
Data Control not scanning all files, quantity not type.

Hi.

I have recently become the caretaker for our Sophos endpoint systems. We have 3 sites that Sophos is running as AV, two of those sites also have the Device and Data control running. They are working well and all of this was set up by a member of staff who has now left.

We now want to roll out the Data and Device Control to the third site, which I am trying to do. I have set up test policies and have a PC that is running the test, all of this inside the enterprise console.

It reports the Device Control perfectly, telling me what is plugged in and when. However Data Control only reports 'some' files. For example he transfers 6 files and only two report. The files are a mixture of .doc or .jpeg or .pdf files. Or it might be the first two are reported then everything after that is missed or ignored. As if the service decides it wants to stop or sleep.

We have tried document and text files etc, onto and from the USB stick and all get ignored. Unplug and reinsert doesn't help, rebooting doesn't help either.

Overnight has meant it started again, reporting the two files that were copied, then nothing after that.

This is a Citrix machine, however we have the system working on VDI elsewhere and it works fine.


Any thoughts or help much appreciated.



  • Hello AlistairMillington,

    long time since I played with Data Control, we don't use it in production. Haven't seen that it gets mum for an extended period regardless of what you do. If the service crashed you should notice (and anyway a reboot should start it). Which action did you select, BTW? Allow and log? I vaguely remember that DC is parsimonious with the events (and also log entries) it creates - and perhaps more so when only monitoring. Might also depend on whether you've tested with File or Content rules.
    Anyway this wouldn't explain longer periods of silence. I'd turn on verbose logging on the endpoint and check the local DC log. If you used monitor only check the behaviour with a block rule.

    Christian

  • Hi QC and thank you for the advice.

    We have rules monitoring for file type and content in the other sites, so I duplicated that set of rules for this test.

    I am not sure on the allow and log, we check and record it then allow it. Rather than stop it from being copied (remember this is a test) but I can't see where it might be logged other than in the console against that Machine.

    I will take a look at the event logs on that machine, see if there is anything there. I am about to start blocking as we may have to settle with just blocking them outright instead.


    Regards

    Alistair

  • Hello Alistair,

    the endpoint's Sophos GUI has a Data Control section where you (a SophosAdministrator) can configure DC (disable/enable it, specify the logging level and other log options) and view the log (which can also be found under %ProgramData%\Sophos\...).

    Christian