Hi
I think this may be designed behaviour but thought I would check [:)]
I set-up a policy for Device Control with the 'Enable monitoring mode' enabled and all 'Access Policy' options set to 'Allow'.
Once the policy was applied to my Endpoint I received three detection alerts for my Floppy disk drive, CD Rom and a USB device that was already plugged into the Endpoint. I then removed the USB device.
I then changed the policy by unticking the 'Enable monitoring mode' and setting the 'Access Policy' for 'Removable Storage' to 'Deny'.
On the Endpoint I inserted the USB device and received the pop-up window advising it was blocked. However, I did not receive a 'Medium' alert in the Dashboard for this device. I then checked the Reports section and saw the alert was listed.
As a test I inserted a new device and this time a Medium alert did appear in the dashboard.
Is this because we know the administrator has made a decision to block this type of device (since it had already been alerted) so we only log it to the Reports section and not the Dashboard? Or should we be alerting (to the dashboard) on a blocked device every time it is inserted whether it's been detected before or not?
Guest User!
You are not Sophos Staff.