Investigate if the extension is missing the upload event
Question_md: Why was this incident not blocked?
Answer_md: First, let's confirm the dataset matches and is not based on Content Inspection.
Copy/paste is blocked but upload wasn't, which makes me say the extension is
installed; otherwise we would not have blocked copy/paste.
Then reproduce the issue. I went to that site and reproduced it.
Then open my system_monitor log and search for my event datasets for event.*upload.*helloCI:
You can see here that the source is SourceEtw SourceSelect; it should be
SourceExtension. This tells us the event is not being picked up by the
extension, even though we know the extension is healthy.
2025-03-18 17:38:20.746967 -04:00 (25.03.06.3597-4f5f75+) {CyberhavenSystemMonitor3144/ 45} [EventBlocker.cs:228/FindMatch PolicyEngine.EventBlocker ] INFO : Datasets for event [SensorEvent Type=Upload Subject=[SensorSubject HostName=WSAMZN-5VS6ASMT.corp.amazonworkspaces.com User=antonio.anaya SessionId=1] [LocalFile 'D:\Users\antonio.anaya\Downloads\HelloCI.docx' Id='6020a7af;009e000000007b04' OnRemovableMedia:False DriveType:] -> SensorObjectWebPage Url=chat.baidu.com/search?extParams=%7B"enter_type"%3A"chat_url"%7D&isShowHello=1 FileName='HelloCI.docx' Title='百度AI搜索 - 办公学习一站解决 - Google Chrome - Antonio (aa-test)' Referrer='' IsIncognito='False' browser_name=Google Chrome SourceEtw SourceSelect (LocalId: bac38c29-cf6e-4a5a-9e3f-f5d3208e4cb4,DlpScanLinkingId: 9f32c114-20f1-4dab-8317-f965daf67d3b,AgentVersion: 25.03.06.3597-4f5f75+,Actionable: True,OsType: windows,OsVersion: Microsoft Windows NT 10.0.17763.0)]: 0193022a-ecc5-755e-a428-fd52221687cd,0194dbb2-edd8-7ade-bae3-1a5a7b7a0c45,0194f25c-8ac7-7d25-9437-f6f451540cca,01956c99-15ad-7b71-bbf5-4588929dee7f,k7yzBZEBQtLZWqL0Ax6F,v0PxoI8BlO5wbMejsypP,01929697-3d09-7b55-8a96-43f0a89c03dd,019440de-c521-73eb-99d5-51714b104804,0194ddb3-1a51-75f0-9498-9fbdc6241815,NWDY6pABQtLZWqL0S6FN. Policy: v0PxoI8BlO5wbMejsypP-681118b3-03ab-4018-b777-2015c1e0f67d. Override: False. Result: MatchBlock - CallerInfo: [BackendEventsProcessor.cs/ProcessEvent]
To confirm the problem is with the extension, I changed my settings to:
"chrome_extension": {
  "browser_extension_state": "CUSTOM"
},
I removed my extension and added it locally:
https://chrome.google.com/webstore/detail/cyberhaven-security-exten/pajkjnmeojmbapicmbpliphjmcekeaac
Enable developer mode, open the service worker from the CH extension, and attempt the upload. In the service worker you can see no upload, whereas from dlptest.com I see the upload in the service worker.
If you can reproduce an issue like this, please open a browser extension Jira bug.
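The source check on the "Datasets for event" line above can be scripted across a whole system_monitor log. This is an added example, not Cyberhaven tooling: the regular expression is inferred from the single log line quoted on this page, the position of SourceExtension in the line is an assumption, and the sample lines are constructed.

```python
import re

# Assumption: field layout is inferred from the one system_monitor line quoted
# on this page; adjust the pattern if your agent version logs it differently.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+).*?"
    r"Datasets for event \[SensorEvent Type=(?P<type>\w+).*?"
    r"SensorObjectWebPage Url=(?P<url>\S+).*?"
    r"browser_name=(?P<browser>.+?) (?P<sources>Source\w+(?: Source\w+)*) \("
    r".*?Result: (?P<result>\w+)"
)

def parse_event(line):
    """Return the fields of one 'Datasets for event' web-page line, or None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["sources"] = event["sources"].split()
    event["host"] = event["url"].split("/", 1)[0]
    return event

def uploads_missed_by_extension(lines):
    """Return browser Upload events whose source list lacks SourceExtension."""
    missed = []
    for line in lines:
        event = parse_event(line)
        if event and event["type"] == "Upload" and "SourceExtension" not in event["sources"]:
            missed.append(event)
    return missed

# Constructed sample lines, shortened and modeled on the line quoted above.
SAMPLE_LOG = [
    "2025-03-18 17:38:20.746967 -04:00 [EventBlocker.cs:228/FindMatch] INFO : Datasets for event "
    "[SensorEvent Type=Upload [LocalFile 'D:\\Users\\test.user\\Downloads\\HelloCI.docx'] -> "
    "SensorObjectWebPage Url=chat.baidu.com/search?isShowHello=1 FileName='HelloCI.docx' "
    "browser_name=Google Chrome SourceEtw SourceSelect (LocalId: constructed-1)]: ds-1. Result: MatchBlock",
    "2025-03-18 17:41:02.113000 -04:00 [EventBlocker.cs:228/FindMatch] INFO : Datasets for event "
    "[SensorEvent Type=Upload [LocalFile 'D:\\Users\\test.user\\Downloads\\HelloCI.docx'] -> "
    "SensorObjectWebPage Url=dlptest.com/upload FileName='HelloCI.docx' "
    "browser_name=Google Chrome SourceExtension (LocalId: constructed-2)]: ds-1. Result: MatchBlock",
    "2025-03-18 17:42:00.000000 -04:00 [Other.cs:1/Other] INFO : unrelated constructed line",
]

if __name__ == "__main__":
    for ev in uploads_missed_by_extension(SAMPLE_LOG):
        print(f"{ev['ts']} {ev['host']} sources={ev['sources']} result={ev['result']}")
```

Hosts that show up in the output are candidates for the service worker comparison described above.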
Baidu.com test:
dlptest.com test: