DLP Endpoint policy to monitor or block by file type is not working as expected
search cancel

DLP Endpoint policy to monitor or block by file type is not working as expected


Article ID: 257987


Updated On:


Data Loss Prevention Endpoint Prevent


Policy is using a file type detection rule. Some file types may work as expected and others do not.





Release : 15.8, 16.0


If other detection rules are working but file type is not working it usually caused by one of two main reasons:

1. The policy is configured to use file type but the agent configuration has ignore filters (or lack monitor filters) for those file types on the applicable channels

2. The file type has a shared signature with other file types, those other file types have different priority and or monitor / ignore rules that supersede the rule for this file type. See True file type filtering.


Go to the agent configuration System > Agents > Agent Configuration

Then edit the applicable agent configuration

Click on the Channel Filters tab. There you will see filters for channels. Verify the channel you are using is set to monitor the file type you want to monitor AND that there isn't an ignore filter for that file type with a higher priority. 

If you are unsure, a good test here is to create a priority 1 monitor file for the specific file type and apply it to the channel in question (http / email / etc). Then save the configuration and apply the configuration to the agent group and retest.

If the issue still persists then the file type may be shared with another file type. If you review the true file type filtering docs you will see that .zip and .jar have the same signature. This means that if you monitor for .zip file on a priority 1 rule and ignore .jar files on a priority 5 rule then .jar files will still be monitored because they have the same file type as .zip. The resolution is to filter the two file types the same.