
Is Data Control buggy?

Dear All,

Bit of background: we are using Sophos 9.5 clients on XP and Windows 7 endpoints with SEC 4.5.x.

I have implemented Data Control in Alert mode only across the firm. So far I have some interesting results. I have implemented just 4 rules, all UK: bank routing numbers, credit or debit card, national ID and PII. We use Lotus Notes for email, and am I right in thinking that Data Control simply monitors Windows Explorer transfers, so we can send a plain-text email breaching the rules and Sophos will never pick it up? It appears that way to me. Attachments are scanned but plain text in an email is not; is that right?

Also, on one OU I have implemented Data Control to allow transfer on acceptance. What I have found here makes no sense to me at all. I create a blank Excel 2007 document, and attaching that to an email breaches all rules and flags up a message box. I create the same file but save it as a 2003 .xls file, and I am not prompted. I have also added tons of attachments with all sorts of bank details and nothing is stopped, yet when I added a spreadsheet with a list of my servers it was flagged by the rules again!?

I have enabled verbose logging on my PC for Data Control, but this adds nothing to the normal logs; i.e. it does not drill down to the phrase in the file that has breached the rule, it simply records the file name of the document.

Please can anyone offer any advice, as we are looking at creating a policy ASAP to combat DLP, but if the technology is failing it's a no-goer.

Thanks in advance

Stuart

  • Hello Stuart,

    am I right in thinking that Data Control simply monitors Windows Explorer transfers

    for transfer to removable storage, yes. For upload and attaching it's file open. So you are right that you can type in whatever you want. That's beyond ESDP's scope. This can only be controlled at the gateway. To repeat: The contents of the mail are not inspected.

    I have enabled verbose logging on my PC for data control but this adds nothing to normal logs

    This is true if you have only content rules. If you add a file rule, "nothing" looks like:

    Filename: C:\Download\Liauser.htm
    No rules matched

    And it will also display the "partial" matches of the content rules.

    it simply records the file name of the document

    Hell, this is one of the logs which you get only in the language of the install. Guess you understand it nevertheless:

    20101112 104641  Computername: CCCCCCCCC
    Filename: C:\Documents and Settings\XXXXXXXX\My Documents\SVN_Test3.xls

    File name: C:\Documents and Settings\XXXXXXXX\My Documents\SVN_Test3.xls
    File group: Spreadsheet
    File type: Microsoft Excel-OLE

    Content Control List Name: AT_SVNR Trigger weight: 10
    Expression 0 : '(?:\d{4}([ ]?)(?:0[1-9]|[12]\d|3[01])(\1?)(0[1-9]|1[012])\2\d{2})' Type: Perl5 Weight: 3
    Match 1 : Weight applied: 1 Context:
    oha
    SVNR ==>0815 111121<==
    SVNR 0815
    Match 2 : Weight applied: 1 Context: 1121
    SVNR ==>0815 111122<==
    SVNR 0815
    Match 3 : Weight applied: 1 Context: 1122
    SVNR ==>0815 11 11 23<==

    2Pag
    Content Control List Name: AT_SVNR Trigger weight: 10
    Expression 0 : '(?:\d{4}([ ]?)(?:0[1-9]|[12]\d|3[01])(\1?)(0[1-9]|1[012])\2\d{2})' Type: Perl5 Weight: 3
    Match 1 : Weight applied: 1 Context:
    oha
    SVNR ==>0815 111121<==
    SVNR 0815
    Match 2 : Weight applied: 1 Context: 1121
    SVNR ==>0815 111122<==
    SVNR 0815
    Match 3 : Weight applied: 1 Context: 1122
    SVNR ==>0815 11 11 23<==

    2Pag

    Matching rules: Microsoft Office documents
    _________________________________________________________________________
    20101112 104641 Action "Allow file transfer" was taken.
    User name: XXX\XXXXXXXX
    Rule names: 'Microsoft Office documents'
    User action: File open
    Application: Firefox 3
    Data Control action: Allow
    File type: Spreadsheet (Microsoft Excel-OLE)
    Source path: C:\Documents and Settings\XXXXXXXX\My Documents\SVN_Test3.xls

    Please note that there are two blocks with the same timestamp - the first showing the details.

    There's something which seems to be a bug (don't have the time right now to test it thoroughly): If the rules haven't changed and if a file hasn't changed and if the rules previously permitted transfer (without prompt) a repeated upload/attach will not be logged (even if requested). Hmmm ...

    Anyway, adding a file rule for office documents might help you in getting more useful logs.

    Christian

  • Hi Stuart,

    QC is correct about data control on the endpoint not currently scanning email content. It will scan attachments but not email content - in fact clarification of what is / isn't scanned can be found in the "Policy Setup Guide": http://www.sophos.com/sophos/docs/eng/manuals/sesc_95_psgeng.pdf.

    If you want to scan email content then I'd recommend considering the Email Security appliance which also includes integrated DLP and is a much more flexible solution for email DLP. If you don't want to invest in additional gateway hardware then the good news is that the email appliance will soon be available as a virtual image.

    Again QC is correct about verbose logging. For content rules it should show exact details for what content was matched for all files scanned by the DC rules - even when a file doesn't trigger. If this isn't happening then I'd recommend calling support and they can help fix the issue or raise a defect.

    The Excel 2003 / 2007 problem sounds interesting. In principle the behaviour should be consistent, but the internal format for Excel 2003 and 2007 is quite different, and so there are likely to be differences in the content extraction carried out by the engine. Having said this, we'd aim for the results to be consistent. Again, if you can contact support and provide file samples and verbose log output we can have a closer look at what is happening.

    Best regards,

    John

  • Hi Christian,

    When you uploaded the same file was it within a relatively short period? There is a small allowance for repeat uploads made in the solution to avoid creating a loop under certain circumstances. Again probably worth noting down the behaviour in detail and raising a support call.

    Best regards,

    John

  • Thanks for the replies.

    After reading the help (which is always a good idea) I realise that it will not scan the email content, but the VMware image of the appliance sounds very interesting, so I will call our rep to arrange a trial when it is out.

    As for the Excel attachment issue, it affects other computer users too, so it is not just an issue on my test PC. The scenario is: if you create a blank Excel spreadsheet in 2007 it will be stopped by Sophos as containing credit card numbers etc., but if you save the exact same file as a 2003 spreadsheet it sails through without any warnings.

    Could anybody else out there please try this procedure and see if you can reproduce my problem? FYI, I have set the PII content rule to find only 1 instance and then ask for authorisation.

    I think that the 2007 file format could be the issue because in reality the xlsx file is xml wrapped up in a zip file.

    Another quirk: when I add an attachment, Sophos begins a DLP scan of the 'file attach' dialog box before I have even selected a file to attach!? So each time I do this now, my blank book1.xlsx is flagged for authorisation as soon as I click File > Attach!

    And on the logging side of things, I have added a file content rule into the mix and I still see no more granularity than with normal logging.

    Another thing: is there a table of the actual matching rules? I.e. what format do the content rules use, for credit and debit cards for example? Is it just looking for 8 numbers in one sequence? Can I see this list? Is it on my server or on the client PC?

    Support call time methinks.

    Thanks

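Added example, not part of the thread and not Sophos code. It takes the AT_SVNR regular expression from Christian's verbose log and runs it under an assumed, simplified weighting model (every match adds the expression's weight; the list triggers when the total reaches the trigger weight; the thread does not document how the real engine combines "Weight" and "Trigger weight", so that arithmetic is an assumption here). It also builds a minimal .xlsx in memory to illustrate Stuart's point that the 2007 format is XML inside a zip: a scanner has to unpack the container and read the shared-string table before any content rule can see the text, and the same bytes scanned as an opaque file yield nothing. All cell values are constructed sample data.

```python
"""Toy content-rule evaluator plus a minimal .xlsx text extractor.

Added example, not Sophos code. The regular expression is the one from
the verbose Data Control log quoted in the thread; the scoring model
(sum the weight of every match, trigger when the total reaches the list's
trigger weight) is an ASSUMPTION made here for illustration, since the
thread does not document how the real engine combines weights.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Expression copied from the log: a 4-digit serial, an optional space, then
# a DDMMYY date whose parts must reuse the same separator (the \1 and \2
# backreferences are why "0815 111121" and "0815 11 11 23" both match).
SVNR_RE = re.compile(
    r"(?:\d{4}([ ]?)(?:0[1-9]|[12]\d|3[01])(\1?)(0[1-9]|1[012])\2\d{2})"
)

# Assumed shape of a Content Control List: (regex, weight) pairs plus a
# trigger weight. The names mirror the log; the arithmetic is ours.
AT_SVNR = {"name": "AT_SVNR", "trigger_weight": 10, "expressions": [(SVNR_RE, 3)]}
SML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def evaluate_ccl(text, ccl=AT_SVNR, context=12):
    """Run every expression over the text and total the weights.

    Each hit is returned with ==>...<== markers inside a little surrounding
    context, the way the verbose log prints it.
    """
    hits, score = [], 0
    for rx, weight in ccl["expressions"]:
        for m in rx.finditer(text):
            score += weight
            lo, hi = max(0, m.start() - context), m.end() + context
            hits.append(text[lo:m.start()] + "==>" + m.group(0) + "<==" + text[m.end():hi])
    return {"name": ccl["name"], "matches": hits, "score": score,
            "triggered": score >= ccl["trigger_weight"]}


def build_xlsx(strings):
    """Construct a minimal Office Open XML workbook in memory (constructed
    sample: a shared-string table and one sheet that references it, deflated
    the way a real .xlsx is). Enough for text extraction, not necessarily a
    file Excel would open."""
    sst = ET.Element("sst", xmlns=SML_NS)
    for s in strings:
        ET.SubElement(ET.SubElement(sst, "si"), "t").text = s
    sheet = ET.Element("worksheet", xmlns=SML_NS)
    row = ET.SubElement(ET.SubElement(sheet, "sheetData"), "row", r="1")
    for i in range(len(strings)):
        cell = ET.SubElement(row, "c", r=f"{chr(65 + i)}1", t="s")  # t="s": shared string
        ET.SubElement(cell, "v").text = str(i)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/sharedStrings.xml", ET.tostring(sst, encoding="utf-8"))
        z.writestr("xl/worksheets/sheet1.xml", ET.tostring(sheet, encoding="utf-8"))
    return buf.getvalue()


def extract_xlsx_text(data):
    """Pull out what a content scanner has to look at: every <t> element in
    the shared-string table and in the worksheets (inline strings)."""
    parts = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name == "xl/sharedStrings.xml" or name.startswith("xl/worksheets/"):
                root = ET.fromstring(z.read(name))
                parts.extend(t.text for t in root.iter(f"{{{SML_NS}}}t") if t.text)
    return "\n".join(parts)


# Constructed sample cells, same shape as the context lines in the log.
SAMPLE_CELLS = ["oha", "SVNR 0815 111121", "SVNR 0815 111122",
                "SVNR 0815 11 11 23", "2Pag"]


def demo():
    """Scan the same workbook twice: unpacked, and as opaque container bytes."""
    blob = build_xlsx(SAMPLE_CELLS)
    unpacked = evaluate_ccl(extract_xlsx_text(blob))
    # The XML inside the zip is deflated, so a scanner that regexes the raw
    # file without unpacking it sees no SVNR at all.
    opaque = evaluate_ccl(blob.decode("latin-1"))
    return unpacked, opaque


if __name__ == "__main__":
    unpacked, opaque = demo()
    for hit in unpacked["matches"]:
        print(repr(hit))
    print("unpacked:", unpacked["score"], "triggered:", unpacked["triggered"])
    print("opaque:  ", opaque["score"], "triggered:", opaque["triggered"])
```

With the three SVNR cells the unpacked scan scores 9 under this model, one short of the trigger weight of 10, which is the kind of "partial match" Christian says verbose logging shows even when no rule fires; a fourth occurrence tips it over. The opaque scan of the same bytes scores 0, which is why a content engine's extraction path for a given container format matters as much as the rule itself.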