000026538 - How to prevent DLP Endpoint from monitoring certain files

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000026538
Applies ToRSA Data Loss Prevention Suite
DLP Endpoint
DLP Endpoint Enforce
IssueHow to prevent DLP Endpoint from monitoring certain files
In certain circumstances such as application not able to run or slow in processing due to DLP Endpoint, it might be desirable to prevent DLP Endpoint from monitoring certain files.
Resolution

To prevent DLP Endpoint Enforce from monitoring certain files, you need to add those files in the Tech Support Only section of the Endpoint Group Configuration in the Enterprise Manager. Bt default, the Endpoint currently ignores files with ".exe" and ".dll" extensions and also ignores files that start with "\\device\\","pipe\\".


As an example, one would need to enter the following in the Override Configuration under Tech Support Only section of the Endpoint Group configuration page:


<Advanced>
<FileIgnore>
<StartsWith>"partial path that you want to ignore"</StartsWith>
<StartsWith>root#</StartsWith>
<StartsWith>usb#</StartsWith>
<StartsWith>hid#</StartsWith>
<StartsWith>hdaudio#</StartsWith>
<StartsWith>\\device\\</StartsWith>
<StartsWith>\\systemroot\\</StartsWith>
<StartsWith>\\\\tsclient\\scard</StartsWith>
<StartsWith>pipe\\</StartsWith>
<StartsWith>global\\</StartsWith>
</FileIgnore>
</Advanced>


Few things to note here:


1) Endpoint will ignore any file that starts with the path, so if you open a Network share using the above option, then anything copied over to the share will NOT be monitored.


2) This setting is system wide, and will be applicable for ALL application running on the system.

Legacy Article IDa47203

Attachments

    Outcomes