
Device Control - Not Working As Expected

Dear All

I've been testing out the Device Control policies and for a few months I have been collecting all of the USB disks by 'detecting but allowing to run'. I have noticed though that the IronKey Basic Edition devices are recognised as 'Removable Storage' and not 'Secure Removable Device' as described in this Sophos article http://www.sophos.com/support/knowledgebase/article/63102.html

Nevertheless I have added both the Basic and Enterprise editions of the IronKeys to the exempt policy for 'Removable Storage'. I have blocked all other devices.

Testing this on 5 OUs (we sync Sophos with Active Directory), 4 out of 5 OUs work. On one OU the new policy has applied but all machines in this OU can accept any USB device and the message I receive via email from those machines is this:-

Device control failed a notify installation operation: deviceId=USBSTOR\DISK&VEN_&PROD_USB_DISK_PRO&REV_PMAP\0766090001AF&0, errorCode=0x80070005.

I have rebooted the machines in question but to no avail and I have the same model of PC in OUs that work too? Is it just a timing issue? Slowly, slowly, catch yer monkey?

Also, experience with different USB devices differs greatly too. For instance one model of USB disk installs itself as a floppy disk drive (B) whilst another common USB key is identified by Windows as a CDROM? (This is after applying the block policy - pre policy the USB key behaved as normal). Thus both device types are fully accessed even though I have received messages from both machines indicating to me that the policy has been applied and said devices were blocked!

I can't exactly block CDROM drives and unfortunately you can't exempt devices of this type either (maybe a wish list request there!).

So experience so far is that the device control does not control all USB devices, so beware if you think you can roll out IronKeys across your enterprise safe in the knowledge that the savages can't plug any old USB key into their machine! Because they can! Unless I am missing something here?

Thanks

:765


This thread was automatically locked due to age.
  • Hi,

    If you'd be willing to send in samples of the IronKey devices we can check and update the Secure Removable Storage category to cover these drives (and then return them to you!). We are looking to build up better relationships with the manufacturers so we can get access to sample drives - but this isn't always possible. One point to note is that the category only includes devices that are 100% encrypted. If you drop me a PM or email we can work out the details.

    Regarding Optical Media drives (CD / DVD drives) it is possible to exempt drives from a block policy so in principle this could be used to authorize all models of integrated optical media drives and block any other drives appearing as optical media. The more sophisticated USB drives e.g. encrypted / U3 actually appear to the endpoint as two devices - an optical media or floppy drive which contains the "boot" / access software and a removable storage drive. If that happens then you should see two events reported back to SEC for each device type (depending upon the policy).

    Finally, to resolve the error and OU issue it's probably best to give tech support a call and they can walk through troubleshooting steps. If there is a software issue it can be escalated through support and a defect raised and scheduled for resolution via maintenance (hopefully that won't be necessary).

    Hope this helps.

    Best regards,

    John

    :788
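For triaging the alerts discussed in this thread, the following is an added example (not posted by either participant and not Sophos code). It parses the alert line quoted above, decodes its HRESULT, and flags sticks that enumerate under more than one USBSTOR device type, as the reply describes for encrypted / U3 drives. The second and third device IDs are constructed sample values and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Alert layout copied from the e-mail message quoted in the thread.
ALERT_RE = re.compile(r"deviceId=(?P<id>\S+?),\s*errorCode=(?P<err>0x[0-9A-Fa-f]{8})")
# USBSTOR instance ID: USBSTOR\<TYPE>&VEN_<v>&PROD_<p>&REV_<r>\<serial>&<lun>
ID_RE = re.compile(r"^USBSTOR\\(?P<type>[^&\\]+)&VEN_(?P<ven>[^&\\]*)"
                   r"&PROD_(?P<prod>[^&\\]*)&REV_(?P<rev>[^&\\]*)"
                   r"\\(?P<serial>.+?)(?:&(?P<lun>\d+))?$")
WIN32_NAMES = {5: "ERROR_ACCESS_DENIED"}  # only the code seen in the thread

def decode_hresult(value):
    """Split a 32-bit HRESULT into failure bit, facility and code."""
    return {"failed": bool(value >> 31),
            "facility": (value >> 16) & 0x7FF,
            "code": value & 0xFFFF}

def parse_alert(line):
    """Return device fields plus decoded error, or None if the line does not match."""
    m = ALERT_RE.search(line)
    dev = ID_RE.match(m.group("id")) if m else None
    if dev is None:
        return None
    rec = dev.groupdict()
    rec.update(decode_hresult(int(m.group("err"), 16)))
    # Facility 7 is FACILITY_WIN32: the low 16 bits are then a Win32 error code.
    rec["error_name"] = WIN32_NAMES.get(rec["code"]) if rec["facility"] == 7 else None
    return rec

def multi_class_serials(device_ids):
    """Map serial -> device types for sticks seen under more than one type."""
    seen = defaultdict(set)
    for dev_id in device_ids:
        m = ID_RE.match(dev_id)
        if m:
            seen[m.group("serial")].add(m.group("type"))
    return {s: sorted(t) for s, t in seen.items() if len(t) > 1}

THREAD_ALERT = (r"Device control failed a notify installation operation: "
                r"deviceId=USBSTOR\DISK&VEN_&PROD_USB_DISK_PRO&REV_PMAP\0766090001AF&0, "
                r"errorCode=0x80070005.")
SAMPLE_IDS = [  # first ID is from the thread; the other two are constructed
    r"USBSTOR\DISK&VEN_&PROD_USB_DISK_PRO&REV_PMAP\0766090001AF&0",
    r"USBSTOR\CDROM&VEN_EXAMPLE&PROD_LAUNCHER&REV_1.00\CONSTRUCTED0001&0",
    r"USBSTOR\DISK&VEN_EXAMPLE&PROD_STORAGE&REV_1.00\CONSTRUCTED0001&1",
]

if __name__ == "__main__":
    print(parse_alert(THREAD_ALERT))
    print(multi_class_serials(SAMPLE_IDS))
```

The error code in the quoted alert decodes to a Win32 access-denied failure, which is a useful detail to have at hand when raising the OU issue with support.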