Hello! First of all, i'm realy sorry for my bad english! I hope that some people car excuse me and try to help me ;) I'm tring to create some DLP rules. My first step was to create content control lists in Global settings > Data Loss Prevention > Content control lists with parameters : MATCHING CRITERIA : Any of these terms TERMS : .*T[0-9]{0,14}.* OR .*REPODOO[0-9]{0,5}.* My second step was to create a rule in Global settings > Data Loss Prevention > Content control lists with parameters : CONDITIONS Required Where the file contains... AND Where the destination is... CONDITIONS File Contains: MyList Destination is: ALL ACTION Allow transfer if user confirms My third step was to create a policies in Endpoint Protection > Policies > Data Loss Prevention wich call MyRule and that i'm trying to appli to my computer or my user BUT, i'm never get any popup to prevent DLP. I'm look in HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\DataControl and i can see some file that mention MyRule. BUT angain, i'm never get any popup to prevent DLP. Can someone help me out? Thanks in advance

That is good to confirm. Can you now create a simple content rule without regex to see if that is also ok?

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How DLP works?

Xavier Francois over 1 year ago

Hello!

First of all, i'm realy sorry for my bad english! I hope that some people car excuse me and try to help me ;)

I'm tring to create some DLP rules.

My first step was to create content control lists in Global settings > Data Loss Prevention > Content control lists with parameters :

MATCHING CRITERIA : Any of these terms
TERMS : .*T[0-9]{0,14}.* OR .*REPODOO[0-9]{0,5}.*

My second step was to create a rule in Global settings > Data Loss Prevention > Content control lists with parameters :

CONDITIONS Required Where the file contains... AND Where the destination is...
CONDITIONS File Contains: MyList Destination is: ALL ACTION Allow transfer if user confirms

My third step was to create a policies in Endpoint Protection > Policies > Data Loss Prevention wich call MyRule and that i'm trying to appli to my computer or my user

BUT, i'm never get any popup to prevent DLP.

I'm look in HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\DataControl and i can see some file that mention MyRule.

BUT angain, i'm never get any popup to prevent DLP.

Can someone help me out?

Thanks in advance

This thread was automatically locked due to age.

Top Replies

Sophos User930 over 1 year ago in reply to Xavier Francois +1 verified

That is good to confirm. Can you now create a simple content rule without regex to see if that is also ok?

0 Sophos User930 over 1 year ago

Have you tried a more simple filename matching rule just to confirm that works? A regex content rule could have a few issues but a filename matching one would test quite a bit of the process first. Thanks.
Cancel
Vote Up 0 Vote Down

Cancel
0 Xavier Francois over 1 year ago in reply to Sophos User930

Hi!

Thanks for your answer.

I just try to implement a rule wich ask an user confirmation in case of filename contains "client" and it's work just like expected.
Cancel
Vote Up 0 Vote Down

Cancel
+1 Sophos User930 over 1 year ago in reply to Xavier Francois

That is good to confirm. Can you now create a simple content rule without regex to see if that is also ok?
Cancel
Vote Up +1 Vote Down

Cancel
0 Xavier Francois over 1 year ago in reply to Sophos User930

This don't work.

I made 1 first rule (with only a part of a line in my file) wich based on this list :

appli, update, see this new rule in windows registery, try but don't work. so i try an other :

but result is the same..
Cancel
Vote Up 0 Vote Down

Cancel
0 Sophos User930 over 1 year ago in reply to Xavier Francois

What is the destination our of interest? A file going to removable storage? Can you try dragging the test file that matches onto Chrome.exe if that is also a destination for the rule?
Cancel
Vote Up 0 Vote Down

Cancel
0 Sophos User930 over 1 year ago in reply to Sophos User930

I created a simple content matching rule, perhaps best described in terms of the registry:

Simple CCL expression:

Created a text file C:/Users/Administrator/Desktop/test.txt with the text wibblewobble.
Dragged this file onto Internet Explorer (I was on a 2016 server)

I turned up the logging of SFS and SSP to debug, for a second while I performed the test,

SFS log: "C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log"
SSP log: "C:\ProgramData\Sophos\Endpoint Defense\Logs\ssp.log"

With Debug logging they fill/rotate quickly, so after the test I would change them back to defaults straight away.

In the SSP.log I see the result of the DLP scan:

2023-08-04T17:17:47.368Z [ 2480:65288] D Received reply message: {"metadata":{"isFiltered":false,"returnedResults":1,"sfsConfigHash":"6528fc873559f59cabd769ce69ba6cded4f1af488aafbb040de4d80d7852bc8c","totalResults":1,"uniquePaths":1},"results":[{"analyzers":{"dlp":[[{"ccl":"My test content CCL","matches":1,"score":1,"triggered":true}]]},"path":"C:/Users/Administrator/Desktop/test.txt","tftClassifications":[{"description":"ASCII text / 8-bit Unicode Transformation Format","group":"Plain text","name":"TFT/UTF8-A","threatLevel":2,"typeId":"ASCII/UTF-8"},{"description":"TEXT","group":"TEXT","name":"TEXT","threatLevel":0,"typeId":"TEXT"}]}]}

In the SSP.log, all lines related to DLP contain the string:

[DLP]

I hope that helps.
Cancel
Vote Up 0 Vote Down

Cancel
0 Xavier Francois over 1 year ago in reply to Sophos User930

Hello, and sorry for the delay in response.

I finally managed to get the alerts working after deleting everything I had done and starting over from scratch. However, I proceeded differently this time. I only created my list, and then from the policy section, I created my rule, and it worked as I intended.

Thank you for your help!
Cancel
Vote Up 0 Vote Down

Cancel