Data Loss Prevention

Question

Good morning community and thanks in advance. 
 While testing and testing the potential of sophos EndPoint protection, in the Data Loss Prevention section of the enpoint policies, I cloned the base policy and started working with a new cloned policy. 
 In which I activated "Use rules for data transfers" and added a new rule ("New File Rule, A rule that controls transfer of certain file types or names"). 
 Fill in the basic information, in conditions select "Where the file type matches.... Where the file name matches... Required Where the destination is...", in actions "Block transfer". 
 In conditions I have checked all of them to test. 
 And in the destination, all the options of "storage". 
 And in action "Block tranfer". 
 I finalize the rule, save the changes. 
 And in the section "Policy Enforced" I activate it. 
 To test it, I connect a USB to my pc and transfer some file, it lets me transfer the file without any problem. In principle this should not be the case. 
 Can anyone help me where is the problem?

Sophos User930 · Answer

C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\DATCAdapterConfig 
 Is the policy that should have been picked up by the client from Sophos Central. Does that look correct? 
 This policy is applied by SAVService.exe and should be stored in C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml. 
 If you "Copy" this to the desktop. If you open it, do you see the DataControl section with all the rules? 
 
 as a start would show it was enabled. 
 The Sophos UI - Settings should also show Data Control is on/off if Tamper Protection is disabled so you can see the Settings. 
 
 Other than that, worth checking that, with a tool like Process Explorer, the Sophos_detoured_x64.dll has been injected by SophosED.sys into the Explorer.exe process: 
 
 This DLL should be injected into all processes as they start that are in the registry value DlpProcesses under: 
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\saervices\Sophos Endpoint Defense\Scanning\Config 
 At the time of writing these include: 
 EXPLORER.EXE IEXPLORE.EXE FIREFOX.EXE OUTLOOK.EXE MSIMN.EXE WINMAIL.EXE COMMUNICATOR.EXE THUNDERBIRD.EXE CONNECT.EXE WBXCOIEX.EXE CHROME.EXE MSEDGE.EXE SKYPE.EXE NOTES.EXE VIVALDI.EXE PLUGIN-CONTAINER.EXE 
 Hope it helps.

Data Loss Prevention

Top Replies