An endpoint policy in Symantec Data Loss Prevention Endpoint Prevent (DLP) is created to detect content being copied to the local hard drive. The policy fires and creates an incident, but the file copy is not blocked.
This is an unexpected behavior; the expectation is for the rule to block the copy of sensitive data.
The Endpoint block response rule is not triggered for the copy of sensitive data to the local drive.
See "Configuring the Endpoint Prevent: Block action" in the DLP Administration Guide, which is located at https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/15-7/Related-Documents.html.
This behavior is expected.
The block action is not triggered for a copy of sensitive data to a local drive.