Setting up a new Peripheral control policy

I have been tasked with setting up a new peripheral control policy to restrict access to removable storage devices. The access has been set to "control access by peripheral type and add exemptions". Our secure removable devices have been set up to "allow" and we are able to copy to and from and write to files stored on encrypted USB keys.

The issue we have run into relates to removable storage devices. The policy is set to "Read only" and we are not able to edit a file on the removable storage. But we are able to copy to and from the removable storage. I need to be able to prevent the movement of files on and off of unencrypted storage.

My hunch is that this could be controlled with the use of an additional data leak protection policy. We are currently using UEFI secure boot across all machines and found we were getting similar issues covered in the following link. As a workaround we disabled our "default" data control policy, which resolved this issue.

community.sophos.com/.../120861

Has anyone had to configure a similar scenario?

Thanks

Kevin

  • Hello Kevin,

    this is not exactly Intercept X, is it? As far as behaviour is concerned it would fit Endpoint, the product is - I assume - Central.

    Now, the cited article mentions only DLP and BOPS but not Peripheral Control. The latter works by disabling or configuring a device accordingly, it does not act on a file level.
    prevent the movement of files on and off
    Read only is exactly this - it permits reading and thus a copy from a device. If you want no movement at all why don't you Block this category? It should not permit a copy to the device, that's definitely not how it's supposed to work. Just tested with a run-of-the-mill stick, paste first asks for administrator permissions and then nevertheless fails.

    Christian 

  • In reply to QC:

    Hi Christian

    We are indeed using Central Admin.  So in essence, what I am trying to achieve is not really an option with peripheral protection.  A read option provides the level of access required to copy and paste files to and from the stick.

    Thanks

    Kevin

  • In reply to kevin Whiteman:

    Hello Kevin,

    no, read only should not allow a copy to (and, as said, I have not been able to paste onto a device that had a read only policy applied).

    Christian

  • In reply to QC:

    Hi Christian

    Apologies for my slightly mangled thinking but we are only trying to prevent a copy to (paste to the USB). Even with the read only policy applied we are still able to paste from another disk onto the device. Writing to existing files on the USB disk is blocked though. I have revoked and restored the policy but it still results in the same behaviour.

    Thanks

    Kevin

  • In reply to kevin Whiteman:

    Hello Kevin,

    able to paste [... w]riting to existing files [...] blocked
    hm, sounds strange. Can you create a new file with Explorer? And can you delete existing files?

    Christian

  • In reply to QC:

    Hi Christian

    I can create a new .txt file via Explorer. But if I edit it and save it, I am not permitted. Files can also be deleted.

    Thanks

    Kevin

  • In reply to kevin Whiteman:

    Hello Kevin,

    this is definitely not the expected behaviour. BTW - which Windows version(s)?
    If you set the policy to Block for the non-secure devices - is the device indeed disabled? This would show that the policy is correctly applied. If so, then there's a problem with permitting read only - or rather disallowing write. Dunno how the Central version interacts with the user but I assume Device Control also pops up the balloon telling about its intervention when you insert the device (or change the policy).

    Christian

  • In reply to QC:

    Christian

    We are seeing this behaviour in both Windows 7 and Windows 10 1709. I changed the policy to block and it performs as expected. You are correct regarding device control in that interventions are displayed.

    I have a call in the system with Sophos so will see what they can unearth.

    Thanks

    Kevin

  • In reply to kevin Whiteman:

    Hello Kevin,

    a call in the system with Sophos
    that would have been my suggestion. So it's not Windows 10 (I've only tested on Windows 7 Enterprise). As I'm curious I'd appreciate it if you could follow up when it's (hopefully) solved.

    Christian

  • In reply to QC:

    Christian

    I will keep you up to date on any developments.

    Kevin

  • Hi Everyone,

    The issue reported in this thread is resolved once the other peripheral exception policies are removed and a single policy with a read-only rule is applied to the client.
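A way to check which of the operations discussed in this thread (create, edit, copy onto, delete) a Read only rule actually stops on a given stick, as an added PowerShell example that is not part of the thread and not Sophos code. It assumes an unencrypted test stick mounted at the drive letter passed in and only writes its own throwaway files; run it before and after consolidating to a single policy to confirm the fix.

```powershell
# Added example: probe a removable drive to see which write operations the
# peripheral-control "Read only" rule blocks. Assumed usage:
#   .\Test-RemovableWrite.ps1 -Drive E:
param(
    [Parameter(Mandatory = $true)]
    [string]$Drive                 # assumed test stick, e.g. 'E:'
)

$root    = Join-Path $Drive '\'
$new     = Join-Path $root 'pc-test-new.txt'
$staged  = Join-Path $env:TEMP 'pc-test-copy.txt'   # source file on the local disk
$copied  = Join-Path $root 'pc-test-copy.txt'
$results = [ordered]@{}

# Run one operation and record whether the OS let it happen.
function Invoke-Probe {
    param([string]$Name, [scriptblock]$Action)
    try {
        & $Action
        $script:results[$Name] = 'ALLOWED'
    } catch {
        $script:results[$Name] = "BLOCKED ($($_.Exception.GetType().Name))"
    }
}

# Constructed sample content to copy onto the device.
Set-Content -Path $staged -Value 'constructed sample content' -ErrorAction Stop

# The cases Christian asked about and Kevin reported on.
Invoke-Probe 'Create new file'       { New-Item -Path $new -ItemType File -ErrorAction Stop | Out-Null }
# If the create above was blocked, this edit is itself a fresh write and should be blocked too.
Invoke-Probe 'Edit existing file'    { Add-Content -Path $new -Value 'edited' -ErrorAction Stop }
Invoke-Probe 'Copy file onto device' { Copy-Item -Path $staged -Destination $copied -ErrorAction Stop }

# Only try to delete what was actually written, so a missing file is not misread as a block.
$targets = @($new, $copied) | Where-Object { Test-Path $_ }
if ($targets.Count -eq 0) { $results['Delete file'] = 'SKIPPED (nothing was written)' }
else { Invoke-Probe 'Delete file' { Remove-Item -Path $targets -ErrorAction Stop } }

Remove-Item -Path $staged -ErrorAction SilentlyContinue

# Under a working Read only rule every line should read BLOCKED; an ALLOWED
# line is the gap described in this thread and points at overlapping policies.
$results.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
```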