This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Blocked mtp/ptp device printer while installing

Hi there,

I do have a policy Block-USB devices with many exceptions.

 

Suddenly I got the message the device is blocked when installing a printer even when the printer ( MTP/PTP ) is on the exception list by model-id.

Model-ID: UMB\VEN_03F0&DEV_HP_PageWide_MFP_P57750&SUBSYS_J9V82B

In windows the user goes to setting>devices>printer&scanner > add a printer

Then windows find the printer and you can choose it to install it.

Then the massage pops up that it is blocked.

In Sophos central I found NO entry in this policy > peripheral exemptions > add exemptions to add this printer to the list .

It is already added to the list and till a few weeks ago it worked fine but now this printer model is blocked.

Is there a log-file where I can find what part will be blocked ?

But not the folder: C:\ProgramData\Sophos\Sophos Device Control > it is not existing!

 

In Sophos central client event I get this:

Sep 27, 2023 3:54 PM           Peripheral blocked: HP PageWide MFP P57750 [729989]

 

But when I install the printer not from the windows finding then choose manuell with the IP-address, then the installation works but the user need an admin-account.

Any idea ?

Many thanks

Thomas



This thread was automatically locked due to age.
Parents Reply Children
  • Hi Qoosh,

    many thanks for your answer. ( Because I'm the only IT person in our company I could not answer earlier )

    Now I analysed also the log-files and exported a peripheral report from central.

    In the logs I found this:

    SSP.log:

    2023-10-09T11:32:37.956Z [ 3904: 5956] A DeviceControl: Use of controlled device disabled, deviceType=mtp, deviceId=SWD\ESCL\19977B18-38D6-D9AD-8DBD-7A3679B629CD

    SSPDevCon.log:

    2023-10-09T11:32:37.928Z [11556: 8868] A "C:\\Program Files\\Sophos\\Endpoint Defense\\SSPDevCon.exe" disable SWD\ESCL\19977B18-38D6-D9AD-8DBD-7A3679B629CD

    in exported all-peripheral devices:

    mtp    HPC60996 (HP PageWide MFP P57750)    UMB\VEN_03F0&DEV_HP_PageWide_MFP_P57750&SUBSYS_J9V82B    SWD\DAFWSDPROVIDER\URN:UUID:19977B18-38D6-D9AD-8DBD-7A3679B629CD/19977B18-38D6-D9AD-8DBD-7A3679B629CD/SCANSERVICE    Client001    0    NT-AUTORITÄT\SYSTEM    Allowed

    The device ID is: 19977B18-38D6-D9AD-8DBD-7A3679B629CD in all three files.

    Now I found the same problem on many PC when connecting to this spezial printer model ( HP PageWide MFP P57750 ) and we do have four of them.

    Just the device ID is different. On other printer models all works fine!

    Could I add manually an exemption to the list of peripheral exemptions?

    I can not choose the devices because it is not listet.

    All exemptions are enforce by model ID and not by instance ID.

    On one PC I also reinstalled sophos intercept X but the same problem. There are no changes made on the printers.

    Core Agent: 2023.1.3.5

    sophos intercept X: 2023.1.1.7

    endpoint protection: 10.8.11.4

    many thanks

    Thomas

  • Thanks for following up.

    You can find the list of peripheral exemptions which are applied on the endpoints by checking the following registry key.
    -  HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\DeviceControl\ <highest number> \device_type_000006\exemptions

    Adding an entry locally will not work. The self-repair operations the endpoint performs will remove the extra registry entry. 

    Can you try the following? 
    - Clone the current policy
    - In the cloned policy, remove the exemption for this device and save the policy
    - Re-add the same exemption
    - Apply this cloned policy to one of the devices to test

    If this also does not work, I'd suggest raising a case through the Support Portal so further investigation can occur. If you can also send me your case ID via private message, I will try adding notes to the case to help out.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Many thanks for your ideas
    I now made a new policy where all devices are blocked.
    Then I tried to install the printer and it was blocked ( of course )
    Then I added this printer as exemption. ( it was listed )
    Then I uninstalled the printer and tried to install it again.
    Between every step I made Sophos update an rebooted the PC

    Same problem............

    In the registry I found these keys:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\DeviceControl\20231011110537553667\device_types\device_type_000008\exemptions\exemption_000005]
    "access"="allowed"
    "device_id"="UMB\\VEN_03F0&DEV_HP_PageWide_MFP_P57750&SUBSYS_J9V82B"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\DeviceControl\20231011110537553667\device_types\device_type_000008\exemptions\exemption_000006]
    "access"="allowed"
    "device_id"="mf\\pagewide_mfp_p57750&wsd&ip_scan"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\DeviceControl\20231011110537553667\device_types\device_type_000008\exemptions\exemption_000007]
    "access"="allowed"
    "device_id"="UMB\\VEN_05ca&DEV_RICOHMP_C306Z"

    With ricoh printer it works.

    It's cracy, with other printer models it works as it should and with this printer it worked till a few weeks ago.

    BTW: the registry key for this device is device_type_000008 not 000006.

    I now will open a ticket but first I will create a good dokumentation what I tested...
    I will send you the case ID
    Could you tell me how I can send a privat message?

    many thanks
    Thomas

    PS: in the log and also registry key use UTC time and I have to add two houres...to verify when it happened

  • You can send a private message either by hovering your cursor over the username of the desired user, or by opening the messages app. 

    Hover cursor over username:




    Messages app on the top right:
     

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids