"Wanna" ransomware outbreak. Please see this Sophos article sophos.com/kb/126733 for advice on how to protect your organization. Immediate action recommended.
This article details the behaviour of the Device Control feature within Sophos Anti-Virus for Mac as well as showing the differences when compared to the Device Control feature for Sophos Anti-Virus for Windows.
Note: The Device Control feature within Sophos Anti-Virus for Mac is only available with Sophos Anti-Virus version 9.1.3 and above. Therefore on-premise customers can expect it to be available from April onwards.
Applies to the following Sophos product(s) and version(s): Sophos Anti-Virus for Mac OS X
This table identifies the storage types and policy options supported by Device Control in Sophos Anti-Virus for Windows, and Sophos Anti-Virus for Mac OS X.
Removable storage devices on Mac OS X include, but are not limited to, the following:
If the policy for Secure Removable Storage is modified whilst Secure Removable Storage devices are attached to systems, these devices will have to be removed from the system and then re-attached before the new policy applies to them. Modifications include changing from Deny to Allow, Allow to Deny, or adding or removing an exemption.
For example, if the policy denies access to Secure Removable Storage and a Secure Removable Storage device is attached to the system, it will be blocked. If the policy is then modified to allow access to Secure Removable Storage, the device will remain blocked until it is removed and then re-attached.
The policy for Optical Drives covers both the physical drive as well as the optical media within it. The following media is supported: CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-R, and DVD-RW.
The Optical Drive policy is evaluated at the point at which the filesystem attempts to mount the media. On Mac OS X this will result in access to the optical media being denied as well as the Optical Drive ejecting the media.
Optical media that has been 'sealed' as read-only can be accessed when the policy allows read-only access to Optical Drives. CD-R, CD-RW, DVD-R, and DVD-RW media that is still writable and not sealed will be blocked.
If a disc is being burned when the Device Control policy on the endpoint changes to only allow read-only access, the current burning sessions will complete, and then the policy will be actioned.
Removable media encrypted using the built-in Mac OS X encryption (typically enabled through the Finder, using Disk Utility, or with Time Machine) cannot be used with 'Read-Only' mode. These devices will not mount. It will seem that the password is not accepted, even when the correct password is supplied.
If a disc is being burned when the Device Control policy on the endpoint changes to block access, the current burning sessions will complete, and then the policy will be actioned.
There is special concern when blocking removable media encrypted using the built-in Mac OS X encryption. Always cancel the authentication prompt when displayed. Abrupt removal of the device without canceling the authentication prompt can lead to system instability.
The wireless device control policy on Mac OS X will only affect Airport devices. Other wireless devices that are connected via USB or another connector and that do not appear as an 'Airport' device in the Operating System are not covered. This may include, but is not limited to, USB Modems (3G Dongles), Bluetooth Modems, and Smartphone tethering.
This policy option will restrict the OS X system to having either an active wireless link, or any Ethernet link.
Mobile devices that are blocked will not receive power via the USB (or other connector) port.
If Sophos Anti-Virus is installed on the host system all devices attached to it, and passed through to the VM, will be covered by Device Control.
If Sophos Anti-Virus is installed on the host system only devices passed to the host will be covered by Device Control. If, when prompted, the user selects to pass the device to the VM, Device Control on the host is unable to interact with the device.
In this situation it is recommended that Sophos Anti-Virus is installed on the VM and that Device Control is enabled.