DLP and Azure Information Protection

We're evaluating Sophos Endpoint Protection in part for its DLP functionality. We've used Azure Information Protection to assign classification labels to certain documents in the past, and we'd like to configure Sophos DLP Policies to restrict how labeled files can be accessed.

According to the AIP documentation, each labeled Office / PDF file has a custom property set to "MSIP_Label_<GUID>_Enabled=True", where GUID is an identifier for the label.

I created a Custom Rule and Custom Content Control List as follows:

  • Rule: File Contains [CUSTOM LIST] and (?) destination is [all the available options].
  • Exclusions: None.
  • Action: Block.
  • Custom Control List: Exactly this phrase "MSIP_Label_<GUID>_Enabled" (GUID replaced, obviously).

However, Sophos is blocking all files, whether they are classified with that label or not. Any ideas of what I might be doing wrong?
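As an added example (not part of the original post, and not Sophos or Microsoft code): a Python script that checks which Office files actually carry a given AIP label by reading the docProps/custom.xml part of the OOXML container, where the MSIP_Label_<GUID>_Enabled property lives, and compares that with a naive byte-level search of the same file for the phrase used in the control list. The label GUID and the .docx containers it builds are constructed for the example; only OOXML files are inspected, PDFs are not covered.

```python
"""
Inspect OOXML (.docx/.xlsx/.pptx) files for Azure Information Protection labels.

AIP stores a label as a custom document property named
MSIP_Label_<GUID>_Enabled in docProps/custom.xml inside the zip container.
This script lists which files carry a given label so that a DLP rule can be
tested against known-labeled and known-unlabeled files.  The GUID and the
.docx containers built here are constructed for the example, not real AIP
output.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Hypothetical label GUID, standing in for the <GUID> in the DLP rule.
LABEL_GUID = "12345678-abcd-4321-9876-0123456789ab"

CUSTOM_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
FMTID = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"  # fmtid used for OOXML user-defined properties
PROP_RE = re.compile(r"MSIP_Label_([0-9a-fA-F-]{36})_Enabled")


def build_docx(label_guid=None, enabled=True):
    """Build a minimal constructed .docx (a zip) with an optional AIP-style label property."""
    props = ""
    if label_guid:
        props = (
            f'<property fmtid="{FMTID}" pid="2" name="MSIP_Label_{label_guid}_Enabled">'
            f'<vt:lpwstr>{"True" if enabled else "False"}</vt:lpwstr></property>'
            f'<property fmtid="{FMTID}" pid="3" name="MSIP_Label_{label_guid}_Name">'
            f'<vt:lpwstr>Confidential</vt:lpwstr></property>'
        )
    custom_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{CUSTOM_NS}" xmlns:vt="{VT_NS}">{props}</Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", "<w:document/>")
        if label_guid:
            z.writestr("docProps/custom.xml", custom_xml)
    return buf.getvalue()


def enabled_label_guids(doc):
    """Return the lowercased GUIDs of labels whose _Enabled property is true."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc)) as z:
            if "docProps/custom.xml" not in z.namelist():
                return []                      # OOXML file without custom properties
            root = ET.fromstring(z.read("docProps/custom.xml"))
    except zipfile.BadZipFile:
        return []                              # .txt and other non-OOXML files
    guids = []
    for prop in root.iter(f"{{{CUSTOM_NS}}}property"):
        m = PROP_RE.fullmatch(prop.get("name", ""))
        if m and "".join(prop.itertext()).strip().lower() == "true":
            guids.append(m.group(1).lower())
    return guids


def raw_contains(doc, phrase):
    """Byte-level search of the whole container, as a naive 'file contains phrase' check would do."""
    return phrase.encode("utf-8") in doc


if __name__ == "__main__":
    # Constructed sample set: labeled, label disabled, a different label, unlabeled, plain text.
    files = {
        "labeled.docx": build_docx(LABEL_GUID),
        "disabled.docx": build_docx(LABEL_GUID, enabled=False),
        "other-label.docx": build_docx("99999999-9999-4999-8999-999999999999"),
        "unlabeled.docx": build_docx(),
        "Test.txt": b"just some text, no label\n",
    }
    phrase = f"MSIP_Label_{LABEL_GUID}_Enabled"
    for name, doc in files.items():
        labeled = LABEL_GUID in enabled_label_guids(doc)
        print(f"{name:18} label-enabled={labeled!s:5} raw-bytes-contain-phrase={raw_contains(doc, phrase)}")
```

The comparison is the useful part: the property is stored inside a deflate-compressed XML part, so the literal phrase is not present in the file's raw bytes, and a plain .txt file has no property store at all. Whether a DLP content rule is applied to the parsed container or to the raw file is something to confirm with the vendor; the parsed check above is the reliable way to establish which test files should and should not match.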

  • Hello Guilherme Santos,

    It's an and, yes. Hm, I'd rather expect that nothing is blocked ... could you turn on (must be done on the endpoint) verbose logging for Data Control and then check or post the log? On second thoughts - are you using Central? I can't say if it's possible with Central and if so, how to do it.

    Christian

  • In reply to QC:

    Hi Christian,

    Yes, I'm using Endpoint Protection managed with Central. I wasn't able to follow the instructions you posted, as the interface is different and doesn't seem to have the options described in the article, but I found a log for Data Control. It doesn't seem very helpful to me, but I'm posting it here just in case:

    20180112 175750    A "block transfer" action was taken. The user tried to save or copy a file to a storage device without using Windows Explorer.
            Username: XXXXXXXXXX
            User action: File save or copy
            Data Control action: Block
            Destination path: E:\Test.docx
            Destination type: Removable storage
    20180112 181332    A "block transfer" action was taken. The user tried to save or copy a file to a storage device without using Windows Explorer.
            Username: XXXXXXXXXX
            User action: File save or copy
            Data Control action: Block
            Destination path: E:\Test.txt
            Destination type: Removable storage