I am trying to create custom control lists for DLP and I would like to understand the limitations, if any.
1) When I create a custom CCL, it is impossible to create an additional second custom one. The only way is to clone the first custom CCL and then try to edit it.
2) Even when I try to edit the cloned custom CCL, when I edit the "Terms" with new expressions, I may add the new expression but I cannot save the changes (SAVE button grayed out).
3) Is there a limit to how many "Terms" I may add to a custom CCL? After 8 or 9 terms, SAVE button is grayed out and additional terms are not saved in the custom CCL. This is actually the reason why I am trying to define more than one custom CCL.
4) Is there a limitation to the language for the terms? In particular, is Greek supported?
5) I understand that Terms are case INsensitive, am I correct?
Thanks in advance
In regard to the issue above, I made the following "funny" discovery.
When I enter the term: best and final, I may not save changes in the custom CCL! (bug?)
That means, if I do not use the term: best and final as criteria for my custom CCL, I may use as many terms as I wish (so far more than 30) and I can create as many custom CCLs as I want (so far 5), hence points (1), (2) and (3) of above are not applicable questions anymore.
I would appreciate however your feedback on items (4) and (5) below:
5) I understand that Terms are not case sensitive, am I correct?
PS: Just to clarify, I am trying to control files with term: best and final, since the expression is often used in procurement and sensitive commercial documents.
In reply to GNM:
You are using Central, aren't you? I'm assuming this because Save is used in Central whereas the on-premise SESC uses OK. The ES&C forum group is mainly for the on-premise, SEC-managed version, and actually this isn't even an endpoint software question as it's about the DLP policy (not DLP's behaviour on the endpoint). It's also not a general question regarding the creation of Rules or CCLs and thus I have moved the thread to Central.
Might add that on SEC I couldn't reproduce any of the issues described (but I didn't test Greek).
In reply to QC:
Confirmed, I am using Central. Thanks for moving my post to the appropriate section.
I have been working on the issues throughout this morning and I may confirm the following:
Regarding items (1), (2) and (3), the issues appear when I enter any term including the word "and" in it. If I do not use the word "and" in the term, no issue appears.
As for item (4), I am still testing.
As for item (5), I may confirm, terms are NOT case sensitive.
I list below the numbering of the issues, along with updates again for your convenience.
Thanks for your time.
(1) When I create a custom CCL, it is impossible to create an additional second custom one. The only way is to clone the first custom CCL and then try to edit it.
UPDATE: Happens only if term includes the word "and".
(2) Even when I try to edit the cloned custom CCL, when I edit the "Terms" with new expressions, I may add the new expression but I cannot save the changes (SAVE button grayed out).
UPDATE: Happens only if new term includes the word "and".
(3) Is there a limit to how many "Terms" I may add to a custom CCL? After 8 or 9 terms, SAVE button is grayed out and additional terms are not saved in the custom CCL. This is actually the reason why I am trying to define more than one custom CCL.
(4) Is there a limitation to the language for the terms? In particular, is Greek supported?
UPDATE: Still checking.
(5) I understand that Terms are case INsensitive, am I correct?
UPDATE: Confirmed, terms are NOT case sensitive.
As to AND, the SEC policy editor gives you an error pop-up telling you that AND, OR, NOT and NEAR are reserved words (unless you use Exactly this phrase). Could this be the cause?
I do not get the pop up (site excluded from popup-blocker(s)), but if this is the case, that such limitation exists, it sounds about right!
Thanks for your help, I will post back about the Greek language issue.
This is a really enlightening answer. Thank you!
I'm having another issue regarding Custom DLP and CCL in Sophos Central. Trying to apply regular expressions as shown in the next image:
The main one is:
So I created a notepad, a .docx and .xlsx with just the following data:
and it doesn't block the files when I attach them to a web mail (like gmail).
I already tested that the agent is updating, the policy is applied, etc.
Thanks everybody for your help.
In reply to JoseCasanova:
The expression is correct. Tested and it triggered with plain text and csv, surprisingly not with docx or xlsx. Looks as if the RegEx isn't (correctly) applied to complex documents. I'm not aware of any documented restrictions and it'd be absurd if you couldn't apply your own expressions to documents. As said, in plain text it's correctly detected - if it's not there's perhaps something wrong with your setup. Want to mention this older thread in the DLP forum.
You can try with a more or less nonsensical expression like [a-zA-Z], check if it triggers in plain text. If it then doesn't trigger on office formats I'd suggest that you contact support directly.
Well, this is funny, you are right about the plain text and csv. I tried the same content with the next file types and it also worked: .rtf .doc .xls .ppt and .pdf
As you pointed out, it didn't work on .xlsx, docx and pptx.
This is a major hole and I'll report it to Sophos support.
If anyone has encountered a workaround, it would be greatly appreciated.
Thanks again for all your help.
Thanks for your findings. Guess we'll have to wait for what Support has to say. The only workaround would be to block all cccx document types and that's likely not feasible.
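The split reported in this thread (plain text, csv, .rtf, .doc, .xls, .ppt and .pdf trigger; .docx, .xlsx and .pptx do not) follows the line between older formats and OOXML files, which are ZIP containers of compressed XML. The following is an added example, not part of the original thread and not Sophos code: it builds a stripped-down .docx-style container and applies a constructed pattern (the thread's own expression and test data are not shown) at three depths of extraction. Whether missing extraction is the actual cause of the behaviour reported here is an assumption.

```python
import io
import re
import zipfile
from xml.etree import ElementTree  # use defusedxml for untrusted files
from xml.sax.saxutils import escape

# Constructed pattern and sample text; the thread's own expression is not shown.
PATTERN = re.compile(r"\bID-\d{6}\b")
SAMPLE_RUNS = ["Customer ID-1", "23456 renewal"]  # one sentence split over two runs

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def build_minimal_docx(runs):
    """Return bytes of a stripped-down .docx-style ZIP holding word/document.xml."""
    body = "".join(f"<w:r><w:t>{escape(r)}</w:t></w:r>" for r in runs)
    xml = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>{body}</w:p>'
           "</w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", xml)
    return buf.getvalue()


def scan(docx_bytes):
    """Apply PATTERN at three depths of content extraction."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ElementTree.fromstring(zf.read("word/document.xml"))
    runs = [t.text or "" for t in root.iter(f"{{{W_NS}}}t")]
    paragraphs = ["".join(t.text or "" for t in p.iter(f"{{{W_NS}}}t"))
                  for p in root.iter(f"{{{W_NS}}}p")]
    return {
        # Raw container bytes: the XML is deflate-compressed inside the ZIP.
        "raw_bytes": bool(PATTERN.search(docx_bytes.decode("latin-1"))),
        # Each <w:t> element on its own: the value straddles two runs.
        "per_run": any(PATTERN.search(r) for r in runs),
        # Runs joined per paragraph: the text a reader actually sees.
        "joined_text": any(PATTERN.search(p) for p in paragraphs),
    }


if __name__ == "__main__":
    print("plain text :", bool(PATTERN.search("".join(SAMPLE_RUNS))))
    print("docx stages:", scan(build_minimal_docx(SAMPLE_RUNS)))
```

When testing a DLP rule, create the OOXML fixtures in the office application itself as well, since it decides where run boundaries fall.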