This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Data Control Policy - security hole?

I have created a new data control policy where destination is optical or removal storage, allow transfer and log event and for any of the default files. The policy works to a degree however there are some interesting results.

I have two excel doc's, now if I open doc A and file save as to the removable media nothing gets logged nor do I receive a triggered email? on the client this doesn't even register that an event had taken place? and in the sec console nothing?

If I drag & drop doc B to the removable storage bingo, events are logged both on the client and sec console and I receive my triggered email.

I have sent Sophos all the information, diag logs and even the XML policy however  still no joy?

:23167


This thread was automatically locked due to age.
Parents
  • Hi nerohero,

    As QC describes the behaviour you are experiencing is as designed as we only hook the explorer process for monitoring writes to storage devices. This decision was made to minimize the impact on system stability but I agree it would be preferable for the solution to log all writes to removable storage or optical media no matter what the source when in audit only mode.

    When a request user authorization or block action is specified within a rule then all writes to removable storage or optical media that don't originate from explorer are blocked.

    I've raised a feature request to request a change to the solution for audit only mode.

    Best regards,

    John 

    Product Manager

    :23375
Reply
  • Hi nerohero,

    As QC describes the behaviour you are experiencing is as designed as we only hook the explorer process for monitoring writes to storage devices. This decision was made to minimize the impact on system stability but I agree it would be preferable for the solution to log all writes to removable storage or optical media no matter what the source when in audit only mode.

    When a request user authorization or block action is specified within a rule then all writes to removable storage or optical media that don't originate from explorer are blocked.

    I've raised a feature request to request a change to the solution for audit only mode.

    Best regards,

    John 

    Product Manager

    :23375
Children
No Data