
I may have found a massive hole in Data Control which is slightly worrying?

It would appear that if you create a Data Control Policy which prevents users from emailing file types to unauthorised email destinations like gmail, webmail, hotmail and attach any document from a network directory, it allows the email to be sent (Shocking).

If you attach a file from your local machine it blocks the file fine, so it would seem that the Sophos agent has difficulties understanding mapped drives, which is pretty shocking for a security product.

Note:

I have sent this information to Sophos to review and I may have missed something, so don't take this as gospel. This may be an isolated issue which is happening in my environment.

Server 2003 R2 x64 SEC 4.7.0.13

Client Win7 x86 9.5

  • Hello John,

    thank you for your replies (and BTW this thread should perhaps be moved to the dedicated DLP forum).

    Sorry, BAD might sound a little bit harsh - it's a relic of my days on the mainframe. Only after reading nerohero's post did I take a closer look at where the test file resided. On the machines where I've encountered the problem (Win7, W2k8) I just downloaded it using IE and attempted to upload it again. On the virtual test machine where I tried to reproduce the problem I had copied it over to my Desktop. So yes, Downloads is a folder where a user typically saves a file ... Well, I assume engineering will assess which else.

    a relationship between the file exclusion setting and the behavior of the data control policy

    Is it correct that this applies to all exclusions? If I exclude .zip from AV scanning a DLP file rule won't catch them (not even when the transfer is to removable storage)?

    a deliberate design decision to exempt system folders

    No problem if it were SYSTEM - but you just can't lock down temp, caches, archives and configuration folders (I've seen users "backing up" complete external disks to such locations ...).

    Last but not least, it is somewhat disappointing that both cases took (quite) some time to resolve - it seems the information only went "up".

    But - again, thank you for the detailed answer 

    Christian

  • Hi Christian,

    The exclusions only apply to monitored applications and not storage monitoring (removable or optical). Fair point regarding non-system folders. I still stand by the point that the average user is less likely to store files in temp, cache and configuration folders. That's not to say we aren't looking at improved detection processes for monitored applications :) The good news is that DLP adoption is growing on the endpoint and the email appliance, so investment is going to continue and we have some neat things on the roadmap.

    John

  • Hello John,

    to emphasize (and correct me if I'm wrong) I've added the text in red:

    The exclusions, whether built-in or set in the AV on-access settings, only apply to monitored applications and not storage monitoring

    On the other hand - the AV exclusions do apply to monitored applications. What is the reason for this?

    Christian

  • Must say this is a problem for me - >95% of our documents are stored on networked locations and we hoped to be able to use Sophos endpoint to help identify potential data leakage. Not scanning files from a network location renders it ineffective for this purpose.

    Unticking "exclude remote files" fixes the issue but generates a significant performance impact, especially for users at the end of slower network links.

    James

  • I'll raise a feature request to see if we can only incur the remote scanning overhead when a data control rule condition is met rather than for all remote files.

    John

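The exchange above (Christian's question about AV on-access exclusions reaching monitored-application DLP, and James's point about remote files) boils down to a coverage question: for each place a user actually keeps files, does each transfer channel still get inspected? The harness below is an added example, not code from the thread or from Sophos. It plants identical canary files (a Luhn-valid test card number, the kind of pattern a content rule matches) in one folder per location, and emits a location-by-channel matrix with an "expected" column that encodes the thread's own account (on-access exclusions exempt a file from monitored-application DLP but not from storage monitoring) and an empty "observed" column for the tester to fill in after trying a browser upload, a mail attachment, and a copy to removable media from each folder. The location labels, the `excluded` flags, and the use of a temporary directory as the base path are assumptions; on a real client you would point each label at the actual Desktop, Downloads, %TEMP% and mapped-drive paths.

```python
"""Plant DLP canary files per storage location and build a coverage matrix.

Added example for testing endpoint DLP coverage; not the product's own code.
"""
import csv
import io
import tempfile
from pathlib import Path

# Transfer channels discussed in the thread: application monitoring
# (browser upload, mail attachment) versus storage monitoring (removable/optical).
CHANNELS = ("monitored_app", "storage")

# Assumed test locations. "excluded" marks folders that a typical on-access
# exclusion list (remote files, temp/cache folders) would skip; confirm the
# flags against the agent's real exclusion settings before trusting the matrix.
DEFAULT_LOCATIONS = {
    "desktop": {"excluded": False},
    "downloads": {"excluded": False},
    "temp": {"excluded": True},
    "mapped_drive": {"excluded": True},
}


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes partial + digit pass the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # the digit next to the check digit gets doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Standard Luhn validation over the digits of number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return bool(digits) and total % 10 == 0


def make_test_pan(prefix: str = "411111111111111") -> str:
    """Build a Luhn-valid 16-digit test number (default: the common 4111... test card)."""
    return prefix + luhn_check_digit(prefix)


def canary_text(label: str) -> str:
    """Constructed content a card-number content rule should match; clearly a test."""
    return (
        f"DLP TEST CANARY - location={label}\n"
        f"Name: Test Person\n"
        f"Card: {make_test_pan()}\n"
    )


def plant_canaries(base: Path, locations=DEFAULT_LOCATIONS) -> dict:
    """Write one canary per location; a meta["path"] overrides base/label."""
    planted = {}
    for label, meta in locations.items():
        folder = Path(meta.get("path", base / label))
        folder.mkdir(parents=True, exist_ok=True)
        path = folder / f"canary_{label}.txt"
        path.write_text(canary_text(label), encoding="utf-8")
        planted[label] = path
    return planted


def plant_in_tempdir(locations=DEFAULT_LOCATIONS) -> dict:
    """Offline variant: plant everything under a fresh temporary directory."""
    return plant_canaries(Path(tempfile.mkdtemp(prefix="dlp_canary_")), locations)


def expected_outcome(meta: dict, channel: str) -> str:
    """Expectation per the thread: storage monitoring ignores AV exclusions,
    monitored applications honour them (so excluded locations leak)."""
    if channel == "storage":
        return "blocked"
    return "allowed (not scanned)" if meta["excluded"] else "blocked"


def build_matrix(locations=DEFAULT_LOCATIONS) -> list:
    """One row per (location, channel) with expected outcome and blank observed."""
    return [
        {"location": label, "channel": ch,
         "expected": expected_outcome(meta, ch), "observed": ""}
        for label, meta in locations.items()
        for ch in CHANNELS
    ]


def matrix_csv(rows) -> str:
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["location", "channel", "expected", "observed"])
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    for label, path in plant_in_tempdir().items():
        print(f"{label:13s} {path}")
    print(matrix_csv(build_matrix()))
```

Run it, then attempt each channel from each folder and fill the "observed" column; any row where expected is "blocked" but the transfer went through is a real gap, and any "allowed (not scanned)" row that did get blocked means the exclusion assumption for that location was wrong and should be corrected in `DEFAULT_LOCATIONS`.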
  • I have to agree with James. When data control is turned on for our home users it creates a nightmare. Through testing I have found that there are several factors that need to be met. Users on Windows platforms use IE8 and access our domain through an Aruba RAP. IE is launched and the homepage is loaded anywhere from 30 to minutes later. I've done several Wireshark captures to see what is creating the delay. It appears that Data Control is hammering away at our NetApp filer, creating all sorts of issues. Note that we only have around 175 home users, but if data control is turned on for them it will essentially bring the filer to its knees, rendering it useless. If we are unable to scan our network drives there is no real use for Data Control, as it is policy to save all files to the network and not to the local drive. I can easily recreate this problem and would love to be able to use Data Control, however I cannot until this issue is resolved.

  • Hello CBC_Jason,

    perhaps you should create a new thread in the DLP board.

    I'm not sure I fully understand your configuration: You run with AV on the home computers, remote scanning turned off. Files are on NetApp (which does scanning, or doesn't it?). You want to control file uploads with IE, and as these files are on the NetApp volumes you'd have to turn on remote scanning, and this is causing issues?

    Can't speak for Sophos but I'd assume that Dev must take a closer look and you should contact Support with these issues.

    Christian
