DLP Issue - Content - Unable to detect credit card information

Hi,

Just a noob question. I have tried to create a DLP rule content which is supposed to detect if end users try to send credit card information (in AU format) via email (Outlook, Windows Mail).

Unfortunately, it does not do what it's supposed to do. Is there any information I missed or should have included/excluded? I pretty much followed all the information from the knowledge base.

We have Sophos Central Admin 2013-2019

 

Thanks in advance

  • Hello Lena Abanes,

    "it does not do what it's supposed to do"
    hard to say why or what to change without any detail - the exact rule, an example of the content that should be blocked (I assume that's the desired result), and how the content is sent (attachment format and the method used to attach it to the message).

    Christian

  • Hi  

    Please refer to this document, which will help you to create a policy in Sophos Central.

    If you haven't followed it or gone through it, please go through this. If, even after doing all the steps, you are not able to block it, please let us know.

  • In reply to Jasmin:

    Hi, Thank you for this.

    I am still having an issue related to DLP.  

    Scenario 1:

    Created Content Policy to detect Credit Card Info - WORKED

     

    Scenario 2:

    Added new DLP Content Policy to detect the word "TFN" - FAILED

     

    Scenario 3:

    Removed the policy created in Scenario 2.

    Policy on Scenario 1 works again

     

    After Scenario 2 was completed, both Policy fails to function. 

    After deleting the 2nd DLP policy, the 1st DLP policy went into effect again.

     

    Question: How can we proceed with creating a policy for different content rules? For example:

    1. DLP Policy 1 - Credit Card Info Content

    2. DLP Policy 2 - Drivers License Content

     

    Reason: We want to make sure the user receives an error message specific to content of the file being blocked.

    Hope I provided clear information. Thank you.

  • In reply to Lena Abanes:

    Hello Lena Abanes,

    not sure if it is incorrect use of terms or a misconception: "both Policy" - only one policy is in effect at a time. A policy can have several rules, the policy is "violated" if at least one rule matches (I use double quotes as the Action could be Allow and log and the transfer is perhaps not considered a real violation). In case several rules match, the most restrictive wins (Block → Confirm → Allow).

    "an error message specific to content"
    AFAIK the desktop message (optionally) includes the matching rule's name, a specific custom message is not possible though.

    Can't say why the single word did not match, could you show what exactly you created?

    Christian
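
The evaluation model described in the last reply (one policy, several rules, most restrictive action wins, matching rule names reported), as an added sketch that is not part of the original thread and is not Sophos code. The rule names, actions, regular expressions and the Luhn check are assumptions made for illustration; Sophos's own content control lists are not modelled.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Most restrictive action wins, as stated in the reply: Block > Confirm > Allow.
SEVERITY = {"Allow": 0, "Confirm": 1, "Block": 2}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum (assumed here to reduce false positives on digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def has_card_number(text: str) -> bool:
    # Candidate: 13-19 digits, optionally separated by single spaces or hyphens.
    for m in re.finditer(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)", text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return True
    return False

def has_tfn_keyword(text: str) -> bool:
    return re.search(r"\bTFN\b", text, re.IGNORECASE) is not None

@dataclass
class Rule:
    name: str
    action: str
    matches: Callable[[str], bool]

def evaluate(policy, text):
    """Return (action, matching rule names), or (None, []) if no rule matches."""
    hits = [r for r in policy if r.matches(text)]
    if not hits:
        return None, []
    action = max((r.action for r in hits), key=SEVERITY.__getitem__)
    return action, [r.name for r in hits]

# One policy holding both rules (constructed names and actions).
POLICY = [
    Rule("Credit Card Info Content", "Block", has_card_number),
    Rule("TFN Keyword Content", "Confirm", has_tfn_keyword),
]
```

The returned rule names stand in for the rule name that the desktop message can optionally show, which is the per-content distinction asked about in the thread.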