Automation scripts not triggering DLP incidents

Article ID: 408389


Updated On:

Products

Data Loss Prevention Core Package
Data Loss Prevention Endpoint Prevent

Issue/Introduction

A custom automated script written to test file transfers over the removable storage (USB) channel does not trigger an incident, even though the file it writes contains a keyword that a simple keyword policy should match.

Instead of an incident, the script fails with a permission error at the moment it tries to write the file to the USB drive:

C:\Users\User\DLP\TEST_FOLDER>DLP_Test_Policy_USB_script.exe
C:\Users\User\AppData\Local\Temp\ONEFIL~2equests\__init__.py:109: RequestsDependencyWarning: urllib3 (1.26.9) or chardet (5.2.0)/charset_normalizer (2.0.12) doesn't match a supported version!

=== Symantec DLP Simulation Script ===
[+] Created local file with sensitive content: C:\Users\User\AppData\Local\Temp\onefile_14276_133967040316544576/Keyword_Test_File.txt

Traceback (most recent call last):
  File "C:\Users\User\AppData\Local\Temp\ONEFIL~2\DLP_Test_Policy_USB_script.exe.py", line 71, in <module>
  File "C:\Users\User\AppData\Local\Temp\ONEFIL~2\DLP_Test_Policy_USB_script.exe.py", line 55, in simulate_usb_transfer
  File "C:\Users\User\AppData\Local\Temp\ONEFIL~2\shutil.py", line 417, in copy
  File "C:\Users\User\AppData\Local\Temp\ONEFIL~2\shutil.py", line 256, in copyfile
PermissionError: [Errno 13] Permission denied: 'D:/Keyword_Test_File.txt'

Meanwhile the Endpoint Agent (EDPA) logs show a detection request being evaluated and allowed with no incident. Note the file the request carries: it is desktop.ini from the user's profile, not the keyword test file the script created.

Request Id #9514
Detection Request Details :

              Session Command : Single Request
              Request Type : Data In Motion Request
 
Dim Detection Request Details :
              Process Id : 14276
              Process Path : C:\Users\User\DLP\TEST_FOLDER\DLP_Test_Policy_USB_script.exe
              Application Name : DLP_Test_Policy_USB_script.exe
              User : User
              Domain : DOMAIN-COM
              Time Stamp : 07/11/2025 10:40:45
              Dim Event Type : Application file access
AFAC Detection Request Details :
 file: C:\Users\User\Links\desktop.ini
]
07/11/2025 11:40:45 | 24548 | INFO    | CoreServices.MessageLogger | MESSAGETYPE_SCHEDULE_DETECTION    MESSAGESOURCE_DETECTION_CACHE  07/11/2025 10:40:45 [req#9514 CrackingProcessPriority=NORMAL]
07/11/2025 11:40:45 | 24548 | INFO    | CoreServices.MessageLogger | MESSAGETYPE_START_DETECTION    MESSAGESOURCE_DETECTION_SCHEDULER  07/11/2025 10:40:45  [req#9514 CrackingProcessPriority=NORMAL]
07/11/2025 11:40:45 | 29928 | INFO    | Detection.SPIDocumentTypeDetector | Document type detected: [unknown]
07/11/2025 11:40:45 | 29928 | INFO    | Detection.ContentService | document type=ascii, text size=572
07/11/2025 11:40:45 | 24548 | INFO    | CoreServices.MessageLogger | MESSAGETYPE_DETECTION_RESULT    MESSAGESOURCE_DETECTION  07/11/2025 10:40:45  [req#9514 SUCCESS  no incidents]
07/11/2025 11:40:45 | 24548 | INFO    | CoreServices.MessageLogger | MESSAGETYPE_DETECTION_RESPONSE    MESSAGESOURCE_POSTPROCESSOR  07/11/2025 10:40:45  [
Request Id #9514 SUCCESS allow
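The check a practitioner wants at this point is whether the request the agent evaluated actually carried the test file. The following parser is an added example, not part of this article or of the DLP product; it reads an EDPA log excerpt in the format shown above (the sample below is constructed from that excerpt) and reports, per request id, the event type, the file in the AFAC request and the detection result, flagging requests that never touched the expected file.

```python
"""Confirm which file the Endpoint Agent actually evaluated for a detection request.

Added example, not part of the KB article. SAMPLE_LOG is constructed from the
excerpt above. For req#9514 the AFAC request carries desktop.ini, not the
keyword test file, so the "no incidents" result never exercised the policy.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
Request Id #9514
Detection Request Details :
              Session Command : Single Request
              Request Type : Data In Motion Request
Dim Detection Request Details :
              Process Id : 14276
              Process Path : C:\Users\User\DLP\TEST_FOLDER\DLP_Test_Policy_USB_script.exe
              Application Name : DLP_Test_Policy_USB_script.exe
              Dim Event Type : Application file access
AFAC Detection Request Details :
 file: C:\Users\User\Links\desktop.ini
]
07/11/2025 11:40:45 | 24548 | INFO    | CoreServices.MessageLogger | MESSAGETYPE_START_DETECTION    MESSAGESOURCE_DETECTION_SCHEDULER  07/11/2025 10:40:45  [req#9514 CrackingProcessPriority=NORMAL]
07/11/2025 11:40:45 | 24548 | INFO    | CoreServices.MessageLogger | MESSAGETYPE_DETECTION_RESULT    MESSAGESOURCE_DETECTION  07/11/2025 10:40:45  [req#9514 SUCCESS  no incidents]
07/11/2025 11:40:45 | 24548 | INFO    | CoreServices.MessageLogger | MESSAGETYPE_DETECTION_RESPONSE    MESSAGESOURCE_POSTPROCESSOR  07/11/2025 10:40:45  [
Request Id #9514 SUCCESS allow
"""


@dataclass
class DetectionRequest:
    request_id: str
    event_type: str = ""
    process_path: str = ""
    files: list = field(default_factory=list)
    result: str = ""      # from the MESSAGETYPE_DETECTION_RESULT line
    response: str = ""    # from the closing "Request Id #N ..." line


_REQ_ID = re.compile(r"^\s*Request Id #(\d+)\s*(.*?)\s*$")
_KV = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")   # "Key : value" detail lines
_RESULT = re.compile(r"\[req#(\d+)\s+(.+?)\]")


def parse_edpa_log(text: str) -> dict:
    """Return {request_id: DetectionRequest} for every request in the excerpt."""
    requests, current = {}, None
    for line in text.splitlines():
        m = _REQ_ID.match(line)
        if m:
            rid, trailer = m.groups()
            current = requests.setdefault(rid, DetectionRequest(rid))
            if trailer:                      # "Request Id #9514 SUCCESS allow"
                current.response = trailer
            continue
        if "MESSAGETYPE_DETECTION_RESULT" in line:
            m = _RESULT.search(line)
            if m:
                rid, verdict = m.groups()
                requests.setdefault(rid, DetectionRequest(rid)).result = " ".join(verdict.split())
            continue
        m = _KV.match(line)
        if not (m and current):
            continue
        key, value = m.groups()
        if key == "Process Path":
            current.process_path = value
        elif key == "Dim Event Type":
            current.event_type = value
        elif key == "file":                  # AFAC request: the file under evaluation
            current.files.append(value)
    return requests


def evaluated_expected_file(req: DetectionRequest, expected_name: str) -> bool:
    """True only if the agent's request actually carried the test file."""
    names = (f.replace("\\", "/").rsplit("/", 1)[-1].lower() for f in req.files)
    return expected_name.lower() in names


def verdict(req: DetectionRequest, expected_name: str) -> str:
    if not req.files:
        return f"req#{req.request_id}: no file in the request"
    if evaluated_expected_file(req, expected_name):
        return f"req#{req.request_id}: {expected_name} evaluated, result {req.result!r}"
    return (f"req#{req.request_id}: evaluated {req.files} instead of {expected_name}; "
            f"result {req.result!r} does not exercise the policy")


if __name__ == "__main__":
    for r in parse_edpa_log(SAMPLE_LOG).values():
        print(verdict(r, "Keyword_Test_File.txt"))
```

Run against a real agent log with your own test file name; a "no incidents" result is only meaningful for a request whose file list contains that name.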

Environment

Data Loss Prevention Endpoint Prevent

version 16.1 

Cause

A GPO present on the endpoint denies write access to removable storage. The operating system rejects the copy (PermissionError, Errno 13) before any data reaches the USB drive, so the Endpoint Agent never sees a removable storage transfer to inspect. The only request it evaluates is an unrelated application file access (desktop.ini in the log above), which contains no policy keyword and is correctly allowed. The missing incident is a test setup problem, not a detection failure.

Resolution

Add an exception for the test endpoint to the GPO (or exclude it from the setting that denies removable storage write access) and apply the updated policy on the endpoint. Once the script can actually write the file to the USB drive, the Endpoint Agent intercepts the removable storage transfer, evaluates the file content against the keyword policy and generates the incident. When validating a policy with a script, confirm that the copy itself succeeds and that the agent log shows the test file name in the request before concluding that the policy does not match.
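The original script treated every exception the same way and crashed, which hides the difference between "the OS refused the write" and "DLP inspected the file and allowed it". The script below is an added example, not the article's script: it writes a keyword file, attempts the copy through an injectable copy function (so the failure path can be exercised without a USB drive or a GPO), and classifies the outcome so the tester knows whether to look at the DLP policy or at the endpoint's device policy. The registry path read by removable_storage_policy() is where Group Policy stores the "Removable Storage Access" settings; that path and the Disk Drives class GUID are my assumption, not something stated in this article.

```python
"""Removable-storage test transfer that separates "could not write" from "DLP allowed".

Added example, not the script from the KB article. KEYWORD must match the
keyword configured in the test policy (assumed value here).
"""
import shutil
import sys
import tempfile
from pathlib import Path

KEYWORD = "CONFIDENTIAL-DLP-TEST"   # assumed; use the keyword from your policy


def write_test_file(folder: Path, name: str = "Keyword_Test_File.txt") -> Path:
    path = folder / name
    path.write_text(f"Test document containing {KEYWORD} for Endpoint Prevent.\n")
    return path


def classify_failure(exc: BaseException) -> str:
    """Map the copy exception to the thing the tester should investigate next."""
    if isinstance(exc, PermissionError):
        # Errno 13 before the file exists on the device: the write was refused by
        # the OS (device control GPO, read-only media, ACL), not by DLP.
        return "blocked_before_dlp"
    if isinstance(exc, FileNotFoundError):
        return "destination_missing"     # drive letter or folder not present
    return "other_error"


def simulate_usb_transfer(src: Path, dest_dir: Path, copy=shutil.copy) -> dict:
    """Copy src into dest_dir and report what happened, never raising."""
    dest = dest_dir / src.name
    try:
        copy(str(src), str(dest))
    except Exception as exc:
        return {"outcome": classify_failure(exc), "error": f"{type(exc).__name__}: {exc}"}
    # A completed copy means the agent saw a removable-storage write; the
    # incident (or its absence) in the Enforce console is now meaningful.
    return {"outcome": "copied", "dest": str(dest)}


def removable_storage_policy() -> dict:
    """Read the Removable Storage Access policy values Group Policy writes (Windows only).

    Assumed layout: Deny_All under the base key is "All Removable Storage classes:
    Deny all access"; Deny_Write under the Disk Drives class GUID is
    "Removable Disks: Deny write access". Returns {} on non-Windows hosts.
    """
    if sys.platform != "win32":
        return {}
    import winreg
    base = r"SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
    checks = [(base, "Deny_All"),
              (base + r"\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}", "Deny_Write")]
    found = {}
    for subkey, value in checks:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                found[f"{subkey}\\{value}"], _ = winreg.QueryValueEx(key, value)
        except OSError:
            pass                         # value not set: that policy is not applied
    return found


def demo() -> dict:
    """Exercise all three outcomes in a temp dir, with the denied path simulated."""
    def denied(src, dst):
        raise PermissionError(13, "Permission denied", dst)

    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = write_test_file(tmp)
        (tmp / "usb").mkdir()
        return {
            "copied": simulate_usb_transfer(src, tmp / "usb")["outcome"],
            "blocked": simulate_usb_transfer(src, tmp / "usb", copy=denied)["outcome"],
            "missing": simulate_usb_transfer(src, tmp / "no_such_drive")["outcome"],
        }


if __name__ == "__main__":
    target = Path(sys.argv[1] if len(sys.argv) > 1 else "D:/")
    with tempfile.TemporaryDirectory() as work:
        result = simulate_usb_transfer(write_test_file(Path(work)), target)
    print(result)
    if result["outcome"] == "blocked_before_dlp":
        print("Write refused by the OS, not by DLP. Device policy values:",
              removable_storage_policy() or "none found")
```

Run it with the removable drive as the argument (for example `D:/`). Only a `copied` outcome tells you anything about the keyword policy; `blocked_before_dlp` means the GPO (or another OS-level control) stopped the write first.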