The DLP manages this type of situation using analysis (content extraction) timeouts.
If some file takes too much time in the analysis, the thread will be canceled and the file will not be analysed.
You can be aware when this happens in the logs.
A special case is with Network Prevent for Email. The DLP is able to add a specific header to the email so the downstream MTA knows that the DLP did not fully analyse the email.
Using this header the downstream MTA can quarantine the email for further analysis.
The DLP is designed with the idea of not unwillingly disrupting the operation (not losing emails or delaying them for too long, for example); this approach has some trade-offs.
Hope this helps
Elric
Original Message:
Sent: 03-07-2021 05:50 AM
From: Nikolay Dimitrov
Subject: Can the Data Loss Prevention block files that are compressed many times (zip, gzip etc.) or use other Multiple decoding evasion techniques?
My question is: if the DLP sees that it can't open the file because it is compressed or encoded many times, can we configure it to block such files? I found info that password-protected files can be blocked, but nothing about whether the file is, for example, a zip that is compressed 200 times. By the way, I did not find the limit on how deep the DLP can try to decode a file, like 20 or 100. Also, does the DLP have similar options like the Content Analysis Defer scanning, data trickling or patience pages?
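The timeout-then-tag flow described in the reply above can be modelled in a few lines. This is an added illustration, not Symantec DLP code and not from either poster. The header name, timeout value and function names are placeholders, since the thread gives none of them.

```python
import logging
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as AnalysisTimeout
from email import message_from_bytes
from email.message import Message

log = logging.getLogger("dlp-model")

# Assumptions: the thread names neither the header nor a timeout value.
MARKER = "X-Example-DLP-Incomplete"  # placeholder header name
TIMEOUT_S = 0.2                      # placeholder analysis timeout

def analyse(msg: Message, extractor) -> Message:
    """DLP side: run content extraction with a time limit, pass the mail on if it expires."""
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(extractor, msg.get_payload(decode=True) or b"")
    try:
        future.result(timeout=TIMEOUT_S)
    except AnalysisTimeout:
        # The event is logged and the message is tagged instead of being dropped.
        log.warning("analysis timed out, message passed on unanalysed")
        msg[MARKER] = "timeout"
    finally:
        pool.shutdown(wait=False)  # do not hold the mail flow for the worker
    return msg

def downstream_route(msg: Message) -> str:
    """Downstream MTA side: quarantine anything the DLP could not finish."""
    return "quarantine" if msg.get_all(MARKER) else "deliver"

def fast_extractor(data: bytes) -> int:
    return len(data)

def slow_extractor(data: bytes) -> int:
    time.sleep(0.6)  # stands in for a many-times-compressed attachment
    return len(data)

# Constructed sample message.
SAMPLE = b"From: a@example.com\r\nTo: b@example.com\r\nSubject: report\r\n\r\nbody\r\n"

def demo():
    ok = downstream_route(analyse(message_from_bytes(SAMPLE), fast_extractor))
    slow = downstream_route(analyse(message_from_bytes(SAMPLE), slow_extractor))
    return ok, slow
```

The quarantine decision lives entirely in the downstream MTA, so a message that exceeds the analysis timeout is only held if that rule is actually configured there.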