Thread Info
  • Locked Locked
  • Replies 5 replies
  • Subscribers 3 subscribers
  • Views 12246 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Exclusion for "Downloads" folder and Chrome

Antonio Cienfuegos S

Hi guys,

 

I'm facing a problem with DLP, so if you have any idea, it would be appreciated.

 

Right now, If I download a file with Chrome that matches the DLP rules, the file generates an event, even if I'm not uploading it and that generates a lot of False Positives/Information to analyse that shouldn't.

Tried adding the exception %userprofile%\Downloads\*.??? but it didn't worked. Adding Downloads\*.??? works, but that means that anything inside a "Downloads" folder in any part won't be scanned. Also, this means that the user would find out that "Downloads" its not being scanned and "steal" information by first copying the file there and then uploading it.

What can be done in this case? I only what to avoid all the FP that appears when a file is downloaded using chrome.

 Here is the info with my issue: https://community.sophos.com/kb/en-us/63016

But it doesn't provide any link or info on how to avoid the "hole".

 

Thanks!



This thread was automatically locked due to age.

  • Hello Antonio Cienfuegos,

    DLP can't tell what an application is about to do when it opens a file - all it can do is to ignore files that are opened for write. Looks like Chrome opens the files for read after downloading. I'm afraid there is no way to avoid the "hole". OTOH - what kind of content is it that users are permitted to download via browser but not to upload?

    Christian

  • in reply to QC

    Its a financial institution so they can download information to work with, but not upload through Chrome: We can have the information in the computer since it wont leave the bank but we can't allow the information to leave the computer.

    That's the short version.

  • in reply to Antonio Cienfuegos S

    Hello Antonio Cienfuegos,

    I see. As said, endpoint DLP is dumb, that is it isn't actually dumb but it has only limited information: Application (e.g. browser) is reading a file, it can't assess or glean what will be done with the file. So you can't avoid the FP.
    BTW - is the policy block (unconditionally, i.e. not Allow by acceptance)? If so, what's the consequence for the user after the fP upon the download?

    Christian

  • in reply to QC

    We have the policy in a few computers. testing the results but only monitoring. We haven't blocked anything yet. 

     

    That's why is the second part of the issue: I we can't avoid the hole, is there no other exceptions that we could use? Like the ones in AV? For example: %userprofile%\Downloads?

  • We have the same issue and what we have discovered is that the scan is actually happening when the user opens the file from the bar at the bottom of the browser.  If the user opens the file location by choosing "Show in folder" and then opens the file from Windows File Explorer, the DLP scan does not occur.  Additionally, if the user uses IE, Edge or Firefox the DLP scan does not occur, it is a Chrome specific issue.

     

Unfiltered HTML