endpoint-sensor-coverage

Explore Articles

Endpoint Sensor Coverage

Cyberhaven Endpoint Sensor can trace and block specific user actions. The following table provides the Endpoint Sensor coverage to trace and block various user actions.

Category	User Action	Windows		macOS		Linux
		Tracing	Blocking	Tracing	Blocking	Tracing	Blocking
File Operations
Accessing files in generic apps	Creating a file within any app	Yes	No	Yes	No	Yes	Yes
	Creating a file within Google Workspace on supported browsers	Yes	No	Yes	No	Yes	No
	Opening existing files within any app	Yes	Yes	Yes	Yes	Yes	Yes
Accessing files in supported apps	Saving files in Microsoft Office	Yes	Yes	No	No	No	No
	Saving and exporting files in Microsoft Office	Yes1	Yes1	No	No	No	No
	Embedding Microsoft Office files in other documents (for example, .xslx in .pptx)	Yes1	Yes1	No	No	No	No
	Sending emails in Microsoft Outlook	Yes5	Yes	No	No	No	No
	Forwarding emails with attachments in Microsoft Outlook	Yes5	No	No	No	No	No
	Sending emails in New Microsoft Outlook (September 2023)	Yes8	Yes	Yes8	Yes	No	No
Archiving	Archiving with Explorer or Finder	Yes	Yes	Yes	Yes	No	No
	Archiving with 7zip	Yes	Yes	Yes1	Yes1	No	No
Copying or moving files on the endpoint device and generic apps	Using Explorer or Finder	Yes	Yes	Yes	Yes	Yes	Yes
	Using cmd.exe or PowerShell commands	Yes	Yes	N/A	N/A	No	No
	Using command line apps	Yes1	Yes	Yes1	Yes1	Yes	Yes
	Using any other apps	Yes1	Yes1	Yes1	Yes1	Yes	Yes
	Moving files to Recycle Bin or Trash	Yes	Yes	Yes	Yes	Yes	No
Uploading or downloading from the web	Uploading to supported browsers	Yes	Yes	Yes	Yes	Yes	Yes
	Downloading from supported browsers	Yes	Yes	Yes	Yes	Yes	Yes
	Inspecting Content and Tags in uploaded or downloaded files	Yes2	No	Yes2	No	Yes10	Yes10
Folder Operations
Copying or moving folders	Moving folders from one local drive to a different local drive, for example, from C:\ to D:\	Yes	Yes	Yes	No9	No	No
	Moving folders from local drive to USB and back	Yes	Yes	Yes	No9	No	No
	Moving folders from local drive to network share and back	Yes	Yes	Yes	No9	No	No
	Moving folders from local drive to cloud sync drive such as Google Drive and back	Yes	Yes	Yes	No9	No	No
	Moving folders from one USB to another USB	Yes	Yes	Yes	No9	No	No
	Moving folders from one network share to another network share	Yes	Yes	Yes	No9	No	No
	Moving folders within the same local drive, for example, from C:\* to C:\*	Yes	No7	Yes	No9	No	No
	Moving folders within the same USB	Yes	No7	Yes	No9	No	No
	Moving folders within the same network share	Yes	No7	Yes	No7	No	No
	Moving folders from a local drive C:\* to cloud sync folders on the same drive, for example, C:\users\*\OneDrive	Yes	No7	Yes	No9	No	No
	Moving folders from a local drive C:\*to cloud sync backup locations such as Documents, Desktop, etc.	Yes	No7	Yes	No9	No	No
Copy and Paste Operations
Copying and Pasting	Copying using keyboard shortcuts (Ctrl+C)	Yes	No	Yes	No	No	No
	Pasting using keyboard shortcuts (Ctrl+V)	Yes	No	Yes	No	No	No
	Copying using menus	Yes	No	Yes	No	No	No
	Pasting using menus	Yes6	No	Yes	No	No	No
Copying and pasting to apps	Copying and pasting to Outlook	Yes	No	No	No	No	No
	Copying and pasting to web apps on supported browsers	Yes	Yes	Yes12	Yes12	No	No
	Copying and pasting to all apps	Yes	No	Yes11	No	No	No
Print Operations
Printing	Printing to a physical printer on the network, or attached locally	Yes3	Yes3	Yes4	Yes4	No	No
File transfer using an external medium
Transferring files to removable media	Using Explorer or Finder	Yes	Yes	Yes	Yes	Yes	Yes
	Using other apps	Yes	Yes	Yes	Yes	No	No
Transferring files to Windows network drive	Using Explorer or Finder	Yes	Yes	Yes	No	No	No
	Using other apps	Yes	Yes	Yes	No	No	No
Transferring files to portable devices using media (MTP) and picture file transfer (PTP) protocols	Using Explorer or Finder	Yes	No	No	No	No	No
	Using other apps	No	No	No	No	No	No
Transferring files using FTP	Using Explorer or Finder	Yes	Yes	Yes	Yes	No	No
	Using other FTP clients	Yes1	Yes1	Yes1	Yes1	No	No
Transferring files using Bluetooth	Using Explorer or Finder	Yes	Yes	Yes	Yes	No	No

