
DLP not logging, but stopping applications writing to removable storage

Thread continued from here:

http://community.sophos.com/t5/Sophos-Endpoint-Security-and/Possible-Bug/m-p/19271#M7764

So all my VMs are stored on a removable disk, and I was getting an error, VERR_ACCESS_DENIED, from VirtualBox, but no event logs from Sophos. Should it be logging?

Also the Credit Card rule was set to Allow transfer on acceptance by user and log event.

Does this mean the user should be prompted by Sophos to continue?

Jeffrey

:19273


This thread was automatically locked due to age.
  • Hello JEFFERY,

    you should get a "File transfer blocked by Sophos" balloon the first time (1) an application tries to write to removable storage, with a text like "Attempt to write ... blocked. Please copy the file using Windows Explorer." This will also be logged. As far as I can see, subsequent attempts by the same application will only be logged (but without an indication that they have been blocked) if logging is set to verbose.

    (1) It looks like only the first attempt by a certain application during a login session will cause the pop-up.

    Christian

    :19287
  • Hi Jeffery,

    Christian is correct. When a "request user authorization" or "block" action is used in a data control policy, we restrict authorized file transfers to removable storage devices to Windows Explorer. When the applications you are using attempt to write to the removable storage device, they are blocked by the Sophos agent. I appreciate that this can be frustrating, but the solution is designed this way to enable Sophos to intercept data before it touches the removable storage device. One possible workaround is to explicitly exclude the locations the applications are attempting to write to within the Data Control rule. More detail can be found here: http://www.sophos.com/support/knowledgebase/article/113024.html

    Best regards,

    John

    Product Manager

    :19289
  • Ok fair enough, thanks both for your help on this.

    Jeffery

    :19305