Skip to content

Data Loss Prevention Policy


This Data Loss Prevention policy protects endpoints. If you want to protect against data loss via email, you should use Data control policies in Email Security. See Data control policy.

Data Loss Prevention (DLP) controls accidental data loss. DLP enables you to monitor and restrict the transfer of files containing sensitive data.

For example, you can prevent a user sending a file containing sensitive data home using web-based email.

You do this by creating rules. You then add the rules to policies, as described below. You can then apply these policies to users, computers and Windows servers.

Data Loss Prevention (DLP) policies include one or more rules that specify conditions and actions to be taken when the rule is matched. When a DLP policy contains several rules, a file that matches any of the rules in the DLP policy violates the policy. A rule can be included in multiple policies. You can add text to the messages shown on protected endpoints or Windows servers when the rules are triggered. There are two types of message:

  • A confirmation notification that asks the user to confirm the file transfer.
  • A block notification that informs the user that they cannot transfer the file.

You can create custom policies or policies from templates. The templates cover standard data protection for different regions. You can apply these policies to users, computers or Windows servers. See About Policies.


SophosLabs can independently control the file types included in DLP. They may add or remove certain file types to provide the best protection.

Set up policy

Go to My Products > Endpoint > Policies to apply DLP.

To set up a policy, do as follows:

  • Create a Data Loss Prevention policy. See Create or Edit a Policy.
  • Open the policy's Settings tab and configure it as described below. Make sure Use rules for data transfers is turned on. See Data Loss Prevention Rules.

  • Choose whether you want to create a policy from a template or a custom policy.

    • To use a template, select a region and a template and click Create from Template. This adds a pre-defined rule to the policy.

      To add more rules, click Add.

    • To create a custom policy, click Create Custom Policy and click Add. Choose whether you want to an use existing rule or create a new rule. Select the rules you want to add and click Add.

  • Turn on the options in the Messages For End Users area and click the option names to add your own message to the standard confirmation and block notifications. Each message can have a maximum of 100 characters.


    You can turn off either or both of these messages. The standard notification is shown on the endpoint or server. If you leave the message box blank the standard notification is shown.

    1. Enter the message text.
    2. Click Finish.

Performance considerations

When using Data Loss Prevention policies, be aware that the following factors affect the performance of all file transfer operations.

File size

Because content rules check the whole file content for protected data, the time required increases with the file size.

The file size doesn't affect file rules, which only check the file name or type.

Number of rules

Because rules are checked sequentially for each file, the time required increases with the number of rules a policy uses.