ITM / Endpoint DLP Prevention Rules

This topic is for ITM / Endpoint DLP rules only.

Prevention rules let you stop data exfiltration. Prevention rules block exfiltration in real-time.

This topic includes:

• Exit Points Supported
• Enabling Prevention Rules
• ITM / Endpoint DLP Prevention Rules
• ITM / Endpoint DLP Prevention Rules

For more information about prevention rule supported actions, see Prevention Rules.

Exit Points Supported

You can block any files from being exfiltrated for any of the following exit points:

• Copy/Move to USB

• Copy/Move to Local Sync Folder

• File Upload to Web

• Print

• Paste Text from Clipboard

• Copy/Move to Network Drive

• Submitting Text Prompt to GenAI Websites

Some examples of prevention rules include:

• Blocking a specific user or group of users from exfiltrating to a cloud sync folder, such as Google drive

• Blocking all users from uploading files to the Web (Windows only)

• Blocking users from printing by blocking users from printing to their local computer

Prevention upon copying/moving to Cloud Sync Folder or USB device is applied only upon exfiltration to these exit points from a source which is not that exact exit point. That is, upon copying/moving files within the same USB device or within the same Cloud Sync Folder (from/to) this activity will be detected, but it will not be prevented.

For Web File Upload, file change during rule processing or URL change will automatically fail the upload.

macOS runs in case-sensitive mode. Make sure names are defined with the correct capitalization in rule conditions.

If the Agent fails to extract a field used in a Prevention Rule, then the entire Prevention Rule is skipped and will not trigger. For example, if a Prevention Rule is based on the True File Type field (File / Resources > Content Type > True File Type) and that field cannot be extracted due to encryption, the Prevention Rule will not trigger (this is true both positive and negative operators), even if all other fields/conditions in that Prevention rule match (evaluate as TRUE).

Enabling Prevention Rules

Prevention rules are enabled per Agent Realm. You turn on/off Prevention Enabled in the Advanced Settings of the Agent Realm.

When enabled, content scanning is available for prevention rules. (See Content Scanning.)

Related Topics:

ITM / Endpoint DLP Rules

Prevention/Endpoint Rules

Detection Rules

Alerts