Skip to content

Data Loss Prevention Rules

You use data loss prevention (DLP) rules to specify conditions to detect, actions to take, and any files to exclude from scanning.

Restriction

These DLP rules are different than email data control policies. For information on email data control policies, see Data control policy.

You can use these rules across multiple policies. For help on creating rules see Create a Data Loss Prevention Rule.

There are two types of rules:

  • Content: A content rule details the action to be taken if a user attempts to transfer data that matches the Content Control Lists (CCLs) in the rule to the specified destination.

    You use CCLs to match file content. See Content Control Lists.

  • File: A file rule details the action to be taken if a user tries to transfer a file with the specified file name or file type to the designated destination. For example you can block the transfer of databases to removable storage devices.

When all the conditions listed in a rule are detected, the rule is matched, the action specified in the rule is followed and the event is logged.

If a file matches rules that specify different actions, the rule that specifies the most restrictive action is applied. For example:

  • Rules that block file transfer take priority over the rules that allow file transfer on user acceptance.
  • Rules that allow file transfer on user acceptance take priority over the rules that allow file transfer.

Note

SophosLabs can independently control the file types included in DLP. They may add or remove certain file types to provide the best protection.

Microsoft Office documents and CCLs

We check the metadata areas of Microsoft Office documents for CCLs. If we match the content in the metadata areas we carry out the action specified in the rule.

We check the following areas:

  • Document properties

    • Title
    • Tags
    • Comments
    • Status
    • Categories
    • Subject
    • Hyperlink base
    • Company
    • Manager
  • Author

  • Page header
  • Page footer
  • Comments
  • Watermark
  • Footnote
  • Endnote
  • SmartArt graphic
  • Embedded Excel charts

Note

We can't check signature data. We can't find content that matches a CCL in signatures.

Manage Data Loss Prevention Rules

This page lists the existing DLP rules and allows you to manage their use across multiple policies. The name, source and type is shown for each rule.

You can create new custom rules, and search existing rules.

You can also filter rules by Rule Type.

Click on the name of a rule to edit it.

To view details of a rule, click Information Information button..

To clone a rule, click Clone Clone button..

  1. Give a name for the cloned rule.
  2. Click Clone item. This adds the cloned rule to the list of rules.
  3. You can then amend it by clicking its name in the list.

To export custom rules, click Export Export button.. This creates an xml file containing the rule definition.

To delete a rule, click Delete Cross mark, click this to delete.. Click Delete item to confirm deletion.

To import rules:

  1. Click Import.
  2. Select the XML file containing the rules.
  3. Click Open.

    The rules are added to the list.