URL, website or intranet exclusion in DLP check

Hello LirikVeigroeg,

Please have a look at this article:

How to configure data control exclusions

Perhaps the limitations of DLP may help you achieve what you need (otherwise, please provide more details):

Known limitations with data control

Regards,

Hello,

Unfortunately it is not the answer of my question.

The exclusion I looking for is based on a destination URL/website where user can/cannot upload files.

Endpoint DLP policy in my specific case is:

- Use rules for data transfers

- Where the file type matches "all file types"

- Where the destination is "Internet explorer" and "Firefox" and "Chrome", etc.

- Block transfer

So, we would like to create exclusion to allow transfer/uploads only for website such like Intranet.mydomain.com or crm.mydomain.com.

Do you have any option for that? I tried out with Global Scanning Exclusions, where you can put URL, but it seams does not work for DLP, what is strange.

Can you please advice, how to configure URL exclusion at all to be skipped in agent scanning.

I have the last version of Sophos endpoind agent.

Best,

Lirik

Hello,

Unfortunately it is not the answer of my question.

The exclusion I looking for is based on a destination URL/website where user can/cannot upload files.

Endpoint DLP policy in my specific case is:

- Use rules for data transfers

- Where the file type matches "all file types"

- Where the destination is "Internet explorer" and "Firefox" and "Chrome", etc.

- Block transfer

So, we would like to create exclusion to allow transfer/uploads only for website such like Intranet.mydomain.com or crm.mydomain.com.

Do you have any option for that? I tried out with Global Scanning Exclusions, where you can put URL, but it seams does not work for DLP, what is strange.

Can you please advice, how to configure URL exclusion at all to be skipped in agent scanning.

I have the last version of Sophos endpoind agent.

Best,

Lirik

Hello LirikVeigroeg,

The available rules for DLP are the ones listed when you set it up.  If you would like to request new functionality, please visit this page
Perhaps switching to "Allow transfer if user confirms" may help you in this case.

Also, to clarify, are you using Enterprise or Central? (The latest link you provided for exclusions is a Sophos Central link).
Per that link: "Exclude files, websites and applications from scanning for threats."  

DLP is not a threat related option, but a rule to control data. Thus, it will not be affected by a Threat exclusion. 

You can find more details about Data Control on page 18 of this document.

Regards,

Hello,

I'm using a Sophos Central.

Looks like, once I block uploads and data transfer to web browsers, the DLP functionality will not able to make exclusion based on exact URL or website, such our Intranet, Online banking, National Tax Agency and etc.

Am I right?

Best,

Lirik

DLP works at a file level with the destination being the browser process.  It has no concept of the site being accessed.

Regards,
Jak

Hi Jak,

I understand that. My idea is, if it is possible to be created more sophisticated engine that will able monitor https session for that browser process.

Do you think it is possible?

Best,

Lirik

Hello LirikVeigroeg,

I recommend that you reach out to a Sophos Partner to find out if there are any other Sophos products that might work for your needs.

Regarding the current functionality of DLP:
If you would like to request new features, please visit this page.

Regards,

Hello

I am wondering that Sophos Endpoint has Web Filtring, that means it checks http/https. So it is logical DLP to have similar functionality.

Website categories in web filtering are predefined, means agent has this information for active browsing sessions.

Many thanks,

Lirik

Hi LirikVeigroeg ,

If you would like to see features added to DLP, please feel free to make your suggestions here

Otherwise, can you please clarify what are you requesting?

Thanks!

Hello Lirik,

not that what you want isn't at least thinkable but a DLP doing this kind of thing would not only need to know the target address but also have access to the unencrypted data stream destined to it. Don't forget that usually a visit to a site results in several connections and some of them to other sites than the visited site proper. Furthermore, you can have more than one tab or window open. To determine what (unencrypted) goes where an add-on would be needed - given the variety of browsers and their frequent changes not a simple task (apart from the fact that add-ons can be disabled by the user).

Categories and filtering are all-or-nothing - either you are permitted to access a site or not. For HTTPS it even has to work at the lower level, the SSL/TLS connection initiation (Download Reputation doesn't work on Firefox AFAIK and Block risky file types works only for HTTP). There's no active session from the POV of Web Protection/Control.

Thus it is not possible to determine what goes where from outside the browser. What DLP does is assessing what kind of file/data that it will potentially try to upload the browser is about to read and allow or deny access to this file.

In short, the different features can't be stitched together to achieve what you want (i.e. exempt certain sites from DLP checking).

Christian