Block response rule does not block the copy of sensitive data to a local drive

Article ID: 169456

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

An endpoint policy in Symantec Data Loss Prevention Endpoint Prevent (DLP) is created to detect content being copied to the local hard drive. The policy fires and creates an incident, but the file copy itself is not blocked.

This is unexpected to the administrator, who expects the Block response rule to stop the copy of sensitive data.

Cause

The Endpoint Prevent Block response rule is not triggered when sensitive data is copied to the local drive, whether the source is a USB device or OneDrive.

See "Configuring the Endpoint Prevent: Block action" in the DLP Administration Guide, available at https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/information-security/data-loss-prevention/generated-pdfs/Symantec_DLP_15.7_Admin_Guide.pdf

Resolution

This behavior is expected.

The Block action is not triggered for a copy of sensitive data to a local drive; Endpoint Prevent only detects the copy and creates an incident.

Note: enabling "local drive" monitoring can cause performance issues, because DLP will then monitor every file that is created on the local drive.