search cancel

DLP Agent continues to generate incidents and pop ups after blocking an email in Firefox or IE

book

Article ID: 175654

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

The DLP Agent will continuously generate popups and incidents after blocking an email with PII in it. This only happens in IE or Firefox in windows and usually occurs with gmail or yahoo mail. 

This scenario happens when the following configurations are all set as follows:

  1. The data is typed in to the email (not detected from the paste channel or file attachment)
  2. The user is using a browser that supports inline https detection (See Article 165202)
  3. The Response rule for the policy is set to block the agent communication

 

Cause

Browser Mail clients will attempt to save a draft to the server as the user types in the data. Once an inline detection occurs that triggers a block the mail client will no longer be able to save the draft to the server. The mail client will continue to retry to save the draft that failed to save. The retry is usually three to five minutes.

Resolution

This is working as designed. The mail client draft save feature is in direct conflict with DLP blocking data. Each draft save contains slightly different data DLP will register it as a new incident with a new popup.

The workaround is to close the browser entirely and then open a new browser. This will clear out any drafts that the mail client is attempting to save. Additionally this can be prevented if the paste channel is monitored on the browser. Using the paste channel will block the data before it gets to the mail client therefore preventing the save draft / DLP block cycle from starting.