
EPS 9 and Datacontrol with USB/mass storage drives

Hi,

Why does EPS v.9 data control not allow any access from other applications to USB or other Mass storage devices?

If I switch on data control in 'observe only' mode, it immediately switches off all access to drives from applications (actually makes Word 2000 crash randomly ??). We do see the warning saying use Explorer to transfer files, but come on, when looking at presentations or files from customers handed over on pen drives, we cannot update content and just click save? I now have to save as, stick it e.g. on my desktop, then drag it back to the pen drive. Seems a really bad option to me: duplication, version loss, copying a shortcut instead of the file. I can think of lots of problems this causes.

Are we ever going to get that fixed? Surely this is just a standard journal trigger (ok I realise FATx doesn't journalise but you can still capture directory triggers). Do we really have to have such a restriction?

I realise this has been brought up before and dismissed as a 'by design' feature. What a feature though, loss of standard capability!!!!! Even in 'observe only' mode.

Matt



  • Hi Matt,

    Longer term we're looking into ways to make the behavior of removable storage data control more transparent.

    Bit of background information: one of our design goals was to implement a solution which intercepted data prior to it touching the removable storage device (to avoid the scenario where the end user pulls out the device during a write). To achieve this we intercept data transferred onto removable storage using Windows Explorer but don't intercept individual application writes to the storage device. This is why the agent forces data to be transferred via Windows Explorer when a "request user authorization" or "block" rule is in place. Essentially it's a trade-off between data exposure, interception complexity and user transparency.

    In monitor / observe only mode the restriction is not active - although the data control rules will only trigger on transfers made using Windows Explorer.

    Hope this helps,

    John

    Product Manager

  • Hello Matt,

    If you "Allow file transfer and log event", then only transfers using Explorer are monitored. Only if transfers are to be potentially blocked (either acceptance by user or block) is the use of Explorer enforced. If you turn on verbose logging you should see the action taken (and the reason for it).

    There's always a trade-off between freedom and security.

    Christian

  • Hi John,

    Not quite the behaviour I see.

    If I go back to plain basics here and create one simple rule which is:

    For any file

    where the file contains

            matt content        (this is just a simple file contains 'abcwibble')

    and where the destination is

            removable storage

    Allow file transfer

    So just one really simple rule which is almost impossible to trigger. If I now enable data control scanning with just the one rule, then open up a pen drive that has a Word file on it and double-click the Word file, Word starts and immediately I'm put into read-only mode even though the file does not contain a match. If I try to save in Word, I'm prompted for a location; if I deliberately point back at the pen drive to overwrite, Word says no and Sophos triggers with the 'please use explorer' message.

    What you're saying is that it shouldn't get in the way, and in fact in this mode it won't detect from the application? I'm not seeing that, John. Sophos is preventing the save to the device.

    Regards,

    Matt

  • Aha! I see something. I had a second rule that did want acceptance by the user (I thought it was log only too), so having the second rule in there, even though it won't get triggered, cripples the apps from saving to the pen drive.

    So I can only really use this system if all rules are monitor only. OK, I'll make the change and re-establish all the rules (some 20-odd) I initially made, all in log only mode. I don't really mind this since, for the most part, data leaks are caused by people dragging files from system to pen drives or other MSDs. People opening files directly on MSDs are usually just tweaking existing files, so I'm not too worried about that for now, although I fully understand the implications.

    Thanks Christian and John.

    Matt

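To make the behaviour Matt stumbled on concrete, here is a toy policy model (an added example, not Sophos code; the rule fields and action names are assumptions chosen to mirror the thread's wording, not the product's real API). It shows that the Explorer-only restriction is switched on by the mere presence of a block or authorization rule, independently of whether that rule ever matches, while application writes are otherwise not inspected at all.

```python
"""Toy model of the removable-storage Data Control behaviour described in
the thread. Added example; names are assumptions, not Sophos identifiers."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW_AND_LOG = "allow file transfer and log event"
    REQUEST_AUTH = "request user authorization"
    BLOCK = "block"


@dataclass
class Rule:
    contains: str          # content match, e.g. "abcwibble" (Matt's test string)
    destination: str       # e.g. "removable storage"
    action: Action


class DataControl:
    def __init__(self, rules):
        self.rules = list(rules)

    def explorer_enforced(self) -> bool:
        # The restriction is enabled by the presence of any block/authorization
        # rule in the policy, not by that rule actually matching a file.
        return any(r.action is not Action.ALLOW_AND_LOG for r in self.rules)

    def transfer(self, content: str, destination: str, via_explorer: bool) -> str:
        """Decide what happens to one write/copy onto `destination`."""
        if not via_explorer:
            if self.explorer_enforced():
                return "blocked: please use Windows Explorer"
            # Direct application writes are not intercepted or logged.
            return "allowed (not inspected)"
        for r in self.rules:
            if r.destination == destination and r.contains in content:
                return f"matched rule -> {r.action.value}"
        return "allowed (no rule matched)"


if __name__ == "__main__":
    log_only = Rule("abcwibble", "removable storage", Action.ALLOW_AND_LOG)
    auth = Rule("confidential", "removable storage", Action.REQUEST_AUTH)
    # Constructed sample: Word saving a deck that matches nothing.
    for policy in (DataControl([log_only]), DataControl([log_only, auth])):
        print(policy.transfer("quarterly deck", "removable storage", via_explorer=False))
```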