Downloaded file might be bypassed instead of being blocked by DLP
Symptoms
  • Downloaded file might be bypassed instead of being blocked by DLP in the following scenario:

    • DLP blade is enabled.
    • Threat Emulation blade is enabled.
    • Threat Emulation Connection Handling Mode is set to "Background" (Threat Prevention tab > Profiles > select the relevant profile > click Edit... > Threat Emulation Settings > Advanced).
    • Threat Prevention Engine Fail Mode is set to "Allow all connections (Fail-open)" (Threat Prevention tab > Advanced > Engine Settings).
Cause

Both the DLP blade and the Threat Emulation blade inspect the downloaded file. Threat Emulation might fail to process the file (e.g., no entitlement or internal error) and go into Fail-open mode.

Although the logged action of the DLP blade would be "Prevent", the actual action would be "Detect". As a result, the file would be let through instead of being blocked.

