This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Confidential information doubt

Hi all,

I´m beggining to work with the Sophos DLP, so excuse me if my questions are considered to be "basic" :)

A new SEC customer have several xlsm files containing VBA code on it. They want to make sure that only this files are protected by DLP.

Most of the machines are Win7 using Outlook 2007/2010, however some Win8/Outlook2013 are also being used,

Those files don´t contain any particular message that we can use as a content filter rule criteria, so i was trying to use a File Type Rule using "Script/Markup", but despite it blocks those files, all the xlsx are also blocked (i´m assuming that this, is because XML is "contained" on the File Type.

Can you please help me to understant, if my approach to the issue is the best one, or does the customer has to create some data inside every spreadsheet that we can use as a "filter".

Thanks in advance,

:40991


This thread was automatically locked due to age.
  • Hellp RPLF,

    you've already found out that file type (or rather file type group) is not distinctive enough to select just these files. The description of the files itself is rather general - there's more than one way to put VBA code into {a certain type of office document}. 

    But first of all - what is the rationale for blocking these files? "Secret" or "proprietary" code (please note that DLP can anyway only protect against "accidental" loss/leakage? And which destination(s)? Now it sounds like the customer wants to prevent the xslm files (i.e. those with this specific extension) from leaking - for this purpose you can choose the file name as condition (in this case *.xslm). Of course it's always better to have a positive, non-ambiguous and "immutable" identifier.

    Christian

    :41081
  • Hi Christian,

    Thank you for your reply.

    The main reason for the customer wants to block these files to the outside, is manly due to "proprietary" code made on those VBA. Their objective is that those files are never sent to the outside (email, external storage, http, skype, etc).

    On this early stage (they are just trying it) we are using block by file type, but it would be great if you could lead me in what ways we could use to produce (as you reffer) a "immutable" identifier - we were thinking to create a string on those spreasheets, to allow us to create a content filter rule that we could use to block that data).

    :41085
  • Hello RPLF,

    I'm not Sophos and I'm not an expert (neither in MS Office nor DLP) therefore I can't say how to produce a reliable identifier for these VBA projects. Furthermore it might not suffice to do the scanning solely on the client - please see Known limitations with data control. This I suggest you follow the last sentence in the mentioned article and contact Support.

    Christian

    :41091
  • Hi Christian,

    I´ve been in contact with support. They advise me that we can configure by using Script/Markup as file type filter, and configuring some files extensions on the whitelist.

    The bigget drawback is that Sophos does not have a option to block password protected files, thus, this kind of files are not intercepted :smileysad:

    Regards,

    Rui

    :41187