ITM / Endpoint DLP Prevention Rules

This topic is for ITM / Endpoint DLP rules only.

Prevention rules let you stop data exfiltration. Prevention rules block exfiltration in real-time.

For a prevention rule to match, its Detectors must be included in the Data Classes of the Realm it’s assigned to.

• Enabling ITM / Endpoint DLP Prevention Rules: Describes how to enable Prevention Rules and the options.

• Prevention Rules Supported Actions: Describes the actions supported for each supported activity.

  • Allow Action on Prevention Rules: Describes how the allow action lets you create prevention rules that block sensitive file movements while allowing certain files based on specific criteria.

  • Data Redaction for GenAI: Describes how you can redact specific text when data is exfiltrated via GenAI prompt submission.

• Prevention Rules Filters and Fields: Describes the filters you can use in Prevention Rules.

• Prevention Rules - Retain File: Describes how to create prevention rules where files are retained in external storage.

• Print Detection and Prevention: Describes print prevention feature.

Some examples of prevention rules include:

• Blocking a specific user or group of users from exfiltrating to a cloud sync folder, such as Google drive

• Blocking all users from uploading files to the Web (Windows only)

• Blocking users from printing by blocking users from printing to their local computer

Rule Evaluation

Rules with an Allow action are evaluated before all other rule types for the same exit point or protocol.

Content scanning conditions are given priority during rule evaluation.

If at least one rule for a given exit point or protocol includes content scanning as a condition, those rules are evaluated before any other non-content-scanning rules (except Allow rules).

If content scanning is required and the scan fails, the resulting action is determined according to the applicable Realm settings.

If no content-scanning rule matches, or if scanning completes successfully without triggering an error, the system proceeds to evaluate the remaining applicable rules according to their defined order.

 

Prevention upon copying/moving to Cloud Sync Folder or USB device is applied only upon exfiltration to these exit points from a source which is not that exact exit point. That is, upon copying/moving files within the same USB device or within the same Cloud Sync Folder (from/to) this activity will be detected, but it will not be prevented.

For Web File Upload, file change during rule processing or URL change will automatically fail the upload.

macOS runs in case-sensitive mode. Make sure names are defined with the correct capitalization in rule conditions.

If the Agent fails to extract a field used in a Prevention Rule, then the entire Prevention Rule is skipped and will not trigger. For example, if a Prevention Rule is based on the True File Type field (File / Resources > Content Type > True File Type) and that field cannot be extracted due to encryption, the Prevention Rule will not trigger (this is true both positive and negative operators), even if all other fields/conditions in that Prevention rule match (evaluate as TRUE).

Related Topic:

ITM / Endpoint DLP Exit / Entry Points