Duplicate incidents with a specific application on Endpoint Prevent.

Article ID: 275835

Products

Data Loss Prevention Enforce

Issue/Introduction

Multiple incidents are being generated for the same files repeatedly for certain applications, such as WeChat.

Environment

Search the original file path for evidence that it is a folder from which the application attempts to sync or transfer files repeatedly, e.g. 'some/path/transfers/'.
Such a path is evidence that retrying after a failed transfer may be expected application behavior, which would generate further DLP events.

Cause

While they are not cloud applications themselves, some applications may retry a file transfer if the initial attempt failed, for example because it was blocked by DLP.

Resolution

Try the following to remediate the duplicate incidents:

1. If within acceptable risk, create a path filter within the channel filters to exclude the paths creating the duplicate incidents.

2. Within Application Monitoring (either global or local), set the offending application as a cloud application. This causes the files in the sync/transfer folder to be removed upon a block and stored in the 'my recovered files' location. It will, however, cause incidents generated by this application to be listed as cloud sync incidents within the DLP console instead of the prior incident type (which varies).

3. If the incidents are very close together but eventually stop, you can try increasing the UI.CONSECUTIVE_TRANSACTION_TIME.int setting. Increasing it makes consecutive transfers count as part of the same file activity, potentially eliminating the duplicates.
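As an added illustration (not part of this article and not the product's own logic), the following Python snippet shows how the path evidence above and the consecutive-transaction window in step 3 fit together: it groups constructed sample incidents on the same application and file path into one activity when the gap between them is within a window, and flags paths that contain a transfer/sync folder. The window unit (seconds here) and the grouping rule are assumptions for illustration, not the actual semantics of UI.CONSECUTIVE_TRANSACTION_TIME.int.

```python
from datetime import datetime, timedelta

# Constructed sample incidents (timestamp, application, file path); not real DLP data.
SAMPLE_INCIDENTS = [
    ("2024-05-01 10:00:00", "WeChat.exe", r"C:\Users\a\Documents\WeChat Files\transfers\report.xlsx"),
    ("2024-05-01 10:00:03", "WeChat.exe", r"C:\Users\a\Documents\WeChat Files\transfers\report.xlsx"),
    ("2024-05-01 10:00:07", "WeChat.exe", r"C:\Users\a\Documents\WeChat Files\transfers\report.xlsx"),
    ("2024-05-01 10:30:00", "WeChat.exe", r"C:\Users\a\Documents\WeChat Files\transfers\report.xlsx"),
    ("2024-05-01 11:00:00", "explorer.exe", r"E:\removable\budget.docx"),
]

# Folder-name hints that suggest a retrying sync/transfer location (illustrative list).
RETRY_PATH_HINTS = ("transfers", "sync")


def parse(incidents):
    """Turn the string timestamps into datetime objects."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), app, path) for ts, app, path in incidents]


def looks_like_retry_folder(path):
    """True if any directory component (not the file name) contains a retry hint."""
    parts = path.replace("\\", "/").lower().split("/")
    return any(hint in part for part in parts[:-1] for hint in RETRY_PATH_HINTS)


def coalesce(incidents, window_seconds):
    """Group incidents with the same (app, path) whose gap to the previous one is within the window.

    This mimics, in simplified form, treating consecutive transfers as one file activity.
    """
    groups = []       # each group: app, path, first/last timestamp, count
    last_by_key = {}  # most recent open group per (app, path)
    for ts, app, path in sorted(parse(incidents)):
        key = (app, path)
        prev = last_by_key.get(key)
        if prev is not None and ts - prev["last"] <= timedelta(seconds=window_seconds):
            prev["last"] = ts
            prev["count"] += 1
        else:
            group = {"app": app, "path": path, "first": ts, "last": ts, "count": 1}
            groups.append(group)
            last_by_key[key] = group
    return groups


def summarize(incidents, window_seconds):
    """Coalesced groups plus a flag showing whether the path looks like a retry folder."""
    return [{**g, "retry_folder": looks_like_retry_folder(g["path"])}
            for g in coalesce(incidents, window_seconds)]
```

Running summarize(SAMPLE_INCIDENTS, 5) collapses the three WeChat incidents a few seconds apart into one activity while the later one and the explorer.exe incident stay separate; a window of 0 leaves all five as distinct incidents.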

Additional Information

About Channel Filter Configuration
About Global Application Monitoring
Advanced Agent Settings