Data Control blocking writing a temp file on a removable disk

Hello JEFFERY,

Allow Transfer
should not result in the above action (please note that Allow on acceptance is a different thing). Nothing was blocked when I've tested it (though with only two instead of 8 rules). I'd suggest you turn on verbose logging on the endpoint (Sophos GUI, Configure data control. It should name the matching rule(s) which triggered an event.

Christian 

Sorry, after checking, one rule did have "Allow On Acceptance", I thought it would prompt the user, saying something like "You are transferring a document marked as 'Sensitive', are you sure you want to do this?"

Changing this to "Allow Transfer" fixed this, thankyou.

Hello JEFFERY,

one rule
thought as much [:)].

I thought it would prompt the user
well, it'd do if Explorer is used but for any other application the write is blocked. It's not immediately obvious why this is so - I'll try to explain. DC is intended to prevent data from getting outside and blocks transfer but not does not delete "forbidden" data - therefore the legitimacy must be determined before the transfer takes place and thus DC must be able to read assess the data while it's still "inside". DC covers transfer to a removable medium or to an application which potentially moves data to the outside. In the latter case it intercepts reads by known applications (with some limitations - please note that certain user folders might not be subject to DC as an application must be permitted to read user preferences and the like). In the former case though the content is usually not known before the write to the removable medium and thus any write by any application is blocked. The only exception is an Explorer copy where the source can be determined. So if a rule has block as (potential) action only Explorer is permitted to write.

And BTW: Allow and log is not guaranteed to report all transfers to SEC and therefore will not provide a complete audit-trail.

Christian 

Hello JEFFERY,

one rule
thought as much [:)].

I thought it would prompt the user
well, it'd do if Explorer is used but for any other application the write is blocked. It's not immediately obvious why this is so - I'll try to explain. DC is intended to prevent data from getting outside and blocks transfer but not does not delete "forbidden" data - therefore the legitimacy must be determined before the transfer takes place and thus DC must be able to read assess the data while it's still "inside". DC covers transfer to a removable medium or to an application which potentially moves data to the outside. In the latter case it intercepts reads by known applications (with some limitations - please note that certain user folders might not be subject to DC as an application must be permitted to read user preferences and the like). In the former case though the content is usually not known before the write to the removable medium and thus any write by any application is blocked. The only exception is an Explorer copy where the source can be determined. So if a rule has block as (potential) action only Explorer is permitted to write.

And BTW: Allow and log is not guaranteed to report all transfers to SEC and therefore will not provide a complete audit-trail.

Christian