Why does Data Loss Prevention monitor all applications even if the AFAC channel is not active?
search cancel

Why does Data Loss Prevention monitor all applications even if the AFAC channel is not active?


Article ID: 172450


Updated On:


Data Loss Prevention Endpoint Prevent Data Loss Prevention


In the Agent Configuration, the AFAC channel is not selected, but even then Data Loss Prevention performs application monitoring. 


In general, DLP monitors every application by default on all channels enabled in the Agent Configuration.
This will take place for all applications not present on Application Monitoring settings.


When adding an application to the Application Monitoring list, means that we can exclude some or all channels for a specific application while still monitoring them for the others.

AFAC is just one of the channels which can be monitored by DLP - even when it's disabled, DLP will still monitor other channels such as HTTP, Printer, Clipboard, Removable Storage, Network Share, CD/DVD, Cloud Storage etc. If an application will try to perform an action directly involving one of the monitored channels, DLP will inspect that action.

White listing in the Application Monitoring is required then, because by default for all applications not added to the white list, DLP will apply the Agent Configuration channel settings and monitor these applications on these channels. The reason is that DLP can't foresee what applications will be installed on an endpoint. Using a reverse solution - in which a list of 'monitored' applications is created and DLP monitors only applications present on the list - might not be feasible because

a) there may be tens or hundreds of applications to be added to the list manually, and

b) sometimes administrators can be unaware about applications deployed on the endpoint by an end user. This is the reason why DLP follow the approach and attempt to monitor everything unless it's white listed.