
Device Control - Not Working As Expected

Dear All

I've been testing out the Device Control policies and for a few months I have been collecting all of the USB disks by 'detecting but allowing to run'.    I have noticed though that the IronKey Basic Edition devices are recognised as 'Removable Storage' and not 'Secure Removable Device' as described in this Sophos article  http://www.sophos.com/support/knowledgebase/article/63102.html

Nevertheless I have added both the Basic and Enterprise editions of the IronKeys to the exempt policy for 'Removable Storage'.  I have blocked all other devices.

Testing this on 5 OUs (we sync Sophos with Active Directory), 4 out of 5 OUs work.  On one OU the new policy has applied but all machines in this OU can accept any USB device and the message I receive via email from those machines is this:-

Device control failed a notify installation operation: deviceId=USBSTOR\DISK&VEN_&PROD_USB_DISK_PRO&REV_PMAP\0766090001AF&0, errorCode=0x80070005.

I have rebooted the machines in question but to no avail and I have the same model of PC in OUs that work too?  Is it just a timing issue? Slowly, slowly, catch yer monkey?

Also, experience with different USB devices differs greatly too.  For instance one model of USB disk installs itself as a floppy disk drive (B) whilst another common USB key is identified by Windows as a CDROM?  (This is after applying the block policy - pre policy the USB key behaved as normal). Thus both device types are fully accessed even though I have received messages from both machines indicating to me that the policy has been applied and said devices were blocked!

I can't exactly block CDROM drives and unfortunately you can't exempt devices of this type either (maybe a wish list request there!).

So experience so far is that the device control does not control all USB devices, so beware if you think you can roll out Ironkeys across your enterprise safe in the knowledge that the savages can't plug any old USB key into their machine! Because they can!   Unless I am missing something here?

Thanks

:765


  • Hi,

    If you'd be willing to send in samples of the IronKey devices we can check and update the Secure Removable Storage category to cover these drives (and then return them to you!). We are looking to build up better relationships with the manufacturers so we can get access to sample drives - but this isn't always possible. One point to note is that the category only includes devices that are 100% encrypted. If you drop me a PM or email we can work out the details.

    Regarding Optical Media drives (CD / DVD drives) it is possible to exempt drives from a block policy so in principle this could be used to authorize all models of integrated optical media drives and block any other drives appearing as optical media. The more sophisticated USB drives e.g. encrypted / U3 actually appear to the endpoint as two devices - an optical media or floppy drive which contains the "boot" / access software and a removable storage drive. If that happens then you should see two events reported back to SEC for each device type (depending upon the policy).

    Finally, to resolve the error and OU issue it's probably best to give tech support a call and they can walk through troubleshooting steps. If there is a software issue it can be escalated through support and a defect raised and scheduled for resolution via maintenance (hopefully that won't be necessary).

    Hope this helps.

    Best regards,

    John

    :788
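Added example, not part of the original thread and not Sophos code: a small Python parser for alert lines in the format quoted in the first post. It decodes the HRESULT (0x80070005 is a Win32 "access denied") and groups device IDs by serial number to show when one physical stick has enumerated under more than one USBSTOR device type, as the reply above describes. The two `EXAMPLE0001` lines are constructed, and it is an assumption that the trailing `&n` of the instance ID is the unit index and that both units share one serial.

```python
import re
from collections import defaultdict

# Layout of the alert quoted in the first post:
# deviceId=<enumerator>\<type>&VEN_..&PROD_..&REV_..\<serial>&<unit>, errorCode=0x........
ALERT_RE = re.compile(
    r"deviceId=(?P<enum>[^\\]+)\\(?P<type>[^&\\]+)&VEN_(?P<vendor>[^&]*)"
    r"&PROD_(?P<product>[^&]*)&REV_(?P<rev>[^\\]*)\\(?P<serial>[^,\s]+)&(?P<unit>\d+)"
    r",\s*errorCode=(?P<hresult>0x[0-9A-Fa-f]{8})"
)
WIN32_CODES = {5: "ERROR_ACCESS_DENIED"}  # only the code seen on this page

def decode_hresult(value):
    """Split an HRESULT into (failed, facility, code)."""
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF

def parse_alert(line):
    """Return the fields of one alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    failed, facility, code = decode_hresult(int(fields["hresult"], 16))
    # Facility 7 is FACILITY_WIN32: the low word is a plain Win32 error code.
    fields["error"] = WIN32_CODES.get(code, str(code)) if facility == 7 else "non-Win32"
    return fields

def multi_type_serials(alerts):
    """Serials that enumerated under more than one device type (e.g. CDROM and DISK)."""
    seen = defaultdict(set)
    for alert in alerts:
        seen[alert["serial"]].add(alert["type"].upper())
    return {serial: sorted(types) for serial, types in seen.items() if len(types) > 1}

SAMPLE = [
    # Device ID and error code as quoted in the first post.
    r"deviceId=USBSTOR\DISK&VEN_&PROD_USB_DISK_PRO&REV_PMAP\0766090001AF&0, errorCode=0x80070005.",
    # Constructed lines: one stick exposing an optical unit and a storage unit.
    r"deviceId=USBSTOR\CDROM&VEN_EXAMPLE&PROD_STICK&REV_1.00\EXAMPLE0001&0, errorCode=0x80070005.",
    r"deviceId=USBSTOR\DISK&VEN_EXAMPLE&PROD_STICK&REV_1.00\EXAMPLE0001&1, errorCode=0x80070005.",
]

if __name__ == "__main__":
    parsed = [p for p in map(parse_alert, SAMPLE) if p]
    for p in parsed:
        print(p["serial"], p["type"], p["error"])
    print("multi-type sticks:", multi_type_serials(parsed))
```

A serial listed by `multi_type_serials` needs a decision for each device type it presents, since a policy that only covers removable storage does not address the optical or floppy unit.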
  • Thanks for the response.

    I see that you can actually exempt CDROM and FDD, so I could further nail down the USB sticks that act like these devices.  Incidentally, would it be Windows or the USB device identifying itself as a CDROM instead of a USB device?  For instance with the blocking in place my cheapo Kingston stick is a CDROM device but before the blocking policy it is a removable media drive F?   Is Windows allocating the next available storage media device for USB sticks?  If so, looks like a loophole in the device control mechanism?

    Still no joy on the OU that is failing to enforce the blocking policy.  I have even reinstalled Sophos but still no joy.  Looks like I will have to open a support call.

    As for sending you my IronKey!!!  Unlikely ;-)  I could put you in touch with someone though that will give you a trial device?

    Cheers

    :848
  • I can understand why you don't want to send your Ironkey :) If you can provide a contact that would be neat.

    It's the USB device that identifies itself as a particular device type. I'm surprised the Kingston stick is changing what it appears as - the device control policy shouldn't have this impact - it just acts upon the device types that Windows reports. Might be worth raising this with support and letting them know the model version and also some before and after screenshots. If it's a loophole we'd be keen to close it!

    Thanks,

    John

    :866
  • I have opened a call with support about the policy not being applied and now I just need to run off some logs for further analysis.

    My contact at Ironkey will gladly send you a demo product to test with Sophos, but I can't for the life of me see how I can PM you? 

    Cheers

    :893