DLP Policy Not Scanning Inside Compressed Files (Purview)

Mahmoud Hesham 5 Reputation points
2024-12-29T08:53:32.0033333+00:00

I'm trying to configure Microsoft Purview to scan inside compressed files (e.g., .zip, .rar) and apply Data Loss Prevention (DLP) policies to prevent sensitive data from being shared via email. However, I'm encountering the following issues:

- I need to ensure that sensitive data labels are detected inside archives and trigger DLP policies when emailed.
- Despite configuring the DLP policy, password-protected archives bypass detection.

Important: I do not want to block all encrypted/password-protected files – only the ones that contain sensitive data. Blocking every compressed file creates unnecessary disruption, but I need to ensure sensitive data isn't accidentally shared.

Could someone guide me on:

1. How to enable scanning for compressed files in Purview?
2. Whether Purview can extract and inspect contents of .zip files?
3. How to configure DLP to block only password-protected archives that contain sensitive data?

I would appreciate any detailed steps or links to relevant documentation.

Thank you!


1 answer

  1. AnnuKumari-MSFT 33,986 Reputation points Microsoft Employee
    2024-12-30T16:43:28.5633333+00:00

    Hi Mahmoud Hesham,

    To enable scanning for compressed files in Microsoft Purview and configure DLP policies to prevent sensitive data from being shared via email, you can follow the steps below:

    1. Enable scanning for compressed files in Purview: By default, Purview does not scan the contents of compressed files such as .zip or .rar files. To enable scanning for compressed files, you need to configure a custom extractor in Purview. You can use the Azure Cognitive Search Blob Indexer to extract the contents of compressed files and make them available for scanning by Purview.
    2. Extract and inspect contents of .zip files: Once you have configured a custom extractor in Purview, you can extract and inspect the contents of .zip files. Purview will extract the contents of the .zip file and make them available for scanning by DLP policies.
    3. Configure DLP to block only password-protected archives that contain sensitive data: To configure DLP policies to block only password-protected archives that contain sensitive data, you can use the "Content contains sensitive information" condition in the DLP policy. This condition allows you to specify the sensitive information types that you want to detect, such as credit card numbers or social security numbers. You can also specify the file types that you want to scan, such as .zip or .rar files. Once you have configured the DLP policy, it will trigger a block action only when a password-protected archive containing sensitive data is detected.

    Additional resource: https://learn.microsoft.com/en-us/purview/dlp-policy-reference

    Hope it helps. Kindly let us know how it goes. Thank you.

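The distinction the question draws, between archives whose contents can be inspected and password-protected ones, shown as an added example that is not part of the original thread and is not Purview's own logic. The card-number pattern, the function names, the verdict labels and the sample archive are assumptions constructed for the illustration.

```python
import io
import re
import zipfile

# Assumed pattern for this example: 16-digit card-like numbers, Luhn-checked.
CARD_RE = re.compile(rb"\b(?:\d[ -]?){15}\d\b")

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def triage_zip(data: bytes) -> dict:
    """Sort ZIP members into encrypted / sensitive / clean."""
    report = {"encrypted": [], "sensitive": [], "clean": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                # The name is visible in the directory; the content cannot be inspected.
                report["encrypted"].append(info.filename)
                continue
            hits = CARD_RE.findall(zf.read(info))
            pans = (re.sub(rb"\D", b"", h).decode() for h in hits)
            key = "sensitive" if any(luhn_ok(p) for p in pans) else "clean"
            report[key].append(info.filename)
    return report

def verdict(report: dict) -> str:
    """Hypothetical handling: block on a match, flag uninspectable members."""
    if report["sensitive"]:
        return "block"
    return "needs-review" if report["encrypted"] else "allow"

def build_sample() -> bytes:
    """Constructed sample: two readable members, one flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "lunch at noon")
        zf.writestr("cards.csv", "name,pan\nTest,4111 1111 1111 1111\n")
        zf.writestr("locked.bin", "opaque bytes")
    raw = bytearray(buf.getvalue())
    raw[raw.rfind(b"PK\x03\x04") + 6] |= 0x01  # local header flag bit 0
    raw[raw.rfind(b"PK\x01\x02") + 8] |= 0x01  # central directory flag bit 0
    return bytes(raw)

if __name__ == "__main__":
    r = triage_zip(build_sample())
    print(r, verdict(r))
```

A content scanner without the password can list an encrypted member's name and size but cannot match patterns inside it, which is why such members are reported separately instead of being counted as clean.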