Whitelist/Exclude Incoming copy direction in Removable Storage Protection rules
McAfee SR#: 4-20015799251
I have an issue reported by an employee where they are copying files from an approved Removable Storage USB device to a network file share mapped as a drive.
We have a Removable Storage Protection rule to look for data copied in the OUTGOING direction only. The Incoming copy direction is not selected in either of the 3 rules we have configured.
When copying, the time jumps from 2 minutes to 32 minutes and the notification "Please wait while DLP analyzes your data" causing an unnecessary performance degrade when copying files TO a system.
I have even gone so far as to set an exception for the Incoming copy direction for the classification I have configured in the rule. It does not allow for Any Data All, Any User All, and Any Application All. It requires at least one value not be set to ALL.
I was informed by McAfee Support who was advised by Advanced Support that even without the Incoming copy direction selected, that it is "working as designed and to submit a PER which seems a bit ridiculous. If I don't select "Incoming - Copy to local drive" then I wouldn't expect that it would analyze any "Incoming" data being copied (which also seems a bit ridiculous since the product is "Data Loss" not "Data Gain" prevention).
The only way to prevent this is to turn off the Advanced file copy protection Module in the Windows Client Configuration policy which disables the sandbox and defeats the purpose of having Outgoing protection since it then analyzes data After it's copied to removable storage which can easily be unplugged once the file copy operation is completed.
Suggestion: Enable the Module to Not analyze files when the Incoming copy direction is not selected and/or enable the ability to select ALL within an exception for the Incoming copy direction, and/or just remove analyzing Incoming altogether since it defeats the purpose of the product in the first place.