URL, website or intranet exclusion in DLP check

Dear Sirs, we are in the middle of a Proof of Concept for using Sophos Endpoint DLP on our desktops and laptops, but we are facing a problem adding an exclusion for particular websites such as the intranet, CRM or any other internal application.

It looks like the DLP blocks all uploads once an internet browser is chosen, no matter what the destination is, because the destination cannot be made granular and can only be specified at the application level (internet browser, email client, etc.), but not for a specific domain such as https://intranet.mydomain.com.

Are there any workarounds to skip the DLP check for an exact website?

For example, in the Web Control or Threat Protection policy you can create a group of sites to be excluded; is there any option to mix both policies?

Many thanks,

Lirik Veigroeg

  • Hello LirikVeigroeg,

    Please have a look at this article:

    How to configure data control exclusions

    Perhaps the limitations of DLP may help you achieve what you need (otherwise, please provide more details):

    Known limitations with data control

    Regards,

  • In reply to Barb@Sophos:

    Hello,

    Unfortunately, that is not the answer to my question.

    The exclusion I am looking for is based on a destination URL/website where the user can/cannot upload files.

    Endpoint DLP policy in my specific case is:

    - Use rules for data transfers

    - Where the file type matches "all file types"

    - Where the destination is "Internet Explorer" and "Firefox" and "Chrome", etc.

    - Block transfer

    So, we would like to create an exclusion to allow transfers/uploads only for websites such as Intranet.mydomain.com or crm.mydomain.com.

    Do you have any option for that? I tried Global Scanning Exclusions, where you can put a URL, but it seems it does not work for DLP, which is strange.

    Can you please advise how to configure a URL exclusion at all so that it is skipped in agent scanning?

    I have the latest version of the Sophos endpoint agent.


    Best,

    Lirik


  • In reply to LirikVeigroeg:

    Hello LirikVeigroeg,

    The available rules for DLP are the ones listed when you set it up. If you would like to request new functionality, please visit this page.
    Perhaps switching to "Allow transfer if user confirms" may help you in this case.

    Also, to clarify, are you using Enterprise or Central? (The latest link you provided for exclusions is a Sophos Central link).
    Per that link: "Exclude files, websites and applications from scanning for threats."

    DLP is not a threat-related option, but a rule to control data. Thus, it will not be affected by a Threat exclusion.

    You can find more details about Data Control on page 18 of this document.

    Regards,

  • In reply to Barb@Sophos:

    Hello,


    I'm using Sophos Central.

    It looks like, once I block uploads and data transfers to web browsers, the DLP functionality will not be able to make an exclusion based on an exact URL or website, such as our Intranet, online banking, the National Tax Agency, etc.

    Am I right?


    Best,

    Lirik

  • In reply to LirikVeigroeg:

    DLP works at a file level with the destination being the browser process. It has no concept of the site being accessed.

    Regards,
    Jak

  • In reply to jak:

    Hi Jak,


    I understand that. My idea is whether it is possible to create a more sophisticated engine that will be able to monitor the HTTPS session for that browser process.

    Do you think it is possible?

    Best,

    Lirik

  • In reply to LirikVeigroeg:

    Hello LirikVeigroeg,

    I recommend that you reach out to a Sophos Partner to find out if there are any other Sophos products that might work for your needs.

    Regarding the current functionality of DLP:
    If you would like to request new features, please visit this page.

    Regards,