Hello Nguyen Nghia,
1. Not exactly. The Channels tab says Configured Applications > Application File Access is used to monitor applications that are configured on the Application Monitoring screen. In other words, the channel enables the feature, but the docs still tie it to apps configured in Application Monitoring, not literally every process on the box. By default, DLP monitors clipboard, print, network, and file system activity on all apps, but you add applications when you want DLP Agents to monitor files that applications open or read. That is a strong hint that Application File Access is special and is not the same as generic Local Drive monitoring.
A simple way to think about it:
- Channel enabled + app allowed in Global Monitoring → incident can occur
- Channel enabled + app blocked in Global Monitoring → no incident
- Channel enabled + app blocked globally but allowed in Agent Config Application Monitoring → incident can occur, because the Agent Config override wins
https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/25-1/about-discovering-and-preventing-data-loss-on-endpoints/about-application-file-access-monitoring.html
https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/25-1/about-discovering-and-preventing-data-loss-on-endpoints/about-global-application-monitoring.html
2. DLP can show msedgewebview2.exe even if you did not add it directly, because the agent has a setting called FileSystem.MONITOR_APPLICATION_CHILD_PROCESS_FILE_ACCESS.INT; Broadcom documentation states that the default is 1. That means child-process Application File Access monitoring is on by default. So if a monitored app starts a helper process to read the file, the helper process can appear in the incident.
https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/25-1/about-discovering-and-preventing-data-loss-on-endpoints/adding-and-editing-agent-configurations/advanced-agent-settings.html?utm_source=chatgpt.com#:~:text=FileSystem.MONITOR_%20APPLICATION_CHILD_%20PROCESS_FILE_ACCESS.INT
The endpoint agent is capturing the event because the actual file open/read is being performed by the WebView2 runtime process itself, not by msedge.exe. msedgewebview2.exe is the Microsoft Edge WebView2 Runtime executable, and Microsoft says it is used by Microsoft 365 apps and other applications; for example, you can see multiple msedgewebview2.exe processes under Outlook, and other apps can use that same runtime too. https://learn.microsoft.com/en-us/microsoft-365-apps/deploy/webview2-install
3. As mentioned in the answer to the first question, rules defined in Agent Configuration take precedence over Global Application Monitoring rules defined for the same application.
https://knowledge.broadcom.com/external/article/209012/understanding-agent-channels-and-applica.html
4. It is the Microsoft Edge WebView2 Runtime executable. It is a Microsoft runtime that allows native apps to embed web content using the Edge rendering engine. It is not the Edge browser itself and it is not exclusively Teams or Outlook. Outlook can host WebView2, and many Microsoft and third-party apps can use it.
https://learn.microsoft.com/en-us/microsoft-edge/webview2/
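As an added example (not part of the original reply and not Symantec's or the DLP agent's actual logic), the following Python model walks through the two rules in points 1 and 2: Agent Configuration overriding Global Application Monitoring, and child-process Application File Access monitoring attributing a helper such as msedgewebview2.exe to its monitored parent. It assumes a simplified allow/block map per level and treats an app configured in neither place as not monitored for Application File Access.

```python
from dataclasses import dataclass
from typing import Optional

# Added illustration, not the DLP agent's real implementation: a minimal model
# of the precedence rules in the reply (Agent Configuration overrides Global
# Application Monitoring) and of child-process Application File Access
# monitoring (MONITOR_APPLICATION_CHILD_PROCESS_FILE_ACCESS.INT = 1).
# Assumption: an app configured in neither place is not monitored.


@dataclass(frozen=True)
class Process:
    pid: int
    image: str
    ppid: Optional[int] = None  # None for a root process


def app_monitored(image: str, global_rules: dict, agent_rules: dict) -> bool:
    """True if Application File Access applies to this image.
    Per-agent Application Monitoring wins over the global rule for the same app."""
    key = image.lower()
    if key in agent_rules:
        return agent_rules[key]
    return global_rules.get(key, False)


def incident_source(pid: int, procs: dict, channel_enabled: bool,
                    global_rules: dict, agent_rules: dict,
                    child_process_setting: int = 1) -> Optional[str]:
    """Return the image of the monitored app that explains a file access by
    `pid`, or None if the access would not be captured at all.
    With child_process_setting == 1 the ancestor chain is walked, so a helper
    spawned by a monitored app (e.g. msedgewebview2.exe under Outlook) counts."""
    if not channel_enabled:
        return None
    cur = procs.get(pid)
    while cur is not None:
        if app_monitored(cur.image, global_rules, agent_rules):
            return cur.image
        if child_process_setting != 1:
            break  # child-process monitoring off: only the accessing process matters
        cur = procs.get(cur.ppid) if cur.ppid is not None else None
    return None


# Constructed sample process tree: explorer.exe -> OUTLOOK.EXE -> msedgewebview2.exe
PROCS = {p.pid: p for p in (
    Process(100, "explorer.exe"),
    Process(200, "OUTLOOK.EXE", 100),
    Process(300, "msedgewebview2.exe", 200),
)}
```

Running `incident_source(300, PROCS, True, {"outlook.exe": True}, {})` returns "OUTLOOK.EXE", which is the situation described in point 2; setting `child_process_setting=0` makes the same access return None.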