McAfee Data Loss Prevention 9.2.2 Product Guide

2Using McAfee DLP MonitorRules used by the capture engine• Number of results supported • Parts of speech excluded from capture• Time‐stamping files • Short word handling• Archive handling • Special character exceptions• Case insensitivity • Word stemming• Microsoft Office 2007 anomaliesDistributed searchingSearches that are distributed to more than one McAfee DLP appliance are handled through McAfee DLPManager.Although distributed searches default to All Devices, the Devices button on the Advanced Search pagesupports searches on specific McAfee DLP devices.Large-scale searchesSearches that take over 60 seconds to process run in background mode. When the search is complete,the user who is logged on is notified by email.Although distributed searches default to All Devices, the Devices button on the Advanced Search page supportssearches on specific McAfee DLP devices.Number of results supportedThe search engine imposes limitations on the number of search results supported by McAfee DLP.The search engine is designed to retrieve no more than 100,000 results at a time. If this limit isexceeded, match strings will not be retrieved, and hits on substrings might return overly broadresults.The dashboard incident list is limited to 5,000 results, but up to 150,000 incidents can be exported viaCSV. Export from dashboard is limited to 5K. If your search results exceed this number, narrow yourquery and repeat the search.Archive handlingWhen archived files are captured, they are opened and their contents are analyzed by the indexer.The search engine finds, extracts, and evaluates content in .zip, .gzip, and .tar archives, but only ifthe compressed file type is identified in the query.The following compressed file types are supported:• GZIP • Compress• ZIP • MS Cabinet• TAR • EncryptedZip• StuffIt • RAR• BinHex • TNEF38 McAfee Data Loss Prevention 9.2.2 Product Guide