This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Exclusion for "Downloads" folder and Chrome

Hi guys,

 

I'm facing a problem with DLP, so if you have any idea, it would be appreciated.

 

Right now, If I download a file with Chrome that matches the DLP rules, the file generates an event, even if I'm not uploading it and that generates a lot of False Positives/Information to analyse that shouldn't.

Tried adding the exception %userprofile%\Downloads\*.??? but it didn't worked. Adding Downloads\*.??? works, but that means that anything inside a "Downloads" folder in any part won't be scanned. Also, this means that the user would find out that "Downloads" its not being scanned and "steal" information by first copying the file there and then uploading it.

What can be done in this case? I only what to avoid all the FP that appears when a file is downloaded using chrome.

 Here is the info with my issue: https://community.sophos.com/kb/en-us/63016

But it doesn't provide any link or info on how to avoid the "hole".

 

Thanks!



This thread was automatically locked due to age.
Parents
  • Hello Antonio Cienfuegos,

    DLP can't tell what an application is about to do when it opens a file - all it can do is to ignore files that are opened for write. Looks like Chrome opens the files for read after downloading. I'm afraid there is no way to avoid the "hole". OTOH - what kind of content is it that users are permitted to download via browser but not to upload?

    Christian

  • Its a financial institution so they can download information to work with, but not upload through Chrome: We can have the information in the computer since it wont leave the bank but we can't allow the information to leave the computer.

    That's the short version.

  • Hello Antonio Cienfuegos,

    I see. As said, endpoint DLP is dumb, that is it isn't actually dumb but it has only limited information: Application (e.g. browser) is reading a file, it can't assess or glean what will be done with the file. So you can't avoid the FP.
    BTW - is the policy block (unconditionally, i.e. not Allow by acceptance)? If so, what's the consequence for the user after the fP upon the download?

    Christian

Reply
  • Hello Antonio Cienfuegos,

    I see. As said, endpoint DLP is dumb, that is it isn't actually dumb but it has only limited information: Application (e.g. browser) is reading a file, it can't assess or glean what will be done with the file. So you can't avoid the FP.
    BTW - is the policy block (unconditionally, i.e. not Allow by acceptance)? If so, what's the consequence for the user after the fP upon the download?

    Christian

Children
  • We have the policy in a few computers. testing the results but only monitoring. We haven't blocked anything yet. 

     

    That's why is the second part of the issue: I we can't avoid the hole, is there no other exceptions that we could use? Like the ones in AV? For example: %userprofile%\Downloads?