Using Endpoint Prevent Block does not prevent local drive file copy events. Incident still generated.

book

Article ID: 170322

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

A user wants to prevent a file from being copied on the local drive. For example, they want to prevent a file from being copied from c:\docs\ to c:\temp\.

When the file is copied there is an incident generated in the console for the local drive event, but the file copy is successful and not blocked.

The file is blocked if the file opened or if there is an attempt at uploading the file to an external site.

Environment

DLP 14
DLP 15

Resolution

This behavior is a known limitation of the product. Endpoint Prevent is working properly. Local drive events do not trigger Endpoint Prevent block, notify, or user cancel response rules.

See the DLP Administrator Guide under "About policy creation for Endpoint Prevent" for more details.