What does the red alarm clock icon mean on Mac DLP incidents

Article ID: 424395

Products

Data Loss Prevention Network Monitor and Prevent for Email and Web

Issue/Introduction

We noticed that some Mac incidents show a red alarm clock icon instead of the normal block icon. What is this icon, and what is the impact on the resulting incident?
When you hover over the icon, the text indicates that the file was allowed on timeout.

Cause

Under the macOS Endpoint Security Framework (ESF), DLP is allotted a set amount of time to perform detection on each file event. When this time is exceeded, the application must release the file.
If the file being inspected is an archive format (for example ZIP, JAR, DOCX or XLSX), the file is allowed to transfer once the deadline is hit, even if PostProcessor.NOTIFY_WITH_CANCEL_DEFAULT_ACTION.int (16.0 and 16.1)
or
PostProcessor.NOTIFY_WITH_CANCEL_ON_MAC.int (16.1 and later) is set to '1' or 'block'.

Resolution

DLP 25.1 contains new handling of the ESF timeout via caching for the HTTPS channels, which helps alleviate this concern.

DLP 26.1 will expand on this caching feature to include more detection channels. 
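The fail-open behaviour described in the Cause and Resolution sections, as an added Python simulation that is not Symantec's code: the per-event budget, the member scan costs, the `CONFIDENTIAL` marker and the idea that a cached verdict is stored after the file is released are all assumptions made to illustrate why archives time out and how a verdict cache mitigates it.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed model (not Symantec DLP code): ESF gives the agent a fixed budget per
# file event; if no verdict is ready when it expires, the file is released
# ("allowed on timeout") regardless of the configured block setting.
ALLOW, BLOCK, ALLOWED_ON_TIMEOUT = "allow", "block", "allowed_on_timeout"

@dataclass
class Agent:
    budget_ms: int                  # assumed per-event ESF deadline
    block_on_match: bool = True     # stands in for NOTIFY_WITH_CANCEL_* set to '1'
    use_cache: bool = False         # stands in for the 25.1-style verdict cache
    cache: dict = field(default_factory=dict)

    def _full_verdict(self, members):
        matched = any("CONFIDENTIAL" in text for text, _ in members)
        return BLOCK if (matched and self.block_on_match) else ALLOW

    def scan(self, members):
        """members: list of (text, cost_ms); an archive has several, a plain file one."""
        key = hashlib.sha256(repr(members).encode()).hexdigest()  # content-keyed
        if self.use_cache and key in self.cache:
            return self.cache[key]  # verdict already known, no deadline risk
        spent = 0
        for _, cost_ms in members:
            spent += cost_ms
            if spent > self.budget_ms:
                # Deadline hit: ESF needs an answer now, so the file is released.
                # Assumed mitigation: finish detection afterwards and remember the
                # verdict so the next transfer of the same content is decided at once.
                if self.use_cache:
                    self.cache[key] = self._full_verdict(members)
                return ALLOWED_ON_TIMEOUT
        verdict = self._full_verdict(members)
        if self.use_cache:
            self.cache[key] = verdict
        return verdict

PLAIN = [("CONFIDENTIAL quarterly report", 20)]  # constructed single-member file
ARCHIVE = [("readme.txt", 40), ("CONFIDENTIAL quarterly report", 40), ("logo.png", 40)]

def demo(budget_ms=100):
    legacy = Agent(budget_ms)
    cached = Agent(budget_ms, use_cache=True)
    return {
        "plain_legacy": legacy.scan(PLAIN),
        "archive_legacy": legacy.scan(ARCHIVE),
        "archive_cached_first": cached.scan(ARCHIVE),
        "archive_cached_second": cached.scan(ARCHIVE),
    }
```

The plain file is blocked within budget, the archive is released on timeout every time without the cache, and with the cache only the first transfer escapes.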

Additional Information

Using the User Cancel Response Rule and the ESF Timeout for macOS Endpoints

Mac documentation:
https://developer.apple.com/documentation/endpointsecurity/es_message_t/deadline