
False negatives for DLP filters - Spreadsheets

RSKadish
Level 1

Hello all,

We are evaluating DLP on an ESA C170.  Overall, it's going pretty well.  

One of the DLP policies I turned on is the out-of-the-box "Suspicious Transmission (Spreadsheets to Webmail)" policy.  While it does trigger, I realized that it is also letting some emails with spreadsheets through.  It's a pretty straightforward policy; it matches on recipients and attachment types.  Every hit we've had so far has been HIGH severity, which seems to be the default for the policy.

Under what circumstances would this rule not trigger on an email going, say, to Gmail with an XLSX file attached?

Any help is appreciated!

Thanks,

- Steve

 

4 Replies

ppreenja
Cisco Employee

Hello Steve,

From the description of your issue, I believe you are hitting the below bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq02480

Work-around for the same is as below:
Create a copy of this policy with the additional option selected of: "Only apply to encrypted or password-protected attachments."

However, currently, there is no fix for the same and you can add yourself to the notification so that you get notified once a fix is in place.

I hope this helps!

Cheers,
Pratham

Hello Pratham,

 

Thanks for the assistance.  However, we are not running the affected version (12.1.0-071) listed in that bug.  We are running 11.0.2-044.

 

Best regards,

- Steve

Hello Steve,

Although AsyncOS version 11.0.2-044 is not mentioned, it will also be affected by the same bug. AsyncOS version 12.1.0-071 is mentioned as it was detected first in AsyncOS version 12.

Cheers,
Pratham

Thank you, Pratham!  I will look into implementing the workaround.

 

Best regards,

- Steve Kadish

 
