Is Data Control buggy?

Question

Dear All,

Bit of background :- we are using Sophos 9.5 clients on XP and Windows 7 endpoints with SEC 4.5.x

I have implemented Data Control in Alert mode only across the firm. So far I have some interesting results. I have implemented just 4 rules, all UK, Bank Routing numbers, credit or debit, national id and PII. We use Lotus Notes for email and am I right in thinking that Data Control simply monitors Windows Explorer transfers, thus we can send a plain text email breaching the rules, but Sophos will never pick it up? It appears that way for me? Attachments are scanned but plain text in an email is not? is that right?

Also, on one OU I have implemented Data Control to Allow transfer on acceptance. What I have found here makes no sense to me at all. I create a blank Excel 2007 document and attaching that to an email breaches all rules and flags up a message box? I create the same file but save it as a 2003 xls file and I am not prompted? I have also added tons of attachments with all sorts of bank details and nothing is stopped, yet when I added a spreadsheet with a list of my servers it was flagged by the rules again!?

I have enabled verbose logging on my PC for data control but this adds nothing to normal logs, i.e. it does not drill down to the phrase that has breached the rule in the file, it simply records the file name of the document.

Please can anyone offer any advice as we are looking at creating a policy asap to combat DLP, but if the technology is failing its a no go-er.

Thanks in advance

Stuart

This thread was automatically locked due to age.

QC · Accepted Answer

Hello Stuart, am I right in thinking that Data Control simply monitors Windows Explorer transfers for transfer to removable storage, yes. For upload and attaching it's file open . So you are right that you can type in whatever you want. That's beyond ESDP's scope. This can only be controlled at the gateway. To repeat: The contents of the mail are not inspected. I have enabled verbose logging on my PC for data control but this adds nothing to normal logs This is true if you have only content rules . If you add a file rule "nothing" looks like: Filename: C:\Download\Liauser.htm No rules matched And it will also display the "partial" matches of the content rules. it simply records the file name of the document Hell , this is one of the logs which you get only in the language of the install. Guess you understand it nevertheless: 20101112 104641 Computername: CCCCCCCCC Filename: C:\Documents and Settings\XXXXXXXX\My Documents\SVN_Test3.xls File name: C:\Documents and Settings\XXXXXXXX\My Documents\SVN_Test3.xls File group: Spreadsheet File type: Microsoft Excel-OLE Content Control List Name: AT_SVNR Trigger weight: 10 Expression 0 : '(?:\d{4}([ ]?)(?:0[1-9]|[12]\d|3[01])(\1?)(0[1-9]|1[012])\2\d{2})' Type: Perl5 Weight: 3 Match 1 : Weight applied: 1 Context: oha SVNR ==>0815 111121<== SVNR 0815 Match 2 : Weight applied: 1 Context: 1121 SVNR ==>0815 111122<== SVNR 0815 Match 3 : Weight applied: 1 Context: 1122 SVNR ==>0815 11 11 23<== 2Pag Content Control List Name: AT_SVNR Trigger weight: 10 Expression 0 : '(?:\d{4}([ ]?)(?:0[1-9]|[12]\d|3[01])(\1?)(0[1-9]|1[012])\2\d{2})' Type: Perl5 Weight: 3 Match 1 : Weight applied: 1 Context: oha SVNR ==>0815 111121<== SVNR 0815 Match 2 : Weight applied: 1 Context: 1121 SVNR ==>0815 111122<== SVNR 0815 Match 3 : Weight applied: 1 Context: 1122 SVNR ==>0815 11 11 23<== 2Pag Matching rules: Microsoft Office documents _________________________________________________________________________ 20101112 104641 Maßnahme "Dateiübertragung zulassen" wurde ergriffen. Benutzername: XXX\XXXXXXXX Regelbezeichnungen: 'Microsoft Office documents' Benutzermaßnahme: Dateiöffnung Anwendung: Firefox 3 Data Control-Maßnahme: Zulassen Dateityp: Spreadsheet (Microsoft Excel-OLE) Quellpfad: C:\Documents and Settings\XXXXXXXX\My Documents\SVN_Test3.xls Please note that there are two blocks with the same timestamp - the first showing the details. There's something which seems to be a bug (don't have the time right now to test it thoroughly): If the rules haven't changed and if a file hasn't changed and if the rules previously permitted transfer (without prompt) a repeated upload/attach will not be logged (even if requested). Hmmm ... Anyway, adding a file rule for office documents might help you in getting more useful logs. Christian :5953