Pop-up behavior on the DLP Endpoint

Article ID: 269348
Products

Data Loss Prevention; Data Loss Prevention Endpoint Prevent

Issue/Introduction

The goal of this article is to provide a brief description of how pop-ups on the DLP Endpoint function.

DLP allows three types of Pop-ups:

  • Block (Prevent) Rule*
  • Notify With User Cancel Rule*
  • Notify Rule*


This article mainly describes how the Notify With User Cancel Rule works. For simplicity it is referred to as the User/Cancel pop-up from here on.

Environment

DLP Agent 15.x

DLP Agent 16.x

Resolution

Detection
========

DLP detection operates at a basic level within the OS. As a result, detection typically occurs on a per-file basis even when a user selects multiple files or an entire folder, because at the OS level each file copy is its own operation.

The exception is when a single session contains multiple files and/or components, such as an email or a web post, or when the files are inside a single container object such as a zip file.

During each detection, the list of matching policies is identified, and from those policies the unique set of applicable response actions is determined. Once detection is complete, the user is notified that certain policies have been violated. This notification is the pop-up configured as a response rule on the violated policy.

Pop-ups
=======

Each applicable response action is normally executed in response-rule order, but block actions take the highest priority and always override all other applicable response actions, which are suppressed. The other response actions are suppressed because a blocked file was never transferred, so the remaining actions no longer apply.

Similarly, a User/Cancel response action overrides all other response actions (except a block action), because it can itself become a block.
The User/Cancel pop-up is shown for 1 minute by default; when the configured timeout expires, it is converted into a Block/Notify pop-up. This 1-minute timeout is controlled by the following settings:

PostProcessor.NETWORK_USER_RESPONSE_TIMEOUT.int
PostProcessor.FILE_SYSTEM_USER_RESPONSE_TIMEOUT.int
PostProcessor.OTHER_USER_RESPONSE_TIMEOUT.int

Timeouts for UI
=============

The UI.CONSECUTIVE_TRANSACTION_TIME.str setting controls the minimum time between pop-ups for violations of the same policy. For example, suppose the value is 10 seconds and the user copies a folder containing multiple files that violate the same policy. The first pop-up is shown for the first file. If the second file is scanned within the timeout, no pop-up is shown and the timeout restarts from 0. If every subsequent file is scanned within the timeout as well, the pop-up is shown only once for the whole copy. In this case, the justification the user supplied for the first file is applied to all further incidents; this is visible in the incident snapshot, where the "supersedes" value is set to true. This behavior is intentional and is meant to improve the user experience.

Auto-apply therefore continues for all further detections matching that policy until UI.CONSECUTIVE_TRANSACTION_TIME.str has elapsed since the detection that generated the pop-up for that policy.

Other response actions also allow a justification to be given. Once supplied, that justification can be cached and auto-applied to other files violating the same policy that are waiting for a justification, without prompting the user again.
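The precedence rules in the Pop-ups section and the consecutive-transaction window above are easier to reason about as a small state machine. The following Python simulation is an added example written for this article; it is not Symantec/Broadcom DLP agent code. The action names, the `Detection`/`Decision` types, the `PopupSimulator` class and the sample copy of five files are constructed for illustration, and the constructor arguments stand in for UI.CONSECUTIVE_TRANSACTION_TIME.str and the PostProcessor.*_USER_RESPONSE_TIMEOUT.int settings (both treated as seconds here; the real units and parsing are an assumption). It also assumes that a justification is cached only when the user actually supplied one.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Response-action labels used in this simulation (constructed, not DLP enum values).
BLOCK = "Block"
USER_CANCEL = "NotifyWithUserCancel"
NOTIFY = "Notify"
BLOCK_NOTIFY = "Block/Notify"   # what a User/Cancel pop-up becomes on timeout


@dataclass
class Detection:
    time: float          # seconds since the start of the copy operation
    file: str
    policy: str
    actions: List[str]   # response actions of the matching policy, in response-rule order


@dataclass
class Decision:
    file: str
    policy: str
    action: str                  # effective action after precedence is applied
    popup_shown: bool
    justification: Optional[str]
    supersedes: bool             # True when a cached justification was auto-applied


def effective_action(actions: List[str]) -> str:
    """Block overrides everything; User/Cancel overrides everything except Block;
    otherwise the first action in response-rule order applies."""
    if BLOCK in actions:
        return BLOCK
    if USER_CANCEL in actions:
        return USER_CANCEL
    return actions[0]


class PopupSimulator:
    def __init__(self, consecutive_window: float = 10.0, user_response_timeout: float = 60.0):
        # Stands in for UI.CONSECUTIVE_TRANSACTION_TIME.str (assumed seconds).
        self.window = consecutive_window
        # Stands in for the PostProcessor.*_USER_RESPONSE_TIMEOUT.int family (assumed seconds).
        self.response_timeout = user_response_timeout
        # policy -> (time of the detection that last refreshed the window, cached justification)
        self._cache: Dict[str, Tuple[float, str]] = {}

    def handle(self, det: Detection, user_justification: Optional[str] = None,
               user_delay: float = 0.0) -> Decision:
        """Decide what the user sees for one detection.

        user_justification and user_delay describe how the user would answer if a
        pop-up is shown (constructed inputs; the real agent gets them from the UI)."""
        action = effective_action(det.actions)
        if action == BLOCK:
            # Nothing is transferred, so no justification and nothing to cache.
            return Decision(det.file, det.policy, BLOCK, True, None, False)

        cached = self._cache.get(det.policy)
        if cached is not None and det.time - cached[0] <= self.window:
            # Same policy inside the window: suppress the pop-up, reuse the
            # justification (supersedes = true) and restart the window from here.
            self._cache[det.policy] = (det.time, cached[1])
            return Decision(det.file, det.policy, action, False, cached[1], True)

        # First hit for this policy, or the window expired: a pop-up is shown.
        if action == USER_CANCEL and user_delay >= self.response_timeout:
            # No answer within the timeout: User/Cancel converts to Block/Notify.
            return Decision(det.file, det.policy, BLOCK_NOTIFY, True, None, False)

        if user_justification is not None:
            self._cache[det.policy] = (det.time, user_justification)
        return Decision(det.file, det.policy, action, True, user_justification, False)


def demo() -> List[Decision]:
    """Constructed copy of five files with a 10 s window, as in the article's example."""
    sim = PopupSimulator(consecutive_window=10.0, user_response_timeout=60.0)
    return [
        sim.handle(Detection(0.0, "a.xlsx", "PCI", [NOTIFY, USER_CANCEL]), "Needed for audit"),
        sim.handle(Detection(1.0, "e.docx", "Secrets", [NOTIFY, BLOCK])),
        sim.handle(Detection(5.0, "b.xlsx", "PCI", [NOTIFY, USER_CANCEL])),
        sim.handle(Detection(12.0, "c.xlsx", "PCI", [NOTIFY, USER_CANCEL])),   # 7 s after b: window restarted
        sim.handle(Detection(30.0, "d.xlsx", "PCI", [NOTIFY, USER_CANCEL]), None, 60.0),  # user never answers
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Running `demo()` shows one pop-up for a.xlsx, a block for e.docx, no pop-up for b.xlsx and c.xlsx (c.xlsx is 12 s after the first pop-up but only 7 s after b.xlsx, which is why the restarting window matters), and a second pop-up for d.xlsx that becomes Block/Notify because the user did not answer within the response timeout.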

The UI.PREVENT_TIMEOUT.int setting applies once the User/Cancel pop-up has turned into Block/Notify. If the user does not respond to the Block/Notify pop-up before this timeout is reached, the default justification is added to the incident and the incident is persisted.