
Device Control - Not Working As Expected

Dear All

I've been testing out the Device Control policies and for a few months I have been collecting all of the USB disks by 'detecting but allowing to run'. I have noticed though that the IronKey Basic Edition devices are recognised as 'Removable Storage' and not 'Secure Removable Device' as described in this Sophos article: http://www.sophos.com/support/knowledgebase/article/63102.html

Nevertheless, I have added both the Basic and Enterprise editions of the IronKeys to the exempt policy for 'Removable Storage'. I have blocked all other devices.

Testing this on 5 OUs (we sync Sophos with Active Directory), 4 out of 5 OUs work. On one OU the new policy has applied but all machines in this OU can accept any USB device, and the message I receive via email from those machines is this:

Device control failed a notify installation operation: deviceId=USBSTOR\DISK&VEN_&PROD_USB_DISK_PRO&REV_PMAP\0766090001AF&0, errorCode=0x80070005.

I have rebooted the machines in question but to no avail, and I have the same model of PC in OUs that work too. Is it just a timing issue? Slowly, slowly, catch yer monkey?

Also, experience with different USB devices differs greatly too. For instance, one model of USB disk installs itself as a floppy disk drive (B) whilst another common USB key is identified by Windows as a CDROM? (This is after applying the block policy - pre policy the USB key behaved as normal.) Thus both device types are fully accessed even though I have received messages from both machines indicating to me that the policy has been applied and said devices were blocked!

I can't exactly block CDROM drives and unfortunately you can't exempt devices of this type either (maybe a wish list request there!).

So experience so far is that the device control does not control all USB devices, so beware if you think you can roll out IronKeys across your enterprise safe in the knowledge that the savages can't plug any old USB key into their machine! Because they can! Unless I am missing something here?

Thanks



This thread was automatically locked due to age.
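
Added example, not part of the original thread or of any Sophos tooling: a small parser for the alert line quoted in the first post, which splits the USBSTOR device ID into its fields (the vendor field is empty for this stick) and decodes the error code, which is the standard HRESULT form of Win32 "access denied". The function names are hypothetical and the alert layout is assumed from that single quoted message.

```python
import re

# Win32 error codes carried in the low 16 bits of a FACILITY_WIN32 (7) HRESULT.
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}

# Alert layout assumed from the one message quoted in the post.
ALERT_RE = re.compile(r"deviceId=(?P<dev>[^,]+),\s*errorCode=(?P<err>0x[0-9A-Fa-f]{8})")
# USBSTOR\<device type>&VEN_<vendor>&PROD_<product>&REV_<revision>\<instance>
USBSTOR_RE = re.compile(
    r"^USBSTOR\\(?P<device_type>[^&\\]+)&VEN_(?P<vendor>[^&\\]*)"
    r"&PROD_(?P<product>[^&\\]*)&REV_(?P<revision>[^&\\]*)\\(?P<instance>.+)$",
    re.IGNORECASE)


def decode_hresult(value):
    """Split a 32-bit HRESULT into failure bit, facility and code."""
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    if facility == 7:
        name = WIN32_ERRORS.get(code, "unlisted Win32 error")
    else:
        name = "not a Win32 facility"
    return {"failed": bool(value >> 31), "facility": facility,
            "code": code, "name": name}


def parse_alert(line):
    """Return the device fields and decoded error, or None if no alert found."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    device_id = m.group("dev").strip()
    result = {"device_id": device_id,
              "error": decode_hresult(int(m.group("err"), 16))}
    dev = USBSTOR_RE.match(device_id)
    if dev:  # other device ID formats keep only the raw ID
        fields = dev.groupdict()
        fields["device_type"] = fields["device_type"].upper()
        result.update(fields)
    return result


# The alert text exactly as quoted in the post.
SAMPLE = (r"Device control failed a notify installation operation: "
          r"deviceId=USBSTOR\DISK&VEN_&PROD_USB_DISK_PRO&REV_PMAP\0766090001AF&0, "
          r"errorCode=0x80070005.")

if __name__ == "__main__":
    for key, value in parse_alert(SAMPLE).items():
        print(f"{key}: {value}")
```

The `device_type` field records how Windows enumerated the device (DISK here), so collecting it from each alert shows which sticks arrive under a type other than disk, as the post describes for the CDROM and floppy cases.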
  • Thanks for the response.

    I see that you can actually exempt CDROM and FDD, so I could further nail down the USB sticks that act like these devices. Incidentally, would it be Windows or the USB device identifying itself as a CDROM instead of a USB device? For instance, with the blocking in place my cheapo Kingston stick is a CDROM device but before the blocking policy it is a removable media drive F? Is Windows allocating the next available storage media device for USB sticks? If so, looks like a loophole in the device control mechanism?

    Still no joy on the OU that is failing to enforce the blocking policy.  I have even reinstalled Sophos but still no joy.  Looks like I will have to open a support call.

    As for sending you my IronKey!!! Unlikely ;-) I could put you in touch with someone though that will give you a trial device?

    Cheers
