
Re: Data control scenario question

I have been playing around this afternoon with the data control policy. Managed to get a rule configured to block all file types apart from .7z to prevent the transfer of data via email and removable storage. 

Sophos is blocking the transfer of data onto a USB stick unless it's in a 7zip format, which is good. But it's not blocking any email attachments that I am adding to the Office 2007 Outlook client. I can send any format out and Sophos doesn't prevent this.

Anyone have any ideas on how to fix this? 

  • Very similar circumstance.  Just started playing with this neat feature.  Created a group and put just myself in it.  I exported a sample rule here:

    </rules>

    <?xml version="1.0" encoding="utf-16" ?>
    <contentRule action="overridableBlock" ruleRevisionId="728729f1-040a-4757-8656-5551c5e3026d" name="Bank routing numbers with qualifying terms" comment="Identify files containing ten or more bank routing numbers (American Banking Association and sort codes) with qualifying phrase.">
      <excludeFile name="ReadyBoost.sfcache" />
      <destination>
        <device type="floppyDrive" />
        <device type="opticalDrive" />
        <device type="removableStorage" />
        <uploadApp value="Outlook" />
        <uploadApp value="Outlook Express" />
        <uploadApp value="Windows Mail" />
      </destination>
      <contentReferenceSet />
      <predefinedContentReferenceSet>
        <content name="BankroutingnumberswithqualifyingtermsGlobal" quantity="1" />
      </predefinedContentReferenceSet>
    </contentRule>
    <contentConditions />

    The takeaway on this is that I discovered that Sophos and ReadyBoost are incompatible. Even if I exclude the file name, Sophos blocks the usage of ReadyBoost. And I just bought an SD card to take advantage of it. The other takeaway is that Data Control does indeed prompt and block with a sample document if I try to save to a USB drive - but does nothing when emailing it. Here's the DOC:

    Bob Smith

    Bank account details – 31926819
    Sort Code – 521051

    Mastercard card – 5487 5489 5225 6554

    Expires End – 11/12/12

    CCV – 875

    123-45-6789

    Note that I included 3 out of the 4 email clients in the rule.  Here's some log:

    20110907 170051
    Computer name: AKUHN-6320
    Filename: E:\ReadyBoost.sfcache
    No file type information
    Matching rules: Credit or debit card numbers with qualifying terms, File marked as "Moderately Sensitive" content., File marked as "highly sensitive" content., File marked as "sensitive" content., International bank account numbers, National identification numbers with qualifying terms, Personally identifiable information, US social security numbers with qualifying terms
    20110907 170051 A "block transfer" action was taken. The user tried to save or copy a file to a storage device without using Windows Explorer.
    Username: NT AUTHORITY\SYSTEM
    User action: File save or copy
    Data Control action: Block
    Destination path: E:\ReadyBoost.sfcache
    Destination type: Removable storage

    20110907 170657
    Computer name: AKUHN-6320
    Filename: E:\ReadyBoost.sfcache
    No file type information
    Matching rules: Credit or debit card numbers with qualifying terms, National identification numbers with qualifying terms, Personally identifiable information, US social security numbers with qualifying terms
    20110907 170657 A "block transfer" action was taken. The user tried to save or copy a file to a storage device without using Windows Explorer.
    Username: NT AUTHORITY\SYSTEM
    User action: File save or copy
    Data Control action: Block
    Destination path: E:\ReadyBoost.sfcache
    Destination type: Removable storage

    20110907 174012
    Computer name: AKUHN-6320
    Filename: E:\Bob Smith.docx
    No file type information
    Matching rules: Bank routing numbers with qualifying terms, Confidential documents, Credit or debit card numbers with qualifying terms, File marked as "Moderately Sensitive" content., File marked as "highly sensitive" content., File marked as "sensitive" content., International bank account numbers, National identification numbers with qualifying terms, Personally identifiable information, US social security numbers with qualifying terms
    20110907 174012 A "block transfer" action was taken. The user tried to save or copy a file to a storage device without using Windows Explorer.
    Username: APPA\akuhn
    User action: File save or copy
    Data Control action: Block
    Destination path: E:\Bob Smith.docx
    Destination type: Removable storage

    20110907 174100
    Computer name: AKUHN-6320
    Filename: E:\Bob Smith.docx

    So, I see some neat potential here, but the ReadyBoost issue stinks and the emailing getting around Data Control when it's not supposed to isn't very useful. I will assume for now that the error is mine, and would appreciate some help.

    Thanks.

    Adam in DC
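
To check the ReadyBoost observation against the log, this added example (not part of the original post, and not Sophos code) parses the log excerpt from the reply and lists the blocked transfers that were triggered by rules other than the exported one, which is the only rule shown carrying the `excludeFile` entry. The field labels come from the posted log; the function and constant names are illustrative.

```python
import re

# Name of the rule in the exported XML, the one shown with <excludeFile name="ReadyBoost.sfcache" />.
EXPORTED_RULE = "Bank routing numbers with qualifying terms"

# Log excerpt from the reply above, embedded with its fields run together; the last entry is cut off.
LOG = r"""20110907 170051Computer name: AKUHN-6320Filename: E:\ReadyBoost.sfcache
No file type information
Matching rules: Credit or debit card numbers with qualifying terms, File marked as "Moderately Sensitive" content., File marked as "highly sensitive" content., File marked as "sensitive" content., International bank account numbers, National identification numbers with qualifying terms, Personally identifiable information, US social security numbers with qualifying terms
20110907 170051A "block transfer" action was taken. The user tried to save or copy a file to a storage device without using Windows Explorer.Username: NT AUTHORITY\SYSTEMUser action: File save or copyData Control action: BlockDestination path: E:\ReadyBoost.sfcacheDestination type: Removable storage20110907 170657Computer name: AKUHN-6320Filename: E:\ReadyBoost.sfcache
No file type information
Matching rules: Credit or debit card numbers with qualifying terms, National identification numbers with qualifying terms, Personally identifiable information, US social security numbers with qualifying terms
20110907 170657A "block transfer" action was taken. The user tried to save or copy a file to a storage device without using Windows Explorer.Username: NT AUTHORITY\SYSTEMUser action: File save or copyData Control action: BlockDestination path: E:\ReadyBoost.sfcacheDestination type: Removable storage20110907 174012Computer name: AKUHN-6320Filename: E:\Bob Smith.docx
No file type information
Matching rules: Bank routing numbers with qualifying terms, Confidential documents, Credit or debit card numbers with qualifying terms, File marked as "Moderately Sensitive" content., File marked as "highly sensitive" content., File marked as "sensitive" content., International bank account numbers, National identification numbers with qualifying terms, Personally identifiable information, US social security numbers with qualifying terms
20110907 174012A "block transfer" action was taken. The user tried to save or copy a file to a storage device without using Windows Explorer.Username: APPA\akuhnUser action: File save or copyData Control action: BlockDestination path: E:\Bob Smith.docxDestination type: Removable storage20110907 174100Computer name: AKUHN-6320Filename: E:\Bob Smith.docx"""

LABELS = ("Computer name|Filename|Matching rules|Username|User action|"
          "Data Control action|Destination path|Destination type")
STAMP = r"\d{8} \d{6}"
# A value ends at the next label, the next timestamp, a line break, or end of text.
FIELD = re.compile(rf"({LABELS}): (.*?)(?=(?:{LABELS}): |{STAMP}|\n|$)")

def parse_events(text):
    """Split the log at each 'timestamp + Computer name' and read the labelled fields."""
    events = []
    for chunk in re.split(rf"(?={STAMP}\s*Computer name: )", text):
        fields = {label: value.strip() for label, value in FIELD.findall(chunk)}
        if "Filename" not in fields:
            continue  # empty text before the first entry
        rules = fields.get("Matching rules", "")
        fields["Matching rules"] = rules.split(", ") if rules else []
        events.append(fields)  # a cut-off entry keeps whatever fields it has
    return events

def blocks_not_matching(events, rule_name):
    """Blocked transfers whose matching-rule list does not include rule_name."""
    return [(e["Username"], e["Filename"], e["Destination type"])
            for e in events
            if e.get("Data Control action") == "Block"
            and rule_name not in e["Matching rules"]]

if __name__ == "__main__":
    for e in parse_events(LOG):
        print(e["Filename"], e.get("Username"), e.get("Destination type"), len(e["Matching rules"]))
    print(blocks_not_matching(parse_events(LOG), EXPORTED_RULE))
```

On the posted excerpt, both `ReadyBoost.sfcache` blocks list only rules other than the exported one, and every logged block has the destination type "Removable storage".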
