8 Replies Latest reply on Jul 14, 2015 9:50 AM by stephenacamille

    Unexpected behavior with DLP Rules


      Hi, I have an issue with DLP rules that I have configured. It's not behaving as expected. I'll try to explain properly.




      Device RulesIncludesExcludes
      External Removable DevicesAll External Removable Storage DevicesApproved Removable Storage Devices
      Approved External Removable DevicesApproved Removable Storage Devices


      Device DefinitionsParameterValue
      All External Removable Storage DevicesBus TypeBluetooth, Firewire, PCMCIA, USB
      Approved Removable Storage DevicesDevice Name*Several device names not relevant to list them all*


      When an approved device is plugged in, and looking in DLP Incident Manager, the behavior is as expected, showing up as the Approved External Removable Devices Rule. However when unplugged, it's showing both rules and the behavior appears to be of the one the most restrictive.