Data Control Not Working

Question

Is anyone else experiencing issues with Data Control policies not working ? During an external audit, we discovered both ssn and credit card numbers were able to bypass the policies we had set in place. These policies had worked before. Now, I get to pull all emails matching the polices via Exchange. We have bank account policies that we will test next. We called Sophos, and they are going to investigate.

Software engine	v4.5.0.1
Threat definitions	558000.0.20190222.156

This thread was automatically locked due to age.

Software engine 
 v4.5.0.1

Threat definitions 
 558000.0.20190222.156

Red_Warrior · Answer

Hi John, 
 
 I had a look at your appliance:

Your issue is with rule number 3 and 4 
 
 lets address number 3 first 
 configuration / policy / data control / outbound 
 click rule #3 
 under rule config 
 select CCL tab 
 
 You have 3 different rules here with varying quantity. 
 ie: 3 rules for bank account numbers / information 
 global credit card 
 and international banking numbers. 
 
 the larger issue is at the bottom where you have "2 of the ccls must match" 
 
 In order for this rule to ever trigger you must match rules in its entirety... including ALL criteria. 
 
 For example: 
 if bank account details needs. 
 fname mnam lname address 1 address 2 postal .. etc ect .. 
 with a qty of 3.. 
 in order for this to ever hit you must have 3 complete records... then 3 record MUST match. 
 
 because you also have a qty of 2 .. that means that 2 separate rules must match completely, including all hits and required numbers. 
 
 In order to fix this.. 
 separate the banking / credit card and global into 3 rules. 
 leave the qtys at the default 
 make sure the number of rules to match is 1 
 
 I would avoid using global qualifiers as the chance of FP is higher. 
 I would also avoid rejecting the mail unless you have rules on your exchange server to handle such rejection notices. (you may wish to discard or quarantine the message) then under the additional actions create a rule to notify the sender .. this will tell postmaster to actually generate a new message and deliverer it back to the user.. so exchange will see it as a "normal" message. 
 
 It's important to also note, DLP rules are not designed to catch a single instance of anything.. they are more meant to help prevent data dump-age.. (doesn't mean you cant of course, but you will need to be aware that your chance for a false positive is greater, and the recommended quantities are apart of how the rule actually works) .. so if its 10, and you change it to 1.. you can expect more FP's, than if you change it to 7 or 5. 
 
 In your case the reason your dkim rule is hitting is because its tagging everything, I would expect that .. the stuff your seeing in the logs from outputting the hits are partial hits.. If ALL of the hits were noted then the "main action" of the message would hit on your DLP rules) 
 
 keep in mind any change to DLP rules can take up to 10 whole mins to take effect.. if you make or change rules ensure you leave enough time for the milter to restart and the appliance to reload all of the policy.