McAfee Data Loss Prevention 9.2.2 Product Guide
2 Using McAfee DLP Monitor

Rules used by the capture engine

• Number of results supported
• Time-stamping files
• Archive handling
• Case insensitivity
• Microsoft Office 2007 anomalies
• Parts of speech excluded from capture
• Short word handling
• Special character exceptions
• Word stemming

Distributed searching

Searches that are distributed to more than one McAfee DLP appliance are handled through McAfee DLP Manager.

Although distributed searches default to All Devices, the Devices button on the Advanced Search page supports searches on specific McAfee DLP devices.

Large-scale searches

Searches that take over 60 seconds to process run in background mode. When the search is complete, the user who is logged on is notified by email.

Although distributed searches default to All Devices, the Devices button on the Advanced Search page supports searches on specific McAfee DLP devices.

Number of results supported

The search engine imposes limitations on the number of search results supported by McAfee DLP.

The search engine is designed to retrieve no more than 100,000 results at a time. If this limit is exceeded, match strings will not be retrieved, and hits on substrings might return overly broad results.

The dashboard incident list is limited to 5,000 results, but up to 150,000 incidents can be exported via CSV. Export from dashboard is limited to 5K. If your search results exceed this number, narrow your query and repeat the search.

Archive handling

When archived files are captured, they are opened and their contents are analyzed by the indexer.

The search engine finds, extracts, and evaluates content in .zip, .gzip, and .tar archives, but only if the compressed file type is identified in the query.

The following compressed file types are supported:

• GZIP
• ZIP
• TAR
• StuffIt
• BinHex
• Compress
• MS Cabinet
• EncryptedZip
• RAR
• TNEF
Case insensitivity

Case sensitivity is ignored by the search engine.

For example, if a query is defined in ALL CAPS, the indexer retrieves and reports the matching content whether it is in uppercase or lowercase.

Microsoft Office 2007 anomalies

The indexer ignores certain Microsoft Office attributes because of the way those applications handle fonts, colors, macros, and page definition.

• If two dictionary words are merged together, the merged word will not be found. For example, American and Recovery are two dictionary words. If they are merged into the word AmericanRecovery, they will not be found.
• If a word in a Microsoft Office document has different fonts and colors, the word will not be read as a whole and will not be found. For example, if all the letters in the word Recovery are of different fonts and colors, it will not be found.
• If a word continues across two different pages, it will not be found. For example, if the word Recovery is spread across two pages (one page contains Rec and the second page contains overy), it will not be found.
• Words in documents that use special Microsoft Office font features like WordArt, SmartArt, and watermarks will not be found.
• Words present in macros in Microsoft Office documents, and headers and footers in PowerPoint and Excel, will not be found.

Negative searches

The database cannot recognize queries that consist entirely of negative terms because a query containing only words that are not to be found is instructing the search engine not to search.

For this reason, some scope of data within which the term will not be found must be defined.

Proper name treatment

The indexer treats proper names like keywords, so it is not necessary to capitalize them.

Parts of speech excluded from capture

The capture engine excludes common parts of speech to prevent insignificant results from being stored and retrieved.

For example, the following parts of speech are ignored by the indexer:

• a
• and
• this
• therefore
• else
• while
• with

Users can deploy the Stop-Word concept to define words the capture engine should ignore.
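The Microsoft Office 2007 anomalies above include words whose letters carry different fonts or colors, which the indexer does not read as a whole. The following added example (not from the product guide or from McAfee) flags such words in a .docx file so they can be reviewed separately; it assumes the standard Office Open XML layout with body text in word/document.xml, and the function names and sample document are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

def run_format(run):
    """Hashable summary of a run's direct formatting (font, colour, bold, ...)."""
    rpr = run.find(W + "rPr")
    if rpr is None:
        return ()
    return tuple((c.tag, tuple(sorted(c.attrib.items()))) for c in rpr)

def split_words(docx_bytes):
    """Return words whose letters span runs with differing formatting."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    found = []
    for para in root.iter(W + "p"):
        text, fmt = "", []  # paragraph text and one format key per character
        for run in para.iter(W + "r"):
            key = run_format(run)
            for t in run.iter(W + "t"):
                text += t.text or ""
                fmt += [key] * len(t.text or "")
        for m in re.finditer(r"\w+", text):
            if len(set(fmt[m.start():m.end()])) > 1:
                found.append(m.group())
    return found

def make_sample():
    """Constructed sample: 'Recovery' in two colours, 'Report' in two bold runs."""
    body = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/'
        'wordprocessingml/2006/main"><w:body>'
        '<w:p><w:r><w:t xml:space="preserve">American </w:t></w:r>'
        '<w:r><w:rPr><w:color w:val="FF0000"/></w:rPr><w:t>Rec</w:t></w:r>'
        '<w:r><w:rPr><w:color w:val="0000FF"/></w:rPr><w:t>overy</w:t></w:r></w:p>'
        '<w:p><w:r><w:rPr><w:b/></w:rPr><w:t>Re</w:t></w:r>'
        '<w:r><w:rPr><w:b/></w:rPr><w:t>port</w:t></w:r></w:p>'
        '</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", body)
    return buf.getvalue()

if __name__ == "__main__":
    print(split_words(make_sample()))
```

Only formatting set directly on a run is compared; formatting inherited from character styles is not resolved.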