Using Endpoint Prevent Block does not prevent local drive file copy events. Incident still generated.


Article ID: 170322


Updated On:


Data Loss Prevention Endpoint Prevent


A user wants to prevent a file from being copied on the local drive. For example, they want to prevent a file from being copied from c:\docs\ to c:\temp\.

When the file is copied there is an incident generated in the console for the local drive event, but the file copy is successful and not blocked.

The file is blocked if the file opened or if there is an attempt at uploading the file to an external site.


DLP 14
DLP 15


This behavior is a known limitation of the product. Endpoint Prevent is working properly. Local drive events do not trigger Endpoint Prevent block, notify, or user cancel response rules.

See the DLP Administrator Guide under "About policy creation for Endpoint Prevent" for more details.