Thomas - that is a great perspective & it did got me thinking for a while. Cause normally I would disable GET requests when working with a 'web prevent' however even an Endpoint Agent does capture a GET?
This changes the basis, a bit for me, when designing architectures. Thus, I did some research of my own - exported the agent configuration by querying the cg.ead using vontu_sqlite3 and found the below entry in the config file:
EnableHTTPGET int 0
You're seem to be right - yes there is a value on the agent as well to monitor GETs. However is disabled by default.
I also performed a few quick tests by trying to download an attachment vs. upload (ofcourse with a atachment only keywords policy) - and mine triggered only when uploading and not downloading. Has someone else, had a different result? please let me know as I am sincerely curious to know (how it works)
Unless otherwise, to my knowledge simple - policy based control with the default GET off should do the trick like I mentioned in my earlier post & I do stand to be corrected.
Let me know & it was great learning Thomas. Cheers!!!