File Scanning Behavior and Caching
Proofpoint endpoint agents use intelligent caching mechanisms to optimize performance and avoid redundant scanning of unchanged files. This section explains when files are scanned, when cached results are reused, and how caching impacts detection and prevention behavior.
When a file is processed by the agent, it is typically scanned once and identified using a SHA256 hash. If the same file is encountered again without any modification, the agent may reuse the previous scan result instead of scanning the file again.
This behavior improves efficiency but can affect how repeated file operations are handled.
Caching Mechanisms
The agent uses two in-memory caching mechanisms:
- Web Upload Caching (Prevention Flow): This in-memory cache is used in web upload prevention workflows to maintain file integrity during scanning. It stores the file’s SHA256 hash and destination URL to verify that the file has not changed before allowing an upload to resume. It is triggered when a prevention rule with a “prompt” action is applied, enabling uploads to automatically continue after validation, particularly when the same file is sent to the same destination. The cache is cleared upon agent restart or configuration changes.
- Content Scanning Optimization Cache: This in-memory cache applies to both detection and prevention workflows and is used to improve performance by avoiding redundant scans. It stores the file’s SHA256 hash along with its associated scan results. When a file with the same hash is encountered again, the agent reuses the cached result instead of performing a new scan, provided the file has not changed. The cache persists only for the duration of the agent’s runtime and is cleared upon agent restart or configuration changes. There is no time-based expiration, meaning files do not age out of the cache based on time alone.
Impact on Detection and Prevention
Repeated File Handling: If a file is encountered again and its SHA256 hash has not changed, the agent reuses the cached scan result and does not perform a new scan. If the file has been modified, a new scan is triggered and detection and prevention rules are re-evaluated.
Rule Triggering Behavior: Because cached results are reused, detection and prevention rules may not trigger again for repeated actions involving the same unchanged file, even if those actions occur shortly after the initial event. This behavior is expected and designed to optimize performance.
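The following added example is a simplified model of the content scanning optimization cache described above. It is not Proofpoint code, and the names ScanCacheModel, toy_scanner and replay, along with the sample data, are hypothetical. It replays a constructed sequence of file events to show which ones cause a fresh scan and which ones reuse a cached result.

```python
import hashlib


class ScanCacheModel:
    """Illustrative model only: SHA256 digest -> cached scan result, no time-based expiry."""

    def __init__(self, scanner):
        self._scanner = scanner   # callable: bytes -> verdict string
        self._results = {}        # in-memory only; lost when the model is reset

    def process(self, content: bytes):
        """Return (verdict, scanned); scanned is False when the cached result is reused."""
        digest = hashlib.sha256(content).hexdigest()
        if digest in self._results:
            return self._results[digest], False
        verdict = self._scanner(content)
        self._results[digest] = verdict
        return verdict, True

    def reset(self):
        """Models an agent restart or configuration change, which clears the cache."""
        self._results.clear()


def toy_scanner(content: bytes) -> str:
    # Constructed stand-in for content inspection (assumption, not a real rule).
    return "match" if b"CONFIDENTIAL" in content else "clean"


def replay(events):
    """events: list of ("file", bytes) or ("reset", None); returns one outcome per event."""
    cache = ScanCacheModel(toy_scanner)
    outcomes = []
    for kind, payload in events:
        if kind == "reset":
            cache.reset()
            outcomes.append(("reset", None))
        else:
            verdict, scanned = cache.process(payload)
            outcomes.append((verdict, "scanned" if scanned else "cache-hit"))
    return outcomes


# Constructed sample: same file twice, a modified copy, a reset, then the original again.
DOC = b"CONFIDENTIAL: Q3 forecast"
EVENTS = [("file", DOC), ("file", DOC), ("file", DOC + b" v2"),
          ("reset", None), ("file", DOC)]

if __name__ == "__main__":
    for outcome in replay(EVENTS):
        print(outcome)
```

The "cache-hit" outcomes correspond to the repeated actions for which rules may not trigger again. The modified copy and the first encounter after a reset are scanned fresh.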
Notes:
- Be aware that unchanged files may not be re-scanned or re-trigger rules.
- If repeated enforcement is required:
  - Ensure workflows account for caching behavior.
  - Consider operational scenarios where agent restart or configuration updates may reset cache state.