
DLP Endpoint policy to monitor or block by file type is not working as expected


Article ID: 257987


Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

Policy is using a file type detection rule. Some file types may work as expected and others do not.


Environment

Release : 15.8, 16.0

Cause

If other detection rules work but the file type rule does not, the cause is usually one of two things:

1. The policy uses a file type detection rule, but the agent configuration has ignore filters (or lacks monitor filters) for those file types on the applicable channels.

2. The file type shares a signature with other file types, and those other file types have a different priority and/or monitor/ignore rules that supersede the rule for this file type. See the True file type filtering documentation.

Resolution

Go to the agent configuration: System > Agents > Agent Configuration.

Then edit the applicable agent configuration.

Click the Channel Filters tab, which lists the filters for each channel. Verify that the channel you are using is set to monitor the file type you want to monitor AND that there is no ignore filter for that file type with a higher priority.

If you are unsure, a good test is to create a priority 1 monitor filter for the specific file type and apply it to the channel in question (HTTP, email, etc.). Then save the configuration, apply it to the agent group, and retest.

If the issue persists, the file type may share a signature with another file type. The true file type filtering documentation shows, for example, that .zip and .jar have the same signature (a .jar file is a ZIP archive). This means that if you monitor .zip files with a priority 1 rule and ignore .jar files with a priority 5 rule, .jar files will still be monitored: the agent detects them as the same true file type as .zip, and the priority 1 rule matches first. The resolution is to filter the two file types the same way (the same action at the same priority).
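The interaction between shared signatures and filter priority is easier to reason about when you see it evaluated. The following Python script is an added illustration, not Symantec DLP code: it classifies constructed sample files by their leading magic bytes (so a .jar and a .zip both resolve to the same true type), then walks a list of monitor/ignore filters in priority order the way the article describes. The signature table, the filter tuple layout and the function names are assumptions made for this example; the product's actual signature list is in the True file type filtering documentation.

```python
import io
import zipfile

# Assumed, simplified signature table. A JAR is a ZIP archive, so both start
# with the same local-file-header magic and land in one true-file-type group.
SIGNATURES = {
    b"PK\x03\x04": "zip/jar",
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Extension as chosen in a filter -> the true-file-type group it really covers.
EXTENSION_GROUP = {".zip": "zip/jar", ".jar": "zip/jar", ".pdf": "pdf", ".png": "png"}


def true_file_type(data: bytes) -> str:
    """Classify by content (magic bytes), never by the file name."""
    for magic, group in SIGNATURES.items():
        if data.startswith(magic):
            return group
    return "unknown"


def decide(data: bytes, filters):
    """Return (action, priority) of the first filter whose file type matches
    the content's true type, lowest priority number first. Filters are
    (priority, action, {extensions}) tuples (assumed layout for this example)."""
    group = true_file_type(data)
    for priority, action, exts in sorted(filters, key=lambda f: f[0]):
        if any(EXTENSION_GROUP.get(ext) == group for ext in exts):
            return action, priority
    return "no filter", None


def make_jar() -> bytes:
    """Constructed sample: a minimal JAR (ZIP with a manifest)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def make_zip() -> bytes:
    """Constructed sample: an ordinary ZIP containing one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "hello\n")
    return buf.getvalue()


# The misconfiguration from the article: monitor .zip at priority 1,
# ignore .jar at priority 5. The .jar is still monitored, because it has
# the same true file type as .zip and the priority 1 rule matches first.
BROKEN_FILTERS = [
    (1, "monitor", {".zip"}),
    (5, "ignore", {".jar"}),
]

# The fix: filter both file types the same way at the same priority.
FIXED_FILTERS = [
    (1, "ignore", {".zip", ".jar"}),
]

if __name__ == "__main__":
    jar, zip_ = make_jar(), make_zip()
    print("jar true type:", true_file_type(jar))
    print("broken config, jar ->", decide(jar, BROKEN_FILTERS))
    print("broken config, zip ->", decide(zip_, BROKEN_FILTERS))
    print("fixed config,  jar ->", decide(jar, FIXED_FILTERS))
```

Running this shows the .jar resolved as "monitor" at priority 1 under the broken configuration even though an ignore filter for .jar exists, and as "ignore" once both extensions are filtered together. The same check applies to any other pair of extensions that the documentation lists under one signature.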