Block response rule does not block the copy of sensitive data to a local drive

Article ID: 169456

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

An endpoint policy in Symantec Data Loss Prevention Endpoint Prevent (DLP) is created to detect content being copied to the local hard drive. The policy fires and creates an incident, but the file copy is not blocked.

This is unexpected behavior; the expectation is that the rule blocks the copy of sensitive data.

Cause

The Endpoint block response rule is not triggered for the copy of sensitive data to the local drive. 

See "Configuring the Endpoint Prevent: Block action" in the DLP Administration Guide, which is located at https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/15-7/Related-Documents.html.

Resolution

This behavior is expected. 

The block action is not triggered for a copy of sensitive data to a local drive.