DLP Configuration with Outlook/Web

Hi Fc0rp 

Could you please provide the screenshot of rules configured under DLP policy. You can check this link to check the configurations. Also, request you to check under endpoint if the policy is being received from Sophos UI> Run Diaginistic tool> policy> Sophos Anti-Virus. Are there any events or logs created under location: C:\ProgramData\Sophos\Sophos Data Control\Logs\. 

Here's the SS of the rules configured:

Rule 1: Block the excel files in general

Rule 2: Block the excel files with personalized words: "Clientes, Cliente, Precio, Precios" 

I hope it helps, 

Regards,

Can you confirm with a simple rule that DLP is working correctly?  Have you tried to attach a file in Outlook via the toolbar?  It might help to create  a simple baseline that DLP is working and then attempt to block more content as you go.

Hi

it work when I attached the file via the toolbar, but how I can block it when the user drag and drop the file (is the most common way).

Regards,

Please review my above post on how to set GPO or registry changes in order to change how Outlook handles attachments when users Drag and Drop, there is also info on this here: https://community.sophos.com/products/sophos-central/f/sophos-central/101874/dlp-does-not-flag-email-attachments-in-outlook-2016-with-drag-and-drop/370516

Note this will only work if Windows and Office 365 licensing is E1 or higher, due to no ability to alter Office 365 settings with the GPO in lesser licensing.  There are multiple links in the link above and my other post above that will help to resolve this.  

Best!

Here is the specific KB on the subject: https://community.sophos.com/kb/en-us/122603

Thanks for your prompt reply, another question, what happens if I modify the registry and just put in the path the C: it will work with the files stored in the C: HDD?

Anything can work if we want right?  lol

I would not, I would create a hidden folder on there desktops or somewhere in there user profile vs the root c:\ since many users may not have access to that directory or should not have access to that directory in terms of write and or execute.  For that matter than any user could see any other users attachments since they would all have read access to the C:\ root, unless you are going to do some fancy permissions but that just sounds like a headache.  Way easier to use the folder infrastructure already in place in Windows for example there desktop, create a hidden folder there, then you could simply run a power shell script every so often to delete all files in the hidden folder on the desktop.  Use an environmental variable like c:\users\%username%\desktop\outlookattachments\  to delete all files in all user profiles in that folder as well, set it with task scheduler to run once a week or month or whatever and you will have your data retention covered as well.

On a side note, it may also be possible to create it in a personal network drive as well something everyone has but only each user has access to, to again avoid someone figuring out how to read other users attachments between deletions.

Were you able to get this working?  I know it is a little bit of a pain given the multiple configuration aspects but once it is up and running it works pretty well.

Were you able to get this working?  I know it is a little bit of a pain given the multiple configuration aspects but once it is up and running it works pretty well.

Hello badrobot,

I'm trying to configure the path in the regedit in the C: but it doesn't work, also every time I restart the computer the path changed to the default, when i configured the regedit the Outlook application is closed.

The thing is I need to configure the C: HDD, in order to block any file uploaded through drag and drop method.

Regards,  

What is your Office 365 licensing level?

The Plan is the A3, and nothing yet!

You will need to change this is in the GPO with the Office ADMX templates ( I believe these are correct ones: https://www.microsoft.com/en-us/download/details.aspx?id=49030).

If you do this it will change the Office 365 setting for you, you should create a test OU for this at first though, use the instructions in previous replies to alter the GPO correctly.  

For future reference, you can find what is supported in different licensing levels of office 365 in the two links below.

Business:    https://docs.microsoft.com/en-us/office365/servicedescriptions/office-applications-service-description/office-applications-service-description 

Education:  https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-education

For you, basically A3 & A5 have group policy support, so good for you!

There is also a good understanding of how to change the GPO settings here, although it is 2013 the same aspects will apply:  https://www.sourceonetechnology.com/setting-the-default-file-location-for-attachments-in-microsoft-outlook/