Use Endpoint DLP to block uploads

Greetings to all,

As of today, I’m wondering if anyone has managed to resolve the issue of uploading documents or files to unauthorized sites. From my experience, I created a policy to block unauthorized domains.

While reviewing the behavior, I noticed that when a DLP (Data Loss Prevention) policy is created, it begins to protect documents that are generated from that point onward. However, documents that are already at rest are not scanned, so the policy ignores them until someone opens or modifies them. At that point, the policy starts to apply and the documents become protected.

The conditions under which these behaviors were observed are as follows:

• File types involved: .docx, .xlsx, .pdf, .txt......
• Documents or attachments are password-protected
• Documents are not labeled or classified with sensitivity labels

Here are the observations I’ve made:

• Uploading a recent document to a restricted domain: Blocked (expected behavior).
• Uploading an old document to a restricted domain: Allowed (should be blocked).
• Dragging a document from File Explorer: Blocked (expected behavior).
• Copying a document from File Explorer to a restricted domain: Allowed (should be blocked).

If anyone has any insights or has found a solution, it would be greatly appreciated.

Best regards.