Data Loss Prevention Rules
Data loss prevention (DLP) rules allow you to define conditions for detection, specify actions to take, and identify any files to exclude from scanning.
Restriction
These DLP rules are different from email data control policies. For information on email data control policies, see Data control policy.
You can use these rules across multiple policies. For more information on creating rules, see Create a Data Loss Prevention Rule.
There are two types of DLP rules:
- Content: A content rule details the action to take if a user attempts to transfer data that matches the Content Control Lists (CCLs) in the rule to the specified destination. You use CCLs to match file content. See Content Control Lists.
- File: A file rule details the action to take if a user tries to transfer a file with the specified file name or file type to the designated destination. For example, you can block the transfer of databases to removable storage devices.
When all the conditions listed in a rule are detected, the rule is matched, the action specified in the rule is followed, and the event is logged.
If a file matches rules that specify different actions, the rule that specifies the most restrictive action is applied.
Examples
- Rules that block file transfer take priority over rules that allow file transfer on user acceptance.
- Rules that allow file transfer on user acceptance take priority over rules that allow file transfer.
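The matching and precedence behaviour described above, as an added worked example (not Sophos code): a small rule evaluator that checks every condition of a rule (destination, file name or type, CCL content match, exclusions), collects all matching rules for one transfer, and applies the most restrictive action. The rule names, destinations, the Luhn-checked card-number CCL and the sample transfers are constructed for illustration; where a file rule lists both names and types, the example assumes both must hold.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatch

# Precedence as stated on the page: block beats allow-on-acceptance,
# which beats allow. Higher value = more restrictive.
SEVERITY = {"allow": 0, "allow_on_acceptance": 1, "block": 2}

# Candidate 16-digit card numbers, with optional space or dash separators.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits):
    """Luhn checksum: rejects card-shaped numbers that are not valid PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def payment_card_ccl(text):
    """Stand-in for a payment-card CCL: pattern match plus checksum."""
    return any(luhn_ok(re.sub(r"\D", "", m.group(0)))
               for m in CARD_CANDIDATE.finditer(text))


@dataclass
class Rule:
    name: str
    kind: str                   # "content" or "file"
    destinations: frozenset     # where the transfer must be going
    action: str                 # "allow", "allow_on_acceptance" or "block"
    ccl_checks: tuple = ()      # content rules: callables text -> bool
    file_globs: tuple = ()      # file rules: file-name patterns (any may match)
    file_types: frozenset = frozenset()  # file rules: type categories (any may match)
    exclusions: tuple = ()      # file-name globs this rule never scans


@dataclass
class Transfer:
    file_name: str
    file_type: str
    destination: str
    content: str


def rule_matches(rule, t):
    # An excluded file is never scanned by this rule, whatever else would match.
    if any(fnmatch(t.file_name, g) for g in rule.exclusions):
        return False
    if t.destination not in rule.destinations:
        return False
    if rule.kind == "content":
        return any(ccl(t.content) for ccl in rule.ccl_checks)
    # File rule: every condition the rule specifies must hold (assumption).
    if rule.file_globs and not any(fnmatch(t.file_name, g) for g in rule.file_globs):
        return False
    if rule.file_types and t.file_type not in rule.file_types:
        return False
    return bool(rule.file_globs or rule.file_types)


def evaluate(rules, t):
    """Return (action, names of matched rules); the most restrictive action wins."""
    matched = [r for r in rules if rule_matches(r, t)]
    if not matched:
        return "allow", []
    action = max((r.action for r in matched), key=SEVERITY.__getitem__)
    return action, [r.name for r in matched]


# Constructed sample rules (names and destinations are illustrative).
RULES = [
    Rule("Block databases to removable storage", "file",
         frozenset({"removable_storage"}), "block", file_types=frozenset({"Database"})),
    Rule("Payment card data - ask user to confirm", "content",
         frozenset({"removable_storage", "email"}), "allow_on_acceptance",
         ccl_checks=(payment_card_ccl,)),
    Rule("Allow marketing exports", "file",
         frozenset({"removable_storage"}), "allow",
         file_globs=("marketing_*",), exclusions=("*.tmp",)),
]

# Constructed sample transfers; 4111 1111 1111 1111 is a well-known test PAN.
SAMPLE_TRANSFERS = [
    Transfer("marketing_q3.xlsx", "Spreadsheet", "removable_storage",
             "Refund to card 4111 1111 1111 1111"),
    Transfer("customers.mdb", "Database", "removable_storage",
             "card 4111 1111 1111 1111 on file"),
    Transfer("notes.txt", "Plain text", "email", "order ref 4111111111111112"),
]

if __name__ == "__main__":
    for t in SAMPLE_TRANSFERS:
        action, names = evaluate(RULES, t)
        # The page says a matched rule's event is logged; this is the log line.
        print(f"DLP {action.upper():20} {t.file_name} -> {t.destination}; rules: {names}")
```

The first transfer matches both the allow rule and the allow-on-acceptance content rule, so the user is asked to confirm; the second adds the database block rule, which wins; the third contains a card-shaped number that fails the Luhn check, so no rule matches and the transfer is allowed.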
Note
SophosLabs can independently control the file types included in DLP. They may add or remove certain file types to provide the best protection.
Microsoft Office documents and CCLs
We check the metadata areas of Microsoft Office documents for CCLs. If we match the content in the metadata areas, we carry out the action specified in the rule.
| Metadata areas | Sub-areas |
|---|---|
| Document Properties | Title, Tags, Comments, Status, Categories, Subject, Hyperlink base, Company, and Manager |
| Document Content | Author, Page header, Page footer, Comments, Watermark, Footnote, Endnote, SmartArt graphic, and Embedded Excel charts |
Note
We can't check signature data, so content that matches a CCL can't be found in a document's signatures.
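How a CCL match in the metadata areas listed above can be found, as an added example (not Sophos code): a .docx is a ZIP package, so the scanner opens it in memory, flattens the text of the document-properties parts (docProps/core.xml, docProps/app.xml) and the content parts (body, header, footer, comments, footnotes, endnotes), and runs a CCL pattern over each. It also records any digital-signature part (_xmlsignatures/) as skipped, matching the note that signature data isn't checked. The part-to-area mapping, the CCL keyword pattern, and the sample document built inline are all constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Illustrative mapping of package parts to the metadata areas on the page.
PART_AREAS = {
    "docProps/core.xml": "Document Properties",   # Title, Subject, Tags, Comments, ...
    "docProps/app.xml": "Document Properties",    # Company, Manager, Hyperlink base
    "word/document.xml": "Document Content",
    "word/header1.xml": "Document Content",
    "word/footer1.xml": "Document Content",
    "word/comments.xml": "Document Content",
    "word/footnotes.xml": "Document Content",
    "word/endnotes.xml": "Document Content",
}
# Digital-signature parts are not checked; the scanner reports them as skipped.
SIGNATURE_PREFIX = "_xmlsignatures/"

# Stand-in CCL: a classification marker (a real CCL would be far richer).
CCL = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b")


def part_text(xml_bytes):
    """Flatten every text and tail node of an XML part into one string."""
    root = ET.fromstring(xml_bytes)
    chunks = []
    for el in root.iter():
        if el.text:
            chunks.append(el.text)
        if el.tail:
            chunks.append(el.tail)
    return " ".join(chunks)


def scan_docx(data):
    """Return (hits, skipped): hits are (area, part, matched text) triples."""
    hits, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith(SIGNATURE_PREFIX):
                skipped.append(name)
                continue
            area = PART_AREAS.get(name)
            if area is None:
                continue  # rels, content types, styles: no user text to inspect here
            for m in CCL.finditer(part_text(z.read(name))):
                hits.append((area, name, m.group(0)))
    return hits, skipped


def build_sample_docx():
    """Constructed sample: a minimal .docx with the marker in the Subject
    property and a page header, plus a signature part that must not count."""
    core = ('<cp:coreProperties '
            'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:title>Q3 forecast</dc:title>'
            '<dc:subject>CONFIDENTIAL pricing model</dc:subject>'
            '</cp:coreProperties>')
    app = ('<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
           '<Company>Example Ltd</Company><Manager>J. Doe</Manager></Properties>')
    w = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    document = (f'<w:document {w}><w:body><w:p><w:r><w:t>Nothing sensitive in the body.'
                '</w:t></w:r></w:p></w:body></w:document>')
    header = f'<w:hdr {w}><w:p><w:r><w:t>INTERNAL ONLY</w:t></w:r></w:p></w:hdr>'
    signature = ('<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
                 '<Object>CONFIDENTIAL</Object></Signature>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", document)
        z.writestr("word/header1.xml", header)
        z.writestr("_xmlsignatures/sig1.xml", signature)
    return buf.getvalue()


if __name__ == "__main__":
    hits, skipped = scan_docx(build_sample_docx())
    for area, part, text in hits:
        print(f"CCL match in {area} ({part}): {text!r}")
    for part in skipped:
        print(f"not checked (signature data): {part}")
```

The marker in the Subject property and in the page header is reported, while the same word inside the signature part is not, which is exactly the gap the note above describes.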
Manage Data Loss Prevention Rules
The Manage Data Loss Prevention Rules page lists the existing DLP rules and allows you to manage their use across multiple policies. Each rule's name, source, and type are displayed.
Go to My Products > General Settings. Under Data Loss Prevention, click Rules.
On this page, you can do as follows:
- Search for existing DLP rules.
- Filter the DLP rules by Rule Type.
- Create new custom rules. See Create a Data Loss Prevention Rule.
To edit a rule, click the name of the rule.
To view details of a rule, hover over the Information icon.
To export custom rules, click the Export icon. This creates an XML file containing the rule definition.
To clone a rule, click the Clone icon. See Clone a rule.
To delete a rule, click the Delete icon and then click Delete item to confirm deletion.
Clone a rule
To clone a rule, do as follows:
- Click the Clone icon.
- Enter the name for the cloned rule.
- Click Clone item. This adds the cloned rule to the list of rules.
- (Optional) You can edit the cloned rule by clicking its name from the list of rules.
File types that DLP can scan
DLP can scan a wide range of file types, grouped into the following categories:
- Archive
- Audio
- Container
- Database
- Design
- Document
- Disk container
- Encryption
- Encryption - Sophos
- Executable
- Image
- Information Rights Management
- Interactive Media
- Medical image formats
- Media container
- Object code
- Office password protected
- Password repository
- Plain text
- Presentation
- Script/Markup
- Science/Engineering
- Spreadsheet
- Video
- Virtualization Container
More resources
The following video provides an overview of DLP and shows how to create DLP rules.