I have a scenario where I am transferring a file from desktop to removable media (with or without FRP encrypted/decrypted/installed) and am expecting DLP to block the transfer. DLP does throw up the block notification but it does not actually block the transfer.
The DLP event on the server shows that it did not block.
Actual Action: No Action
Expected Action: Block
Does anyone know how to determine why this happens?
Hello,
that works as designed.
Block actually means delete afterwards.
The file will be copied to the drive and after this action has happened, DLP can take the action defined in the rule.
The thing is that the device must be reachable by the DLP. So in case the popup appears and you unplug the drive and after that click on block, then no action will happen because the file cannot be deleted by DLP, because the drive isn't connected.
There is no justification or user choice available. The rule action is simply "Block." I would expect it to be copied and immediately deleted or not copied at all.
The thing is that in the background after a successful copy you can see FCAG.exe consuming CPU, which actually means that DLP is doing the classification of the files and after that will decide what to do with the file. During the whole process the file must remain reachable for the DLP processes.
If you are using keywords in classification then it takes time until DLP finishes the analysis of all files. Also in the client configuration, in the section for removable media devices, you can find a timeout after which the analysis will end and allow the copy of the file. That you can see in DLP Incident Manager as a time-out.
Instead of using Data Protection Rules, Device Control is more useful, where read only can be set for recognized removable media devices. MTP devices (mobile phones, tablets...) are unfortunately excluded from this rule; for these devices only Data Protection rules can make something like read-only access.
No action can also happen when the user terminates the copy.
Definitely the workflow is:
User copies data to USB, data is stored to USB, DLP starts analysis of the copied files, does classification and rules check. If the rule is matched then it will do the configured action. During the whole operation files must be reachable for the DLP.
What you are saying does not mesh with what I am seeing. The file I am testing with is a 1kb text file with a trigger string in it. It's lightweight and quick. My guess is that I have something misconfigured.
I can't control by specific device due to the fact that I need to allow so many models of removable media. In fact that is one of the issues I have with DLP. The device control rules don't work with data control rules which is really what I need. I can already control device access via other means. What I need is to simply find data outbound to removable media and block/delete if a rule is triggered.
I think I will ask support.
As per my understanding, you have created a DLP rule (Removable Storage Protection rule) and it is configured in block mode with all file types in the classification.
If yes, it should block the file transfer from Desktop to the external device, but it is not blocking.
Expected action: (Block) action which is defined in the rule
Actual action: action taken on the endpoint while the file is copied.
I suspect this is because of a wrong configuration in the Windows client configuration policy (Policy catalog --> Data loss prevention 11.x --> Windows client configuration policy). Check the below settings:
1. Check whether Data protection is enabled or not (Device control with full content tracking)
2. Check the analyzing time and the action defined if time exceeds the threshold in the Removable media session.
Kindly let me know if you have any other queries...
Here are my settings:
Policy catalog --> Data loss prevention 11.2 --> Windows client configuration policy
Device Control: block and allow charge, enforce immediately
Operational Mode and Modules: Device Control and full content protection, everything checked except for discovery - email, and outlook section.
Removable Storage Protection: normal delete mode, file analysis max time = 30 seconds, if time exceeded = block.
Interesting logs (there is no StormShield):
c:\programdata\mcafee\dlp\temp\logs\session#1\HDLP_agent_(11.9.2019)(8.17-12).log
2019-09-11 13:00:19.728 [10992] [WARNING][AgentStormShieldService::isPrerequisitesInstalled(301)]> Failed to find StromShield Util path in the registry
2019-09-11 13:00:19.728 [10992] [ERROR][AgentStormShieldService::checkConnectedUser(184)]> StormShield product doesn't installed
2019-09-11 13:00:19.728 [10992] [ERROR][AgentStormShieldService::getFileInfo(109)]> Unable to get connected user
2019-09-11 13:00:19.728 [10992] [ERROR][AgentStormShieldService::isFileEncrypted(158)]> getFileInfo failed for file c:\users\<username>\desktop\dlptest.txt user
2019-09-11 13:00:20.332 [10992] [OERROR] [Monitoring Service] [EvidenceService::renameEvidenceFileToRepBufFile] Error rename file in repbuf: {00000000-0000-0000-0000-000000000000}.xml.dlpenc.rep
c:\programdata\mcafee\dlp\temp\logs\session#1\HDLP_te_(11.9.2019)(8.17-18).log
2019-09-11 13:00:20.259 [10340] [OERROR] [Rights Management Service] [`anonymous-namespace'::myLoadFailureHook] Cannot find a DLL to load ("msipc.dll")
2019-09-11 13:00:20.259 [10340] [OERROR] [Rights Management Service] [McAfee::DLP::RMS::ADRMSWrap::init] Cannot load the required DLL.
2019-09-11 13:00:20.259 [10340] [OERROR] [Rights Management Service] [MsDRMTextExtractorHelper::ensure_ready] Cannot initialize AD RMS; DRM error=18.
2019-09-11 13:00:20.693 [10340] [OERROR] [Text Extractor] [KvManager::createKvFile] Failed to fpOpenFile (c:\users\<username>\appdata\roaming\microsoft\windows\recent\automaticdestinations\f01b4d95cf55d32a.automaticdestinations-ms). Error - 13. Time Spent: 0 milliseconds
Based on the logs I am tempted to completely remove and then reinstall the agent and DLP on this test machine.
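When triaging HDLP session logs like the ones above, it helps to parse them into fields and count errors per component instead of reading them by eye. The following is an added example written for this thread, not McAfee code; it assumes only the two line shapes visible in the quoted HDLP_agent and HDLP_te excerpts (the sample lines below are copied from those excerpts).

```python
import re
from collections import Counter

# Two line shapes seen in the quoted logs (assumed to be the general format):
#   <ts> [pid] [LEVEL][Class::method(line)]> message
#   <ts> [pid] [LEVEL] [Service Name] [Class::method] message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \[(?P<pid>\d+)\] "
    r"\[(?P<level>\w+)\]\s*(?:\[(?P<service>[^\]]+)\]\s*)?"
    r"\[(?P<source>[^\]]+)\]>?\s*(?P<msg>.*)$"
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Component = class path without the trailing method name, e.g. "KvManager".
    rec["component"] = rec["source"].rsplit("::", 1)[0]
    return rec

def summarize(lines):
    """Count WARNING/ERROR/OERROR lines per (level, component)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["level"] in ("WARNING", "ERROR", "OERROR"):
            counts[(rec["level"], rec["component"])] += 1
    return counts

# Sample input: the lines quoted in the thread (raw strings keep the backslashes).
SAMPLE_LOG = [
    r"2019-09-11 13:00:19.728 [10992] [WARNING][AgentStormShieldService::isPrerequisitesInstalled(301)]> Failed to find StromShield Util path in the registry",
    r"2019-09-11 13:00:19.728 [10992] [ERROR][AgentStormShieldService::checkConnectedUser(184)]> StormShield product doesn't installed",
    r"2019-09-11 13:00:19.728 [10992] [ERROR][AgentStormShieldService::getFileInfo(109)]> Unable to get connected user",
    r"2019-09-11 13:00:19.728 [10992] [ERROR][AgentStormShieldService::isFileEncrypted(158)]> getFileInfo failed for file c:\users\<username>\desktop\dlptest.txt user",
    r"2019-09-11 13:00:20.332 [10992] [OERROR] [Monitoring Service] [EvidenceService::renameEvidenceFileToRepBufFile] Error rename file in repbuf: {00000000-0000-0000-0000-000000000000}.xml.dlpenc.rep",
    r"2019-09-11 13:00:20.259 [10340] [OERROR] [Rights Management Service] [`anonymous-namespace'::myLoadFailureHook] Cannot find a DLL to load (\"msipc.dll\")",
    r"2019-09-11 13:00:20.259 [10340] [OERROR] [Rights Management Service] [McAfee::DLP::RMS::ADRMSWrap::init] Cannot load the required DLL.",
    r"2019-09-11 13:00:20.259 [10340] [OERROR] [Rights Management Service] [MsDRMTextExtractorHelper::ensure_ready] Cannot initialize AD RMS; DRM error=18.",
    r"2019-09-11 13:00:20.693 [10340] [OERROR] [Text Extractor] [KvManager::createKvFile] Failed to fpOpenFile (c:\users\<username>\appdata\roaming\microsoft\windows\recent\automaticdestinations\f01b4d95cf55d32a.automaticdestinations-ms). Error - 13. Time Spent: 0 milliseconds",
]

if __name__ == "__main__":
    for (level, component), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{level:8} {component:40} {n}")
```

Feeding a whole session directory through summarize() quickly shows which subsystem (text extraction, RMS, evidence handling) is failing around the copy timestamp, which is the question to bring to support.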