
How does DLP work?

Hello!

First of all, I'm really sorry for my bad English! I hope that some people can excuse me and try to help me ;)

I'm trying to create some DLP rules.

My first step was to create content control lists in Global settings > Data Loss Prevention > Content control lists with parameters:

  • MATCHING CRITERIA: Any of these terms
  • TERMS: .*T[0-9]{0,14}.* OR .*REPODOO[0-9]{0,5}.*

My second step was to create a rule in Global settings > Data Loss Prevention > Content control lists with parameters:

  • CONDITIONS Required Where the file contains... AND Where the destination is...
  • CONDITIONS File Contains: MyList Destination is: ALL ACTION Allow transfer if user confirms

My third step was to create a policy in Endpoint Protection > Policies > Data Loss Prevention which calls MyRule and that I'm trying to apply to my computer or my user.

BUT I never get any DLP prevention popup.

I looked in HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\DataControl and I can see some files that mention MyRule.

BUT again, I never get any DLP prevention popup.

Can someone help me out?

Thanks in advance
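The two CCL terms above are written as regular expressions. The added example below (not from the original post or from Sophos) runs them against a few constructed text fragments to show what they actually match; it assumes the DLP engine evaluates each term as a Perl-style, case-sensitive regex with search semantics, which the thread does not confirm. Because `[0-9]{0,14}` allows zero digits, the first term fires on any text containing a capital T, so a tightened variant requiring at least one digit is shown alongside for comparison.

```python
import re

# The two terms from the original post's content control list (CCL).
# Assumption (not confirmed by the thread): the DLP engine evaluates each
# term as a Perl-style regular expression with case-sensitive search semantics.
CCL_TERMS = [r".*T[0-9]{0,14}.*", r".*REPODOO[0-9]{0,5}.*"]

# A tightened variant, added here for comparison only: at least one digit must
# follow the prefix and the token must stand on its own (word boundaries).
TIGHTER_TERMS = [r"\bT[0-9]{1,14}\b", r"\bREPODOO[0-9]{1,5}\b"]

def matching_terms(terms, text):
    """Return the terms (as written) that match somewhere in text."""
    return [t for t in terms if re.search(t, text)]

def classify(samples, terms):
    """Map each sample string to the number of terms it matches."""
    return {s: len(matching_terms(terms, s)) for s in samples}

# Constructed sample document fragments, not taken from the thread.
SAMPLES = [
    "Ticket T12345 opened",          # intended hit: T followed by digits
    "Ref REPODOO42 attached",        # intended hit: REPODOO followed by digits
    "Thanks, see you Tuesday",       # no identifier, but contains a capital T
    "please review before friday",   # no capital T, no REPODOO
]

if __name__ == "__main__":
    for name, terms in (("original", CCL_TERMS), ("tighter", TIGHTER_TERMS)):
        print(f"--- {name} terms ---")
        for sample, n in classify(SAMPLES, terms).items():
            print(f"{n} match(es): {sample!r}")
```

With the original terms, "Thanks, see you Tuesday" counts as a hit because of the capital T in "Thanks"; with the tightened terms it does not, while the two intended identifiers still match.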



  • Have you tried a simpler filename matching rule just to confirm that works? A regex content rule could have a few issues but a filename matching one would test quite a bit of the process first. Thanks.

  • Hi!

    Thanks for your answer.

    I just tried to implement a rule which asks for user confirmation in case the filename contains "client", and it works just as expected.

  • That is good to confirm. Can you now create a simple content rule without regex to see if that is also ok?

  • This doesn't work.

    I made a first rule (with only a part of a line in my file) which is based on this list:

    Applied, updated, saw this new rule in the Windows registry, tried, but it doesn't work. So I tried another:

    But the result is the same.

  • What is the destination of interest? A file going to removable storage? Can you try dragging the test file that matches onto Chrome.exe if that is also a destination for the rule?

  • I created a simple content matching rule, perhaps best described in terms of the registry:



    Simple CCL expression:



    Created a text file C:/Users/Administrator/Desktop/test.txt with the text wibblewobble.
    Dragged this file onto Internet Explorer (I was on a 2016 server) 

    I turned up the logging of SFS and SSP to debug for a second while I performed the test.



    SFS log: "C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log"
    SSP log: "C:\ProgramData\Sophos\Endpoint Defense\Logs\ssp.log"

    With Debug logging they fill/rotate quickly, so after the test I would change them back to defaults straight away.

    In the SSP.log I see the result of the DLP scan:

    2023-08-04T17:17:47.368Z [ 2480:65288] D Received reply message: {"metadata":{"isFiltered":false,"returnedResults":1,"sfsConfigHash":"6528fc873559f59cabd769ce69ba6cded4f1af488aafbb040de4d80d7852bc8c","totalResults":1,"uniquePaths":1},"results":[{"analyzers":{"dlp":[[{"ccl":"My test content CCL","matches":1,"score":1,"triggered":true}]]},"path":"C:/Users/Administrator/Desktop/test.txt","tftClassifications":[{"description":"ASCII text / 8-bit Unicode Transformation Format","group":"Plain text","name":"TFT/UTF8-A","threatLevel":2,"typeId":"ASCII/UTF-8"},{"description":"TEXT","group":"TEXT","name":"TEXT","threatLevel":0,"typeId":"TEXT"}]}]}

    In the SSP.log, all lines related to DLP contain the string:

    [DLP]

    I hope that helps.
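    The reply line quoted above carries the DLP verdict as JSON, so checking whether a CCL fired can be automated rather than read by eye. The added example below (not from the post author or from Sophos) parses "Received reply message" lines from ssp.log and reports, per scanned path, which CCLs the dlp analyzer marked as triggered. The line layout (timestamp, [pid:tid], severity letter, message) and the JSON key layout are inferred from the single line in the thread; the second and third sample lines are constructed here and are not real log output.

```python
import json
import re

# Layout inferred from the one ssp.log line quoted in the thread:
# ISO timestamp, "[ pid:tid]", a one-letter severity, then the message.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) \[\s*(?P<pid>\d+):(?P<tid>\d+)\] (?P<level>\S) (?P<msg>.*)$"
)
REPLY_PREFIX = "Received reply message: "

# First line is the real one from the thread; the other two are constructed
# (a non-triggered scan of a second file and an unrelated [DLP] status line).
SAMPLE_LOG = """\
2023-08-04T17:17:47.368Z [ 2480:65288] D Received reply message: {"metadata":{"isFiltered":false,"returnedResults":1,"sfsConfigHash":"6528fc873559f59cabd769ce69ba6cded4f1af488aafbb040de4d80d7852bc8c","totalResults":1,"uniquePaths":1},"results":[{"analyzers":{"dlp":[[{"ccl":"My test content CCL","matches":1,"score":1,"triggered":true}]]},"path":"C:/Users/Administrator/Desktop/test.txt","tftClassifications":[{"description":"ASCII text / 8-bit Unicode Transformation Format","group":"Plain text","name":"TFT/UTF8-A","threatLevel":2,"typeId":"ASCII/UTF-8"},{"description":"TEXT","group":"TEXT","name":"TEXT","threatLevel":0,"typeId":"TEXT"}]}]}
2023-08-04T17:18:02.101Z [ 2480:65288] D Received reply message: {"metadata":{"isFiltered":false,"returnedResults":1,"sfsConfigHash":"CONSTRUCTED-HASH-PLACEHOLDER","totalResults":1,"uniquePaths":1},"results":[{"analyzers":{"dlp":[[{"ccl":"My test content CCL","matches":0,"score":0,"triggered":false}]]},"path":"C:/Users/Administrator/Desktop/clean.txt","tftClassifications":[]}]}
2023-08-04T17:18:02.102Z [ 2480:65288] D [DLP] constructed status line, not a scan reply
"""

def parse_reply(line):
    """Return the decoded JSON from a 'Received reply message' line, else None."""
    m = LOG_LINE.match(line)
    if not m or not m.group("msg").startswith(REPLY_PREFIX):
        return None
    return json.loads(m.group("msg")[len(REPLY_PREFIX):])

def dlp_hits(reply):
    """Yield (path, ccl_name, matches) for each CCL the dlp analyzer reports as triggered."""
    for result in reply.get("results", []):
        path = result.get("path")
        # In the quoted line the dlp analyzer value is a list of lists of verdicts.
        for verdict_group in result.get("analyzers", {}).get("dlp", []):
            for verdict in verdict_group:
                if verdict.get("triggered"):
                    yield path, verdict["ccl"], verdict.get("matches", 0)

def summarize(log_text):
    """Map each scanned path to the list of CCL names that triggered on it."""
    hits = {}
    for line in log_text.splitlines():
        reply = parse_reply(line)
        if reply is None:
            continue
        for path, ccl, _matches in dlp_hits(reply):
            hits.setdefault(path, []).append(ccl)
    return hits

if __name__ == "__main__":
    for path, ccls in summarize(SAMPLE_LOG).items():
        print(f"{path}: triggered {', '.join(ccls)}")
```

    Run against a real ssp.log captured at debug level, the summary tells you whether the scan saw the file and whether any CCL fired, which separates a content-matching problem from a problem later in the policy or prompt path.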

  • Hello, and sorry for the delay in response.

    I finally managed to get the alerts working after deleting everything I had done and starting over from scratch. However, I proceeded differently this time. I only created my list, and then from the policy section, I created my rule, and it worked as I intended.

    Thank you for your help!