Endpoint blocking enabled with an incident match count value but incident reports a different match count value.
search cancel

Endpoint blocking enabled with an incident match count value but incident reports a different match count value.

book

Article ID: 160771

calendar_today

Updated On:

Products

Data Loss Prevention Data Loss Prevention Endpoint Suite Data Loss Prevention Endpoint Prevent

Issue/Introduction

Incidents contain match count different than the policy defined match count when Endpoint blocking enabled versus without Endpoint blocking enabled.

Why does this occur?

Environment

DLP All Versions

Cause

Differences in matching technologies and count requirements involved.

Resolution

The Endpoint Detection Engine may find fewer matches than expected when Endpoint Blocking is enabled. This is expected behavior.

  • When matching print/fax, clipboard, email, web and Instant Messaging protocols, the endpoint detection engine uses chunked text matching to examine incremental portions of files (“chunks”) via code injection or plugin. 
  • Each chunk is examined for matches individually, with a small overlay between chunks to avoid false negatives on chunk boundaries.

When endpoint blocking is enabled, the operation is blocked as soon as the cumulative processing of chunks matches or exceeds the number of matches required to trigger an incident; the remainder of the file is not processed further by detection and does not generate additional matches. 

  • Accordingly, files processed using chunked text matching may result in incidents with match counts that do not reflect all potential matches.

Consider the following comparisons between print and move of content examples:

  • Attempting to print a file which contains 10 potential matches and violate a policy that specifies 5 matches are required to trigger an incident. 
    • If the first chunk contains 7 matches, an incident showing 7 matches is generated and printing is blocked.
      • The remaining potential matches are never counted.
  • Attempting to move the same file to a USB drive would result in an incident showing all 10 matches
    • Chunked text matching is not used with that action.
    • The entire file is processed by detection.

To improve detection accuracy and reduce false negatives, the engine includes a buffer from the previous chunk, defined by Detection.CHUNK_OVERLAP.int, allowing overlap between chunks.
However, this overlap can sometimes lead to false positives, especially when a match occurs exactly at the boundary between two chunks.

Note: The default chunk size is 65534 bytes.

  • The chunk size, Detection.CHUNK_SIZE.int, is configurable via Enforce console page
    • System > Agents > Agent Configuration
    • Advanced Agent Settings tab
  • Changing this value is not generally recommended
  • Any change to this should be carefully tested prior to production implementation

The default value for Detection.CHUNK_OVERLAP.int is 45 bytes.

Powered by Wolken Software