Content Scanning
You can use content scanning to scan files in order to detect and prevent the exfiltration of data such as credit card information, bank routing numbers, and national identity numbers.
Content scanning is enabled at the Realm level.
(In the Administration app, select Endpoints > Agent Realms > Interaction > Enable Content Scanning.)
Content Scanning Detection and Prevention
Content Scanning and Detection Rules
To set up content scanning for detection rules:
- Make sure Content Scanning is enabled (Agent Realm > Advanced Settings > Interactions > Enable Content Scanning).
- Make sure the triggers you want to scan are turned on for the Agent Realm (Agent Realm > Advanced Settings > Interactions > Scan Triggers for Detection Rules > Choose Values).
- Set up a detection rule with what you want to scan for.
For details, see Creating Detection Rules that Use Content Scanning.
Content Scanning and Prevention Rules
To set up content scanning for prevention rules:
- Make sure Content Scanning is enabled and the triggers and detectors you want to scan are turned on for the Agent (Agent Realm > Advanced Settings > Interactions > Enable Content Scanning).
- Set up a prevention rule with what you want to scan for.
- Add the prevention rule to the relevant Agent Policy.
- Assign this Agent Policy to the Agent Realm.
Content scanning for prevention scans source files to determine which files to block. When there is no source file available for scanning, the file will be blocked to prevent exfiltration of data.
To enable content scanning for prevention rules with MIP, from the Agent Realm select Advanced Settings > MIP Integration.
Resource Limitation
You can control the impact of content scanning on the endpoint resources.
At the optimized level, content scanning requires high CPU consumption during scanning. You can choose the resource level you want: the higher the level, the faster the scan and the greater the resource consumption; a lower level slows the scan but uses fewer resources.
The more you favor scan time, the higher the impact on CPU. You can tune this trade-off with the Use of Content Scanning CPU Resources options:
- Scan time optimized: Fastest scanning time with highest impact on CPU
- Scan time favor: Fast scan time with high impact on CPU
- Balanced: Long scanning time with low impact on CPU
- CPU optimized: Longest scanning time with lowest impact on CPU
The table describes the modes and their resource impact.

| Mode | Details | Scan time | Impact on Endpoint Resources | Resources Usage |
|---|---|---|---|---|
| Time optimized | Fastest scanning time / Highest impact on CPU | Fastest | Highest | 100% |
| Time favor | Fast scanning time / High impact on CPU | Fast | High | 80% |
| Balanced | Long scanning time / Low impact on CPU | Long | Low | 40% |
| Optimized for Resources | Longest scanning time / Lowest impact on CPU | Longest | Lowest | 20% |
To enable this option and configure the resources, in the Advanced Settings of the Realm, select Interaction > Enable Content Scanning > Advanced Options > Use of Content Scanning CPU Resources. From the Time Optimized dropdown menu, select the mode you want.
From Agent version 3.4.x, the content scanning component requires DLL files from the Microsoft redistributable package (2022). If the Microsoft redistributable package (which provides the C:\Windows\system32\vcruntime140.dll file) is not already installed on your computer, the agent bundle installation process deploys the necessary DLL files silently, and a system restart may be necessary. If a Microsoft redistributable package is only partially installed, or an older version of the package is installed, install the most recent package from the Microsoft website (https://learn.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170) before starting the agent installation.
Content Scanning Features
- Partial Text Extraction is an additional Content Scanning capability that allows the Agent to scan only part of a file's text, which eases the content scanning process. See Content Scanning Partial Text Extraction.
- Thresholds and applied actions let you set limits so that you keep control over the user experience. You can configure what the Agent does when Content Scanning fails because thresholds were exceeded or because another content scanning related failure occurred. See Content Scanning Thresholds.
- Snippets contain the matched content detected, plus 20 characters before and after it. This additional context helps you understand the scanned content and is useful for validation. Snippets are reported as part of Activity in Explorations (Agent Realm > Advanced Settings > Interactions > Enable Snippets). Snippets might be included as metadata if Activity data is exported to a SIEM.
- Content Scanning in Explorations lets you create explorations that let you review when scanned content is detected or blocked.
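The following Python example is added here to illustrate what the product's UI hides; it is not the product's own code. It shows three things this page describes: a detector for the data types named at the top (a pattern plus a checksum, Luhn for card numbers and the ABA checksum for routing numbers, so that arbitrary digit runs do not fire), a snippet built as the match plus 20 characters of context on each side, and a prevention decision that blocks when no source file is available and applies a configured action when a scan threshold is exceeded. The detector names, the `max_bytes` threshold, the `block_on_failure` flag and the sample text are constructed for this example. Because the snippet carries the matched value verbatim, anything that receives snippets (such as a SIEM export) holds the sensitive data too.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Snippets are the matched content plus 20 characters before and after it.
SNIPPET_CONTEXT = 20

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Candidate ABA routing numbers: exactly nine digits with no adjacent digits.
ROUTING_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def aba_ok(digits: str) -> bool:
    """ABA routing number checksum (weights 3, 7, 1 repeated)."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(digits, weights)) % 10 == 0


@dataclass
class Match:
    detector: str  # constructed detector names for this example
    value: str     # the matched text exactly as it appeared in the file
    snippet: str   # match plus SNIPPET_CONTEXT characters on each side


def snippet_for(text: str, start: int, end: int) -> str:
    """Match plus 20 characters of context; clipped at the start of the text."""
    return text[max(0, start - SNIPPET_CONTEXT):end + SNIPPET_CONTEXT]


def scan_text(text: str) -> List[Match]:
    """Run both detectors; a regex hit only counts if its checksum validates."""
    found = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.append(Match("credit_card", m.group(), snippet_for(text, m.start(), m.end())))
    for m in ROUTING_RE.finditer(text):
        if aba_ok(m.group()):
            found.append(Match("bank_routing", m.group(), snippet_for(text, m.start(), m.end())))
    return found


@dataclass
class Decision:
    action: str  # "allow" or "block"
    reason: str
    matches: List[Match] = field(default_factory=list)


def decide(content: Optional[bytes], max_bytes: int, block_on_failure: bool) -> Decision:
    """Prevention decision for one file.

    content is None when no source file is available for scanning; such files are
    blocked. max_bytes stands in for a configured scan threshold (assumed name) and
    block_on_failure for the action applied when scanning fails (assumed name).
    """
    if content is None:
        return Decision("block", "no source file available for scanning")
    if len(content) > max_bytes:
        return Decision("block" if block_on_failure else "allow", "scan threshold exceeded")
    matches = scan_text(content.decode("utf-8", errors="replace"))
    if matches:
        return Decision("block", f"{len(matches)} match(es)", matches)
    return Decision("allow", "no matches")


# Constructed sample file content. The card number is a widely used test PAN and
# the routing number was chosen only to satisfy the ABA checksum.
SAMPLE = (
    "Invoice 2024-0117\n"
    "Card on file: 4111 1111 1111 1111 (exp 12/27)\n"
    "Wire to routing 123456780, account 000999888\n"
    "Not a card: 4111 1111 1111 1112\n"
    "Bad routing: 123456789\n"
)

if __name__ == "__main__":
    for match in scan_text(SAMPLE):
        print(match.detector, repr(match.snippet))
    print(decide(SAMPLE.encode(), max_bytes=1_000_000, block_on_failure=True).action)
```

Running the block on the sample reports one card number and one routing number; the two digit strings that fail their checksums are ignored even though they match the patterns, and the card snippet spans from `-0117\nCard on file: ` through ` (exp 12/27)\nWire to`.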