Employees of a modern organization often have access to files including information concerning various significant business aspects of the organization. This information may include data on customers (or patients), contracts, deliveries, supplies, employees, manufacturing, or the like. Existing security techniques typically scan data as it is leaving an endpoint system to prevent loss of sensitive information. The above scanning relies on the ability of the endpoint system to intercept and parse data being output from a program. In some cases, however, the format of data intercepted by the endpoint system may not be known or a program may encrypt the data prior to outputting it. In addition, the endpoint system may not always be able to intercept data being output by a program.
An endpoint system may address the above limitations by preventing certain applications from accessing files that contain confidential information. For example, an endpoint system may block access to files containing confidential information by such applications as CD or DVD burning applications, compression or fingerprinting applications, etc. However, blocking of application file access incurs a false positive penalty. In particular, an application does not always access a file with intent to manipulate the file's data. Instead, an application may merely scan the metadata of a file, without opening the file for viewing or editing (e.g., to determine the file's properties for directory presentation reasons, etc.).