
I may have found a massive hole in Data Control which is slightly worrying?

It would appear that if you create a Data Control Policy which prevents users from emailing file types to unauthorised email destinations like Gmail, webmail, Hotmail, and attach any document from a network directory, it allows the email to be sent (shocking).

If you attach a file from your local machine it blocks the file fine; it would seem that the Sophos agent has difficulties understanding mapped drives, which is pretty shocking for a security product.

Note:

I have sent this information to Sophos to review and I may have missed something, so don't take this as gospel. This may be an isolated issue which is happening in my environment.

Server 2003 R2 x64 SEC 4.7.0.13

Client Win7 x86 9.5



  • Hi,

    Just off the top of my head, have you excluded remote files in on-access scanning?

    Regards,

    Jak 

  • This is the exact message from Sophos

    "We have escalated this issue for you and can confirm our 3rd line engineers are having the same issue so it is officially a "bug" now. They have asked for an export of your policy settings so they can see exactly what you see".

    FYI

    I have excluded the remote files but this shouldn't in theory bear any relevance, but I do see where you're coming from.

  • Out of interest, does it then detect the "upload" with remote files scanning enabled?

  • I will try this tomorrow and let you know but the conversation I had with 3rd line suggests that they tried this and failed.

    You are quite correct, and if I do uncheck "Exclude remote files" it does work; however, not many people would uncheck this because of the realtime scan being run on the remote server. (Sophos are aware of this issue)

    Back to the "Bug"

    I have been toying with the problem all morning and here are my results:

    If you attach a file from your desktop and the root of your c:\ drive then this is fine; everything is logged and rules are enforced.

    The issue becomes apparent when you access your %USERPROFILE%: it seems all locations within your user profile, with the exception of the desktop, do not get enforced.

    c:\Users\%username%\Desktop\test.txt = okay

    c:\Users\%username%\test.txt = fail and all locations from here.

    I think I may have an understanding of why this is happening: a) we use roaming profiles and b) folder redirects on "My Documents" to a remote server. However, the "My Documents" I can understand, but not the roaming profiles.

  • Hi,

    It sounds like the on-access component, well at least the driver, is used to filter which files are opened. This would explain why it is subject to the exclusion, as I know on-access exclusions are implemented in the driver? Then, if the process that is opening the file, as detected by application control identity, is the application under the destination as selected in the policy, it subjects the file to examination. To avoid applications opening their own files and triggering, I suspect there are a few inbuilt exclusions.

    Regards,

    Jak 
     

  • Hey Jak,

    This is the official update from Sophos.

    Hello Jason,

    We have just had a reply back from our 3rd line engineers who have been looking into this issue for you.

    They said:

    "Data Control has certain inbuilt exclusions:

    The process exclusions in the Factory.xml file
    Windows directory
    Program Files directory
    Users area (not including My Documents, CD Burn Area and Desktop)
    Any instance of desktop.ini and autoexec.bat, regardless of where they are on disk

    This is to prevent problems with applications generating alerts when accessing data."

    So in English that means it was designed to work that way due to how Windows 7 works; however, they also acknowledged that this needs looking into further and are going to escalate it to see if in a future update this issue could be resolved.

    Sorry I can't be more help.

  • Hello nerohero,

    thanks for posting the reply (although the formatting of the quoted text is somewhat confusing - but reading it twice I got it). Maybe it's the heat out- (and in-)side but I'm inclined to say this is BAD (read: broken as designed). Apart from that - if this behaviour is documented it's not easy to find. Even Support doesn't seem to be aware of this, well, limitation (see DLP - browser upload on Win7 64bit not intercepted?).

    Christian

  • Hi all,

    I can confirm both of these issues are as designed.

    You can enable the scanning of files from network locations by turning off the exclusion of remote files. The DLP functionality uses the same engine as the AV scanner so there is a relationship between the file exclusion setting and the behavior of the data control policy. I'll be the first to admit that this is quite obtuse and could be made clearer within the interface.

    We made a deliberate design decision to exempt system folders from scanning to avoid triggering false positives when a monitored application accesses configuration files and file / database caches (e.g. local email archive or browser caches). It should be possible with group policy to lock down access to these system folders if you are concerned about users moving files into those locations.

    Another option is to consider a layered DLP implementation, so, for example, to also make use of endpoint data control for transfers onto removable storage, the Sophos Email Appliance to implement DLP controls on outbound email (scanning email content and attachments), and next year it should be possible to use either the web appliance or Sophos UTM to intercept sensitive data in outbound web traffic (at the moment the web upload function on the endpoint only scans attachments).

    The intention of the current data control solution has always been to provide good protection from accidental data loss, and many customers find it useful to use as an education tool for their users or just to silently monitor activity in the background. If users want to find a way to get data off an endpoint, and they are smart enough, then they will typically find a way. For example using Dropbox... unless it is blocked by application control ;)

    Hope this helps,

    John

    Product Manager

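A small audit helper, added here and not part of the thread or of Sophos' software: it encodes the built-in exclusions quoted from Sophos support above together with the "Exclude remote files" relationship John describes, so an administrator can list which locations a policy would actually cover. The root paths, the profile sub-folder names and the treatment of mapped drives are assumptions for illustration.

```python
"""Audit which paths a Data Control policy would actually inspect.
Added example (not Sophos code): it models the built-in exclusions quoted
from Sophos support above and the on-access "Exclude remote files" setting;
roots, folder names and the mapped-drive handling are assumptions."""
import ntpath

# System folders the support reply says are exempt (assumed roots)
EXEMPT_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")
USERS_ROOT = r"c:\users"
# Profile sub-folders the reply says are still inspected (assumed names)
INSPECTED_PROFILE_DIRS = ("desktop", "documents", "my documents", "cd burn area")
# Files exempt wherever they are on disk
EXEMPT_FILENAMES = ("desktop.ini", "autoexec.bat")

def _under(path, root):
    return path == root or path.startswith(root + "\\")

def coverage(path, exclude_remote=True, mapped_drives=()):
    """Return 'inspected' or an 'exempt: ...' reason. mapped_drives lists
    letters such as 'Z:' that are network mappings; UNC is always remote."""
    p = ntpath.normpath(path).lower()
    drive, rest = ntpath.splitdrive(p)
    mapped = {d.lower().rstrip(":\\") for d in mapped_drives}
    if drive.startswith("\\\\") or drive.rstrip(":") in mapped:
        # Redirected "My Documents" and roaming profile data land here too
        return "exempt: remote file" if exclude_remote else "inspected"
    if ntpath.basename(p) in EXEMPT_FILENAMES:
        return "exempt: built-in filename exclusion"
    if any(_under(p, root) for root in EXEMPT_ROOTS):
        return "exempt: system folder"
    if _under(p, USERS_ROOT):
        parts = rest.strip("\\").split("\\")  # users, <name>, <sub-folder>, ...
        sub = parts[2] if len(parts) > 2 else ""
        return "inspected" if sub in INSPECTED_PROFILE_DIRS else "exempt: user profile area"
    return "inspected"

def audit(paths, **kwargs):
    """Map each path to its coverage so gaps in a policy can be listed."""
    return {path: coverage(path, **kwargs) for path in paths}

if __name__ == "__main__":
    # Constructed sample locations mirroring the thread's findings
    sample = [r"C:\Users\alice\Desktop\test.txt", r"C:\Users\alice\test.txt",
              r"\\fileserver\docs\q3.xlsx"]
    for path, result in audit(sample).items():
        print(f"{path}: {result}")
```

Run it against the folders your users actually save to (Downloads, redirected Documents, mapped shares) to see which ones the policy never sees, and re-run with exclude_remote=False to see what turning off the on-access exclusion would recover.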
  • Hi Christian,

    Just read your other posting (in the DLP forum) about "downloads" being exempted from scanning. Let me raise a defect with engineering for investigation. I agree that this location shouldn't be exempt from scanning. At the moment specific folders within the "users" folder are scanned and that should include any folder where the user would typically store or save files. Apologies for not first reading your other posting.

    Best regards,

    John
