Exam ZDTE Topic 1 Question 57 Discussion
Actual exam question for Zscaler's ZDTE exam
Question #: 57
Topic #: 1
Question #: 57
Topic #: 1
A security analyst is configuring Zscaler Data Loss Prevention (DLP) policies and wants to ensure that sensitive files are accurately identified and inspected. They ask about the methods Zscaler DLP uses to inspect files and detect potential data leaks.
What are the three levels of inspection that Zscaler DLP employs to accurately identify and inspect files?
What are the three levels of inspection that Zscaler DLP employs to accurately identify and inspect files?
Suggested Answer: B Vote an answer
The Data Protection section of the Zscaler Digital Transformation study guide explains that, before applying DLP dictionaries, IDM/EDM, or OCR, Zscaler must reliably determine the actual file type being inspected.
To prevent simple evasion techniques (for example, renaming an executable to .pdf), Zscaler performs a three-layer file-type inspection.
The documentation states that Zscaler first examines the file's "magic bytes" (the signature in the file header), then validates the MIME type reported by the content, and finally compares these to the file extension seen in the transaction. This layered approach ensures that if a user tampers with the extension or the declared MIME type, the underlying binary signature will still reveal the true file type, allowing the correct DLP engine and policy to be applied.
Other attributes like encryption status are indeed considered elsewhere in the DLP workflow (for example, to understand if a file can be decrypted or inspected), but the study guide is explicit that the three levels of file- type inspection are Magic Bytes, MIME type, and file extension, matching option B.
To prevent simple evasion techniques (for example, renaming an executable to .pdf), Zscaler performs a three-layer file-type inspection.
The documentation states that Zscaler first examines the file's "magic bytes" (the signature in the file header), then validates the MIME type reported by the content, and finally compares these to the file extension seen in the transaction. This layered approach ensures that if a user tampers with the extension or the declared MIME type, the underlying binary signature will still reveal the true file type, allowing the correct DLP engine and policy to be applied.
Other attributes like encryption status are indeed considered elsewhere in the DLP workflow (for example, to understand if a file can be decrypted or inspected), but the study guide is explicit that the three levels of file- type inspection are Magic Bytes, MIME type, and file extension, matching option B.
by Muriel at Jan 09, 2026, 07:04 PM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).