Microsoft Purview
A Microsoft data governance service that helps manage and govern on-premises, multicloud, and software-as-a-service data. Previously known as Azure Purview.
1,231 questions
DLP policy to detect .EXE files copied to removeable USB media
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 62%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
Vuy Si
26
Reputation points
Hi,
I'm trying to workout why a DLP policy I've configured to alert when a particular file type is copied to removeable USB media is detecting .MSI files but not .EXE. Both filetypes are included in the policy so both should be detected.
I've used the same condition in another DLP targeting email exfiltration and .EXE files are detected when attached to an email.
I'm guessing it could be down to not enabling advanced classification but has anyone else encountered this issue before?
{count} votes
-
PRADEEPCHEEKATLA 90,241 Reputation points2024-08-05T09:49:26.58+00:00 @Vuy Si - Thanks for the question and using MS Q&A platform.
It seems like you are having trouble with a DLP policy in Microsoft Purview. Based on the information you provided, it is possible that the issue could be related to the advanced classification settings.
To confirm, have you enabled advanced classification for the DLP policy that is not detecting .EXE files? If not, you may want to try enabling it and see if that resolves the issue.
Additionally, it may be helpful to review the configuration of the DLP policy to ensure that the condition for detecting .EXE files is set up correctly. You may also want to check if there are any exclusions or exceptions in place that could be preventing the detection of .EXE files.
If you have already checked these settings and are still experiencing issues, it may be helpful to review the logs to see if there are any errors or warnings related to the detection of .EXE files.
I hope this helps! Let me know if you have any further questions.
-
Vuy Si 26 Reputation points
2024-08-06T06:27:43.7933333+00:00 @PRADEEPCHEEKATLA Thank you for for the response.
I'm also suspecting advanced classification but haven't turned this on to test in our production environment for fear of consuming network bandwidth on endpoints. I did test this in my M365 dev tenant with advanced classification turned on but there is no log of .exe files being copied to removeable USB device in the activity explorer.
I'm confident the policy configuration is correct as I have a similar condition looking for .exe files when sent externally via email and this is detected.
Which logs do you recommend to check for warning related to detection of .exe files?
-
PRADEEPCHEEKATLA 90,241 Reputation points
2024-08-08T10:22:05.4266667+00:00 @Vuy Si - If you suspect that the issue is related to advanced classification, you may want to check the logs in the Microsoft 365 compliance center to see if there are any warnings or errors related to the detection of .EXE files.
To access the logs, you can go to the Microsoft 365 compliance center and navigate to the "Search" tab. From there, you can select "Audit log search" and enter the relevant search criteria, such as the date range and specific activities you want to search for.
In your case, you may want to search for activities related to the DLP policy and the detection of .EXE files. You can also filter the search results by severity level to focus on any warnings or errors that may be related to the issue you are experiencing.
If you are still unable to find any relevant logs or information, it may be helpful to open a support ticket for further assistance. They can help you troubleshoot the issue and provide guidance on how to resolve it.
Hope this helps. Do let us know if you any further queries.
-
PRADEEPCHEEKATLA 90,241 Reputation points
2024-08-12T04:13:47.55+00:00 @Vuy Si - We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
-
Vuy Si 26 Reputation points
2024-08-17T06:20:39.98+00:00 No resolution yet, I have opened a support ticket and currently working with support to investigate. Will keep this thread updated.
-
PRADEEPCHEEKATLA 90,241 Reputation points
2024-08-22T08:38:09.81+00:00 @Vuy Si - Could you pleaseshare the support request number, which helps to track internally?
Once the issue has been resolved, please do consider sharing the solution, which might be beneficial to other community members reading this thread.
Sign in to comment
2 answers
Sort by: Most helpful
-
Deleted
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more
-
Deleted
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more