This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ZESService failed to disable USB Mass Storage Device while AV Scan is running

We noticed that the "ZESService" is not able to deactivate a USB mass storage device when an antivirus solution is scanning it.

ZES Agent Version 20.1.0.299

AV Solution: ESET Endpoint Antivirus Version 7.2.2055.0

After the scanning is finshed the devices will be disabled.

The security risk is available if the USB mass storage device contains very many files.
The device is thus accessible.

Is there a solution that ZES gets access to the device before the antivirus solution?

best regards

Andre

(The full log is available - if someone need it)

Parents
  • 0  

    Supposedly, the 2nd time a USB Device is inserted, it can be fully identified w/o the drive fully initializing.  The initial insert for a usb device requires more initialization to get sufficient details used to determine if it should or should not be blocked.  

    Clearly, ESET wants to grab the device and scan it w/o delay so it can ensure it is safe so it will be locking the files as fast as it programmatically can do so.  ZESM will be trying to do the same thing on the initial insert of the usb device on a given machine.  I'm not sure ZESM will always be able to win.  I know if there are open locks Windows will not allow the device to be disabled and most certainly ESET has protections against its processes locking the files from being terminated.

     I'm not sure if ESET has a setting to delay the scanning of an inserted device, which may help.  I'm not sure that is a setting they would want and even in your setup, that could open a hole on USB devices that are allowed.

    --

    How are you trying to limit the use of USB devices with ZESM?  Trying to block end-users from ALL Thumbdrives?  Permit Certain ones?  etc....

    Depending on your goal, I may be able to think of some workarounds.  

     

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks

  • 0 in reply to   

    USB devices are generally permitted in the ZESM policy.
    The default device access is "Disabled".
    Device Group Access Settings:
    - HID: Enabled
    - Mass Storage Class: Disabled
    - Printing Class: Enabled
    - Scanning/Imaging (PTP): Enabled

    And a list of 60 devices enabled.

    best regards

    Andre

  • 0   in reply to 

    Based on the USB USB Connectivity policy to disable USB attached storage drives, I  would expect that ZESM to attempting to Disable the USB attached  storage drive and  for multi layer policy enforcement set the File system and DAC drivers to block all access.      With the File System and DAC drivers blocking all drive access the User should not be able to Read, Write or Execute any files from the USB drive.   

     A storage device control policy is the preferred way of controlling, Read/Write, Read Only and Disabled access control settings for USB Storage devices.

    If a user is still able to access/launch programs while being scanned by AV, you may want to open an SR and we can have the issue examined.

     

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks

Reply
  • 0   in reply to 

    Based on the USB USB Connectivity policy to disable USB attached storage drives, I  would expect that ZESM to attempting to Disable the USB attached  storage drive and  for multi layer policy enforcement set the File system and DAC drivers to block all access.      With the File System and DAC drivers blocking all drive access the User should not be able to Read, Write or Execute any files from the USB drive.   

     A storage device control policy is the preferred way of controlling, Read/Write, Read Only and Disabled access control settings for USB Storage devices.

    If a user is still able to access/launch programs while being scanned by AV, you may want to open an SR and we can have the issue examined.

     

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks

Children
  • 0   in reply to   

    Hi Criag,

    that´s interesting situation with USB Connectivity policy vs. Storage Device Control policy. Are there more examples of choosing some policy instead of other ? Because I was in same position as Andre, customer asked for disabling access to USB flash drives and I used the USB Connectivity policy. 

    David