DLP Policy Fails to Quarantine a O365 Onedrive File.

book

Article ID: 208239

calendar_today

Updated On:

Products

CASB Security Advanced

Issue/Introduction

DLP Securlet (DAR) policy to quarantine sensitive files fails to quarantine randomly when the policy is triggered.

 

Cause

A file that is locked by MSFT cannot be quarantined because the file cannot be moved and deleted.

Resolution

CASB will attempt to quarantine the file 5 time with in interval of 3 minutes in between each retry.  Symantec is examining the amount of time that a file is typically locked and may adjust the interval in the future.  Symantec is also looking for a more explicit notification for the administrator.

Workaround:

Touching the file in OneDrive will cause the policy to trigger and attempt the quarantine again.

The file in this state will show as exposed content in CloudSOC and can be manually quarantined by selecting the file from the exposed content tab in the securlet.