
Device Control - Phone not detected

We're trying to use Device Control to limit our users plugging in unauthorised USB devices. During testing we're seeing some devices, particularly phones, that aren't detected as storage but then allow disk access. One example device has a USB ID of USB\VID_04E8&PID_6860&REV_0400&MI_00

In Windows 7 this registers as a portable device and then gives disk access.

Is there any mechanism to add 'custom' devices to be captured even when they are not initially detected?



This thread was automatically locked due to age.
  • Hello LeeMill,

    Use the Support query form and from the "I want to submit a" drop-down select "Device control request". To speed things up I quote the reply I've received from Support on such a request (please see the Notes). It's up to you whether you want to do this on spec or wait for Support to reply first.


    What To Do 
     1) From the Windows services list stop the Sophos Anti-Virus and Sophos Device Control services (Start | Run | services.msc). 
     2) Open the registry editor (Start | Run | regedit.exe). 
     3) Browse to: HKLM\System\CurrentControlSet\Services\SAVOnAccessControl (** Note 1)
     4) Add a new DWORD value within this key with the following data:
         Name: LogFlags
         Value: 000000FF 
     5) Browse to: HKLM\Software\Sophos\SAVService\Application (** Note 2)
     6) Add DWORD value within this key with the following data:
         Name: Debug
         Value: 1 
     7) Open the following file with Notepad.exe:
        %ProgramData%\Sophos\Sophos Anti-Virus\Config\factory.xml 
     8) Find the following line:
         <item itemName="DeviceControl">60</item> 
     9) Directly below this line add:
         <item itemName="Debug">0</item> 
    10) Save and close the file.
    11) Start the Sophos Anti-Virus and Sophos Device Control services that were stopped in step two.
    12) Check the following log to ensure it contains lines that have Debug: after the time stamp:
        %ProgramData%\Sophos\Sophos Device Control\logs\DeviceControl.txt
    13) Recreate the issue.
        WARNING: This level of logging should only be used for debugging purposes and should not be left enabled, as it will greatly increase the size of the log files.
    14) Run the Sophos Diagnostic Utility (SDU) on the computer and forward the output file. (** Note 3)
    15) The additional logging should now be removed. To do so: Remove the registry entries added in steps four and six.
        NOTE: It is not necessary to remove the extra line added to the factory.xml file in steps seven to ten.

    NOTES:
    On-access driver logging will be directed to the local log file: %ProgramData%\Sophos\Sophos Antivirus\logs\sav.txt.
    Device control service logging will be directed to the local log file: %ProgramData%\Sophos\Sophos Device Control\logs\DeviceControl.txt

    ** Note 1: On my Win7 the key is named SAVOnAccess. Can't say if this is Win7 vs. XP or 64bit vs. 32bit, anyway it is either the one or the other.

    ** Note 2: On a 64bit system the path is: HKLM\Software\Wow6432Node\Sophos\SAVService\Application

    ** Note 3: The SDU can be found here - please always check for the latest version. Once you have received the automated reply with the case id you can send the logs from within the SDU.

    As you apparently have several devices with a similar behaviour it's probably better to do it for one device first and wait for what Support has to say.

    Christian
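
The procedure quoted in the reply above, scripted as an added example (not code from Sophos, Support or the poster). It covers steps 1 to 12 and the step 15 cleanup, and picks the registry key variants described in Notes 1 and 2. Assumptions: the service display names match the wording of step 1 exactly, factory.xml survives a plain-text rewrite (a .bak copy is kept), and the `-Revert` switch is a hypothetical name introduced here.

```powershell
# Added example: automates steps 1-12 of the quoted procedure, and step 15 with -Revert.
# Run from an elevated PowerShell prompt.
param([switch]$Revert)   # -Revert is a name chosen for this example

$services = 'Sophos Anti-Virus', 'Sophos Device Control'   # display names assumed from step 1

# Note 1: the driver key is SAVOnAccessControl or SAVOnAccess, depending on the machine.
$driverKey = 'HKLM:\System\CurrentControlSet\Services\SAVOnAccessControl',
             'HKLM:\System\CurrentControlSet\Services\SAVOnAccess' |
             Where-Object { Test-Path $_ } | Select-Object -First 1
# Note 2: on a 64-bit system the application key sits under Wow6432Node.
$appKey = 'HKLM:\Software\Wow6432Node\Sophos\SAVService\Application',
          'HKLM:\Software\Sophos\SAVService\Application' |
          Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $driverKey -or -not $appKey) { throw 'Expected Sophos registry keys not found.' }

$factory = Join-Path $env:ProgramData 'Sophos\Sophos Anti-Virus\Config\factory.xml'
$dcLog   = Join-Path $env:ProgramData 'Sophos\Sophos Device Control\logs\DeviceControl.txt'

Get-Service -DisplayName $services | Stop-Service -Force                       # step 1
if ($Revert) {
    # Step 15: remove only the two registry values; the factory.xml line may stay.
    Remove-ItemProperty -Path $driverKey -Name LogFlags -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $appKey -Name Debug -ErrorAction SilentlyContinue
} else {
    New-ItemProperty -Path $driverKey -Name LogFlags -PropertyType DWord -Value 0xFF -Force | Out-Null  # step 4
    New-ItemProperty -Path $appKey -Name Debug -PropertyType DWord -Value 1 -Force | Out-Null           # step 6
    # Steps 7-10: add the Debug item directly below the DeviceControl item, only once.
    $lines = Get-Content -LiteralPath $factory
    if (-not ($lines -match '<item itemName="Debug">')) {
        Copy-Item -LiteralPath $factory -Destination "$factory.bak"
        $out = foreach ($line in $lines) {
            $line
            if ($line -match '<item itemName="DeviceControl">60</item>') { '<item itemName="Debug">0</item>' }
        }
        Set-Content -LiteralPath $factory -Value $out
    }
}
Get-Service -DisplayName $services | Start-Service                             # step 11

if (-not $Revert) {
    Start-Sleep -Seconds 10   # give the services time to write to the log
    # Step 12: confirm that debug lines are appearing in the Device Control log.
    if (-not (Select-String -Path $dcLog -Pattern 'Debug:' -Quiet)) {
        Write-Warning "No 'Debug:' lines found in $dcLog; verbose logging may not be active."
    }
    Write-Host 'Recreate the issue, run the SDU, then run this script again with -Revert.'
}
```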
