Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 15 subscribers
  • Views 2562 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Peripheral Control still does not enumerate InstanceIDs containing "&"

Ken Lux

Hi,

We wanted to issue company-owned USB drives and then use Sophos to block all other USB drives. This seemed straightforward - buy USB drives, plug them in with peripheral control in monitor mode to get the InstanceIDs of each USB stick, and then block USB storage with exceptions for the InstanceIDs collected in the previous step.

However, after we purchased the USB drives, we noticed that Sophos peripheral control does not enumerate the InstanceIDs of these USB sticks.

This problem was raised in the forum, and it appears that if the InstanceID has the "&" character in it, then Sophos Peripheral control leaves the InstanceID blank. Unfortunately, the response from Sophos was to discuss with them directly, and then the thread was locked: 

 https://community.sophos.com/intercept-x-endpoint/f/discussions/129497/base-policy---peripheral-control---no-instance-id-for-iphones 

Are there any plans to fix this bug?

Is there another way to block all USB drives except for certain specific USB drives (as opposed to a drive model)?

Thanks,

Ken



This thread was automatically locked due to age.
  • 0

    I just tested with my iPhone as a MTP device and it worked.For example, it shows the device in Device Manager as having the "Device Instance Path" as follows:

    USB\VID_05AC&PID_12A8&MI_00\6&6E4B797&0&0000

    I had a policy initially to block all devices so the device became disabled.

    Evidence of this at the client:

    In Sophos Central against the device:

    In the client log file: "C:\ProgramData\Sophos\Endpoint Defense\Logs\SSPDevCon.log".  We can see the SSPDevCon.exe command line tool being run to first disable the device and then to enable it when the policy was received. 

    2022-12-18T16:28:43.725Z [ 2720: 7564] A "C:\\Program Files\\Sophos\\Endpoint Defense\\SSPDevCon.exe" disable USB\VID_05AC&PID_12A8&MI_00\6&6E4B797&0&0000
    2022-12-18T16:28:43.857Z [ 2720: 7564] A SetDeviceState attempt 0 success
    2022-12-18T16:28:43.858Z [ 2720: 7564] A finished returning 0
    2022-12-18T16:43:20.912Z [13792:11920] A "C:\\Program Files\\Sophos\\Endpoint Defense\\SSPDevCon.exe" enable USB\VID_05AC&PID_12A8&MI_00\6&6E4B797&0&0000
    2022-12-18T16:43:21.193Z [13792:11920] A SetDeviceState attempt 0 success
    2022-12-18T16:43:21.194Z [13792:11920] A finished returning 0

    In the registry the state is persisted here:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EndpointDefense\DeviceControl\DisabledDevices
    mtp
    USB\VID_05AC&PID_12A8&MI_00\6&6E4B797&0&0000

    I then added this as an exemption in the policy from Central:

    The policy ended up here:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\DeviceControl\20221218164320827504\device_types\device_type_000008\exemptions\exemption_000000
    access = allowed
    device_id = USB\VID_05AC&PID_12A8&REV_1201&MI_00

    where 20221218164320827504 is the latest policy revision.

    The device then became active in Device Manager.

    Maybe these steps will offer something to check.

  • 0 in reply to Sophos User930

    If you look at the screenshot you showed for setting peripheral exemptions, the Instance ID field is blank, and you are allowing by model, not by instance. So, in your case, any iPhone of the same model would be exempted, not just your iPhone.

    Here is what I see for a few removable storage devices:

    Though it looks like I found the answer elsewhere, devices with an Instance ID that has the 2nd symbol as "&" are devices without serial numbers encoded in their firmware, and Windows creates an Instance ID upon plugging them in - this Instance ID will NOT be the same across multiple computers.

    Maybe the DiskID could be used instead (I believe this should be constant across machines, but will change on a reformatting of the flash drive)?

Unfiltered HTML