Application Resilience policies for Symantec DLP

You can activate an Application Resilience policy for Symantec DLP to collect information about the functional status of Symantec DLP installed on your Windows devices and view the results in reports. You can also configure the policy to attempt to repair or reinstall the application.

Application Resilience policies for Symantec DLP are supported on devices running:

  • a supported version of the Windows operating system

  • PowerShell version 5.1 or higher

    Due to PowerShell restrictions imposed by Microsoft, Application Resilience isn't supported for this application on devices running Windows 11 SE.

  • one of the following versions of Symantec DLP:

    • 15.x or higher

      Significant software changes in higher versions may cause health checks to become invalid.

In addition to checking the version, the following table describes the health checks performed:

If you select Report higher versions as Compliant, higher versions report Compliant without running health checks.

Component Test performed
Services Installed Running Signed by
  • EDPA service (edpa.exe)
  • WDP service (wdp.exe)
 P P

One of the signers entered in the policy configuration

By default, Signers contains "Broadcom Inc" and "Symantec Corporation".
Application name

The application uses the following name:

  • AgentInstall* (the asterisk [*] indicates the health check accepts any additional characters starting from that position in the application name)

You can configure an Application Resilience policy for Symantec DLP to enable the Application Resilience (RAR) component A lightweight software component of the Secure Endpoint Agent that detects the status of third party applications installed on a device. The component may also attempt to repair the third party application if it is non-compliant. The RAR component is deployed on a device only when the device is associated with a customized policy group and that policy group's Application Resilience policy is activated. to attempt to repair Symantec DLP if it's not functioning, or reinstall it if it's missing or can't be repaired.

Depending on the Absolute product licenses associated with your account, the Report and repair and Report, repair, and reinstall options may not be available.

The RAR component of the Secure Endpoint Agent can respond to the following issues:

Issue Resolution
Repair

One or more of the following services aren't running:

  • EDPA service (edpa.exe)
  • WDP service (wdp.exe)

The RAR component restarts the service.

One or more of the following services aren't installed and the service's executable can be detected on the device:

  • EDPA service (edpa.exe)
  • WDP service (wdp.exe)

The RAR component reinstalls each missing service.
Reinstall

Downgrades are not supported. If the version installed on a device is higher than the expected version, no action is taken.

One or more of the following services aren't installed and the service's executable cannot be detected on the device:

  • EDPA service (edpa.exe)
  • WDP service (wdp.exe)

The RAR component downloads and installs the configured version of the application.
Symantec DLP failed to be repaired, or the expected version isn't installed

If you want the Secure Endpoint Agent to reinstall Symantec DLP if it is non-functional or missing, you need to make the following files available for download:

  • the 64-bit, 32-bit, or both agent installers
  • endpoint_cert.pem
  • endpoint_priv.pem
  • endpoint_truststore.pem
  • install_agent.bat

To prepare the installers:

  1. Generate and download the Symantec DLP install package following the steps provided in the Symantec DLP documentation.
  2. Depending on whether the policy group contains 64-bit or 32-bit Windows devices, do one or both of the following:
    • Select the 64-bit installer, and the endpoint_cert.pem, endpoint_priv.pem, endpoint_truststore.pem, and install_agent.bat files and add them to a new ZIP file.
    • Select the 32-bit installer, and the endpoint_cert.pem, endpoint_priv.pem, endpoint_truststore.pem, and install_agent.bat files and add them to a new ZIP file.

    The ZIP files can have any name.

    Do not include any parent folders or subfolders in the ZIP file. Do not change the name of the install_agent.bat file.

The ZIP file or files can now be uploaded to the Secure Endpoint Console or hosted on your own server.

The RAR component looks for the following files names when checking pre-cached installers:

Component File name
Installer

Symantec_DLP.zip containing:

  • the agent installer
  • endpoint_cert.pem
  • endpoint_priv.pem
  • endpoint_truststore.pem
  • install_agent.bat

Before you activate an Application Resilience policy, you need to configure the policy. You need to configure the application version in addition to the settings in Configuring Application Resilience policies.

To configure the application version:

  1. Under Symantec DLP version, enter the version of Symantec DLP you expect to be running on your devices.

    • The target version must be a sequence of digits separated by a period.
    • You can use wild card "*" characters after the major version, for example, 15.*, 15.7*, or 15.7.0.*.

    Make sure the version you are entering is consistent with version 15.x or higher.

If you selected the Report, repair, and reinstall option, you also need to configure this setting in addition to the settings in Configuring Application Resilience policies.

To configure the Symantec DLP specific setting:

  1. [Optional] To only reinstall the application if it's missing, select the checkbox next to Do not reinstall or upgrade if the app is already installed. When this option is selected, the application is not reinstalled when either of the following conditions apply:

    • The application version is lower than the expected version.
    • The application can't be repaired.