This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Blocked mtp/ptp device printer while installing

Hi there,

I do have a policy Block-USB devices with many exceptions.

Suddenly I got the message the device is blocked when installing a printer even when the printer ( MTP/PTP ) is on the exception list by model-id.

Model-ID: UMB\VEN_03F0&DEV_HP_PageWide_MFP_P57750&SUBSYS_J9V82B

In windows the user goes to setting>devices>printer&scanner > add a printer

Then windows find the printer and you can choose it to install it.

Then the massage pops up that it is blocked.

In Sophos central I found NO entry in this policy > peripheral exemptions > add exemptions to add this printer to the list .

It is already added to the list and till a few weeks ago it worked fine but now this printer model is blocked.

Is there a log-file where I can find what part will be blocked ?

But not the folder: C:\ProgramData\Sophos\Sophos Device Control > it is not existing!

In Sophos central client event I get this:

Sep 27, 2023 3:54 PM Peripheral blocked: HP PageWide MFP P57750 [729989]

But when I install the printer not from the windows finding then choose manuell with the IP-address, then the installation works but the user need an admin-account.

Any idea ?

Many thanks

Thomas

This thread was automatically locked due to age.

Parents

0 Qoosh 9 months ago

Hi Thomas,

Thanks for reaching out to the Sophos Community Forum.

I suggest checking "C:\ProgramData\Sophos\Endpoint Defense\Logs\SSPDevCon.log" and "SSP.log".

Do you know if the printer has had any recent firmware or software updates which could cause the device to be recognized differently by the computer?

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Qoosh 9 months ago

Hi Thomas,

Thanks for reaching out to the Sophos Community Forum.

I suggest checking "C:\ProgramData\Sophos\Endpoint Defense\Logs\SSPDevCon.log" and "SSP.log".

Do you know if the printer has had any recent firmware or software updates which could cause the device to be recognized differently by the computer?

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Thomas Meier2 9 months ago in reply to Qoosh

Hi Qoosh,

many thanks for your answer. ( Because I'm the only IT person in our company I could not answer earlier )

Now I analysed also the log-files and exported a peripheral report from central.

In the logs I found this:

SSP.log:

2023-10-09T11:32:37.956Z [ 3904: 5956] A DeviceControl: Use of controlled device disabled, deviceType=mtp, deviceId=SWD\ESCL\19977B18-38D6-D9AD-8DBD-7A3679B629CD

SSPDevCon.log:

2023-10-09T11:32:37.928Z [11556: 8868] A "C:\\Program Files\\Sophos\\Endpoint Defense\\SSPDevCon.exe" disable SWD\ESCL\19977B18-38D6-D9AD-8DBD-7A3679B629CD

in exported all-peripheral devices:

mtp HPC60996 (HP PageWide MFP P57750) UMB\VEN_03F0&DEV_HP_PageWide_MFP_P57750&SUBSYS_J9V82B SWD\DAFWSDPROVIDER\URN:UUID:19977B18-38D6-D9AD-8DBD-7A3679B629CD/19977B18-38D6-D9AD-8DBD-7A3679B629CD/SCANSERVICE Client001 0 NT-AUTORITÄT\SYSTEM Allowed

The device ID is: 19977B18-38D6-D9AD-8DBD-7A3679B629CD in all three files.

Now I found the same problem on many PC when connecting to this spezial printer model ( HP PageWide MFP P57750 ) and we do have four of them.

Just the device ID is different. On other printer models all works fine!

Could I add manually an exemption to the list of peripheral exemptions?

I can not choose the devices because it is not listet.

All exemptions are enforce by model ID and not by instance ID.

On one PC I also reinstalled sophos intercept X but the same problem. There are no changes made on the printers.

Core Agent: 2023.1.3.5

sophos intercept X: 2023.1.1.7

endpoint protection: 10.8.11.4

many thanks

Thomas
Cancel
Vote Up 0 Vote Down

Cancel
0 Qoosh 9 months ago in reply to Thomas Meier2

Thanks for following up.

You can find the list of peripheral exemptions which are applied on the endpoints by checking the following registry key.
- HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\DeviceControl\ <highest number> \device_type_000006\exemptions

Adding an entry locally will not work. The self-repair operations the endpoint performs will remove the extra registry entry.

Can you try the following?
- Clone the current policy
- In the cloned policy, remove the exemption for this device and save the policy
- Re-add the same exemption
- Apply this cloned policy to one of the devices to test

If this also does not work, I'd suggest raising a case through the Support Portal so further investigation can occur. If you can also send me your case ID via private message, I will try adding notes to the case to help out.

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 Thomas Meier2 9 months ago in reply to Qoosh

Many thanks for your ideas
I now made a new policy where all devices are blocked.
Then I tried to install the printer and it was blocked ( of course )
Then I added this printer as exemption. ( it was listed )
Then I uninstalled the printer and tried to install it again.
Between every step I made Sophos update an rebooted the PC

Same problem............

In the registry I found these keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\DeviceControl\20231011110537553667\device_types\device_type_000008\exemptions\exemption_000005]
"access"="allowed"
"device_id"="UMB\\VEN_03F0&DEV_HP_PageWide_MFP_P57750&SUBSYS_J9V82B"

[HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\DeviceControl\20231011110537553667\device_types\device_type_000008\exemptions\exemption_000006]
"access"="allowed"
"device_id"="mf\\pagewide_mfp_p57750&wsd&ip_scan"

[HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\DeviceControl\20231011110537553667\device_types\device_type_000008\exemptions\exemption_000007]
"access"="allowed"
"device_id"="UMB\\VEN_05ca&DEV_RICOHMP_C306Z"

With ricoh printer it works.

It's cracy, with other printer models it works as it should and with this printer it worked till a few weeks ago.

BTW: the registry key for this device is device_type_000008 not 000006.

I now will open a ticket but first I will create a good dokumentation what I tested...
I will send you the case ID
Could you tell me how I can send a privat message?

many thanks
Thomas

PS: in the log and also registry key use UTC time and I have to add two houres...to verify when it happened
Cancel
Vote Up 0 Vote Down

Cancel
0 Qoosh 9 months ago in reply to Thomas Meier2

You can send a private message either by hovering your cursor over the username of the desired user, or by opening the messages app.

Hover cursor over username:

Messages app on the top right:

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel