This article gives an overview of Data Leakage Protection (DLP), content control and Content Control Lists (CCLs), and explains how to create and update lists of controlled content.
The following sections are covered:
Known to apply to the following Sophos product(s) and version(s): Sophos Endpoint Security and Control, Sophos Email Appliance, Sophos UTM Manager, Sophos Central Admin, Sophos Firewall
The following products allow CCLs to be configured:
A Content Control List (CCL) identifies specific items of text-based information within a structured or unstructured document or data flow. It may be designed to identify a single information type, for example a postal address, or it might identify combinations of information such as Person or banking identifiers with contact details [Australia]. CCLs are used in a range of Sophos products to provide data protection features such as Data Control, DLP, and automated encryption.
SophosLabs Predefined Content Control Lists (PCCLs) provide expert definitions for common financial, medical and personally identifiable data types, for example, Credit or debit card numbers [Global], Social Security Numbers [USA], Postal addresses [Brazil], or Email addresses [Global]. To provide enhanced accuracy, the predefined CCLs use a range of advanced techniques such as checksums, fuzzy logic and contextual scoring.
Predefined CCLs are ideal for information types used across many organisations on perhaps a global, regional or industry sector basis such as credit card numbers, UK postal codes or standardised medical patient forms.
Several Sophos products provide the ability to create your own custom Content Control List to identify information types that might, for example, be unique to your organisation, or to create alternatives to our Predefined CCLs tailored to your needs.
Note: For technical and other reasons we are not able to provide source code of our Predefined CCLs for you to adapt or extend.
A common cause of reports is the use of artificially generated data when testing DLP functionality. We put a lot of research and effort into not detecting items that merely look like what is being searched for. Artificial test data is therefore often not realistic enough for us to detect.
For example, we are sometimes contacted about a failure to detect test credit card numbers. This is typically because the artificial card numbers have invalid check digits, invalid start digits, or spacing that is incorrect for the brand of card.
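The three problems named above can be checked on test data before it is used in a DLP test. The following Python checker is an added example, not Sophos code and not the detection logic of the Predefined CCLs; the brand table is a simplified subset (an assumption for illustration) and the sample numbers are widely published test values or deliberately broken variants of them.

```python
import re

# Simplified subset of card brands: issuer start digits and printed grouping.
# (Assumption for illustration; real brands have more ranges and lengths.)
BRANDS = {
    "visa": (r"4", (4, 4, 4, 4)),
    "mastercard": (r"5[1-5]", (4, 4, 4, 4)),
    "amex": (r"3[47]", (4, 6, 5)),
}

def luhn_ok(digits):
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def diagnose(candidate):
    """Return the reasons a test number is not realistic; [] means plausible."""
    parts = re.split(r"[ -]", candidate.strip())
    digits = "".join(parts)
    if not (digits.isascii() and digits.isdigit()):
        return ["contains non-digit characters"]
    brand = next((n for n, (p, _) in BRANDS.items() if re.match(p, digits)), None)
    if brand is None:
        return ["start digits do not match a known brand"]
    groups = BRANDS[brand][1]
    reasons = []
    if len(digits) != sum(groups):
        reasons.append(f"wrong length for {brand}")
    elif len(parts) > 1 and tuple(len(p) for p in parts) != groups:
        reasons.append(f"spacing does not match {brand} grouping")
    if not luhn_ok(digits):
        reasons.append("invalid check digit")
    return reasons

if __name__ == "__main__":
    # Constructed samples: published test numbers and deliberately broken variants.
    for sample in ["4111 1111 1111 1111", "4111 1111 1111 1112",
                   "9111 1111 1111 1111", "3782 8224 6310 005"]:
        print(sample, "->", diagnose(sample) or "plausible")
```

An empty result only means the number passes these three structural checks; it does not predict whether a given PCCL will detect it.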
Predefined CCLs are supplied with a default Quantity setting which will suit most but not all environments. Therefore, most Sophos DLP-enabled products provide a means to adjust the Quantity setting to suit your sensitivity requirements or the nature of your document content. See your product documentation for how to do this. Quantity setting adjustment is not yet available on the XG & UTM.
Note: The Quantity setting for a PCCL is not necessarily a one-to-one relationship with the number of text string matches required to cause a PCCL detection. Not all matched information is of equal importance, so think of this setting as more of a sensitivity dial than as an absolute count.
To view the default quantity setting on the UTM and XG:
We often also provide a range of PCCL variants to either match how information is formatted in your organization, or to better suit high sensitivity or high accuracy requirements. For example, we have a range of PCCLs for USA Social Security Numbers:
If CCLs are failing to detect information (false negative), detecting information that they should not (false positive), or not behaving in a correct manner, contact Sophos Support (see Requesting CCL support) with the required details and sample documents.
Note: Perceived detection failures are often due to the information being corrupt, such as a missing digit in a credit card number, invalid check digits or fake ID numbers, or due to artificially created test data that is not quite valid (see "Why is CCL failing our tests?").
For information types that exist across many organizations, contact Sophos Support (see Requesting CCL support) to request the creation of a new Predefined CCL. That way, all customers will benefit from the full range of detection technology that is only available in Predefined CCLs.
If you need coverage for a country that we do not currently support, or only partially support, then contact Sophos Support (see Requesting CCL support) to request the creation of a new Regional CCL Set.
If the information to be detected is specific to just your organization or otherwise very specialized, then consider creating a Custom CCL.
Depending on which product you are using, the procedure is different:
Advanced custom CCL creation and editing is available on some products:
This depends on the product being used:
Contact Sophos Support to raise CCL issues with the appropriate information below.
In all cases:
Issues with existing Predefined CCLs:
For new Predefined CCL requests:
For new regional coverage, you will be supplied with a data gathering form.