
Sophos DLP not blocking transfer to USB

Hi All,

Having a real issue around a DLP policy I am trying to create. For context, we do quite a bit of business with government organizations (hence I have had to redact some of these screenshots) and as such have a lot of sensitive data on site. My hope was to use keywords or 'terms' to create a list of all confidential terms and block any documents that contain these terms from leaving our devices.

I've set up a Custom Content Rule Configuration as follows:

If a document contains any of the listed terms, it should block the user from transferring that document and data to all available destinations (Internet Browser, Email Client, IM, etc.).

All the policy currently does is block me from deleting a document off a USB, but for some reason it does allow me to place the document on the USB in the first place. As the destination was a storage device, this operation should have been blocked if the policy was configured correctly, but that is not the case. If I use the 'Save As' function and choose an external storage device, then the action is blocked from within Word etc., but not when I copy and paste or drag and drop the file in File Explorer from an internal storage location to an external one.

I'm really confused by this. Why would this only stop me from deleting a file on the USB when the USB is not the destination as per the DLP ruling (in this example the recycle bin on the PC would be the destination), but it does not make any attempt to stop me moving files to the USB destination (this is the whole point of the DLP policy above, I would have thought)?

I have tested this by transferring Word, Excel and Notepad documents to both email and USB and none of these files have been blocked, but again, the only control I can see that has been implemented is that it does not let me use the 'Save As' function to save externally nor delete a file off a USB (I can still delete these on the local PC, just not the USB). This seems really limiting and I wanted to know whether this is an issue with my configuration or the Sophos DLP policy's functionality.

Any help with this is greatly appreciated!


James Green
