I used the following workflow:
1) Create a classification rule for credit cards
2) Activate the following modules:
3) Change the Discovery Settings in the global properties as follows:
(last line must be marked for testing.) Every time a new agent configuration is pushed, discovery scan will run. You may disable this in a productive environment.
4) Create a new discovery rule. Use the classification category defined in 1) (--> step 3 while editing the rule)
5) Choose the reactions in step 5: for example tagging / monitor
6) Enroll the agent configuration
7) Make sure the DLP agent receives the new config
8) File should be tagged now
Thank you, Dennis.
That is the method I used as well. I've also confirmed that our 'test files' will trigger other rules on other test machines (such as notification, send to evidence, etc.)
But following the intended discovery, we not only have no 'tagged' files (verified by using the 'Manual Tagging' feature on endpoints) but we see no evidence of any process 'crawling' the systems (Process Monitor/Explorer from Sysinternals used to verify).
As a last-ditch effort, I uninstalled the agent from one of the test endpoints, wiped, fresh install, re-deployed with 'run immediately' option still set, and nothing occurred.
Dennis, thank you for your quick response.
Yes, we've verified that they work.
User popup, Justification, USB, Email, Web, File System, Printing, Clipboard, etc. They all result in auto-tagging, notification, send to evidence, etc.
Within EPO 4.6, when we go to System Tree and view product details for DLP, it shows the 'next discovery 2/2/2013 at 11pm'. This is incorrect, and has never changed regardless of the policies and schedules we attempt to apply.
I've also verified using the DLP Agent Diagnostic Tool that the policies and 'discovery rules' are applied to the endpoints, but the tool does not appear to provide schedule information.
CPU/Memory options are set liberally, only to pause if it hits 95% and no other programs are running on these test machines.
This has been resolved.
We had to access the policy for DLP from the EPO policies (such as from Policy Catalog or System Tree) for the DLP agent configuration.
For whatever reason, this agent configuration overwrites the agent configuration specified in the DLP interface.
If anyone knows how to sync these, that would be appreciated.