This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos DLP not blocking transfer to USB not blocked

Hi All,

Having a real issue around a DLP policy I am trying to create. For context we do quite a bit of business with government organizations (hence I have had to redact some of these screenshots) and as such have a lot of sensitive data on site. My hope was to use keywords or 'terms' to create a list of all confidential terms and block any documents that contain these terms from leaving our devices.

I've setup a Custom Content Rule Configuration as follows:

If a document contains any of the listed terms it should block the user from transferring that document and data to all available destinations, (Internet Browser, Email Client, IM etc)

All the policy currently does is block me from deleting a document off a USB, but for some reason it does allow me to place the document on the USB in the first place. As the destination was a storage device this operation should have been blocked if the Policy was configured correctly but that is not the case. If I use the 'save as' function and choose an external storage device then the action is blocked from within word etc but not when I copy and paste or drag and drop the file in file explorer from an internal storage location to an external one.

I'm really confused by this. Why would this only stop me from deleting a file on the USB when the USB is not the destination as per the DLP ruling (in this example the recycle bin on the PC would be the destination) but it does not make any attempts to stop to me moving files to the USB destination (this is the whole point of the DLP policy above I would have thought).

I have tested this by transferring word, excel and notepad documents to both email and USB and non of these files have been blocked but again, the only control I can see that has been implemented is it does not let me use the save as function to save externally nor delete a file off a USB (I can still delete these on the local PC, just not the USB). This seems really limiting and I wanted to know whether this is an issue with my configuration or the Sophos DLP policies functionality.

Any help with this is greatly appreciated!

Thanks

James Green

This thread was automatically locked due to age.

0 Gladys over 1 year ago

Hi James Green ,

Thank you for reaching out to the Sophos Community Forum.

Are you applying the policy to Windows devices? Can you please check the DLP Events Log if you can find any generated event relevant to the file transfer?

I suggest checking the affected devices to confirm if the policy has been received.

You may also check the following registry location to verify that the DLP rules are applied.
- HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\DataControl

Gladys Reyes

Global Community Support Engineer
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 James Green over 1 year ago in reply to Gladys

Morning Gladys and thank you for your prompt response!

I have looked in the DLP Events Log and nothing shows.

I have also checked the REG key file and I the only file that seemed to show a value of 1 was the "data_control_enabled" file in folder 20230810121318387342

When i go on Overview>Endpoint Protection Dashboard> Computers> "My PC" the policy is listed as an active policy but I'm guessing this is not properly deploying to the endpoint. Any advice why this is taking place? Other polices such as peripheral management seem to work fine.

Another thing to note, now even the protection from the deleting the file when it is stored on USB does not seem to work.

Thanks again :)
Cancel
Vote Up 0 Vote Down

Cancel
0 James Green over 1 year ago in reply to James Green

One extra thing to note, I get the below events when trying to 'Save As' the file to an external storage locations

This is the only function that I can see working as intended.

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 Gladys over 1 year ago in reply to James Green

Hi James Green ,

Thanks for checking these logs. In this case, I suggest recreating the policy and see if it makes any difference. If it still doesn't work after recreating the policy, please log a support case and submit the SDU logs for further investigation.

You can also share the Case ID here once you have one, so we can monitor internally.

Gladys Reyes

Global Community Support Engineer
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 James Green over 1 year ago in reply to Gladys

Hi Gladys ,

Thanks for your help with this, I have deleted the policy and started again this time using users rather devices and I'm still getting the same error unfortunately.

I have raised support case 06904122 to get this looked into further.

Thanks
Cancel
Vote Up 0 Vote Down

Cancel