Data Control and Outlook 2007

Fine that the problem is identified. And before I go into an attempted explanation ... What I can't believe is that numerous Sophos technicians are putting me through all sorts of tests - you can always send feedback to Support and you should do so. Of course they should know, but as part of me heads a support group I understand the situation. Nevertheless your time has been wasted and you should state this (next time ask me first :smileyvery-happy: ... :smileywink:) 

DLP is tricky - and most of us never thought much about how it really works (and expect kinda magic although we know better about IT). Now here's what I think I understand so far:

Destination

As of now there are two distinct groups of destinations: Storage and Applications. If you are content with the Explorer-only restriction Storage is no problem. If you turn on storage monitoring DLP only permits one application to open for write to the device - Explorer. All other applications are denied access. DLP knows how to figure out what Explorer is about to do and thus can "easily" apply the rules.  

Applications is a different matter. There's one application DLP is confident about: Explorer.- the rest is rather arcane. All DP can do is watch for OPEN requests. As there are no file system semantics for OPEN_AS_SEND_ATTACHMENT or OPEN_FOR_BROWSER_UPLOAD (and if there were applications would attempt to do without them) it's guesswork. So DLP relies on the AV scanner to get notified of opens. Then it has to determine the application requesting the open. After that it gets messy - using the file: scheme a browser can potentially open any file. An email client opens an attachment just to display it - how could DLP know what the program is about to do? So it has to use heuristics to do the right thing.

There are also completely uncovered destinations like tethered connections (iTunes) or esoteric file systems. Your only choice in this case is not to use them.

Exemptions

Quite simple - your email client naturally uses an address book. This likely contains data which would trigger a PII rule. DLP of course can't know whether the application opens the file just to let you select a recipient or to attach it to an outgoing message. There are heuristics - if they err your application might not work. As Sophos is about protection and not absolute-security-before-everything-else-and-above-all certain locations known to contain a applications' configuration and data store are exempted. 

I have requested the exempted locations to be reviewed (as I've stumbled over Downloads) and John Stringer has promised it.

I hope it is clearer now.

Disclaimer: I'm not defending Sophos - client-side interception generally has its limits and if any of the vendors would have found a solution to the "put your pants on all legs at the same time if you are a spider" problem we would already have heard.

Christian

Fine that the problem is identified. And before I go into an attempted explanation ... What I can't believe is that numerous Sophos technicians are putting me through all sorts of tests - you can always send feedback to Support and you should do so. Of course they should know, but as part of me heads a support group I understand the situation. Nevertheless your time has been wasted and you should state this (next time ask me first :smileyvery-happy: ... :smileywink:) 

DLP is tricky - and most of us never thought much about how it really works (and expect kinda magic although we know better about IT). Now here's what I think I understand so far:

Destination

As of now there are two distinct groups of destinations: Storage and Applications. If you are content with the Explorer-only restriction Storage is no problem. If you turn on storage monitoring DLP only permits one application to open for write to the device - Explorer. All other applications are denied access. DLP knows how to figure out what Explorer is about to do and thus can "easily" apply the rules.  

Applications is a different matter. There's one application DLP is confident about: Explorer.- the rest is rather arcane. All DP can do is watch for OPEN requests. As there are no file system semantics for OPEN_AS_SEND_ATTACHMENT or OPEN_FOR_BROWSER_UPLOAD (and if there were applications would attempt to do without them) it's guesswork. So DLP relies on the AV scanner to get notified of opens. Then it has to determine the application requesting the open. After that it gets messy - using the file: scheme a browser can potentially open any file. An email client opens an attachment just to display it - how could DLP know what the program is about to do? So it has to use heuristics to do the right thing.

There are also completely uncovered destinations like tethered connections (iTunes) or esoteric file systems. Your only choice in this case is not to use them.

Exemptions

Quite simple - your email client naturally uses an address book. This likely contains data which would trigger a PII rule. DLP of course can't know whether the application opens the file just to let you select a recipient or to attach it to an outgoing message. There are heuristics - if they err your application might not work. As Sophos is about protection and not absolute-security-before-everything-else-and-above-all certain locations known to contain a applications' configuration and data store are exempted. 

I have requested the exempted locations to be reviewed (as I've stumbled over Downloads) and John Stringer has promised it.

I hope it is clearer now.

Disclaimer: I'm not defending Sophos - client-side interception generally has its limits and if any of the vendors would have found a solution to the "put your pants on all legs at the same time if you are a spider" problem we would already have heard.

Christian