SEP indicates data was written to removable storage while DLP incident says the action was blocked.

Article ID: 276805

Updated On:

Products

Data Loss Prevention Endpoint Prevent, Endpoint Protection Cloud

Issue/Introduction

A report from SEP (Symantec Endpoint Protection) Device Control identified users who had exfiltrated data to removable storage, while the corresponding DLP incident says the action was blocked.

Cause

SEP uses a kernel driver for this action, while DLP uses a file system minifilter driver.

Resolution

SEP uses kernel drivers for this (sysplant.sys and sydvctrl.sys), and its report that data was written to USB is accurate.

DLP uses a file system filter driver, which does not act until the 'file close' operation occurs. By that time the data has already been written. If a Block rule is triggered, DLP deletes the file from the removable device and then restores the file to its original location.

This means both SEP and DLP are correct: the data was written to USB, but it was then deleted by DLP.
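The sequence above explains why the two records disagree without conflicting. As an added example that is not part of this article or of either product, the Python below reconciles constructed SEP device-control write events with constructed DLP incidents: a SEP write followed within a short window by a DLP Block incident for the same user and file is classified as written and then removed by DLP, while a write with no matching Block is flagged for follow-up because the data may still be on the device. The record fields, the time window and the response values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed shape of a SEP device-control record: a write to removable storage.
@dataclass
class SepDeviceEvent:
    user: str
    file_path: str
    timestamp: datetime

# Constructed shape of a DLP Endpoint incident; 'response' is assumed to be
# the rule action that fired (e.g. "Block" or "Notify").
@dataclass
class DlpIncident:
    user: str
    file_path: str
    timestamp: datetime
    response: str

def reconcile(sep_events, dlp_incidents, window=timedelta(seconds=30)):
    """Map (user, file_path) to an outcome label for each SEP write event.

    The DLP filter driver acts at file close, so a matching DLP incident is
    expected at or shortly after the SEP write; the window bounds that gap.
    """
    outcomes = {}
    for ev in sep_events:
        match = None
        for inc in dlp_incidents:
            same_subject = (inc.user == ev.user
                            and inc.file_path.lower() == ev.file_path.lower())
            gap = inc.timestamp - ev.timestamp
            if same_subject and timedelta(0) <= gap <= window:
                match = inc
                break
        key = (ev.user, ev.file_path)
        if match is None:
            # SEP saw the write and DLP reported nothing: data may remain on device.
            outcomes[key] = "written_no_dlp_incident"
        elif match.response.lower() == "block":
            # Both reports are correct: written, then deleted and restored by DLP.
            outcomes[key] = "written_then_removed_by_dlp"
        else:
            # DLP saw it but did not block, so the copy on the device stayed.
            outcomes[key] = "written_dlp_" + match.response.lower()
    return outcomes

# Constructed sample records for a quick run.
T = datetime(2024, 1, 15, 10, 0, 0)
SEP_EVENTS = [
    SepDeviceEvent("jdoe", r"E:\q3_forecast.xlsx", T),
    SepDeviceEvent("jdoe", r"E:\notes.txt", T + timedelta(minutes=5)),
    SepDeviceEvent("asmith", r"E:\customer_list.csv", T + timedelta(minutes=10)),
]
DLP_INCIDENTS = [
    DlpIncident("jdoe", r"E:\q3_forecast.xlsx", T + timedelta(seconds=4), "Block"),
    DlpIncident("asmith", r"E:\customer_list.csv", T + timedelta(minutes=10, seconds=2), "Notify"),
]
```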

Additional Information

Drivers used by Endpoint Protection Client

How Does the DLP Endpoint Agent Block Data in Motion Requests (USB and Network Monitor)