Skip to main content

Trellix DLPE | Basic Guide | DLPE Blocks Legitimate Applications or Files (False Positives)

Updated

Sometimes, DLPE policies may be too strict or misconfigured, causing them to block legitimate business applications, file transfers, or processes. For example, users may not be able to save documents to a network drive, send certain email attachments, or use collaboration tools like Microsoft Teams or Zoom. This usually results in user complaints and disruption to daily work.

 

1st Level Troubleshooting Steps

  1. Reproduce the Issue
    Work with the end-user to reproduce the problem. Take note of the application, file type, and activity being blocked (e.g., saving a PDF to a shared folder).
  2. Check DLPE Incident Management
    In ePO, open DLP Incident Management and search for recent incidents from the affected user. This will show you which DLP rule was triggered, helping to confirm whether it was a false positive.
  3. Review Rule Conditions
    In ePO, open the DLP Policy Catalog and look at the DLP policy rule that caused the block. Sometimes, the conditions may be too broad (e.g., blocking all “.docx” files instead of only files containing sensitive keywords).
  4. Use Exemptions or Whitelisting
    If the block is unnecessary, you can create exemptions for certain applications, users, or file paths. For example, you can whitelist a specific process (such as outlook.exe or teams.exe) or allow specific folders used by the business.
  5. Update the Policy and Wake Up Agent
    After making changes, enforce the updated policies on the endpoint by going to the System Tree > select the affected user's machine > Action > Agent > Modify Policies on Single System > Edit Assignment > Select the option Break Inheritance > Select the new updated policy > Click Save. Then send Wake Up Agent to the machine.
  6. Verify the machine is updated with the new policy revision ID
    In System Tree, select the affected user's machine, go into System Details > Products and verify the machine is updated with the new policy revision ID
  7. Retest to confirm issue resolved
    Back to affected machine, request end user to retest to confirm the false positive is resolved. Contact CSPG Support if issue persists, for in-depth troubleshooting.
Powered by Zendesk