DLP blocking existing file copy to USB device no rules in place apart from standard DLP UK templates

Hi Guys 

 

Newbie here, just started migrating my user base to Sophos cloud offering, various issues, but biggest one being DLP. I've read what I can find on here, but my issue is different in that I am trying to copy an existing file (any file type) to a USB drive, and I'm being blocked, without a prompt. There are no DLP specific file or content rules in place, bar the standard DLP templates provided by Sophos. I've logged a ticket a few weeks back, but struggling to get anything positive from the support team.

 

Thanks in advance

 

Kishan



This thread was automatically locked due to age.
  • Hello Kishan,

    I'm not a Central user but DLP behaviour is pretty much the same across the products.

    being blocked, without a prompt
    You do get a notification but you don't get a confirmation prompt - is this so? AFAIK there aren't any DLP policies in effect by default, so you must have created at least one policy and selected at least one rule for it - which one(s)? Also it's not clear what you mean by standard DLP UK templates (the Central version might offer more rules than the on-premise SESC though)?

    Christian

  • I am not using central but I found for my local SEC I had to create some separate policies for some location.

    Device Control I enabled (checked) "Enable device control scanning" and "Detect but do not block devices".  Then set the access level to full for all types.

    Data Control I disabled (unchecked) "Enable data control scanning".  Then went in to "Manage Rules" and unchecked all.

    I applied these two policies to the location that I needed to strip out any blocking that was happening.

     

    FYI Sophos really doesn't do Data Loss Prevention.  It is more like Data Monitoring or maybe call it lightweight DLP.  You can see this in the policy names "Data Control" and even if you look through the "Data Control" configuration options DLP is never used.  Also Data Control monitoring doesn't apply too effectively.  Example: Outlook.  Only if you use the attach file function does it monitor but if you drag and drop it doesn't see that action.  Also Data Control doesn't keep a copy of the file so you will never know if you had a true event or not.

    Also keep in mind that Data Control monitor is logging all of the file names and paths, so this means Sophos is storing confidential information in the form of Data Control monitoring log files.

    They might not have the file but they do have the file name and path.  What if you are monitoring for Social Security Numbers?  The log could read C:\April\SSN\xxx-xx-xxxx\first last.docx.  Even if you block the copy to a USB, Sophos would still have the information.

    We use Data Control for monitoring only and anything more gets the phone ringing.

     

    Something to think about.
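
The reply above points out that a monitoring log can hold an identifier in the file name or path even though the file itself was never copied. As an added example (not part of the original thread and not Sophos code), this Python sketch audits exported log lines for SSN-shaped path components and redacts them before the log is forwarded. The log layout, field names and sample values are constructed for illustration and do not reflect a real Sophos log format.

```python
import re
from pathlib import PureWindowsPath

# SSN-shaped token: 3-2-4 digits, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# Windows path inside a quoted field of the constructed log format below.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')


def plausible_ssn(area, group, serial):
    """Reject values that are never issued, to cut false positives."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def audit_line(line):
    """Return (component_kind, value) for each SSN-like token in a logged path."""
    hits = []
    for path_text in PATH_RE.findall(line):
        parts = PureWindowsPath(path_text).parts
        for i, part in enumerate(parts):
            kind = "file name" if i == len(parts) - 1 else "directory"
            for m in SSN_RE.finditer(part):
                if plausible_ssn(*m.groups()):
                    hits.append((kind, m.group(0)))
    return hits


def redact_line(line):
    """Replace plausible SSNs with a fixed marker; leave other text untouched."""
    def mask(m):
        return "[REDACTED-SSN]" if plausible_ssn(*m.groups()) else m.group(0)
    return SSN_RE.sub(mask, line)


# Constructed sample lines; the field layout is hypothetical.
SAMPLE_LOG = [
    r'2024-04-02 10:15:01 action=block dest=removable file="C:\April\SSN\078-05-1120\first last.docx"',
    r'2024-04-02 10:16:44 action=allow dest=removable file="C:\Reports\build-000-12-3456.txt"',
    r'2024-04-02 10:17:09 action=block dest=removable file="D:\HR\jane doe 219-09-9999.pdf"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(audit_line(entry), "->", redact_line(entry))
```

The second sample line shows why the plausibility check matters: a build number shaped like an SSN is neither flagged nor altered.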
