How do removable file filters work for Endpoint?

Article ID: 160458

Products

Data Loss Prevention Endpoint Prevent, Data Loss Prevention Enforce, Data Loss Prevention Endpoint Discover

Issue/Introduction

How removable file filters work for Endpoint

Resolution

Endpoint Agent applies the filters in the following order:

  • Apply the "Ignore File Types" filter:
    • If a match is found, then apply the file signatures corresponding to the file types configured in the "Include File Types" filter:
      • If a signature match is found, the file is monitored
      • If no signature match is found, the file is ignored
    • If none of the "Ignore File Types" entries matched, then apply the "Include File Types" filter:
      • If a match is found, the file is monitored; otherwise it is ignored
  • Apply the "Ignore Files smaller than" filter:
    • If a match is found, the file is ignored and no other filter needs to be matched
  • Apply the "Include Files larger than" filter:
    • If a match is found, the file is monitored
    • If not, the file is ignored
  • Apply the "Ignore files smaller than" and "Ignore files larger than" filters when the file is closed:
    • If the file size is smaller than the "Ignore files smaller than" value, the file is ignored
    • If the file size is larger than the "Ignore files larger than" value, the file is also ignored
    • If the file size is equal to or between the two size filter settings, the file is monitored
    • If both size filter settings are left blank, files of any size are monitored

Example: Consider a case where the agents are configured with the following removable drive filters:

Ignore File Types - .txt;.tmp

Include File Types - .doc;.xls;*.ppt

Case A: A user tries to copy a file, readme.tmp, to a removable drive. In this case the file will hit the *.tmp "Ignore File Types" filter, the Endpoint Agent will then try to match the file signatures of *.doc, *.xls and *.ppt against the *.tmp file. It will not match and the file will be ignored.

Case B: A malicious user tries to copy a readme.doc file by first renaming it to readme.tmp and then copying it to a removable drive. In this case the file will not only hit the *.tmp "Ignore File Types" filter but it will also match the signature for the *.doc files and hence the file will be monitored.
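The decision sequence above, written out as an added simulation (this is not the Endpoint Agent's own code). Wildcards are matched with fnmatch, which covers the * and ? forms; the signature table and its magic values are constructed stand-ins for the agent's real signature database, and blank size filters are represented as None. It reproduces Case A and Case B, and goes a step further by applying the size filters from the list as well.

```python
import fnmatch

# Constructed configuration mirroring the article's example (not a real agent export).
CONFIG = {
    "ignore_types": ["*.txt", "*.tmp"],
    "include_types": ["*.doc", "*.xls", "*.ppt"],
    # Hypothetical signature table: leading bytes that identify each include type.
    # A real agent uses its own signature database; these values are constructed.
    "signatures": {"*.doc": b"DOC!", "*.xls": b"XLS!", "*.ppt": b"PPT!"},
    "ignore_smaller_than": 1024,   # bytes; None means the filter is left blank
    "ignore_larger_than": None,
    "include_larger_than": None,
}

def _matches(name, patterns):
    """Case-insensitive wildcard match against a list of filter entries."""
    return any(fnmatch.fnmatch(name, p) for p in patterns)

def is_monitored(name, size, head, cfg=CONFIG):
    """Apply the filters in the order the article gives. Returns True when the
    file is monitored, False when it is ignored. `head` is the file's leading bytes."""
    name = name.lower()
    ignore_types, include_types = cfg["ignore_types"], cfg["include_types"]
    # 1. Ignore File Types. A name match is not final: the include-type
    #    signatures are still checked, which is how a renamed .doc is caught.
    if ignore_types and _matches(name, ignore_types):
        sigs = [cfg["signatures"][p] for p in include_types if p in cfg["signatures"]]
        if not any(head.startswith(s) for s in sigs):
            return False
    elif include_types and not _matches(name, include_types):
        return False
    # 2./4. Ignore-by-size filters (blank = not applied). The agent can only
    #    evaluate these once the file is closed and its final size is known.
    lo, hi = cfg["ignore_smaller_than"], cfg["ignore_larger_than"]
    if lo is not None and size < lo:
        return False
    if hi is not None and size > hi:
        return False
    # 3. Include Files larger than: when set, only files above it are monitored.
    inc = cfg["include_larger_than"]
    if inc is not None and size <= inc:
        return False
    return True

if __name__ == "__main__":
    # Case A: a genuine .tmp file is ignored.
    print(is_monitored("readme.tmp", 4096, b"junk data"))    # False
    # Case B: a .doc renamed to .tmp still carries the .doc signature, so it is monitored.
    print(is_monitored("readme.tmp", 4096, b"DOC! ......"))  # True
```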

Note:

  • If a filter configuration is empty or left blank, that filter is not applied.
  • File size filters are applied at the end because the actual size of a newly created file is not known until the file is closed.
  • Removable drives are not subject to file path filters and hence all folders on a removable drive are monitored by default.

Supported wildcards are * and ?.