Content scanning is a complex and sensitive process that is influenced by various factors, such as file type, file size, the amount of text in the file, the number of detectors used, and the complexity of the detector's (use of regex, etc). All of these factors may affect the success of the process, the use of resources (CPU and Memory), and the scanning time.
When content scanning is used in prevention, all this is performed in real time and may have dramatic affect on the experience of the end user. Hence, in prevention, a delicate balance is advised in the way the tool is used to maintain user experience.
Content Scanning Thresholds
Several thresholds have been introduced at the Realm level to allow admin to set a limit for the number of files a user can copy/move in a single operation. These thresholds apply to prevention rules only.
These limits allow you to have control over user experience. You can configure what the Agent will do when Content Scanning fails because thresholds were exceeded or other content scanning related failures occurred.
In print prevention, file exceeds thresholds for content scanning are not enforced and agent will block the print.
Thresholds are defined at the Realm level when Enable Content Scanning is turned on.
You can set the following thresholds:
-
File Size Limit: Sets a limit for the file size. The maximum allowed is 1000MB. Default file size is 30MB.
-
Number of Files in Bulk: Sets the number of files that a user can copy/move in a single operation.
-
Time Extraction Limit: Sets a time limit for text extraction. The maximum time allowed is 10 minutes. Default time is 3 minutes.
-
Text Analysis Time Limit: Sets a time limit for the content scanning. The maximum time allowed is 60 minutes. Default time is 3 minutes.
-
Text Extraction Size: Sets the size of the text to be extracted. Maximum size is 150MB.
When the File Size Limit is exceeded, the Agent uses the configuration defined in the Realm. However, the Notification configured in Rule displays and not the Notification configured in the Realm.
Actions for Prevention
The table describes the actions taken in response to errors in Content Scanning defined in the Agent Realm when Prevention is enabled. (Processing > Prevention Enabled)
| Threshold | Description | Action | Notification Policy | OS |
|---|---|---|---|---|
|
Action to apply if file size exceeds threshold |
Applies to content scanning of files over the size limit. Sets a limit for the file size. The maximum allowed is 1000MB. Default file size is 30MB. |
Block |
Assigned |
Windows agent version 2.5.
|
|
Prompt |
Assigned |
|||
|
From Prevention Rule |
Rule |
|||
|
Action to apply on encrypted file |
Applies to content scanning of encrypted files. |
Allow |
None |
Windows agent version 3.8.0.
|
|
Block |
Assigned |
|||
|
Prompt |
Assigned |
|||
|
From Prevention Rule |
Rule |
|||
|
Action to apply when Cloud Assisted Service is unavailable |
Applies to special content scanning that involves the Cloud-Assisted Service (e.g., IDM), when scanning could not be completed due to Cloud-Assisted Service unavailable. |
Allow |
None |
Windows agent 4.3.0 |
|
Block |
Assigned |
|||
|
Prompt |
Assigned |
|||
|
From Prevention Rule |
Rule |
|||
|
Action to apply on Possible Match |
Applies to special content scanning that involves the Cloud-Assisted Service (e.g., IDM), when scan result indicates a Possible Match, which may be a false detection |
Allow |
None |
Windows agent 4.3.0 |
|
Block |
Assigned |
|||
|
Prompt |
Assigned |
|||
|
From Prevention Rule |
Rule |
|||
|
Action to apply for any other failure |
Applies to any other failure related to content scanning. |
Block |
Assigned |
Windows agent version 3.8.0.
. |
When an allow rule with a detector is configured on the realm, the agent processes the allow rule first and if the action meets a threshold the activity is allowed.
Actions
You can select one of the following options at the Realm level to define the behavior you want.
-
Apply Action from Prevention Rule: At the rule level, you either select Block or Prompt the user to provide a justification. (See ITM / Endpoint DLP Prevention Rules.).
-
Block and optionally assign End User Notifications: Content is blocked. If you want, you can assign an end user notification that will display when this occurs .
-
Prompt and optionally assign End User Notifications: The user is prompted to provide a justification. Justifications can be used with prevention rules to offer the user the option of continuing a prevented action by selecting a response. When a justification is selected, the action is allowed.
-
Allow: Allowing certain the files.
(For information about creating notifications, see Creating a Notification Policy for a Prevention Rule.)
Related Topic: