
Data Control Policy

I set up a test policy on our endpoints with the Sophos Social Security number CCL and I am trying to get it to email me but allow transfer when this type of data is transferred to a USB and/or CD. I created a test Word doc with a fake SSN and the alert did not happen. I have configured SMTP on the anti-virus and HIPS policy and configured my e-mail address for both the AV & HIPS and data control policies.

Thanks,

DC

:1931


This thread was automatically locked due to age.
  • Hello DC,

    Check the client's log (View data control log) and SEC's Data Control tab for a data control event. Might seem self-evident, but if you don't get an alert you also don't get an email.

    Apart from the case that your test data simply don't match the rule, the "Allow file transfer and log event" action might not behave as expected. Quoting from the Policy Setup Guide: When a data control policy only contains rules with the "Allow file transfer and log event" action, direct saves from within applications and transfers using the command prompt are not intercepted. This behavior enables users to use storage devices without any restrictions. However, data control events are still only logged for transfers made using Windows Explorer. Furthermore, some tests I performed suggest only one alert is generated for a file when the resulting action is "Allow file transfer and log event", and further "use" does not raise additional events (until either the files or the rules are changed).

    Christian

    :2022
  • Hi,

    Couple of pointers / questions:

    • Check the correct quantity setting has been set correctly in the rule. This controls how much of a particular data type should be identified before the action is triggered.
    • The CCL in question (Social security numbers [USA]) is looking for SSNs in the following format: "NNN-NN-NNNN" (where "N" is a number). Can you provide more information on what your fake SSN looks like?
    • To find out more information on how the content analysis process is working through the matching process you can enable verbose data control logging on an endpoint. This shows details on what matched for each file scanned even if the trigger score is not reached.

    Generally the policy configuration guide for ESDP 9 provides some good guidelines on configuring data control: http://www.sophos.com/sophos/docs/eng/manuals/sesc_90_psgeng.pdf

    Best regards,

    John

    Product Manager

    :2024
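
The two checks John lists above (the NNN-NN-NNNN format and the rule's quantity setting) can be tried against the text of a test file before copying it to USB. This is an added sketch, not part of the thread and not Sophos's matching logic; the regexes, the `check_test_data` helper, the per-occurrence counting and the sample text are assumptions made for illustration.

```python
import re

# Assumption: the format quoted in the thread, NNN-NN-NNNN, as a plain pattern.
# The lookarounds stop longer digit/hyphen runs (order numbers etc.) from matching.
SSN_FORMAT = re.compile(r"(?<![\d-])\d{3}-\d{2}-\d{4}(?![\d-])")

# Nine digits in 3-2-4 grouping with no separator, or a separator other than "-".
# These look like SSNs to a person but do not fit the hyphenated format.
NEAR_MISS = re.compile(r"(?<!\d)\d{3}[ ./]?\d{2}[ ./]?\d{4}(?!\d)")


def check_test_data(text, quantity=1):
    """Report format matches, near misses, and whether `quantity` is reached.

    Assumption: every occurrence counts toward the quantity; the product
    may count differently (for example, only distinct values).
    """
    matches = SSN_FORMAT.findall(text)
    near_misses = NEAR_MISS.findall(text)
    return {
        "matches": matches,
        "near_misses": near_misses,
        "would_trigger": len(matches) >= quantity,
    }


# Constructed sample text standing in for the body of a test document.
SAMPLE = (
    "Employee A: 123-45-6789\n"
    "Employee B: 123456789\n"
    "Employee C: 987 65 4321\n"
    "Order ref: 1123-45-67890\n"
)

if __name__ == "__main__":
    for qty in (1, 2):
        result = check_test_data(SAMPLE, quantity=qty)
        print(f"quantity={qty}: {result}")
```

Run it on the plain text of the test document (a .docx is a zip container, so paste or export the text first), with `quantity` set to the value configured in the rule.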