DLP and Azure Information Protection

We're evaluating Sophos Endpoint Protection in part for its DLP functionality. We've used Azure Information Protection to assign classification labels to certain documents in the past, and we'd like to configure Sophos DLP Policies to restrict how labeled files can be accessed.

According to the AIP documentation, each labeled Office / PDF file has a custom property "MSIP_Label_<GUID>_Enabled" set to "True", where GUID is an identifier for the label.

I created a Custom Rule and Custom Content Control List as follows:

  • Rule: File Contains [CUSTOM LIST] and (?) destination is [all the available options].
  • Exclusions: None.
  • Action: Block.
  • Custom Control List: Exactly this phrase "MSIP_Label_<GUID>_Enabled" (GUID replaced, obviously).

However, Sophos is blocking all files, whether they are classified with that label or not. Any ideas of what I might be doing wrong?

  • Hello Guilherme Santos,

    It's an and, yes. Hm, I'd rather expect that nothing is blocked ... could you turn on verbose logging for Data Control (this must be done on the endpoint) and then check or post the log? On second thoughts - are you using Central? I can't say if it's possible with Central and, if so, how to do it.

    Christian

  • In reply to QC:

    Hi Christian,

    Yes, I'm using Endpoint Protection managed with Central. I wasn't able to follow the instructions you posted, as the interface is different and doesn't seem to have the options described in the article, but I found a log for Data Control. It doesn't seem very helpful to me, but I'm posting it here just in case:

    20180112 175750    A "block transfer" action was taken. The user tried to save or copy a file to a storage device without using Windows Explorer.
            Username: XXXXXXXXXX
            User action: File save or copy
            Data Control action: Block
            Destination path: E:\Test.docx
            Destination type: Removable storage
    20180112 181332    A "block transfer" action was taken. The user tried to save or copy a file to a storage device without using Windows Explorer.
            Username: XXXXXXXXXX
            User action: File save or copy
            Data Control action: Block
            Destination path: E:\Test.txt
            Destination type: Removable storage
  • In reply to Guilherme Santos:

    Hello Guilherme Santos,

    > I wasn't able

    That's what I feared.

    It looks like you're trying to save directly from an application to removable storage. It's in the message: without using Windows Explorer.
    DLP has to scan the file before it makes the allow/block decision - in case of a direct save the file does not yet exist and thus the save is not permitted.

    Christian

  • In reply to QC:

    Hi Christian,

    It's interesting that you noticed that detail. I actually attempted to do Copy / Paste of the files from my desktop to a removable drive through Windows Explorer, so I'm not sure why the log is saying otherwise.

    In any case, it looks like DLP in Sophos isn't developed enough for us, so I'll have to look for something else.

    Thanks,

    Guilherme

  • In reply to Guilherme Santos:

    Hello Guilherme,

    I'm not sure either but anyway I can't say if DLP would even "see" the AIP label. AFAIK DLP considers only content, not metadata.

    Christian
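The two technical points in this thread, the MSIP_Label_<GUID>_Enabled marker the OP describes and Christian's remark that a content-only DLP engine would not "see" it, can be checked directly against a .docx, which is an OOXML zip package. The example below is added here and is not code from the thread, from Sophos or from Microsoft: it builds a small constructed .docx in memory (the label GUID, the _Name and _SetDate properties and the body text are assumed sample values following the documented MSIP_Label_<GUID>_* naming pattern), reads the AIP marker from docProps/custom.xml, and shows that the same marker never appears in the document body that a content scan would read.

```python
"""Inspect Azure Information Protection (AIP) label markers in an OOXML document.

AIP records its label as custom document properties named MSIP_Label_<GUID>_*
inside docProps/custom.xml, not in the document body. Added example: builds a
constructed .docx in memory, reads those properties, and shows a body-text
search does not see them.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Assumed/constructed label GUID, used only for the sample file built below.
SAMPLE_GUID = "11111111-2222-3333-4444-555555555555"

NS_CUSTOM = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
NS_W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def build_sample_docx(labeled: bool, body: str = "Quarterly numbers") -> bytes:
    """Return bytes of a minimal constructed .docx (not a real AIP-produced file).

    With labeled=True, docProps/custom.xml carries MSIP_Label_* properties in the
    form AIP uses; the _Name and _SetDate values are constructed sample values.
    """
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '<Override PartName="/docProps/custom.xml" ContentType="application/vnd.openxmlformats-officedocument.custom-properties+xml"/>'
        "</Types>"
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{NS_W}"><w:body><w:p><w:r><w:t>{body}</w:t></w:r></w:p></w:body></w:document>'
    )
    props = []
    if labeled:
        props = [
            (f"MSIP_Label_{SAMPLE_GUID}_Enabled", "true"),
            (f"MSIP_Label_{SAMPLE_GUID}_Name", "Confidential"),
            (f"MSIP_Label_{SAMPLE_GUID}_SetDate", "2018-01-12T17:57:50Z"),
        ]
    custom = [
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        f'<Properties xmlns="{NS_CUSTOM}" xmlns:vt="{NS_VT}">',
    ]
    for pid, (name, value) in enumerate(props, start=2):  # custom property pids start at 2
        custom.append(
            f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{pid}" name="{name}">'
            f"<vt:lpwstr>{value}</vt:lpwstr></property>"
        )
    custom.append("</Properties>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document)
        z.writestr("docProps/custom.xml", "".join(custom))
    return buf.getvalue()


def aip_label_properties(docx_bytes: bytes) -> dict:
    """Return {name: value} for every MSIP_Label_* custom property; {} if unlabeled."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/custom.xml"))
    found = {}
    for prop in root.findall(f"{{{NS_CUSTOM}}}property"):
        name = prop.get("name", "")
        if name.startswith("MSIP_Label_"):
            value_el = next(iter(prop), None)  # the single vt:* child holds the value
            found[name] = (value_el.text or "") if value_el is not None else ""
    return found


def label_guid(docx_bytes: bytes):
    """Return the label GUID when MSIP_Label_<GUID>_Enabled is 'true', else None."""
    pattern = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_Enabled$")
    for name, value in aip_label_properties(docx_bytes).items():
        m = pattern.match(name)
        if m and value.lower() == "true":
            return m.group(1)
    return None


def body_text(docx_bytes: bytes) -> str:
    """Concatenate the w:t runs of word/document.xml: what a content-only scanner reads."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return "".join(t.text or "" for t in root.iter(f"{{{NS_W}}}t"))


if __name__ == "__main__":
    labeled = build_sample_docx(labeled=True)
    plain = build_sample_docx(labeled=False)
    print("labeled file GUID:", label_guid(labeled))
    print("plain file GUID:  ", label_guid(plain))
    # The marker lives in docProps/custom.xml, so a body-text search misses it:
    print("marker in body text?", "MSIP_Label_" in body_text(labeled))
```

To run it against a real labeled file, pass `open("Test.docx", "rb").read()` to `label_guid` instead of the constructed sample; a rule that must match on the label rather than on body text needs a DLP engine that inspects document properties, which is exactly the capability the thread leaves unconfirmed for Sophos.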