Catching What Hides in Plain Sight

A Practical Guide to Endpoint Discovery and File Quarantine with Symantec DLP
April 9, 2026 by Nada Elmetwaly

Why Endpoint DLP Matters More Than Ever

In today's hybrid work environment, sensitive data doesn't stay neatly within the boundaries of servers and cloud platforms; it lives on laptops, workstations, and remote devices that travel in and out of corporate networks every day. A single unprotected file sitting in a local folder on an employee's endpoint can represent a significant risk, whether it contains personally identifiable information, financial records, or intellectual property.

This is precisely the problem that Symantec Data Loss Prevention (DLP) was built to solve. As one of the most mature and widely deployed DLP platforms in the enterprise security landscape, Symantec DLP provides organisations with deep visibility into where sensitive data lives, how it moves, and what happens to it across the network, in the cloud, and, critically, on the endpoint itself.

At the heart of its endpoint capabilities is the DLP Agent, a component deployed on managed endpoints that continuously monitors file system activity, enforces policies, and reports back to the Endpoint Server. Through a feature called Endpoint Discover, security teams can actively scan local drives and folders on managed endpoints: rather than waiting for data to move, they proactively find sensitive content wherever it rests.

What makes Symantec DLP particularly powerful is that detection alone is never the end of the story. Once a policy match is identified, the platform can take immediate, automated remediation action, including quarantining the offending file before it can be accessed, shared, or exfiltrated.

In this blog post, we walk through a focused, real-world lab scenario that demonstrates exactly this end-to-end capability: scanning a specific local folder on a single managed endpoint, triggering a policy match, generating an incident, and automatically quarantining the matched file, all through the Symantec DLP Endpoint Discover workflow.

What This Scenario Proves

This scenario validates several key aspects of a production-ready Symantec DLP deployment:

  • Scoped endpoint scanning is possible and precise: Endpoint Discover targets can be configured to scan specific locations on endpoints, and filters can be used to target local drives, file types, or individual folders, meaning you don't need to scan an entire machine to prove the point.
  • The DLP Agent is the engine on the ground: It is the agent, running silently on the managed endpoint, that performs the file system scan, detects sensitive content, and collects the activity data that gets reported back to the Endpoint Server.
  • Policy matches generate real incidents: When a file in the targeted folder matches the configured policy, an incident is generated and surfaced through the Endpoint Discover workflow, giving your security team the visibility and audit trail they need.
  • Remediation can be fully automated: Using the Endpoint Discover: Quarantine File response rule, the matched file can be automatically quarantined the moment a policy violation is confirmed, removing it from its original location and placing it in a protected quarantine directory.

This scenario is an essential validation exercise for any organisation rolling out or testing Symantec DLP in their environment. It proves not just that the platform can see sensitive data, but that it can do something about it, instantly and reliably.

Prerequisites

Before starting, make sure the test endpoint has the Symantec DLP Agent installed and connected to the correct Endpoint Server. If the agent is disconnected, the scan starts when it reconnects, and incidents remain in the Agent Store until they can be transferred back to the server.

For this lab, create the following test content on the endpoint:

C:\Test_Endpoint_Discover\

Inside that folder, create:

C:\Test_Endpoint_Discover\test.txt

Add a simple unique string inside the file, such as:

Test

Also create a quarantine destination, such as:

C:\ED_Quarantine\

Step 1: Create a simple test policy

Create a basic test policy that matches the keyword Test. For this type of validation, the goal is predictability, not tuning. A simple keyword match makes it easy to verify the entire workflow from scan to incident to remediation.

Associate the policy with a policy group that will be used only for this Endpoint Discover test.

Step 2: Create the Quarantine response rule

Now add the remediation part.

Go to: Manage > Policies > Response Rules.

Create a new response rule and add the action:

  • Endpoint Discover: Quarantine File

Symantec describes Endpoint Quarantine as a response that removes a confidential file from its original location and places it in a secure folder, either locally or on a remote file share. It can also leave behind a marker file to notify the user that the file was quarantined.

Note: Endpoint Quarantine is available for DLP Agents running on Windows and Linux endpoints. The DLP Agent does not support Endpoint Quarantine on macOS endpoints.

Step 3: Create the Endpoint Discover target (File System)

In the Enforce Server administration console, go to:

  • Manage > Discover Scanning > Discover Targets > New Target
  • Select Endpoint > File System
  • On General tab:
    • Name the target.
    • Select your Policy Group.
    • Select at least one Endpoint Server where scans run.
    • For the first test, choose Full scan (it's the most predictable for testing).

This is the best option for an initial test: Symantec states that a full scan checks all files on the endpoint, and it also recommends using a full scan when filters or scan definitions have changed and you want complete policy coverage.

Step 4: Target only one endpoint

On the Targeting tab, choose the Endpoint Server that manages the test machine. Then, in the Target Endpoints section, enter the exact hostname or IP address of the endpoint you want to test.

This is important because Symantec allows Endpoint Discover targets to be configured for specific endpoints by hostname or IP address. It also notes that wildcard characters are not supported in hostnames for this step.

Note: This step ensures the scan runs only on your chosen endpoint rather than across all connected systems.

Step 5: Filters (This is where you set the local path)

On the Filters tab, use the Include Filters field to narrow the scan to the test folder.

Example:

C:\Test_Endpoint_Discover\*

Symantec explains that if Include Filters are left empty, all items in the target are scanned. If values are added, only matching items are scanned. Folder paths are supported as include and exclude filters, and exclude filters take precedence if both are used.

Step 6: Save and start the scan

Save the target, then manually start the Endpoint Discover scan.

Endpoint Discover scans cannot be scheduled. They must be started manually, then either stopped manually, allowed to complete, or allowed to time out.

Because this test is restricted to one endpoint and one small folder, the scan should be easy to monitor and troubleshoot.

Expected result

If the DLP Agent is connected and the file still exists in the target folder when the scan runs, this is what should happen:

  1. The DLP Agent scans C:\Test_Endpoint_Discover\test.txt.
  2. The keyword Test matches the policy.
  3. Symantec DLP generates an Endpoint Discover incident.
  4. The Quarantine File response rule moves the file to the quarantine folder you created (C:\ED_Quarantine\ in this lab).
  5. A marker file can remain in the original location if you enabled that option.

Endpoint Discover incidents appear under the Discover tab in the Incidents section, and quarantine response rules are one of the supported remediation methods for Endpoint Discover incidents.

How to Verify Success

After the scan completes, verify all of the following:

  • The scan status shows Completed.
  • The incident count increased for the scan.
  • The incident appears under Incidents > Discover.
  • test.txt is no longer in C:\Test_Endpoint_Discover\.
  • The file now exists in the quarantine folder you created (C:\ED_Quarantine\ in this lab).
  • The marker file exists in the original path, if configured.
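The endpoint-side half of this lab (creating the test content from the Prerequisites section, then checking the file-system outcome listed above) can be scripted on the Windows test machine. This is an added helper, not part of Symantec DLP or the original post; it assumes the quarantined file keeps its original name inside the quarantine folder, and it takes the marker file path as a parameter because the marker's name depends on your response rule settings.

```powershell
# Added lab helper (not Symantec DLP code). Run in an elevated PowerShell
# session on the Windows test endpoint. Paths are the lab paths from this post.
$SourceDir     = 'C:\Test_Endpoint_Discover'
$QuarantineDir = 'C:\ED_Quarantine'
$TestFile      = Join-Path $SourceDir 'test.txt'

function Initialize-EdLab {
    # Creates the scan folder, the keyword-bearing test file and the quarantine folder.
    foreach ($dir in @($SourceDir, $QuarantineDir)) {
        if (-not (Test-Path -LiteralPath $dir)) {
            New-Item -ItemType Directory -Path $dir | Out-Null
        }
    }
    # The Step 1 policy is a keyword match on "Test", so that is all the file needs.
    Set-Content -LiteralPath $TestFile -Value 'Test' -Encoding ASCII
    # Return the hash so the quarantined copy can later be proven to be the same file.
    (Get-FileHash -LiteralPath $TestFile -Algorithm SHA256).Hash
}

function Test-EdQuarantine {
    param(
        [Parameter(Mandatory)] [string] $ExpectedHash,
        [string] $MarkerPath   # optional: marker file path, if you enabled that option
    )
    # Assumption: the file keeps its name when moved into the quarantine folder.
    $quarantined = Join-Path $QuarantineDir 'test.txt'
    $results = [ordered]@{
        'test.txt removed from source folder' = -not (Test-Path -LiteralPath $TestFile)
        'test.txt present in quarantine'      = (Test-Path -LiteralPath $quarantined)
        'quarantined content unchanged'       = $false
        'marker file present (if configured)' = $true
    }
    if ($results['test.txt present in quarantine']) {
        $hash = (Get-FileHash -LiteralPath $quarantined -Algorithm SHA256).Hash
        $results['quarantined content unchanged'] = ($hash -eq $ExpectedHash)
    }
    if ($MarkerPath) {
        $results['marker file present (if configured)'] = (Test-Path -LiteralPath $MarkerPath)
    }
    # One row per check; every Passed value should be True after a successful scan.
    $results.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Passed = $_.Value }
    }
}

# Usage: $hash = Initialize-EdLab   (before starting the scan in Step 6)
#        Test-EdQuarantine -ExpectedHash $hash   (after the scan shows Completed)
```

Any row reporting False points at the step to revisit: a file still in the source folder usually means the response rule did not fire or the agent was disconnected, while a hash mismatch means the quarantined copy is not the file you staged.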

Conclusion

A simple folder-based Endpoint Discover test becomes much more valuable when you add a quarantine response rule. Instead of proving only that the DLP Agent can find sensitive content, the scenario proves the full response chain: scan, detect, create incident, and quarantine. For Windows and Linux environments, this is one of the clearest ways to demonstrate that Endpoint Discover is not only reporting risk, but actively helping to contain it.
