
Re: Erroneous Device Control alerts

I have the Device Control setup to alert (via email) when a write event occurs on any USB drives. This allows us to monitor the writing to removable media. But we are getting alerts when no files have changed. We have disabled AutoPlay, and I have confirmed that no files have changed on the device (by reviewing the 'Date Modified' on the files).

We are using Windows 7, Windows Vista, and Windows XP Clients with Sophos Endpoint Security and Control 10.0 (Device Control 10.0.10).

I think this might be caused by the Windows OS updating the LastAccessTime in the NTFS filesystem. Has anyone else tried to do this? Is there a better way to tell when a file has been written to a removable device?

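One way to check the LastAccessTime hypothesis and to tell real writes from reads, added here as an example and not part of the original post: the snapshot records size, modification time and a SHA-256 digest of each file and deliberately ignores access time, so a read that only bumps LastAccessTime does not show up as a change, while a genuine write does. The temporary directory and file name are constructed stand-ins for the removable drive.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Record (size, mtime_ns, sha256) for every file under root.
    st_atime is left out on purpose: a plain read may update LastAccessTime,
    which is the suspected cause of the spurious 'write' alerts."""
    root = Path(root)
    snap = {}
    for path in root.rglob("*"):
        if path.is_file():
            st = path.stat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snap[str(path.relative_to(root))] = (st.st_size, st.st_mtime_ns, digest)
    return snap


def diff_snapshots(before, after):
    """Compare two snapshots; 'modified' means size, mtime or content differs."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a temp dir stands in for the USB drive."""
    with tempfile.TemporaryDirectory() as root:
        report = Path(root, "report.txt")
        report.write_text("quarterly numbers\n")
        baseline = snapshot(root)

        report.read_text()  # read only: may touch LastAccessTime, never a write
        after_read = diff_snapshots(baseline, snapshot(root))

        report.write_text("quarterly numbers, revised\n")  # a real write
        after_write = diff_snapshots(baseline, snapshot(root))
        return after_read, after_write


if __name__ == "__main__":
    read_result, write_result = demo()
    print("after read only:", read_result)    # no changes reported
    print("after real write:", write_result)  # report.txt listed as modified
```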
  • Hello TEWhite,

    I've used the following rule:

    For any file
    where the file name contains 
    	*,
    and where the destination is 
    	Removable Storage,
    Allow file transfer.

    it appears to only report some of the write events

    As said, it (seems to) skip additional events (e.g. the copy) within a certain interval (perhaps for the same device only). As for rename, it'd be interesting to check if a blocking (or by acceptance) rule intercepts it. Blocking by name is IMO of very limited use anyway. While technically a write, a delete is not a transfer to and thus of no significance in terms of DLP.

    I do not believe it will satisfy our audit

    I think (personal opinion) that DLP is not designed as an audit tool - but maybe John Stringer (or someone from the DLP group) could comment on it.

    Christian
