected items.

Repositories list Displays repositories based on the current filter.

Credentials Specifies the credentials for the repository.

Edit Edits the selected repository definition.

New Credentials Creates a credentials definition.

New Repository Creates a repository definition.

OK Retains your changes and closes the window.

Cancel Discards your changes and closes the window.

Choose from existing values page (Scan filters)


Use this page to select filters for a scan.

Filters apply File Information definitions to limit the scan by properties such as file size, date, or extension.

Option definitions

Option Definition

Filter items Specifies a string filter. For example, entering Discovery displays only the items containing Discovery in the title.

GO Activates the definition in the Filter items field.

Show selected items only When selected, limits the display to selected items.

Filters list Displays classifications based on the current filter.

Include/Exclude Specifies if the selected definition is used to include or exclude files for a scan.

Edit Edits the selected definition.

New Item Opens the File Information definition page to create a filter.

OK Retains your changes and closes the window.

Cancel Discards your changes and closes the window.

Choose classifications page


Use this page to select the classifications to use in a classification scan.

Option definitions

Option Definition

Filter items Specifies a string filter. For example, entering Discovery displays only the items containing Discovery in the title.

GO Activates the definition in the Filter items field.

Show selected items only When selected, limits the display to selected items.

Name list Displays classifications based on the current filter.

New Classification Enter a name for a new classification.

Add Adds a classification using the specified name.

OK Retains your changes and closes the window.

Cancel Discards your changes and closes the window.

Choose from existing values page (Scan rule sets)


Use this page to select the rule sets to use in a remediation scan.

Option definitions

Option Definition

Filter items Specifies a string filter. For example, entering Discovery displays only the items containing Discovery in the title.

GO Activates the definition in the Filter items field.

Show selected items only When selected, limits the display to selected items.

Rule Set list Displays rule sets based on the current filter.

Rules list Displays the number of McAfee DLP Discover rules in the rule set.

OK Retains your changes and closes the window.

Cancel Discards your changes and closes the window.

DLP Policy Manager


DLP Policy Manager Definitions page
Use this page to create definitions for DLP Policy Manager rules.

Definitions in the following categories are listed in the left pane:

• Data
• Device Control
• Notification
• Other
• Source/Destination
• Repositories

Option definitions

Option Definition

Show built-in definitions When selected, displays the predefined definitions.

Edit Opens the definition for editing. This option applies to user-defined definitions only.

View Opens the definition for viewing the details. This option applies to built-in definitions only.

Delete Deletes the definition. This option applies to user-defined definitions only. Definitions currently in use cannot be deleted. To delete a definition, first remove it from all rules.

Duplicate Creates a duplicate of the definition. Built-in definitions must be duplicated before they can be edited.

Usage Displays a list of all rules that use the definition.

Actions → New (for all definitions except Device Templates) Creates a definition of the type selected in the left pane.

Actions (for Device Templates) Options are:
• Import from CSV — Creates a template definition by importing the data.
• New — Creates a device item template of the type selected.
• New Group — Creates a device group template of the type selected.
Templates for items or groups can be one of the following types:
• Fixed hard drive
• Plug and Play
• Removable storage
• Whitelisted Plug and Play

Data definitions

File extension definition page

Use this page to create new file extension definitions.


Option definitions

Option Definition

Name Replace the default definition name with a unique name for this definition. This field is required.

Description Use this field for information to identify the definition or indicate when used. This field is optional.

Name A generic name for the files, for example Audio files.

Extension The file extension, for example MP3. Extensions are entered as uppercase.

Add Adds the file name to the definition.

Device control definitions

Device Class definition page

Use this page to create or edit a device class definition.

Option definitions

Option Definition

Name Replace the default name with a unique name for the device description. This field is required.

Description Optional text box for additional information.

Device GUID Text box for adding a GUID.

Note: GUIDs must be unique, and must be entered in the correct format.

Type Predefined as User Defined Device Class

Status Default is Managed. In most cases, accept the default setting.

Filter Type Upper or lower. Most devices use the upper filter.

Device Templates page

This page contains a list of existing device definitions. Use this page to create, edit, or delete a device definition, or view a list of
rules that use a device definition.

Option definitions

Category Option Definition

Options Edit Opens the definition for editing.

Delete Deletes the definition. Definitions currently in use cannot be deleted. To delete a definition, first remove it from all classifications.

Duplicate Duplicates the definition. Use this option as a shortcut to creating variations of a standard definition.

Usage Displays a list of all rules that use the definition.

Actions → Import from CSV Fixed Hard Drive Templates, Plug and Play Device Templates, Removable Storage Device Templates, Whitelisted Plug and Play Device Templates Opens the Import window for browsing and selecting files to import.

Actions → New Fixed Hard Drive Template Opens the configuration page displaying properties for defining a fixed hard drive device.

Plug and Play Device Template Opens the configuration page displaying properties for defining a plug and play device.

Removable Storage Device Template Opens the configuration page displaying properties for defining a removable storage device.

Whitelisted Plug and Play Device Template Opens the configuration page displaying properties for defining a whitelisted plug and play device.

Actions → New Group Fixed Hard Drive Group Opens a configuration page for adding fixed hard drive device definitions to a group.

Plug and Play Device Group Opens a configuration page for adding plug-and-play device definitions to a group.

Removable Storage Device Group Opens a configuration page for adding removable storage device definitions to a group.

Serial Number & End User Pair page

Use this page to create device serial number - end-user pair definitions. The definitions are used in removable storage and Plug
and Play device rules to define exceptions for specific devices used by specified users. Not supported on McAfee DLP Endpoint
for Mac.
Option definitions

| Category | Option | Definition |
|---|---|---|
| | Name | Enter a unique name for the definition. This field is required. |
| | Description | Optional field for additional information. |
| | Import Entries | Imports entries from a CSV file. |
| | Export Entries | Exports the definition to a CSV file. Only saved definitions can be exported. |
| | Save | Closes and saves the definition. |
| | Cancel | Closes the definition without saving changes. |
| Entries | Device Serial Number | Text box for adding the serial number. A serial number is a unique alphanumeric string assigned by the device manufacturer. It is the last part of the Instance ID. A valid serial number must have a minimum of 5 alphanumeric characters and must not contain ampersands (&). |
| | User Type | Specifies the format of the end-user entry. |
| | End-User | For User Type → Everyone, leave this field blank. For User Type → user@fqdn, the format is user@name.domain. |
| | Description | Optional field for additional information. |
| | Actions | Adds the entry to the definition. |
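A pre-import check for the entries described above, as an added example (not McAfee code): it takes the last backslash-separated part of a device Instance ID as the serial number and applies the rules stated in the table (at least 5 alphanumeric characters, no ampersand, and the user@name.domain form for User Type → user@fqdn). The CSV column order, the function names and the sample rows are assumptions made for illustration; the product's actual CSV layout is not shown on this page.

```python
import csv
import io
import re

# Assumed column order, for illustration only: the guide does not show the CSV layout.
COLUMNS = ("serial", "user_type", "end_user", "description")

# user@name.domain: a user part, "@", then two or more dot-separated labels.
USER_AT_FQDN = re.compile(r"^[^@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Constructed sample rows (not real devices or users).
SAMPLE_CSV = """\
4C530001230915117394,user@fqdn,alice@corp.example.com,Encrypted stick
7&2A9F3B1C&0,Everyone,,Last part contains ampersands
AB12,user@fqdn,bob@corp.example.com,Too short
USB\\VID_0781&PID_5581\\4C531001550823104215,Everyone,,Whole Instance ID pasted
00A1B2C3D4,Everyone,carol@corp.example.com,End-User should be blank
00A1B2C3D5,user@fqdn,dave,Missing domain
"""


def serial_from_instance_id(instance_id):
    """Return the last backslash-separated part of a device Instance ID."""
    return instance_id.strip().rsplit("\\", 1)[-1]


def serial_problems(serial):
    """Apply the two serial-number rules from the Entries table."""
    problems = []
    if "&" in serial:
        problems.append("contains '&'")
    if sum(ch.isascii() and ch.isalnum() for ch in serial) < 5:
        problems.append("fewer than 5 alphanumeric characters")
    return problems


def entry_problems(row):
    """Check one entry: serial number first, then End-User against User Type."""
    problems = []
    serial = row["serial"].strip()
    if "\\" in serial:
        # A whole Instance ID was pasted; only its last part is the serial number.
        serial = serial_from_instance_id(serial)
        problems.append("full Instance ID given; last part is %r" % serial)
    problems += serial_problems(serial)

    user_type = row["user_type"].strip().lower()
    end_user = row["end_user"].strip()
    if user_type == "everyone":
        if end_user:
            problems.append("End-User must be blank for User Type Everyone")
    elif user_type == "user@fqdn":
        if not USER_AT_FQDN.match(end_user):
            problems.append("End-User is not in user@name.domain form")
    # Other User Type values are not described on this page, so they are not checked.
    return problems


def check_csv(text):
    """Map 1-based row number to its list of problems; clean rows are omitted."""
    report = {}
    reader = csv.DictReader(io.StringIO(text), fieldnames=COLUMNS)
    for number, row in enumerate(reader, start=1):
        # Short rows leave missing columns as None; treat them as empty.
        row = {name: (row.get(name) or "") for name in COLUMNS}
        problems = entry_problems(row)
        if problems:
            report[number] = problems
    return report


if __name__ == "__main__":
    for number, problems in check_csv(SAMPLE_CSV).items():
        print("row %d: %s" % (number, "; ".join(problems)))
```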

Notification definitions

Justification definition page

Use this page to create or edit a business justification definition.

Option definitions

| Option | Definition |
|---|---|
| Catalog Name | Displays the name of the catalog being edited. |
| Name | Replace the default definition name with a unique name. This field is required. |
| Description | Use this field for information to identify the definition or indicate when used. This field is optional. |
| Locale Actions | Used to add or delete locales. The default locale cannot be deleted. |

Locale definitions

| Option | Definition |
|---|---|
| Default Locale | Locale used if endpoint locale is not available. Any defined locale can be set as default. |
| Dialog Title | Text box for entering a title. This field is optional. |
| Justification Overview | Text box for defining the justification. This field is required. |
| Show Match Strings | Checkbox to link to the content triggering the incident. |
| More Info | Checkbox to link to a webpage. If you check the box, the URL text box is a required field. |
| Left Button | Text label for the button. Maximum label length is 10 characters. This field is required. |
| Middle Button | Text label for the button. Maximum label length is 10 characters. This field is required, unless you hide the button. |
| Right Button | Text label for the button. Maximum label length is 10 characters. This field is required, unless you hide the button. |
| Must select Justification option | Checkbox to require the user to select an option with the button. Typically, this checkbox is selected when the label is No Action, and left unselected for other labels. |
| Hide button | Optional checkbox to create a two-button justification pop-up window. |
| Justification Options | Lists option descriptions. Add additional descriptions as required. User input is optional. |

Placeholders
You can use placeholders in the Justification Overview text box to display pre-defined text.
Display text placeholders

| Placeholder | Definition |
|---|---|
| %c | Displays the classifications that triggered the pop-up window. |
| %r | Displays the rule set that triggered the pop-up window. |
| %v | Displays the vector (email protection, web protection, and so forth) that triggered the pop-up window. |
| %a | Displays the action that triggered the pop-up window. |
| %s | Displays a string value. Use this placeholder to enter file names, device names, and so forth. |

Example:


The text "Provide a business justification to send email with restricted %r information." displays as "Provide a business justification to send email with restricted SSN information." when the social security rule triggers the pop-up window, but as "Provide a business justification to send email with restricted HIPAA information." when the HIPAA rule triggers the pop-up window.

User Notification definition page

Use this page to create or edit a User Notification definition.

Option definitions

| Option | Definition |
|---|---|
| Catalog Name | Displays the name of the catalog being edited. |
| Name | Replace the default definition name with a unique name. This field is required. |
| Description | Use this field for information to identify the definition or indicate when used. This field is optional. |
| Dialog Size | Use the radio buttons to select the notification text size. |
| Dialog Position | Use the radio buttons to select the notification position. |
| Default Locale | Locale used if endpoint locale is not available. Any defined locale can be set as default. |
| Text to display | Text box for defining the notification. This field is required. Text can contain embedded placeholders that are replaced with real values when displayed. |
| More Info | Checkbox to link to a web page. If you check the box, the URL text box is a required field. Note: For backward compatibility only. The More Info option is not supported in McAfee DLP 11.0. To link to more information, include the link in the Text to display box. |


Placeholders
You can use placeholders in the Text to display text box to display predefined text.

Display text placeholders

| Placeholder | Definition |
|---|---|
| %c | Displays the classifications that triggered the pop-up. |
| %r | Displays the rule set that triggered the pop-up. |
| %v | Displays the vector (email protection, web protection, and so forth) that triggered the pop-up. |
| %a | Displays the action that triggered the pop-up. |
| %s | Displays a string value. Use this placeholder to enter file names, device names, and so forth. |
| %f | Displays a string value. Use this placeholder to enter the complete path to the file, URL, and so forth. For McAfee DLP Prevent, %f displays a string value. Use this placeholder to enter file names, email message parts, such as email body, email subject, and so forth. |

Example:

The text "This email was blocked because it contains restricted %c information." displays as "This email was blocked because it contains restricted SSN information." when the social security classification triggers the pop-up, but as "This email was blocked because it contains restricted HIPAA information." when the HIPAA classification triggers the pop-up.

Rich Text
You can use HTML tags to produce Rich Text notifications by placing the tags in a <DIV>.

Example:

The text "This email was blocked because it contains restricted information. If you need to send this email,<div><b>Contact your manager.</b></div>" displays as:

This email was blocked because it contains restricted information. If you need to send this email,

Contact your manager.


Other definitions

Scheduler page

The Scheduler stores schedules for running McAfee DLP Discover and endpoint discovery scans.

The options available depend on the Schedule type selected. Table 1 shows the options that apply to all schedule types.

Table 1

| Option | Description |
|---|---|
| Name | Replace the default name Scheduler with a unique name. This field is required. |
| Suspend time | Scans can be suspended to prevent them from interfering with work schedules. You can set a different suspension time for each day of the week. |

Table 2 describes the additional options for all schedule types other than Run immediately.
Table 2

| Option | Description |
|---|---|
| Time Zone | Start and stop times can be according to the local time on the server platform or UTC, that is, simultaneously across the entire enterprise. |
| Start Time | Sets the start of the scan. |
| Effective period | Sets the start date for scans run once; sets start and end dates for all other schedule types. |

Table 3 describes the options for the different schedule types.

Table 3

| Schedule type | Description |
|---|---|
| Run immediately and Once | No options, other than setting the schedule type. |
| Options | Runs a task that has been missed. Not available for Run immediately. |
| Daily | You can set a frequency for scans of 1–30 days. The scan repeats every x days within the specified period. |
| Weekly | You can set a frequency for scans of 1–52 weeks. You can also select the day of the week the scan runs. |
| Monthly | You can set either the numerical day of the month for the scan or a specific day of the month (first Sunday, third Tuesday). You can also skip specific months by selecting the monthly checkboxes. |

Source/Destination definitions

Application Template page

This page contains a list of existing application definitions. Use this page to edit or create an application definition, or view a list
of rules that use a specific application definition.

Note

This page is applicable only to McAfee DLP Endpoint.

Option definitions

| Option | Definition |
|---|---|
| Edit | Opens the definition for editing. This option appears for user-defined definitions only. |
| Delete | Deletes the definition. This option appears for user-defined definitions only. Definitions currently in use cannot be deleted. To delete a definition, first remove it from all rules. |
| Duplicate | Use this option to customize built-in definitions or create different versions of user-defined definitions. |
| Usage | Displays a list of all rules that use the definition. |
| View | Opens the definition for viewing. This option applies to built-in definitions only. |
| Actions → New | Opens the New Application page to create a user-defined definition. |

Application Template definition page

Use this page to define an application template.

Option definitions

| Option | Definition |
|---|---|
| Catalog Name | Displays the name of the catalog being edited. |
| Name | Replace the default definition name with a unique name. This field is required. |
| Description | Use this field for information to identify the definition or indicate when used. This field is optional. |
| Process Strategy | Select from the drop-down list. Default: Editor |
| Applies to | Selects Windows or Mac operating system. The available properties list is different for each. |
| Analyze memory mapped files | Select from the drop-down list. Default: Disable. When enabled, analyzes memory-mapped files such as Autodesk 3ds Max graphic files. Due to processing overhead, we do not recommend using this option unless it is specifically required. Not supported on McAfee DLP Endpoint for Mac. |

Available Properties

| Property | Definition |
|---|---|
| Command Line | Command line with arguments; partial match allowed. Typical use case is an application that McAfee DLP Endpoint doesn't otherwise control, such as Java. The command line: java -jar can be used in such instances. |
| Executable Directory | The file path to the executable. |
| Executable file hash | Defines a specific version of the application. |
| Executable file name | The current file name; differs from original executable if the name was changed. |
| Original Executable file name | The original name of the executable. This property will cover all versions of the application, whereas the file hash is specific. |
| Product Name | The name of the product as listed in the file properties. If no name is listed, it appears as Unknown Product. |
| Vendor Name | Company name; partial match allowed. If no name is listed, it appears as Unknown Company. |
| Window Title | Title appearing in the application's title bar; partial match allowed. |

Note

Not all properties are supported on McAfee DLP Endpoint for Mac; all are supported on McAfee DLP Endpoint for Windows.


Protocol Identifier Template definitions page

Use this page to specify details about protocols for McAfee DLP Monitor.

Option definitions

| Option | Definition |
|---|---|
| Name | (Required) Replace the default definition name with a unique name. |
| Description | (Optional) Use this field for information to identify the definition or indicate when used. |

Available Properties
• Encapsulated — Select whether the traffic (such as SOCKS) is encapsulated
• Port — Specify the TCP or UDP port that the traffic is sent over. For example, SMTP typically uses port 25
• Protocol — The protocol that you want to identify, such as SMTP or ICAP
• Transport — Specify whether the traffic is sent over TCP or UDP, or both
• VLAN ID — Specify whether the traffic is sent over a VLAN.

Email Address List definition page

Use this page to create or edit an Email Address List definition.


Option definitions

| Category | Option | Definition |
|---|---|---|
| | Name | Enter a unique name for the definition. This field is required. |
| | Description | Optional field for additional information. |
| | Import Entries | Imports entries from a CSV file. |
| | Export Entries | Exports the definition to a CSV file. Only saved definitions can be exported. |
| | Save | Closes and saves the definition. |
| | Cancel | Closes the definition without saving changes. |
| Email Addresses | Operator | Text box for adding a protocol such as https. |
| | Value | Defines the type of expression used for the Value. Select from the drop-down list: • Email address equals — Used for exact address matches • Email address expression — Used to enter wild cards • Display name contains — Used to enter a substring • Display name equals — Used for exact display match • Domain name equals — Used to define just the domain portion of the email address |
| Actions | Add | Used to enter new Operator/Value pairs. |
| | Edit \| Delete | Used to edit or delete existing values. |

End-User Group definition page

Use this page to create or edit an End-User Group definition.


Option definitions

| Option | Definition |
|---|---|
| Name | Replace the default definition name with a unique name. This field is required. |
| Description | Use this field for information to identify the definition or indicate when used. This field is optional. |
| LDAP Object Identification | Selects the method of LDAP identification. |
| Add Users | Opens the Active Directory search page for users. |
| Add Groups | Opens the Active Directory search page for groups. |
| Add OU | Opens the Active Directory search page for Organizational Units. |

Local Folder definition page

Use this page to create or edit a Local Folder definition.


Option definitions

| Option | Definition |
|---|---|
| Name | Replace the default definition name with a unique name. This field is required. |
| Description | Use this field for information to identify the definition or indicate when used. This field is optional. |
| Local Folders | Path definition, entered as UNC. Use the Include and Exclude options for path separation. |


Network Address definition page

Use this page to create or edit a Network Address (IP address) definition.

Option definitions

| Option | Definition |
|---|---|
| Name | Replace the default definition name with a unique name. This field is required. |
| Description | Use this field for information to identify the definition or indicate when used. This field is optional. |
| Address | Text field to enter IP addresses. You can enter a single address, a range, or a subnet. |

Network Port definition page

Use this page to edit or delete a network port definition, or view a list of rules that use a specific port definition. Click Actions →
New to create definitions. This page contains a list of built-in port definitions.

Option definitions

| Option | Definition |
|---|---|
| Name | Replace the default definition name with a unique name. This field is required. |
| Description | Use this field for information to identify the definition or indicate when used. This field is optional. |
| Ports | Text box for entering a port number or numbers. |
| (Port) Description | Use this field for information to identify the port. This field is optional. |

Network Printer definition page

Use this page to create or edit a Network Printer definition.


Option definitions

| Option | Definition |
|---|---|
| Name | Replace the default definition name with a unique name. This field is required. |
| Description | Use this field for information to identify the definition or indicate when used. This field is optional. |
| UNC | Text box for entering the server name\path in UNC format. This field is required. Substring matching of the path entered is supported. |
| Model | Text box for entering the printer model. This field is optional. |
| Location | Text box for entering the printer location. This field is optional. |
| Domain | Text box for entering the domain. This field is optional. |

Network Share definition page

Use this page to create or edit a Network Share definition.


Option definitions

| Option | Definition |
|---|---|
| Name | Replace the default definition name with a unique name. This field is required. |
| Description | Use this field for information to identify the definition or indicate when used. This field is optional. |
| Network Shared Folders | Shared folder in UNC format. The server name can be either a host name or IP address. Use Include and Exclude to create granular definitions. |

File name list page

Use this page to create a list of executables that can be blocked from running by rules.

Option definitions

| Option | Definition |
|---|---|
| Name | Enter a unique name for the definition. This field is required. |
| Description | Optional field for additional information. |
| File Name | Text box for entering the executable names. Note: Microsoft Windows process names must include the ".exe" extension. For Mac processes the extension is optional. |
| Actions | Click Add to add the text box entry to the list. For entries added to the list, you can Edit or Delete. |

URL List definition page

Use this page to create URL List definitions.

Option definitions

| Category | Option | Definition |
|---|---|---|
| | Name | Enter a unique name for the definition. This field is required. |
| | Description | Optional field for additional information. |
| | Import Entries | Imports entries from a CSV file. |
| | Export Entries | Exports the definition to a CSV file. Only saved definitions can be exported. |
| | Save | Closes and saves the definition. |
| | Cancel | Closes the definition without saving changes. |
| URL List | Protocol | Text box for adding a protocol such as https. |
| | Host | Text box for adding a host name or IPv4 address. |
| | Port | Text box for adding a port. |
| | Path | (Optional) Text box for adding a path. |
| | Query String | (Advanced) The query string is a list of parameters and values separated by "&" symbols. It begins after the first "?" and goes to the end of the address. |
| Paste URL | Parse | A text field for pasting a URL from a browser. Clicking Parse adds the text to the appropriate Protocol, Host, Port, and Path fields. Select the check box to include a query string. |


Window Title definition page

Use this page to create Window Title definitions, which can be used in clipboard or screen capture protection rules.

Option definitions

| Option | Definition |
|---|---|
| Name | Replace the default definition name with a unique name. This field is required. |
| Description | Use this field for information to identify the definition or indicate when used. This field is optional. |
| Window Title Contains | Text box for entering a window title. Partial matching is supported. |

Rule sets
DLP Rule Sets page

Use this page to display and define rule sets to assign to policies.
Definitions

| Option | Definition |
|---|---|
| Name | Text box to edit the rule set name. |
| Description | Text box to enter or edit the optional description. |
| Delete | Use this option to delete a selected rule set. This option appears for user-defined rule sets only. |
| Duplicate | Use this option to customize sample rule sets or create different versions of user-defined rule sets. Note: To edit an existing user-defined rule set, click the name in the Rule Set column. |
| Actions → New Rule Set | Use this option to create a rule set. |
| Actions → Choose Columns | Sets which columns are displayed and their order. This control is a standard McAfee ePO control. |

Policy Assignment page

Use this page to assign rule sets to policies, apply policies to the McAfee ePO database, and edit policy or endpoint discovery
scan settings.

Option definitions

| Option | Definition |
|---|---|
| Apply Selected Policies | Displays a window with checkboxes to select policies. |
| Assign a Rule Set to policies | Displays a window with a drop-down list to select a rule set, and checkboxes to select policies for the assignment. |
| Select Rule Sets for policy | Displays a window with a drop-down list to select a policy, and checkboxes to select rule sets for the assignment. |

Reactions page

Use this page to define the actions and reporting for data protection, device protection, discovery, and application control rules.

Note

Data protection and device protection rules have a granular Action definition. You must define an action for each product
selected in the Enforce on field. You can also define different actions for the following:

• The computer is connected to the corporate network.
• The computer is disconnected from the corporate network.
• The computer is connected to the corporate network using VPN.

Discovery rules only apply when the computer is connected to the corporate network.


Option definitions

| Option | Definition |
|---|---|
| Action | Select an action from the drop-down list. The default is No Action. Note: Selecting No Action with Report Incident is sometimes referred to as Monitor. For a list of prevent actions for different types of rules, see the respective Rules page and Reactions available for rule types. |
| User Notification | User notification definitions are stored in the DLP Policy Catalog. Select a predefined definition, or click New Item to create one. Note: The user notification option does not appear when configuring discovery rules. |
| Report Incident | Select the checkbox for the rule to trigger a DLP Incident Manager report. For data protection and discovery rules, you can also store the original file. Note: If multiple rules trigger, the incident is reported containing information about all triggering rules, even if only some of them have Report Incident selected. |

These options apply to both the rule Definition and the rule Reaction.

Option definitions

| Option | Definition |
|---|---|
| Rule name | Enter a unique name. This field is required. |
| State | Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled. |
| Severity | A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field. |
| Enforce on | Determines the McAfee DLP product the rule is enforced on. • Data Protection rules — All other rules, except mobile protection rule can be enforced on McAfee DLP Endpoint for Windows. Some rules can also be enforced on McAfee DLP Endpoint for Mac or McAfee DLP Prevent. • Device Control rules — All rules can be enforced on McAfee DLP Endpoint for Windows. Plug and Play and Removable Storage device rules can also be enforced on McAfee DLP Endpoint for Mac • Discovery rules — Endpoint discovery rules are enforced on McAfee DLP Endpoint for Windows only. Network discovery rules are enforced on McAfee DLP Discover only. |

Application File Access Protection Rule page

Application file access protection rules block files based on the application that created them.

Option definitions

| Category | Option | Definition |
|---|---|---|
| Rule options | Rule name | Enter a unique name for the rule. This field is required. |
| | Description | Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the number of characters still available. This field is optional. |
| | State | Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled. |
| | Severity | A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field. |
| | Enforce on | Selects the McAfee DLP product enforcing the rule. The default is to enforce on both McAfee DLP Endpoint for Windows and McAfee DLP Endpoint for Mac. |
| Condition tab. Note: All fields in this section are required. | Classification | Use the is any data (ALL) option to bypass applying a content classification, or use the is one of (OR) or is all of (AND) options to select predefined classifications. You can use the + icon to add multiple classifications, and define their relationship with the and/or option. |
| | End-User | Select a user group from the drop-down list. Using the + icon, you can select multiple groups using AND/OR logic. You can exclude groups using the Exceptions tab. Include at least one group before excluding any groups. |
| | Applications | Selecting the application, supported browser, or TIE reputation options opens a field where you can select from available definitions. If you select non-supported Chrome versions, the text field is for specifying a URL. Note: To use TIE reputation in rules, DXL client must be installed on the endpoint computer. |
| Exceptions tab. Note: The Exceptions tab is optional. | Actions | Adds or deletes a rule exception. |
| | Name | Enter a unique name for the exception. This field is required. |
| | Description | Optional descriptive text. |
| | State | Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state. |
| | Classification | Select a classification. See above for option details. The exception classification is independent from the rule classification. |
| | End-User | Select a user group from the drop-down list. See above for option details. The exception end-user is independent from the rule end-user. |
| | Applications | Select an application. See above for option details. The exception application is independent from the rule application. |
| Reaction tab. DLP Endpoint. Data protection and device protection rules have a granular Action definition. You can define different actions for the following: • Computer connected to corporate network • Computer disconnected from the corporate network | Action | Select an action from the drop-down list. The default is No Action. Selecting No Action with Report Incident is sometimes referred to as Monitor. For a list of prevent actions for different types of rules, see the available reactions table. Note: When the Classification field is set to is any data (ALL), the Block action is not allowed. Attempting to save the rule with these conditions generates a warning. |
| | User Notification | User notification definitions are stored in the DLP Policy in the Policy Catalog. Select a predefined definition, or click New Item to create one. |
| | Report Incident | Select the checkbox for the rule to trigger a DLP incident. |
| | Store original file as evidence | Select to store the original file as evidence. If the hit highlighting option is enabled for the evidence server, the trigger text is highlighted and stored as a separate file. |

Clipboard Protection rule page

Clipboard protection rules block use of the clipboard to copy sensitive data.

Option definitions

| Category | Option | Definition |
|---|---|---|
| Rule options | Rule name | Enter a unique name for the rule. This field is required. |
| | Description | Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the number of characters still available. This field is optional. |
| | State | Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled. |
| | Severity | A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field. |
| | Enforce on | Selects the McAfee DLP product enforcing the rule. This rule type is only supported on McAfee DLP Endpoint for Windows. |
| Condition tab. Note: All fields in this section are required. The default ALL can be used instead of a defined parameter. | Classification | Use the is any data (ALL) option to bypass applying a content classification, or use the is one of (OR) or is all of (AND) options to select predefined classifications. You can use the + icon to add multiple classifications, and define their relationship with the and/or option. |
| | End-User | Select a user group from the drop-down list. Using the + icon, you can select multiple groups using AND/OR logic. You can exclude groups using the Exceptions tab. Include at least one group before excluding any groups. |
| | Source application | Select the paste-from application from the built-in list. |
| | Destination application | Select the paste-into application from the built-in list. |
| Exceptions tab. Note: The Exceptions tab is optional. | Actions | Adds or deletes a rule exception. |
| | Name | Enter a unique name for the exception. This field is required. |
| | Description | Optional descriptive text. |
| | State | Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state. |
| | Classification | Select a classification. See above for option details. The exception classification is independent from the rule classification. |
| | End-User | Select a user group from the drop-down list. See above for option details. The exception end-user is independent from the rule end-user. |
| | Source application | Select the paste-from application from the built-in list. The exception source application is independent from the rule source application. |
| | Destination application | Select the paste-into application from the built-in list. The exception destination application is independent from the rule destination application. |
| Reaction tab. DLP Endpoint. Data protection and device protection rules have a granular Action definition. You can define different actions for the following: • Computer connected to corporate network • Computer disconnected from the corporate network | Action | Select an action from the drop-down list. The default is No Action. Selecting No Action with Report Incident is sometimes referred to as Monitor. For a list of prevent actions for different types of rules, see the available reactions table. |
| | User Notification | User notification definitions are stored in the DLP Policy in the Policy Catalog. Select a predefined definition, or click New Item to create one. |
| | Report Incident | Select the checkbox for the rule to trigger a DLP incident. |
| | Store Original File | Select to store the original file as evidence. If the hit highlighting option is enabled for the evidence server, the trigger text is highlighted and stored as a separate file. |

Cloud Protection rule page

Cloud protection rules monitor or block sensitive content being uploaded to the cloud with common cloud applications. Files can
be quarantined or require justification before being uploaded.

Option definitions

Category Option Definition

Rule options

Rule name Enter a unique name for the rule. This field is required.

Description Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the number of characters still available. This field is optional.

State Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled.

Severity A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field.

Enforce on Selects the McAfee DLP product enforcing the rule. This rule type is supported on McAfee DLP Endpoint for Windows and McAfee DLP Endpoint for Mac.

Condition tab
Note: All fields in this section are required. The default ALL can be used instead of a defined parameter.

Classification Use the is any data (ALL) option to bypass applying a content classification, or use the is one of (OR) or is all of (AND) options to select predefined classifications. You can use the + icon to add multiple classifications, and define their relationship with the and/or option.

End-User Select a user group from the drop-down list. Using the + icon, you can select multiple groups using AND/OR logic. You can exclude groups using the Exceptions tab. Include at least one group before excluding any groups.

top level Subfolder name Use this field to limit the rule to specific folders. The default is any subfolder (ALL).

Cloud Service Select one or more services with the checkboxes.

Exceptions tab
Note: The Exceptions tab is optional.

Actions Adds or deletes a rule exception.

Name Enter a unique name for the exception. This field is required.

Description Optional descriptive text.

State Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state.

Reaction tab
DLP Endpoint
Data protection and device protection rules have a granular Action definition. You can define different actions for the following:
• Computer connected to corporate network
• Computer disconnected from the corporate network

Action Select an action from the drop-down list. The default is No Action.
Note: Selecting No Action with Report Incident is sometimes referred to as Monitor.
For a list of prevent actions for different types of rules, see the available reactions table.

User Notification User notification definitions are stored in the DLP Policy in the Policy Catalog. Select a predefined definition, or click New Item to create one.

Report Incident Select the checkbox for the rule to trigger a DLP incident.

Store Original File Select to store the original file as evidence. If the hit highlighting option is enabled for the evidence server, the trigger text is highlighted and stored as a separate file.

Email Protection rule page

Email protection rules block email sent to specific destinations or users.

Option definitions

Category Option Definition

Rule options tab

Rule name Enter a unique name for the rule. This field is required.

Description Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the number of characters still available. This field is optional.

State Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled.

Severity A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field.

Enforce on Selects the McAfee DLP products that enforce the rule. This rule type is supported on McAfee DLP Endpoint for Windows, McAfee Network DLP, and Cloud DLP.
Note: Selecting McAfee Network DLP makes the rule available to McAfee DLP Monitor and McAfee DLP Prevent.

Condition tab

Classification Classifications can be limited to a specific email element (headers, subject, body, attachment) or apply to all elements. The selected elements can contain one or all of the classifications. The one of the email elements classification also includes a contains any data (ALL) option which means you do not need to name a classification. You can select multiple classifications, or use the + icon to add additional classifications.
Note: The option one of the email elements does not include email headers other than subject for email protection rules used by the McAfee DLP appliances. You must add other email headers separately.

Sender Select a sender from the drop-down list. Senders can be selected from end-user groups or email lists, or can be local or non-LDAP users. Using the + icon, you can select multiple senders using AND/OR logic. You can exclude groups using the Exceptions tab. Include at least one group before excluding any groups.

Email Envelope Specifies the encryption or other protection.

Recipient list includes Use this option to block mail to specified recipients, using email address list definitions. On the Exceptions tab, specified recipients are excluded from a blocking rule.

Exceptions tab
Note: The Exceptions tab is optional.

Actions Adds or deletes a rule exception.

Name Enter a unique name for the exception. This field is required.

Description Optional descriptive text.

State Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state.

Classification Select a classification. See above for option details. The exception classification is independent from the rule classification.

Sender Select a sender from the drop-down list. See above for option details. The exception sender is independent from the rule sender.

Email Envelope Specifies the encryption or other protection. The exception email envelope is independent from the rule email envelope.

Recipient list includes Specifies the recipient list. See above for option details. The exception recipient list is independent from the rule recipient list.

Reaction → DLP Endpoint
Data protection and device protection rules have a granular Action definition. You can define different actions for the following:
• Computer connected to corporate network
• Computer disconnected from the corporate network

Action Select an action from the drop-down list. The default is No Action.
Note: Selecting No Action with Report Incident is sometimes referred to as Monitor.
For a list of actions for different types of rules, see the available reactions table.
When the computer is disconnected from the network, the default is React the same way as connected system. Selecting another option displays the notification and reporting options.

User Notification User notification definitions are stored in the DLP Policy category in the Policy Catalog. Select a predefined definition, or click New Item to create one.

Report Incident Select the checkbox for the rule to trigger a DLP incident.

Store original email as evidence Select to store the original email as evidence. If the hit highlighting option is enabled for the evidence server, the trigger text is highlighted and stored as a separate file.

Reaction → DLP Prevent

Action Select an action from the drop-down list. The default is No Action.
Note: Selecting No Action with Report Incident is sometimes referred to as Monitor.
For a list of actions for different types of rules, see the available reactions table.
• Selecting Block and return email to sender blocks the email that violates the policy and returns the original email to the sender as an attachment to a notification. An additional details file in HTML format is also attached to this notification. You can choose a predefined User Notification definition or create a custom notification.
• Selecting Add header X-RCIS-Action displays the Value drop-down menu for action options. The various actions are scan fail, block, quarantine, encrypt, bounce, redirect, notify, and allow.

Report Incident Select the checkbox for the rule to trigger a DLP incident.

Store original email as evidence Select to store the original email as evidence. If the hit highlighting option is enabled for the evidence server, the trigger text is highlighted and stored as a separate file.

Reaction → DLP Monitor

Action Select an action from the drop-down list. The default is No Action.
Note: Selecting No Action with Report Incident is sometimes referred to as Monitor.

Report Incident Select the checkbox for the rule to trigger a DLP incident.

Store original email as evidence Select to store the original email as evidence. If the hit highlighting option is enabled for the evidence server, the trigger text is highlighted and stored as a separate file.

Reaction → McAfee DLP Cloud
Note: You can set the action separately for McAfee Cloud DLP configured as inline protection (able to block) and McAfee Cloud DLP configured as passive protection (only monitoring and no blocking).

Action Select an action from the drop-down list. The default is No Action.
Note: Selecting No Action with Report Incident is sometimes referred to as Monitor.

Report Incident Select the checkbox for the rule to trigger a DLP incident.

Store classification match files Select to store the classification matches that trigger the rule.

Network Communication Protection rule page

Network communication protection rules monitor or block incoming or outgoing data on your network. Rules are not supported
in clients installed on Windows server operating systems.

Option definitions

Category Option Definition

Rule options

Rule name Enter a unique name for the rule. This field is required.

Description Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the number of characters still available. This field is optional.

State Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled.

Severity A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field.

Enforce on Selects the McAfee DLP product enforcing the rule. This rule type is only supported on McAfee DLP Endpoint for Windows.

Condition tab / Exceptions tab
Note: Network communication protection rules do not check content classification criteria. Use content fingerprinting criteria when defining classifications used with Network communication protection rules.

Classification Use the is any data (ALL) option to bypass applying a content classification, or use the is one of (OR) or is all of (AND) options to select predefined classifications. You can use the + icon to add multiple classifications, and define their relationship with the and/or option.

End-User Select a user group from the drop-down list. Using the + icon, you can select multiple groups using AND/OR logic. You can exclude groups using the Exceptions tab. Include at least one group before excluding any groups.

Network direction Select checkboxes for incoming, outgoing, or both.

Network addresses Required field. Select a network IP address definition, or click New Item to create one.

Network ports Use default any port, or select a port definition.

Application creating the connection Use default any application or select an application definition.

Exceptions
Note: The Exceptions tab is optional.

Actions Adds or deletes a rule exception.

Name Enter a unique name for the exception. This field is required.

Description Optional descriptive text.

State Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state.

End-User Select a user group from the drop-down list. See above for option details. The exception end-user is independent from the rule end-user.

Network direction Select a network direction. The exception network direction is independent from the rule network direction.

Network addresses Select a network IP address definition. The exception network address is independent from the rule network address.

Network ports Select a network port definition. The exception network port is independent from the rule network port.

Application creating the connection Select an application definition. The exception application is independent from the rule application.

Reaction tab
DLP Endpoint
Data protection and device protection rules have a granular Action definition. You can define different actions for the following:
• Computer connected to corporate network
• Computer disconnected from the corporate network
• Computer connected to corporate network using VPN

Action Select an action from the drop-down list. The default is No Action.
Note: Selecting No Action with Report Incident is sometimes referred to as Monitor.
For a list of prevent actions for different types of rules, see the available reactions table.

User Notification User notification definitions are stored in the DLP Policy in the Policy Catalog. Select a predefined definition, or click New Item to create one.

Report Incident Select the checkbox for the rule to trigger a DLP incident.

Network Share Protection rule page

Network share protection rules protect files in specified shared folders. Files can be encrypted, or require a business justification
for access.

Option definitions

Category Option Definition

Rule options

Rule name Enter a unique name for the rule. This field is required.

Description Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the length of the entry. This field is optional.

State Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled.

Severity A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field.

Enforce On Selects the McAfee DLP product enforcing the rule. The default is to enforce on both McAfee DLP Endpoint for Windows and McAfee DLP Endpoint for Mac.

Condition tab /

Classification Use the is any data (ALL) option to bypass applying a content classification, or use the is one of (OR) or is all of (AND) options to select predefined classifications. You can use the + icon to add multiple classifications, and define their relationship with the and/or option.

End-User Select a user group from the drop-down list. Using the + icon, you can select multiple groups using AND/OR logic. You can exclude groups using the Exceptions tab. Include at least one group before excluding any groups.

Network Share Select a defined network share, or create a definition.

Application copying the file Select an application from the built-in list, or use the default ALL.

Exceptions tab
Note: The Exceptions tab is optional.

Actions Adds or deletes a rule exception.

Name Enter a unique name for the exception. This field is required.

Description Optional descriptive text.

State Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state.

Classification Select a classification. See above for option details. The exception classification is independent from the rule classification.

End-User Select a user group from the drop-down list. See above for option details. The exception end-user is independent from the rule end-user.

Network Share Select a network share. The exception network share is independent from the rule network share.

Application copying the file Select an application. The exception application is independent from the rule application.

Reaction tab
DLP Endpoint
Data protection and device protection rules have a granular Action definition. You can define different actions for the following:
• Computer connected to corporate network
• Computer disconnected from the corporate network

Action Select an action from the drop-down list. The default is No Action.
Note: Selecting No Action with Report Incident is sometimes referred to as Monitor.
For a list of prevent actions for different types of rules, see the available reactions table.
Note: Encrypt action is not supported on McAfee DLP Endpoint for Mac.

User Notification User notification definitions are stored in the DLP Policy in the Policy Catalog. Select a predefined definition, or click New Item to create one.

Report Incident Select the checkbox for the rule to trigger a DLP incident.

Store Original File Select to store the original file as evidence. If the hit highlighting option is enabled for the evidence server, the trigger text is highlighted and stored as a separate file.

Printer Protection rule page

Printer protection rules block files from being printed on local, network, or image printers. You can limit the rule to specific
applications.

Option definitions

Category Option Definition

Rule options

Rule name Enter a unique name for the rule. This field is required.

Description Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the length of the entry. This field is optional.

State Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled.

Severity A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field.

Enforce on Selects the McAfee DLP product enforcing the rule. This rule type is only supported on McAfee DLP Endpoint for Windows.

Condition tab
Note: All fields in this section are required. The default ALL can be used instead of a defined parameter.

Classification Use the is any data (ALL) option to bypass applying a content classification, or use the is one of (OR) or is all of (AND) options to select predefined classifications. You can use the + icon to add multiple classifications, and define their relationship with the and/or option.

End-User Select a user group from the drop-down list. Using the + icon, you can select multiple groups using AND/OR logic. You can exclude groups using the Exceptions tab. Include at least one group before excluding any groups.

Printer Select a local, image, or network printer.

Application printing the file Select the application or browser printing the file.

Exceptions tab
Note: The Exceptions tab is optional.

Actions Adds or deletes a rule exception.

Name Enter a unique name for the exception. This field is required.

Description Optional descriptive text.

State Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state.

Classification Select a classification. See above for option details. The exception classification is independent from the rule classification.

End-User Select a user group from the drop-down list. See above for option details. The exception end-user is independent from the rule end-user.

Printer Select a printer. The exception printer is independent from the rule printer.

Application printing the file Select an application or browser. The exception application is independent from the rule application.

Reaction tab
DLP Endpoint
Data protection and device protection rules have a granular Action definition. You can define different actions for the following:
• Computer connected to corporate network
• Computer disconnected from the corporate network
• Computer connected to corporate network using VPN

Action Select an action from the drop-down list. The default is No Action.
Note: Selecting No Action with Report Incident is sometimes referred to as Monitor.
For a list of prevent actions for different types of rules, see the available reactions table.

User Notification User notification definitions are stored in the DLP Policy in the Policy Catalog. Select a predefined definition, or click New Item to create one.

Report Incident Select the checkbox for the rule to trigger a DLP incident.

Store Original File Select to store the original file as evidence. If the hit highlighting option is enabled for the evidence server, the trigger text is highlighted and stored as a separate file.

Removable Storage Protection rule page

Removable storage protection rules block data from being written to removable storage devices, including mobile devices using
the Media Transfer Protocol (MTP).

To protect devices using MTP, verify that the Removable Storage Protection → Portable Devices Handler is activated in the
Policy Catalog client configuration on the Operational Mode and Modules page.


Option definitions

Category Option Definition

Rule options

Rule name Enter a unique name for the rule. This field is required.

Description Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the length of the entry. This field is optional.

State Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled.

Severity A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field.

Enforce on Selects the McAfee DLP product enforcing the rule. The default is to enforce on both McAfee DLP Endpoint for Windows and McAfee DLP Endpoint for Mac.

Condition tab
Note: All fields in this section are required. The default ALL can be used instead of a defined parameter.

Classification Use the is any data (ALL) option to bypass applying a content classification, or use the is one of (OR) or is all of (AND) options to select predefined classifications. You can use the + icon to add multiple classifications, and define their relationship with the and/or option.

End-User Select a user group from the drop-down list. Using the + icon, you can select multiple groups using AND/OR logic. You can exclude groups using the Exceptions tab. Include at least one group before excluding any groups.

Application copying the file Select the application or browser.
Note: Browsers are supported only for Microsoft Windows.

Copy Direction Select either or both directions.

Removable Media Select one or both options.
Note: CD and DVD devices are supported only for Microsoft Windows.

Exceptions tab
Note: The Exceptions tab is optional.

Actions Adds or deletes a rule exception.

Name Enter a unique name for the exception. This field is required.

Description Optional descriptive text.

State Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state.

Classification Select a classification. See above for option details. The exception classification is independent from the rule classification.

End-User Select a user group from the drop-down list. See above for option details. The exception end-user is independent from the rule end-user.

Application copying the file Select an application. The exception application is independent from the rule application.

Copy Direction Select a copy direction. The exception copy direction is independent from the rule copy direction.

Reaction tab
DLP Endpoint
Data protection and device protection rules have a granular Action definition. You can define different actions for the following:
• Computer connected to corporate network
• Computer disconnected from the corporate network

Action Select an action from the drop-down list. The default is No Action.
Note: Selecting No Action with Report Incident is sometimes referred to as Monitor.
For a list of prevent actions for different types of rules, see the available reactions table.
Note: Encrypt action is not supported on McAfee DLP Endpoint for Mac.

User Notification User notification definitions are stored in the DLP Policy in the Policy Catalog. Select a predefined definition, or click New Item to create one.

Report Incident Select the checkbox for the rule to trigger a DLP incident.

Store Original File Select to store the original file as evidence. If the hit highlighting option is enabled for the evidence server, the trigger text is highlighted and stored as a separate file.

Screen Capture Protection rule page

Screen capture protection rules control data copied and pasted from a screen.

To use screen capture protection rules, verify that the Screen Capture Service in the Policy Catalog client configuration on the
Operational Mode and Modules page is activated. (The service is activated by default.) Specify the screen capture applications
supported on the Screen Capture Protection page.

Option definitions

Category Option Definition

Rule options

Rule name Enter a unique name for the rule. This field is required.

Description Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the length of the entry. This field is optional.

State Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled.

Severity A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field.

Enforce on Selects the McAfee DLP product enforcing the rule. This rule type is only supported on McAfee DLP Endpoint for Windows.

Condition tab
Note: All fields in this section are required. The default ALL can be used instead of a defined parameter.
Note: Screen capture protection rules do not check content classification criteria. Use content fingerprinting criteria when defining classifications used with screen capture protection rules.

Classification Use the is any data (ALL) option to bypass applying a content classification, or use the is one of (OR) or is all of (AND) options to select predefined classifications. You can use the + icon to add multiple classifications, and define their relationship with the and/or option.

End-User Select a user group from the drop-down list. Using the + icon, you can select multiple groups using AND/OR logic. You can exclude groups using the Exceptions tab. Include at least one group before excluding any groups.

Applications Select the application or browser.

Exceptions tab
Note: The Exceptions tab is optional.

Actions Adds or deletes a rule exception.

Name Enter a unique name for the exception. This field is required.

Description Optional descriptive text.

State Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state.

Classification Select a classification. See above for option details. The exception classification is independent from the rule classification.

End-User Select a user group from the drop-down list. See above for option details. The exception end-user is independent from the rule end-user.

Applications Select an application or browser. The exception application is independent from the rule application.

Reaction tab
DLP Endpoint
Data protection and device protection rules have a granular Action definition. You can define different actions for the following:
• Computer connected to corporate network
• Computer disconnected from the corporate network

Action Select an action from the drop-down list. The default is No Action.
Note: Selecting No Action with Report Incident is sometimes referred to as Monitor.
For a list of prevent actions for different types of rules, see the available reactions table.

User Notification User notification definitions are stored in the DLP Policy in the Policy Catalog. Select a predefined definition, or click New Item to create one.

Report Incident Select the checkbox for the rule


to trigger a DLP incident.

Store Original File Select to store the original


file as evidence. If the hit
highlighting option is enabled for
the evidence server, the trigger
text is highlighted and stored as
a separate file.

Web Protection rule page

Web protection rules block data from being posted to websites, including web-based email sites.

Supported browsers are Microsoft Internet Explorer, Google Chrome, Microsoft Edge (Chromium-based), and Mozilla Firefox.

Option definitions

| Category | Option | Definition |
|---|---|---|
| Rule options | Rule name | Enter a unique name for the rule. This field is required. |
| | Description | Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the number of characters still available. This field is optional. |
| | State | Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled. |
| | Severity | A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field. |
| | Enforce on | Selects the McAfee DLP product enforcing the rule. The options are to enforce on either McAfee DLP Endpoint for Windows and McAfee Network DLP (McAfee DLP Prevent). |
| Condition tab. Note: The default ALL can be used instead of a defined parameter. | Classification | Use the is any data (ALL) option to bypass applying a content classification, or use the is one of (OR) or is all of (AND) options to select predefined classifications. You can use the + icon to add multiple classifications, and define their relationship with the and/or option. |
| | End-User | Select a user group from the drop-down list. Using the + icon, you can select multiple groups using AND/OR logic. You can exclude groups using the Exceptions tab. Include at least one group before excluding any groups. |
| | Web address (URL) | Select a URL list definition or reputation. To add a URL definition to the list of values, select is one of (OR), and click ..., then select New Item. |
| | Upload type | is any data upload inspects all web uploads. is file upload inspects only files. This option allows other data types, such as webmail or web forms, to be uploaded without inspection. |
| Exceptions tab. Note: The Exceptions tab is optional. | Actions | Adds or deletes a rule exception. |
| | Name | Enter a unique name for the exception. This field is required. |
| | Description | Optional descriptive text. |
| | State | Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state. |
| | Classification | Select a classification. See above for option details. The exception classification is independent from the rule classification. |
| | End-User | Select a user group from the drop-down list. See above for option details. The exception end-user is independent from the rule end-user. |
| | Web address (URL) | Select a URL list definition or reputation. The exception web address is independent from the rule web address. |
| | Upload type | Select an upload type. The exception upload type is independent from the rule upload type. |
| Reaction tab. Data protection and device protection rules have a granular Action definition. You can define different actions for the following: Computer connected to corporate network; Computer disconnected from the corporate network; McAfee DLP Prevent (if licensed); McAfee DLP Monitor (if licensed). | Action | Select an action from the drop-down list. The default is No Action. Note: Selecting No Action with Report Incident is sometimes referred to as Monitor. For a list of actions for different types of rules, see the available reactions table. |
| | User Notification | User notification definitions are stored in the DLP Policy in the Policy Catalog. Select a predefined definition, or click New Item to create one. For connected computers, you can also set when to close the notification. |
| | Report Incident | Select the checkbox for the rule to trigger a DLP incident. |
| | Store original file as evidence | Select to store the original file as evidence. If the hit highlighting option is enabled for the evidence server, the trigger text is highlighted and stored as a separate file. |

Data Protection page

This tab contains a list of all data protection rules. You can create, edit, enable/disable, or delete rules from this page.

Option definitions

| Category | Option | Definition |
|---|---|---|
| Action definitions | Change State | Select Enable or Disable. |
| | Choose Columns | Sets which columns are displayed and their order. This control is a standard McAfee ePO control. |
| | Delete Protection Rule | Deletes the selected rules. |
| | Duplicate Rules | Duplicates the rule, either to the same rule set or to other selected rule sets. |
| | New Rule | Select from available protection rules to open the definition page for that rule: Application File Access Protection, Clipboard Protection, Cloud Protection, Email Protection, Network Communication Protection, Network Share Protection, Printer Protection, Removable Storage Protection, Screen Capture Protection, Web Protection. Note: McAfee DLP Endpoint for Mac supports Application File Access Protection, Network Share Protection, and Removable Storage Protection rules only. |
| | Save as Capture Search | Save an email protection, web protection, or network communication protection rule enforced on the McAfee DLP appliances into a search that you can use for rule tuning purposes. After you finish tuning the rule, you can save it so that it overrides the original rule. |
| Option definitions. Note: These definitions apply to all tabs of the rule definition: Data Protection, Device Control, Discovery, and Application Control. | Name | Text box for editing the rule set name. |
| | Definition | Text box for adding or editing additional information on the rule set. This field is optional. |
| | Close | Closes the rule set. |


Device Control page

This page contains a list of all rules for controlling devices. You can create, edit, enable/disable, or delete rules from this page.

Option definitions

| Category | Option | Definition |
|---|---|---|
| Action definitions | Change State | Select Enable or Disable. |
| | Choose Columns | Sets which columns are displayed and their order. This control is a standard McAfee ePO control. |
| | Delete Device Rule | Deletes the selected rules. |
| | Duplicate Rules | Duplicates selected rules for modification. |
| | New Rule | Select from available device protection rules to open the definition page for that rule: Citrix XenApp device rule, Fixed hard disk device rule, Plug and Play device rule, Removable storage device rule, Removable storage file access rule. |
| Option definitions. Note: These options apply to all tabs of the rule definition: Data Protection, Device Control, and Discovery. | Name | Enter a unique name. This field is required. |
| | Note | Additional information on the rule set. This field is optional. |
| | Save | Closes and saves the rule set. |
| | Close | Closes the rule set without saving changes. |


Removable Storage Device Rule page

Use this page to define a Removable Storage Device Rule. Removable storage devices can be blocked, monitored, or set to
read-only.

Option definitions

| Category | Option | Definition |
|---|---|---|
| Rule options | Rule name | Enter a unique name for the rule. This field is required. |
| | Description | Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the number of characters still available. This field is optional. |
| | State | Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled. |
| | Severity | A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field. |
| | Enforce On | Selects the McAfee DLP product enforcing the rule. The default is to enforce on both McAfee DLP Endpoint for Windows and McAfee DLP Endpoint for Mac. |
| Condition tab. Note: The End User and at least one Removable Storage field in this section are required. | End-User | Select a user group from the drop-down list. Using the + icon, you can select multiple groups using AND/OR logic. You can exclude groups using the Exceptions tab. Include at least one group before excluding any groups. |
| | Removable Storage | Select a defined removable storage device, or create a new definition. This field is required. |
| Exclusions tab. Note: The Exceptions tab is optional. In the left pane, select a whitelisted definition: Whitelisted Device Definitions; Whitelisted Processes; Whitelisted Serial Number & User Pairs; Whitelisted Users. | Name | Enter a unique name for the exception. This field is required. |
| | Description | Optional descriptive text. |
| | State | Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state. |
| | Removable Storage | Select a defined removable storage device to exclude from the rule. |
| | Process Name (Windows only) | Select a process name definition to exclude from the rule. |
| | Serial Number & User Pairs (Windows only) | Select a serial number and user pair definition to exclude from the rule. |
| | End-User | Select a user group to exclude from the rule. |
| Reaction tab. DLP Endpoint. Data protection and device protection rules have a granular Action definition. You can define different actions for the following: Computer connected to corporate network; Computer disconnected from the corporate network. | Action | Select an action from the drop-down list. The default is No Action. Note: Selecting No Action with Report Incident is sometimes referred to as Monitor. For a list of prevent actions for different types of rules, see the available reactions table. |
| | User Notification | User notification definitions are stored in the DLP Policy in the Policy Catalog. Select a predefined definition, or click New Item to create one. |
| | Report Incident | Select the checkbox for the rule to trigger a DLP incident. |

Citrix Xenapp Device Rule page

Use this page to define a device rule to protect devices mapped to shared Citrix Xenapp desktop sessions. Citrix device rules can
block, monitor, or set devices to read-only.
Option definitions

| Category | Option | Definition |
|---|---|---|
| Rule options | Rule name | Enter a unique name for the rule. This field is required. |
| | Description | Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the number of characters still available. This field is optional. |
| | State | Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled. |
| | Severity | A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field. |
| | Enforce On | Selects the McAfee DLP product enforcing the rule. Citrix Xenapp device rules are enforced on McAfee DLP Endpoint for Windows only. |
| Condition tab. Note: All fields in this section are required. | End-User | Select a user group from the drop-down list. Using the + icon, you can select multiple groups using AND/OR logic. You can exclude groups using the Exceptions tab. Include at least one group before excluding any groups. |
| | Resources | Select one or more Citrix resources you want the rule to protect. |
| Exclusions tab. Note: The Exceptions tab is optional. Whitelisted Users is the only option for Citrix device rules. | Name | Enter a unique name for the exception. This field is required. |
| | Description | Optional descriptive text. |
| | State | Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state. |
| | End-User | Select a user group to exclude from the rule. |
| Reaction tab | Action | The only option for Citrix device rules is Block. No selection is required. |

Fixed Hard Drive Rule page

Use this page to create a fixed hard drive protection rule. Fixed hard drive rules do not protect the boot or system partition. They
can block, monitor, or set the drive to read-only.
Option definitions

| Category | Option | Definition |
|---|---|---|
| Rule options | Rule name | Enter a unique name for the rule. This field is required. |
| | Description | Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the number of characters still available. This field is optional. |
| | State | Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled. |
| | Severity | A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field. |
| | Enforce On | Selects the McAfee DLP product enforcing the rule. Fixed hard drive device rules can be enforced on McAfee DLP Endpoint for Windows only. |
| Condition tab. Note: All fields in this section are required. | End-User | Select a user group from the drop-down list. Using the + icon, you can select multiple groups using AND/OR logic. You can exclude groups using the Exceptions tab. Include at least one group before excluding any groups. |
| | Fixed Hard Drive | Select a defined fixed hard drive, or create a definition. This field is required. |
| Exclusions. Note: The Exceptions tab is optional. In the left pane, select a whitelisted definition: Whitelisted Device Definitions; Whitelisted Users. | Name | Enter a unique name for the exception. This field is required. |
| | Description | Optional descriptive text. |
| | State | Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state. |
| | Fixed Hard Drive | Select a fixed hard drive definition to exclude from the rule. |
| | End-User | Select a user group to exclude from the rule. |
| Reaction tab. DLP Endpoint. Data protection and device protection rules have a granular Action definition. You can define different actions for the following: Computer connected to corporate network; Computer disconnected from the corporate network. | Action | Select an action from the drop-down list. The default is No Action. Note: Selecting No Action with Report Incident is sometimes referred to as Monitor. For a list of prevent actions for different types of rules, see the available reactions table. |
| | User Notification | User notification definitions are stored in the DLP Policy in the Policy Catalog. Select a predefined definition, or click New Item to create one. |
| | Report Incident | Select the checkbox for the rule to trigger a DLP incident. |

Plug And Play Device Rule page

Use this page to create a plug-and-play device rule definition. Plug-and-play rules can block or monitor devices.


Option definitions

| Category | Option | Definition |
|---|---|---|
| Rule options | Rule name | Enter a unique name for the rule. This field is required. |
| | Description | Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the number of characters still available. This field is optional. |
| | State | Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled. |
| | Severity | A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field. |
| | Enforce On | Selects the McAfee DLP product enforcing the rule. The default is to enforce on both McAfee DLP Endpoint for Windows and McAfee DLP Endpoint for Mac. |
| Condition tab. Note: All fields in this section are required. | End-User | Select a user group from the drop-down list. Using the + icon, you can select multiple groups using AND/OR logic. You can exclude groups using the Exceptions tab. Include at least one group before excluding any groups. |
| | Plug And Play | Select a defined plug-and-play device, or create a new definition. This field is required. Note: McAfee DLP Endpoint for Mac supports USB devices only. |
| Exclusions tab. Note: The Exceptions tab is optional. In the left pane, select a whitelisted definition: Whitelisted Device Definitions; Whitelisted Serial Number & User Pairs; Whitelisted Users. | Name | Enter a unique name for the exception. This field is required. |
| | Description | Optional descriptive text. |
| | State | Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state. |
| | Plug And Play | Select a plug-and-play device definition to exclude from the rule. |
| | Serial Number & User Pairs (Windows only) | Select a serial number and user pair definition to exclude from the rule. |
| | End-User | Select a user group to exclude from the rule. |
| Reaction tab. DLP Endpoint. Data protection and device protection rules have a granular Action definition. You can define different actions for the following: Computer connected to corporate network; Computer disconnected from the corporate network; Computer connected to corporate network using VPN. | Action | Select an action from the drop-down list. The default is No Action. Note: Selecting No Action with Report Incident is sometimes referred to as Monitor. For a list of prevent actions for different types of rules, see the available reactions table. |
| | User Notification | User notification definitions are stored in the DLP Policy in the Policy Catalog. Select a predefined definition, or click New Item to create one. |
| | Report Incident | Select the checkbox for the rule to trigger a DLP incident. |

Removable storage file access device rule page

Use this page to define a removable storage file access device rule.

Removable storage file access device rules are used to block executables on plug-in devices from running. Because some
executables, such as encryption applications on encrypted devices, must be allowed to run, the rule allows you to exclude one
application.

Option definitions

| Category | Option | Definition |
|---|---|---|
| Rule options | Rule name | Enter a unique name for the rule. This field is required. |
| | Description | Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the number of characters still available. This field is optional. |
| | State | Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled. |
| | Severity | A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field. |
| | Enforce On | Selects the McAfee DLP product enforcing the rule. Removable storage file access device rules are enforced on McAfee DLP Endpoint for Windows only. |
| Condition tab | End-User | Select a user group from the drop-down list. Using the + icon, you can select multiple groups using AND/OR logic. You can exclude groups using the Exceptions tab. Include at least one group before excluding any groups. |
| | Removable Storage | Select a defined removable storage device, or create a definition. This field is required. |
| | True File Type | Select a true file type definition (built-in), or create your own. Note: This field has a default entry that you can edit as required. |
| | File Extension | Select the executables to block. Note: This field has a default entry that you can edit as required. |
| | File Name | Select an executable to exclude from the definition. |
| Exclusions tab. Note: The Exceptions tab is optional. In the left pane, select a whitelisted definition: Whitelisted Device Definitions; Whitelisted File Names; Whitelisted Users. | Name | Enter a unique name for the exception. This field is required. |
| | Description | Optional descriptive text. |
| | State | Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state. |
| | Removable Storage | Select a defined removable storage device to exclude from the rule. |
| | File Name | Select a file name list to exclude from the rule. |
| | End-User | Select a user group to exclude from the rule. |
| Reaction tab. DLP Endpoint. Data protection and device protection rules have a granular Action definition. You can define different actions for the following: Computer connected to corporate network; Computer disconnected from the corporate network. | Action | Select an action from the drop-down list. The default is No Action. Note: Selecting No Action with Report Incident is sometimes referred to as Monitor. For a list of prevent actions for different types of rules, see the available reactions table. |
| | User Notification | User notification definitions are stored in the DLP Policy in the Policy Catalog. Select a predefined definition, or click New Item to create one. |
| | Report Incident | Select the checkbox for the rule to trigger a DLP incident. |

TrueCrypt Device Rule page

Use this page to create a TrueCrypt Device Rule definition. Plug and play rules can block or monitor TrueCrypt virtual encryption
devices, or set them to read-only.
Option definitions

| Category | Option | Definition |
|---|---|---|
| Rule options | Rule name | Enter a unique name for the rule. This field is required. |
| | Description | Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the number of characters still available. This field is optional. |
| | State | Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled. |
| | Severity | A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field. |
| | Enforce On | Selects the McAfee DLP product enforcing the rule. TrueCrypt device rules can be enforced on McAfee DLP Endpoint for Windows only. |
| Condition tab. Note: All fields in this section are required. | End-User | Select a user group from the drop-down list. Using the + icon, you can select multiple groups using AND/OR logic. You can exclude groups using the Exceptions tab. Include at least one group before excluding any groups. |
| Exclusions tab. Note: The Exceptions tab is optional. Whitelisted Users is the only option for TrueCrypt device rules. | Name | Enter a unique name for the exception. This field is required. |
| | Description | Optional descriptive text. |
| | State | Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state. |
| | End-User | Select a user group to exclude from the rule. |
| Reaction tab. DLP Endpoint. Data protection and device protection rules have a granular Action definition. You can define different actions for the following: Computer connected to corporate network; Computer disconnected from the corporate network. | Action | Select an action from the drop-down list. The default is No Action. Note: Selecting No Action with Report Incident is sometimes referred to as Monitor. For a list of prevent actions for different types of rules, see the available reactions table. |
| | User Notification | User notification definitions are stored in the DLP Policy in the Policy Catalog. Select a predefined definition, or click New Item to create one. |
| | Report Incident | Select the checkbox for the rule to trigger a DLP incident. |

Discovery page

Depending on the installed licences, this page contains a list of all McAfee DLP Endpoint Discovery or McAfee DLP Discover rule
sets, or both. You can create, edit, enable or disable, or delete rule sets from this page.

Option definitions

| Category | Option | Definition |
|---|---|---|
| Action definitions | Change State | Select Enable or Disable. |
| | Choose Columns | Sets which columns are displayed and their order. This control is a standard McAfee ePO control. |
| | Delete Discovery Rule | Deletes the selected rules. |
| | New Endpoint Discovery Rule | Select from available discovery rules to open the definition page for that rule. Note: Available when license for McAfee DLP Endpoint is installed. |
| | New Network Discovery Rule | Select from available discovery rules to open the definition page for that rule. Note: Available when license for McAfee DLP Discover is installed. |
| Option definitions. Note: These options apply to all tabs of the rule definition: Data Protection, Device Control, and Discovery. | Name | Enter a unique name. This field is required. |
| | Note | Additional information on the rule set. This field is optional. |
| | Save | Closes and saves the rule set. |
| | Close | Closes the rule set without saving changes. |

Local file system protection page

Use this page to configure a Local File System endpoint discovery rule.


Option definitions

| Category | Option | Definition |
|---|---|---|
| Rule options | Rule name | Enter a unique name for the rule. This field is required. |
| | Description | Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the number of characters still available. This field is optional. |
| | State | Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled. |
| | Severity | A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field. |
| | Enforce on | Selects the McAfee DLP product enforcing the rule. This rule type is supported on McAfee DLP Endpoint for Windows and McAfee DLP Endpoint for Mac. |
| Conditions tab | Classification | Options are: is one of (OR); is all of (AND). You can use the + icon to add multiple classifications, or select multiple classifications with the AND option. |
| Exceptions tab. Note: The Exceptions tab is optional. | Actions | Adds or deletes a rule exception. |
| | Name | Enter a unique name for the exception. This field is required. |
| | Description | Optional descriptive text. |
| | State | Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state. |
| | Classification | Select a classification. See above for option details. The exception classification is independent from the rule classification. |
| Reaction tab. Note: This rule applies whether or not the computer is connected to the corporate network. | Action | Select an action from the drop-down list. The default is No Action. Note: Selecting No Action with Report Incident is sometimes referred to as Monitor. For a list of actions for different types of rules, see the available reactions table. |
| | Report Incident | Select the checkbox for the rule to trigger a DLP incident. |
| | Store Original File | Select to store the original file as evidence. If the hit highlighting option is enabled for the evidence server, the trigger text is highlighted and stored as a separate file. |

Endpoint Discovery Rule - Local Email Storage page

Use this page to configure a Local Email (OST, PST) discovery rule.
Option definitions

| Category | Option | Definition |
|---|---|---|
| Rule options | Rule name | Enter a unique name for the rule. This field is required. |
| | Description | Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the number of characters still available. This field is optional. |
| | State | Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled. |
| | Severity | A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field. |
| Conditions tab | Classification | Options are: is one of (OR); is all of (AND). You can use the + icon to add multiple classifications, or select multiple classifications with the AND option. |
| Exceptions tab. Note: The Exceptions tab is optional. | Actions | Adds or deletes a rule exception. |
| | Name | Enter a unique name for the exception. This field is required. |
| | Description | Optional descriptive text. |
| | State | Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state. |
| | Classification | Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the length of the entry. This field is optional. |
| Reaction tab. Note: This rule applies whether or not the computer is connected to the corporate network. | Action | Select an action from the drop-down list. The default is No Action. Note: Selecting No Action with Report Incident is sometimes referred to as Monitor. For a list of prevent actions for different types of rules, see the available reactions table. |
| | Report Incident | Select the checkbox for the rule to trigger an incident. |
| | Store Original File | Select to store the original file as evidence. If the hit highlighting option is enabled for the evidence server, the trigger text is highlighted and stored as a separate file. |

Network Discovery Rule - Box page

Use this page to configure a Box discovery rule.


Option definitions

| Category | Option | Definition |
|---|---|---|
| Rule options | Rule name | Enter a unique name for the rule. This field is required. |
| | Description | Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the number of characters still available. This field is optional. |
| | State | Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled. |
| | Severity | A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field. |
| Conditions tab | Classification | Specifies a predefined classification. Use the Boolean comparisons AND, OR, NOT to specify multiple classifications. |
| | Repository | Specifies the repository scanned. |
| | File Sharing | Specifies which files to scan based on how the file is shared. |
| Exceptions tab. Note: The Exceptions tab is optional. | Actions | Adds or deletes a rule exception. |
| | Name | Enter a unique name for the exception. This field is required. |
| | Description | Optional descriptive text. |
| | State | Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state. |
| | Classification | Select a classification. See above for option details. The exception classification is independent from the rule classification. |
| | Repository | Select a repository to exclude from the rule. |
| | File Sharing | Select files to be excluded from the rule. |
| | User Account (Email) | Specifies accounts to exclude from triggering the rule. |
| Reaction tab | Action | Select an action from the drop-down list. The default is No Action. Note: Selecting No Action with Report Incident is sometimes referred to as Monitor. For a list of prevent actions for different types of rules, see the available reactions table. |
| | Report Incident | Select the checkbox for the rule to trigger a DLP incident. |
| | Store Original File | Select to store the original file as evidence. If the hit highlighting option is enabled for the evidence server, the trigger text is highlighted and stored as a separate file. |


Network Discovery Rule - File Server page

Use this page to configure a CIFS or NFS discovery rule.

Option definitions

| Category | Option | Definition |
|---|---|---|
| Rule options | Rule name | Enter a unique name for the rule. This field is required. |
| | Description | Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the number of characters still available. This field is optional. |
| | State | Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled. |
| | Severity | A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field. |
| Conditions tab | Classification | Specifies a predefined classification. Use the Boolean comparisons AND, OR, NOT to specify multiple classifications. |
| | Repository | Specifies the repository scanned. Repository path definitions can use UNC path definitions or regular expressions. |
| Exceptions tab. Note: The Exceptions tab is optional. | Actions | Adds or deletes a rule exception. |
| | Name | Enter a unique name for the exception. This field is required. |
| | Description | Optional descriptive text. |
| | State | Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state. |
| | Classification | Select a classification. See above for option details. The exception classification is independent from the rule classification. |
| | Repository | Select a repository to exclude from the rule. |
| Reaction tab | Action | Select an action from the drop-down list. The default is No Action. Note: Selecting No Action with Report Incident is equivalent to Monitor. For a list of prevent actions for different types of rules, see the available reactions table. |
| | Report Incident | Select the checkbox for the rule to trigger a DLP incident. |
| | Store Original File | Select to store the original file as evidence. If the hit highlighting option is enabled for the evidence server, the trigger text is highlighted and stored as a separate file. |

Network Discovery Rule - SharePoint page

Use this page to configure a SharePoint discovery rule.


Option definitions

| Category | Option | Definition |
|---|---|---|
| Rule options | Rule name | Enter a unique name for the rule. This field is required. |
| | Description | Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the number of characters still available. This field is optional. |
| | State | Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled. |
| | Severity | A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field. |
| Conditions tab | Classification | Specifies a predefined classification. Use the Boolean comparisons AND, OR, NOT to specify multiple classifications. |
| | Repository | Specifies the repository scanned. Enter the URL of a SharePoint web application, site collection, subsite, library, or list. |
| Exceptions tab. Note: The Exceptions tab is optional. | Actions | Adds or deletes a rule exception. |
| | Name | Enter a unique name for the exception. This field is required. |
| | Description | Optional descriptive text. |
| | State | Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state. |
| | Classification | Select a classification. See above for option details. The exception classification is independent from the rule classification. |
| | Repository | Select a repository to exclude from the rule. |
| Reaction tab | Action | Select an action from the drop-down list. The default is No Action. Note: Selecting No Action with Report Incident is sometimes referred to as Monitor. For a list of prevent actions for different types of rules, see the available reactions table. |
| | Report Incident | Select the checkbox for the rule to trigger a DLP incident. |
| | Store Original File | Select to store the original file as evidence. If the hit highlighting option is enabled for the evidence server, the trigger text is highlighted and stored as a separate file. |

Network Discovery Rule - Database rule

Use this page to configure a database discovery rule.


Option definitions

| Category | Option | Definition |
|---|---|---|
| Rule options | Rule name | Enter a unique name for the rule. This field is required. |
| | Description | Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the number of characters still available. This field is optional. |
| | State | Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled. |
| | Severity | A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field. |
| Conditions tab | Classification | Specifies a predefined classification. Use the Boolean comparisons AND, OR, NOT to specify multiple classifications. |
| | Repository | Specifies the repository scanned. |
| Exceptions tab. Note: The Exceptions tab is optional. | Actions | Adds or deletes a rule exception. |
| | Name | Enter a unique name for the exception. This field is required. |
| | Description | Optional descriptive text. |
| | State | Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state. |
| | Classification | Select a classification. See above for option details. The exception classification is independent from the rule classification. |
| | Repository | Select a repository to exclude from the rule. |
| Reaction tab | Action | Select an action from the drop-down list. The default is No Action. Note: Selecting No Action with Report Incident is sometimes referred to as Monitor. For a list of prevent actions for different types of rules, see the available reactions table. |
| | Report Incident | Select the checkbox for the rule to trigger a DLP incident. |
| | Store Original File | Select to store the original file as evidence. If the hit highlighting option is enabled for the evidence server, the trigger text is highlighted and stored as a separate file. |

Application Control page

This page contains a list of rules for controlling applications.

Option definitions

| Category | Option | Definition |
|---|---|---|
| Action definitions | Change State | Enables or disables the rule. Note: The current state is indicated in the State column. A solid bullet indicates enabled. |
| | Choose Columns | Sets which columns are displayed and their order. This control is a standard McAfee ePO control. |
| | Delete Application Rule | Deletes the selected rules. |
| | Duplicate Rules | Duplicates the selected rules to the current rule set (Duplicate to Self) or to another rule set (Duplicate to other Rule Sets). |
| | New Rule | Select from available rules to open the definition page for that rule. |
| Option definitions. Note: These options apply to all tabs of the rule definition — Data Protection, Device Control, and Discovery. | Name | Enter a unique name. This field is required. |
| | Note | Additional information on the rule set. This field is optional. |
| | Save | The option is activated when you edit the rule set name. It saves the rule set to the changed name. |
| | Close | Closes the rule set without saving changes. |

Web Application Control rule page

Web application control rules block web pages by URL.


Option definitions

| Category | Option | Definition |
|---|---|---|
| Rule options | Rule name | Enter a unique name for the rule. This field is required. |
| | Description | Click Edit to open the description text box. The maximum description length is 2000 characters. The character counter in the lower left of the window shows the number of characters still available. This field is optional. |
| | State | Select Enabled or Disabled from the drop-down list. You can also change this parameter on the DLP Rule Set page by selecting a rule or rules and selecting Actions → Change State. The default is Disabled. |
| | Severity | A relative measure of the gravity of violating this rule. The default is Warning. The color code that also appears in the DLP Incident Manager is displayed next to the field. |
| | Enforce on | Selects the McAfee DLP product enforcing the rule. The only option is to enforce on McAfee DLP Endpoint for Windows. |
| Condition tab. Note: The default ALL can be used instead of a defined parameter. | End-User | Select a user group from the drop-down list. Using the + icon, you can select multiple groups using AND/OR logic. You can exclude groups using the Exceptions tab. Include at least one group before excluding any groups. |
| | Web address (URL) | Select a URL list definition or reputation. Note: Reputation is not available in the Exceptions tab. To add a URL definition to the list of values, select is one of (OR), and click ..., then select New Item. |
| Exceptions tab. Note: The Exceptions tab is optional. | Actions | Adds or deletes a rule exception. |
| | Name | Enter a unique name for the exception. This field is required. |
| | Description | Optional descriptive text. |
| | State | Select Enabled or Disabled from the drop-down list. The exception state is independent from the rule state. |
| | End-User | Select a user group from the drop-down list. See above for option details. The exception end-user is independent from the rule end-user. |
| | Web address (URL) | Select a URL list definition or reputation. The exception web address is independent from the rule web address. |
| Reaction tab. Data protection and device protection rules have a granular Action definition. You can define different actions for the following: Computer connected to corporate network; Computer disconnected from the corporate network. | Action | The only action available for web application control rules is Block. Note: You can also choose to report the incident. For a list of actions for different types of rules, see the available reactions table. |
| | User Notification | User notification definitions are stored in the DLP Policy in the Policy Catalog. Select a predefined definition, or click New Item to create one. For connected computers, you can also set when to close the notification. |
| | Report Incident | Select the checkbox for the rule to trigger a DLP incident. |

Policy Assignment page

Use this page to assign rule sets to policies, apply policies to the McAfee ePO database, and edit policy or endpoint discovery
scan settings.

Option definitions

| Option | Definition |
|---|---|
| Apply Selected Policies | Displays a window with checkboxes to select policies. |
| Assign a Rule Set to policies | Displays a window with a drop-down list to select a rule set, and checkboxes to select policies for the assignment. |
| Select Rule Sets for policy | Displays a window with a drop-down list to select a policy, and checkboxes to select rule sets for the assignment. |


Incidents, Operations, and Cases


DLP Incident Manager
Analytics page

Use this page to configure the DLP Incident Manager Analytics page.

Option definitions for the Present drop-down list

| Option | Definition |
|---|---|
| Data-in-use/motion | Describes McAfee DLP Endpoint, Device Control, McAfee DLP Monitor, or McAfee DLP Prevent data. |
| Data-at-rest (Endpoint) | Describes McAfee DLP Endpoint discover data. |
| Data-at-rest (Network) | Describes McAfee DLP Discover data. |

Note

Only options for installed software are displayed.

Option definitions for data-in use/motion and data at rest (endpoint)

| Category | Option | Definition |
|---|---|---|
| Filters | Ruleset | Drop-down list to select a single rule set. |
| | Incident type | Drop-down list to select a single incident type. |
| | User | Text box to display a user. Selection is made from the list displayed by clicking the button. |
| | Time Occurred | Drop-down list to filter by time interval. |
| | Destinations (Data in-use/motion only) | Text box to display a destination. Selection is made from the list displayed by clicking the button. |
| | Classifications | Drop-down list to filter by a classification. |

Option definitions for data at rest (network)

| Category | Option | Definition |
|---|---|---|
| Filters | Ruleset | Drop-down list to select a single rule set. |
| | Classifications | Drop-down list to filter by a classification. |
| | Repositories | Text box to display a repository. Selection is made from the list displayed by clicking the button. |
| | Server Time | Drop-down list to select the time interval. |
| | Container | Text box to display a container. Selection is made from the list displayed by clicking the button. |
| | Repository type | Drop-down list to select a single repository type. |

Incident List page

This page provides administrators with a list of events triggered by policy rules. The list can be filtered for easier viewing.

The Incident List displays only policy violations. Administrative events such as agent updates are displayed in a separate console,
DLP Operational Events.

Option definitions for the Present drop-down list

| Option | Definition |
|---|---|
| Data-in-use/motion | Displays McAfee DLP Endpoint, Device Control, McAfee DLP Monitor, or McAfee DLP Prevent data. The Reporting Product column identifies which product produced the incident. |
| Data-at-rest (Endpoint) | Displays McAfee DLP Endpoint discover data. |
| Data-at-rest (Network) | Displays McAfee DLP Discover data. |

Note

Only options for installed software are displayed.

Option definitions for data-in use/motion and data at rest (endpoint)

| Category | Option | Definition |
|---|---|---|
| Menu bar | View | Drop-down list to display the view. Use Edit to create a view. The view can alternately be applied and switched off during the current session. Use Save to use a view between sessions. |
| | Time (McAfee DLP Endpoint only) | Drop-down list to display the time filter. |
| | Scan (McAfee DLP Discover only) | Opens the Select scan and run page to specify the scan and scan instance to display results for. |
| | Filter | Drop-down list to select the display filter. Use Edit to create a filter. The available properties vary according to the Present setting. The filter can alternately be applied and switched off during the current session. Use Save to use a filter between sessions. |
| | Group by | Drop-down list to organize data. The available filters vary according to the Present setting. |
| | Search | Text box for searching the data. |
| Incident display area | Incident list | Displays incidents based on the current selections. Tip: To add or remove columns, click Edit next to the View drop-down list. |
| | Select all in this page | Selects all incidents displayed on the page. |
| | Select all in all pages | Selects all incidents displayed on all pages. |
| | Go to page | Specifies which page of the incident list to display. |
| | Arrow buttons | Click to browse through pages. |
| Actions | Add Comment | Active when at least one incident is selected. Opens a text box for comments of up to 500 characters. |
| | Email Selected Events | Opens an email set-up window to send selected events. |
| | Export Selected Events | Opens an export target path set-up window to send selected events. |
| | Export device information to CSV (Data in-use/motion list only) | Exports the device parameters of selected incidents to a CSV file and displays the file name as a link. Displays an error message if the incident is not a device incident. |
| | Release Redaction | Opens an authorization dialog box for entering user name and password. |
| | Set Properties | Opens a dialog box that allows editing of properties (Severity, Status, and so forth) for all selected incidents. |
| | Stakeholders | Allows the administrator to add a stakeholder to the selected incidents. Stakeholders receive an email notification every time an incident is modified. |
| | Case Management | Allows the user to choose between adding the incidents to an existing case or creating a new case. |
| | Labels | Opens dialog boxes to attach, detach, or delete labels. |
| | View | Same operations as the View field, above. Allows the user to customize the list view. Columns can be rearranged, displayed, or hidden. The view can be saved as a named view, with options for Save group by, Save time filter, and Save column filter. Saved views can be public or private. |
| | Filter | Allows filters to be edited, saved, deleted, or exported to Incident Tasks. Filter → Edit opens the Edit Filter Criteria page for selection and definition of filter parameters. |
| | Create Device Template (Data in-use/motion list only) | Select a device and create a template based on the incident device information. Displays an error message if the selected template type does not match the incident device type. |


DLP Incident Manager details page

This page displays detailed information for the selected incident. Some information is for display only, other information can be
modified.

Note

The option definition table displays only those items that can be changed by the user.

Option definitions

| Section or tab | Option | Definition |
|---|---|---|
| General Details | Severity | Specifies the severity. Select a value from the drop-down list to change. |
| | Status | Specifies the status. Select a value from the drop-down list to change. |
| | Resolution | Specifies the resolution. Select a value from the drop-down list to change. |
| | Reviewer | Displays the assigned reviewer. Click the Edit button to open the Set Reviewer window to change the assignment. |
| Endpoint Details | User Principal Name | Click the link to view more detail. |
| | Source Application | Click the link to view more detail. |
| Additional Information | Access Control List | Click the link to view which Active Directory users and groups have access to files. |
| Tabs | Evidence | Click the link to view the evidence file in an appropriate program. |
| | Rules | |
| | Classifications | |
| | Stakeholders | |
| | Audit Log | |
| | Comments | |
| | Cases | |
| Actions | Add Comment | Opens a text window to add a comment. Maximum comment length is 500 characters. |
| | Email Event | Opens a window to send an email containing the incident. |
| | Manage Labels | Opens a window to add or remove labels to the incident. |
| | Release Redaction | Opens a Release Redaction window. Enter a user name and password of a user with sufficient permissions to display the event in clear text. |
| | Stakeholders | Adds a stakeholder to selected incidents. You can add yourself, or specify another stakeholder. Stakeholders receive an email notification every time an incident is modified. |
| | Case Management | Adds the incident to a new or existing case. |
| | OK | Closes the window. |
| | Save | Saves your changes. |

Incident tasks/Operational events tasks page

This page allows an administrator to set up specific tasks according to defined criteria. Tasks are run by the McAfee ePO
Automation → Server Tasks feature. The Incident Tasks page and the Operational Event Tasks pages work in a similar manner,
with slightly different settings.

Data types
A drop-down list to select data type appears at the top of the page.

Note

Displayed tasks apply only to the data type selected.

The list allows creating tasks that operate on either the incident list/operational events list or the history. The Operational Event
Tasks page has only these two options.

The Incident Tasks page has multiple options, depending on the installed licenses.
Incident task types by license

| License | Data types |
|---|---|
| Device Control, McAfee DLP Monitor, or McAfee DLP Prevent | Data in-use/motion; Data in-use/motion - History |
| McAfee DLP Endpoint | Data in-use/motion; Data at-rest (Endpoint); Data in-use/motion - History; Data at-rest (Endpoint) - History |
| McAfee DLP Discover | Data at-rest (Network); Data at-rest (Network) - History |


Option definitions

| Option | Definition |
|---|---|
| Data type drop-down list | Selects the data type. Tasks are created only for the selected type. |
| Filter List | Enter text to filter the displayed items. |
| Set Reviewer | Displays reviewer tasks for the selected data type. |
| Automatic mail Notification | Displays email notification tasks for the selected data type. |
| Purge events | Displays purge tasks for the selected data type. |
| Task list area | Displays tasks based on the current selections. The available columns vary depending on the data and task type. |
| Actions | Performs these actions: New task — Creates a task. Delete — Deletes selected tasks. State — Changes the state of selected tasks to Enabled or Disabled. |

Set Reviewer Task/Rule page

The Set Reviewer task is used to assign reviewers for role-based access to DLP incidents and operational events. Assignments can
be by reviewer group or individual reviewer.

Rule Properties

Rule properties option definitions

| Option | Definition |
|---|---|
| Name | Task name. Required field, must be unique — duplicate names are flagged. |
| Description | Optional field for additional information. |
| State | Enabled or disabled. All tasks are enabled by default. |
| Reviewer | Assigns a reviewer according to the rule criteria. The task only runs on incidents where a reviewer has not been assigned. You cannot use it to reassign incidents to a different reviewer. |

Rule Criteria
This page defines the criteria that trigger the email notification. The Available Properties list includes McAfee DLP properties and
McAfee ePO properties. You can select any combination of properties from the list.

Rule criteria option definitions

| Option | Definition |
|---|---|
| Comparison | Select from the drop-down list. Available comparisons vary with the selected property. |
| Value | Available values vary with the selected property — some are text fields, some are drop-down lists, some require selecting a predefined definition. |

Automatic Mail Notification Task/Rule page

The mail notification task sends email notification of policy violations to users, managers, or others based on defined criteria.

Rule Properties

Rule properties option definitions

| Option | Definition |
|---|---|
| Name | Specifies the name of the task. The name must be unique. This is a required field. |
| Description | Optional field for additional information. |
| State | Enabled or disabled. All tasks are enabled by default. |
| Events to process | Options are: Process all incidents/events (of the selected incident type); Process incidents/events since the last mail notification run. Note: By default, tasks are run daily. |
| Template | Allows the user to select and save a template. |
| From | Text box to edit the From line of the email. |
| Recipients | Required field — at least one recipient must be selected. |
| CC | Allows the user to select or define cc: recipients. |
| Subject | Email subject. Required field. |
| Body | Email body. Optional field. |
| Insert variable | Variables such as the policy name or the time the event occurred can be inserted into the email subject or body by selecting a variable from the drop-down list and clicking insert. |
| Evidence Files | Checkboxes for attaching evidence information. Note: You can select any, all, or none of the options. Options are: Attach CSV file with evidence list information; Attach decrypted evidence files, match-string HTML files, and incident details page (incident details page, decrypted evidence files, decrypted match-string HTML files). |
| Email Size Limitation | Drop-down list for selecting maximum email size. |

Rule criteria
This page defines the criteria that trigger the email notification. The Available Properties list includes McAfee DLP properties and
McAfee ePO properties. You can select any combination of properties from the list.
Rule criteria option definitions

Option Definition

Comparison Select from the drop-down list. Available comparisons vary with the selected property.

Value Available values vary with the selected property — some are text fields, some are drop-down lists, some require selecting a predefined definition.

Email incidents page

Use this page to email selected incidents.


Option definitions

Option Definition

Name Select a template to automatically populate the options.

Save As Specifies the name of a new template.

Delete Deletes the selected template.

Save Saves any changes to the template. If a name is specified in the Save As field, the template is saved with that name. Otherwise, the template is saved to the template selected from the Name drop-down list.

From Enter the email address that the email is sent from.

Recipients Enter the email addresses to send to.

CC Enter the email addresses to copy the email to.

Subject Enter the subject of the email.

Insert variable Selects a variable to insert.

Insert Inserts the selected variable.

Note: There are separate insert variable lists and Insert buttons for the subject and the body of the email.

Body Enter the text for the body of the email.

Evidence Files Attaches the evidence files. The format of the files
depends on the options selected.

Email Size Limitation Specifies the maximum size of the email and
attachments.

Send Sends the email.

Cancel Discards your changes and closes the window.

Purge Events/Rule page

The purge task is used to delete incidents from the events table in the DLP Incident Manager or DLP Operational Events based
on defined criteria. Events purged from the incident or operational events list can be viewed on the history page. You can also
create purge tasks for the history page. When you purge incident history, you also purge the evidence files associated with the
incidents. Events purged from the history are lost forever.

Rule Properties

Rule properties option definitions

Option Definition

Name Task name. Required field, must be unique — duplicate names are flagged.

Description Optional field for additional information.

State Enabled or disabled. All tasks are enabled by default.

Rule Criteria
This page defines the criteria that trigger the email notification. The Available Properties list includes McAfee DLP properties and
McAfee ePO properties. You can select any combination of properties from the list.

Rule criteria option definitions

Option Definition

Comparison Select from the drop-down list. Available comparisons vary with the selected property.

Value Available values vary with the selected property — some are text fields, some are drop-down lists, some require selecting a predefined definition.

Incident History page

This page describes the DLP Incident Manager history page. Items purged from the Incident Event List page continue to be
displayed on the history page.

Option definitions

Category Option Definition

Menu bar Present (Incident History page only) Drop-down list to display either Data-in-use/motion, Data-at-rest (Endpoint) (McAfee DLP Endpoint data), or Data-at-rest (Network) (McAfee DLP Discover data).

View Drop-down list to display the view. Use Edit to create a view. The view can alternately be applied and switched off during the current session. Use Save to use a view between sessions.

Time (McAfee DLP Endpoint incidents only) Drop-down list to display the time filter.

Scan (McAfee DLP Discover incidents only) Opens the Select scan and run page to specify the scan and scan instance to display results for.

Filter Drop-down list to select the display filter. Use Edit to create a filter. The available properties vary according to the Present setting. The filter can alternately be applied and switched off during the current session. Use Save to use a filter between sessions.

Incident display area Incident list Displays historical incidents based on the current selections.

Note: To add or remove columns, click Edit next to the View drop-down list.

Select all in this page Selects all items displayed on the page.

Select all in all pages Selects all items displayed on all pages.

Go to page Specifies which page of the list to display.

Arrow buttons Click to browse through pages.

Actions Add Comment Active when at least one incident is selected. Opens a text box for comments of up to 500 characters.

Email Selected Events Opens an email set-up window to send selected events.

Release Redaction Opens an authorization dialog box for entering user name and password.

Set Properties Opens a dialog box that allows editing of properties (Severity, Status, and so forth) for all selected incidents.

Manage Labels Opens dialog boxes to attach, detach, or delete labels.

View Allows the user to customize the list view. Columns can be rearranged, displayed, or hidden. The view can be saved as a named view, with options for Save group by, Save time filter, and Save column filter. Saved views can be public or private.

Filter Allows filters to be edited, saved, deleted, or exported to Incident Tasks. Filter → Edit opens the Edit Filter Criteria page for selection and definition of filter parameters.

Export Device Parameters (for Data in-use/motion incident list only) Exports the device parameters of selected incidents to a CSV file and displays the file name as a link. Displays an error message if the incident is not a device incident.

DLP Operations
Operational Event List page

Operational events provide administrators with a list of administrative events such as policy changes or deployments. Events
from McAfee DLP Endpoint and McAfee DLP Discover are listed, if both products are installed. The list can be filtered for easier
viewing.

The DLP Operations console displays all administrative events connected with McAfee DLP Endpoint operation, such as policy
changes, files being quarantined, or users logging on to Safe Mode. Events triggered by policy violations are displayed in a
separate console, DLP Incident Manager.

Actions definitions

Category Option Definition

Menu bar View Drop-down list to display the view. Use Edit to create a view. The view can alternately be applied and switched off during the current session. Use Save to use a view between sessions.

Time Drop-down list to display the time filter.

Filter Drop-down list to select the display filter. Use Edit to create a filter. The filter can alternately be applied and switched off during the current session. Use Save to use a filter between sessions.

Group by Drop-down list to organize data.

Event display area Event list Displays events based on the current selections.

Note: To add or remove columns, click Edit next to the View drop-down list.

Select all in this page Selects all events displayed on the page.

Select all in all pages Selects all events displayed on all pages.

Go to page Specifies which page of the event list to display.

Arrow buttons Click to browse through pages.

Actions Add Comment Opens a text window to add a comment. Maximum comment length is 500 characters.

Email Selected Events Opens an email set-up window to send selected events.

Set Properties Opens a dialog box that allows editing of properties (Severity, Status, and so forth) for all selected incidents.

Stakeholders Allows the administrator to add a stakeholder to the selected events.

Labels Opens a window to attach or detach labels to the event. You can also delete labels from the database, which detaches them from all events.

View Same operations as the View field.

Filter Same operations as the Filter field. Also allows you to export the current filter to an operational events task.

Operational event tasks

Use this page to set operational event tasks.

Option definitions

Option Definition

Operational Events (drop-down menu) Sets the display to operational events or operational
events history.

Set Reviewer Displays the Set Reviewer tasks.

Automatic mail notification Displays the mail notification tasks.


Purge operational events Displays the purge tasks.

Actions → Delete Deletes selected tasks.

Actions → New Rule Creates a rule according to the task type selected.

Actions → State Sets the state to Enabled or Disabled.

Operational event history

This page provides administrators with a list of operational events. Items purged from the Operational Event List page continue
to be displayed on the history page.

Option definitions

Category Option Definition

Menu bar View Drop-down list to display the view. Use Edit to create a view. The view can alternately be applied and switched off during the current session. Use Save to use a view between sessions.

Time Drop-down list to display the time filter.

Filter Drop-down list to select the display filter. Use Edit to create a filter. The available properties vary according to the Present setting. The filter can alternately be applied and switched off during the current session. Use Save to use a filter between sessions.

Event display area Event list Displays historical incidents or events based on the current selections.

Note: To add or remove columns, click Edit next to the View drop-down list.

Select all in this page Selects all items displayed on the page.

Select all in all pages Selects all items displayed on all pages.

Go to page Specifies which page of the list to display.

Arrow buttons Click to browse through pages.

Actions Add Comment Active when at least one incident is selected. Opens a text box for comments of up to 500 characters.

Email Selected Events Opens an email set-up window to send selected events.

Set Properties Opens a dialog box that allows editing of properties (Severity, Status, and so forth) for all selected incidents.

Labels Opens dialog boxes to attach, detach, or delete labels.

View Allows the user to customize the list view. Columns can be rearranged, displayed, or hidden. The view can be saved as a named view, with options for Save group by, Save time filter, and Save column filter. Saved views can be public or private.

Filter Allows filters to be edited, saved, deleted, or exported to Incident Tasks. Filter → Edit opens the Edit Filter Criteria page for selection and definition of filter parameters.

User Information page

Use this page to view, import, or export user information.

Option definitions

Category Option Definition

Menu bar View Drop-down list to display the view. Use Edit to create a view. The view can alternately be applied and switched off during the current session. Use Save to use a view between sessions.

Filter Drop-down list to select the display filter. Use Edit to create a filter. The filter can alternately be applied and switched off during the current session. Use Save to use a filter between sessions.

Group by Drop-down list to organize data.

User information display area User information list Displays user information based on the current view and filter selections.

Tip: To add or remove columns, click Edit next to the View drop-down list.

Select all in this page Selects all incidents displayed on the page.

Select all in all pages Selects all incidents displayed on all pages.

Go to page Specifies which page of the incident list to display.

Arrow buttons Click to browse through pages.

Actions Delete Deletes the selected users.

Export to CSV file Gives the user the option to view or save the userinformationList.csv file.

Import from CSV file Opens a browse window to select a CSV file to import.

Operational events – Incident detail page

This page displays detailed information for the selected event.

Option definitions

Option Definition

Severity Drop-down list to set the event severity.


Status Drop-down list to set the status.

Resolution Drop-down list to set the resolution.

Reviewer Specifies the reviewer. Click the Edit button to open the Set Reviewer window to change the assignment.

Stakeholders tab Displays the stakeholders assigned to the event.

Audit Log tab Displays the event history.

Comments tab Use to view and add comments to the event.

Actions → Add Comment Opens a text box for adding comments. Maximum
comment length is 500 characters.

Actions → Stakeholders Allows the administrator to add a stakeholder to the event. Stakeholders receive an email notification every time an incident is modified.

Save Saves your changes.

OK Returns to the Operational Event List page.

DLP Case Management


Case List page

Use this page to view and manage cases. You can filter the list for easier viewing.
Option definitions

Category Option Definition

Menu bar View Drop-down list to display the view. Use Edit to create a view. The view can alternately be applied and switched off during the current session. Use Save to use a view between sessions.

Show closed cases Includes closed cases displayed in the list.

Filter Drop-down list to select the display filter. Use Edit to create a filter. Use Save to use a filter between sessions.

Group by Drop-down list to organize data.

Case display area Case list Displays cases based on the current selections.

Note: To add or remove columns, click Edit next to the View drop-down list.

Select all in this page Selects all cases displayed on the page.

Select all in all pages Selects all cases displayed on all pages.

Go to page Specifies which page of the case list to display.

Arrow buttons Click to browse through pages.

Actions Delete Deletes the selected cases.

Export Selected Cases Opens an export target path set-up window to send selected events as a ZIP file.

New Creates an empty case with no incidents assigned.

Note: You can assign incidents from the Incident List page.

Stakeholders Allows the user to add a stakeholder to the selected cases.

Labels Opens dialog boxes to attach, detach, or delete labels.

New case page

Use this page to configure a new case.


Option definitions

Option Definition

Title Enter a unique name for the case definition. This field is required.

Owner Specifies the user or user group assigned to the case. Click the Edit button to open the Set Reviewer window to change the assignment.

Priority Specifies the severity. Select an option from the drop-down list.

Status Specifies the status. Select an option from the drop-down list.

Resolution Specifies the resolution. Select an option from the drop-down list.

Case Management page

Use this page to view and modify case details and to view incident details assigned to a case.

Option definitions

Category Option Definition

Case Details area Case ID Displays the case ID.

Title Displays the case name.

Owner Specifies the user or user group assigned to the case. Click the Edit button to open the Set Reviewer window to change the assignment.

Priority Specifies the severity.

Status Specifies the status.

Resolution Specifies the resolution.

Labels Displays labels attached to the case.

Save Saves your changes.

OK Returns to the Case List page.

Incidents tab Displays a list of incidents assigned to the case. The display area contains incident details and options.

• Incident ID — Click the number to view incident details.
• Move — Click to move the incident to another case.
• Remove — Click to remove the incident from the case.

Note: You can also use the Actions menu to move or remove incidents from cases.

Actions → Manage Labels Opens a dialog box to add or detach labels.

Actions → Remove Incidents Removes the selected incidents from the case.

Actions → Move Incidents Moves the selected incidents to a new or existing case.

Comments tab Use to view and add comments to the case.

• Comment text box — Enter your comment in the text field.
• Add Comment — Click to add the comment to the case.

Added comments are displayed below the comment field.

Actions → Manage Labels Opens a dialog box to add or detach labels.

Actions → Stakeholders Allows the administrator to add a stakeholder to the case. Stakeholders receive an email notification every time an incident is modified.

Attachments tab Displays files attached to the case. Click on the file name to open the file. Click Delete to delete the file.

Actions → Attach File Add an attachment to the case.

Actions → Delete Attachment Deletes selected attachments.

Actions → Manage Labels Opens a dialog box to add or detach labels.

Stakeholders tab Displays the stakeholders assigned to the case.

Actions → Manage Labels Opens a dialog box to add or detach labels.

Actions → Stakeholders Allows the administrator to add a stakeholder to the case. Stakeholders receive an email notification every time an incident is modified.

Audit Log tab Displays case history, such as when a user updates something in the case.

Actions → Manage Labels Opens a dialog box to add or detach labels.

Actions → Stakeholders Allows the administrator to add a stakeholder to the case. Stakeholders receive an email notification every time an incident is modified.

Move window

Use this window to move an incident from one case to another.


Option definitions

Option Definition

New case Select to move the incident to a new case.

Existing case Select to move the incident to an existing case.

OK Opens a window to select or create the case to move the incident to.

Cancel Discards your changes and closes the window.

Move to existing case window

Use this window to select the case to move an incident to.

Option definitions

Option Definition

Filter cases by Specifies a category and text string to filter by.

Go Applies the filter.

Case list Select a case to move the incident to.

OK Moves the case and closes the window.

Cancel Discards your changes and closes the window.

Contacts and Users page

Use this page to configure email notifications for case updates.


Option definitions

Option Definition

Users list Select the users to send notifications to.

Note: If no contacts are listed, you must specify an email server for McAfee ePO and add email addresses for users. Configure the email server from Menu → Configuration → Server Settings → Email Server. Configure users from Menu → User Management → Users.

OK Retains your changes and closes the window.

Cancel Discards your changes and closes the window.



8| Managing data

Managing data
DLP predefined dashboards
The following table describes the predefined McAfee DLP dashboards.

Predefined DLP dashboards

Category Option Description

DLP: Incident Summary
• Number of Incidents per day
• Number of Incidents per severity
• Number of Incidents per type
• Number of Incidents per rule set
These charts show total incidents, and give different breakdowns to help analyze specific problems.

DLP: Operations Summary (All products) Number of Operational events per day Displays all administrative events.

DLP: Operations Summary (These options are applicable to McAfee DLP Endpoint) Agent Version Displays the distribution of endpoints in the enterprise. Used to monitor agent deployment progress.

Distribution of DLP products on endpoint computers Displays a pie chart showing the number of Windows and Mac endpoints, as well as the number of endpoints where no client is installed.

DLP Discovery (Endpoint): Local File System Scan Status Displays a pie chart showing the number of local file system discovery scan properties and their states (completed, running, undefined).

DLP Discovery (Endpoint): Local Email Scan Status Displays a pie chart showing the number of local email discovery scan properties and their states (completed, running, undefined).

Agent Status Displays all agents and their status.

Agent Operation Mode Displays a pie chart of agents by DLP operation modes. Operation modes are:

• Device control only mode
• Device control and full content protection mode
• Device control and content aware removable storage protection mode
• Unknown

DLP Discovery (Endpoint): Local Email Storage Scan Status Displays a pie chart showing the number of local email storage scan discovery properties and their states (completed, running, undefined).

DLP: Policy Summary (All products) Policy distribution Displays the DLP policy distribution by version throughout the enterprise. Used to monitor progress when deploying a new policy.

Privileged Users Displays the system name/user name and the number of user session properties.

Policy revision distribution Similar to Policy distribution, but displays revisions – that is, updates to an existing version.

DLP: Policy Summary (These options are applicable to McAfee DLP Endpoint) Enforced Rule Sets per endpoint computers Displays a bar chart showing the rule set name and the number of policies enforced.

Bypassed Users Displays the system name/user name and the number of user session properties.

Undefined Device Classes (for Windows devices) Displays the undefined device classes for Windows devices.

DLP: Endpoint Discovery Summary (These options are applicable to McAfee DLP Endpoint) DLP Discovery (Endpoint): Local File System Scan Latest Status Displays a pie chart showing the run status of all local file system scans.

DLP Discovery (Endpoint): Local File System Scan Latest Sensitive Files Displays a bar chart showing the range of sensitive files found on systems files.

DLP Discovery (Endpoint): Local File System Scan Latest Errors Displays a bar chart showing the range of errors found in systems files.

DLP Discovery (Endpoint): Local File System Scan Latest Classifications Displays a bar chart showing the classifications applied to systems files.

DLP Discovery (Endpoint): Local Email Scan Latest Status Displays a pie chart showing the run status of all local email folders.

DLP Discovery (Endpoint): Local Email Scan Latest Sensitive Emails Displays a bar chart showing the range of sensitive emails found in local email folders.

DLP Discovery (Endpoint): Local Email Scan Latest Errors Displays a bar chart showing the range of errors found in local email folders.

DLP Discovery (Endpoint): Local Email Scan Latest Classifications Displays a bar chart showing the classifications applied to local emails.

DLP Discover analytics


Data Inventory page - Raw Data display

Use this page to review scan data.

To use the Data Inventory - Raw Data page, begin by selecting a Scan from the drop-down list. You can filter the display by
selecting limiting values for one or more parameters with the filter Edit control. You can reuse unsaved filters throughout the
work session, or Save the filter for future use as either a public or private filter.

Option definitions

Option Definition

Actions → Choose columns This standard McAfee ePO option allows you to
customize the display. The columns chosen affect all
three displays (Dashboard, Grid, Raw Data) for the
selected scan.

Scan Drop-down list of available scans.

Group by Drop-down list to organize data. The groups appear in the left pane, and selecting a group displays the file data for that group.


Filter Options

Option Definition

Filter Drop-down list of saved filters. If no filter has been defined, it displays no custom filter. If a filter has been defined but not saved, it displays unsaved.

Edit Opens the McAfee ePO Edit Filter Criteria page. Select from the available properties list, and click Update Filter.

Delete Deletes the currently displayed filter.

Save Saves an unsaved filter. If you have changed a filter definition, you can select Override existing filter to save the changes.

Data Inventory page - Grid display

Use this page to analyze and review scan data.

To use the Data Inventory - Grid page, begin by selecting a Scan Name from the drop-down list.

You can configure which parameters are displayed, and the order in which they are displayed, by selecting
Actions → Choose Columns in the Raw Data view.

Example: Setting the Analytic Type to Files and selecting the File Size category displays the number of files in each size category
— small, medium, large, and extra large. Click the number to move to the Raw Data display for a complete list of the files. Add a
second category, for example File Extension. Click Expand Table to view the breakdown by subcategories. Add a third category,
or change the second category for a different breakdown.

Option definitions

Option Definition

Scan Name Selects the scan to be displayed. You can review data
from only one scan at a time.

Analytic Type For inventory scans, Files is the only option. File Server, Box, and SharePoint classification and remediation scans have the option of either Files or Classifications. Database classification and remediation scans have the option of either Tables or Classifications. The analytic type determines the available categories.

Show Select the number of top entries to display: 5, 10, or 30.

Expand / Collapse Table Changes the display to view more or less data.

Select a category Selects the category for the data breakdown. For
example, File Size displays the number of files per
small (<100 KB), medium (100 KB–1 MB), large (1–5
MB), and extra large (>5 MB) categories.

Note: If the Analytic Type is set to Classifications and any files have more than one associated classification, the displayed file count might be larger than the total number of files.

Data Inventory page - Dashboard display

Use this page to analyze and review scan data.

To use the Data Inventory - Dashboard page, begin by selecting a Scan Name from the drop-down list to analyze a specific scan.
Select an Analytic Type. The analytic type determines the available categories.

You can configure which parameters are displayed, and the order in which they are displayed, by selecting
Actions → Choose Columns in the Raw Data view.

Option definitions

Option Definition

Scan Name Drop-down list to select the scan. The dashboard displays data for only one scan at a time.

Analytic Type For inventory scans, Files is the only option. File Server, Box, and SharePoint classification and remediation scans have the option of either Files or Classifications. Database classification and remediation scans have the option of either Tables or Classifications. The analytic type determines the available categories.

Filters You can select a filter for each category.



9| System health

System health
Appliance Management page
The following options are available from the Appliance Management → System Health pane.

Option definitions — Appliances pane

Option Definition

Tree view of appliances All appliances managed by the Appliance Management extension in McAfee ePO are shown in the tree view pane on the left of the screen. In this pane, your appliances are displayed in ways that suit your organization; organized by appliance type, by country, by office, or by business group. Use the McAfee ePO System Tree to create the structure for organizing your appliances.
The color indicates the status of each appliance (or, when nested, of groups of appliances):
— Appliance (or cluster of appliances) is functioning correctly.
— Appliance (or an appliance in the selected cluster) needs attention.
— Appliance (or an appliance in the selected cluster) needs urgent attention.
— Appliance (or an appliance in the selected cluster) is unreachable.

Appliance states Included in each System Health card is information relating to the status of the appliances or cluster members. The possible states for an appliance or cluster member are:

• Active — The selected node is working as expected and is green.
• Shut down — The node has been intentionally shut down and is blurred.

The center area of the user interface contains the system health cards.


Each managed appliance has its own system health card, providing statistics and information about resources and load. Each
health card includes some standard information, and some information specific to the type of appliance being reported.

Note

If you select a group of appliances in the tree view, each appliance in that group has a health card displayed in the System
Health pane. If you select one appliance in the tree view, only the health card for that appliance is displayed.

Option definitions — Alerts pane


The information provided in the Alerts pane is dynamic — you are only shown information about any currently active alerts.
These alerts might be from the selected appliance or from the group of appliances selected in the Appliance tree.

Option definitions — Details pane


The information provided in the Details pane is dynamic — you are only shown information about the currently selected alert in
the Alerts pane.

Option definitions — General settings


The General settings available from Common Appliance Management 1.0.0 include commonly used settings.

Option definitions

Date and Time
Options for setting the date and time for your appliances:
• Time zone — The default time zone is UTC.
• Enable NTP — Enables your appliances to synchronize time with the NTP servers you define. Use the add and delete icons to add or remove NTP servers from the list. Use the move up and move down icons to arrange the servers in your preferred order.
Note: If you Enable NTP, you cannot save the General policy until you have configured at least one NTP server.
Define each NTP server by entering the IP address or domain name for the server.

DNS
Define the DNS servers to be used by your appliances.
Note: Until you apply DNS server information to your appliances or clusters, those appliances use the default DNS information provided by DHCP on your network.
Use the add and delete icons to add or remove DNS Servers from the list. Use the move up and move down icons to arrange the servers in your preferred order.
Define the IP address for each DNS server.
Note: You cannot save the General policy until you have configured at least one DNS server.

Static Routing
Manually define the routing options available to your appliances. Use the add and delete icons to add or remove information from the list. Use the move up and move down icons to arrange the routing information in your preferred order.
Define the Subnet and Gateway addresses for each route.

SSH
Define the Secure Shell (SSH) access settings for your appliances.
Select your required option from the drop-down list:
• Don't allow remote login.
• Allow remote login for all hosts.
• Allow remote login for these hosts only.
Selecting Allow remote login for these hosts only enables the Hosts table, allowing you to define the hosts that accept remote login using SSH.
Use the add and delete icons to add or remove host information from the list. Use the move up and move down icons to arrange the host systems in your preferred order.
The SSH host information can be host names with wildcards (for example, *.domain.name), or IP addresses with subnet masks.
Note: If you select Allow remote login for these hosts only, you cannot save the General policy until you have configured at least one SSH host.

Logging
By default, your appliances each store their own log information locally. To configure the appliances to remotely store their syslog information, select Store log data remotely and define the syslog servers to use.
Use the add and delete icons to add or remove syslog servers from the list. Use the move up and move down icons to arrange the servers in your preferred order.
Define each syslog server by specifying the Protocol (either TCP or UDP), the domain name or IP address for the Syslog Server, and the Port to use.
The default value for the Protocol is TCP, with the default Port being 514.
Note: If you select Store log data remotely, you cannot save the General policy until you have configured at least one syslog server.

Note

To edit an entry in any of the tables on this page, first select the entry, then click the edit pencil icon.

Option definitions — SNMP settings


The SNMP settings available from Common Appliance Management → General → <policy name> include the configuration details for SNMP alerts and SNMP monitor settings.

Option definitions - SNMP Alert settings

Enable SNMP alerts
Enabling SNMP alerts allows your appliances to issue SNMP alerts that are sent to your specified SNMP trap destination.

Trap destination
Enter the host name or IP address for the SNMP trap manager to which your alerts are sent.
McAfee DLP Prevent and McAfee DLP Monitor do not support IPv6.

Community name
Enter the community name that your appliances and SNMP managers use to identify the SNMP group.

Protocol version
Select the protocol version used by your SNMP manager.

Use the add and delete icons to add or remove SNMP trap destinations from the list. Use the up and down
icons to arrange the destinations in your preferred order.

Option definitions - SNMP Monitor settings

Enable SNMP monitor
Enabling SNMP Monitor allows other devices to query your appliances or cluster of appliances for various system parameters.

Protocol version
Depending on the selected protocol version, the subsequent fields change as shown:
Fields displayed for Protocol versions v1 and v2c:
• Community name — Enter the community name that your appliances and SNMP managers use to identify the SNMP group.
Fields displayed for Protocol version v3:
• User name for authentication — Enter the user name used for authentication against the SNMP manager.
• Authentication protocol — Select either MD5 or SHA authentication protocols.
• Privacy protocol — Select either DES or AES privacy protocols.
• Authentication passphrase — Enter a passphrase for authentication against the SNMP monitor server.
• Privacy passphrase — Enter a passphrase for privacy against the SNMP monitor server.

Allow SNMP monitor for all hosts
Select either Allow SNMP monitor for all hosts, or Allow SNMP monitor for these hosts only.

Hosts
If you select Allow SNMP monitor for these hosts only, ensure that you specify at least one remote SNMP host in the Hosts table.

Option definitions — System Health


Only basic information is shown until you install a McAfee ePO extension for your McAfee product. This state exists only until the
required software has been correctly installed on your McAfee ePO server.

Option definitions

<Appliance name>
Shows the name of the appliance or cluster that is selected in the tree view of appliances.

Alerts
If any alerts have been issued, the Alerts summary icon changes to reflect the severity of the most serious alert.
You can't see details of the alert until you install the required McAfee ePO extension for your product.

McAfee DLP appliances system health cards


The system health information helps you manage all virtual and physical McAfee appliances on your network. Apart from the
Evidence Queue counter, the counters are not cumulative.

McAfee DLP Prevent health cards


The system health cards show the following information for each McAfee DLP Prevent appliance and cluster of appliances.

Note

In a cluster environment, the tree view displays a cluster master and two or more cluster scanners.

The primary statistics are displayed beneath the appliance name. These statistics are the two items of information that are
considered the most important for the appliance type.

To the right of the primary statistics are the other health statistics (area 4) for the appliance. These statistics vary, depending on
the type of appliance to which they relate.

System Health
• Evidence Queue — The number of files waiting to be copied to evidence storage. The queue size is real time.
• Emails — The number of messages that were delivered, were permanently or temporarily rejected, or could not be analyzed. The counters show data from the previous 60 seconds.
• Web Requests — The number of received web requests, and the number of web requests that could not be analyzed. The counters show data from the previous 60 seconds.
• CPU usage — The total CPU usage.
• Memory — The memory swap rate.
• Disk — The percentage of disk usage.
• Network — The network interfaces on the appliance, showing information about received and transmitted data. The counters show data from the previous 60 seconds.
• Capture — (Optional) The following statistics are shown when the DLP Capture feature is enabled on the appliance.
  - Estimated capacity (days) — The estimated number of days remaining before the capture storage reaches its capacity.
  - Oldest item (days) — The age of the oldest captured item.
  - Searches running — The number of searches currently in progress.
• OCR Scan — These statistics are shown when the OCR feature is used on the appliance.
  - Total — Total number of images that are scanned completely.
  - Queue Size — The number of images to be scanned that are held in a queue.

Alerts
Displays errors or warnings that relate to:
• System health statuses
• Evidence queue size
• Policy enforcement
• Communication between McAfee ePO and the appliance
More information about an alert is available on the Details pane.

McAfee DLP Monitor health cards


The system health cards show information for each McAfee DLP Monitor appliance and cluster of appliances.

Note

In a cluster environment, the tree view displays a cluster packet acquisition device, a cluster master, and two or more cluster
scanners.

The primary statistics are displayed beneath the appliance name. These statistics are the two items of information that are
considered the most important for the appliance type.

To the right of the primary statistics are the other health statistics (area 4) for the appliance. These statistics vary, depending on
the type of appliance to which they relate.

System Health
• CPU usage — The total CPU usage.
• Memory — The memory swap rate, and memory usage and swap usage details.
• Disk — The percentage of disk usage.
• Network — The network interfaces on the appliance, showing information about received and transmitted data. The following capture port 1 details are displayed for a standalone appliance and cluster packet acquisition device:
  - Packets per second — The number of packets processed by the McAfee DLP Monitor packet acquisition device every second.
  - Packet drops — The number of packets dropped at the network interface. Details about dropped packets can be obtained from your virtual application.
• Evidence Queue — The number of evidence files waiting to be copied to evidence storage. The queue size is real-time. This statistic does not apply to a packet acquisition device.
• Monitor — Monitors the following information (these statistics apply to a standalone appliance and cluster packet acquisition device):
  - Active flows — The current number of conversations on your network tracked by the McAfee DLP Monitor packet acquisition device.
  - Flows filtered — The current number of conversations that are not scanned according to filter rules.
  - Payloads scanned — Displays the number of payloads analyzed by the McAfee DLP Monitor packet acquisition device, which had classifications applied, and matched against the appropriate rules. A payload is a single transaction on the network, such as a download from a website.
  - Payload scan failure — Displays the number of payloads that can't be analyzed if, for example, an email message is corrupt or the time to analyze the payload exceeds the analysis settings configured in Policy Catalog → DLP Appliance Management → General → Analysis Settings.
  - Payloads oversize — Displays the number of payloads that exceed the limit configured in Policy Catalog → DLP Appliance Management → General → Analysis Settings. McAfee DLP Monitor analyzes data up to the configured limit, even if the data is incomplete or has been truncated. McAfee DLP Monitor cannot analyze partially extracted zip files.
• Capture — (Optional) The following statistics are shown when the DLP Capture feature is enabled on the appliance.
  - Estimated capacity (days) — The estimated number of days remaining before the capture storage reaches its capacity.
  - Oldest item (days) — The age of the oldest captured item.
  - Searches running — The number of searches currently in progress.
• OCR Scan — These statistics are shown when the OCR feature is used on the appliance.
  - Total — Total number of images that are scanned completely.
  - Queue Size — The number of images to be scanned that are held in a queue.

Alerts
Displays errors or warnings that relate to:
• System health statuses
• Evidence queue size
• Payload scan failures
• Policy enforcement
• Communication between McAfee ePO and the appliance
More information about an alert is available on the Details pane.

10| Error messages

Error messages
If the appliance is not configured correctly, it tries to identify the problem and sends a temporary or permanent failure message.

The text in parentheses in the error message provides additional information about the problem.

Some error messages relay the response from the Smart Host so the McAfee DLP Prevent response contains the IP address,
which is indicated by x.x.x.x.

For example, 442 192.168.0.1: Connection refused indicates that the Smart Host with the address 192.168.0.1 did not accept the SMTP connection.
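The reply shapes described above (a parenthesised diagnosis from the appliance, or a relayed Smart Host reply that starts with an IP address) can be separated mechanically when triaging MTA logs. The following Python code is an added example, not part of the McAfee documentation; the function names and the sample replies (including the address 192.168.0.7) are constructed, and it assumes 4xx codes are temporary and 5xx codes permanent, as in the tables on this page.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Reply shapes documented on this page:
#   451 (No DNS servers have been configured)   appliance diagnosis in parentheses
#   442 192.168.0.1: Connection refused         relayed Smart Host reply, IP first
#   550 Host / domain is not permitted          plain text
REPLY_RE = re.compile(
    r"^(?P<code>[45]\d\d)[ -]+"
    r"(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*:\s*)?"
    r"(?P<text>.+)$"
)


def parse_reply(line):
    """Split one SMTP failure reply into code, class, Smart Host IP and text."""
    m = REPLY_RE.match(line.strip())
    if m is None:
        return None  # not a 4xx/5xx reply
    ip, text = m["ip"], m["text"].strip()
    if ip is not None:
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            # Looked like an address but is not one: keep it as message text.
            text, ip = f"{ip}: {text}", None
    detail = text[1:-1] if text.startswith("(") and text.endswith(")") else None
    return {
        "code": int(m["code"]),
        "kind": "temporary" if m["code"][0] == "4" else "permanent",
        "smart_host": ip,      # set only when the reply was relayed
        "detail": detail,      # set only for a parenthesised diagnosis
        "text": detail or text,
    }


def triage(replies):
    """Count causes per failure class and failure codes per Smart Host."""
    causes = {"temporary": Counter(), "permanent": Counter()}
    by_host = defaultdict(Counter)
    for line in replies:
        parsed = parse_reply(line)
        if parsed is None:
            continue
        causes[parsed["kind"]][parsed["text"]] += 1
        if parsed["smart_host"]:
            by_host[parsed["smart_host"]][parsed["code"]] += 1
    return causes, dict(by_host)


# Constructed sample replies that reuse message texts from this page.
SAMPLE = [
    "451 (No DNS servers have been configured)",
    "442 192.168.0.1 : Connection refused",
    "442 192.168.0.1: Connection refused",
    "550 192.168.0.7: Denied by policy. TLS conversation required",
    "530 Authentication required",
    "250 OK",
]

if __name__ == "__main__":
    causes, hosts = triage(SAMPLE)
    for kind, counter in causes.items():
        for text, count in counter.most_common():
            print(f"{kind:9} x{count}  {text}")
    for host, codes in hosts.items():
        print(f"Smart Host {host}: {dict(codes)}")
```

Replies with a `smart_host` value point at the downstream Smart Host; replies with a `detail` value point at the appliance's own configuration in McAfee ePO.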

Temporary failure messages

451 (The system has not been registered with an ePO server)
Cause: The initial setup was not completed.
Recommended action: Register the appliance with a McAfee ePO server using the Graphical Configuration Wizard option in the appliance console.

451 (No DNS servers have been configured)
Cause: The configuration applied from McAfee ePO did not specify any DNS servers.
Recommended action: Configure at least one DNS server in the General category of the Common Appliance policy.

451 (No Smart Host has been configured)
Cause: The configuration applied from McAfee ePO did not specify a Smart Host.
Recommended action: Configure a Smart Host in the McAfee DLP Prevent Email Settings policy category.

451 (Policy OPG file not found in configured location)
Cause: The policy configuration applied from McAfee ePO was incomplete.
Recommended action:
• Confirm that the Data Loss Prevention extension is installed.
• Configure a Data Loss Prevention policy.
• Contact technical support. The configuration OPG file must be applied with the policy OPG file.

451 (Configuration OPG file not found in configured location)
Cause: The configuration applied from McAfee ePO was incomplete.
Recommended action:
• Ensure that the Data Loss Prevention extension is installed.
• Configure a Data Loss Prevention policy.
• Contact Technical Support. The configuration OPG file must be applied with the policy OPG file.

451 (LDAP server configuration missing)
Cause: This error occurs when both these conditions are met:
• McAfee DLP Prevent contains a rule that specifies a sender as a member of an LDAP user group.
• McAfee DLP Prevent is not configured to receive group information from the LDAP server that contains that user group.
Recommended action: Check that the LDAP server is selected in the Users and Groups policy category.

451 (Error resolving sender based policy)
Cause: A policy contains LDAP sender conditions, but can't get the information from the LDAP server because:
• McAfee DLP Prevent and the LDAP server have not synchronized.
• The LDAP server is not responding.
Recommended action: Check that the LDAP server is available.

451 (FIPS test failed)
Cause: The cryptographic self-tests required for FIPS compliance failed.
Recommended action: Contact technical support.

451 (Unable to verify data against the registered document server)
Cause: The registered documents server is unavailable.
Recommended action: Check your configuration to confirm that the server is available, and the details you entered are correct.

442 x.x.x.x: Connection refused
Cause: McAfee DLP Prevent could not connect to the Smart Host to send the message, or the connection to Smart Host was dropped during a conversation.
Recommended action: Check that the Smart Host can receive email.

Temporary failure messages

451 (The system has not been registered with an ePO server)
Cause: The initial setup was not completed.
Recommended action: Register the appliance with a McAfee ePO server using the Graphical Configuration Wizard option in the appliance console.

451 (No DNS servers have been configured)
Cause: The configuration applied from McAfee ePO did not specify any DNS servers.
Recommended action: Configure at least one DNS server in the General category of the Common Appliance policy.

451 (Policy OPG file not found in configured location)
Cause: The policy configuration applied from McAfee ePO was incomplete.
Recommended action:
• Ensure that the Data Loss Prevention extension is installed.
• Configure a Data Loss Prevention policy.
• Contact technical support. The configuration OPG file must be applied with the policy OPG file.

451 (Configuration OPG file not found in configured location)
Cause: The configuration applied from McAfee ePO was incomplete.
Recommended action:
• Ensure that the Data Loss Prevention extension is installed.
• Configure a Data Loss Prevention policy.
• Contact technical support. The configuration OPG file must be applied with the policy OPG file.

451 (FIPS test failed)
Cause: The cryptographic self-tests required for FIPS compliance failed.
Recommended action: Contact technical support.

451 (Unable to verify data against the registered document server)
Cause: The registered documents server is unavailable.
Recommended action: Check your configuration to confirm that the server is available, and the details you entered are correct.

Permanent failure messages

530 Authentication required
Cause: MTA doesn't send AUTH credentials.
Action: Configure MTA to send AUTH LOGIN credentials.

530 Authentication required - AUTH conversation is required for onward delivery
Cause: The Smart Host doesn't present AUTH as part of its response to the McAfee DLP Prevent appliance's EHLO request.
Action: Configure the Smart Host to send AUTH LOGIN credentials.

504 Error: Supported authentication mechanism unavailable for onward delivery
Cause: The Smart Host doesn't support the LOGIN mechanism for authentication.
Action: The Smart Host must support the LOGIN mechanism for authentication.

550 Host / domain is not permitted
Cause: McAfee DLP Prevent refused the connection from the source MTA.
Action: Check that the MTA is in the list of permitted hosts in the McAfee DLP Prevent Email Settings policy category.

550 x.x.x.x: Denied by policy. TLS conversation required
Cause: The Smart Host did not accept a STARTTLS command but McAfee DLP Prevent is configured to always send email over a TLS connection.
Action: Check the TLS configuration on the host.

ICAP error messages

500 (Unable to verify data against the registered document server)
Cause: The registered documents server is unavailable.
Action: Check your configuration to confirm that the server is available, and the details you entered are correct.

500 (LDAP server configuration missing)
Cause: This error occurs when both these conditions are met:
• McAfee DLP Prevent contains a rule that specifies an end-user as a member of an LDAP user group.
• McAfee DLP Prevent is not configured to receive group information from the LDAP server that contains that user group.
Action: Check that the LDAP server is selected in the Users and Groups policy category.

500 (Error resolving end-user based policy)
Cause: A policy contains LDAP sender conditions, but can't get the information from the LDAP server because:
• McAfee DLP Prevent and the LDAP server have not synchronized.
• The LDAP server is not responding.
Action: Check that the LDAP server is available.

COPYRIGHT
Copyright © 2022 Musarubra US LLC.

Trellix, FireEye and Skyhigh Security are the trademarks or registered trademarks of Musarubra US LLC, FireEye Security Holdings US LLC and
their affiliates in the US and /or other countries. McAfee is the trademark or registered trademark of McAfee LLC or its subsidiaries in the US
and /or other countries. Other names and brands are the property of these companies or may be claimed as the property of others.
