This discussion has been locked.

PC reporting thousands of repeated device control events

Hi,

We have device control enabled for USB removable storage, which works really well for us. I am now finding one PC is reporting the same device control event thousands of times and I'm not sure how best to deal with it.

The PC has an Epson multifunction printer attached which has USB pass-through and SD card sockets on the front. The printer is sharing these directly on the PC. The remote user reports that both sockets are empty. We don't have any other computers set up with the same model of printer. The laptop is running Windows 10.

We do need the sockets set as read-only to ensure there isn't a way for the user to bypass our controls, so currently things are working as they should. The problem is the fact this is being reported over and over in the event viewer on Enterprise Console, making it difficult to see alerts for any other PC. Is there any way to stop this deluge of alerts without switching off the control?

Thanks!



This thread was automatically locked due to age.
  • It's an Epson WorkForce WF-3520DWF

  • Hi,

    I would suggest raising a case with Support supplying the following information:

    1. Unplug the USB cable connected to the printer from the computer.

    2. Follow: https://community.sophos.com/kb/en-us/113594 to enable debug logging of Sophos Device Control.  
    Note: It is worth checking that you're getting extra logging in: "%ProgramData%\Sophos\Sophos Data Control\logs\DataControl.txt" once done.

    3. Start Process Monitor (https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx) capturing, and ensure that the System process is removed from the filter.

    4. Plug in the USB cable.  I assume you then see one or more drives appear in Explorer.

    5. Leave both Process Monitor and Device Control Logging for a while, maybe 2-3 minutes in order to generate the repeat events.

    6. When the time is up:

    • Stop Process Monitor capturing and save all events as a .pml file.  Ensure nothing is excluded.
    • Stop the SAVService.
    • Make a note of the drive letters that appeared in Explorer, I assume something like E, F and G.
    • Run Sophos SDU (community.sophos.com/.../33533) to create a ZIP file of logs.

    Contact Support and provide:

    1. Logfile.pml

    2. The SDU zip file (this should contain the datacontrol.txt file and the RMS logs as evidence of the events but might be worth checking).

    3. Details of the drive letters created although it should be obvious from the traces.

    You can then disable Device Control logging.

    I hope it helps.

    Regards,
    Jak
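
Parts of the collection procedure in the reply above (steps 2, 4, 5 and 6) can be scripted. The PowerShell helper below is an added example, not part of the original post and not a Sophos tool; it uses the log path and service name quoted in the reply, while the three-minute wait, the `Get-RemovableLetters` function name and the removable-drive filter are assumptions.

```powershell
# Added example: helper for steps 2, 4, 5 and 6 of the procedure above.
# Run from an elevated PowerShell prompt with the printer's USB cable unplugged.
$log = Join-Path $env:ProgramData 'Sophos\Sophos Data Control\logs\DataControl.txt'

function Get-RemovableLetters {
    # Hypothetical helper name. DriveType 2 = removable disk; empty
    # card-reader slots are listed as well.
    @(Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        Select-Object -ExpandProperty DeviceID)
}

if (-not (Test-Path -LiteralPath $log)) {
    throw "Debug log not found at $log; check that debug logging is enabled (step 2)."
}

# Baseline taken before the cable is plugged in.
$before    = Get-RemovableLetters
$startSize = (Get-Item -LiteralPath $log).Length

Read-Host 'Start the Process Monitor capture, plug in the USB cable, then press Enter'

# Step 5: leave the capture running (assumed here: three minutes).
Start-Sleep -Seconds 180

$after      = Get-RemovableLetters
$newLetters = @($after | Where-Object { $_ -notin $before })
$growth     = (Get-Item -LiteralPath $log).Length - $startSize

"New removable drive letters: $($newLetters -join ', ')"
"DataControl.txt size change during the capture: $growth bytes"
if ($growth -le 0) {
    Write-Warning 'No new debug output was written; recheck step 2 before sending logs.'
}

# Step 6: stop Process Monitor and save the .pml by hand, then stop the service.
Read-Host 'Stop and save the Process Monitor capture, then press Enter'
Stop-Service -Name 'SAVService'
```

The reported drive letters and the log growth figure can be pasted into the support case alongside the .pml file and the SDU ZIP.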

  • Hi,

    This appears to have resolved itself rather unexpectedly. Our server support company installed an overdue Service Pack for SQL Server. Since that was completed things have returned to normal.

    Thanks again to everyone for their suggestions.

    Stephen.