Understanding Endpoint Database Fingerprinting (FPNE) Detection
- Article Number: 000017486
- Products: Forcepoint DLP, Forcepoint DLP Endpoint, Forcepoint One Endpoint
- Version: 8.7, 8.6, 8.5, 8.4, 20, 19, 18
- Last Published Date: June 17, 2020
Why can there be discrepancies between the trigger counts reported by DLP Endpoints and by secondary DLP components (Protector, Email Security Gateway, Web Content Gateway) when rules use Database Fingerprinting classifiers?
Every Forcepoint DLP component has its own Fingerprinting Database, composed of structured and unstructured fingerprints. DLP servers and appliances, such as the Protector, ESG, and WCG, hold an exact copy of the structured Fingerprinting DB that is synced from the Management Server's repository. Depending on how much data is being fingerprinted, these copies can grow to several gigabytes and beyond.
The DLP Endpoint is handled differently, to limit the footprint on the client machines it is installed on. Instead of a full copy, it uses a compact version of the structured Fingerprinting DB called FPNE (Fast Proof of Non-Existence). This design prioritizes preventing data loss over precise reporting of trigger counts, while also reducing false negatives. In some cases this leads to discrepancies between the trigger counts reported by the secondary components and by the Endpoint for the same data. The Endpoint is still very effective at preventing data loss, but because of the optimized structure of its Fingerprinting DB it may identify fewer matches than the appliances do. False positives are also more likely on the Endpoint.
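The trade-off described above can be made concrete with a small model. The following Python is an added illustration, not Forcepoint code, and it does not claim to reproduce FPNE's actual internals, which this article does not describe. It uses a Bloom-filter-style bit array as a stand-in for a compact "proof of non-existence" index and a plain set as a stand-in for the appliance's exact copy, then scans the same constructed cells with both. The class and function names (NonExistenceFilter, build_indexes, scan, demo) and the sample records are assumptions made for the example.

```python
import hashlib


class NonExistenceFilter:
    """Bloom-filter-style bit array: a compact stand-in for a proof-of-non-existence
    structure (assumption: FPNE's real internals are not described on this page).

    Guarantee: if contains() is False the value was never added (no false negatives).
    If contains() is True the value *may* have been added (false positives possible).
    """

    def __init__(self, size_bits: int, num_hashes: int) -> None:
        self.size_bits = size_bits
        self.num_hashes = num_hashes
        self.bits = bytearray((size_bits + 7) // 8)

    def _positions(self, value: str):
        # Derive num_hashes bit positions from one salted SHA-256 per hash function.
        for salt in range(self.num_hashes):
            digest = hashlib.sha256(f"{salt}:{value}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.size_bits

    def add(self, value: str) -> None:
        for pos in self._positions(value):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def contains(self, value: str) -> bool:
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(value))


def normalize_cell(value: str) -> str:
    """Collapse whitespace and case so both index types see the same cell fingerprint."""
    return " ".join(value.split()).lower()


def build_indexes(records, size_bits=512, num_hashes=3):
    """Return (exact_set, compact_filter) built from the same fingerprinted cells.
    size_bits is deliberately undersized here so the trade-off is visible."""
    exact = {normalize_cell(r) for r in records}
    compact = NonExistenceFilter(size_bits, num_hashes)
    for cell in exact:
        compact.add(cell)
    return exact, compact


def scan(candidates, exact, compact):
    """Count matches the way an appliance (exact copy) and an endpoint (compact index) would."""
    exact_hits = [c for c in candidates if normalize_cell(c) in exact]
    compact_hits = [c for c in candidates if compact.contains(normalize_cell(c))]
    false_positives = [c for c in compact_hits if normalize_cell(c) not in exact]
    missed = [c for c in exact_hits if c not in compact_hits]  # always empty by construction
    return {
        "exact_count": len(exact_hits),
        "compact_count": len(compact_hits),
        "false_positives": false_positives,
        "missed": missed,
        "exact_bytes": sum(len(c) for c in exact),
        "compact_bytes": len(compact.bits),
    }


def demo():
    # Constructed sample data: 200 fingerprinted customer IDs, and an outbound
    # document containing 50 of them plus 100 unrelated order numbers.
    fingerprinted = [f"CUST-{i:04d}" for i in range(1, 201)]
    outbound_cells = fingerprinted[:50] + [f"ORDER-{i:04d}" for i in range(1, 101)]
    exact, compact = build_indexes(fingerprinted)
    return scan(outbound_cells, exact, compact)


if __name__ == "__main__":
    result = demo()
    print(f"appliance-style exact count : {result['exact_count']}")
    print(f"endpoint-style compact count: {result['compact_count']}")
    print(f"false positives: {len(result['false_positives'])}, missed: {len(result['missed'])}")
    print(f"index size: exact {result['exact_bytes']} B vs compact {result['compact_bytes']} B")
```

Running it shows the two behaviours the article contrasts: the compact index never misses a cell that was fingerprinted (a "no" from it is a proof of non-existence), it reports extra hits on cells that were never fingerprinted, and it occupies a small fraction of the exact copy's size. That is the class of discrepancy to expect between Endpoint and appliance trigger counts. The filter here is intentionally far too small for 200 records, so roughly a third of non-matching cells collide; a correctly sized structure keeps that rate very low. The model shows only the false-positive side of the trade-off; it does not model why the Endpoint can also report fewer matches, which the article attributes to the optimized DB structure without further detail.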
Points to consider when database fingerprinting classifiers are used:
Keywords: DLP Endpoint; Database Fingerprinting; FPNE; DLP Data Security Endpoint; DLP False Positive Incident; DLP Policy Issue; Incorrect Detection