Re: Erroneous Device Control alerts

I have the Device Control setup to alert (via email) when a write event occurs on any USB drives.  This allows us to monitor the writing to removable media.  But, we are getting alerts when no files have changed.  We have disabled AutoPlay, and I have confirmed that no files have changed on the device (by reviewing the 'Date Modified' on the files).

We are using Windows 7, Windows Vista, and Windows XP Clients with Sophos Endpoint Security and Control 10.0 (Device Control 10.0.10).

I think this might be caused by the Windows OS updating the LastAccessTime in the NTFS filesystem.  Has anyone else tried to do this?  Is there a better way to tell when a file has been written to a removable device?

Hello TEWhite,

as you've seen any write including meta-data triggers an event. Anyway - even if it would trigger only on "real" writes it would just indicate that a write occurred but nothing else. I've played a little and Data Control might suit your need better. A simple file rule with a single wildcard (*) for the name and Removable storage as destination should do.

Warning: When in logging only mode neither Device nor Data Control will send an email alert (or a console event) for every detection. Thus if you write several files within a short time you get an email only for the first (although the others are written to the log) - at least that's what I've observed. Logging only mode is not really a monitoring tool but IMO rather for assessing (the probable impact on) your environment before you deploy blocking rules.

Christian
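
As an added example (not from this thread and not Sophos tooling), one way to confirm whether a Device Control write alert corresponds to an actual content change is to baseline the removable drive and compare content hashes and LastWriteTime after an alert, since a last-access-time update changes neither. It assumes PowerShell 2.0 or later; the drive letter E: and the baseline path C:\DeviceControl are assumptions.

```powershell
function Get-DriveSnapshot {
    # Record length, LastWriteTime and SHA-256 of every file; LastAccessTime is deliberately ignored.
    param([Parameter(Mandatory=$true)][string]$Root)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $snap = @{}
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $stream = $null
            try {
                $stream = [System.IO.File]::OpenRead($_.FullName)
                $hash = [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', ''
            } catch {
                $hash = 'UNREADABLE'   # locked or unreadable file; still tracked by path
            } finally {
                if ($stream) { $stream.Close() }
            }
            $snap[$_.FullName] = @{ Length = $_.Length; LastWrite = $_.LastWriteTimeUtc; Hash = $hash }
        }
    return $snap
}

function Compare-DriveSnapshot {
    # Report added, deleted and content-modified files between two snapshots.
    param($Before, $After)
    $changes = @()
    foreach ($path in $After.Keys) {
        if (-not $Before.ContainsKey($path)) { $changes += "ADDED    $path"; continue }
        if ($Before[$path].Hash -ne $After[$path].Hash) { $changes += "MODIFIED $path" }
    }
    foreach ($path in $Before.Keys) {
        if (-not $After.ContainsKey($path)) { $changes += "DELETED  $path" }
    }
    return $changes
}

# Step 1: take a baseline when the device is attached (assumed drive letter and path).
$baseline = Get-DriveSnapshot -Root 'E:\'
$baseline | Export-Clixml -Path 'C:\DeviceControl\E-baseline.xml'

# Step 2: after an alert fires, re-scan and compare against the stored baseline.
$before = Import-Clixml -Path 'C:\DeviceControl\E-baseline.xml'
$after  = Get-DriveSnapshot -Root 'E:\'
$diff   = Compare-DriveSnapshot -Before $before -After $after
if ($diff.Count -eq 0) { 'No content changes: the alert was metadata-only.' } else { $diff }
```

Reading the files to hash them can itself update LastAccessTime on volumes where that is enabled, so expect the scan to raise the same kind of metadata-only event the thread describes.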
