This discussion has been locked.

Device Control - Not Working As Expected

Dear All

I've been testing out the Device Control policies and for a few months I have been collecting all of the USB disks by 'detecting but allowing to run'. I have noticed though that the IronKey Basic Edition devices are recognised as 'Removable Storage' and not 'Secure Removable Device' as described in this Sophos article: http://www.sophos.com/support/knowledgebase/article/63102.html

Nevertheless I have added both the Basic and Enterprise editions of the IronKeys to the exempt policy for 'Removable Storage'. I have blocked all other devices.

Testing this on 5 OUs (we sync Sophos with Active Directory), 4 out of 5 OUs work. On one OU the new policy has applied but all machines in this OU can accept any USB device and the message I receive via email from those machines is this:-

Device control failed a notify installation operation: deviceId=USBSTOR\DISK&VEN_&PROD_USB_DISK_PRO&REV_PMAP\0766090001AF&0, errorCode=0x80070005.

I have rebooted the machines in question but to no avail and I have the same model of PC in OUs that work too? Is it just a timing issue? Slowly, slowly, catch yer monkey?

Also, experience with different USB devices differs greatly too. For instance one model of USB disk installs itself as a floppy disk drive (B) whilst another common USB key is identified by Windows as a CDROM? (This is after applying the block policy - pre policy the USB key behaved as normal). Thus both device types are fully accessed even though I have received messages from both machines indicating to me that the policy has been applied and said devices were blocked!

I can't exactly block CDROM drives and unfortunately you can't exempt devices of this type either (maybe a wish list request there!).

So experience so far is that the device control does not control all USB devices, so beware if you think you can roll out IronKeys across your enterprise safe in the knowledge that the savages can't plug any old USB key into their machine! Because they can! Unless I am missing something here?

Thanks

:765
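For triaging alerts like the one quoted in the post above, this added example (not part of the original thread and not Sophos code) parses the alert line, splits the USBSTOR device ID into the device type Windows reports plus its vendor, product and revision fields, and decodes the HRESULT; 0x80070005 is the Win32 access-denied error. The function names and the small error-name table are this example's own.

```python
import re

# Alert wording taken from the message quoted in the post above.
ALERT_RE = re.compile(
    r"Device control failed an? (?P<operation>.+?) operation: "
    r"deviceId=(?P<device_id>.+?), errorCode=(?P<code>0x[0-9A-Fa-f]{1,8})"
)
# Small subset of Win32 error codes, chosen for this example; extend as needed.
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED",
                87: "ERROR_INVALID_PARAMETER"}
FACILITY_WIN32 = 7

def decode_hresult(value):
    """Split an HRESULT into its failure bit, facility and 16-bit code."""
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    name = WIN32_ERRORS.get(code) if facility == FACILITY_WIN32 else None
    return {"failed": bool(value >> 31), "facility": facility,
            "code": code, "name": name}

def parse_instance_id(device_id):
    """Break a USBSTOR ID into the type Windows reports and its fields."""
    parts = device_id.split("\\", 2)
    if len(parts) != 3:
        raise ValueError("unexpected device ID: %r" % device_id)
    enumerator, hardware, instance = parts
    reported_type, *pairs = hardware.split("&")
    fields = {}
    for pair in pairs:
        key, _, val = pair.partition("_")  # "VEN_" gives an empty vendor
        fields[key.upper()] = val
    return {"enumerator": enumerator, "reported_type": reported_type,
            "vendor": fields.get("VEN", ""), "product": fields.get("PROD", ""),
            "revision": fields.get("REV", ""), "instance": instance}

def parse_alert(line):
    """Return a dict describing one alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    result = {"operation": m.group("operation")}
    result.update(parse_instance_id(m.group("device_id")))
    result.update(decode_hresult(int(m.group("code"), 16)))
    return result

# The alert line exactly as it appears in the post.
ALERT = (r"Device control failed a notify installation operation: "
         r"deviceId=USBSTOR\DISK&VEN_&PROD_USB_DISK_PRO&REV_PMAP\0766090001AF&0, "
         r"errorCode=0x80070005.")

if __name__ == "__main__":
    print(parse_alert(ALERT))
```

The `reported_type` field is the value to compare across machines when a stick shows up as a floppy or CD-ROM, since it records the device type Windows reported for that device.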


  • I can understand why you don't want to send your Ironkey :) If you can provide a contact that would be neat.

    It's the USB device that identifies itself as a particular device type. I'm surprised the Kingston stick is changing what it appears as - the device control policy shouldn't have this impact - it just acts upon the device types that Windows reports. Might be worth raising this with support and letting them know the model version and also some before and after screenshots. If it's a loophole we'd be keen to close it!

    Thanks,

    John

    :866