1. User action is recorded but not linked to the original document.
2. Content is only inspected when the policy action is set to Warn, and not Block. In cases where an upload or download action is blocked, inspection is based on previously scanned content or tags.
3. Limited to Microsoft Word, Microsoft Excel, and supported browsers. Learn about supported browsers: supported browsers.
4. The macOS Endpoint Sensor records print operations as a file open event against the printer process.
5. Tracing is limited to email attachments.
6. Review the full list of supported paste actions.
7. The following are the reasons why blocking is not supported in some cases when moving folders.
   • When folders are moved within the same drive, USB, or network share, there is no risk of data leaks, except in the case of cloud sync folders.
   • Moving folders within the same location is very fast (usually less than 1 second) and adding file checks could slow down the process significantly.
8. Tracing support for New Microsoft Outlook is limited to email attachments within domain accounts. For example, if the Cyberhaven add-in for the new Microsoft Outlook is deployed on a Microsoft account on cyberhaven.com domain, then only activities within that domain are tracked, regardless of any other configured accounts.
9. Blocking move folder operations on macOS is currently disabled starting with version 24.09 due to potential performance impact. This feature can be re-enabled through a configuration change. If you would like to enable this feature, contact Cyberhaven Support.
10. On Linux, tracing and blocking are supported through content inspection, but this functionality does not extend to Tags.
11. macOS tracing of copy and paste action from any app has the following limitations,
    • When sensitive content is pasted into a new or existing file that has not yet been saved, the copy/paste action is traced and recorded. However, content inspection will not include the pasted sensitive data until the file is saved. This is because content inspection is performed on the file on disk, not in memory.
    • Events generated from copy/paste actions traced for new, unsaved files will not contain file name or path information. Once the file is saved, actions performed on it are treated as separate events, and the data lineage is not linked to the initial copy/paste action.
    • Some applications may force-disable the ability to track copy and paste actions, preventing the sensor from tracing these actions.
    • Tracing in non-browser applications is reliably supported only for applications using the English language.
12. Event tracing is not supported between Incognito and non-Incognito windows of the same browser session. However, tracing functions correctly between Incognito windows within the same session and between Incognito windows and other processes, even those in separate browser sessions.

NOTE

The Endpoint Sensor can only record upload events as app access (open) events for unsupported browsers. As a result, the sensor captures the destination application, causing the events to display the destination files as .exe files.

Change Log

• Updated on 03/24/2025: Added a footnote to macOS copy-pasting to browser.
• Updated on 03/14/2025: Added macOS tracing support for copy-paste to all apps.
• Updated on 02/20/2025: Removed the following from “Accessing files in generic apps”.
  • Editing and saving a file in apps
  • Performing "Save As" or "Export" operations in apps
• Updated on 01/22/2025: Added Linux blocking coverage.
• Updated on 01/14/2025: Added condition no. 9 to the coverage table and updated macOS blocking coverage for folder operations.