Data Loss Prevention

About DaR Scans - Files sizes, compressed files ...

    Posted Nov 22, 2023 02:26 AM

    Hi

    I'm looking for technical explanations of the following:

    • When I run a scan on a 30 MB logfile, I see a certain file size in Windows File Explorer, but what DLP shows as being scanned is a different size. Is that related to whatever Broadcom does in memory with that file or how it chunks the file for scanning? I also observed different values, depending on what max scan size I've set in the DaR scanner (32 MB or 100 MB max file size limit). How can I be certain that a file has indeed been completely scanned?
    • What about zip files in zip files? Broadcom says in one article that DLP does not have a limitation in file depth. I would assume that when I scan a zip file with further zip files in it, at the end I get the same incident numbers as if I scanned the completely extracted files. However, this is not true. Full extraction of the content results in far more incidents. How is this explained? What are the relevant factors? If the total extracted files are bigger in size than the max file size limit configured? Is there some timing factor where DLP attempts scanning and then just skips to the next files? Is it related to the way the file is unpacked in memory?

    I would really love to see documentation on how DLP scanning is done technically and where there are limitations.

    Thanks

    André