Cisco Secure Email Support Community

RSKadish
Beginner

False negatives for DLP filters - Spreadsheets

Hello all,

We are evaluating DLP on an ESA C170.  Overall, it's going pretty well.  

One of the DLP policies I turned on is the out-of-the-box "Suspicious Transmission (Spreadsheets to Webmail)" policy.  While it does trigger, I realized that it is also letting some emails with spreadsheets through.  It's a pretty straightforward policy; it matches on recipients and attachment types.  Every hit we've had so far has been HIGH severity, which seems to be the default for the policy.

Under what circumstances would this rule not trigger on an email going, say, to Gmail with an XLSX file attached?

Any help is appreciated!

Thanks,

- Steve

4 REPLIES
ppreenja
Cisco Employee

Hello Steve,

From the description of your issue, I believe you are hitting the below bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq02480

Work-around for the same is as below:
Create a copy of this policy with the additional option selected of: "Only apply to encrypted or password-protected attachments."

However, currently, there is no fix for the same and you can add yourself to the notification so that you get notified once a fix is in place.

I hope this helps!

Cheers,
Pratham

Hello Pratham,

Thanks for the assistance.  However, we are not running the affected version (12.1.0-071) listed in that bug.  We are running 11.0.2-044.

Best regards,

- Steve

Hello Steve,

Although AsyncOS version 11.0.2-044 is not mentioned, it will also be affected by the same bug. AsyncOS version 12.1.0-071 is mentioned as it was detected first in AsyncOS version 12.

Cheers,
Pratham

Thank you, Pratham!  I will look into implementing the workaround.

Best regards,

- Steve Kadish