ITM / Endpoint DLP Prevention Rules

This topic is for ITM / Endpoint DLP rules only.

Prevention rules let you stop data exfiltration by blocking it in real time.

Exit Points Supported

You can block any files from being exfiltrated for any of the following exit points:

  • USB

  • Cloud Sync Folder (Supported for Windows Explorer only)

  • Web File Upload (From Mac Agent 3.7, Web File Upload is also supported for Mac Agents.)

  • Local Printer

  • Printer (printer name, printer type, user name)

Some examples of prevention rules include:

  • Blocking a specific user or group of users from exfiltrating to any USB

  • Blocking a specific user or group of users from exfiltrating to a cloud sync folder, such as Google Drive

  • Blocking all users from uploading files to the Web (Windows only)

  • Blocking users from printing by blocking users from printing to their local computer

Prevention on copying or moving files to a Cloud Sync Folder or USB device is applied only when the source is not that same exit point. That is, copying or moving files within the same USB device or within the same Cloud Sync Folder is detected, but it is not prevented.

For Web File Upload, if the file changes during rule processing or the URL changes, the upload automatically fails.

If the Agent fails to extract a field used in a Prevention Rule, the entire Prevention Rule is skipped and will not trigger. For example, if a Prevention Rule is based on the True File Type field (File / Resources > Content Type > True File Type) and that field cannot be extracted due to encryption, the Prevention Rule will not trigger (this is true for both positive and negative operators), even if all other fields/conditions in that Prevention Rule match (evaluate as TRUE).
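
The skip behaviour described above can be modelled in a few lines. This is an added example, not the product's rule engine: the field names, the operators ("is" / "is_not"), the event layout and the sample rules and events are all assumptions made for illustration. It shows that a rule using True File Type is skipped under either operator when the field is unextracted, while a rule that does not use that field still blocks, and it lists the skipped evaluations for review.

```python
from dataclasses import dataclass

# Model of the skip behaviour described above. Field names, operators and the
# event layout are assumptions for illustration, not the product's schema.
UNEXTRACTED = None  # the Agent could not extract the field (e.g. encrypted file)

@dataclass(frozen=True)
class Condition:
    field: str
    op: str      # "is" (positive) or "is_not" (negative)
    value: str

@dataclass(frozen=True)
class Rule:
    name: str
    conditions: tuple

def evaluate(rule, event):
    """Return 'BLOCK', 'NO_MATCH' or 'SKIPPED' for one activity event."""
    # A single unextracted field skips the whole rule, whatever the operator.
    if any(event.get(c.field) is UNEXTRACTED for c in rule.conditions):
        return "SKIPPED"
    for c in rule.conditions:
        hit = event[c.field] == c.value
        if hit != (c.op == "is"):
            return "NO_MATCH"
    return "BLOCK"

def skipped_report(rules, events):
    """List (event id, rule name) pairs where a rule was skipped, for review."""
    return [(e["id"], r.name) for e in events for r in rules
            if evaluate(r, e) == "SKIPPED"]

# Constructed sample rules and events.
RULES = [
    Rule("block-pdf-to-usb", (Condition("exit_point", "is", "USB"),
                              Condition("true_file_type", "is", "pdf"))),
    Rule("block-non-txt-to-usb", (Condition("exit_point", "is", "USB"),
                                  Condition("true_file_type", "is_not", "txt"))),
    Rule("block-all-usb", (Condition("exit_point", "is", "USB"),)),
]
EVENTS = [
    {"id": "e1", "exit_point": "USB", "true_file_type": "pdf"},
    {"id": "e2", "exit_point": "USB", "true_file_type": UNEXTRACTED},
    {"id": "e3", "exit_point": "Local Printer", "true_file_type": "pdf"},
]

if __name__ == "__main__":
    print(skipped_report(RULES, EVENTS))
```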

Enabling Prevention Rules

Prevention rules are enabled per Agent Realm. You turn the Prevention Enabled setting on or off in the Advanced Settings of the Agent Realm.

When enabled, content scanning is available for prevention rules. (See Content Scanning.)
