About File Filters On Mac DLP Agents.
Article ID: 274441
Updated On:
Products
Issue/Introduction
File filters function the same way on mac and windows however there are some implementation differences to be aware of.
Environment
Release : 15.8, 16.0
Resolution
1. File filters are converted into regex patterns when the agent loads. Some conversions take place. For example the wildcard "*" will become ".*". Also some characters will automatically have escape characters added to them, such as "." will become "\."
2. The mac agent includes default path filters that are not part of any agent configuration. This includes the following:
| ACTION | TYPE | PATH/TYPE |
| IGNORE | SizeTypeFilter | .*\.ds_store |
| IGNORE | SizeTypeFilter | .*\.plist |
| IGNORE | SizeTypeFilter | .*\.dylib |
| IGNORE | Path Filter | /library/manufacturer/.* |
| IGNORE | Path Filter | /usr/.* |
| IGNORE | Path Filter | /applications/.* |
| IGNORE | Path Filter | /private/var/.* |
| IGNORE | Path Filter | /private/etc/.* |
| MONITOR | Path Filter | /system/volumes/.* |
| IGNORE | Path Filter | /system/.* |
| IGNORE | Path Filter | /library/internet plug-ins/.* |
| IGNORE | Path Filter | /library/application support/crashreporter/.* |
| IGNORE | Path Filter | /library/developer/.* |
| IGNORE | Path Filter | /library/caches/.* |
| IGNORE | Path Filter | /library/fonts/.* |
| IGNORE | Path Filter | /users/.*/library/saved application state/.* |
| IGNORE | Path Filter | /users/.*/library/keychains/.* |
| IGNORE | Path Filter | /users/.*/library/caches/.* |
| IGNORE | Path Filter | /users/.*/library/preferences/.* |
| IGNORE | Path Filter | /users/.*/library/developer/.* |
| IGNORE | Path Filter | /users/.*/library/safari/.* |
| IGNORE | Path Filter | /users/.*/library/cookies/.* |
| IGNORE | Path Filter | /users/.*/library/internet plug-ins/.* |
| IGNORE | Path Filter | .*/\.\.namedfork/rsrc/.* |
| IGNORE | Path Filter | /private/tmp/com\.google\.keystone/.* |
| IGNORE | Path Filter | /library/google/chrome/.* |
| IGNORE | Path Filter | /users/.*/library/google/.* |
| IGNORE | Path Filter | /users/.*/.*/\.trash/.* |
| IGNORE | Path Filter | /users/.*/my recovered files/.* |
| IGNORE | Path Filter | .*/\.dropbox\.cache.* |
3. During load, file filters are normalized to all lower case, however, during detection the file paths are also normalized to all lower case, this ensures that detection will still match in a case insensitive manner similar to windows agents.
4. OS and DLP variables are not supported. it is recommended you use the following syntax to exclude things such as corporate OneDrive directories /users/*/OneDrive/* This will get converted to /users/.*/onedrive/.* upon load.
5. If you want to ignore only the corporate OneDrive directories but still monitor personal OneDrive directories you can consider using the following syntax in the Ignore filter for Cloud Storage channel:
*/OneDrive - Corporate/*
*/OneDrive-Corporate/*
where Corporate is the name of the organisations OneDrive which will ignore the following for example:
/Users/*/Library/CloudStorage/OneDrive-Corporate/
/Users/*/Library/CloudStorage/OneDrive - Corporate/
/Users/*/Library/Group Containers/user.OneDriveStandaloneSuite/OneDrive-Corporate.noindex/OneDrive-Corporate/
/Users/*/Library/Group Containers/user.OneDriveStandaloneSuite/OneDrive - Corporate.noindex/OneDrive - Corporate/
Feedback
