DLP - Detections triggered on the Desktop directory from Microsoft Edge Process

Issue


On Feb 9th, Microsoft released Edge version 110.0.1587.41. With this version installed, we have seen DLP rules for web browsers trigger on files present on the Desktop. This is due to Edge reading every file on the desktop.

Development is investigating what setting or feature of Edge is triggering these file-read actions.

Update Feb 14:

Sophos development has confirmed that Edge version 110 is reading all the files located on the user's Desktop. They have also confirmed that Edge version 109 gathers a list of all files on the Desktop, but does not read them.

Sophos DLP scanning for Internet Browsers monitors file reads made by the browser process and processes them through the selected rules. As Edge is reading all the files on the Desktop, the scan and potential detections are occurring correctly.

Sophos has reached out to Microsoft to provide clarity on this behavior of Edge.

Applies to the following Sophos product(s) and version(s)


Sophos Endpoint Agent

Impact


When Microsoft Edge is launched, DLP rules that are set to apply to Internet Browser: Microsoft Edge will be run against files on the Desktop (as Edge is reading those files).

If any files match the DLP rules, an event will be seen in Sophos Central, and the user may be prompted to Allow or Block the files if the policy is set to “Allow transfer on acceptance by user”.
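
For triaging the resulting events, the following is an added example (not Sophos code) that separates events fitting the behavior described above, a read by msedge.exe of a file on a user's Desktop, from events that need normal review. The event field names, the sample events, and the Desktop path patterns (including OneDrive redirection and Desktop subfolders) are assumptions made for illustration.

```python
import ntpath
import re
from collections import Counter

# Assumption: a Desktop is C:\Users\<name>\Desktop, or the same folder redirected
# under a OneDrive directory. Subfolders of the Desktop are treated as in scope.
DESKTOP_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(?:onedrive[^\\]*\\)?desktop\\", re.IGNORECASE)

def is_edge_desktop_read(event):
    """True when msedge.exe read a file located on a user's Desktop."""
    process = ntpath.basename(event["process"]).lower()
    # normpath unifies separators and collapses "..", so a path that only
    # passes through the Desktop is not counted as being on it.
    path = ntpath.normpath(event["file"])
    return process == "msedge.exe" and DESKTOP_RE.match(path) is not None

def triage(events):
    """Split events into (matches the Edge pattern, needs review, per-host counts)."""
    expected, review = [], []
    for event in events:
        (expected if is_edge_desktop_read(event) else review).append(event)
    return expected, review, Counter(e["host"] for e in expected)

# Constructed sample events; the field names are hypothetical.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"host": h, "process": p, "file": f} for h, p, f in [
        ("PC-01", EDGE, r"C:\Users\alice\Desktop\payroll.xlsx"),
        ("PC-01", EDGE.upper(), "c:/users/alice/desktop/contracts/nda.pdf"),
        ("PC-02", EDGE, r"C:\Users\bob\OneDrive - Example\Desktop\plan.docx"),
        ("PC-02", EDGE, r"C:\Users\bob\Downloads\export.csv"),
        ("PC-03", CHROME, r"C:\Users\carol\Desktop\notes.txt"),
        ("PC-01", EDGE, r"C:\Users\alice\Desktop\..\Documents\cv.docx"),
    ]
]

if __name__ == "__main__":
    expected, review, per_host = triage(SAMPLE_EVENTS)
    for host, count in sorted(per_host.items()):
        print(f"{host}: {count} event(s) match the Edge Desktop-read pattern")
    for event in review:
        print(f"review: {event['host']} {event['file']}")
```

A match only shows that an event fits the pattern: a real upload of a Desktop file through Edge looks the same in these fields, so matched events should still be weighed against when Edge was launched.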

Current status


The issue is currently being investigated by development in the following Jira ticket: WINEP-46417

What to do

Our Development team is investigating this issue.

Workaround


For DLP rules that have Internet Browser: Microsoft Edge selected, unselect it.
The impact of this workaround is that Edge is not monitored for these DLP rules. If DLP is required, it is recommended to also use Application Control to block Microsoft Edge, to prevent its usage.
