Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 2 subscribers
  • Views 5840 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Endpoint not reporting blocked DVD drive, so cannot create exemption

Monkster

Hi,

 

I have setup a new Win10 desktop with DVD-RW drive. I need to create a Device Control exemption, but there is no entry in the "add exmption" screen for optical drive to enable me to create it. I also note there is no pop-up alert from Sophos to say it has blocked the drive.

If I disable Device Control on the PC the DVD can burn discs fine, when I re-enable it I cannot. So Sophos is definitely in control of it.

I haven't had issues with creating any device exemptions before so this is a strange issue.

Thanks in advance for any help!

Stephen.



This thread was automatically locked due to age.
  • 0

    Hello Stephen,

    you say that with other drives it works? In this case no alert, no pop-up, no entry in the DC log (you can set it to verbose on the endpoint), and nothing in the Windows Events log?
    Does the policy block all access or allow just R/O?

    Christian

  • 0 in reply to QC

    Hi,

     

    I've not made any exemptions using the machine before, but have had no problem making rules in the past from any other computer. We did get the roll-out of the latest version of End-Point in the last week or so.

    Correct, there's no pop-up, no alert, no entry in the device control log within Sophos End-Point on the PC itself, no entry in device control event log on Enterprise Console. I don't see anything obvious in Windows Event Log.

    The existing device control policy for the PC allows read only for optical drives.

    Thanks,

    Stephen.

  • 0 in reply to QC

    Switched on verbose logging, made no difference.

    When I pop a blank CD into the drive Windows informs me "Format Disc","You do not have sufficient rights to perform this operation". Likewise, when running the Cyberlink software it complains of lack of rights to access the burner. Disabling device control makes the errors go away.

  • 0 in reply to Monkster

    Hello Stephen,

    sorry, have been on vacation.
    The errors indicate that the drive is R/O, strange though that not even the verbose log has an associated message. ... or not so strange. Tried setting the policy to R/O, no log entry but the Windows message you describe. Unblocked the device, DC log said it had enabled access but there was an error. Indeed subsequently the DVD drive could only be disabled but enabling it failed (Windows claims there's a previous driver still in mempry and I have to reboot - won't do this now but I'll check again when I have time).

    Christian

  • 0 in reply to QC

    Hello Stephen,

    turned out that I had to reboot in response to the 10.6.4 upgrade.
    Looks like you don't get an alert/log entry when setting the drive R/O. Dunno if there's an article (and can't remember the tests from years ago). Seems you have to block to get an event and then you can add an exemption.

    Christian

Unfiltered HTML