DLP – False positives from SCCM ClientWebService

I need a solution

Hi, we’re running DLP Endpoint on a number of machines and I’m having issues trying to filter out false positives that are being generated by SCCM processes on our systems. I have a policy set up to identify and create incidents for credit card numbers, with the scope set to Narrow width. I’m seeing numerous incidents being generated that are false positives, example below.

Endpoint Location: On the Corporate Network
Application: Microsoft Host Process For Windows Services
URL: http://sccm-server.mydomain.local:8530/ClientWebService/client.asmx
Destination IP:

The message body has 87 matches for what it believes are credit card numbers, however upon inspection it’s definitely false positives:

<DriverVerVersion> 2814750890000385</DriverVerVersion><Class>{4D36E97D-E325…00:00Z</DriverVerDate><DriverVerVersion> 2814750890000385</DriverVerVersion><Class>{4D36E97D-E325…00:00Z</DriverVerDate><DriverVerVersion> 2814750890000385</DriverVerVersion><Class>{4D36E97D-E325…00:00Z</DriverVerDate><DriverVerVersion> 2814750890000385</DriverVerVersion><Class>{4D36E96C-E325…00:00Z</DriverVerDate><DriverVerVersion> 2814750890000385</DriverVerVersion>

In my Agent Configuration I’ve already added the SCCM server’s hostname and IP address to the Filter By Network Properties field in the formats below

IP Filters: -,

Domain HTTP Filters: -sccm-server.mydomain.local

However this doesn’t appear to have worked as I’m still getting events generated even after recycling the detection server and restarting the agents.

I’ve also tried editing the policy and adding an optional validator to the Credit Card policy to exclude beginning characters “<DriverVerVersion>” but when I try to save this it throws up an error as it contains non-digits.

What’s the best way to filter out this sort of traffic?
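An added example, not from the post and not Symantec DLP code, showing why this value trips a credit-card rule and how a context-aware validator would suppress it: 2814750890000385 passes the Luhn checksum that such rules apply, but it has no issuer prefix and it sits inside a DriverVerVersion element. The SAMPLE body, the CANDIDATE pattern and the issuer ranges are assumptions constructed for the example.

```python
import re

# Candidate shape a DLP credit-card rule looks for: 13-19 digits, optional space/dash separators.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
TAG = re.compile(r"<(/?)([A-Za-z][\w.-]*)[^>]*>")  # XML open/close tags

# Constructed sample: three driver records shaped like the quoted SCCM body, plus one Visa test number.
SAMPLE = (
    "<DriverVerVersion> 2814750890000385</DriverVerVersion>"
    "<DriverVerDate>2019-01-01T00:00:00Z</DriverVerDate>"
) * 3 + " ticket note: customer card 4111 1111 1111 1111 sent in clear"

def luhn_ok(digits):
    # Luhn mod-10 checksum, the validator a credit-card rule applies first.
    doubled = (int(c) * 2 if i % 2 else int(c) for i, c in enumerate(reversed(digits)))
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def issuer_ok(digits):
    # Coarse IIN prefix + length check for the major brands (assumed ranges, deliberately minimal).
    n, p2, p4 = len(digits), int(digits[:2]), int(digits[:4])
    return ((digits[0] == "4" and n in (13, 16, 19))                    # Visa
            or ((51 <= p2 <= 55 or 2221 <= p4 <= 2720) and n == 16)    # Mastercard
            or (p2 in (34, 37) and n == 15)                             # Amex
            or ((p4 == 6011 or p2 == 65) and n == 16))                  # Discover

def enclosing_element(text, pos):
    # Innermost XML element still open at offset pos (None when outside any element).
    stack = []
    for closing, name in TAG.findall(text[:pos]):
        if not closing:
            stack.append(name)
        elif stack and stack[-1] == name:
            stack.pop()
    return stack[-1] if stack else None

def scan(text, excluded_elements=("DriverVerVersion",)):
    # One (digits, verdict) pair per candidate; only a "match" verdict would raise an incident.
    results = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if enclosing_element(text, m.start()) in excluded_elements:
            verdict = "rejected: inside excluded element"
        elif not luhn_ok(digits):
            verdict = "rejected: luhn"
        elif not issuer_ok(digits):
            verdict = "rejected: no issuer prefix"
        else:
            verdict = "match"
        results.append((digits, verdict))
    return results
```

Running scan(SAMPLE) rejects the three DriverVerVersion values and keeps only the card number outside any element; with the element exclusion removed the same values are still rejected, this time on the issuer-prefix check.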

Advisory: Sophos UTM 9 – Web Categorization Issues (Western Europe region)

On July 19th, customers in Western Europe reported slow or failing Web Categorization, with heavy packet loss to the Categorization Servers.

Applies to the following Sophos product(s) and version(s)

Sophos UTM 9

Customers reported the following:

  • Slow Web Browsing (unusual high category time in http Log)
  • Blocked websites due to Filter block (web request warned, forbidden category detected)

2019/07/19: Issue is resolved

Workaround in case of Filter Block: allow Uncategorized websites in the Filter Action

No further status update.


Devices getting software not assigned to them

I need a solution

This has been an ongoing random issue for about 1 1/2 now; these devices are not assigned to the filter nor any policies for the software, yet the agent installs the software. We thought maybe it was dup GUIDs, so we turned on the policy to correct GUIDs and that did find devices, but the fact we have dup GUIDs is even odder: our imaging is doing sysprep, and some of these dupe GUIDs are on Mac devices that we don’t image; people have non-Mac software being assigned to them. If our devices didn’t get sysprepped we would be having a whole ton of other issues and it would be more than just the 50 or so devices that showed.

Opened a ticket, but I have run out of ideas of what is even causing this or where to start; I used to blame it on someone adding devices to filters by mistake, but audits show those filters are not even updating.