
Unwanted data control detections

We implemented a Data Control policy, and one of the policies I added is

       Ailment, disease and diagnosis lexicon (ICD-9) [USA]

This policy seems to be detecting everything, even a job application which has no data that should flag this policy.

On the Sophos site I found this article

http://www.sophos.com/support/knowledgebase/article/113937.html

It seems like this policy is still broken. Any ETA on when this policy will be fixed?

  • Hello BopBop,

    The mentioned update is way in the past. I can neither say what needs to be fixed (except for the general "trigger-happy") nor when this will be. Might be Sophos is not aware that there is (still) an issue. Did a quick check and can't confirm everything (but didn't really expect it to trigger with the documents at hand).

    Does turning on verbose logging reveal what's causing the detection? Anyway, I'd engage Support directly.

    Christian

  • Hi BopBop,

    As QC states, the KBA is out of date and I've asked for it to be removed from the library. Can you contact Sophos support and provide them with samples of your verbose logs? We'll look into what is causing the false positives.

    As you can imagine, with such large dictionaries there will always be a risk of matching a term that in one context would be worth investigating and in another be completely innocuous. We recommend using the list-based CCLs in combination with other CCLs such as DOB with qualifying term or a custom MRN definition (in the US) or NHS patient identifier (in the UK).

    Best regards,

    John

  • Hi BopBop and John,

    I had the rule running on my machine, and just two days ago the user guide for a NAS system triggered it. Verbose logging revealed that a) there are at least 2341 expressions in the rule (the one with that number matches, for example, "hyperlink"), b) the required weight of 9 is not much, and c) all that was required to exceed it were 3 occurrences of "arbitration", one of "deficiency" and 2 of "mediation". Guess some little legal mumbo-jumbo will always suffice to trigger it ...

    Christian

  • Hmmm... doesn't sound ideal! I've asked the labs team to have another look at the CCL and see if we can remove some of the more generic terms.

    We are currently looking at putting in place an "ignore" list feature within the DLP engine which would enable the labs and customers to specify phrases or regular expressions to be ignored if they are matched by a DLP rule. This will help deal with customer-specific false positives, such as those generated by a health organization's name containing the word "cancer".

    Keep the feedback coming and we'll continue to work on improving the data and the underlying engine technology :)

    John

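To make the mechanics Christian and John describe concrete (a weighted lexicon whose occurrences are summed against a threshold, a qualifying identifier CCL combined with it, and an ignore list applied before scoring), here is an added example written for this page. It is not Sophos's code or data: the per-term weights, the DOB/MRN patterns and the three sample documents are constructed assumptions. Only the threshold of 9 and the 3/1/2 occurrence counts come from the thread.

```python
import re

# Required weight Christian reports for the ICD-9 lexicon rule.
THRESHOLD = 9

# Hypothetical weighted lexicon (assumed weights, not Sophos's CCL data).
# Every occurrence of a term adds its weight, as Christian's log suggests.
LEXICON = {
    "arbitration": 2,
    "deficiency": 2,
    "mediation": 2,
    "cancer": 4,
    "diagnosis": 3,
}

# Hypothetical qualifying CCLs in the spirit of "DOB with qualifying term"
# and "a custom MRN definition". Patterns are illustrative assumptions.
QUALIFIERS = {
    "dob_with_date": re.compile(
        r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{4}", re.I),
    "mrn": re.compile(r"\bMRN\b[:#\s]*\d{6,10}\b", re.I),
}


def strip_ignored(text, ignore_phrases):
    """Blank out ignore-list phrases before scoring (the feature John describes)."""
    for phrase in ignore_phrases:
        text = re.sub(re.escape(phrase), " ", text, flags=re.I)
    return text


def lexicon_score(text, lexicon=LEXICON, ignore_phrases=()):
    """Return (total_weight, {term: occurrences}) for a weighted-occurrence lexicon."""
    text = strip_ignored(text, ignore_phrases)
    hits, total = {}, 0
    for term, weight in lexicon.items():
        n = len(re.findall(r"\b" + re.escape(term) + r"\b", text, flags=re.I))
        if n:
            hits[term] = n
            total += n * weight
    return total, hits


def qualifiers_matched(text, qualifiers=QUALIFIERS):
    """Names of qualifying identifier CCLs that match the text."""
    return sorted(name for name, rx in qualifiers.items() if rx.search(text))


def evaluate(text, threshold=THRESHOLD, ignore_phrases=()):
    """Lexicon-only verdict versus lexicon AND a qualifying identifier."""
    total, hits = lexicon_score(text, ignore_phrases=ignore_phrases)
    quals = qualifiers_matched(text)
    lexicon_only = total >= threshold
    return {
        "weight": total,
        "hits": hits,
        "qualifiers": quals,
        "lexicon_only": lexicon_only,      # fires on the NAS guide's legal boilerplate
        "combined": lexicon_only and bool(quals),  # also needs DOB/MRN evidence
    }


# Constructed sample documents (not real files).
NAS_GUIDE = (
    "Any dispute shall be settled by arbitration. The arbitration shall be binding. "
    "Arbitration fees are shared. A deficiency in notice voids the claim. "
    "Parties may attempt mediation before filing; mediation costs are split."
)
CLINICAL_NOTE = (
    "Patient DOB: 03/12/1970, MRN: 00123456. Diagnosis: cancer of the colon. "
    "Secondary diagnosis deferred pending mediation of the care plan."
)
ORG_LETTER = (
    "Thank you for your application to the Cancer Care Centre. The Cancer Care "
    "Centre will review your diagnosis of the scheduling problem and arrange "
    "mediation if needed."
)

if __name__ == "__main__":
    for name, doc in [("NAS guide", NAS_GUIDE), ("clinical note", CLINICAL_NOTE),
                      ("org letter", ORG_LETTER)]:
        print(name, evaluate(doc))
    print("org letter + ignore list",
          evaluate(ORG_LETTER, ignore_phrases=["Cancer Care Centre"]))
```

Under these assumed weights the NAS guide's 3 + 1 + 2 legal terms reach 12 and trip the lexicon rule alone, but not the combined rule, since it carries no DOB or MRN; the clinical note trips both; and the organisation letter trips the lexicon rule until "Cancer Care Centre" is put on the ignore list, after which its weight drops to 5.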
  • Christian and John,

    Thank you all for your replies. This is what I am finding:

    With the policy Ailment, disease and diagnosis lexicon (ICD-9) [USA], I am noticing it flags legitimate documents which are transferred via USB or Outlook, and also every now and then flags documents which have nothing to do with ICD-9. So I am reluctant to turn off the policy. The worst-case scenario is that if we have any auditing I have to filter through all the documents in this category and see which are legit and which are not.

    The interesting thing is I have a few computers where this policy is flagging documents which shouldn't be flagged with this policy. If I copy the same document to a USB drive or Outlook from my own computer it doesn't flag anything (as expected).

    I think I will run some diagnostics from the computers which are flagging these documents and send the diagnostic files to tech support.
