
Re: Erroneous Device Control alerts

I have the Device Control setup to alert (via email) when a write event occurs on any USB drives.  This allows us to monitor the writing to removable media.  But, we are getting alerts when no files have changed.  We have disabled AutoPlay, and I have confirmed that no files have changed on the device (by reviewing the 'Date Modified' on the files).

We are using Windows 7, Windows Vista, and Windows XP Clients with Sophos Endpoint Security and Control 10.0 (Device Control 10.0.10).

I think this might be caused by the Windows OS updating the LastAccessTime in the NTFS filesystem.  Has anyone else tried to do this?  Is there a better way to tell when a file has been written to a removable device?



  • Hello TEWhite,

    as you've seen any write including meta-data triggers an event. Anyway - even if it would trigger only on "real" writes it would just indicate that a write occurred but nothing else. I've played a little and Data Control might suit your need better. A simple file rule with a single wildcard (*) for the name and Removable storage as destination should do.

    Warning: When in logging only mode neither Device nor Data Control will send an email alert (or a console event) for every detection. Thus if you write several files within a short time you get an email only for the first (although the others are written to the log) - at least that's what I've observed. Logging only mode is not really a monitoring tool but IMO rather for assessing (the probable impact on) your environment before you deploy blocking rules.

    Christian

  • QC,

    Thank you for the quick reply.  I am trying to use the alerts to notify managers that someone is writing/changing files on their USB device.  So, one alert per event is perfect.

    I tried your Data Control suggestion.  I had to put in an exclusion (otherwise it would not save my rule).  I tested it, and it appears to only report some of the write events.  It did not seem to report (to the enterprise console, under the computer's details) renaming the file, copying a file on the USB device to the same USB device, nor deleting a file.  It did not report read events, which is good.

    This is better than 100+ alerts a day regarding device writes, but I do not believe it will satisfy our audit.  Do you think not reporting the rename, copy/paste, and delete events is correct, or could I have something configured wrong?

  • Hello TEWhite,

    I've used the following rule:

    For any file
    where the file name contains 
    	*,
    and where the destination is 
    	Removable Storage,
    Allow file transfer.

    it appears to only report some of the write events

    As said, it (seems to) skip additional events (e.g. the copy) within a certain interval (perhaps for the same device only). As for rename, it'd be interesting to check if a blocking (or by acceptance) rule intercepts it. Blocking by name is IMO of very limited use anyway. While technically a write, a delete is not a transfer to and thus of no significance in terms of DLP.

    I do not believe it will satisfy our audit

    I think (personal opinion) that DLP is not designed as an audit tool - but maybe John Stringer (or someone from the DLP group) could comment on it.

    Christian

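One way to check whether a write alert corresponds to a real content change, as an added example that is not part of this thread or of the Sophos product: a snapshot-and-diff over the removable volume's mount point that hashes file contents (timestamps are ignored, so a LastAccessTime update alone never counts) and classifies the rename, on-device copy and delete events the posts above say Data Control does not report. The mount path and sample files are constructed assumptions.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def snapshot(root):
    """Map relative path -> (size, sha256) for every file under root.
    Only contents are hashed, so an NTFS LastAccessTime update alone
    never registers as a change (the false positive discussed above)."""
    root, snap = Path(root), {}
    for p in root.rglob("*"):
        if p.is_file():
            h = hashlib.sha256(p.read_bytes()).hexdigest()
            snap[p.relative_to(root).as_posix()] = (p.stat().st_size, h)
    return snap

def diff_snapshots(before, after):
    """Classify changes as created / modified / deleted / renamed tuples."""
    events = []
    gone_by_hash = {}  # content hash -> old paths that disappeared
    for k in before.keys() - after.keys():
        gone_by_hash.setdefault(before[k][1], []).append(k)
    for k in sorted(after.keys() - before.keys()):
        olds = gone_by_hash.get(after[k][1])
        if olds:  # same bytes vanished elsewhere: treat as a rename/move
            events.append(("renamed", olds.pop(0), k))
        else:     # new bytes on the device (new file or an on-device copy)
            events.append(("created", k))
    for olds in gone_by_hash.values():
        events.extend(("deleted", k) for k in olds)
    for k in before.keys() & after.keys():
        if before[k] != after[k]:
            events.append(("modified", k))
    return sorted(events)

def demo():
    """Constructed scenario: a temp directory stands in for the USB mount."""
    root = Path(tempfile.mkdtemp())
    (root / "report.txt").write_bytes(b"quarterly figures")
    (root / "notes.txt").write_bytes(b"meeting notes")
    (root / "old.txt").write_bytes(b"obsolete")
    (root / "keep.txt").write_bytes(b"untouched")
    before = snapshot(root)
    (root / "report.txt").write_bytes(b"quarterly figures v2")  # modify
    (root / "notes.txt").rename(root / "notes-final.txt")       # rename
    shutil.copy(root / "keep.txt", root / "keep-copy.txt")      # on-device copy
    (root / "old.txt").unlink()                                 # delete
    os.utime(root / "keep.txt")                                 # timestamps only
    events = diff_snapshots(before, snapshot(root))
    shutil.rmtree(root)
    return events
```

Run `demo()` to see the four classified events; the timestamp-only touch on keep.txt produces none.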