USB Device Active Scanning & Reporting.

Hi,

I have a customer using Sophos Enterprise Console 5.3.0 on Windows 2012 R2 64-bit, and client machines running Sophos Endpoint Security and Control 10.3 on Windows 7 Professional 64-bit SP1, a few 32-bit and a few Windows XP 32-bit.

The customer has asked me the following queries w.r.t. USB devices (removable mass storage devices).

01. Since Sophos has an on-access mechanism for removable mass storage and media, is there any way that we can change these settings and force Sophos to automatically scan USB and removable devices as soon as they are plugged in or connected?

02. The customer needs to know if we can generate a report for all the USB devices that were connected and scanned by Sophos, and what was the outcome or end result of those scans. A completed report of only the USB device scans.

Can someone please help me and let me know how we can achieve the above-mentioned requirements? Is that feasible with Sophos at the moment?



  • Hello Samson Pacharne,

    AFAIK there is no scan-on-insert option (and furthermore no consolidated reporting).
    The idea to have a report on all removable volumes is of course enticing ... but what exactly does your customer have in mind? Depending on the size and contents of the volume, a scan will take considerable time. Should it be possible to use and/or eject the device before the scan is complete? IMO this is generally not practicable on standard endpoints.

    Christian

  • Dear Christian,

    Thanks for your reply.

    The customer wants to generate the report on the Enterprise Console, to check the current or past scan reports, particularly for the mass storage removable devices only, like which removable devices were connected and when, on what all workstations, and what was the result of the scan: were there any viruses detected? Was the scan completed successfully, or was it paused/interrupted in between?

    Regards,

    Samson Pacharne

  • Hello Samson,

    I'm not Sophos, so all this is from my personal knowledge and view.
    For the scan-on-insert functionality (I've already outlined the intricacies in my previous post), feature requests have been posted. As said, IMO it'd be only practical for dedicated sheep-dips. You already get SD cards with 512GB; scanning of the internal (often not more than 1TB) drive should take place during off-hours for performance reasons, but then a removable device should be fully scanned upon insert - this doesn't fit.

    Having said that, the management server is not designed as a log collector. Even the endpoint does not record the source of an alert/event in its consolidated log (SAV.txt), although it records the summary and cancel/abort events. It's probably more work than just adding one or the other table and a few columns. The information just isn't there right now, and with the focus currently on real-time, live, Cloud, you name it, I don't think that such a feature would get top priority. Just my 2 cents though.

    Christian      

  • Hey Christian,

    Thanks a lot for all your help and support.

    Regards,

    Mr. Samson Pacharne.

  • We are looking at USB locking at the moment. The best way we have found around this is to block everything and only allow devices that you want on the network. For us, we have some cameras/USB sticks and SD cards. We are just going to allow the stuff we know and block everything else. You can also turn on USB monitoring that emails you when a USB device is plugged in.

    If that's any help Kurt.