
Re: Data control scenario question

I have been playing around this afternoon with the data control policy. Managed to get a rule configured to block all file types apart from .7z to prevent the transfer of data via email and removable storage. 

Sophos is blocking the transfer of data onto a usb stick unless it's in a 7zip format which is good. But it's not blocking any email attachments that I am adding to the Office 2007 Outlook client. I can send any format out and Sophos doesn't prevent this.

Anyone have any ideas on how to fix this? 

:15443


  • Hello RogueViper,

    Care to share your rules? If I understand you correctly you want them in 7z password protected format. Note that file type is not the same as extension (see here under true file type). Now as far as I can see there is no rule which lets you identify an encrypted archive (not considering the strength of the encryption method) and also while there's an archive file type there's no way to select or exclude specific ones.

    Re: Outlook - as you are working with file rules (as opposed to content rules) turning on verbose logging should give you a No rules matched message when the transfer has been detected but not blocked. If you don't get an entry at all please contact Support. I've an open case concerning browser upload which is still under investigation.

    BTW - I did some tests and encountered scanning errors for files packed with 7-Zip (whether 7z or PK format) - the result is that data transfer is permitted (I'm still thinking about it - right now this is the same behaviour as with the AV scanner where it is probably better not to block in case of an error. But when it comes to DLP - isn't block the desired behaviour?).

    Christian

    :15481
  • The rule is:

        For any file
        where the file type is
            Archive
            or Audio
            or Container
            or Database
            or Design
            or Disk container
            or Document
            or Encryption
            or Encryption - Sophos
            or Executable
            or Image
            or Information Rights Management
            or Interactive Media
            or Mail
            or Media Container
            or Medical image formats
            or Object code
            or Office password protected
            or Plain text
            or Presentation
            or Science/Engineering
            or Script/Markup
            or Spreadsheet
            or Video
            or Virtualization Container,
        and where the destination is
            Removable Storage
            or Outlook,
        and excluding .7z,
        Block transfer.

    I don't think this policy will work particularly well at the endpoint level, as the .7z format is just an archive format and not a dedicated encryption format. Therefore you could bypass the rules by using 7zip but not bothering to encrypt it. We are considering looking at the Sophos Appliance solution instead now so we can have a complete data loss prevention for email by forcing the encryption of sensitive information and attachments.

    :15487
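The rule quoted in the post above, re-created as an added Python example (not Sophos code and not the poster's): the blocked type families, the two destinations and the .7z exclusion are copied from the rule as written; type detection by magic bytes is a stand-in for the product's true-file-type engine, and the order of checks (destination, then exclusion, then type family) is an assumption. Run on constructed sample bytes, it shows the gap the poster points out: anything named .7z is excluded before its content is ever examined, so an unencrypted archive passes exactly like an encrypted one.

```python
"""Toy re-creation of the file rule above (added example, not Sophos code)."""
import io
import os
import zipfile

# Type families exactly as listed in the rule.
BLOCKED_TYPES = {
    "Archive", "Audio", "Container", "Database", "Design", "Disk container",
    "Document", "Encryption", "Encryption - Sophos", "Executable", "Image",
    "Information Rights Management", "Interactive Media", "Mail",
    "Media Container", "Medical image formats", "Object code",
    "Office password protected", "Plain text", "Presentation",
    "Science/Engineering", "Script/Markup", "Spreadsheet", "Video",
    "Virtualization Container",
}
DESTINATIONS = {"Removable Storage", "Outlook"}
EXCLUDED_EXTENSIONS = {".7z"}

# Stand-in "true file type" detection: a handful of magic-byte signatures
# (assumption: the real engine knows far more families than these).
SIGNATURES = [
    (b"7z\xbc\xaf\x27\x1c", "Archive"),   # 7-Zip container
    (b"PK\x03\x04", "Archive"),           # ZIP, which is what a .docx is underneath
    (b"%PDF-", "Document"),
    (b"MZ", "Executable"),
]


def true_file_type(data: bytes) -> str:
    """Classify by content, not by name; unknown binary data is 'Unknown'."""
    for magic, family in SIGNATURES:
        if data.startswith(magic):
            return family
    try:
        data.decode("utf-8")
        return "Plain text"
    except UnicodeDecodeError:
        return "Unknown"


def evaluate(filename: str, data: bytes, destination: str):
    """Return ('block' | 'allow', reason). Assumed order: destination, exclusion, type."""
    if destination not in DESTINATIONS:
        return ("allow", "destination not covered")
    if os.path.splitext(filename)[1].lower() in EXCLUDED_EXTENSIONS:
        # The exclusion is by name: the bytes are never inspected, so whether
        # the 7z archive is encrypted makes no difference to the outcome.
        return ("allow", "excluded extension")
    family = true_file_type(data)
    return ("block", family) if family in BLOCKED_TYPES else ("allow", family)


def build_docx_like() -> bytes:
    """Constructed sample: a minimal ZIP with the layout of a .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document>Sort Code - 521051</w:document>")
    return buf.getvalue()


# Constructed sample: just the 7z signature header, not a valid archive.
SEVEN_ZIP_SAMPLE = b"7z\xbc\xaf\x27\x1c" + b"\x00\x04" + b"\x00" * 24

if __name__ == "__main__":
    docx = build_docx_like()
    for name, data, dest in [
        ("Bob Smith.docx", docx, "Removable Storage"),
        ("Bob Smith.7z", SEVEN_ZIP_SAMPLE, "Removable Storage"),
        ("Bob Smith.7z", SEVEN_ZIP_SAMPLE, "Outlook"),
        ("notes.txt", b"Sort Code - 521051", "Outlook"),
        ("notes.txt", b"Sort Code - 521051", "Local disk"),
    ]:
        print(f"{name:16} -> {dest:18}: {evaluate(name, data, dest)}")
```

The toy reports a .docx as Archive because it only sees the ZIP signature; the point it makes is about the exclusion, which is evaluated on the file name alone and therefore cannot distinguish an encrypted 7z from a plain one, matching Christian's remark that no rule identifies an encrypted archive.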
  • Hi RogueViper,

    That rule should work. I'd advise turning on verbose logging within the data control policy and that should provide a clearer picture of what is going on. It is probably also worth logging a support call with Sophos so we can look into the issue in more detail.

    BTW I agree with your decision to look at the email appliance. It covers all outbound email (rather than just Outlook attachments on the endpoint) and is a more robust DLP / encryption solution for email.

    Best regards,

    John

    DLP Product Manager

    :15687
  • Very similar circumstance. Just started playing with this neat feature. Created a group and put just myself in it. I exported a sample rule here:

    </rules>

    <?xml version="1.0" encoding="utf-16" ?>
    <contentRule action="overridableBlock" ruleRevisionId="728729f1-040a-4757-8656-5551c5e3026d" name="Bank routing numbers with qualifying terms" comment="Identify files containing ten or more bank routing numbers (American Banking Association and sort codes) with qualifying phrase.">
      <excludeFile name="ReadyBoost.sfcache" />
      <destination>
        <device type="floppyDrive" />
        <device type="opticalDrive" />
        <device type="removableStorage" />
        <uploadApp value="Outlook" />
        <uploadApp value="Outlook Express" />
        <uploadApp value="Windows Mail" />
      </destination>
      <contentReferenceSet />
      <predefinedContentReferenceSet>
        <content name="BankroutingnumberswithqualifyingtermsGlobal" quantity="1" />
      </predefinedContentReferenceSet>
    </contentRule>
    <contentConditions />

    The takeaway on this is that I discovered that Sophos and Readyboost are incompatible. Even if I exclude the file name, Sophos blocks the usage of Readyboost. And I just bought an SD card to take advantage of it. The other takeaway is that Data control does indeed prompt and block with a sample document if I try to save to a usb drive - but does nothing when emailing it. Here's the DOC:

    Bob Smith

    Bank account details – 31926819
    Sort Code – 521051

    Mastercard card – 5487 5489 5225 6554

    Expires End – 11/12/12

    CCV – 875

    123-45-6789

    Note that I included 3 out of the 4 email clients in the rule.  Here's some log:

    20110907 170051
    Computer name: AKUHN-6320
    Filename: E:\ReadyBoost.sfcache
    No file type information
    Matching rules: Credit or debit card numbers with qualifying terms, File marked as "Moderately Sensitive" content., File marked as "highly sensitive" content., File marked as "sensitive" content., International bank account numbers, National identification numbers with qualifying terms, Personally identifiable information, US social security numbers with qualifying terms
    20110907 170051
    A "block transfer" action was taken. The user tried to save or copy a file to a storage device without using Windows Explorer.
    Username: NT AUTHORITY\SYSTEM
    User action: File save or copy
    Data Control action: Block
    Destination path: E:\ReadyBoost.sfcache
    Destination type: Removable storage
    20110907 170657
    Computer name: AKUHN-6320
    Filename: E:\ReadyBoost.sfcache
    No file type information
    Matching rules: Credit or debit card numbers with qualifying terms, National identification numbers with qualifying terms, Personally identifiable information, US social security numbers with qualifying terms
    20110907 170657
    A "block transfer" action was taken. The user tried to save or copy a file to a storage device without using Windows Explorer.
    Username: NT AUTHORITY\SYSTEM
    User action: File save or copy
    Data Control action: Block
    Destination path: E:\ReadyBoost.sfcache
    Destination type: Removable storage
    20110907 174012
    Computer name: AKUHN-6320
    Filename: E:\Bob Smith.docx
    No file type information
    Matching rules: Bank routing numbers with qualifying terms, Confidential documents, Credit or debit card numbers with qualifying terms, File marked as "Moderately Sensitive" content., File marked as "highly sensitive" content., File marked as "sensitive" content., International bank account numbers, National identification numbers with qualifying terms, Personally identifiable information, US social security numbers with qualifying terms
    20110907 174012
    A "block transfer" action was taken. The user tried to save or copy a file to a storage device without using Windows Explorer.
    Username: APPA\akuhn
    User action: File save or copy
    Data Control action: Block
    Destination path: E:\Bob Smith.docx
    Destination type: Removable storage
    20110907 174100
    Computer name: AKUHN-6320
    Filename: E:\Bob Smith.docx

    So, I see some neat potential here, but the Readyboost issue stinks and the emailing getting around data control when it's not supposed to isn't very useful. I will assume for now that the error is mine, and would appreciate some help.

    Thanks.

    :16321

    Adam in DC
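Christian's advice to turn on verbose logging and Adam's pasted log both come down to the same question: which destinations actually produce events? The added Python example below (not Sophos code and not either poster's) parses the log records from the post, re-splitting them because a paste into the forum arrives with line breaks stripped, and compares the destinations seen in the log with those the exported content rule claims to cover. The log records and rule XML are constructed copies of what is in the post (XML declaration dropped); the mapping from the rule's device types to the log's "Destination type" wording is an assumption based on the one pairing visible on the page.

```python
"""Structure a verbose data control log and check destination coverage
against the exported rule (added example, not Sophos code)."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

FIELD_KEYS = ("Computer name", "Filename", "Matching rules", "Username",
              "User action", "Data Control action", "Destination path",
              "Destination type")
TIMESTAMP = re.compile(r"(\d{8} \d{6})")

# Constructed from the post's log, run together exactly as the forum shows it.
SAMPLE_LOG = r"""20110907 170051Computer name: AKUHN-6320Filename: E:\ReadyBoost.sfcache
No file type information
Matching rules: Credit or debit card numbers with qualifying terms, File marked as "Moderately Sensitive" content., File marked as "highly sensitive" content., File marked as "sensitive" content., International bank account numbers, National identification numbers with qualifying terms, Personally identifiable information, US social security numbers with qualifying terms
20110907 170051A "block transfer" action was taken. The user tried to save or copy a file to a storage device without using Windows Explorer.Username: NT AUTHORITY\SYSTEMUser action: File save or copyData Control action: BlockDestination path: E:\ReadyBoost.sfcacheDestination type: Removable storage20110907 170657Computer name: AKUHN-6320Filename: E:\ReadyBoost.sfcache
No file type information
Matching rules: Credit or debit card numbers with qualifying terms, National identification numbers with qualifying terms, Personally identifiable information, US social security numbers with qualifying terms
20110907 170657A "block transfer" action was taken. The user tried to save or copy a file to a storage device without using Windows Explorer.Username: NT AUTHORITY\SYSTEMUser action: File save or copyData Control action: BlockDestination path: E:\ReadyBoost.sfcacheDestination type: Removable storage20110907 174012Computer name: AKUHN-6320Filename: E:\Bob Smith.docx
No file type information
Matching rules: Bank routing numbers with qualifying terms, Confidential documents, Credit or debit card numbers with qualifying terms, File marked as "Moderately Sensitive" content., File marked as "highly sensitive" content., File marked as "sensitive" content., International bank account numbers, National identification numbers with qualifying terms, Personally identifiable information, US social security numbers with qualifying terms
20110907 174012A "block transfer" action was taken. The user tried to save or copy a file to a storage device without using Windows Explorer.Username: APPA\akuhnUser action: File save or copyData Control action: BlockDestination path: E:\Bob Smith.docxDestination type: Removable storage20110907 174100Computer name: AKUHN-6320Filename: E:\Bob Smith.docx
"""

# Constructed from the exported rule in the post (declaration and ids dropped).
SAMPLE_RULE = """<contentRule action="overridableBlock" name="Bank routing numbers with qualifying terms">
  <excludeFile name="ReadyBoost.sfcache" />
  <destination>
    <device type="floppyDrive" />
    <device type="opticalDrive" />
    <device type="removableStorage" />
    <uploadApp value="Outlook" />
    <uploadApp value="Outlook Express" />
    <uploadApp value="Windows Mail" />
  </destination>
</contentRule>"""

# Assumed wording of device types in the log's "Destination type" field.
DEVICE_TYPE_NAMES = {"removableStorage": "Removable storage",
                     "opticalDrive": "Optical drive",
                     "floppyDrive": "Floppy drive"}


def normalise(raw: str) -> list:
    """Put each timestamp and each known 'Key:' field back on its own line."""
    text = TIMESTAMP.sub(r"\n\1\n", raw)
    for key in FIELD_KEYS:
        text = text.replace(f"{key}:", f"\n{key}:")
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def parse_log(raw: str) -> list:
    """One dict per timestamped record; free text lines go under 'messages'."""
    records, current = [], None
    for line in normalise(raw):
        if TIMESTAMP.fullmatch(line):
            current = {"timestamp": line, "messages": []}
            records.append(current)
        elif current is not None:
            key, sep, value = line.partition(": ")
            if sep and key in FIELD_KEYS:
                current[key] = value
            else:
                current["messages"].append(line)
    return records


def matched_rules(record: dict) -> list:
    return [r.strip() for r in record.get("Matching rules", "").split(", ") if r.strip()]


def block_events(records: list) -> list:
    return [(r.get("Destination path"), r.get("Destination type"), r.get("Username"))
            for r in records if r.get("Data Control action") == "Block"]


def rule_destinations(rule_xml: str) -> list:
    """Destinations the rule covers, in the log's wording (device types mapped)."""
    root = ET.fromstring(rule_xml)
    names = [DEVICE_TYPE_NAMES.get(d.get("type"), d.get("type")) for d in root.iter("device")]
    return names + [u.get("value") for u in root.iter("uploadApp")]


def destination_coverage(records: list, rule_xml: str) -> dict:
    """Event count per rule destination; zero means nothing was ever logged for it."""
    seen = Counter(r["Destination type"] for r in records if "Destination type" in r)
    return {dest: seen.get(dest, 0) for dest in rule_destinations(rule_xml)}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for path, dest, user in block_events(recs):
        print(f"blocked {path} -> {dest} ({user})")
    for dest, n in destination_coverage(recs, SAMPLE_RULE).items():
        print(f"{dest}: {n} event(s)" + ("" if n else "   <- no entry at all"))
```

A destination with zero events is the case Christian distinguishes: a "No rules matched" entry would mean the transfer was seen and judged, whereas no entry at all for the mail clients means the upload was never intercepted, which is the point to raise with Support.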

  • Hi,

    I'm afraid the ReadyBoost incompatibility is a known issue (http://www.sophos.com/support/knowledgebase/article/63215.html) and at the moment there are no plans to fix the conflict. Email upload monitoring should work just fine and I'd suggest contacting support so they can look into what might be going wrong.

    Best regards,

    John

    :16779