Data Transfer Policy failed to block uploads to Office 365

book

Article ID: 171875

calendar_today

Updated On:

Products

CASB Security Standard CASB Security Premium CASB Security Advanced CASB Audit CASB Gateway CASB Gateway Advanced Data Loss Prevention Cloud Package

Issue/Introduction

Worked through the process to create a Data Transfer via Gatelet Policy, chose the Action Upload segment and configured to Block File yet the process failed to block the upload to Office 365 following the Reach Agent Block warning in CloudSOC (CSOC).

Cause

Confirmed Office 365 handles file uploads outside the normal processes so a file is unable to be blocked by the Gatelet Policy.

Further clarification: Office 365 makes two requests when a file is uploaded as follows:
  • Upload process creates an empty “place-holder” file
  • Upload process creates a container file to hold the upload content
Following these O365 processes; CSOC processes perform content analysis on the content file, which triggers the Block File action, and blocks the file based on the CSOC Policy configurations. 
 
However, when CSOC performs content analysis, the first request gets created which is nothing but an empty file with the same name. It is this secondary place-holder file which cannot be blocked as it doesn’t meet the content criteria to match that outlined in the CSOC Policy.

Resolution

This is currently being reviewed by Symantec Corp for supportability in a future CloudSOC release.