Our current Email DLP solution has a way for us to mark an email item as a false postive, then it 'releases' it and lets the email continue on. I am looking for a way to do that with McAfee DLP. We have users that are allowed to write non-PII to a USB drive. Sometimes a log , or something similar,is copied out to a USB drive and that log may contain a string that resembles PII (SSN, CC, SIN) and McAfee DLP blocks the user from copying it to the USB drive. The user receives a pop-up notice telling them why they have been blocked and giving them a department to contact for more info. So the user contacts that department (who we have set up to review Incidents) and complains that they were not writing PII to the drive. The reviewer has a look and determines that the event was a false positive. I would like for the reviewer to be able to 'release' the document so that the user can copy it to their USB drive. Is this possible? I realize there is an option somewhere to do a DLP bypass, but doing this would then allow the user to write actual PII to the drive if they were so inclined.
If this use case isn't feasible, is there another solution that someone out there is using for a similar situation?
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.
Community Help Hub
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.