Copy to USB creating only one incident in v11.1 and above
Last Updated April 05, 2016
When a user attempts to copy multiple files that contain sensitive information, only one incident is created for the entire copy operation. The entire copy is blocked, but separate incidents are not created for each file.
There was a significant change in how a copy to a USB drive is detected on Endpoint Prevent for Windows 7 in 11.6. 10.5 used the driver to intercept the file copy. 11.1 moved this operation to user mode, where the agent hooks the Explorer process. This change was made for stability reasons, and the resulting behavior is expected.
On Windows 7, the hooks provided by the OS do not allow granularity at the single-file level. This leads to the described behavior of one incident for a batch copy. The copy continues until the first file with sensitive data is detected. When DLP signals that the copy should be blocked, subsequent copy operations are not invoked, so DLP does not get a chance to scan the remaining files and generate incidents for them. This is in line with OS behavior: in a batch copy operation, one failure aborts the entire batch.
Imported Document ID: TECH219934