File properties filtering set to ignore still creates incidents or if set to monitor does not create incidents


Article ID: 174450


Updated On:

Products

  • Data Loss Prevention Endpoint Prevent
  • Data Loss Prevention

Issue/Introduction

You set the agent configuration to ignore or monitor files by file type.
Incidents are still created for file types set to ignore, or incidents are not created for file types set to monitor.

Environment

  • Windows or macOS endpoint
  • Data Loss Prevention (DLP)
  • Agent Configuration

 

Cause

The file extension may not be set to monitor or ignore as you intended.

The agent configuration may not have been applied to an Agent Group. Applying the agent configuration to an Agent Group is a required step.

Resolution

Possible Reasons Channel Filters in Agent Configuration Do Not Work Properly

  1. Review which file types are monitored or ignored.
  2. Check whether you have more than one Agent Configuration.
  3. Check the order of the monitor and ignore filters if filtering does not work correctly. The order does matter.
  4. Check whether you use different filters for endpoints that are located on or off the corporate network.

These suggestions apply to Application File Access, CD/DVD, Local Drive, and Cloud.

Go to the Agent Configuration

Go to System > Agent > Agent Configuration then click on the "Channel Filters" tab.

You use the Filter by File Properties section to create and edit monitoring filters. Using this option lets you optimize performance and reduce false positives by filtering files before detection occurs. Based on the filters you set, the DLP Agent monitors or ignores data based on protocol, destination, file size, file type, or file path. Existing filters are listed in this section. The filters run in the order they appear in the list as determined by the Order column.

True file type filtering

The DLP Agent for Windows can filter specific types of files to monitor based on file signature data, also known as the true file type. File signature data, generally a short sequence of bytes at the beginning of the file, is used to identify or verify the file type. As a result, changing the file name extension does not prevent DLP from monitoring a file type. For example, if a user changes the .doc file name extension to .jpg, the agent can identify the file based on its signature as a DOC file, and either monitor or ignore it based on the agent configuration filter.

Note: Text files (.txt) do not contain file signature data; consequently, the agent can only monitor or ignore these types of files based on the file extension. True type filtering is not possible for TXT files.


Note: Filtering on the DLP Agent for Mac occurs using the file extension only. True file type filtering is not supported for the DLP Agent for Mac.
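
The following Python sketch is an added example, not DLP Agent code: it models the ordered filter list from "Filter by File Properties" together with true file type detection, to show why one filter list can produce different results on Windows and Mac agents. The function names, the first-match rule, and the `"*"` wildcard are assumptions made for the illustration.

```python
# Added illustration: a simplified model of ordered channel filters, not DLP Agent code.
# Signatures below are the well-known leading bytes of each format.
SIGNATURES = {
    "doc": bytes.fromhex("D0CF11E0A1B11AE1"),  # OLE2 compound file (legacy Word)
    "jpg": bytes.fromhex("FFD8FF"),
    "pdf": b"%PDF",
}

def extension(name):
    """Lower-case extension without the dot, or '' if there is none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def file_type(name, head, true_type=True):
    """Type used for filtering: signature when one is recognised, else extension.

    true_type=False models extension-only filtering (the Mac agent, per the text).
    Files without a signature, such as .txt, also fall back to the extension.
    """
    if true_type:
        for kind, magic in SIGNATURES.items():
            if head.startswith(magic):
                return kind
    return extension(name)

def evaluate(filters, name, head, true_type=True):
    """Walk (action, types) filters in list order; the first match decides (assumed).

    Returns (action, order), or (None, None) when no filter matches; what the
    agent does in that case is outside this model.
    """
    kind = file_type(name, head, true_type)
    for order, (action, types) in enumerate(filters, start=1):
        if kind in types or "*" in types:  # "*" is a hypothetical match-all entry
            return action, order
    return None, None

# Constructed sample: a legacy Word document renamed to report.jpg.
RENAMED_DOC = ("report.jpg", SIGNATURES["doc"] + b"\x00" * 8)
FILTERS = [("ignore", {"jpg"}), ("monitor", {"doc"})]

if __name__ == "__main__":
    print(evaluate(FILTERS, *RENAMED_DOC))                   # signature-based
    print(evaluate(FILTERS, *RENAMED_DOC, true_type=False))  # extension-only
    print(evaluate(FILTERS, "notes.txt", b"hello"))          # no matching filter
```

With signature-based filtering the renamed file skips the "ignore jpg" filter and is monitored as a DOC, which is one way an "ignore" filter can appear not to work; with extension-only filtering the same file matches "ignore jpg" first.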