DLP Policy to Allow & Block?

I'm hoping someone else has run into a similar situation and can provide an easy answer.

In short, if we have a Rule in our base DLP policy which blocks USB transfers based on sensitive info (PII, etc.), but another Rule in the same policy which monitors and allows transfers, does the 'block USB transfer' rule still activate if it sees sensitive info, even though the 'monitor' rule conflicts with it? Basically, if the two Rules conflict, will the more restrictive one take precedence?

Some context, because I know this seems bizarre. But due to the problems with SecureBoot and Sophos Central, we can't just push out a rule that asks users to confirm potential sensitive info transfers, so I'm trying to find a way around it that will let users transfer normal files as they've always done but now give IT visibility of those transfers via Sophos Central, but still block transfers of sensitive info.

By all means, please ask me to clarify anything here; I realise it's a strange situation.



  • Hello Craig Withers,

    IMO the Central Admin Help is quite clear:


     If a file matches rules that specify different actions, the rule that specifies the most restrictive action is applied. For example:

    • Rules that block file transfer take priority over the rules that allow file transfer on user acceptance.
    • Rules that allow file transfer on user acceptance take priority over the rules that allow file transfer.

    I'm not sure what "prevents from working" in the UEFI vs. DLP article means. Whether it's just that an Allow on acceptance rule unconditionally blocks or that "Any action that triggers a Data Control rule" also refers to Allow and log.

    Christian

  • I created the rule with giving the user the option to override, you still get an alert that they have done it but it avoids issues. But for me that is for email, I have USB drives blocked completely. I usually follow up on those who override them once a week. But we do not have high turnover or anything and most people have been here forever and know what they are doing.
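
The precedence rule quoted from the Central Admin Help above, applied to the two-rule policy in the question, as an added example that is not part of the thread and is not Sophos code. It is a small model only: the rule names, the `Rule` fields, the "usb" destination label and the SSN-style regex are assumptions made for illustration, and the sample file contents are constructed.

```python
import re
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Action(IntEnum):
    # Ordered from least to most restrictive, following the quoted help text.
    ALLOW_AND_LOG = 1
    ALLOW_ON_ACCEPTANCE = 2
    BLOCK = 3


@dataclass(frozen=True)
class Rule:
    name: str                # hypothetical rule name
    destination: str         # hypothetical destination label, e.g. "usb"
    pattern: Optional[str]   # content regex; None means "any file"
    action: Action

    def matches(self, destination: str, content: str) -> bool:
        if destination != self.destination:
            return False
        return self.pattern is None or re.search(self.pattern, content) is not None


def evaluate(rules, destination, content):
    """Return (action, deciding rule name, matched rule names).

    Every matching rule is collected first; the most restrictive action wins,
    so the order of rules in the policy does not change the outcome.
    Returns (None, None, []) when no rule matches.
    """
    matched = [r for r in rules if r.matches(destination, content)]
    if not matched:
        return None, None, []
    decider = max(matched, key=lambda r: r.action)
    return decider.action, decider.name, [r.name for r in matched]


# Constructed policy mirroring the question: log everything, block PII.
POLICY = [
    Rule("monitor-usb", "usb", None, Action.ALLOW_AND_LOG),
    Rule("block-usb-pii", "usb", r"\b\d{3}-\d{2}-\d{4}\b", Action.BLOCK),
]

# Constructed sample files (the SSN-style value is made up).
SAMPLES = {
    "notes.txt": "Meeting moved to Tuesday.",
    "hr_export.csv": "name,ssn\nJane Doe,123-45-6789\n",
}
```

Under this model the ordinary file matches only the monitoring rule and is allowed and logged, while the file containing the PII pattern matches both rules and is blocked.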