Mobile Device Detection and Prevention
The Agent supports detecting and preventing file exfiltration via the Media Transfer Protocol (MTP) to media devices, such as USB-connected mobile phones.
Android devices are supported for Windows Agents and iOS devices are supported for Windows and Mac Agents.
For iTunes, support is based on user intent because the files are detected when they are dropped onto the iTunes app, not directly onto the iPhone. The iTunes app then syncs the files with the iPhone. If the sync is stopped, files may not arrive on the iPhone.
Windows Agents Support
All file copy or move actions using MTP are now monitored and reported to the backend with the Primary Category set to Copy to Media Device. Content scanning is also supported for this activity.
This feature is available from Windows 4.3.0. Contact your Proofpoint representative.
Android devices are supported as described in the table below.
Win Agent | Android Device
---|---
Device Type | Supported
Supported file operation | Windows File Explorer
File operation interception | Based on actual file operation
Rule actions | File Retention is not supported when the file source is not accessible, e.g. when the user performs a “file move” action
Max files in bulk | 5,000
Prevention on file operation using unsupported app | Files are deleted after they are copied to the media device. In some cases the file deletion may fail.
File tracking | Supported only when file path is available
Action to apply for non file-explorer file movements to Media Device (Android)
To handle scenarios where transfers are initiated outside File Explorer, you can configure the setting Action to apply for non file-explorer file movements to Media Device (Android) to Block or Allow. This setting is configured in the Advanced Settings of the Agent Realm (Processing > Enable Prevention).
- By default, this is set to Allow.
Mac Agent Support
The Mac Agent supports detecting file exfiltration via the Media Transfer Protocol (MTP) to media devices, such as USB-connected mobile phones.
This feature is available from Mac 4.4.0. Contact your Proofpoint representative.
Mac Agent | Android Device | iOS Device
---|---|---
Device Type | Not Supported | Supported
Supported file operation | NA | Finder
File copy method | NA | Drag & Drop
File Sync | NA | Not detected and not blocked
Justification action | NA | Sometimes custom justifications may not be available
Resume action | NA | Resume action may fail if the target window is not in focus
The following are supported for Mac:
- Detection and reporting of file transfer from Finder to iOS device using Drag & Drop
- Detection and reporting of iOS Device mounting
Administration Application
Prevention Rules
(Windows only)
- Activity: Copy to Media Device
- Action: Block, Prompt the user to provide a justification, and Allow actions are supported.
- File Retention is supported.
Detection Rules
To create a rule to detect exfiltration to a mobile device in Conditions and Actions:
- To detect exfiltration to a mobile device: Primary Category / Category > Media Device Connect
- If you want to specify the Device: Devices > Device Name
Data Security Workbench
To analyze Mobile Device activity: Activity > Primary Category / Category > Media Device Connect
Known Issues
Windows
The following are from Win Agent 4.3.0:
- When the Agent Realm is configured to block non-File Explorer file movements, any newly created folders or folders containing transferred files will not be deleted; however, their contents will be deleted.
- If a media device is mapped to a network drive using third-party applications (e.g., MTPdrive):
    - When the Agent Realm is configured to Block non-File Explorer file movements, file copy actions may be reported twice: once as Copy to Media Device and redundantly as File Copy.
    - When the Agent Realm is configured to Allow non-File Explorer file movements, the file copy action will be reported as File Copy (and not as Copy to Media Device).
- Performing a bulk file copy outside of File Explorer may trigger multiple user notifications instead of a single one, especially if the user closes the notifications quickly.
- When using "Copy To" or "Move To" from the File Explorer ribbon, or performing a Drag & Drop to the Navigation Pane in File Explorer where the target folder is empty, the file transfer may be unnecessarily blocked.
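The double reporting described above for devices mapped to a network drive can inflate exfiltration counts during triage. The following is an added example, not Proofpoint code: it collapses a File Copy record that shadows a Copy to Media Device record. The records are constructed, and the field names and the 5-second matching window are assumptions, not the product's export schema.

```python
from datetime import datetime, timedelta

# Constructed sample records; the field names are hypothetical.
FIELDS = ("user", "host", "file", "category", "time")
EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("alice", "WS-01", "plan.docx", "Copy to Media Device", "2024-05-01T10:00:00"),
    ("alice", "WS-01", "plan.docx", "File Copy", "2024-05-01T10:00:02"),  # redundant report
    ("alice", "WS-01", "notes.txt", "File Copy", "2024-05-01T10:05:00"),  # ordinary copy
    ("bob", "WS-02", "plan.docx", "File Copy", "2024-05-01T10:00:01"),    # different user
    ("alice", "WS-01", "plan.docx", "File Copy", "2024-05-01T11:00:00"),  # outside window
]]

MEDIA = "Copy to Media Device"
SHADOW = "File Copy"


def _key(event):
    return (event["user"], event["host"], event["file"])


def collapse_double_reports(events, window_seconds=5):
    """Return (kept, dropped). A File Copy record is dropped when a Copy to
    Media Device record exists for the same user, host and file within
    window_seconds (assumed tolerance). Each media record absorbs one copy."""
    window = timedelta(seconds=window_seconds)
    parsed = [(datetime.fromisoformat(e["time"]), e) for e in events]
    pending = {}  # key -> unmatched Copy to Media Device timestamps
    for ts, e in parsed:
        if e["category"] == MEDIA:
            pending.setdefault(_key(e), []).append(ts)
    kept, dropped = [], []
    for ts, e in sorted(parsed, key=lambda p: p[0]):
        if e["category"] == SHADOW:
            candidates = pending.get(_key(e), [])
            match = next((m for m in candidates if abs(ts - m) <= window), None)
            if match is not None:
                candidates.remove(match)
                dropped.append(e)
                continue
        kept.append(e)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = collapse_double_reports(EVENTS)
    for e in kept:
        print("keep", e["time"], e["user"], e["category"], e["file"])
    print("collapsed duplicates:", len(dropped))
```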
Mac
When copying to a media device, if the destination is unavailable or out of focus when content scanning completes, the copy will fail.