Sophos Data Control - Data Loss Prevention Policy

We are a SEC shop but are making the transition to the Sophos Cloud.  We have used the data control policies in SEC for years to monitor local activity on individual machines.  Unfortunately, the same rules and policies from SEC fail to allow Outlook to open in the cloud product.  As a result our migration is on hold.

We can easily duplicate the issue as well as stop the issue by turning off the data protection rules locally.  All Outlook add-ins were disabled to limit variables.

Has anyone seen this issue, or is anyone currently using the Data Control policies?

My support ticket is well over 6 weeks old now and we are doing the same troubleshooting over and over.  



[edited by: GlennSen at 5:44 AM (GMT -7) on 24 Mar 2022]
  • Have you narrowed it down to specific rules? 

    If you disable all the rules but leave data control enabled in policy does it work?

    If you run Process Monitor when launching Outlook, do you see any access denied entries that data control could be blocking?

    The other thing might be to enable SSPService trace logging by first disabling Tamper Protection, then setting:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EndpointDefense\LocalConfiguration]
    "LogLevel"=dword:00000000

    Restart "Sophos System Protection Service" service.

    Reproduce the issue then check the log \Programdata\Sophos\Endpoint Defense\Logs\SSP.log.

    Filter for all lines (Notepad++ is good for this) that contain [DLP].  Does that help in any way?

    Don't forget to stop the service, remove the LogLevel DWORD and restart the service as the log is pretty verbose!
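
The trace-logging steps from the reply above, collected into one elevated PowerShell session as an added example (not part of the original thread and not Sophos's own tooling). It assumes Tamper Protection has already been disabled, that the log sits under the default `%ProgramData%` location (the reply gives the path without a drive letter), and the output file name is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: enable SSP trace logging, capture the [DLP] lines, then clean up.
$ErrorActionPreference = 'Stop'

$key     = 'HKLM:\SOFTWARE\Sophos\EndpointDefense\LocalConfiguration'
$service = 'Sophos System Protection Service'        # display name, as given in the reply
# Assumption: default ProgramData location, since the reply omits the drive.
$log     = Join-Path $env:ProgramData 'Sophos\Endpoint Defense\Logs\SSP.log'
$out     = Join-Path $env:TEMP 'SSP-DLP-lines.txt'   # hypothetical output file

try {
    # Equivalent of "LogLevel"=dword:00000000 from the reply
    New-ItemProperty -Path $key -Name 'LogLevel' -PropertyType DWord -Value 0 -Force | Out-Null
    Restart-Service -DisplayName $service -Force

    Read-Host 'Launch Outlook to reproduce the issue, then press Enter'

    # -SimpleMatch treats [DLP] as literal text. Without it, Select-String reads
    # the brackets as a regex character class and matches any line containing D, L or P.
    $hits = Select-String -Path $log -SimpleMatch '[DLP]'
    $hits | ForEach-Object { $_.Line } | Set-Content -Path $out
    Write-Host ("{0} [DLP] lines written to {1}" -f @($hits).Count, $out)
}
finally {
    # The trace log is verbose, so always revert: stop, remove the value, start.
    Stop-Service -DisplayName $service -Force -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $key -Name 'LogLevel' -ErrorAction SilentlyContinue
    Start-Service -DisplayName $service -ErrorAction SilentlyContinue
}
```

Re-enable Tamper Protection once the capture is done.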
