I may have found a massive hole in Data Control which is slightly worring?

Hi all,

I can confirm both of these issues are as designed.

You can enable the scanning of files from network locations by turning off the exclusion of remote files. The DLP functionality uses the same engine as the AV scanner so there is a relationship between the file exclusion setting and the behavior of the data control policy. I'll be the first to admit that this is quite obtuse and could be made clearer within the interface.

We made a deliberate design decision to exempt system folders from scanning to avoid triggering false positives when a monitored application accesses configuration files and file / database caches (e.g. local email archive or browser caches). It should be possible with group policy to lock down access to these system folders if you are concerned about users moving files into those locations.

Another option is to consider a layered DLP implementation so for example to also make use of endpoint data control for transfers onto removal storage, the Sophos Email Appliance to implement DLP controls on outbound email (scanning email content and attachments) and next year it should be possible to use either the web appliance or Sophos UTM to intercept sensitive data in outbound web traffic (at the moment the web upload function on the endpoint only scans attachments).

The intention of the current data control solution has always been to provide good protection from accidental data loss and many customers find it useful to use as a education tool for their users or just to silently monitor activity in the background. If users want to find a way to get data off an endpoint, and they are smart enough, then they will typically find a way. For example using dropbox... unless it is blocked by application control ;)

Hope this helps,

John

Product Manager

Hi all,

I can confirm both of these issues are as designed.

You can enable the scanning of files from network locations by turning off the exclusion of remote files. The DLP functionality uses the same engine as the AV scanner so there is a relationship between the file exclusion setting and the behavior of the data control policy. I'll be the first to admit that this is quite obtuse and could be made clearer within the interface.

We made a deliberate design decision to exempt system folders from scanning to avoid triggering false positives when a monitored application accesses configuration files and file / database caches (e.g. local email archive or browser caches). It should be possible with group policy to lock down access to these system folders if you are concerned about users moving files into those locations.

Another option is to consider a layered DLP implementation so for example to also make use of endpoint data control for transfers onto removal storage, the Sophos Email Appliance to implement DLP controls on outbound email (scanning email content and attachments) and next year it should be possible to use either the web appliance or Sophos UTM to intercept sensitive data in outbound web traffic (at the moment the web upload function on the endpoint only scans attachments).

The intention of the current data control solution has always been to provide good protection from accidental data loss and many customers find it useful to use as a education tool for their users or just to silently monitor activity in the background. If users want to find a way to get data off an endpoint, and they are smart enough, then they will typically find a way. For example using dropbox... unless it is blocked by application control ;)

Hope this helps,

John

Product Manager