Content Scanning

You can use content scanning to scan files in order to detect and prevent exfiltration of data, such as credit card information, banking routing numbers and national identity numbers.

Content scanning is enabled at the Realm level.

(In the Administration app, select Endpoints > Agent Realms > Interaction > Enable Content Scanning.)

Content Scanning Detection and Prevention

Content Scanning and Detection Rules

To set up content scanning for detection rules:

  • Make sure Content Scanning is enabled (Agent Realm > Advanced Settings > Interactions > Enable Content Scanning).

  • Make sure the triggers to scan are turned on for the Agent Realm (Agent Realm > Advanced Settings > Interactions > Scan Triggers for Detection Rules > Choose Values).

  • Set up a detection rule with what you want to scan for.

For details, see Creating Detection Rules that Use Content Scanning.

Content Scanning and Prevention Rules

To set up content scanning for prevention rules:

  • Make sure Content Scanning is enabled and the triggers and detectors you want to scan are turned on for the Agent (Agent Realm > Advanced Settings > Interactions > Enable Content Scanning).

  • Set up a prevention rule with what you want to scan for.

  • Add the prevention rule to the relevant Agent Policy.

  • Assign this Agent Policy to the Agent Realm.

Content scanning for prevention scans source files to determine which files to block. When there is no source file available for scanning, the file will be blocked to prevent exfiltration of data.

To enable content scanning for prevention rules with MIP, from the Agent realm, select Advanced Settings > MIP Integration.

Resource Limitation

You can control the impact of content scanning on the endpoint resources.

At the optimized level, content scanning requires high CPU consumption during scanning. You can determine the resource level you want. The higher the level, the faster the scan and the greater the resource consumption. A lower level slows the scan but uses fewer resources.

The faster the scan, the higher the impact on CPU. You can optimize scan time with the Use of Content Scanning CPU Resources options:

  • Scan time optimized: Fastest scanning time with highest impact on CPU

  • Scan time favor: Fast scan time with high impact on CPU

  • Balanced: Long scanning time with low impact on CPU

  • CPU optimized: Longest scanning time with lowest impact on CPU

The table describes the modes and resource impact.

| Mode | Details | Scan time | Impact on Endpoint Resources | Resources Usage |
|---|---|---|---|---|
| Time optimized | Fastest Scanning time / Highest impact on CPU | Fastest | Highest | 100% |
| Time favor | Fast Scanning time / High impact on CPU | Fast | High | 80% |
| Balanced | Long Scanning time / Low impact on CPU | Long | Low | 40% |
| Optimized for Resources | Longest Scanning time / Lowest impact on CPU | Longest | Lowest | 20% |

To enable this option and configure the resources, in the Advanced Settings of the Realm, select Interaction > Enabled Content Scanning > Advanced Options > Use of Content Scanning CPU Resources. From the Time Optimized dropdown menu, select the mode you want.

From Agent version 3.4.x, the content scanning component requires DLL files from the Microsoft redistributable package (2022). If the Microsoft redistributable package, including the C:\Windows\system32\vcruntime140.dll file, is not already installed on your computer, the agent bundle installation process will deploy the necessary DLL files silently, and a system restart may be necessary. If a Microsoft redistributable package is partially installed or an older version of the package is installed, it is advisable to install the most recent package from the Microsoft website (https://learn.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170) before initiating the agent installation.

Content Scanning Features

  • Partial Text Extraction is an additional capability in Content Scanning that allows the Agent to scan only partial text. This feature attempts to ease the content scanning process. See Content Scanning Partial Text Extraction.

  • Thresholds and applied actions allow you to set the limits in order to have control over user experience. You can configure what the Agent will do when Content Scanning fails because thresholds were exceeded or other content scanning related failures occurred. See Content Scanning Thresholds.

  • Snippets contain the matched content detected, plus 20 characters before and after. This additional information helps you understand the context of the scanned content and is useful for validation. Snippets are reported as part of Activity in Explorations. (Agent Realm > Advanced Settings > Interactions > Enable Snippets)

    Snippets might be included as metadata if Activity data is exported to a SIEM.

  • Content Scanning in Explorations lets you create explorations that let you review when scanned content is detected or blocked.
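
The snippet behaviour described above (the match plus 20 characters on each side), shown as an added Python example that is not the product's own detector. The regex, the Luhn check, the names `scan`, `luhn_ok`, `CONTEXT` and `SAMPLE`, and the sample text are all constructed for illustration.

```python
import re

CONTEXT = 20  # characters kept before and after each match, as the page states

# Assumed candidate pattern: 13-19 digits, optionally separated by a space or hyphen.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that are not payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> list[dict]:
    """Return one finding per Luhn-valid candidate, with its surrounding snippet."""
    findings = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue
        start = max(0, m.start() - CONTEXT)      # clamp at start of content
        end = min(len(text), m.end() + CONTEXT)  # clamp at end of content
        findings.append({
            "match": m.group(),
            "offset": m.start(),
            # The snippet embeds the matched value itself, so any system that
            # stores or receives it (for example a SIEM) holds that data too.
            "snippet": text[start:end],
        })
    return findings


# Constructed sample: 4111 1111 1111 1111 is a widely used test card number;
# the 16-digit order id fails the Luhn check and is not reported.
SAMPLE = ("Invoice for order 1234567890123456 was paid with card "
          "4111 1111 1111 1111 on 2024-01-05 by the customer.")

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"offset={f['offset']} snippet={f['snippet']!r}")
```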