This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ES1100 DLP for excel spreadsheets

I put DLP rules in place close on to a year ago with the ES1100 appliance, but it was brought to my attention recently that on excel spreadsheets my DLP rules arent triggerring. My ruleset might not work correctly with excel sheets, or there might be something else at play here.

What my custom ruleset does is look for the word "account" or any variation of that, and then it looks for up to 15 characters after for specific number strings. The spreadsheet in question had the word account as a column heading, 3 columns to the right and several account numbers below it that in an ordinary situation would have been flagged, but were not for the spreadsheet. How do Sophos DLP rules process excel spreadsheets? Does it read left to right on each row, then process each line with data the same way? Or does it look at column headers and read the data below? Any help would be appreciated.

:53095


This thread was automatically locked due to age.
  • I did a little more research on this. If I format the text in a single cell to read Account 12345678, the attachment is flagged. If I format Account in one cell, and the numbers in another cell, it doesnt work. So it has to be that it doesnt recognize data between cells as being connected, IE it doesnt match the character limit in my regex so it ignores it. I intitially put this in to cut down on false positives as before it was implemented we were getting thousands of matches a day due to phone numbers. I did some testing, and it looks like sophos reads the data in excel spreadsheets from left to right, I determined this by putting account number 12345678 in cell b1 and then putting account 87654321 in cell a2, the bounce email tells me that the values in cell B1 were flagged. This makes sense in normal word documents, but in excel data is typically formatted top down rather than left to right. Anyone have suggestion on how to write regex that would catch this, besides extending character limit or removing the word account from detection?

    :53105