Copy to USB creating only one incident in v11.1 and above


Article ID: 159913


Data Loss Prevention Endpoint Prevent


When a user copies multiple files that contain sensitive information to a USB drive, only one incident is created for the entire copy operation. The entire copy is blocked, but separate incidents are not created for each file.


There was a significant change in how a copy to a USB drive is detected on Endpoint Prevent for Windows 7 in 11.6. 10.5 used the driver to intercept file copies. 11.1 moved this operation to user mode, where it hooks the explorer process. This change was made for stability reasons. This is expected behavior.



On Windows 7, the hooks provided by the OS do not allow granularity at the single-file level. This leads to the described behavior of one incident for a batch copy. The copy continues until the first file with sensitive data is detected. When DLP signals that the copy should be blocked, the subsequent copy operations are not invoked, so DLP does not get a chance to scan the remaining files and generate incidents for them. This is in line with OS behavior: in a batch copy operation, one failure aborts the entire batch.