
Re: Erroneous Device Control alerts

I have the Device Control setup to alert (via email) when a write event occurs on any USB drives.  This allows us to monitor the writing to removable media.  But, we are getting alerts when no files have changed.  We have disabled AutoPlay, and I have confirmed that no files have changed on the device (by reviewing the 'Date Modified' on the files).

We are using Windows 7, Windows Vista, and Windows XP Clients with Sophos Endpoint Security and Control 10.0 (Device Control 10.0.10).

I think this might be caused by the Windows OS updating the LastAccessTime in the NTFS filesystem.  Has anyone else tried to do this?  Is there a better way to tell when a file has been written to a removable device?

QC,

Thank you for the quick reply.  I am trying to use the alerts to notify managers that someone is writing/changing files on their USB device.  So, one alert per event is perfect.

I tried your Data Control suggestion.  I had to put in an exclusion (otherwise it would not save my rule).  I tested it, and it appears to only report some of the write events.  It did not seem to report (to the enterprise console, under the computer's details) renaming the file, copying a file on the USB device to the same USB device, nor deleting a file.  It did not report read events, which is good.

This is better than 100+ alerts a day regarding device writes, but I do not believe it will satisfy our audit.  Do you think not reporting the rename, copy/paste, and delete events is correct, or could I have something configured wrong?
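An added example for both posts above (this is not code from the thread or from Sophos): a PowerShell script that watches every mounted removable drive with System.IO.FileSystemWatcher and logs one line per create, change, rename, or delete, which are exactly the event kinds the reply says were only partly reported. It deliberately leaves LastAccess out of the notify filter, so a read that only bumps the NTFS last-access timestamp (the suspected cause in the first post) produces no line. The `fsutil behavior query DisableLastAccess` call at the top is a real Windows command that shows whether last-access updates are enabled on the host; the log path and the `usb-` event identifiers are assumptions of this example.

```powershell
# Added example, not part of the original thread or of Sophos Device Control.
# Assumes PowerShell 2.0 or later and that the user can read the removable drives.

# Caveat check: "DisableLastAccess = 0" means reads alone update file metadata,
# which is the behaviour the first post suspects of causing spurious write alerts.
fsutil behavior query DisableLastAccess

$logPath = Join-Path $env:TEMP 'removable-writes.log'   # assumed location

# Win32_LogicalDisk DriveType 2 = removable disk. Each entry becomes a root like "E:\".
$removable = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2' |
    ForEach-Object { $_.DeviceID + '\' }

if (-not $removable) { Write-Host 'No removable drives mounted.'; return }

# One log line per event; rename events also carry the old name.
$action = {
    $e = $Event.SourceEventArgs
    $line = '{0:u}  {1,-8}  {2}' -f (Get-Date), $e.ChangeType, $e.FullPath
    if ($e.ChangeType -eq 'Renamed') { $line += ('  (was {0})' -f $e.OldFullPath) }
    Add-Content -Path $Event.MessageData -Value $line
}

$watchers = @()
foreach ($root in $removable) {
    $w = New-Object System.IO.FileSystemWatcher $root
    $w.IncludeSubdirectories = $true
    # LastAccess is intentionally absent: name, size and last-write changes are
    # what a write to the device produces; a read that touches LastAccess is not.
    $w.NotifyFilter = [System.IO.NotifyFilters]'FileName, DirectoryName, LastWrite, Size'
    $w.EnableRaisingEvents = $true
    foreach ($evt in 'Created', 'Changed', 'Deleted', 'Renamed') {
        Register-ObjectEvent -InputObject $w -EventName $evt `
            -SourceIdentifier ('usb-{0}-{1}' -f $evt, $root.Substring(0, 1)) `
            -Action $action -MessageData $logPath | Out-Null
    }
    $watchers += $w
}

Write-Host ('Logging write events on {0} to {1}. Press Ctrl+C to stop.' -f ($removable -join ', '), $logPath)
try {
    while ($true) { Start-Sleep -Seconds 5 }
}
finally {
    # Ctrl+C runs this block: stop the watchers and drop the event subscriptions.
    foreach ($w in $watchers) { $w.EnableRaisingEvents = $false; $w.Dispose() }
    Get-EventSubscriber | Where-Object { $_.SourceIdentifier -like 'usb-*' } | Unregister-Event
}
```

Two points to keep in mind when reading the log: FileSystemWatcher raises Changed more than once for a single save (content write and timestamp update arrive as separate notifications), so a consumer that wants one alert per event should collapse lines for the same path within a short window; and the watcher only sees drives that were mounted when the script started, so it needs to be restarted (or extended with a WMI volume-arrival subscription) to cover devices plugged in later.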