DLP Email Attachment Not Being Blocked

A while back I attempted to see if Sophos has resolved DLP not blocking email attachments in Outlook 365 when they are dragged onto the email. I just tested this again and see it is still not working; has anyone figured out a fix for this? Basically, if you attach a file to an email through a new message using the attach icon, it is prompted and blocked, but if the user drags and drops the attachment into the email, Sophos does not see it.

 



  • I made a case with Sophos on this-

     

    The recommendation is to-

     

    This is a known issue and it is because when a file is dragged into an email in Outlook 2013, it does not get dragged from the original location, it gets moved via a TEMP location and it is this TEMP location that triggers the file transfer action.

    The default TEMP location is:

    C:\Users\[USER]\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\<STRING>\

    By default, this folder is an excluded location so any files transferred from here will not be detected by Data control.

    Please see the article below in order to resolve this issue:

    -----------------------------------------
    Article ID: 122603
    Title: Outlook 2013 - Data Control does not detect the copying of files to an email
    URL: https://sophos.com/kb/122603
    -----------------------------------------

    The KB above is for Outlook 2013 but it applies to 2016; the path is different:

    Office 2013 - HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Security

    Office 2016 - HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security

     

     

     

    However, this does not work with Office 365, I made the appropriate changes to the registry.  Reopened Outlook and dragged an attachment over that would set off DLP, nothing happens.  Upon further examination with procmon I was able to determine that Outlook will change the registry back to- 

    C:\Users\[USER]\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\<STRING>\

    This happens when an item is dragged over to the new email; basically Outlook does a registry check for the correct string prior to adding the attachment.  What I want to know is: is it possible to give Sophos permission to scan the-

    C:\Users\[USER]\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\<STRING>\

     

    Any help on this would be great!

  • Just a heads up to this-

    I created a case with Sophos, demonstrated that the registry is changing back after changing it per their recommendation.  Collected the perfmon logs and SDU logs and sent them in, their response is listed below.  However this troubles me a little, since the response essentially states that secure boot cannot be running in order for DLP to work.  Essentially giving me a choice of 2 preferred security methods.  But will still attempt the resolution all the same.

    With regards to this issue, I see that secure boot is enabled on this machine. Unfortunately when Secure Boot is enabled, it disables the Microsoft APIs/DLLs that we call as part of our Data Control (DLP) feature in Sophos Endpoint product for Windows, since these have not been signed by Microsoft for use.

    In order to use our DLP feature on the applicable Windows machines, you need to disable the Secure Boot feature as detailed in the following Microsoft article:

    http://technet.microsoft.com/en-us/library/dn481258.aspx

    Would you please follow the instruction and let me know if the issue is resolved or not?

    Once done and if issue is still there, please close outlook and follow the below steps again:

    1. Access the following registry key:

      HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Security
    2. Modify the value OutlookSecureTempFolder to a different location
    3. Access the following registry key :

      HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Outlook\Security
    4. Modify the value OutlookSecureTempFolder to the same location as above.

      Note: The registry keys detailed above may not appear if not already manually set or configured via GPO so may need creating. 
      The file will show as being attached to the email. However, when trying to send, an Access denied message will appear.
    5. Launch Outlook

      Note: If Outlook is not closed before modifying the value it will reset to the default location

    Respectfully, 

     

    Badrobot

     

  • I have created a test workstation for this moving forward. I have disabled Secure Boot and modified the registry keys as instructed; however, when I open Outlook and drag an attachment to the email I still receive no prompt. As well, the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Security is rewritten from C:\users\user\desktop\testfolder to C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\Y3X5MWPJ\

     

    However after looking at the temp folder, I see a file is added whether I attach the file via the menu or drag and drop.  DLP catches the file if I use the menu but not drag and drop, either way this tells me Sophos has access to the folder location it would appear that the process of how the file is being transferred via Outlook to this temp location is what Sophos is missing? 

     

    Either way please advise. I took a copy of perfmon and the SDU during my testing of what you suggested and can send them your way once you send me an FTP location.

    Respectfully, 

     

    Badrobot
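
A read-only check for the behaviour described in the posts above, added here as an example and not part of the original thread or of Sophos's guidance: it reports where OutlookSecureTempFolder points in each key, so it can be run before and after launching Outlook to see whether the value was reset. The 16.0 policy key and the function name are assumptions; the other paths are the ones quoted in the thread.

```powershell
# Added example: audit OutlookSecureTempFolder in the keys named in the thread.
# Read-only; it changes nothing in the registry.
$keys = @(
    'HKCU:\Software\Microsoft\Office\15.0\Outlook\Security',
    'HKCU:\Software\Policies\Microsoft\Office\15.0\Outlook\Security',
    'HKCU:\Software\Microsoft\Office\16.0\Outlook\Security',
    # Assumption: 16.0 policy key, by analogy with the 15.0 path above.
    'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Security'
)

function Get-SecureTempState {   # hypothetical helper name
    param([string[]]$Path)
    foreach ($key in $Path) {
        $value = $null
        if (Test-Path -LiteralPath $key) {
            $prop = Get-ItemProperty -LiteralPath $key `
                -Name 'OutlookSecureTempFolder' -ErrorAction SilentlyContinue
            if ($prop) { $value = $prop.OutlookSecureTempFolder }
        }
        # Classify: missing, the default Content.Outlook temp path, or custom.
        if (-not $value) {
            $state = 'NotSet'
        } elseif ($value -match '\\INetCache\\Content\.Outlook\\') {
            $state = 'DefaultTemp'
        } else {
            $state = 'Custom'
        }
        [pscustomobject]@{
            Key          = $key
            State        = $state
            Value        = $value
            FolderExists = [bool]($value -and (Test-Path -LiteralPath $value))
        }
    }
}

# The support note says the value resets if Outlook is open while it is edited.
$outlookRunning = [bool](Get-Process -Name 'OUTLOOK' -ErrorAction SilentlyContinue)
"Outlook running: $outlookRunning"

$result = Get-SecureTempState -Path $keys
$result | Format-Table -AutoSize -Wrap

if ($result.State -contains 'DefaultTemp') {
    Write-Warning ('OutlookSecureTempFolder points at the default Content.Outlook ' +
        'folder, which the thread describes as excluded from Data Control.')
}
```

A key that shows `Custom` before Outlook starts and `DefaultTemp` after a drag-and-drop reproduces the reset reported above.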

     

  • I have raised your case to global escalation specialists (GES). GES engineers are the highest technical tier within support and are responsible for interacting with our development teams. A GES engineer will review your case and provide the necessary expertise necessary for resolution.

     

    If the GES engineer requires further information, he/she may contact you directly.

     

    Based on the case priority and complexity, he/she will contact you with their initial analysis within a maximum of 2 business days.

     

    Often, GES will be able to provide a quick solution to the Level 2 Support engineer who will provide it to you. Otherwise, GES will take ownership of the case and work directly with you.

     

    If GES identifies a product defect or needs further assistance, the Development Team will be engaged. For tracking and consistency in response, these engagements are all recorded and you will be provided the tracking number.

     

    During regular meetings between GES and our Development Teams, all related open cases are discussed and an investigation timeline is agreed upon based on the priority of the defect. We consider both the technical severity of the problem and incident frequency in determining the priority of a defect. Please keep in mind that these meetings are held weekly for non-critical issues and therefore you may not receive an update for several days. Upon completion of the investigation, the Development Team will determine when the issue will be resolved. GES will communicate the plan to you. Once the fix has been released, you will be notified.

    Respectfully, 

     

    Badrobot

     
