Classification Scan Engine Test

Data loss prevention (DLP) is an important issue for enterprise messaging systems because email is used extensively for business-critical communication that includes sensitive data. DLP features make it easier to enforce compliance requirements for such data and to manage its use in email without hindering the productivity of workers.

DLP policies are simple packages that contain sets of conditions, which are made up of transport rules, actions, and exceptions that you create in the Exchange Administration Center (EAC) and then activate to filter email messages. One important feature of transport rules is a new approach to classifying sensitive information that can be incorporated into mail flow processing. This new DLP feature involves a Classification Engine that performs deep content analysis through keyword matches, dictionary matches, regular expression evaluation, and other content examination to detect content that violates organizational DLP policies. 

The Classification engine also handles the import of new classification rules packages. These packages allow administrators and independent service vendors to create packages to manage specific content. These customer packages are XML files that can be imported via the Exchange command shell. The packages need to be encrypted to be imported into Exchange 2013/2016, and the Microsoft Classification Engine is in charge of decrypting them.

Errors in the engine's operations, and delays in loading the classification engine or in its content processing, can severely hamper the execution of transport rules and the detection of sensitive content in emails. If these problems are allowed to persist, classified information may reach the wrong hands, resulting in organizational mayhem. To avert this, run the Classification Scan Engine test at periodic intervals to check for errors in the engine's operations, track the time taken by the engine to load and to scan content, and capture errors and slowdowns proactively.

Target of the test: An Exchange 2013/2016 server

Agent deploying the test: An internal agent

Outputs of the test: One set of results for the Exchange 2013/2016 server being monitored

Configurable parameters for the test
  1. Test period - How often the test should be executed.
  2. Host - The host for which the test is to be configured.
  3. Port - The port at which the host listens.

Measurements made by the test

| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| Classification engine errors | Indicates the number of Classification engine errors in the last minute. | Number | Ideally, the value of this measure should be 0. A non-zero value is indicative of engine errors and will warrant immediate investigation. |
| Average engine load time per load | Indicates the average time taken by the engine to load. | Secs | A low value is desired for this measure. A consistent rise in this value is indicative of a bottleneck when loading. |
| Items scanned for classification rate | Indicates the rate at which the content was scanned for DLP policy violations. | Processed/Sec | A steady drop in the value of this measure is indicative of a processing bottleneck on the engine. |
| Detected classified items | Indicates the number of items that have been detected as classified. | Number | |
| Average classification scan time per item | Indicates the time taken by the engine to scan the content and detect classified items. | Secs | A steady increase in the value of this measure is indicative of a processing bottleneck on the engine. |
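
The interpretation guidance above can be turned into alert logic over successive test results. The following is an added example, not code from the monitoring product or from Exchange; the names Sample, trend and evaluate, the 4-sample window and the 20% change threshold used to define a "consistent" or "steady" trend are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    errors: int        # Classification engine errors (last minute)
    load_secs: float   # Average engine load time per load
    scan_rate: float   # Items scanned for classification rate (per sec)
    scan_secs: float   # Average classification scan time per item

def trend(values, window=4, min_change=0.20):
    """Return 'rise', 'drop' or None for the last `window` values.

    Assumed definition: every step moves in the same direction and the net
    change across the window is at least `min_change` of the first value.
    """
    recent = values[-window:]
    if len(recent) < window or recent[0] <= 0:
        return None
    steps = [b - a for a, b in zip(recent, recent[1:])]
    net = (recent[-1] - recent[0]) / recent[0]
    if all(s > 0 for s in steps) and net >= min_change:
        return "rise"
    if all(s < 0 for s in steps) and -net >= min_change:
        return "drop"
    return None

def evaluate(samples):
    """Apply the Interpretation column to a chronological list of samples."""
    findings = []
    if samples and samples[-1].errors > 0:
        findings.append("engine errors: investigate immediately")
    if trend([s.load_secs for s in samples]) == "rise":
        findings.append("load time rising: bottleneck when loading")
    if trend([s.scan_rate for s in samples]) == "drop":
        findings.append("scan rate dropping: processing bottleneck")
    if trend([s.scan_secs for s in samples]) == "rise":
        findings.append("scan time rising: processing bottleneck")
    return findings

# Constructed samples, oldest first (not real Exchange data).
HEALTHY = [Sample(0, 1.0, 50.0, 0.020), Sample(0, 1.1, 48.0, 0.021),
           Sample(0, 0.9, 51.0, 0.019), Sample(0, 1.0, 50.0, 0.020)]
DEGRADING = [Sample(0, 1.0, 50.0, 0.020), Sample(0, 1.3, 44.0, 0.024),
             Sample(0, 1.7, 37.0, 0.029), Sample(2, 2.2, 30.0, 0.036)]

if __name__ == "__main__":
    for name, series in (("healthy", HEALTHY), ("degrading", DEGRADING)):
        print(name, evaluate(series))
```

Normal jitter in the healthy series produces no findings, while the degrading series trips all four checks, so a stalled DLP scanner is flagged before mail flows past it unclassified.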