File type exception in Channel Filters is not working

search cancel

File type exception in Channel Filters is not working

book

Article ID: 439598

calendar_today

Updated On:

Products

Data Loss Prevention Core Package

Issue/Introduction

File Types have been set to ignore in the Enforce Console > System > Agents > Agent Configuration > select the Configuration > Channel Filter tab > Filter by File Properties.

For example:

Testing the file type on the Endpoint Agent, logs show DLP is still running detection on the file type instead of ignoring them.

Environment

Symantec Data Loss Prevention

Cause

Additional review of the logs show the ignore filter that includes *.mov is incorrect.

Filter: monitor: 0 | SizeTypeFilter: devices: 0, type: (.*\.dll)|(.*\.exe)|(.*\.sys) | 
Filter: monitor: 0 | SizeTypeFilter: devices: 1, type: (.*\.mov, .*\.mp3, .*\.mp4, .*\.xml, .*\.bin, .*\.prproj, .*\.mxf) | 

Each of the file types should be separated by an OR (|) and not comma separated for the regexe.
The first line with dll, exe, and sys has the expected format. The second line with mov is comma separated.

The console allows the admin to add file types on a single line with a comma. However, we expect a single file type per line.

Resolution

Confirm the list of file types in the ignore filter are entered on new lines instead of a single line that's comma separated.

Example of single line that's comma separated (incorrect):
*.mov, *.mp3, *.mp4, *.xml, *.bin, *.prproj, *.mxf
Example of new lines (correct):
*.mov
*.mp3
*.mp4
*.xml
*.bin
*.prproj
*.mxf

Additional Information

The requirement to use a new line is mentioned in Documentation.

https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/16-1/about-discovering-and-preventing-data-loss-on-endpoints/adding-and-editing-agent-configurations/channel-filters-settings/filter-by-file-properties-settings/configuring-file-filters.html#v23015404

Feedback

thumb_up Yes

thumb_down No