DLP does not flag email attachments in Outlook 2016 with Drag and Drop

Hello,

I have been enabling various DLPs at our company in test groups, and I have them working well in terms of what data is getting flagged. However, in Outlook 2016, if a user selects attach a file the prompt comes up, but if they drag and drop the same file in a new email the prompt does not come up. I know this has to do with Outlook's Temp Secure folder, the location of which can be found in the registry at these locations:

Outlook 97: HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Outlook\Security
Outlook 98: HKEY_CURRENT_USER\Software\Microsoft\Office\8.5\Outlook\Security
Outlook 2000: HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Security
Outlook 2002/XP: HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security
Outlook 2003: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security
Outlook 2007: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security
Outlook 2010: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security
Outlook 2013: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Security
Outlook 2016: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security

But I cannot get the folder location to change by altering the registry key; Microsoft just changes it back. Is there some type of workaround for this? I have looked for various settings that may help, such as the GPO Outlook ADMX and so on, but I cannot seem to find where to make the change to get this to work. Any help would be appreciated greatly.

Thanks,



  • Hi Dane Seelen,

    I believe we have a reported issue with files not being flagged during the drag and drop action in Outlook 2016. It would be great if you could open a support ticket and then PM the case details for further follow-up.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support


  • Already did lol. I opened one with Sophos and one with Microsoft. I will paste my open response to where I am at with Microsoft below; in regards to Sophos, I am currently scheduling a remote session with them to look further into the issue.

    To Microsoft~

    I have attempted this again, without AV, with AV, newly installed Outlook & re-completed the registry changes in the GPO just to be sure; basically I started from scratch. The computer was fully updated, running the latest Outlook/Sophos and Windows 10 Pro updates.

    I applied the following 2 registry changes via GPO to the computer in question:

    • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder

    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder

    Both of which are set to alter the OutlookSecureTempFolder location to C:\Users\%username%\Desktop\Outlook

    • Where I have placed a hidden folder named Outlook

    I then ran gpupdate /force and/or logged in/out and/or restarted the computer to apply the registry changes (double-checking each to make sure there is no difference). The registry changes are applied; I can confirm this by checking the registry via regedit. Once I had them confirmed I opened procmon, then opened Outlook. At this point I did not see anything changing the secure folder location in the registry. I refreshed and even reopened regedit to make sure the folder path had not changed and was still C:\Users\%username%\Desktop\Outlook. I then opened a new email and again nothing changed; I repeated the process of reopening regedit to confirm. However, once I drag and drop an attachment into an email, procmon shows Outlook.exe doing a RegSetValue to HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder, which alters the folder back to:

    C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\2I9V31IT

    What I am trying to figure out is what value in Outlook is rewriting this piece of registry code so that I can have it remain set to C:\Users\%username%\Desktop\Outlook

     

    The response I got back was they are waiting to speak with a Microsoft Engineer.
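
For anyone reproducing the behaviour described in the post above, the following is an added example (not code from the thread, Sophos or Microsoft) that polls the OutlookSecureTempFolder value under both the user and policy keys and logs each change, so the rewrite seen in procmon can be timed against the drag-and-drop action. The function names are hypothetical, and the expected folder assumes the user profile lives under C:\Users as in the post.

```powershell
# Added example. Office version numbers, key paths and the value name are the
# ones listed in this thread; function names are hypothetical.
$versions = '8.0','8.5','9.0','10.0','11.0','12.0','14.0','15.0','16.0'
$roots = @{
    User   = 'HKCU:\Software\Microsoft\Office'
    Policy = 'HKCU:\Software\Policies\Microsoft\Office'
}

function Get-OutlookSecureTempFolder {
    # Returns one object per key that actually carries the value.
    foreach ($v in $versions) {
        foreach ($scope in $roots.Keys) {
            $key  = "$($roots[$scope])\$v\Outlook\Security"
            $item = Get-ItemProperty -Path $key -Name OutlookSecureTempFolder `
                        -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }
            $path = [Environment]::ExpandEnvironmentVariables($item.OutlookSecureTempFolder)
            [pscustomobject]@{
                Version = $v
                Scope   = $scope
                Path    = $path
                Exists  = Test-Path -LiteralPath $path
            }
        }
    }
}

function Watch-OutlookSecureTempFolder {
    param([string]$Expected, [int]$Seconds = 120)
    $last     = @{}
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        foreach ($r in Get-OutlookSecureTempFolder) {
            $id = "$($r.Version)/$($r.Scope)"
            if ($last[$id] -ne $r.Path) {
                # Log the first reading and every later rewrite of the value.
                $same  = $r.Path.TrimEnd('\') -ieq $Expected.TrimEnd('\')
                $state = if ($same) { 'as configured' } else { 'DIFFERS' }
                '{0:HH:mm:ss} {1}: "{2}" -> "{3}" [{4}]' -f `
                    (Get-Date), $id, $last[$id], $r.Path, $state
                $last[$id] = $r.Path
            }
        }
        Start-Sleep -Milliseconds 500
    }
}

# Start this, then attach a file by drag and drop while it runs.
Watch-OutlookSecureTempFolder -Expected "$env:USERPROFILE\Desktop\Outlook"
```

A `DIFFERS` line for `16.0/User` appearing at the moment of the drag and drop, with `16.0/Policy` unchanged, corresponds to the RegSetValue the post reports seeing in procmon.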

  • Also, after reading through a few other forums on Sophos Community, I have found that this issue also occurs if a user right-clicks a file and uses the send as option built into Windows; the file is attached and DLP does not prompt any type of alert status.

    I would assume, but also will confirm if I find a fix, that these two aspects are related to the folder structure that Microsoft dumps the attachments into.

     
