Http and Https Filter by network properties are not preventing incidents with data going to Sharepoint / Cloud Storage destinations

book

Article ID: 171708

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

When files are being saved or uploaded to a Sharepoint or cloud storage destination they are generating incidents. This happens when the ignore filter is configured in the agent configuration for that specifc http(s) web site.

This issue usally manifests as detection on files being saved from Microsoft Office products to cloud storage / sharepoint locations.

Environment

DLP 15.x

Resolution

First check the following items.
1. Check the Agent overview and verify the agent configuration matches the configuration that has the filter applied.
2. Verify that the agent configuration has been applied to the agent group and is updated.
3. Make sure the agent has an update configruation by checking the time / date stamp on the cg.ead file on the client or looking at the last update time in the Agent overview in enforce.

If the issue persists then check the format of the filter. A valid http(s) filter for web sites looks something like: (note the following is not valid for Sharepoint shares / Cloud storage)

-*test.com

While that filter will prevent incidents from generating http(s) incidents to the test.com web site it will not work for cloud sync applications.

As per the Administrator guide under Cloud Storage settings the filter must have an astrerisk after the filter entry. To properly filter sharepoint / cloud storage saves to test.com the filter entry must look like:

-*test.com*

After applying the above syntax to the agent configuration filter the agent will no longer generate incidents when saving to the share. See the admin guide for more details.