
DLP Configuration with Outlook/Web

Hi everyone,

I'm trying to configure two rules in the DLP in Sophos Central:

1 - Just to block the transfer of Excel files through email (Outlook) or web

2 - Just to block Excel, Word and PDF documents with the words "Cliente", "Precio" through email (Outlook) or web

When I set up the rules and apply them to the endpoint, it doesn't work. I'm actually using Windows 10 Enterprise, Office 365, and the latest version of Sophos Endpoint.

I'm testing the rule with this simple scenario: create a new mail in Outlook, attach the Excel file (drag and drop) and send the email to my personal Gmail account.

Can someone guide me in order to solve this inconvenience?

Regards,



This thread was automatically locked due to age.
  • Hi  

    Could you please provide a screenshot of the rules configured under the DLP policy? You can check this link to check the configurations. Also, I request you to check on the endpoint whether the policy is being received: Sophos UI > Run Diagnostic tool > policy > Sophos Anti-Virus. Are there any events or logs created under the location C:\ProgramData\Sophos\Sophos Data Control\Logs\?

    Shweta

    Community Support Engineer | Sophos Technical Support
  • Hello Jose Pablo Delgado,

    I'm not using Office 365 so I can't test. I'm not aware though that the known limitations with DLP apply.
    Could you give the exact details of your rules (perhaps screenshots)?

    Christian

  • This can vary; I went through a few cases with Sophos on it. Much of this depends on your licensing and having the ability to change Outlook (for example) in the GPO and where it will store an attachment when you drag and drop. To run a simple test, attempt to attach a document in Outlook by clicking the attach file icon in a new email. DLP will block the attachment this way regardless of the GPO settings, which will in turn let you know that your DLP rules are working. However (simple explanation), if you drag and drop, Outlook is using a different means to attach the attachment and Sophos is not capable of seeing this, so you must tell Outlook to store the attachment in a different location. Again, however, this is not possible with certain licensing, most notably the Office 365 licensing Business or Business Premium, since you are not able to control Office 365 with that licensing via the GPO. I tried, believe me; broke it all down with procmon to determine that Office 365 will just rewrite the registry setting when you open a new email with the Business Premium licensing. But hey, if you have E1 or higher for Windows 10 and Office 365 you should be great!

    Instructions to get it working can be found here:

    https://community.sophos.com/products/sophos-central/f/sophos-central/110155/dlp-email-attachment-not-being-blocked

    Also I have found a good testing document is to simply create a Word doc or Excel spreadsheet and add 5 or more fake names, with 9 digit numbers (social security), 16 digit, then 4 digit date, then 3 digit (credit card numbers) and some addresses. Once you create this it should be flagged if you have any financial settings configured in DLP.

    Respectfully, 

     

    Badrobot
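
An added example, not part of the original posts and not Sophos code: a small generator for the test spreadsheet described in the post above (fake names, 9-digit numbers, 16-digit card numbers, 4-digit dates, 3-digit codes, addresses). All values are constructed; the card numbers are made Luhn-valid on the assumption that a financial content rule may verify the checksum, which the thread does not state. The file name and helper names are hypothetical.

```python
import csv
import io
import random

FIELDS = ["Name", "SSN", "Card", "Expiry", "CVV", "Address"]

def luhn_check_digit(partial):
    """Digit that makes partial + digit pass the Luhn checksum."""
    total = 0
    # Right to left: the digit next to the check digit is doubled first.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number):
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

def fake_record(rng, index):
    """One constructed row; none of these values belong to a real person."""
    card = "4" + "".join(str(rng.randint(0, 9)) for _ in range(14))
    return {
        "Name": f"Test Person{index}",
        "SSN": f"{rng.randint(100, 665)}-{rng.randint(10, 99)}-{rng.randint(1000, 9999)}",
        "Card": card + luhn_check_digit(card),
        "Expiry": f"{rng.randint(1, 12):02d}{rng.randint(30, 39)}",
        "CVV": f"{rng.randint(0, 999):03d}",
        "Address": f"{rng.randint(1, 999)} Example Street, Testville",
    }

def build_test_csv(rows=5, seed=1):
    """Return CSV text with `rows` constructed records (seeded, repeatable)."""
    rng = random.Random(seed)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    for i in range(1, rows + 1):
        writer.writerow(fake_record(rng, i))
    return buf.getvalue()

if __name__ == "__main__":
    # Hypothetical file name; open it in Excel and save as .xlsx for the test.
    with open("dlp_test_data.csv", "w", newline="") as fh:
        fh.write(build_test_csv())
```

Attach the resulting workbook via the toolbar first to confirm the baseline the thread recommends, then repeat with drag and drop.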

     

  • Those are the rules I used above; they flag quite a bit. After getting some of DLP going I got the head HR/Accounting Manager to work with me on testing. The only thing that I noticed that can be annoying for end users is that DLP may prompt more than once if the end user is uploading/downloading larger files; I have seen this in OneDrive, Google Drive, etc. But I am talking 200 to 300 MB files.

    And then make a fake Excel like this, unless you have something real to work with.

    Respectfully, 

     

    Badrobot

     

  • Also, and sorry for multiple replies, I just keep thinking of things and it has been 6 months or so lol. Outlook is designed to store attachments in a temp location and auto clean that location; if you change or alter that location you may affect the ability to clean up attachments in temp locations. Additional considerations should be taken when doing this, especially if you are concerned with data leakage, right? You don't want a copy of every attachment just building up in some folder on each hard disk.

    Respectfully, 

     

    Badrobot

     

  • Here's the SS of the rules configured:

    Rule 1: Block Excel files in general

    Rule 2: Block Excel files with personalized words: "Clientes, Cliente, Precio, Precios"

     

    I hope it helps, 

    Regards,

  • Can you confirm with a simple rule that DLP is working correctly? Have you tried to attach a file in Outlook via the toolbar? It might help to create a simple baseline that DLP is working and then attempt to block more content as you go.

    Respectfully, 

     

    Badrobot

     

  • Hi

    It works when I attach the file via the toolbar, but how can I block it when the user drags and drops the file (it is the most common way)?

     

    Regards,

  • Please review my above post on how to set GPO or registry changes in order to change how Outlook handles attachments when users drag and drop. There is also info on this here: https://community.sophos.com/products/sophos-central/f/sophos-central/101874/dlp-does-not-flag-email-attachments-in-outlook-2016-with-drag-and-drop/370516

    Note this will only work if Windows and Office 365 licensing is E1 or higher, due to no ability to alter Office 365 settings with the GPO in lesser licensing. There are multiple links in the link above and my other post above that will help to resolve this.

     

    Best!

    Respectfully, 

     

    Badrobot

     

  • Here is the specific KB on the subject: https://community.sophos.com/kb/en-us/122603

    Respectfully, 

     

    Badrobot