This discussion has been locked.

Sophos DLP not blocking transfer to USB

Hi All,

Having a real issue around a DLP policy I am trying to create. For context we do quite a bit of business with government organizations (hence I have had to redact some of these screenshots) and as such have a lot of sensitive data on site. My hope was to use keywords or 'terms' to create a list of all confidential terms and block any documents that contain these terms from leaving our devices.

I've set up a Custom Content Rule Configuration as follows:

If a document contains any of the listed terms it should block the user from transferring that document and data to all available destinations (Internet Browser, Email Client, IM, etc.).

All the policy currently does is block me from deleting a document off a USB, but for some reason it does allow me to place the document on the USB in the first place. As the destination was a storage device, this operation should have been blocked if the Policy was configured correctly, but that is not the case. If I use the 'save as' function and choose an external storage device then the action is blocked from within Word etc., but not when I copy and paste or drag and drop the file in File Explorer from an internal storage location to an external one.

I'm really confused by this. Why would this only stop me from deleting a file on the USB when the USB is not the destination as per the DLP ruling (in this example the recycle bin on the PC would be the destination) but it does not make any attempts to stop me moving files to the USB destination (this is the whole point of the DLP policy above, I would have thought)?

I have tested this by transferring Word, Excel and Notepad documents to both email and USB and none of these files have been blocked, but again, the only control I can see that has been implemented is it does not let me use the save as function to save externally nor delete a file off a USB (I can still delete these on the local PC, just not the USB). This seems really limiting and I wanted to know whether this is an issue with my configuration or the Sophos DLP policies' functionality.

Any help with this is greatly appreciated! 

Thanks 

James Green



  • Morning Gladys and thank you for your prompt response!

    I have looked in the DLP Events Log and nothing shows.

    I have also checked the REG key file and the only file that seemed to show a value of 1 was the "data_control_enabled" file in folder 20230810121318387342.

    When I go on Overview>Endpoint Protection Dashboard> Computers> "My PC" the policy is listed as an active policy but I'm guessing this is not properly deploying to the endpoint. Any advice why this is taking place? Other policies such as peripheral management seem to work fine.

    Another thing to note, now even the protection from deleting the file when it is stored on USB does not seem to work.

    Thanks again :)

  • One extra thing to note, I get the below events when trying to 'Save As' the file to an external storage location.

    This is the only function that I can see working as intended.

    Thanks

  • Hi,

    Thanks for checking these logs. In this case, I suggest recreating the policy and seeing if it makes any difference. If it still doesn't work after recreating the policy, please log a support case and submit the SDU logs for further investigation.

    You can also share the Case ID here once you have one, so we can monitor internally.


    Gladys Reyes
    Global Community Support Engineer
  • Hi,

    Thanks for your help with this, I have deleted the policy and started again, this time using users rather than devices, and I'm still getting the same error unfortunately.

    I have raised support case 06904122 to get this looked into further.

    Thanks