thanks for helping:
I am currently testing the DLP features of Sophos Endpoint but can't get any rule to work. I have even established a file based rule which I would expect to trigger in any case:
Allow transfer if user confirms
File type matches: spreadsheet
Destination is: [everything; email client, storage, voip, etc.etc]
Action: Allow transfer if user confirms
I have tried copying around a spreadsheet (xlsx) with sample data (to a removable drive, USB, E-Mail message, Signal Messenger) and there's no reaction, pop-up, message or whatever.
I have checked the user: policy applied and enforced
I have updated the Sophos Endpoint Client and checked with the self-help tool: Updates/Policies applied
What am I missing here? Do DLP policies need some time until they are triggered or become fully active? Does implementing a policy need a reboot to activate the policy? I'm really frustrated.
Thanks for reaching out to the Sophos Community Forum.
Are you seeing any block events generated on the endpoint's local events log from the Sophos UI or in Sophos Central?
Try checking the following registry location to see if you can verify that the DLP rules are applied: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\DataControl
Thanks for your quick reply.
Qoosh said: Are you seeing any block events generated on the endpoint's local events log from the Sophos UI or in Sophos Central?
No, unfortunately not.
Qoosh said: Try checking the following registry location to see if you can verify that the DLP rules are applied: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\DataControl
That's odd (if I interpret this correctly):
The reg-key says 20221216203255770780 (so I assume that last update was on 2022-12-16 at 20:32 hrs) but the self-help tools says the Sophos Adapter received policies by 21:32:55 ??
But in any way: even around 20:32 something should have happened, as there also was an active policy featuring "spreadsheets"...
Checking the sub-keys in the location will allow you to see more specifics on how the rule is configured.
You can try stopping and re-starting the "Sophos MCS Client" and "Sophos MCS Agent" services to see if this kicks off communication once again. A reboot will also trigger a full policy render on the endpoint when it checks in to Sophos Central.
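As an added diagnostic (not Sophos' own tooling and not part of this thread's answers), the following PowerShell dumps every value under the DataControl key and its sub-keys, decodes any 20-digit stamp like the 20221216203255770780 seen above, and lists the MCS services mentioned here. It assumes the stamp's first 14 digits are yyyyMMddHHmmss recorded in UTC (which would account for a one-hour offset against the Self Help tool on a UTC+1 endpoint); the value and sub-key names are enumerated rather than assumed.

```powershell
# Added diagnostic script; assumptions: stamp values are yyyyMMddHHmmss + extra
# digits, recorded in UTC. Run in an elevated PowerShell on the endpoint.
$PolicyKey = 'HKLM:\SOFTWARE\Sophos\Management\Policy\DataControl'

function Get-DlpPolicyState {
    param([string]$Path = $PolicyKey)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key not found: $Path - the DLP policy has not rendered on this endpoint"
        return
    }
    # Root key plus every sub-key (e.g. the file_rule entries mentioned in the thread)
    $keys = @(Get-Item -Path $Path) +
            @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key.PSPath
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
            $raw      = [string]$props.$name
            $stampUtc = $null
            if ($raw -match '^(\d{14})\d*$') {
                # Decode the 14-digit prefix; treating it as UTC is an assumption
                $dt       = [datetime]::ParseExact($Matches[1], 'yyyyMMddHHmmss',
                                                   [cultureinfo]::InvariantCulture)
                $stampUtc = [datetime]::SpecifyKind($dt, 'Utc')
            }
            [pscustomobject]@{
                Key                 = $key.PSPath -replace '^.*::', ''
                Value               = $name
                Data                = $raw
                StampUtc            = $stampUtc
                StampLocal          = if ($stampUtc) { $stampUtc.ToLocalTime() } else { $null }
                MentionsSpreadsheet = ($raw -match 'spreadsheet')
            }
        }
    }
}

# 1. What the endpoint actually rendered and when: compare StampLocal with the
#    "received policies" time shown by the Self Help tool.
Get-DlpPolicyState | Format-Table -AutoSize

# 2. The services that fetch policy from Central; check their state before
#    restarting them as suggested above.
Get-Service -DisplayName 'Sophos MCS Client', 'Sophos MCS Agent' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Status
```

If no row has MentionsSpreadsheet set to True after a reboot, the spreadsheet rule never reached the endpoint and the problem is policy delivery rather than enforcement.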
I did a full reboot now (2022-12-17, 05:32 am) and this is what I see:
There is a file_rule now for spreadsheets - but the regkey says it is from 202212162100.... Still, the Endpoint's Self Help Tool states under "Policies" that Sophos Adapter received policies last at Dec 16, 22:00:57.
Furthermore, even with this policy - I suspect it shall trigger every time a spreadsheet is copied around or attached to an e-mail (I use Outlook) in any way - nothing happens (no pop-up, no alert in Sophos Central or at the Endpoint).
I am able to replicate this issue as well. The Outlook app does not generate the prompt to allow/block the transfer, whereas transferring files to removable media does.
I'd suggest raising a support case in relation to this issue. If you can provide me with your case ID via private message, I can follow up to add notes based on our findings here as well.
I am having the exact same error: anything I try with DLP doesn't work. I created a policy per computer, selected block file types Images, Text and Spreadsheets on any client (email, web, USB), but it doesn't block anything even though the policy is enabled.
This seems to have a bug.