
Data Control and Outlook 2007

I have a case open with Tech Support on this issue, but unfortunately, my confidence is low on a resolution.  They are unable to replicate my issue.  I have exported all of my Data Control rules, files involved, etc.  They just don't see the problem.

The problem is this:  I have a sample file with all of the triggers known to mankind for triggering Data Control.  And it works perfectly whenever I copy the file to an external storage device such as a USB Drive or SD Card.  Works great.

But, I can open up an email and send this same file as an attachment without any detection whatsoever.  I've replicated this on two different machines in my environment.  One XP.  One Windows 7.  Using Outlook 2007.  Using Outlook Express.  Running Outlook in Safe Mode.  Copied from a local disk or network share.

The program is essentially useless if you can email confidential documents undetected like some kind of virtual Maginot Line.  I'd love some suggestions or feedback that might point me to a solution, since I'm probably going to have to figure this out myself.



  • Fine that the problem is identified. And before I go into an attempted explanation ... What I can't believe is that numerous Sophos technicians are putting me through all sorts of tests - you can always send feedback to Support and you should do so. Of course they should know, but as part of me heads a support group I understand the situation. Nevertheless your time has been wasted and you should state this (next time ask me first :smileyvery-happy: ... :smileywink:) 

    DLP is tricky - and most of us never thought much about how it really works (and expect kinda magic although we know better about IT). Now here's what I think I understand so far:

    Destination

    As of now there are two distinct groups of destinations: Storage and Applications. If you are content with the Explorer-only restriction Storage is no problem. If you turn on storage monitoring DLP only permits one application to open for write to the device - Explorer. All other applications are denied access. DLP knows how to figure out what Explorer is about to do and thus can "easily" apply the rules.  

    Applications is a different matter. There's one application DLP is confident about: Explorer - the rest is rather arcane. All DLP can do is watch for OPEN requests. As there are no file system semantics for OPEN_AS_SEND_ATTACHMENT or OPEN_FOR_BROWSER_UPLOAD (and if there were, applications would attempt to do without them) it's guesswork. So DLP relies on the AV scanner to get notified of opens. Then it has to determine the application requesting the open. After that it gets messy - using the file: scheme a browser can potentially open any file. An email client opens an attachment just to display it - how could DLP know what the program is about to do? So it has to use heuristics to do the right thing.

    There are also completely uncovered destinations like tethered connections (iTunes) or esoteric file systems. Your only choice in this case is not to use them.

    Exemptions

    Quite simple - your email client naturally uses an address book. This likely contains data which would trigger a PII rule. DLP of course can't know whether the application opens the file just to let you select a recipient or to attach it to an outgoing message. There are heuristics - if they err your application might not work. As Sophos is about protection and not absolute-security-before-everything-else-and-above-all, certain locations known to contain an application's configuration and data store are exempted.

    I have requested the exempted locations to be reviewed (as I've stumbled over Downloads) and John Stringer has promised it.

    I hope it is clearer now.

    Disclaimer: I'm not defending Sophos - client-side interception generally has its limits and if any of the vendors had found a solution to the "put your pants on all legs at the same time if you are a spider" problem we would already have heard.

    Christian

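The reply above describes three things a client-side DLP agent has to juggle on every file OPEN it sees: the destination class (storage vs. application vs. not monitored at all), which process issued the open and whether a heuristic exists for it, and whether the path sits in an exempted location. The following Python model, added here as an illustration and not code from Sophos or from anyone in this thread, puts those three checks in one decision function and then lists the events that carried rule-matching content but were still allowed. That list is what a defender wants when testing a Data Control rule set against the cases the original poster tried (Explorer copy to USB, email attachment, an unmonitored destination). The content patterns, exempt paths, process names and sample events are all constructed for the example; none of them are Sophos' rule syntax or exemption list.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Toy content rules (constructed for this example, not a real DLP rule syntax).
CONTENT_RULES = {
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_like": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}

# Hypothetical exempted locations. The post only says that application
# configuration/data stores and the Downloads folder were exempt.
EXEMPT_PREFIXES = (
    PureWindowsPath(r"C:\Users\alice\AppData"),
    PureWindowsPath(r"C:\Users\alice\Downloads"),
)

# Processes for which this model has an "attach/upload" heuristic (assumed set).
APPS_WITH_HEURISTIC = {"outlook.exe", "firefox.exe"}


@dataclass
class OpenEvent:
    process: str      # image name of the process issuing the open
    path: str         # file being opened
    write: bool       # open-for-write (copy onto a device) vs. read
    destination: str  # "storage", "application" or "uncovered"
    content: str      # file contents as the scanner sees them


def matching_rules(content):
    """Names of content rules that fire on this content, sorted for stable output."""
    return sorted(name for name, rx in CONTENT_RULES.items() if rx.search(content))


def is_exempt(path):
    """True if path lies inside an exempted prefix (Windows paths compare case-insensitively)."""
    p = PureWindowsPath(path)
    return any(prefix == p or prefix in p.parents for prefix in EXEMPT_PREFIXES)


def evaluate(ev):
    """Return (decision, reason); decision is 'allow', 'block' or 'deny'."""
    hits = matching_rules(ev.content)
    if ev.destination == "uncovered":
        return "allow", "destination is not monitored at all"
    if ev.destination == "storage":
        # Storage monitoring: only Explorer may open the device for write,
        # and Explorer's writes are checked against the content rules.
        if ev.write and ev.process.lower() != "explorer.exe":
            return "deny", "storage monitoring permits only Explorer to write"
        if ev.write and hits:
            return "block", "content rule(s) matched: " + ", ".join(hits)
        return "allow", "no content rule matched"
    # Application destination: exemptions first, then per-application heuristics.
    if is_exempt(ev.path):
        return "allow", "path is in an exempted location"
    if ev.process.lower() not in APPS_WITH_HEURISTIC:
        return "allow", "no heuristic for this application; open treated as a plain read"
    if hits:
        return "block", "heuristic for %s fired: %s" % (ev.process, ", ".join(hits))
    return "allow", "no content rule matched"


def coverage_gaps(events):
    """Events whose content matched a rule yet were allowed: the rule-test report."""
    return [(ev.process, ev.path, evaluate(ev)[1])
            for ev in events
            if matching_rules(ev.content) and evaluate(ev)[0] == "allow"]


SAMPLE = "Employee record: SSN 123-45-6789"  # constructed sample content
EVENTS = [  # constructed sample events
    OpenEvent("explorer.exe", r"E:\copy\record.txt", True, "storage", SAMPLE),
    OpenEvent("notepad.exe", r"E:\copy\record.txt", True, "storage", SAMPLE),
    OpenEvent("outlook.exe", r"C:\work\record.txt", False, "application", SAMPLE),
    OpenEvent("outlook.exe", r"C:\Users\alice\Downloads\record.txt", False, "application", SAMPLE),
    OpenEvent("oldmail.exe", r"C:\work\record.txt", False, "application", SAMPLE),
    OpenEvent("itunes.exe", r"C:\work\record.txt", False, "uncovered", SAMPLE),
]

if __name__ == "__main__":
    for ev in EVENTS:
        decision, reason = evaluate(ev)
        print("%-5s %-13s %s -> %s" % (decision, ev.process, ev.path, reason))
    print("gaps:", coverage_gaps(EVENTS))
```

Running the block prints one line per event and then the gap list; with the sample events, the exempted Downloads path, the process without a heuristic and the unmonitored destination are the three allowed opens that carried matching content. Swapping in your own exempt prefixes, process names and sample files turns `coverage_gaps` into a quick check of which of your test cases a policy of this shape can never see, independent of what the content rules say.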