We are deploying a new installation of the Netwrix Endpoint Protector. As best practice we started deploying the first Policy in Report Only mode → This policy should report every movement of files with extension .bak. To do so we created a custom dictionary with the extension .bak and applied it to the rule. Problem… whenever I choose Report Only Mode in Policy Action, the Tab File Name under Deny List is grayed out. Is this intended? How can I bypass this behavior and achieve the same result?
You’re correct, the File Name Denylist only works when the Policy Action is set to a blocking mode (Block Only, Block & Report, Block & Remediate). It’s not available under Report Only. Not sure why that is, but it is expected behavior.
As a capability, File Name Denylist is useful for basic visibility into file movements, but it can be bypassed without much effort. Long term, proper detection based on MIME type would be a far more reliable way to identify .bak files.
In the Policy Denylist section of a CAP policy, under Source Code, there’s a file type called BACKUP. I was hoping this would catch .bak files, but my testing shows it doesn’t. Could you give it a quick try on your side as well? If it behaves the same for you, I recommend submitting a feature/enhancement request in the Ideas portal; it would be a good file type to control. https://community.netwrix.com/c/products/endpoint-protector/ideas/109