We're evaluating Sophos Endpoint Protection in part for its DLP functionality. We've used Azure Information Protection to assign classification labels to certain documents in the past, and we'd like to configure Sophos DLP Policies to restrict how labeled files can be accessed.
According to the AIP documentation, each labeled Office / PDF file has a custom property set to "MSIP_Label_<GUID>_Enabled=True", where GUID is an identifier for the label.
I created a Custom Rule and Custom Content Control List as follows:
However, Sophos is blocking all files, whether they are classified with that label or not. Any ideas of what I might be doing wrong?
Hello Guilherme Santos,
It's an AND, yes. Hm, I'd rather expect that nothing is blocked ... could you turn on (must be done on the endpoint) verbose logging for Data Control and then check or post the log? On second thoughts - are you using Central? I can't say if it's possible with Central and, if so, how to do it.
In reply to QC:
Yes, I'm using Endpoint Protection managed with Central. I wasn't able to follow the instructions you posted, as the interface is different and doesn't seem to have the options described in the article, but I found a log for Data Control. It doesn't seem very helpful to me, but I'm posting it here just in case:
20180112 175750 A "block transfer" action was taken. The user tried to save or copy a file to a storage device without using Windows Explorer. Username: XXXXXXXXXX User action: File save or copy Data Control action: Block Destination path: E:\Test.docx Destination type: Removable storage
20180112 181332 A "block transfer" action was taken. The user tried to save or copy a file to a storage device without using Windows Explorer. Username: XXXXXXXXXX User action: File save or copy Data Control action: Block Destination path: E:\Test.txt Destination type: Removable storage
In reply to Guilherme Santos:
"I wasn't able" ... that's what I feared.
Looks like you're trying to save directly from an application to removable storage. It's in the message: without using Windows Explorer. DLP has to scan the file before it makes the allow/block decision - in case of a direct save the file does not yet exist and thus the save is not permitted.
It's interesting that you noticed that detail. I actually attempted to do Copy / Paste of the files from my desktop to a removable drive through Windows Explorer, so I'm not sure why the log is saying otherwise.
In any case, it looks like DLP in Sophos isn't developed enough for us, so I'll have to look for something else.
I'm not sure either but anyway I can't say if DLP would even "see" the AIP label. AFAIK DLP considers only content, not metadata.
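As an added example (not from this thread, and not Sophos or Microsoft code), the following Python reads AIP label properties from the docProps/custom.xml part of an Office package, which is where Office keeps custom document properties such as MSIP_Label_<GUID>_Enabled, i.e. in package metadata rather than in the document body. The label GUID and label name are constructed placeholders, and make_sample_docx builds a minimal stand-in package rather than a real Word file.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the docProps/custom.xml part of OOXML packages (docx/xlsx/pptx).
NS_CUSTOM = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
FMTID = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"  # fixed fmtid for user-defined properties
# AIP stores a label as several MSIP_Label_<GUID>_<Field> properties; Enabled=true marks it applied.
LABEL_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(\w+)$")


def read_custom_properties(package_bytes: bytes) -> dict:
    """Return {name: value} from docProps/custom.xml, or {} if the package has no such part."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    props = {}
    for prop in root.findall(f"{{{NS_CUSTOM}}}property"):
        child = next(iter(prop), None)  # the single vt:* value element (lpwstr, bool, i4, ...)
        props[prop.get("name")] = (child.text or "").strip() if child is not None else ""
    return props


def aip_labels(package_bytes: bytes) -> dict:
    """Return {label_guid: {field: value}} for every MSIP_Label_* property found."""
    labels = {}
    for name, value in read_custom_properties(package_bytes).items():
        m = LABEL_RE.match(name)
        if m:
            labels.setdefault(m.group(1).lower(), {})[m.group(2)] = value
    return labels


def is_labeled_with(package_bytes: bytes, guid: str) -> bool:
    """True only if the package carries MSIP_Label_<guid>_Enabled=true (case-insensitive)."""
    return aip_labels(package_bytes).get(guid.lower(), {}).get("Enabled", "").lower() == "true"


def make_sample_docx(label_guid=None) -> bytes:
    """Constructed stand-in for a Word file: the custom-properties part plus a dummy body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document>the label never appears in the body</document>")
        if label_guid:  # None -> unlabeled document, which has no custom.xml part at all
            zf.writestr("docProps/custom.xml",
                f'<Properties xmlns="{NS_CUSTOM}" xmlns:vt="{NS_VT}">'
                f'<property fmtid="{FMTID}" pid="2" name="MSIP_Label_{label_guid}_Enabled">'
                '<vt:lpwstr>true</vt:lpwstr></property>'
                f'<property fmtid="{FMTID}" pid="3" name="MSIP_Label_{label_guid}_Name">'
                '<vt:lpwstr>Confidential</vt:lpwstr></property></Properties>')
    return buf.getvalue()
```

Running is_labeled_with over the files a label-based DLP rule blocked is a quick way to confirm whether they actually carry the property the rule keys on.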