
Data Loss Prevention

Good morning community and thanks in advance.

While testing the potential of Sophos Endpoint Protection, in the Data Loss Prevention section of the endpoint policies, I cloned the base policy and started working with the new cloned policy.

In it I activated "Use rules for data transfers" and added a new rule ("New File Rule: a rule that controls transfer of certain file types or names").

I filled in the basic information; under conditions I selected "Where the file type matches...", "Where the file name matches..." and "Where the destination is..." (Required), and under actions "Block transfer".

In conditions I checked all of them, for testing.

And for the destination, all the "Storage" options.

And for the action, "Block transfer".

I finalized the rule and saved the changes.

And in the "Policy Enforced" section I enabled it.

To test it, I connected a USB drive to my PC and transferred a file; it let me transfer the file without any problem. In principle this should not happen.

Can anyone help me find where the problem is?



C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\DATCAdapterConfig

is the policy that should have been picked up by the client from Sophos Central. Does that look correct?

    This policy is applied by SAVService.exe and should be stored in C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml.

If you copy this to the desktop and open it, do you see the DataControl section with all the rules? That, as a start, would show it was enabled.

The Sophos UI (Settings) should also show whether Data Control is on or off, if Tamper Protection is disabled so that you can see the Settings.

Other than that, it is worth checking with a tool like Process Explorer that Sophos_detoured_x64.dll has been injected by SophosED.sys into the Explorer.exe process.

This DLL should be injected, as they start, into all processes listed in the registry value DlpProcesses under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config

    At the time of writing these include:

    EXPLORER.EXE
    IEXPLORE.EXE
    FIREFOX.EXE
    OUTLOOK.EXE
    MSIMN.EXE
    WINMAIL.EXE
    COMMUNICATOR.EXE
    THUNDERBIRD.EXE
    CONNECT.EXE
    WBXCOIEX.EXE
    CHROME.EXE
    MSEDGE.EXE
    SKYPE.EXE
    NOTES.EXE
    VIVALDI.EXE
    PLUGIN-CONTAINER.EXE

    Hope it helps.

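The checks described in the reply above, as an added PowerShell example that is not part of the original thread: it looks for the adapter policy file, searches a copy of machine.xml for the DataControl section, reads the DlpProcesses registry value and checks whether the hook DLL is loaded in every running explorer.exe. The file paths, registry key, DLL name and the element name DataControl are the ones the reply gives; the temp-copy location, the way rule elements are counted (all descendants of DataControl) and the output wording are my assumptions. The script only reads; it changes nothing on the endpoint.

```powershell
# Added example, not Sophos' own tooling. Run from an elevated 64-bit PowerShell.
# Paths, key and DLL name are from the reply above; everything else is assumed.

$adapterCfg = 'C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\DATCAdapterConfig'
$machineXml = 'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml'
$regKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config'
$dllName    = 'Sophos_detoured_x64.dll'

# 1. Has the endpoint received the DLP policy from Central at all?
if (Test-Path -LiteralPath $adapterCfg) {
    $item = Get-Item -LiteralPath $adapterCfg
    Write-Host ("[1] Adapter policy present, last written {0}, {1} bytes" -f $item.LastWriteTime, $item.Length)
} else {
    Write-Warning "[1] $adapterCfg not found; the client may not have picked up the policy from Central"
}

# 2. Has SAVService applied it? The reply says to copy machine.xml out and open the copy,
#    so copy to %TEMP% (assumed location) and parse that.
if (Test-Path -LiteralPath $machineXml) {
    $copy = Join-Path $env:TEMP 'machine.xml'
    Copy-Item -LiteralPath $machineXml -Destination $copy -Force
    [xml]$cfg = Get-Content -LiteralPath $copy -Raw
    $dc = $cfg.SelectNodes('//*[local-name()="DataControl"]')
    if ($dc.Count -gt 0) {
        # Assumed: each rule appears as an element somewhere under DataControl.
        $elements = $dc[0].SelectNodes('.//*').Count
        Write-Host ("[2] DataControl section found, {0} elements beneath it" -f $elements)
    } else {
        Write-Warning "[2] No DataControl section in machine.xml; the policy has not been applied by SAVService"
    }
} else {
    Write-Warning "[2] $machineXml not found"
}

# 3. Which processes is the DLP hook expected to be injected into?
$dlp = (Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue).DlpProcesses
if ($dlp) {
    Write-Host ("[3] DlpProcesses: {0}" -f (@($dlp) -join ', '))
} else {
    Write-Warning "[3] DlpProcesses value not found under $regKey"
}

# 4. Is the hook DLL actually loaded in explorer.exe right now?
#    Module lists are only readable from a PowerShell of the same bitness as the target.
$explorers = @(Get-Process -Name explorer -ErrorAction SilentlyContinue)
if ($explorers.Count -eq 0) { Write-Warning "[4] explorer.exe is not running" }
foreach ($p in $explorers) {
    try {
        $hooked = $p.Modules | Where-Object { $_.ModuleName -ieq $dllName }
    } catch {
        Write-Warning ("[4] PID {0}: cannot read modules ({1}); use 64-bit PowerShell" -f $p.Id, $_.Exception.Message)
        continue
    }
    if ($hooked) {
        Write-Host ("[4] PID {0}: {1} loaded from {2}" -f $p.Id, $dllName, $hooked.FileName)
    } else {
        Write-Warning ("[4] PID {0}: {1} NOT loaded; Explorer copies to USB will not be intercepted" -f $p.Id, $dllName)
    }
}
```

Read the output from the top: a missing adapter file means the policy never arrived, a missing DataControl section means it arrived but was not applied, and a missing DLL in explorer.exe means the hook that enforces the rule is not in place. Note also that the DlpProcesses list names the only processes that get the hook, so a test copy done from something not on that list (a command prompt, for example) is not a valid test of the rule; copy the file with Explorer.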