URL within a file attachment is being detected as a 'Filename'

Article ID: 161824

Products

  • Data Loss Prevention Network Monitor
  • Data Loss Prevention Network Prevent for Email
  • Data Loss Prevention Network Discover
  • Data Loss Prevention Endpoint Discover

Issue/Introduction

If a Microsoft Word document (.docx) contains a URL that points to a monitored file extension, false positives are seen.

The Discover and Network Incident Snapshot shows a match highlight for the file name within the URL.

Example of a false positive when using a File Name rule looking for *.aspx

Cause

When DLP inspects a file attachment that includes a URL link within the document, DLP parses the file and reads the URL as a File Name or File Extension.

This applies to the following Rule Conditions.

  • File Name
  • File Type

Resolution

Add a compound rule to also look for File Size greater than 1 byte to avoid false positives when looking for File Name or File Type.

Example of a modified policy that looks for File Name *.aspx and *.docx, compounded with a Size Rule.
