DLP Securlet (DAR) policy to quarantine sensitive files fails to quarantine randomly when the policy is triggered.
A file that is locked by MSFT cannot be quarantined because the file cannot be moved and deleted. Several reasons for locks can occur.
CASB will attempt to quarantine the file 5 time with in interval of 3 minutes in between each retry. Symantec is examining the amount of time that a file is typically locked and may adjust the interval in the future. Symantec is also looking for a more explicit notification for the administrator.
Touching the file in OneDrive will cause the policy to trigger and attempt the quarantine again.
The file in this state will show as exposed content in CloudSOC and can be manually quarantined by selecting the file from the exposed content tab in the securlet.
This may have been previously limited. Testing as of CASB 3.151 shows O365 Securlet successfully performs quarantine on several test files that were locked.
State of File prior to Securlet performed remediation:
File Protection in Enabled state: