Data Loss Prevention - can't get policy to work

Hi,

thanks for helping:

I am currently testing the DLP features of Sophos Endpoint but can't get any rule to work. I have even established a file-based rule which I would expect to trigger in any case:

Allow transfer if user confirms

File type matches: spreadsheet

Destination is: [everything; email client, storage, voip, etc.]

Action: Allow transfer if user confirms

I have tried copying around a spreadsheet (xlsx) with sample data (to a removable drive, USB, E-Mail-Message, Signal Messenger) and there's no reaction, pop-up, message or whatever.

I have checked the user: policy applied and enforced

I have updated the Sophos Endpoint Client and checked with the self-help tool: Updates/Policies applied

What am I missing here? Do DLP policies need some time until they are triggered or become fully active? Does implementing a policy need a reboot to activate the policy? I'm really frustrated.



  • Hi Foxbot,

    Thanks for reaching out to the Sophos Community Forum. 

    Are you seeing any block events generated on the endpoint's local events log from the Sophos UI or in Sophos Central?

    Try checking the following registry location to see if you can verify that the DLP rules are applied.
    - HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\DataControl

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Thanks for your quick reply.

    Are you seeing any block events generated on the endpoint's local events log from the Sophos UI or in Sophos Central?

    No, unfortunately not.

    Try checking the following registry location to see if you can verify that the DLP rules are applied.
    - HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\DataControl

    That's odd (if I interpret this correctly):

    The reg-key says 20221216203255770780 (so I assume that last update was on 2022-12-16 at 20:32 hrs) but the self-help tool says the Sophos Adapter received policies by 21:32:55 ??

    But in any case: even around 20:32 something should have happened as there also was an active policy featuring "spreadsheets"...

  • Checking the sub-keys in the location will allow you to see more specifics on how the rule is configured.

    You can try stopping and re-starting the "Sophos MCS Client" and "Sophos MCS Agent" services to see if this kicks off communication once again. A reboot will also trigger a full policy render on the endpoint when it checks in to Sophos Central.

    Kushal Lakhan
    Team Lead, Global Community Support
  • I did a full reboot now (2022-12-17, 05:32 am) and this is what I see:

    There is a file_rule now for spreadsheets - but the regkey says it is from 202212162100.... Still, the Endpoint's Self Help Tool states under "Policies" that Sophos Adapter received policies last at Dec 16, 22:00:57.

    Furthermore, even with this policy - I suspect it shall trigger every time a spreadsheet is copied around or someone tries to attach it to an e-mail (I use Outlook) in any way - nothing happens (no pop-up, no alert in Sophos Central or at the Endpoint).
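
The registry and service checks discussed above can be scripted as one read-only pass. This is an added example, not part of the original posts and not Sophos code. The function names are hypothetical, and reading an all-digit value as a UTC `yyyyMMddHHmmss` timestamp is an assumption (it would be consistent with the one-hour gap reported between the registry value and the self-help tool), not documented behaviour.

```powershell
# Added example: read-only inspection, run from an elevated PowerShell prompt.
$root = 'HKLM:\SOFTWARE\Sophos\Management\Policy\DataControl'   # path from the thread

function Convert-PolicyStamp {
    param([string]$Value)
    # Assumption: an all-digit value of 14-20 digits starts with yyyyMMddHHmmss
    # and is recorded in UTC; the remaining digits are ignored.
    if ($Value -notmatch '^\d{14,20}$') { return $null }
    $styles = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    $utc = [datetime]::MinValue
    $ok = [datetime]::TryParseExact($Value.Substring(0, 14), 'yyyyMMddHHmmss',
        [cultureinfo]::InvariantCulture, $styles, [ref]$utc)
    if ($ok) { return $utc.ToLocalTime() }   # shown in the endpoint's local time zone
    return $null
}

function Get-DataControlPolicy {
    param([string]$Path = $root)
    if (-not (Test-Path $Path)) {
        Write-Warning "Key not found: $Path (no DLP policy rendered on this endpoint?)"
        return
    }
    # The key itself plus every sub-key, where the individual rules are stored.
    $keys = @(Get-Item $Path) + @(Get-ChildItem $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $raw = [string]$key.GetValue($name)
            [pscustomobject]@{
                Key       = $key.Name
                Value     = if ($name) { $name } else { '(default)' }
                Data      = if ($raw.Length -gt 60) { $raw.Substring(0, 60) + '...' } else { $raw }
                LocalTime = Convert-PolicyStamp $raw
            }
        }
    }
}

Get-DataControlPolicy | Format-List

# State of the two services named in the thread (display names as posted).
Get-Service -DisplayName 'Sophos MCS Client', 'Sophos MCS Agent' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Status, StartType
```

Comparing the `LocalTime` column with the "policies received" time in the self-help tool shows whether the rendered policy is actually stale or only displayed in a different time zone.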

  • I am able to replicate this issue as well. The Outlook app does not generate the prompt to allow/block the transfer, whereas transferring files to removable media does. 

    I'd suggest raising a support case in relation to this issue. If you can provide me with your case ID via private message, I can follow up to add notes based on our findings here as well.

    Kushal Lakhan
    Team Lead, Global Community Support