Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 17 subscribers
  • Views 3010 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Data Loss Prevention

PaLmd

Good morning community and thanks in advance.

While testing and testing the potential of sophos EndPoint protection, in the Data Loss Prevention section of the enpoint policies, I cloned the base policy and started working with a new cloned policy.

In which I activated "Use rules for data transfers" and added a new rule ("New File Rule, A rule that controls transfer of certain file types or names").

Fill in the basic information, in conditions select "Where the file type matches....
Where the file name matches...
Required
Where the destination is...", in actions "Block transfer".

In conditions I have checked all of them to test.

And in the destination, all the options of "storage".

And in action "Block tranfer".

I finalize the rule, save the changes.

And in the section "Policy Enforced" I activate it.

To test it, I connect a USB to my pc and transfer some file, it lets me transfer the file without any problem. In principle this should not be the case.

Can anyone help me where is the problem?



This thread was automatically locked due to age.
Parents
  • 0

    C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\DATCAdapterConfig

    Is the policy that should have been picked up by the client from Sophos Central.  Does that look correct?

    This policy is applied by SAVService.exe and should be stored in C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml.

    If you "Copy" this to the desktop. If you open it, do you see the DataControl section with all the rules?

    as a start would show it was enabled.

    The Sophos UI - Settings should also show Data Control is on/off if Tamper Protection is disabled so you can see the Settings.

    Other than that, worth checking that, with a tool like Process Explorer, the Sophos_detoured_x64.dll has been injected by SophosED.sys into the Explorer.exe process:

     

    This DLL should be injected into all processes as they start that are in the registry value DlpProcesses under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\saervices\Sophos Endpoint Defense\Scanning\Config

    At the time of writing these include:

    EXPLORER.EXE
    IEXPLORE.EXE
    FIREFOX.EXE
    OUTLOOK.EXE
    MSIMN.EXE
    WINMAIL.EXE
    COMMUNICATOR.EXE
    THUNDERBIRD.EXE
    CONNECT.EXE
    WBXCOIEX.EXE
    CHROME.EXE
    MSEDGE.EXE
    SKYPE.EXE
    NOTES.EXE
    VIVALDI.EXE
    PLUGIN-CONTAINER.EXE

    Hope it helps.

  • 0 in reply to Sophos User930

    Hi

    Could you please let us know if you have tried the above steps and still facing the issue? 

    Shweta

    Community Support Engineer | Sophos Technical Support
    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
    The New Home of Sophos Support Videos! - Visit Sophos Techvids
  • 0 in reply to Shweta

    So this should be done on every PC ??? 

    Facing the same challenge

Reply Children
No Data
Unfiltered HTML