Verbose/Debug Logging Problems

Hi,

I need to set up verbose logging on a client PC to test device control and it looks like it isn't running correctly.

I've been through the Knowledge Base article here: https://community.sophos.com/kb/en-us/113594 and set it up as explained in the Registry Editor & factory.xml file. But, when I restart the Anti-Virus and Device Control services, the logs don't show that Debug is active.

20190507 153125 Device control has started on this machine.
20190507 153126 Device control failed to disable device: deviceId=IDE\CDROMHL-DT-ST_DVD+-RW_GTA0N__________________A1C0____\5&23276773&0&5.0.0, errorCode=-5.

20190507 153126 Use of controlled device type 'Optical drives (CD/DVD)' has been disabled by the administrator.
20190507 153126 Use of controlled device type 'Optical drives (CD/DVD)' disabled: deviceId=IDE\CDROMPLDS_DVD+-RW_DU-8A5LH___________________DD11____\5&8C2135F&0&1.0.0, status=present.
20190507 160506 Device control has stopped on this machine.
20190507 161014 Device control has started on this machine.
20190507 220116 Device control has started on this machine.
20190508 083744 Device control has stopped on this machine.
20190508 084951 Device control has started on this machine.
20190508 090310 Device control has started on this machine.
20190508 090438 Device control has stopped on this machine.
20190508 090623 Device control has started on this machine.

I made the debug logging change on the 8th May 2019 and the service stops and starts were to test whether debug is active or not. I was under the impression that the logs should show something like Debug: ............................................ for example.

Is there anything I'm likely missing perhaps please?

Thanks. 
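As an added example (not from the original post, and not a Sophos tool), a small Python parser for the device control log format quoted above: it counts service starts and stops, maps each deviceId that failed to disable to its errorCode, flags deviceIds that fail but never show up with status=present (the phantom-drive pattern discussed later in the thread), and reports whether any Debug lines are present. The sample log is constructed from the lines quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the device control log lines quoted in the post.
SAMPLE_LOG = r"""
20190507 153125 Device control has started on this machine.
20190507 153126 Device control failed to disable device: deviceId=IDE\CDROMHL-DT-ST_DVD+-RW_GTA0N__________________A1C0____\5&23276773&0&5.0.0, errorCode=-5.
20190507 153126 Use of controlled device type 'Optical drives (CD/DVD)' has been disabled by the administrator.
20190507 153126 Use of controlled device type 'Optical drives (CD/DVD)' disabled: deviceId=IDE\CDROMPLDS_DVD+-RW_DU-8A5LH___________________DD11____\5&8C2135F&0&1.0.0, status=present.
20190507 160506 Device control has stopped on this machine.
20190507 161014 Device control has started on this machine.
20190508 083744 Device control has stopped on this machine.
20190508 084951 Device control has started on this machine.
"""

# Each line is "YYYYMMDD HHMMSS message"; the two ID-bearing messages carry
# a deviceId plus either an errorCode (failure) or a status (success).
LINE_RE = re.compile(r"^(\d{8}) (\d{6}) (.*)$")
FAIL_RE = re.compile(r"failed to disable device: deviceId=(.+?), errorCode=(-?\d+)")
OK_RE = re.compile(r" disabled: deviceId=(.+?), status=(\w+)")


def parse_log(text):
    """Return a list of (timestamp, message) tuples, skipping blank or odd lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
            events.append((ts, m.group(3)))
    return events


def summarise(events):
    """Count restarts, map failed deviceIds to their errorCodes, and flag
    phantom candidates: deviceIds that failed but never appear with status=present."""
    failed, present = defaultdict(list), set()
    for _, msg in events:
        f, o = FAIL_RE.search(msg), OK_RE.search(msg)
        if f:
            failed[f.group(1)].append(int(f.group(2)))
        elif o and o.group(2) == "present":
            present.add(o.group(1))
    return {
        "starts": sum(m.endswith("has started on this machine.") for _, m in events),
        "stops": sum(m.endswith("has stopped on this machine.") for _, m in events),
        "failed": dict(failed),
        "phantom_candidates": sorted(d for d in failed if d not in present),
        "debug_lines": any(m.startswith("Debug") for _, m in events),
    }
```

Run `summarise(parse_log(open("devicecontrol.log").read()))` against a real log file; a deviceId in phantom_candidates on a machine that only has one physical drive is the first thing to compare against the registry on an unaffected machine.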

  • Hello Anthony Stevens,

    device [...] isn't running correctly
    are you referring to the Failed to disable? Never found out (or bothered to find out) what the cause is. Primary question is whether the device can be accessed or not.

    As for debug logging: Indeed, seems it doesn't work as stated in the article. Haven't tried it lately but it used to work (there was an additional key involved, I've set it when I tested just now). You should open a case with Support.

    Christian

  • Thank you for the response back.

    The real reason why I'm checking with verbose logging is because the device control works and ends up disabling the CD/DVD-ROM drives on our desktops as intended, but for some reason it keeps trying to find the model of CD/DVD Drive that is installed in a Dell Optiplex 3020. (Which is one of the Dell models we own in the company.) It tries to find that first, fails and then on second attempt, finds the actual model installed and successfully disables it.

    It doesn't help we need to receive emails about device control in case someone plugs something in they shouldn't do and the device control service will restart to find the drive again, haha.

    Anyway, I'll try adding that additional registry key mentioned first and if that doesn't work, I'll raise a case with them then.

    Anthony.

  • Hello Anthony,

    trying to find the model of CD/DVD Drive that is installed in a Dell Optiplex 3020
    could it be that other computers have been installed with an image taken from the 3020? I vaguely remember a case with some device that "was there somewhere in Windows" even though neither physically present nor visible in the Device Manager.

    Christian

  • We can only say it is a possibility. The image in question was created back in 2016 before I started at the company and my colleagues can't remember themselves if that happened or not.

    I did just narrow down the error to only occurring in one department of desktops, which all use the same image and that makes sense now.

    But, I find it strange that could happen even though we run a sysprep process before the image is captured. Is it likely that some information on this non-existent drive is kept within the registry or somewhere else, that could cause Sophos to point at that drive first then? (Shot in the dark you could say.)

    Well, we are going to be migrating our OS later this year anyway and we know it's working correctly despite the error. We may just roll with it for the time being since it's only an annoyance technically and see what happens after the migration is complete.

    Thanks,
    Anthony

  • Hello Anthony,

    some information on this non-existent drive is kept within the registry or somewhere else
    unfortunately I don't remember the exact details (if I ever knew them). Incomplete/inconsistent device information so that certain APIs find the device but others fail. The debug information would, I think, reveal what piece of information is retrieved by Device Control. Can't say if this is enough information to remove the phantom without breaking something. Just searched for the DeviceID of my DVD drive and compared it to what I find with the ID of the drive that was previously installed. Obvious differences but nothing that would immediately suggest what it could look like for a phantom. Probably not worth digging deeper if it's not more than an annoyance.

    Christian