StaticCache.dat and USB transfers - Purview DLP policies

Question

StaticCache.dat and USB transfers - Purview DLP policies

Buchanan, Thomas A 20

I have a Purview DLP policy set to audit files copied to a USB drive for a select group of users. When the end user initiates the transfer process, all of the files are audited and logged, but I also see an entry for StaticCache.dat. The StaticCache.dat file is always the same size regardless of the volume of files moved. I suspect that StaticCache.dat is being used as a temporary transport container, but that is just a guess on my part. StaticCache.dat appears to reside here C:\Windows\Fonts - staticcache.dat.jpg

Directory location - staticcache.dat directory.jpg

Has anyone else come across this and figured out a method to exclude this file from being audited?

Would it be better to add a policy condition to only look for the files I'm interested in capturing?

phemanth 14,560 Reputation points Microsoft External Staff

2025-03-03T05:41:43.0533333+00:00

@Buchanan, Thomas A '

Welcome to Microsoft Q&A platform and thanks for posting your query here.

It seems like you're encountering an issue with the StaticCache.dat file being audited during USB transfers. This file is likely being used by the system for caching purposes, which is why it appears consistently regardless of the volume of files moved.

To address this, you have a couple of options:

Exclude the StaticCache.dat File: You can create a condition in your Purview DLP policy to exclude this specific file from being audited. This can be done by specifying the file name or path in the policy settings.

Refine Your Policy Conditions: Instead of auditing all files, you can refine your policy to only audit files that match certain criteria, such as specific file types or sensitive information. This way, only the files you're interested in will be captured, and system files like StaticCache.dat will be ignored.

For more detailed guidance, please refer to the Microsoft documentation on configuring endpoint DLP settings

https://learn.microsoft.com/en-us/purview/dlp-configure-endpoint-settings?tabs=purview

https://learn.microsoft.com/en-us/answers/questions/2119291/monitoring-sensitive-files-moved-to-usb

I hope this information helps. Please do let us know if you have any further queries.

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
Buchanan, Thomas A 20 Reputation points

2025-03-03T13:59:40.2866667+00:00

Excellent recommendations. We've already attempted the StaticCache.dat exclusion which isn't working as expected.
phemanth 14,560 Reputation points Microsoft External Staff

2025-03-07T07:43:11.9266667+00:00
@Buchanan, Thomas A

Thanks for your feedback

Here are a few additional steps

Verify Policy Configuration: Double-check that the exclusion rule for StaticCache.dat is correctly configured in your DLP policy. Ensure that the file path and name are accurately specified.

Policy Update and Sync: Sometimes, policy changes may not take effect immediately. Try forcing a policy update and ensure that the endpoint devices are fully synced with the latest policy settings.

Diagnostic Tools: Use the diagnostic tools available in the Microsoft 365 admin center to analyze your DLP policy configuration. This can help identify any issues with the policy setup. You can find more information on running diagnostics here

Review Activity Logs: Check the activity logs to see if there are any errors or warnings related to the DLP policy. This can provide insights into why the exclusion might not be working.

Refine Conditions: If excluding StaticCache.dat directly isn't effective, consider refining your policy conditions further. For example, you could set the policy to only audit specific file types or sensitive information, which might help bypass system files like StaticCache.dat.
phemanth 14,560 Reputation points Microsoft External Staff

2025-03-11T05:05:17.41+00:00

@Buchanan, Thomas A Just checking in to see if the below answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Accepted answer

1 additional answer

Your answer

phemanth 14,560 Reputation points Microsoft External Staff

2025-03-03T05:41:43.0533333+00:00

@Buchanan, Thomas A '

Welcome to Microsoft Q&A platform and thanks for posting your query here.

It seems like you're encountering an issue with the StaticCache.dat file being audited during USB transfers. This file is likely being used by the system for caching purposes, which is why it appears consistently regardless of the volume of files moved.

To address this, you have a couple of options:

Exclude the StaticCache.dat File: You can create a condition in your Purview DLP policy to exclude this specific file from being audited. This can be done by specifying the file name or path in the policy settings.

Refine Your Policy Conditions: Instead of auditing all files, you can refine your policy to only audit files that match certain criteria, such as specific file types or sensitive information. This way, only the files you're interested in will be captured, and system files like StaticCache.dat will be ignored.

For more detailed guidance, please refer to the Microsoft documentation on configuring endpoint DLP settings

https://learn.microsoft.com/en-us/purview/dlp-configure-endpoint-settings?tabs=purview

https://learn.microsoft.com/en-us/answers/questions/2119291/monitoring-sensitive-files-moved-to-usb

I hope this information helps. Please do let us know if you have any further queries.

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
Buchanan, Thomas A 20 Reputation points

2025-03-03T13:59:40.2866667+00:00

Excellent recommendations. We've already attempted the StaticCache.dat exclusion which isn't working as expected.
phemanth 14,560 Reputation points Microsoft External Staff

2025-03-07T07:43:11.9266667+00:00

@Buchanan, Thomas A

Thanks for your feedback

Here are a few additional steps

Verify Policy Configuration: Double-check that the exclusion rule for StaticCache.dat is correctly configured in your DLP policy. Ensure that the file path and name are accurately specified.

Policy Update and Sync: Sometimes, policy changes may not take effect immediately. Try forcing a policy update and ensure that the endpoint devices are fully synced with the latest policy settings.

Diagnostic Tools: Use the diagnostic tools available in the Microsoft 365 admin center to analyze your DLP policy configuration. This can help identify any issues with the policy setup. You can find more information on running diagnostics here

Review Activity Logs: Check the activity logs to see if there are any errors or warnings related to the DLP policy. This can provide insights into why the exclusion might not be working.

Refine Conditions: If excluding StaticCache.dat directly isn't effective, consider refining your policy conditions further. For example, you could set the policy to only audit specific file types or sensitive information, which might help bypass system files like StaticCache.dat.
phemanth 14,560 Reputation points Microsoft External Staff

2025-03-11T05:05:17.41+00:00

@Buchanan, Thomas A Just checking in to see if the below answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 1

@Buchanan, Thomas A

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to accept the answer .

Ask: I have a Purview DLP policy set to audit files copied to a USB drive for a select group of users. When the end user initiates the transfer process, all of the files are audited and logged, but I also see an entry for StaticCache.dat. The StaticCache.dat file is always the same size regardless of the volume of files moved. I suspect that StaticCache.dat is being used as a temporary transport container, but that is just a guess on my part. StaticCache.dat appears to reside here C:\Windows\Fonts - staticcache.dat.jpg

Directory location - staticcache.dat directory.jpg

Has anyone else come across this and figured out a method to exclude this file from being audited?

Would it be better to add a policy condition to only look for the files I'm interested in capturing?

Solution: We resolved this issue by adding the file exclusions at the policy level. We also tried File path exclusions for Windows and Unsupported file extension exclusions in the Endpoint DLP setting but that did not work for us.

If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.

Please don’t forget to Accept Answer and Yes for "was this answer helpful" wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

Buchanan, Thomas A 20

We resolved this issue by adding the file exclusions at the policy level. We also tried File path exclusions for Windows and Unsupported file extension exclusions in the Endpoint DLP setting but that did not work for us.

phemanth 14,560 Reputation points Microsoft External Staff

2025-03-10T02:57:19.45+00:00

@Buchanan, Thomas A Glad to know your issue has been resolved. Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others "I'll repost your solution in case you'd like to accept the answer.

Share via

StaticCache.dat and USB transfers - Purview DLP policies

1 additional answer

Your answer