USB Device Control Problems
Running 3.6.34. I started to play with this feature and am disappointed so far. My big issue is the very long time the policy changes take to go into effect, and am wondering if I am doing something wrong, though pretty sure not since the policy eventually took effect. First, I added a policy to block all USB devices. No effect, recognized anything I plugged in, even after doing an apply policy change from both Capture Client and Capture Client Management. Messed around for a while, gave up for the day (Friday) and on Monday happened to reinsert the thumb drive to actually use it for something, and voila, blocked with pop-up from CC! Okay, got back to play, using the device info in the log, did an allow of that device based on its serial number. No dice, even after applying policy from client and management side. Tried it also by vendor and product IDs, still no love on Valentine's Day. I suspect later tonight or tomorrow it may take effect, but that is totally unacceptable. (update - worked 45 min later when I tried - still unacceptable) If a manager needs to whitelist something for a user it needs to take effect NOW, not tomorrow! Help!
As a related question, without involving device control at all, doesn't Capture Client have the smarts to scan a USB storage device that gets plugged in? If it can't then that's pretty sad, as that's been a basic function of antivirus programs going back 20+ years. If it can scan the device then what's the point of device control, since Capture Client has it covered?
Answers
Yesterday I had the same with the CEO, who has a new stick in use. Found the stick in the logs and set it to allow. But it keeps blocking this new stick.
With your experience here I must confirm I now noticed both PCs are using 3.6.34.
Older versions didn't have this issue!
—Thomas
Ah, so they broke it! I hope they're aware of the issue, as I don't feel like going through the pain involved in contacting support.
CC seems to ignore the policy updates for USB control since 3.6.34.
—Thomas
I had some back and forth with support. They were not aware of problems with policies updating in 3.6.34, but offered to work with my setup to investigate. He did state that changes can take up to an hour, and when I asked if this was true even when clicking Update Policy on the client side his response was ambiguous.
Also, I asked what is the behavior of CC when you plug in a data device, with no device control configured. As I hoped to hear, SentinelOne will monitor the device for malicious activity, basically fully protect. Then what, may I ask, is the point of even blocking USB devices if they can't spread malware anyway?
His first response:
"Also for the second question when you insert the USB data source into host capture client will not scan the USB drive but SentinelOne sits on the Drivers of the USB and all peripherals, if a malicious activity is found either by cloud intelligence or background process it will be blocked by capture client hence will keep the host protected."
After I asked for clarification on some points:
"Also for the second question even when you insert the infected host your endpoint will be secured because if the infected endpoint does any malicious activity the SentinelOne cloud intelligence will block it and also you can run the manual scan as well."
Hope this helps.
I will add that my usage of the USB blocking is to have an overview of the usage of unconsolidated and unallowed media.
I'm beginning to test this functionality out as well. What I am trying to find out is if allowing a USB device from the primary group will override a "block all" setting in another group. For instance, I'm testing the block all functionality within a test group with one system. If I go to allow the drive based off of the activities tab, it allows the device in the primary group policy, not the test group.
Having this delay in policies applying really hinders my ability to test functionality, and in a worst case scenario when someone needs something quickly, my desire to deal with any sort of issues that arise from this delay...
We're running CC 3.7.5 and I'd be curious if these issues are just on 3.6.34 or if they haven't even acknowledged the issue to begin with.