I Want One Too
For the past couple of weeks, I’ve been investigating what triggers browsers to export files from my computer and which files are being targeted. The files range from simple text documents with no apparent value to PHA and PII data. I haven’t found any consistent pattern in the files being selected for export. Here’s what I’ve observed so far:
1. When closing files, folders, or applications, I received notifications that a file was attempting to be exported. If I blocked the attempt, the application would try again at least 2 to 3 more times, either within a few seconds or a few minutes.
2. I found repetition in the files being exported. The same set of files was selected for export 2 to 3 times. Regardless of whether the attempts succeeded or failed, a few days later another set of files was selected for export. This leads me to believe that the file type or content doesn’t matter—any file that can be copied and exported seems to be fair game. The system will try to export the files numerous times, making sure that it receives the latest version.
3. While downloading files from different websites, I received pop-ups asking me to allow or block the transfer of the file. Both files were publicly available documents. I denied the transfer, suspecting a DLP issue, but after repeated tests, I found the files in my download folder. However, when I tried to open the files in Edge, I received an error message stating they were corrupt. Oddly enough, the same files opened without any issues in Adobe Reader. The one thing to note is the program does not try to export every file I downloaded.
To address these concerns, I’ve tightened restrictions within my DLP settings, limiting the export of files by extensions, names, and other identifiers. Additionally, I’ve created an expression to match Social Security Numbers, which has proven effective in my initial testing. There’s still more to fine-tune, but my ultimate goal is to minimize or entirely eliminate unauthorized file exports.
If your antivirus solution doesn’t offer this type of protection, contact me. Sophos’ Intercept X Advanced includes this feature along with several others that could be highly beneficial to you.
To try it out for free, go to the Sophos website: https://lnkd.in/eYF333Q8
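The post mentions an expression that matches Social Security Numbers for DLP content rules. The sketch below is an added example, not the author's expression and not Sophos rule syntax: it uses Python's `re` dialect (a DLP product's expression syntax may differ) and pairs a candidate pattern with the structural checks that cut false positives. The function names and the sample text are constructed for illustration.

```python
import re

# Candidate shape: AAA-GG-SSSS, AAA GG SSSS, or nine bare digits. The same
# separator must appear in both positions, and no digit may touch either end,
# so phone numbers and longer numeric IDs are not picked up.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

def is_plausible_ssn(area, group, serial):
    """Reject values the SSA never issues: area 000, 666, 900-999;
    group 00; serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def find_ssns(text):
    """Return every substring that is shaped like an SSN and passes the checks."""
    return [m.group(0) for m in SSN_CANDIDATE.finditer(text)
            if is_plausible_ssn(m.group(1), m.group(3), m.group(4))]

def redact(text):
    """Mask plausible SSNs, keeping the last four digits for triage."""
    def _mask(m):
        area, sep, group, serial = m.groups()
        if not is_plausible_ssn(area, group, serial):
            return m.group(0)  # leave non-SSN lookalikes untouched
        return f"***{sep}**{sep}{serial}"
    return SSN_CANDIDATE.sub(_mask, text)

# Constructed sample content (not real data): two plausible SSNs plus
# lookalikes that a naive \d{3}-\d{2}-\d{4} rule would flag or mishandle.
SAMPLE = (
    "Employee: J. Doe, SSN 123-45-6789, ext. 555-123-4567\n"
    "Legacy ID 219099999 on file; test record 000-12-3456\n"
    "Invoice 666-12-3456, tracking 9876543210, ref 912-34-5678\n"
)

if __name__ == "__main__":
    print(find_ssns(SAMPLE))
    print(redact(SAMPLE))
```

Testing a rule like this against both true matches and lookalikes before enforcing a block action helps keep legitimate transfers from being stopped.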