
DLP Blocking all transfers to USB drive for just some computers

Hello. I'm testing Sophos Endpoint Advanced on Windows 10 for an SMB. On our 2017 machines (HP EliteDesk 800 G3) *any* file transfer to a USB key is blocked. I see a Sophos pop-up telling me so. Furthermore, the cloud event log shows the key being inserted, but it does not have a record of the blocked transfers. The blocked transfers are visible on the client.

Meanwhile, the DLP works great for 2013 vintage machines (HP 6300 Pro towers). Users get the Allow/Block options. Everything is logged.

Both sets of machines have the same policy. When I disable DLP for the malfunctioning computers, the transfers work again. Where should I go to troubleshoot the issue?

If it’s any assistance, when I attempt to copy a file to the USB drive on the 2017 machines, I see two things essentially simultaneously:

  • A Windows 10 pop-up mid-screen telling me that to continue, administrative access rights are required. (Our users aren’t members of the Administrators group on their local machines.) Providing those rights has no effect, as I’ve already seen…
  • A Sophos Endpoint pop-up lower right telling me that “Transfer of file [filename] was blocked.”

Thanks for any help you can provide.



  • We're having this exact same issue. It doesn't occur on all machines though. All of our computers are on the default policy still, but only some of them are experiencing this. With the issue not popping up in Sophos Central's logs, it makes it much harder to track.

  • Sophos tech support eventually came through for me on this. Sophos does not support HP's "Secure Boot" because Sophos DLP (and their buffer overflow protection, too) uses libraries that are not appropriately signed. See https://community.sophos.com/kb/en-us/120861.

    Their recommendation is to disable HP's security feature to enable their secure feature, which makes me feel :\

  • This did help. Just FYI to anyone trying this method to fix it though: if you have BitLocker installed and running on a Windows machine, make sure you have your key, or you're locked out of the machine and will have to reinstall Windows.

  • https://community.sophos.com/kb/en-us/120861

     

    As you mentioned in this KB. "Whilst of course it is not ideal to disable Secure Boot, doing so has the affect of reverting this particular aspect of Windows Security back to the level offered in Windows 7, so we do not believe it presents a significant security risk."

    So either you enable Secure Boot (which is what most people are doing with Windows 10) and are unable to use the DLP option in EP or Central, or you need to enable TPM plus PIN if you disable Secure Boot. That PIN will eventually end up on a Post-it note stuck to the laptop. This is not model specific; this is all hardware out there: HP, Dell, Lenovo.

    We actually liked the DLP functionality in Sophos. However, we are not removing Secure Boot from our Windows 10 deployments.

  • Am I the only one who finds this frustrating and insane? Sophos need to provide a fix for this so that we can use the features that they have sold to us.

  • Hello h1tchiker et al.,

    "a fix for this"
    There's no easy fix for the (deprecated) AppInit_DLL functionality. Disputed from its inception, it was nevertheless there. I don't think that Sophos closed their eyes to the changes.

    Christian

  • I believe they did close their eyes to this. I have not once got a straight answer through either partner elevation or product support. If this feature is deprecated (aka not an option for Windows 10), they should not be advertising it, in my opinion. I believe Sophos is missing the boat with Windows 10 management where others in the field offer the same options and at the same price point (not including nextgen options).

    In full disclosure, we are moving away from their EP product and finding other solutions to meet our needs with DLP and EP.

    This is no different than having Central not behind a 2FA for what seemed to be forever.
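
The replies above tie the blocked transfers to Secure Boot and the AppInit_DLL mechanism, and warn about BitLocker. The following PowerShell is an added example, not code from any poster or from Sophos, that reports those three things for one endpoint so affected and unaffected machines can be compared. It assumes an elevated session on Windows 10 with the built-in SecureBoot and BitLocker modules; the function names are hypothetical.

```powershell
# Added example (not from the thread or from Sophos). Run elevated on the endpoint.
# Background: Windows 8 and later ignore AppInit_DLLs while Secure Boot is enabled.

function Get-SecureBootState {
    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws
    # on legacy BIOS systems or in a non-elevated session.
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch {
        "Unknown: $($_.Exception.Message)"
    }
}

function Get-AppInitConfig {
    # Both registry views: 64-bit processes and 32-bit (WOW64) processes.
    $views = [ordered]@{
        '64-bit' = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
        '32-bit' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    }
    foreach ($view in $views.Keys) {
        $key = Get-ItemProperty -Path $views[$view] -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        [pscustomobject]@{
            View                      = $view
            LoadAppInit_DLLs          = $key.LoadAppInit_DLLs
            RequireSignedAppInit_DLLs = $key.RequireSignedAppInit_DLLs
            AppInit_DLLs              = $key.AppInit_DLLs
        }
    }
}

function Get-BitLockerReadiness {
    # Before anyone changes a firmware setting, confirm the OS volume has a
    # recovery password protector, so a recovery prompt can be answered.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if (-not $vol) { return $null }
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    [pscustomobject]@{
        ProtectionStatus    = $vol.ProtectionStatus
        KeyProtectors       = $types -join ', '
        HasRecoveryPassword = $types -contains 'RecoveryPassword'
    }
}

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    SecureBoot   = Get-SecureBootState
    AppInit      = @(Get-AppInitConfig)
    BitLocker    = Get-BitLockerReadiness
} | ConvertTo-Json -Depth 4
```

Collecting this JSON from a working machine and a failing one shows whether the Secure Boot state is the difference between them, which the Sophos Central logs do not reveal.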