The "false positive" I am talking about here is not a real false positive; it looks more like a notification bug. I don't know exactly what the right word is in English because of my poor English, so let me give you an example. Sometimes, after DLP detects an event defined in a rule, if I don't close the related process, and I then open a file which is not in the definition and should not be detected, using the same program so that it shares the same process with the first detected file, there is a notification for the detection of a new opening (I defined the notification on the rule actions page), but the file name (if present) is not the name of the file which is not in the definition. And normally I will not find the event in DLP Monitor. For a Clipboard Protection Rule, if a defined file triggers the rule, I will not be able to copy content from any file opened by the same process. After closing the process, all non-defined files are back in uncontrolled mode.
It is hard for me to do a test, for it is not always working this way.
Is this by design, or a bug? Or did I do something wrong in the rule definition?
As tested and discussed with McAfee support, DLP locks the process when one rule is triggered and releases it only after the process is closed; while the process is locked, there are events for the process.
This happens with Clipboard PR, Network Communication PR and Application File Access PR; the third is not very serious.
That is good to know. We have an App File Access PR which tracks tagged files when they are written to CD, but when a user reads a file on CD media, it triggers. I think it is the same issue. I don't know how I will solve this. Please share your ideas if you have any. I would much appreciate them.