URL, website or intranet exclusion in DLP check

Dear Sirs, we are in the middle of a proof of concept for using Sophos Endpoint DLP on our desktops and laptops, but we are facing a problem adding exclusions for particular websites such as our intranet, CRM or any other internal application.

It looks like DLP blocks all uploads once an internet browser is chosen, no matter what the destination is, because the destination cannot be granular and can only be specified at the application level (internet browser, email client, etc.), not for a specific domain such as https://intranet.mydomain.com.

Are there any workarounds to skip the DLP check for an exact website?

For example, in the Web Control or Threat Protection policy you can create a group of sites to be excluded; is there any option to mix both policies?

Many thanks,

Lirik Veigroeg

  • Hello LirikVeigroeg,

    Please have a look at this article:

    How to configure data control exclusions

    Perhaps the limitations of DLP may help you achieve what you need (otherwise, please provide more details):

    Known limitations with data control

    Regards,

  • In reply to Barb@Sophos:

    Hello,

Unfortunately that is not the answer to my question.

The exclusion I am looking for is based on a destination URL/website where the user can/cannot upload files.

    Endpoint DLP policy in my specific case is:

    - Use rules for data transfers

    - Where the file type matches "all file types"

    - Where the destination is "Internet explorer" and "Firefox" and "Chrome", etc.

    - Block transfer

So we would like to create an exclusion to allow transfers/uploads only for websites such as Intranet.mydomain.com or crm.mydomain.com.

Do you have any option for that? I tried Global Scanning Exclusions, where you can put a URL, but it seems not to work for DLP, which is strange.

Can you please advise how to configure a URL exclusion at all so that it is skipped in agent scanning?

I have the latest version of the Sophos endpoint agent.

    Best,

    Lirik

  • In reply to LirikVeigroeg:

    Hello LirikVeigroeg,

    The available rules for DLP are the ones listed when you set it up. If you would like to request new functionality, please visit this page.
    Perhaps switching to "Allow transfer if user confirms" may help you in this case.

    Also, to clarify, are you using Enterprise or Central? (The latest link you provided for exclusions is a Sophos Central link).
    Per that link: "Exclude files, websites and applications from scanning for threats."  


    DLP is not a threat-related option but a rule to control data. Thus, it will not be affected by a threat exclusion.

    You can find more details about Data Control on page 18 of this document.


    Regards,

  • In reply to Barb@Sophos:

    Hello,

    I'm using Sophos Central.

    It looks like, once I block uploads and data transfers to web browsers, the DLP functionality will not be able to make exclusions based on an exact URL or website, such as our intranet, online banking, the National Tax Agency, etc.

    Am I right?

    Best,

    Lirik

  • In reply to LirikVeigroeg:

    DLP works at a file level with the destination being the browser process. It has no concept of the site being accessed.

    Regards,
    Jak

  • In reply to jak:

    Hi Jak,

    I understand that. My idea is whether it is possible to create a more sophisticated engine that will be able to monitor the HTTPS session for that browser process.

    Do you think it is possible?

    Best,

    Lirik

  • In reply to LirikVeigroeg:

    Hello LirikVeigroeg,

    I recommend that you reach out to a Sophos Partner to find out if there are any other Sophos products that might work for your needs.

    Regarding the current functionality of DLP:
    If you would like to request new features, please visit this page.

    Regards,

  • In reply to Barb@Sophos:

    Hello

    I am wondering: Sophos Endpoint has web filtering, which means it checks HTTP/HTTPS. So it is logical for DLP to have similar functionality.

    Website categories in web filtering are predefined, which means the agent has this information for active browsing sessions.

    Many thanks,

    Lirik

  • In reply to LirikVeigroeg:

    Hi LirikVeigroeg,

    If you would like to see features added to DLP, please feel free to make your suggestions here.

    Otherwise, can you please clarify what you are requesting?

    Thanks!

  • In reply to LirikVeigroeg:

    Hello Lirik,

    Not that what you want isn't at least thinkable, but a DLP doing this kind of thing would not only need to know the target address but also have access to the unencrypted data stream destined for it. Don't forget that usually a visit to a site results in several connections, and some of them go to other sites than the visited site proper. Furthermore, you can have more than one tab or window open. To determine what (unencrypted) goes where, an add-on would be needed - given the variety of browsers and their frequent changes, not a simple task (apart from the fact that add-ons can be disabled by the user).

    Categories and filtering are all-or-nothing - either you are permitted to access a site or not. For HTTPS it even has to work at the lower level, the SSL/TLS connection initiation (Download Reputation doesn't work on Firefox AFAIK and Block risky file types works only for HTTP). There's no active session from the POV of Web Protection/Control.

    Thus it is not possible to determine what goes where from outside the browser. What DLP does is assess what kind of file/data the browser is about to read (and will potentially try to upload) and allow or deny access to this file.

    In short, the different features can't be stitched together to achieve what you want (i.e. exempt certain sites from DLP checking).

    Christian