Mobile Device Detection and Prevention

The Agent now supports detecting and preventing file exfiltration via the Media Transfer Protocol (MTP) to media devices, such as USB-connected mobile phones.

This feature is available from Windows Agent 4.3.0. Contact your Proofpoint representative.

Windows Agents Support

All file copy or move actions using MTP are now monitored and reported to the backend with the Primary Category set to Copy to Media Device. Content scanning is also supported for this activity.

Windows Agents support:

  • Detection and prevention of transfers to Android devices, via Explorer only

  • Allowing or preventing file movements to Android devices that are not performed via Explorer

Administration Application

Prevention Rules

  • Activity: Copy to Media Device

  • Action: Block, Prompt the user to provide a justification, and Allow are supported.

  • File Retention is supported.

For Windows:

Prevention is supported for Android devices only and only when file transfers are performed via File Explorer.

Action to apply for non file-explorer file movements to Media Device (Android)

To handle scenarios where transfers are initiated outside File Explorer, you can set Action to apply for non file-explorer file movements to Media Device (Android) to Block or Allow. This setting is configured in the Advanced Settings of the Agent Realm (Processing > Enable Prevention).

  • By default, this is set to Allow.

  • When set to Block, any file transfers to Android media devices performed outside of File Explorer are blocked.

Detection Rules

To create a rule to detect exfiltration to a mobile device, set the following in Conditions and Actions:

  • To detect exfiltration to a mobile device: Primary Category / Category: Media Device Connect

  • If you want to specify the device: Devices > Device Name

Data Security Workbench

To analyze mobile device activity, filter on:

Activity > Primary Category / Category: Media Device Connect

Known Issues (Windows)

The following known issues apply from Windows Agent 4.3.0:

  • When the Agent Realm is configured to block non-File Explorer file movements, any newly created folders or folders containing transferred files will not be deleted; however, their contents will be deleted.

  • If a media device is mapped to a network drive using third-party applications (e.g., MTPdrive):

    • When the Agent Realm is configured to Block non-File Explorer file movements, file copy actions may be reported twice: once as Copy to Media Device and redundantly as File Copy.

    • When the Agent Realm is configured to Allow non-File Explorer file movements, file copy actions are reported as File Copy (and not as Copy to Media Device).

  • Performing a bulk file copy outside of File Explorer may trigger multiple user notifications instead of a single one, especially if the user closes the notifications quickly.

  • When using "Copy To" or "Move To" from the File Explorer ribbon, or performing a Drag & Drop to the Navigation Pane in File Explorer where the target folder is empty, the file transfer may be unnecessarily blocked.
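For triage of the duplicate-reporting known issue above (one transfer reported as both Copy to Media Device and File Copy), the following added example, which is not Proofpoint code, collapses the redundant File Copy record in a list of exported events. The record fields (time, user, host, file, category) and the 5-second pairing window are assumptions; only the two category names come from this page.

```python
from datetime import datetime, timedelta

MEDIA, FILE_COPY = "Copy to Media Device", "File Copy"

# Constructed sample records. Field names are hypothetical, not the product's export schema.
SAMPLE_EVENTS = [
    {"time": "2025-01-10T09:00:01", "user": "alice", "host": "WS-01",
     "file": "q4.xlsx", "category": MEDIA},
    {"time": "2025-01-10T09:00:02", "user": "alice", "host": "WS-01",
     "file": "q4.xlsx", "category": FILE_COPY},   # redundant twin of the event above
    {"time": "2025-01-10T09:05:00", "user": "bob", "host": "WS-02",
     "file": "notes.txt", "category": FILE_COPY},  # unrelated local copy
    {"time": "2025-01-10T09:30:00", "user": "alice", "host": "WS-01",
     "file": "q4.xlsx", "category": FILE_COPY},   # same file, but far outside the window
]


def _key(event):
    """Identity used to pair the two reports of one transfer."""
    return (event["user"], event["host"], event["file"])


def collapse_redundant_file_copies(events, window=timedelta(seconds=5)):
    """Return events in time order, dropping each File Copy that shadows a media copy.

    A File Copy is redundant when a not-yet-paired Copy to Media Device event
    exists for the same user, host and file within `window` (assumed value).
    Each media event absorbs at most one File Copy, so repeated copies survive.
    """
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    unpaired = {}
    for e in ordered:
        if e["category"] == MEDIA:
            unpaired.setdefault(_key(e), []).append(datetime.fromisoformat(e["time"]))
    kept = []
    for e in ordered:
        if e["category"] == FILE_COPY:
            t = datetime.fromisoformat(e["time"])
            candidates = unpaired.get(_key(e), [])
            match = next((m for m in candidates if abs(t - m) <= window), None)
            if match is not None:
                candidates.remove(match)  # consume the media event; drop this duplicate
                continue
        kept.append(e)
    return kept


if __name__ == "__main__":
    for e in collapse_redundant_file_copies(SAMPLE_EVENTS):
        print(e["time"], e["user"], e["file"], e["category"])
```

File Copy records that remain after collapsing still deserve review, since with the Allow setting a mapped-drive transfer is reported only as File Copy.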