PC reporting thousands of repeated device control events

Hi,

We have device control enabled for USB removable storage, which works really well for us. I am now finding one PC is reporting the same device control event thousands of times and I'm not sure how best to deal with it.

The PC has an Epson multifunction printer attached which has USB pass-through and SD card sockets on the front. The printer is sharing these directly on the PC. The remote user reports that both sockets are empty. We don't have any other computers setup with the same model of printer. The laptop is running Windows 10.

We do need the sockets set as read-only to ensure there isn't a way for the user to bypass our controls, so currently things are working as they should. The problem is the fact this is being reported over and over in the event viewer on Enterprise Console, making it difficult to see alerts for any other PC. Is there any way to stop this deluge of alerts without switching off the control?

Thanks!

  • Hello Monkster,

    so Device Control is working as it should (setting the sockets to R/O)? What errors are reported?

    It might be possible to suppress this (or these) errors (please see Centrally configuring the filtering of messages from workstations) it'd be tricky though to apply this (permanently) to just this one machine (if these codes can be suppressed at all).

    Christian

  • It appears to be working (the user is around 400 miles from my location), but I can't physically verify myself. Enterprise Console lists the Epson Printer as having a Read Only status, which would be correct.

    When I have the Console with the Device Control tab/view selected, that laptop is showing as having an event count of 10,937!

    Thanks!

  • Hello Monkster,

    so these are Events, not Errors? Not sure if you can suppress these. Could you post some examples (if it's always the same, how frequent it is)?

    Christian

  • It's the same event over and over.

  • Could I ask what the model of the printer is?

  • Hello Monkster,

    looks like a brawl between the Epson driver or software and Device Control; the interval is slightly more than 2.5 seconds, which would give approximately 1400 events per hour. AFAIK Device Control subscribes to Device Events; it seems that "something" periodically checks the device and enables full access, whereupon DC immediately returns it to R/O. There's a 27-minute gap - do you happen to know why?

    The bad news is that I don't know how to stop this war and don't have good tips how to find out. The good news is that it seems you can suppress these events, the drawback is you won't get any DC event at all from this machine. If you're interested send me a PM.

    Christian
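The interval and rate estimate in the reply above can be reproduced from an exported event list rather than by eye. The following is an added worked example, not code from the thread or from Sophos: it parses timestamps out of log lines, reports the median interval between repeats, the implied hourly rate, and any pause longer than a threshold (the 27-minute gap mentioned above would show up here). The sample lines are constructed for illustration; the real Enterprise Console export has a different layout, so the regex and date format are assumptions to adjust.

```powershell
# Added example (not from the thread): profile a stream of repeated Device
# Control events from the timestamps of exported log lines. The log lines
# below are constructed; the real export format differs, so adjust the regex.

function ConvertFrom-EventTimestamps {
    # Pulls a leading 'yyyy-MM-dd HH:mm:ss.fff' timestamp out of each line (assumed layout).
    param([Parameter(Mandatory)] [string[]] $Lines)
    foreach ($line in $Lines) {
        if ($line -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})') {
            [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss.fff', $null)
        }
    }
}

function Get-RepeatEventProfile {
    param(
        [Parameter(Mandatory)] [datetime[]] $Timestamps,
        [timespan] $GapThreshold = [timespan]::FromMinutes(5)
    )
    $sorted    = $Timestamps | Sort-Object
    $intervals = for ($i = 1; $i -lt $sorted.Count; $i++) {
        ($sorted[$i] - $sorted[$i - 1]).TotalSeconds
    }
    # The median interval is robust to an occasional long pause in the stream.
    $median = ($intervals | Sort-Object)[[int][math]::Floor($intervals.Count / 2)]
    $gaps   = for ($i = 1; $i -lt $sorted.Count; $i++) {
        $d = $sorted[$i] - $sorted[$i - 1]
        if ($d -gt $GapThreshold) {
            [pscustomobject]@{
                From    = $sorted[$i - 1]
                To      = $sorted[$i]
                Minutes = [math]::Round($d.TotalMinutes, 1)
            }
        }
    }
    [pscustomobject]@{
        Events            = $sorted.Count
        MedianIntervalSec = $median
        EventsPerHour     = [math]::Round(3600 / $median)
        Gaps              = @($gaps)
    }
}

# Constructed sample: repeats every 2.6 s, a 27-minute silence, then the repeats resume.
$start  = [datetime]'2016-03-07T09:00:00'
$format = '{0:yyyy-MM-dd HH:mm:ss.fff}  Device Control  Epson WF-3520DWF  set to read-only'
$constructedLines = @(
    0..9 | ForEach-Object { $format -f $start.AddSeconds($_ * 2.6) }
    0..9 | ForEach-Object { $format -f $start.AddMinutes(27).AddSeconds($_ * 2.6) }
)

$summary = Get-RepeatEventProfile -Timestamps (ConvertFrom-EventTimestamps $constructedLines)
$summary | Select-Object Events, MedianIntervalSec, EventsPerHour   # 20 events, 2.6 s, ~1385/hour
$summary.Gaps | Format-Table                                         # one gap of about 26.6 minutes
```

A steady sub-3-second median with no variance is the signature of a software loop (one component changing the device state and Device Control immediately reverting it), whereas a human plugging and unplugging media would show irregular intervals; the gaps list is where to look for correlation with sleep, reboots, or scheduled tasks.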

  • It's an Epson WorkForce WF-3520DWF

  • Hi,

    I would suggest raising a case with Support supplying the following information:

    1. Unplug the USB cable connected to the printer from the computer.

    2. Follow: https://community.sophos.com/kb/en-us/113594 to enable debug logging of Sophos Device Control.  
    Note: It is worth checking that you're getting extra logging in: "%ProgramData%\Sophos\Sophos Data Control\logs\DataControl.txt" once done.

    3. Start Process Monitor https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx capturing, ensure that the System process is removed from the filter.

    4. Plug in the USB cable.  I assume you then see one or more drives appear in Explorer.

    5. Leave both Process Monitor and Device Control Logging for a while, maybe 2-3 minutes in order to generate the repeat events.

    6. When the time is up:

    • Stop Process Monitor capturing and save all events as a .pml file.  Ensure nothing is excluded.
    • Stop the SAVService.
    • Make a note of the drive letters that appeared in Explorer, I assume something like E, F and G.
    • Run Sophos SDU (community.sophos.com/.../33533) to create a ZIP file of logs.

    Contact Support and provide:

    1. Logfile.pml

    2. The SDU zip file (this should contain the datacontrol.txt file and the RMS logs as evidence of the events but might be worth checking).

    3. Details of the drive letters created, although it should be obvious from the traces.

    You can then disable Device Control logging.

    I hope it helps.

    Regards,
    Jak
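The capture steps above can be driven from an elevated PowerShell prompt so the timing and the "is the log actually growing" check are not left to memory. This is an added example and not code from the thread or from Sophos. It assumes Process Monitor has been downloaded to C:\Tools\Procmon.exe, that the capture is written to C:\Temp\Logfile.pml (both paths are assumptions), and that Device Control debug logging has already been enabled by following the KB article in step 2. Running SDU stays a manual step.

```powershell
# Added example (not from the thread or from Sophos): drive the Process Monitor
# capture and the Device Control log check from an elevated prompt.
# Assumed paths: Procmon.exe under C:\Tools, capture file under C:\Temp.
# Assumes Device Control debug logging was already enabled per the KB article.

$Procmon  = 'C:\Tools\Procmon.exe'
$Capture  = 'C:\Temp\Logfile.pml'
$DcLog    = Join-Path $env:ProgramData 'Sophos\Sophos Data Control\logs\DataControl.txt'
$Duration = [timespan]::FromMinutes(3)

function Test-DeviceControlLogging {
    # Confirms the debug log is growing before the capture is relied on.
    param([Parameter(Mandatory)] [string] $Path, [int] $WaitSeconds = 30)
    if (-not (Test-Path $Path)) { return $false }
    $before = (Get-Item $Path).Length
    Start-Sleep -Seconds $WaitSeconds
    return ((Get-Item $Path).Length -gt $before)
}

function Get-RemovableDriveLetters {
    # DriveType 2 = removable; this is what the printer's card reader and USB host sockets present as.
    (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2').DeviceID
}

Read-Host 'Unplug the printer USB cable from the computer, then press Enter' | Out-Null
New-Item -ItemType Directory -Force -Path (Split-Path $Capture) | Out-Null

# Write events straight to a backing file. /Quiet skips the filter dialog; the
# display filter (which excludes the System process by default) does not remove
# events from the backing file unless "Drop Filtered Events" has been turned on,
# so the saved .pml still contains everything Support asked for.
Start-Process -FilePath $Procmon -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$Capture`""

Read-Host 'Plug the USB cable back in, wait for the drives to appear, then press Enter' | Out-Null
$drives = Get-RemovableDriveLetters
"Removable drive letters seen: $($drives -join ', ')"

if (-not (Test-DeviceControlLogging -Path $DcLog)) {
    Write-Warning "$DcLog is not growing; re-check that debug logging was enabled before continuing."
}

# Let the repeat events accumulate, then stop the capture and the AV service.
Start-Sleep -Seconds $Duration.TotalSeconds
Start-Process -FilePath $Procmon -ArgumentList '/Terminate' -Wait
Stop-Service -Name SAVService

# Next: run SDU to build the log ZIP, then send Support $Capture, the ZIP and the drive letters above.
```

Because the backing file is written by Process Monitor itself rather than saved from the GUI, there is no "save all events" step to forget; the only thing to verify afterwards is that the .pml is non-trivially sized and that DataControl.txt inside the SDU ZIP covers the same minutes as the capture.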

  • Hi,

    This appears to have resolved itself rather unexpectedly. Our server support company installed an overdue Service Pack for SQL Server. Since that was completed things have returned to normal.

    Thanks again to everyone for their suggestions.

    Stephen.