Prevention Rules

Prevention Rules are policies for managing data exfiltration.

With prevention rules you can create policies that block the activity or prompt the user. In addition, the Allow action is supported for Web Upload, Cloud Sync Folder and USB.


Also, see ITM / Endpoint DLP Prevention Rules.

Prevention Rule Supported Actions

The following actions are supported:

  • Block: Activity is blocked. The end user is blocked with an end user notification.

  • Prompt the user to provide a justification: Activity is not blocked and the end user is prompted to select a response. (See Justifications.)

Prevention Rules are moving. Rules will remain accessible in their previous location temporarily; after a grace period, they will be found exclusively in the new location. The new location is Endpoints > Prevention Rules.

Prevention rules are enabled per Realm. You turn on/off Prevention Enabled in the Advanced Settings of the Agent Realm.

The table describes the activities, actions and filters supported for Prevention rules.

| Activity | Description | Action | Filters |
| --- | --- | --- | --- |
| USB | Copy to USB | Block; Prompt the user to provide a justification; Allow (Includes Trellix and BitLocker encryption.) | Detector, User, File/Resources, Devices |
| Cloud Sync Folder | Upload to Cloud Sync Folder (Supported for Windows Explorer only) | Block; Prompt the user to provide a justification; Allow (OneDrive, Google Drive, Box, Apple iCloud, Dropbox) | Detector, User, Processes/Applications, File/Resources, Devices |
| Upload files to the Web | Web File Upload | Block; Prompt the user to provide a justification | Detector, User, File/Resources |

Prevention Filters

Depending on the target, you can filter by the fields described in the table.

| Field | | Additional Information and Links |
| --- | --- | --- |
| User | User | |
| | Group Names | |
| Process/Application | Executable Name | Name of the executable file of the application |
| Files/Resources | Classification Labels | MIP File Label; Classification Accounts (MIP Labels for ITM / Endpoint DLP) |
| | File Name | File name you want, without the extension. Characters not supported by Windows OS are not supported and cannot be used (‘/’, ‘\’, ‘?’, ‘%’, ‘*’, ‘:’, ‘\|’, ‘”’, ‘<’, ‘>’). You can also set a rule to intercept a specific pattern of characters in a file name. Each character in the pattern is represented by the ? character, and the pattern can contain other characters and spaces. Use this for a file name that contains a defined pattern of characters. For example, ??_??_???? represents a date format in the file name, such as myfile 21_02_2023. An example with spaces, ?? ?? ???, would include myfile 21 02 2023. |
| | Content Type | Internally registered data type; True File Type Detection - Agent Realm |
| | Extension | File Extension |
| | Size | File Size |
| | Resource URL | Target URL the file is being uploaded to. |
| | Tracking Origin Resource URL | URL of the physical file that can be located on a different domain than the web page from which the download activity was triggered. |
| Devices | USB Vendor Name | |
| | USB Product Name | |
| | USB Serial Number | |
| | Device ID | |
| | Device Name | |
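
Added example (not Proofpoint code): a small checker for trying a File Name filter value against sample names before it goes into a rule. It assumes that ? stands for any single character and that the pattern may occur anywhere in the name; the function names and the sample file names are constructed for illustration.

```python
import os
import re

# Characters the page lists as unusable in a File Name filter value.
# '?' is on that list too, but it is kept out here because the page also
# uses it as the pattern placeholder. The page's quote mark is taken to be
# the ASCII double quote (assumption).
UNSUPPORTED = set('/\\%*:|"<>')


def unsupported_chars(value: str) -> list[str]:
    """Return the unsupported characters present in a filter value."""
    return sorted(set(value) & UNSUPPORTED)


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a '?' pattern: '?' is one character, the rest is literal.

    ASSUMPTION: '?' stands for any single character, not only a digit.
    """
    return re.compile("".join("." if c == "?" else re.escape(c) for c in pattern))


def name_matches(file_name: str, pattern: str) -> bool:
    """True when the name, extension removed, contains the pattern anywhere."""
    stem, _ext = os.path.splitext(file_name)
    return pattern_to_regex(pattern).search(stem) is not None


def matching_names(pattern: str, file_names: list[str]) -> list[str]:
    """Names from a test set that the pattern would catch, in input order."""
    return [n for n in file_names if name_matches(n, pattern)]


# Constructed sample names; the third has no date in the ??_??_???? position.
SAMPLE_NAMES = [
    "myfile 21_02_2023.xlsx",
    "myfile 21 02 2023.docx",
    "notes_on_q1_plan_2023.txt",
    "budget2023.pdf",
]

if __name__ == "__main__":
    for pat in ("??_??_????", "?? ?? ???"):
        print(repr(pat), "->", matching_names(pat, SAMPLE_NAMES))
    print(unsupported_chars("q3*report|v2"))
```

Under the any-character assumption the date pattern also catches notes_on_q1_plan_2023.txt, so a pattern is worth running against real file names before it is paired with the Block action.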

File Retention

File Retention is available on request. Contact your Proofpoint representative.

When you set up a rule, you can enable file retention so that files are retained in external storage. (Currently, the Microsoft Azure Blob solution is supported.)

  • Retain the files: When this option is selected, files that meet the criteria defined in the prevention rule are retained in external storage. You must configure the retention external storage on the Agent realm level for this to work. This option can be used in addition to the blocking and justification options. (For details about file retention, see File Retention.)

Prevention Rule Examples

The following describes some prevention rule examples.

  • User groups and endpoints: prevent any user who has given notice from copying important files to a USB. You maintain a list of these users or endpoints in conditions and add a rule that blocks users in the list from exfiltrating files to a USB.

  • File extension: prevent users from exfiltrating any .pdf file.

  • USB devices: prevent users from exfiltrating files to USBs if the serial numbers have not been approved.

  • Source URLs: prevent users from exfiltrating to a USB any tracked files that were downloaded from your CRM.

  • Classification label (MIP labels): prevent users from exfiltrating any tracked (downloaded from the Web) file with content that has been labeled to indicate this, using a label such as "confidential".

  • Cloud Sync provider: prevent users from exfiltrating to a provider other than the one your company uses. For example, your company uses Google Drive, so you block files to Dropbox and iCloud.

  • Detectors: prevent users from exfiltrating files that match specific detectors, such as credit card numbers. (See Content Scanning.)

  • Uploading files to the Web: prevent users from exfiltrating files to Google Drive.

Prevention Rule Flow

This describes the flow for a prevention rule.

  1. From the Proofpoint Information and Cloud Security Platform, select the Administration app. Select Endpoints > Prevention/Endpoint Rules.

  2. Click New Rule and, from the Prevention Rule area, click Create Rule. The Select Action to Perform panel displays.

  3. For a prevention rule, select Prevention Rule.

  4. In the General tab, complete the Name field and Description (optional) field.

  5. Click Next to continue to the Activity and Action tab.

  6. In the Activity tab, select from the list. In this example, USB is selected. Click Next.

  7. In the Settings tab, define the new rule using if/then logic, starting in the If section.

  8. By default, the Activity you selected is displayed. In this example, Activity is USB. Click Add Row to add additional filters or conditions.

  9. From the Select dropdown, select the Select Prevention Condition. From the Select Prevention Condition list, select User name List. Click Next.

  10. In the Then area, select the action. Click Next.

  11. From the Agent Policies, select the Agent Policies. Click Save.

Related Topic:

Prevention/Endpoint Rules

ITM / Endpoint DLP Prevention Rules