
REQUESTS: post any requests for new Content Control Lists or additional file type support here

Please use this thread to post any requests for new Content Control Lists or additional file type support here.

If you prefer to keep your request private then please place the request via Sophos support and we'll follow up.

The types of requests we've received in the past include:

  1. Additional country support for PII (personally identifiable information) and confidential document markers.
  2. Support for industry specific regulations, for example PCI DSS (payment card industry) and HIPAA (US health care).
  3. Support for national or industry specific identifiers.
  4. Support for additional file formats e.g. CAD; encrypted formats; industry specific image formats

When you place a request with Sophos product management and SophosLabs please provide as much information as possible to help in the creation of the Content Control List. For example, often identifiers will use an inbuilt checksum (commonly Mod 10 or Mod 11 based) or will be displayed alongside what we refer to as "qualifying terms". An example of a qualifying term might be "DOB" next to a date of birth format or "MRN" next to a medical record number.

For filetype requests please provide a selection of samples so the labs can use these for analysis.



This thread was automatically locked due to age.
  • Hi John,

    How about product licence keys?

    E.g. The regex would need to match:
    XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

    Qualifying terms might be OS, Windows 7, XP.


    Thanks,
    Jak

  • Hi Jak,

    Good idea - I'll raise a suggestion to get the labs to have a look at creating a CCL for product license keys. We may initially focus on Microsoft products. We have in the past seen malware which searches for licence keys and then sends them out to an external source.

    Regards,

    John

  • Hi John, 

    Glad you liked that one, how about:

    CVs/Resumes? I would think these have a collection of shared attributes that can be identified. This would prevent such documents leaking from an HR perspective and could be used to prevent employees applying for other jobs via the browser upload/email clients route. :)

    Possibly the good old /etc/passwd files. http://linux.about.com/od/commands/l/blcmdl5_passwd.htm, this has a well defined syntax.  I'm sure there might be a category of common config files which may contain passwords or other options that people would sooner keep on the inside.

    Regards,

    Jak

  • Hi Jak,

    I like the CV / Resume idea - although I'd have some concerns about the HR implications surrounding the implementation of such a rule! CVs may contain what is classified as sensitive personal data under the DPA and there are stricter regulations around how such data can be used / monitored.

    Password files are interesting but I wonder how useful the DLP solution would be for finding such data. Someone canny enough to find such files in a form they could be cracked could probably also work out a way to get around the content monitoring solution.

    I'll add both to our request list and see what additional requests we get along a similar line.

    Regards,

    John

  • How about the ability to not only identify files that are transferred, but also keep a copy of the exact files for review later?

    File types can be altered and then transmitted, circumventing policies.

    Such as all DOC files get identified by Sophos... then the user changes it to a PDF or whatever type and now it doesn't see the move of the file as a problem.

    How about controls on all files in specific folders or network drives? Any file that is accessed or copied is identified and a copy is kept. Any changes of a file name are kept.

    Keeping a copy of a file that is moved/manipulated/sent ... would be a very good thing.

  • Hello PAGAN,

    With content rules you should include all applicable filetypes. Thus format wouldn't matter. For file rules it is not the extension which triggers a rule but the "true file type" - the initial scan tries to identify the markers and deduce the "true" content.

    Keeping copies of files is far beyond the current product (i.e. the ESDP client components). First question is - where should they be kept? Windows provides a plethora of filesystem audit points - the challenge is to select those of interest and then analyse and interpret the collected data.
    DLP is a "natural" extension of AV scanning - identify a file's "real" type, scan for signatures and patterns, block or allow. Audit trails and version history are something different (and are usually done on the server side).

    Christian
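
The "true file type" idea discussed above, as an added example that is not part of the original posts and is not Sophos code: the type is read from the file's leading signature and container layout, so a renamed DOC is still recognised. The function names and the `EXPECTED` table are assumptions, and the sample bytes are constructed.

```python
import io
import os
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt container


def sniff(data: bytes) -> str:
    """Return a coarse type from the content's structure, ignoring any file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip"
        # OOXML documents are ZIP archives with a fixed manifest entry.
        if "[Content_Types].xml" in names:
            return "docx" if any(n.startswith("word/") for n in names) else "ooxml"
        return "zip"
    return "unknown"


# Assumed mapping of extension to acceptable sniffed types (illustrative only).
EXPECTED = {".doc": {"ole2"}, ".docx": {"docx"}, ".pdf": {"pdf"}, ".zip": {"zip"}}


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims a type the content does not have."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    return kind not in EXPECTED.get(ext, {kind})


def make_docx() -> bytes:
    """Build a minimal constructed OOXML-style archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


SAMPLE_DOC = OLE2_MAGIC + b"\x00" * 504  # constructed: header bytes only
```
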
  • Hi,

    As QC states the TFT functionality detects file type based on the structure of the file so renaming the file won't "hide" it. You can also manually add file detecting based on the file extension.

    We have no immediate plans to take a "shadow" copy of a file that triggers a rule. I can see the value in having the option but it is complicated to implement in a consistent manner - for example you'd probably need to enable the administrator to configure where the "shadow" file was stored and ensure that store was appropriately secure. We are looking at how we can optionally collect more information on content that triggers a rule. One option is to collect additional information on each match and send that back to the management console for review (the table in the SEC database would need to be encrypted). I'd welcome other ideas.

    We've also had requests for monitoring files being copied from network drives onto local storage (at the moment we can monitor files copied from networked storage onto monitored media e.g. removable storage). This type of capability arguably strays from the current remit of detecting outbound data streams but it is on our feature request list.

    In the V10 / 10.1 releases we are planning to add the following capabilities:

    * Coverage for Google Chrome, Skype and Microsoft Lync

    * Report file size back for data control events

    * New content analysis engine with support for identifier validation e.g. Luhn checksum on credit card numbers (this is the same engine that has been used in the email appliance since we integrated DLP)

    Best regards,

    John
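
How a content rule can combine the pieces mentioned in this thread (a pattern, a Mod 10 / Luhn checksum, and nearby qualifying terms), as an added example that is not part of the original posts and is not the Sophos engine. The qualifier list, the 40-character window and the sample lines are assumptions constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Assumed qualifying terms; a real list would be tuned per identifier.
QUALIFIERS = re.compile(r"\b(?:card|visa|mastercard|amex|cc|expiry|cvv)\b", re.I)
WINDOW = 40  # characters either side of a match searched for a qualifying term


def luhn_valid(digits: str) -> bool:
    """Mod 10 (Luhn) check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> list[dict]:
    """Return checksum-valid candidates, masked, with a qualifying-term flag."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue  # pattern matched but checksum failed: likely not a card number
        context = text[max(0, m.start() - WINDOW): m.end() + WINDOW]
        hits.append({
            "masked": "*" * (len(digits) - 4) + digits[-4:],  # never log the full value
            "qualified": bool(QUALIFIERS.search(context)),
        })
    return hits


# Constructed sample lines (well-known test numbers, not real accounts).
SAMPLE_LINES = [
    "Payment by Visa card 4111 1111 1111 1111, expiry 09/27.",
    "Tracking ref 4111111111111112 shipped.",   # fails the checksum
    "Batch 5555555555554444 archived.",         # valid checksum, no qualifying term
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(scan(line))
```

The checksum removes most random digit runs, and the qualifying-term flag lets a policy treat an unqualified match as lower confidence rather than discarding it.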

  • Hi John,

    An outstanding request I have out to Scott Cressman is to better understand, or be able to identify, if the outbound message that hit a CCL was delivered with TLS encryption. These would take a little less priority for me than those sent with no encryption.

    Thx, Suzie


  • Hi

    We have a customer that requires a CCL for a personal number format in Denmark called CPR, please see the link below for details.

    http://www.cpr.dk/publikationer/pnr-notat%20ny%20skrift.htm#Opbygning

    Thanks

  • Hi,

    We are in the process of collecting information on national identifiers for Denmark and other countries within that region. We should be able to roll out the CCLs within the next couple of months. We just recently added support for South Africa.

    Best regards,

    John
