ITM / Endpoint DLP Prevention Rules
This topic is for ITM / Endpoint DLP rules only.
Prevention rules let you stop data exfiltration by blocking it in real time.
- Enabling ITM / Endpoint DLP Prevention Rules: Describes how to enable Prevention Rules and the options.
- Prevention Rules Supported Actions: Describes the actions supported for each supported activity.
- Allow Action on Prevention Rules: Describes how the allow action lets you create prevention rules that block sensitive file movements while allowing certain files based on specific criteria.
- Prevention Rules Filters and Fields: Describes the filters you can use in Prevention Rules.
- Prevention Rules - Retain File: Describes how to create prevention rules where files are retained in external storage.
- Print Detection and Prevention: Describes the print prevention feature.
Some examples of prevention rules include:
- Blocking a specific user or group of users from exfiltrating to a cloud sync folder, such as Google Drive
- Blocking all users from uploading files to the Web (Windows only)
- Blocking users from printing to their local computer
Prevention upon copying/moving to a Cloud Sync Folder or USB device is applied only when the source of the exfiltration is not that exact exit point. That is, copying/moving files within the same USB device or within the same Cloud Sync Folder is detected, but it is not prevented.
For Web File Upload, a file change during rule processing or a URL change automatically fails the upload.
macOS runs in case-sensitive mode. Make sure names are defined with the correct capitalization in rule conditions.
If the Agent fails to extract a field used in a Prevention Rule, the entire Prevention Rule is skipped and will not trigger. For example, if a Prevention Rule is based on the True File Type field (File / Resources > Content Type > True File Type) and that field cannot be extracted due to encryption, the Prevention Rule will not trigger, even if all other fields/conditions in that Prevention Rule match (evaluate as TRUE). This is true for both positive and negative operators.
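The same-exit-point and skipped-rule behavior described above can be sketched as a small decision model. This is an added example, not the product's code: the field names, operators and activity records are hypothetical and constructed for illustration.

```python
# Simplified model of the evaluation notes above; not the product's code.
# Field names and the activity records are constructed for illustration.
MISSING = object()  # stands for a field the Agent could not extract


def rule_matches(conditions, activity):
    """Return True/False, or None when the whole rule is skipped."""
    # One unextractable field skips the rule, whatever the operator is.
    if any(activity.get(field, MISSING) is MISSING for field, _, _ in conditions):
        return None
    for field, op, expected in conditions:
        actual = activity[field]
        # Comparison here is case-sensitive, matching the macOS note.
        hit = actual == expected if op == "is" else actual != expected
        if not hit:
            return False
    return True


def decide(conditions, activity):
    """Map one file activity to 'skipped', 'no_match', 'detected_only' or 'blocked'."""
    matched = rule_matches(conditions, activity)
    if matched is None:
        return "skipped"
    if not matched:
        return "no_match"
    # Movement inside the same exit point is detected but not prevented.
    if activity["source"] == activity["destination"]:
        return "detected_only"
    return "blocked"


POSITIVE = [("exit_point", "is", "USB"), ("true_file_type", "is", "PDF")]
NEGATIVE = [("exit_point", "is", "USB"), ("true_file_type", "is_not", "TXT")]

SAMPLES = {
    "disk_to_usb": {"exit_point": "USB", "true_file_type": "PDF",
                    "source": "local-disk", "destination": "usb-1"},
    "encrypted_to_usb": {"exit_point": "USB", "true_file_type": MISSING,
                         "source": "local-disk", "destination": "usb-1"},
    "within_usb": {"exit_point": "USB", "true_file_type": "PDF",
                   "source": "usb-1", "destination": "usb-1"},
}

if __name__ == "__main__":
    for name, activity in SAMPLES.items():
        print(name, decide(POSITIVE, activity), decide(NEGATIVE, activity))
```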
Related Topic:
ITM / Endpoint DLP Exit Points