Defining a Data Discovery Task

  1. Navigate to Data Protection > Data Discovery.
    The Data Discovery screen appears.
  2. On the Data Discovery toolbar, click Add.
    The Add Discovery Task Target screen appears.
  3. Select the targets to scan and click Add >>.
    Note
    You can only add endpoint agents as targets for a Data Discovery scan. DLP Network Monitor does not support Data Discovery scans.
  4. Click Next.
    The Add Discovery Task Condition screen appears.
  5. Select templates with which to filter the target locations. Include:
    • Root path to the target location. The root folder cannot be a Windows Share folder or removable device, such as a USB device or DVD.
    • Priority of the scan. “High” moves this scan to the front of the queue.
  6. Type the Scan Exceptions:
    Note
    Click the information icon next to the Scan Exceptions fields to display examples.
    • Include: Includes specific file types for the scan. Identify file types by *.<file type>, such as *.exe. Separate multiple file types with a “|”.
    • Exclude: Excludes specific files, file types, or folders during the scan. Identify file types by “*.<file type>”, such as *.exe. Separate multiple file types with “|”.
      To exclude a specific file or folder, specify its absolute path, for example c:\test\ or c:\test\example.doc.
      Note
      DLP supports the wildcard characters * and ?. * matches any run of characters (including none); ? matches exactly one character, or one double-byte character. For example, c:\test* matches any file whose absolute path begins with c:\test, such as c:\test\test.doc or c:\testXX\test.doc.
      *\test\* matches all files whose path contains \test\. c:\test?test\*.* matches all files whose path contains c:\test?test\, such as c:\testXtest\1.doc.
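      The following is an added example, not part of this documentation and not Trend Micro's own code: it models how the Include and Exclude fields above could be evaluated against a file path, so that an administrator can check an exception list before saving a task. It assumes the semantics the note describes (* matches any run of characters, ? matches one character, patterns are compared against the full absolute path), and additionally assumes that Windows paths compare case-insensitively, that an Exclude match overrides Include, and that an empty Include field means all file types are in scope. The sample lists are constructed.

```python
import re

# Constructed sample Scan Exceptions fields in the "|"-separated form the
# Include and Exclude fields use (example values, not from any real task).
INCLUDE = r"*.doc|*.xls"
EXCLUDE = r"c:\test*|*\backup\*|c:\data?old\*.*|c:\logs\keep.doc"


def parse_list(field: str) -> list:
    """Split a Scan Exceptions field on '|' and drop empty entries."""
    return [p.strip() for p in field.split("|") if p.strip()]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a DLP-style wildcard pattern into an anchored regex.

    '*' stands for any run of characters (including none) and '?' for
    exactly one character; everything else is matched literally, so
    c:\\test* becomes ^c:\\\\test.*$ and matches any path under c:\\test.
    Assumption: Windows paths compare case-insensitively.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches_any(path: str, patterns: list) -> bool:
    """True if the absolute path matches at least one wildcard pattern."""
    return any(wildcard_to_regex(p).match(path) is not None for p in patterns)


def in_scope(path: str, include: str, exclude: str) -> bool:
    """Decide whether a file at 'path' would be scanned.

    Assumption (not stated on the page): an Exclude match wins over
    Include, and an empty Include field means every file type is included.
    """
    inc = parse_list(include)
    exc = parse_list(exclude)
    if exc and matches_any(path, exc):
        return False
    if inc and not matches_any(path, inc):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample paths exercising each pattern form from the note.
    for p in [r"c:\users\a\report.doc",      # included, no exclusion
              r"c:\users\a\tool.exe",        # not an included file type
              r"c:\testXX\test.doc",         # excluded by c:\test*
              r"c:\users\a\backup\old.xls",  # excluded by *\backup\*
              r"c:\dataXold\1.doc",          # excluded by c:\data?old\*.*
              r"C:\LOGS\keep.doc"]:          # excluded, case-insensitive
        print(f"{p}: {'scan' if in_scope(p, INCLUDE, EXCLUDE) else 'skip'}")
```

Running the block prints one scan/skip line per sample path; the same function can be fed the exact Include and Exclude strings typed into the task to confirm that a pattern such as c:\test* does not silently cover more of the drive than intended.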
  7. Click Next.
    The Add Discovery Task Action screen appears.
  8. Select the system action to trigger in the event that DLP discovers sensitive information:
    • Log: Combine “Log” with any one of the remaining actions. However, you cannot combine “Log” with more than one other action.
    • Move to security folder: Type the security folder to which to move detected files upon discovery. The security folder cannot be a Windows Share folder or removable device, such as a USB device or DVD.
      Note
      DLP does not scan the security folder. Consequently, once DLP moves files to the security folder (including sub-folders), DLP does not scan or move those files again.
    • Encrypt: DLP automatically encrypts the detected files with sensitive data (using a pre-defined password) and stores the encrypted file on the DLP agent side.
      For example, if the action is Encrypt and the file c:\test.doc is detected, the DLP agent encrypts it as c:\test.doc.exe. When a user double-clicks c:\test.doc.exe, the alert screen appears and asks for the password to decrypt the file.
      The default password for encrypted files is 12345678. It is recommended that you change this password at Administration > Agent Configuration > Agent Settings.
      Note
      Trend Micro highly recommends that you not use Move or Encrypt actions for whole drive scans. Only use Move or Encrypt when scanning specific folders. With Move and Encrypt actions, the original detected files no longer exist. If the detected files are important system files or configuration files for applications, Move or Encrypt could make the system or certain applications unstable.
  9. Click Finish.
    DLP adds the Data Discovery task to the tasks on the Data Discovery page.
  10. To run the data discovery task immediately, select the task and click Run. You can also select the task and click Schedule Scan to schedule the scan for later.
    Note
    When an Endpoint agent receives multiple data discovery tasks, the agent performs the tasks one-by-one, in order. If you pause a data discovery task on the endpoint agent, the agent cannot execute any other data discovery task until the paused task resumes and completes.