Ignoring .zip files also ignores Microsoft Office files

Article ID: 184508

Products

Data Loss Prevention Endpoint Discover

Issue/Introduction

When a filter is created in an agent configuration to ignore .zip files, the agent also ignores Microsoft Office files (.docx, .xlsx, .pptx, etc.).

Cause

This occurs because the signatures of these file types are very similar. Rather than filtering on the file extension alone, DLP examines the file's hex signature to determine the file type. The hex signature of .zip files is the same as the beginning of the hex signature of Microsoft Office files.

Environment

DLP 15.0 and higher

Resolution

  1. Create a "Monitor" filter to specifically monitor Microsoft Office extensions.
  2. Create an "Ignore" filter to look for the .zip extension.
  3. Ensure the Monitor filter is placed with higher priority than the Ignore filter.
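
The overlap and the effect of filter ordering can be reproduced with the following added example, which is not Symantec code and does not reflect the product's internal implementation. The filter predicates, the first-match-wins `evaluate` function, and the default action are assumptions made for illustration; the sample files are constructed in memory.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # ZIP local file header; OOXML packages start the same way
OFFICE_EXTS = (".docx", ".xlsx", ".pptx")

def make_archive(members):
    """Build an in-memory ZIP from {name: bytes}; constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def signature_type(data):
    """Classify by leading bytes only, as a signature-based filter would."""
    return "zip" if data.startswith(ZIP_MAGIC) else "unknown"

# Hypothetical filter predicates (assumed for illustration).
def ignore_zip(name, data):
    return signature_type(data) == "zip"

def monitor_office(name, data):
    return name.lower().endswith(OFFICE_EXTS)

def evaluate(filters, name, data, default="monitor"):
    """Return the action of the first matching filter; list order is priority."""
    for action, predicate in filters:
        if predicate(name, data):
            return action
    return default  # assumed default when no filter matches

# Constructed samples: a plain archive and a minimal OOXML-style package.
SAMPLE_ZIP = make_archive({"notes.txt": b"hello"})
SAMPLE_DOCX = make_archive({"[Content_Types].xml": b"<Types/>",
                            "word/document.xml": b"<document/>"})

IGNORE_ONLY = [("ignore", ignore_zip)]
MONITOR_FIRST = [("monitor", monitor_office), ("ignore", ignore_zip)]

if __name__ == "__main__":
    for label, filters in (("ignore only", IGNORE_ONLY), ("monitor first", MONITOR_FIRST)):
        for name, data in (("archive.zip", SAMPLE_ZIP), ("report.docx", SAMPLE_DOCX)):
            print(label, name, data[:4].hex(), evaluate(filters, name, data))
```

With only the Ignore filter, both samples are ignored because their first four bytes match; with the Monitor filter placed first, the Office file is monitored and the plain archive is still ignored.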