7 Replies Latest reply on Jul 14, 2015 8:33 AM by curtisi

    LEM USB Defender False Positives

    shanegibeault

We use USB Defender to ensure that employees working in HIPAA areas aren't able to leave with customer information.  Normally it works great.  We've whitelisted all the scanners, printers, and USB devices that are normal to use, so we normally don't get any alerts.  For some reason, sporadically we'll get a USB Defender alert for an attached then detached Apple iPhone.  It's always with the same user, and always shows the detection time 30 days prior to the alert.  We've verified the employee doesn't have an iPhone, and her phone is left in the lockers outside of the HIPAA area during her shift.  Does anyone know why this very specific false positive pops up every 2-4 weeks?  Any time we test USB Defender it automatically alerts us, and we know it's working.  Why does this alert show a detection time 30 days ago, but the alert only pops up 30 days late?  Is there any way other than whitelisting iPhones to prevent this false positive? Obviously we can't whitelist iPhones.

        • Re: LEM USB Defender False Positives
          curtisi

          USB Defender creates events in the Windows Application log when devices are attached and detached.  Can you check the logs on the origination machine to see what's happening?

           

          If I look in my Application log, I see events like this when I connect my phone:

           

          Log Name:      Application

          Source:        TriGeo USB-Defender

          Date:          7/6/2015 9:44:12 AM

          Event ID:      32003

          Task Category: None

          Level:         Information

          Keywords:      Classic

          User:          DOM\user.user

          Computer:      hostname.fqdn.dom

          Description:

          USB Device Attached

          Device ID: USB\VID_04E8&PID_6860\129ADAF8

          Serial number: 129ADAF8

          Device name: \\?\usb#vid_04e8&pid_6860#129adaf8#{a5dcbf10-6530-11d2-901f-00c04fb951ed}

          Device path: \\?\usb#vid_04e8&pid_6860#129adaf8#{a5dcbf10-6530-11d2-901f-00c04fb951ed}

          Friendly name:

          Description: SAMSUNG Mobile USB Composite Device

          Manufacturer: SAMSUNG Electronics Co., Ltd.

          Device setup class: USB

          Setup class guid: {36fc9e60-c465-11cf-8056-444553540000}

          ~~~~TRUNCATED~~~~

          Security descriptor: 

          Hardware IDs::

              USB\VID_04E8&PID_6860&REV_0400

              USB\VID_04E8&PID_6860

          Compatible IDs:

              USB\MS_COMP_MTP

              USB\Class_06&SubClass_01&Prot_01

              USB\Class_06&SubClass_01

              USB\Class_06

           

          It'd be interesting to know what the time-stamps in Windows on that log are.
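A way to answer the question just asked (what the Windows timestamps on those events are), as an added example that is not part of the thread or of the product: it pulls the TriGeo USB-Defender events logged around the alert's Detection Time on the origination machine and parses the fields shown in the sample event above. The provider name comes from that sample; the whitelisted vendor IDs in `$AllowedVids` are constructed placeholders.

```powershell
# Added example, not code from the thread or from SolarWinds: query the local Application
# log for TriGeo USB-Defender events around the "Detection Time" a LEM alert reports and
# parse the fields the sample event shows (first line = action, Device ID, Description).
# Assumptions: provider name 'TriGeo USB-Defender' as in the sample above;
# $AllowedVids is a constructed whitelist of USB vendor IDs (hex), not a real policy.
param(
    [datetime]$DetectionTime = (Get-Date).AddDays(-30),  # copy from the LEM alert
    [int]$WindowHours = 24,
    [string[]]$AllowedVids = @('04E8', '0461')           # constructed whitelist
)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'TriGeo USB-Defender'
    StartTime    = $DetectionTime.AddHours(-$WindowHours)
    EndTime      = $DetectionTime.AddHours($WindowHours)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    # Nothing logged locally around that time: the alert was not produced by this
    # machine's current log, which points at replayed agent queue data rather than
    # a live insertion.
    Write-Output "No USB-Defender events within ${WindowHours}h of $DetectionTime on $env:COMPUTERNAME"
    return
}

foreach ($e in $events) {
    $lines  = $e.Message -split "`r?`n"
    $action = $lines[0].Trim()                           # e.g. 'USB Device Attached'
    $vid = $null; $productId = $null                     # ($pid is reserved in PowerShell)
    if ($e.Message -match 'USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') {
        $vid = $Matches[1].ToUpper(); $productId = $Matches[2].ToUpper()
    }
    $desc = ''
    if ($e.Message -match 'Description:[ \t]*([^\r\n]+)') { $desc = $Matches[1].Trim() }

    # LagFromAlert shows how far the Windows timestamp is from the LEM Detection Time;
    # a large gap with Whitelisted=$false is the case worth raising with Support.
    [pscustomobject]@{
        TimeCreated  = $e.TimeCreated
        LagFromAlert = [math]::Round(($e.TimeCreated - $DetectionTime).TotalMinutes)
        EventId      = $e.Id
        Action       = $action
        VID          = $vid
        PID          = $productId
        Description  = $desc
        Whitelisted  = [bool]($vid -and ($AllowedVids -contains $vid))
    }
}
```

Run it on the user's workstation with the alert's Detection Time as `-DetectionTime`; an empty result for that window, while the alert keeps reappearing, supports the queued-data explanation given later in the thread.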

            • Re: LEM USB Defender False Positives
              shanegibeault

              Here is the log from the reported insertion date.

               

              USB Device Found at Service Start

              Device ID: USB\VID_0461&PID_4D0F\6&144D1DE3&0&1

              Serial number: 6&144D1DE3&0&1

              Device name: \\?\usb#vid_0461&pid_4d0f#6&144d1de3&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed}

              Device path: \\?\usb#vid_0461&pid_4d0f#6&144d1de3&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed}

              Friendly name:

              Description: USB Input Device

              Manufacturer: (Standard system devices)

              Device setup class: HIDClass

              Setup class guid: {745a17a0-74d3-11d0-b6fe-00a0c90f57da}

              Capabilities:

                  Lock supported: No

                  Eject supported: No

                  Removable: Yes

                  Dock device: No

                  Unique ID: No

                  Silent install: No

                  Raw device ok: No

                  Surprise removal ok: Yes

                  Hardware disabled: No

                  Nondynamic: No

              Configurations:

                  Disabled: No

                  Removed: No

                  Manual install: No

                  Ignore boot: No

                  Net boot: No

                  Reinstall: No

                  Failed install: No

                  Cannot stop a child: No

                  Can remove ROM: No

                  No remove at exit: No

                  Finish install: No

                  Needs forced configuration: No

                  Partial log configuration: No

              Driver software key: {745a17a0-74d3-11d0-b6fe-00a0c90f57da}\0026

              Service name: HidUsb

              Device address: 1

              Bus number: 0

              Bus type guid: {9D7DEBBC-C85D-11D1-9EB4-006008C3A19A}

              Device type:

              Enumerator name: USB

              Legacy bus type: 15

              Hardware location: Port_#0001.Hub_#0003

              Physical device object name: \Device\USBPDO-4

              Security descriptor:

              Hardware IDs::

                  USB\VID_0461&PID_4D0F&REV_0200

                  USB\VID_0461&PID_4D0F

              Compatible IDs:

                  USB\Class_03&SubClass_01&Prot_02

                  USB\Class_03&SubClass_01

                  USB\Class_03

            • Re: LEM USB Defender False Positives
              cscoengineer

The only time the detection time is different from the insertion time is when the agent loses connectivity to the manager.  Once the agent reestablishes connection, the queued data is dumped.

               

              Do you have an alert set up for agent disconnects?

              • Re: LEM USB Defender False Positives
                shanegibeault

The alert came up again today, so I was able to capture it to show you.  It's the same "Detection Time", but the insertion happens every 1-2 weeks with the same information.  I checked the Windows Event Viewer on the user's computer, and there is no record of this event even though the logs were still there dating back to 2012 when the employee started here.  The odd part is that the "Detection IP" shows coming from the company's old domain, even though we migrated a year ago.  I deleted all her logs just to see if maybe it was stuck somewhere.

                (attached screenshot: AppleLemEdit.PNG)

                  • Re: LEM USB Defender False Positives
                    curtisi

                    We have literally tens of thousands of agents deployed, and if there was something generally wrong, we'd know.  That said, it may be that there is a queue file from a network outage that wasn't handled properly a long time ago and the Agent is re-sending it?  Maybe Support could help with that.

                     

                    On that machine, is there anything in this location?

                     

                    C:\Windows\SysWOW64\ContegoSPOP\spop\q or C:\Windows\SysWOW64\ContegoSPOP\spop\q\CommDataQueue