DLP Endpoint Agent Channel Filters - Unexpected behaviour

Article ID: 203040

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

You want to understand how agent channel filters work in relation to agent policies.

Environment

Release : 15.x

Component : Agent configuration, agent policies

Resolution

Agent data is filtered in two stages, in this order:

  1. Agent Configuration
  2. Policy

Anything filtered out at step 1 is never available for evaluation in step 2.

For example:

  • If a policy detection rule uses a protocol such as Removable Storage, you will only get incidents for removable storage devices from the file types that the agent configuration includes for monitoring on that channel.
  • If a policy monitors the Cloud Storage channel but that channel is not selected in the agent configuration, you will receive no incidents at all.

A complicating factor is the behaviour of True Type files in the agent configuration channel filters, which recognize certain file types by a single signature. For example, all Open Office type documents are seen as one type, so filtering on .docx at the agent configuration level will also filter .pptx, .xlsx, etc. More details on True Type files here. At the policy level, however, these file types can be distinguished.
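The following is an added toy model of the two-stage filtering order described above, written for this article to make the behaviour concrete; it is not Data Loss Prevention code and does not reproduce the product's real data structures. The channel names, the constructed agent configuration, the policy names and the True Type grouping table are all assumptions chosen to illustrate the two scenarios in the bullets plus the .docx/.xlsx/.pptx case.

```python
"""Toy model of DLP Endpoint agent filtering: agent configuration first, policy second.

Events that the agent configuration drops never reach policy evaluation, so a
policy can be perfectly correct and still produce no incidents.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed assumption: at the agent-configuration level the True Type
# signature lumps the whole Open Office / OOXML family into one type, so a
# filter configured for .docx also admits .xlsx and .pptx.
AGENT_TRUE_TYPE: Dict[str, str] = {
    "docx": "ooxml",
    "xlsx": "ooxml",
    "pptx": "ooxml",
    "pdf": "pdf",
    "txt": "text",
}


@dataclass(frozen=True)
class Event:
    channel: str
    filename: str


@dataclass
class AgentConfig:
    # channel -> True Types monitored on that channel.
    # A channel missing from the dict is "not selected" on the agent.
    monitored: Dict[str, Set[str]]


@dataclass
class Policy:
    name: str
    channels: Set[str]
    extensions: Optional[Set[str]]  # None means "any file type"


def extension(filename: str) -> str:
    """Lower-case extension without the dot, or '' if there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def stage1_agent_filter(config: AgentConfig, events: List[Event]) -> List[Event]:
    """Step 1: keep only events on selected channels whose True Type is monitored."""
    kept = []
    for ev in events:
        types = config.monitored.get(ev.channel)
        if types is None:
            continue  # channel not selected in the agent configuration
        if AGENT_TRUE_TYPE.get(extension(ev.filename)) not in types:
            continue  # file type not included for this channel
        kept.append(ev)
    return kept


def stage2_policy(policies: List[Policy], events: List[Event]) -> List[Tuple[str, Event]]:
    """Step 2: policy rules see exact extensions, so .xlsx and .pptx differ here."""
    incidents = []
    for ev in events:
        for pol in policies:
            if ev.channel not in pol.channels:
                continue
            if pol.extensions is not None and extension(ev.filename) not in pol.extensions:
                continue
            incidents.append((pol.name, ev))
    return incidents


def evaluate(config: AgentConfig, policies: List[Policy], events: List[Event]):
    """Run the two stages in the order the agent applies them."""
    return stage2_policy(policies, stage1_agent_filter(config, events))


# Constructed scenario: the agent monitors Removable Storage for ".docx" only
# (which the True Type grouping widens to the whole OOXML family) and does not
# select Cloud Storage at all.
CONFIG = AgentConfig(monitored={"Removable Storage": {"ooxml"}})

POLICIES = [
    Policy("Spreadsheets to USB", {"Removable Storage"}, {"xlsx"}),
    Policy("Cloud upload", {"Cloud Storage"}, None),
    Policy("PDF to USB", {"Removable Storage"}, {"pdf"}),
]

EVENTS = [
    Event("Removable Storage", "budget.xlsx"),   # passes step 1, matches policy
    Event("Removable Storage", "deck.pptx"),     # passes step 1, no policy matches
    Event("Removable Storage", "contract.pdf"),  # dropped at step 1 despite a PDF policy
    Event("Cloud Storage", "notes.docx"),        # dropped at step 1: channel not selected
]


def demo() -> List[Tuple[str, Event]]:
    return evaluate(CONFIG, POLICIES, EVENTS)


if __name__ == "__main__":
    for name, ev in demo():
        print(f"incident: policy={name!r} channel={ev.channel!r} file={ev.filename!r}")
```

Only `budget.xlsx` produces an incident: the agent filter built for .docx lets it through because of the shared True Type, while the PDF and Cloud Storage events are discarded before their policies ever run. When a policy yields fewer incidents than expected, check the agent configuration's channel selection and file-type filters before changing the policy.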