
How Does the DLP Endpoint Agent Block Data in Motion Requests (USB and Network Monitor)


Article ID: 162723


Updated On:

Products

Data Loss Prevention

Issue/Introduction

This document gives an overview of the detection and prevention process of the DLP endpoint agent. It assumes that the setting 'FileSystem.ENABLE_VEP_FILE_ELIMINATION.int' is at its default value of '3' and that a response rule of 'Endpoint Prevent: Block' is in use.

Resolution

Scenario 1: An existing sensitive or non-sensitive file on a USB drive or network share is opened, OR
Scenario 2: A sensitive file is copied from the endpoint's local drive to a USB drive or network share using the command line, where a non-sensitive file of the same name is already present

  1. When a user opens an existing file from a USB drive or network share, DLP is notified of the File Open operation.
  2. DLP saves a snapshot of the file to a temporary location on the endpoint.
  3. If, after the new data is added, the file that will now be saved back to the USB drive or network share is found to be sensitive, then with a Block type response rule the Block action takes place.
  4. As a result, the file copy operation fails.
  5. Because the file copy operation failed, DLP by default always quarantines the user's file (the file the user wanted to save) to a 'My Recovered Files' folder (as shown in the Block popup), in its original format, along with an associated Readme file. No Quarantine response rule is required for this action; DLP is programmed to do it ALWAYS.
  6. Finally, depending on the Agent Advanced setting FileSystem.ENABLE_FILE_RESTORATION.int, DLP copies the previously saved snapshot file back to the network share. The default value of this setting is 1, which means the snapshot file is restored.
    • Note: as of DLP version 14.0.1, File Restoration is not an included feature of the Mac DLP Agent.


Scenario 3: A sensitive file is copied from the endpoint's local drive to a USB drive or network share using Explorer, where a non-sensitive file of the same name is already present
 

  1. When a user copies a sensitive file from the endpoint's local drive to a USB drive or network share, DLP is notified of the File Copy activity.
  2. When the user copies the sensitive file to the USB drive or network share, then with a Block type response rule the Block action takes place.
  3. As a result, the file copy operation fails.
  4. Note that in this case alone, the file quarantine action DOES NOT take place.
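The two flows above (Scenarios 1 and 2 on one side, Scenario 3 on the other), modelled as an added example. This is not the DLP agent's code and not the product vendor's own: the detection rule (a Luhn-valid 16-digit card number), the folder and file names, the Readme wording and the assumption that a blocked save has already truncated the share copy before the snapshot is restored are all constructed for illustration. What the model shows is the difference in observable outcome: Scenarios 1 and 2 leave the user's content in 'My Recovered Files' and put the share file back to its snapshot when FileSystem.ENABLE_FILE_RESTORATION.int is 1, while Scenario 3 blocks without quarantining and leaves the existing share file untouched.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Assumed detection rule (not the product's policy engine): a 16-digit number,
# optionally separated by spaces or dashes, that passes the Luhn check.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_sensitive(data: bytes) -> bool:
    text = data.decode("utf-8", errors="ignore")
    return any(luhn_ok(re.sub(r"[ -]", "", m.group()))
               for m in CARD_RE.finditer(text))


class EndpointAgentModel:
    """Models the Block handling for the article's three scenarios."""

    def __init__(self, root: Path, enable_file_restoration: int = 1):
        self.share = root / "share"                   # USB drive or network share
        self.recovered = root / "My Recovered Files"  # quarantine folder
        self.snapshots = root / "snapshots"           # temp location for step 2
        for d in (self.share, self.recovered, self.snapshots):
            d.mkdir(parents=True)
        # Mirrors FileSystem.ENABLE_FILE_RESTORATION.int (default 1).
        self.enable_file_restoration = enable_file_restoration

    def _quarantine(self, name: str, data: bytes) -> None:
        # Step 5: the user's file goes to 'My Recovered Files' in its original
        # format, with a Readme beside it (the Readme wording is constructed here).
        (self.recovered / name).write_bytes(data)
        (self.recovered / f"{name}.Readme.txt").write_text(
            f"{name} was blocked by Endpoint Prevent: sensitive content detected\n")

    def save_opened_file(self, name: str, new_data: bytes) -> str:
        """Scenarios 1 and 2: an existing share file is opened (or overwritten
        from the command line) and saved with new content."""
        target, snapshot = self.share / name, self.snapshots / name
        shutil.copy2(target, snapshot)        # step 2: snapshot on open
        if not is_sensitive(new_data):
            target.write_bytes(new_data)      # no match: the save proceeds
            return "allowed"
        # Steps 3-4: the save is blocked. Modelling assumption: the interrupted
        # save has already truncated the share copy, which is what step 6 repairs.
        target.write_bytes(b"")
        self._quarantine(name, new_data)
        if self.enable_file_restoration == 1:
            shutil.copy2(snapshot, target)    # step 6: restore the snapshot
        return "blocked"

    def explorer_copy(self, src: Path, name: str) -> str:
        """Scenario 3: Explorer copy over a same-named share file: block only."""
        data = src.read_bytes()
        if is_sensitive(data):
            return "blocked"                  # no quarantine, share copy untouched
        (self.share / name).write_bytes(data)
        return "allowed"


def demo() -> dict:
    """Run both flows in a scratch directory and report the observable outcomes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        agent = EndpointAgentModel(root)
        original = b"Q3 summary: nothing confidential here.\n"
        # Constructed sample: 4111 1111 1111 1111 is the common Luhn-valid test number.
        sensitive = original + b"Card on file: 4111 1111 1111 1111\n"

        (agent.share / "report.txt").write_bytes(original)
        out = {"scenario1_result": agent.save_opened_file("report.txt", sensitive)}
        out["share_restored"] = (agent.share / "report.txt").read_bytes() == original
        out["quarantined"] = (agent.recovered / "report.txt").read_bytes() == sensitive
        out["readme_written"] = (agent.recovered / "report.txt.Readme.txt").exists()

        local = root / "local"
        local.mkdir()
        (local / "notes.txt").write_bytes(sensitive)
        (agent.share / "notes.txt").write_bytes(original)
        out["scenario3_result"] = agent.explorer_copy(local / "notes.txt", "notes.txt")
        out["scenario3_target_unchanged"] = (agent.share / "notes.txt").read_bytes() == original
        out["scenario3_quarantined"] = (agent.recovered / "notes.txt").exists()
        return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints one line per outcome; the values to look at are `share_restored` (True only because the snapshot from step 2 is copied back in step 6) and `scenario3_quarantined` (False, matching step 4 of Scenario 3).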