DLP Endpoint agent is unable to detect file uploads on virustotal.com website in Chrome browser.

Article ID: 276562


Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

When a sensitive file is uploaded to virustotal.com in the Chrome browser, the upload succeeds without triggering an endpoint HTTPS incident. When the same file is uploaded in Chrome to another website, such as dlptest.com, the DLP agent detects it and an incident is triggered.

Environment

DLP 15.8.x and 16.0

Cause

virustotal.com is a non-standard website: it does not follow the expected behavior for posting data that the DLP agent relies on.

Resolution

Starting with DLP 16.0 RU1 (16.0.1), Google and Broadcom collaborated on an SDK through which DLP can query the Chrome SDK for the data being uploaded to a specific site, so that DLP can perform detection on it. This added capability allows detection on websites that do not follow the expected behavior for posting data, which is what DLP had to rely on before this SDK was available as a source for the data. Customers who require detection on non-standard websites such as virustotal.com need to upgrade to 16.0 RU1, switching to the new Chrome Content Analysis SDK.