How do fixed drive file filters work for Endpoint?

Article ID: 160557

Products

Data Loss Prevention Endpoint Prevent; Data Loss Prevention Endpoint Discover

Issue/Introduction

How the Fixed Drive/Folder file filters (path, file type and file size) are evaluated by the Endpoint Agent

Environment

DLP 15.X

Resolution

The Endpoint Agent applies the filters in the following order:
 • Apply the Ignore Files in Path filter first:
  ○ If a match is found, apply the Include Files in Path filter to see whether a more specific match exists
  ○ If a match is found there, the file will be monitored
  ○ If a match is not found there, the file will be ignored
 • If none of the Ignore Files in Path filters match, apply the Include Files in Path filter:
  ○ If a match is found, proceed to the next step and apply the Ignore File Types filter
  ○ If a match is not found, the file will be ignored
 • Apply the Ignore File Types filter:
  ○ If a match is found, apply the file signatures corresponding to the file types configured in the Include File Types filter
  ○ If the signature matches one of those types, monitor the file
  ○ If the Ignore File Types filter does not match, apply the Include File Types filter
 • Apply the Include File Types filter:
  ○ If a match is found, monitor the file
  ○ If a match is not found, ignore the file
 • Apply the Ignore files smaller than and Ignore files larger than filters when the file is closed:
  ○ If the file size is smaller than the Ignore files smaller than setting, the file is ignored
  ○ If the file size is larger than the Include files larger than filter, it is also monitored
  ○ If the file size is equal to or between the two size settings, the file is monitored
  ○ If both size settings are left blank, files of any size are monitored


Example 1: Consider that the Agents are configured with the following configuration: 
Ignore Files in Path *\application data*
Include Files in Path *\agenttest*

Case A: User copies a file to the c:\documents and settings\application data\microsoft folder. The file matches the “Ignore Files in Path” filter but not the “Include Files in Path” filter, and hence the file is ignored.
Case B: User copies a file to the c:\agenttest folder. The file will be monitored.
Case C: User copies a file to the c:\my documents folder. The file will not be monitored, because it matches neither filter and an Include Files in Path filter is configured.


Example 2: Consider that the Agents are configured with the following configuration:
Ignore Files in Path *\application data* 
Include Files in Path *\agenttest* 
Ignore file types .tmp;.txt 
Include file types .doc;.xls;*.ppt 

Case A: The user renames a readme.doc file to readme.tmp and drops it under the c:\agenttest\ folder. The file matches the “Include Files in Path” filter, then matches the .tmp Ignore File Types filter, so it should be ignored; however, because the file signature of readme.tmp matches the signature of .doc files, the file is eventually monitored.
Case B: User copies a readme.txt file to the c:\agenttest folder. The file will not be monitored.
Case C: User copies an expense_report.xls file to the c:\agenttest folder. The file will be monitored.
Case D: User copies a presentation.ppt file to the c:\my documents folder. The file will not be monitored.


A user can specify an exception to Ignore Files in path rule.

Example 3: Consider that the Agents are configured with the following configuration:
Ignore Files in Path *\application data* 
Include Files in Path *\application data\microsoft* 
Case A: User copies a file to the c:\documents and settings\application data\microsoft folder. The file matches the “Ignore Files in Path” filter and also the “Include Files in Path” filter, and hence the file will be monitored.
Case B: User copies a file to the c:\application data folder. The file will not be monitored.

If a user configures the agent with the above configuration, files under c:\application data\microsoft would be ignored.

Note: If a filter configuration is empty or left blank, that filter is not applied. File size filters are applied last because the actual size of a newly created file is not known until the file is closed. Supported wildcards are * and ?.


Example 4: Consider many machines where the WeChat application is installed. WeChat generates a folder named FileStorage\File\ under a randomly named account folder on any drive (e.g. D:\test\WeChat Files\wxid_5g0ngt667jpg21\FileStorage\File). 
The user needs to ignore detection of files under any FileStorage\File\ path on any drive, for any channel, and not only when files under this path are accessed by WeChat.

Use the filter below in Agent configuration > Channel filters > Add monitoring Filter > Select Ignore > Select Channel (Local drive or AFAC) > Select File Path > paste the following path:

*\FileStorage\File\*

This ignores any path on any drive that contains \FileStorage\File\.
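The ordered filter list above and Examples 1 to 4, worked through as a small model written for this article (it is not Symantec DLP agent code). It assumes the agent's content-signature check can be represented by a `signature` argument supplied by the caller, that a file which passes the Include Files in Path exception still goes through the file type filters, and it models only the Ignore files smaller than size threshold.

```python
# Added model of the documented Endpoint filter order; not Symantec DLP code.
import fnmatch
import ntpath


def _match_any(patterns, path):
    """Case-insensitive match against * and ? patterns. The drive letter is
    dropped first because the agent ignores it (see Additional Information)."""
    tail = ntpath.splitdrive(path)[1].lower()
    return any(fnmatch.fnmatchcase(tail, p.lower()) for p in patterns)


def _types(setting):
    """Normalise a '.doc;.xls;*.ppt' style setting to a set of extensions."""
    return {t.strip().lstrip("*").lower() for t in setting.split(";") if t.strip()}


def is_monitored(path, cfg, signature=None, size=None):
    """True if the agent would monitor `path` under `cfg`.
    cfg keys (missing or empty = filter not applied): ignore_paths, include_paths,
    ignore_types, include_types, ignore_smaller_than.
    `signature` stands in for the content-based file type the agent detects
    (assumed input); `size` is only known once the file is closed."""
    ignore_paths = cfg.get("ignore_paths", [])
    include_paths = cfg.get("include_paths", [])
    # Step 1: Ignore Files in Path, with Include Files in Path as the exception.
    # Assumption: a file saved by the exception still goes through type filters.
    if _match_any(ignore_paths, path):
        if not _match_any(include_paths, path):
            return False
    # Step 2: when an Include Files in Path filter is set, it must match.
    elif include_paths and not _match_any(include_paths, path):
        return False
    ignore_types = _types(cfg.get("ignore_types", ""))
    include_types = _types(cfg.get("include_types", ""))
    ext = ntpath.splitext(path)[1].lower()
    # Step 3: Ignore File Types; overridden only when the content signature
    # is one of the Include File Types (Example 2, Case A).
    if ext in ignore_types:
        return signature is not None and signature.lower() in include_types
    # Step 4: Include File Types, by extension.
    if include_types and ext not in include_types:
        return False
    # Step 5: size filters are applied at close; smaller-than threshold only.
    smaller = cfg.get("ignore_smaller_than")
    if size is not None and smaller is not None and size < smaller:
        return False
    return True


# Configurations from Examples 1 to 4 of this article
EXAMPLE_1 = {"ignore_paths": ["*\\application data*"], "include_paths": ["*\\agenttest*"]}
EXAMPLE_2 = dict(EXAMPLE_1, ignore_types=".tmp;.txt", include_types=".doc;.xls;*.ppt")
EXAMPLE_3 = {"ignore_paths": ["*\\application data*"],
             "include_paths": ["*\\application data\\microsoft*"]}
EXAMPLE_4 = {"ignore_paths": ["*\\FileStorage\\File\\*"]}
```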

Additional Information

Important Note:

1. Enter one path per line in File Path. If you specify any paths to include, DLP monitors only files in those paths. If you leave this field blank, DLP monitors all files except those you have excluded elsewhere.
2. The File Path filter applies to local drive monitoring, cloud storage application monitoring, application file access, copy to share, and copy to local drives.
3. When you filter by file path, the drive letter is ignored and the specified path is filtered on every local drive on the agent.
4. For example, entering c:\temp causes both c:\temp and d:\temp to be filtered on an agent with two local drives.