Data Loss Protection - Alerts being generated about "Controlled Items" IndexerVolumeGuid, WPSettings.dat, $Quota:$Q

Hi

We have a couple of Windows 10 Pro 1809 machines generating alerts (one every 15 minutes) about "Controlled Items" in the local event log - but can't see them in Central anywhere. We are 99% sure these relate to Data Loss Protection policies in some way; we don't have anything exciting defined that I am aware of, just standard UK DLP policies in the base policy to prompt users. From what I can tell these are just normal parts of Windows.

This is causing people to moan that they are getting onscreen toast message popups on the screen, and it is polluting the event log in the program (not a major problem but a pain to review them).

Any ideas on this, as we are slightly drawing a blank on what exactly the issue is; it doesn't seem to be a user activity.

Chris

This thread was automatically locked due to age.
  • Hello Chris,

    in the local event log
    there should be an Event Source that indicates which component issued the event. I'm not aware that Data Control logs Windows Events - or do I misunderstand the local event log? Could you show a sample of these alerts/events?

    I've heard of controlled items mostly in conjunction with Web Control (as in this thread and in this other). But these events show in Central AFAIK.

    The items (not sure about $Quota:$Q) you mention are in the normally inaccessible System Volume Information folder.

    Christian

  • Hi

    Looking at the text log file it's reporting, C:\ProgramData\Sophos\Sophos Data Control\logs\DataControl.txt, it's logging the following line... but clearly that is a system service

    0190509 080049    A "block transfer" action was taken. The user tried to save or copy a file to a storage device without using Windows Explorer.
            Username: NT AUTHORITY\SYSTEM
            User action: File save or copy
            Data Control action: Block
            Destination path: F:\$Extend\$Quota:$Q
            Destination type: Removable storage
     
    The local "events" log is the one in the endpoint software rather than - from what I can see, "Controlled items" is some web control events like blocking Google Translate as well as data control events.

  • Hello  

    You might also want to look into disabling Secure Boot to see if this resolves the DLP error that is coming up in the endpoint as referenced in this article.

  • Hello Chris,

    looks like Windows is trying to write some more or less standard hidden files (and in addition quota entries) at regular intervals; this isn't really new behaviour, but I've never seen Data Control complain. Well, Quota is perhaps a little bit unusual if these are flash drives. Did these notifications suddenly start?

    Christian
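
For anyone triaging the same noise, the DataControl.txt excerpt quoted earlier in the thread can be parsed to separate SYSTEM writes to Windows volume metadata from entries that need a human look. This is an added example, not from any poster and not Sophos code; the entry layout is assumed from the single entry shown in the thread, and the second and third sample entries, the `EXAMPLE\alice` account and all function names are constructed.

```python
import re
from collections import Counter

# Constructed sample: the first entry mirrors the one quoted in the thread;
# the other two entries are invented for illustration.
SAMPLE_LOG = r'''
0190509 080049    A "block transfer" action was taken. The user tried to save or copy a file to a storage device without using Windows Explorer.
        Username: NT AUTHORITY\SYSTEM
        User action: File save or copy
        Data Control action: Block
        Destination path: F:\$Extend\$Quota:$Q
        Destination type: Removable storage
0190509 081549    A "block transfer" action was taken.
        Username: NT AUTHORITY\SYSTEM
        Destination path: F:\System Volume Information\IndexerVolumeGuid
0190509 082210    A "block transfer" action was taken.
        Username: EXAMPLE\alice
        Destination path: F:\export\customers.xlsx
'''

HEADER = re.compile(r'^(\d+ \d+)\s+(.*)$')      # timestamp, then message
FIELD = re.compile(r'^\s+([^:]+):\s*(.*)$')     # indented "Key: value" line
# NTFS/Windows housekeeping locations named in the thread ($Extend, System Volume Information)
OS_METADATA = re.compile(r'^[A-Za-z]:\\(\$Extend\\|System Volume Information\\)', re.I)

def parse_entries(text):
    """Group each header line with the indented fields that follow it."""
    entries = []
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            entries.append({"timestamp": header.group(1), "message": header.group(2)})
        elif entries and (field := FIELD.match(line)):
            entries[-1][field.group(1).strip()] = field.group(2).strip()
    return entries

def triage(entry):
    """'os-metadata' only when SYSTEM wrote to a volume-metadata path; else 'review'."""
    is_system = entry.get("Username", "").upper() == r"NT AUTHORITY\SYSTEM"
    is_metadata = bool(OS_METADATA.match(entry.get("Destination path", "")))
    return "os-metadata" if is_system and is_metadata else "review"

def summarize(text):
    """Count entries per (triage label, destination path)."""
    return Counter((triage(e), e.get("Destination path", "?")) for e in parse_entries(text))

if __name__ == "__main__":
    for (label, path), count in summarize(SAMPLE_LOG).items():
        print(f"{label:12} {count:3}  {path}")
```
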