File type exclusions do not trigger when the type listed is a container.
No errors are received, but incidents are generated even when they match the file type set in the policy exclusion.
This happens when a file type exception is attached to a content-based rule and the "Apply Exception to:" option is set to "Matched Component Only".
When the detection server receives a message (here the "message" is a file), it breaks the message into components. For a container file (CAB, ZIP, RAR) the components are the files packaged inside the container, and the original container itself is also treated as a component.
With "Matched Components Only" selected, the rule is evaluated first and the exception is compared only afterwards. Under this ordering the content-based rule reports false for the container component itself, because a container has no content of its own to evaluate. Detection then evaluates the exception, which reports true because the component is an encapsulating file, but since the rule did not match there is no match for the exception to apply to. An incident can therefore still be generated if violating data is found in the packaged files.
With "Entire Message" selected instead, the exception is evaluated first; if it reports true, the entire message is excluded from detection and no incident is generated.
Configure the exception to apply to "Entire Message" so that the exception is considered.
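The two evaluation orders described above, as an added model (not the product's own code): a message is decomposed into the container component plus its packaged files, and each "Apply Exception to:" mode is run over those components. The component and rule representations, the sample archive "payroll.zip" with its two members, and the assumption that in "Entire Message" mode the exception counts as true when any component matches the excluded type are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import List

CONTAINER_TYPES = {"zip", "cab", "rar"}


@dataclass
class Component:
    """One component of a message; a container carries no content of its own."""
    name: str
    file_type: str
    content: str = ""


def decompose(container_name: str, container_type: str,
              members: List[Component]) -> List[Component]:
    """Model the detection server splitting a message into components:
    the original container plus every file packaged inside it."""
    if container_type.lower() not in CONTAINER_TYPES:
        raise ValueError(f"{container_type!r} is not a container type")
    return [Component(container_name, container_type)] + list(members)


def content_rule_matches(comp: Component, keyword: str) -> bool:
    """Content-based rule: a container component has no content, so it never matches."""
    return keyword.lower() in comp.content.lower()


def file_type_exception_matches(comp: Component, excluded_types: set) -> bool:
    """File type exception: true when the component's type is in the excluded set."""
    return comp.file_type.lower() in excluded_types


def evaluate(components: List[Component], keyword: str, excluded_types: set,
             apply_to: str) -> List[str]:
    """Return the names of components that would generate an incident."""
    excluded_types = {t.lower() for t in excluded_types}
    if apply_to == "Entire Message":
        # Exception first (assumed: any component matching the excluded type
        # suppresses the whole message); only then is the rule evaluated.
        if any(file_type_exception_matches(c, excluded_types) for c in components):
            return []
        return [c.name for c in components if content_rule_matches(c, keyword)]
    if apply_to == "Matched Components Only":
        incidents = []
        for c in components:
            if not content_rule_matches(c, keyword):
                continue  # rule reported false: there is no match to except
            if file_type_exception_matches(c, excluded_types):
                continue  # exception applies to this matched component
            incidents.append(c.name)  # matched, but the member is not the excluded type
        return incidents
    raise ValueError(f"unknown 'Apply Exception to' value: {apply_to!r}")


def demo() -> dict:
    """Constructed sample: a ZIP holding one file that violates a keyword rule."""
    message = decompose("payroll.zip", "zip", [
        Component("salaries.docx", "docx", "Confidential salary data for Q3"),
        Component("readme.txt", "txt", "Nothing sensitive here"),
    ])
    return {
        mode: evaluate(message, keyword="salary", excluded_types={"zip"}, apply_to=mode)
        for mode in ("Matched Components Only", "Entire Message")
    }


if __name__ == "__main__":
    for mode, incidents in demo().items():
        print(f"{mode}: incidents on {incidents or 'none'}")
```

Running the script shows the symptom from the article: with "Matched Components Only" the ZIP component itself never matches the content rule, so the exception has nothing to attach to and the packaged "salaries.docx" still raises an incident; with "Entire Message" the exception is checked first and the whole message is excluded.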