
Endpoint Prevent Block action places the blocked file into the Agent Quarantine folder


Article ID: 199723


Updated On:

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

When the Endpoint Prevent Agent blocks a file during a move operation, the file should normally be returned to its original location. However, sometimes the file is not returned to the source folder but is instead placed in the Agent Quarantine folder. This is also reflected in the Block popup, which shows the path where the file was placed.

Cause

This behavior is expected for the Cloud Storage channel, as putting the file back into the source location would force the Cloud Storage application to re-upload it to the cloud storage website, resulting in an upload loop and numerous incidents for the same action. Because of this, the file is instead put into the Quarantine folder.

However, this can also be seen for other channels, such as Removable Storage. In this case, the reason is that the Agent is not able to determine the file's original location.

This is also reflected in the Incident Snapshot for the copy action, where the filename variable normally includes the full source path of the file. If the Agent is not able to resolve the original location, filename is populated with just the file name and no path.

An example of when this can happen is when a folder on a network share is mapped as a local drive for access from a laptop, and that drive is then used as the file source for a Removable Storage copy operation. From the end user's perspective the file sits on a locally mounted drive, but in reality it is on a network share, which is not a local location.

This is also revealed in the Agent logs at the FINEST logging level, which show the following path for the file in the Detection Request Details:

DIM File Detection Request Details : 
 file: \\DfsClient\;K:0000000000b38a42\fileserver.domain.com\folder\filename.txt

Instead of a local folder, a network path is displayed. 

The following entry will also be present in the log:

CreateRecoveryFile(): original: \\DfsClient\;K:0000000000b38a42\fileserver.domain.com\folder\filename.txt, recovery: C:\Users\username\My Recovered Files\Others\filename.txt DD-MM-YYYY HH.MM.SS.MS AM\filename.txt
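To check an Agent log for this condition, here is an added example (not part of this article or of the DLP product) that parses the CreateRecoveryFile entry shown above and reports whether the original path is a local drive path or a network (DfsClient/UNC) path, which is the case where quarantine is expected. It assumes that the ";K:<hex>" token in the DfsClient path names the drive letter the share was mapped to, and the sample log lines, host name, hex id and timestamp are constructed for illustration.

```python
import re

# Constructed sample lines modelled on the FINEST-level entries quoted in the article;
# the host name, hex id and timestamp are made up for illustration.
SAMPLE_LOG = (
    r"DIM File Detection Request Details : " "\n"
    r" file: \\DfsClient\;K:0000000000b38a42\fileserver.domain.com\folder\filename.txt" "\n"
    r"CreateRecoveryFile(): original: \\DfsClient\;K:0000000000b38a42\fileserver.domain.com\folder\filename.txt, "
    r"recovery: C:\Users\username\My Recovered Files\Others\filename.txt 01-02-2023 10.11.12.123 AM\filename.txt"
)

# The CreateRecoveryFile entry: "original: <source path>, recovery: <quarantine path>"
RECOVERY_RE = re.compile(r"CreateRecoveryFile\(\): original: (?P<original>.+?), recovery: (?P<recovery>.+)")
# Assumption: the ';K:<hex>' token after \\DfsClient\ is the drive letter the share was mapped to,
# followed by the real file server and the path on that server.
DFS_RE = re.compile(r"^\\\\DfsClient\\;(?P<drive>[A-Za-z]):[0-9A-Fa-f]+\\(?P<server>[^\\]+)\\(?P<rest>.+)$")


def classify_source(path):
    """Return ('local', details) or ('network', details) for the original path the Agent recorded."""
    m = DFS_RE.match(path)
    if m:
        # Mapped drive resolved through DFS: the user saw K:\..., the file really lives on the server.
        return "network", {"server": m["server"], "mapped_as": f"{m['drive']}:\\{m['rest']}"}
    if path.startswith("\\\\"):
        return "network", {"unc": path}  # plain UNC path, also not a local location
    return "local", {"path": path}


def explain_block(log_text):
    """Explain from the log why a blocked file landed in quarantine instead of its source folder."""
    for line in log_text.splitlines():
        m = RECOVERY_RE.search(line)
        if not m:
            continue
        kind, details = classify_source(m["original"])
        return {
            "original": m["original"],
            "recovery": m["recovery"],
            "source_kind": kind,
            "details": details,
            # Network source: the Agent cannot restore to the original location, so quarantine is expected.
            "expected_quarantine": kind == "network",
        }
    return None  # no CreateRecoveryFile entry in this log excerpt


def snapshot_source_resolved(filename_field):
    """Incident Snapshot check: a bare file name with no path means the source could not be resolved."""
    return "\\" in filename_field or "/" in filename_field
```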

Resolution

This is expected behavior when the DLP Agent is not able to resolve the source path of a blocked file: the file is then placed in the Agent Quarantine folder. The Quarantine folder path itself is configurable in the Agent Configuration on Enforce, in the Settings tab, under the File Recovery Area Location setting.