How removable file filters work for Endpoint
Endpoint Agent applies the filters in the following order:
Example: Consider a case where the agents are configured with the following removable drive filters:
Ignore File Types - *.txt;*.tmp
Include File Types - *.doc;*.xls;*.ppt
Case A: A user tries to copy a file, readme.tmp, to a removable drive. The file hits the *.tmp "Ignore File Types" filter. The Endpoint Agent then tries to match the file signatures of *.doc, *.xls and *.ppt against the *.tmp file. None of them match, so the file is ignored.
Case B: A malicious user tries to copy a readme.doc file by first renaming it to readme.tmp and then copying it to a removable drive. The file hits the *.tmp "Ignore File Types" filter, but it also matches the signature for *.doc files, so the file is monitored.
Supported wildcards are * and ?.
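The decision in Case A and Case B can be modelled as follows. This is an added example, not the Endpoint Agent's code: the function names, the OLE2 magic bytes used as the signature for *.doc, *.xls and *.ppt, case-insensitive name matching, and the handling of names that miss the Ignore filter are assumptions.

```python
import re

# Assumption: legacy .doc/.xls/.ppt are OLE2 compound files sharing this magic.
# The agent's real signature set is not given on the page.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
SIGNATURES = {"*.doc": OLE2_MAGIC, "*.xls": OLE2_MAGIC, "*.ppt": OLE2_MAGIC}

IGNORE = "*.txt;*.tmp"           # filter values from the example above
INCLUDE = "*.doc;*.xls;*.ppt"


def split_filter(value):
    """Split a ';'-separated filter value into its patterns."""
    return [p.strip() for p in value.split(";") if p.strip()]


def name_matches(filename, filter_value):
    """Match a file name against the patterns; only * and ? act as wildcards."""
    for pattern in split_filter(filter_value):
        regex = "".join({"*": ".*", "?": "."}.get(c, re.escape(c)) for c in pattern)
        # Assumption: names compare case-insensitively, as on Windows.
        if re.fullmatch(regex, filename, re.IGNORECASE | re.DOTALL):
            return True
    return False


def signature_matches(data, filter_value):
    """True if the content starts with the signature of any Include type."""
    return any(data.startswith(SIGNATURES[p])
               for p in split_filter(filter_value) if p in SIGNATURES)


def decide(filename, data, ignore=IGNORE, include=INCLUDE):
    if name_matches(filename, ignore):
        # Cases A and B: an ignored name is still checked by content.
        return "monitored" if signature_matches(data, include) else "ignored"
    if name_matches(filename, include):
        return "monitored"       # assumption: not spelled out by Cases A/B
    return "not covered"         # outside what the two cases describe


if __name__ == "__main__":
    plain_tmp = b"scratch data\n"                 # constructed sample content
    renamed_doc = OLE2_MAGIC + b"\x00" * 504      # constructed OLE2 header
    print("Case A:", decide("readme.tmp", plain_tmp))
    print("Case B:", decide("readme.tmp", renamed_doc))
```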