Incidents contain different match count lower than expected with Endpoint blocking enabled. Why does this occur?
The Endpoint Detection Engine may find fewer matches than expected when Endpoint Blocking is enabled. This is expected behavior.
For print/fax, clipboard, email, web and Instant Messaging protocols, the endpoint detection engine uses chunked text matching to examine incremental portions of files (“chunks”) via code injection or plugins. Each chunk is examined for matches individually, with a small overlay between chunks to avoid false negatives on chunk boundaries.
When endpoint blocking is enabled, the operation is blocked as soon as the cumulative processing of chunks matches or exceeds the number of matches required to trigger an incident; the remainder of the file is not processed further by detection and does not generate additional matches. Accordingly, files processed using chunked text matching may result in incidents with match counts that do not reflect all potential matches.
As an example, consider attempting to print a file which contains 10 potential matches, in violation of a policy that specifies 5 matches to trigger an incident. If the first chunk contains 7 matches, an incident showing 7 matches is generated and printing is blocked; the remaining potential matches are never counted. Attempting to move the same file to a USB drive (for example) would result in an incident showing all 10 matches, because chunked text matching is not used and the entire file is processed by detection.
Note: The default chunk size is 65534 bytes. The chunk size, Detection.CHUNK_SIZE.int, is configurable via Enforce console page > System > Agents > Agent Configuration > Advanced Agent Settings tab but changing this value is not generally recommended and any such change should be carefully tested prior to production implementation.