An User Cancel response rule is applied to Endpoint Prevent. When customer open a Windows explorer and copy a confidential file to target location, DLP Endpoint agent pops up a alert windows. If customer select Allow, the file is copied as per design. However, if customer try to copy second confidential file to same target, the alert does not pop up any more and file is copied successfully.
This is by design. DLP Endpoint agent takes the Allow action in first copy as default action and allow to copy other files without popping up alert window.
Basically, there are three scenarios for pop-up alert for User Cancel response rule.
1. If customer click Allow when copying confidential files to USB, this action would be taken as default action.
2. If customer click on Cancel, there would be no default action taken. DLP Endpoint agent will pop up the alert next time when you copy confidential file to USB in same Windows explorer window.
3. If customer copy confidential file to another target in same Windows Explorer window, i.e Network Share, there is no default action set until customer selects Allow on pop-up alert.
Closing the current Windows Explorer and open a new one, all default actions on target are reset.