My first post here. We have recently implemented Netwrix Endpoint Protection in our environment. We have both the latest server and client versions installed, but there is one annoying thing which I can’t solve.
Very often when accessing random sites (some local news websites, godaddy, chatgpt, challenges.cloudflare.com (this is kind of a crucial one)), we are getting pop-ups saying that a text/plain file upload has been blocked.
I understand that these are some background website POST updates, but it happens almost every time I am accessing specific websites. If the website is kept open in the background, pop-ups keep appearing.
Our main goal is to block all web uploads, except the ones we have whitelisted. Currently I am out of ideas on how to solve this issue.
I’ve had an idea: could I exclude text/plain checking from our main NTU block policy and create another one scoped specifically to it, so we can log events but show no pop-up notification to the user?
We also tried to increase the file size at which the web upload block should trigger, but sometimes those background POST updates are 70kb+.
Currently we have EPP installed on 6 - 8 devices, but early next year we are planning to deploy it for the entire company, and this could be quite a huge issue for us if it is not somehow worked around/resolved.
Does anyone have any suggestions?
P.S. If challenges.cloudflare.com is not whitelisted, some upload is blocked and the challenge can’t be passed.
You are right, this is a tricky one. As you correctly pointed out, modern websites generate a lot of background traffic (POST requests, telemetry etc.). Endpoint Protector is designed to ignore most of this noise and focus primarily on connections that can be used for actual file or data uploads. Completely ignoring all non-obvious upload activity is not feasible, as it would introduce false negatives and risk missing real data exfiltration.
From a best-practice standpoint, we generally recommend not blocking or reporting text/plain uploads just based on file type, but rather enforcing controls based on file content. I understand your security model is to block all uploads by default and then allow only whitelisted destinations. Given that requirement, your thinking is already on the right track.
You can create a separate policy scoped only to text file uploads and disable end-user notifications for that policy. This allows you to continue blocking and logging the activity without disrupting users with constant pop-ups. If a website becomes unusable, users can raise a ticket and you can then review and whitelist the URL as needed. Increasing the minimum file size threshold can also help reduce the number of background events being triggered, although it will not eliminate them entirely.
Overall, you are doing the right things. These policies tend to require some tuning over time, especially in the early phase of the implementation, but it should become a lot smoother over time.