Block response rule does not appear every time the policy is violated.

Article ID: 159742

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

Block response rule does not appear every time the policy is violated.
To test this, try copying confidential data to a USB device every 2-3 seconds. The block response rule does not appear for every attempt; however, an incident is created for every violation.

Cause

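This is working by design. File operations that occur close together are considered a single transaction, and the agent uses the cached value from the previous operation.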

Resolution

The relevant setting is under the Advanced agent settings of the Agent configuration:

UI.CONSECUTIVE_TRANSACTION_TIME.int

Details: Maximum time, in seconds, between two file operations for them to be considered a single transaction. The default value is 10 seconds. Set it to 1, then save and apply the changes so that the new configuration takes effect.
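
The following model of the behaviour described above is an added illustration, not Symantec DLP agent code. It assumes the gap is measured between consecutive file operations, that a gap equal to the setting still counts as the same transaction, and that the block response is displayed once per transaction while an incident is created per operation; the function names and sample timestamps are constructed.

```python
# Illustrative model only; the agent's real internals are not documented on this page.
from typing import Dict, List


def group_transactions(op_times: List[float], window_s: float) -> List[List[float]]:
    """Group file-operation timestamps (in seconds) into transactions.

    Assumption: an operation joins the current transaction when the gap to the
    previous operation is <= window_s, where window_s stands for the value of
    UI.CONSECUTIVE_TRANSACTION_TIME.int.
    """
    transactions: List[List[float]] = []
    for t in sorted(op_times):
        if transactions and t - transactions[-1][-1] <= window_s:
            transactions[-1].append(t)   # same transaction: cached response reused
        else:
            transactions.append([t])     # new transaction: response shown again
    return transactions


def summarize(op_times: List[float], window_s: float) -> Dict[str, int]:
    """Count incidents (one per violating operation) and displayed block
    responses (assumed: one per transaction)."""
    return {
        "incidents": len(op_times),
        "block_notices": len(group_transactions(op_times, window_s)),
    }


# Constructed sample: blocked copy attempts to USB every 2-3 seconds.
SAMPLE_OPS = [0, 2, 5, 7, 10, 12]

if __name__ == "__main__":
    for window in (10, 1):  # default value vs. the value recommended above
        print(f"window={window}s -> {summarize(SAMPLE_OPS, window)}")
```

With the default of 10 every attempt in the sample falls into one transaction, so the block response is displayed once while six incidents are recorded; with 1 each attempt is its own transaction.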