How do fixed drive file filters work for Endpoint?


Article ID: 160557


Updated On:

Products

Data Loss Prevention Endpoint Prevent, Data Loss Prevention Enforce, Data Loss Prevention Endpoint Discover

Issue/Introduction

How filters for Fixed Drive Folders work.

Resolution

The Endpoint Agent applies the filters in the following order:

  • Apply the Ignore Files in Path filter first:
    • If a match is found, then apply the Include Files in Path filter to see if a more specific match exists
    • If a match is found, then the file will be monitored
    • If a match is not found, then the file will be ignored
  • If none of the filters in Ignore Files in Path matches, then apply the Include Files in Path filter:
    • If a match is found, then proceed to the next step of applying the Ignore File Types filter
    • If a match is not found, then the file will be ignored
  • Apply the Ignore File Types filter:
    • If a match is found, then apply the file signatures corresponding to the file types configured in the Include File Types filter
    • If a match is found, then monitor the file
    • If a match is not found, then apply the Include File Types filter
  • Apply the Include File Types filter:
    • If a match is found, then monitor the file
    • If a match is not found, then ignore the file
  • Apply the Ignore files smaller than and Ignore files larger than filters when the file is closed:
    • If the file size is smaller than the Ignore files smaller than filter, then it is ignored
    • If the file size is larger than the Include files larger than filter, then it is also monitored
    • If the file size is equal to or in between the two size filter settings, then it is monitored
    • If these two size filter settings are left blank, then files of any size are monitored

Example 1: Consider that the Agents are configured with the following configuration:

Ignore Files in Path *\application data*
Include Files in Path *\agenttest*

Case A: User copies a file to c:\documents and settings\application data\microsoft folder, the file will match the “Ignore files in Path” filter but not the “Include files in Path” filter and hence the file will be ignored.

Case B: User copies a file to c:\agenttest folder. The file will be monitored.

Case C: User copies a file to c:\my documents folder. The file will not be monitored.

Example 2: Consider that the Agents are configured with the following configuration:

Ignore Files in Path *\application data*
Include Files in Path *\agenttest*
Ignore file types .tmp;.txt
Include file types .doc;.xls;*.ppt

Case A: The user renames a readme.doc file to readme.tmp and drops it under the c:\agenttest\ folder. The file will match the “Include files in Path” filter, and it will then match the .tmp Ignore file types filter, so the file should actually be ignored. However, since the file signature of readme.tmp will match the signature of .doc files, the file will eventually be monitored.

Case B: User copies a readme.txt file to the c:\agenttest folder. The file will not be monitored.

Case C: User copies an expense_report.xls file to the c:\agenttest folder. The file will be monitored.

Case D: User copies presentation.ppt file to c:\my documents folder. The file will not be monitored.

A new feature has been added in Vontu 7.1 whereby a user can specify an exception to an Ignore Files in Path rule. For example, consider that the Agents are configured with the following configuration:

Ignore Files in Path *\application data*
Include Files in Path *\application data\microsoft*

Case A: User copies a file to the c:\documents and settings\application data\microsoft folder. The file will match the “Ignore files in Path” filter and also the “Include files in Path” filter, and hence the file will be monitored.

Case B: User copies a file to c:\application data folder. The file will not be monitored.

In Vontu 7.0, if a user configured the agent with the above configuration, files under c:\application data\microsoft would be ignored.

Note: If a filter configuration is empty or left blank, then that filter is not applied. File size filters are applied at the end because the actual size of a newly created file is not known until the file is closed.

Supported wildcards are * and ?.
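The evaluation order above, including the 7.1 Include-path exception and the file-signature override, as an added Python example (this is not the article's or the product's code). The configuration keys, the OLE2 signature table standing in for the agent's signatures, and the assumption that files above the Ignore files larger than bound are dropped are mine.

```python
import fnmatch
import ntpath

# Constructed stand-in for the agent's signature table (assumption): the OLE2 compound
# document magic bytes that legacy .doc/.xls/.ppt files share.
SIGNATURES = {".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0", ".ppt": b"\xd0\xcf\x11\xe0"}


def _path_match(path, patterns):
    # Supported wildcards are * and ?; Windows paths compare case-insensitively.
    return any(fnmatch.fnmatchcase(path.lower(), p.lower()) for p in patterns)


def _ext_match(path, types):
    # Accept both ".doc" and "*.doc" spellings of a file-type entry.
    ext = ntpath.splitext(path)[1].lower()
    return any(ext == t.lower().lstrip("*") for t in types)


def _signature_match(header, types):
    # Apply only the signatures of the types listed in Include File Types.
    sigs = [SIGNATURES[t] for t in (x.lower().lstrip("*") for x in types) if t in SIGNATURES]
    return any(header.startswith(s) for s in sigs)


def should_monitor(path, header, size, cfg):
    """Return True if the file is monitored, applying the filters in the documented order."""
    ign_path, inc_path = cfg.get("ignore_path", []), cfg.get("include_path", [])
    ign_types, inc_types = cfg.get("ignore_types", []), cfg.get("include_types", [])
    # Step 1: Ignore Files in Path, overridden by a more specific Include Files in Path match.
    if _path_match(path, ign_path):
        if not _path_match(path, inc_path):
            return False
    elif inc_path and not _path_match(path, inc_path):  # a blank filter is not applied
        return False
    # Step 2: Ignore File Types, overridden by a signature or extension of an included type.
    if _ext_match(path, ign_types):
        if not _signature_match(header, inc_types) and not _ext_match(path, inc_types):
            return False
    elif inc_types and not _ext_match(path, inc_types):
        return False
    # Step 3: size filters, applied on close; above the larger-than bound is ignored (assumption).
    lo, hi = cfg.get("ignore_smaller_than"), cfg.get("ignore_larger_than")
    if lo is not None and size < lo:
        return False
    if hi is not None and size > hi:
        return False
    return True
```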