12-10-2024 05:14 AM
Hello everybody,
if we block USB Drives/Windows drives our ClickShare (USB Screen Share Dongle) devices also get blocked.
But they don´t appear in the "Device Control Violations" list so we can´t exclude them from blocking.
We tried to exlude the path for the *.exe on the ClickShare but this seems not to work.
How can we exlude these ClickShare?
bstrgrds
12-10-2024 12:44 PM
Hi @D.Meyer, thanks for reaching us using the Live Community.
You can create permanent device exceptions under Endpoints - Policy Management - Extensions - Device Permanent Exceptions, you need to fill this fields in Common or Custom device types:
You should be able to get the product codes and serial numbers from the vendor.
If this post answers your question, please mark it as the solution.
12-18-2024 01:29 AM
Hello Again,
we tried this but the clickshare still get blocked and the block action can´t be seen unter "device violations".
12-18-2024 09:26 AM
Do you have any other kind of Alert in the XDR console? If the device is associated with an application in the system, this one may have some behavior that is suspicious for the XDR Agent and it's being blocked by a protection module.
12-20-2024 06:28 AM
Hello Jmazzeo,
unfortunately not. I see no incident related to this issue.
I looked at the "traps.log" File and found this:
2024/12/20T15:00:16.057+01:00 <Information> Computer [5124:7664 ] {trapsd:Main} ReportLowLevelEvent: 0x4040006a Data: 3A0000000100000002000000D42038815AE67755B84B8446C119897B0100000067E9364D25E3CE11BFC108002BE1031800000000000000000000
2024/12/20T15:00:16.057+01:00 <Information> Computer [5124:7664 ] {trapsd:DeviceControl} setting violation timer expiration to 0ms milliseconds
2024/12/20T15:00:16.057+01:00 <Information> Computer [5124:9816 ] {trapsd:AuditService:ThreadPool:DeviceControlViolations:} Audit: priority = 0, event_type = 11, body = {
"eventCategory": 57,
"bus": "usb",
"classGuid": "XXXXXXX",
"className": "disk"
It looks like the Device controll blocks it.
12-20-2024 10:36 AM
This is what I found, as we had the issue. We solved it with the support.
12-23-2024 11:33 PM
@D.Meyer If your agent version is 8.6.0, there's a bug where the agent will continue blocking the device despite that the exception is in place. On top of that, the agent will not report back the event - hence it'll not show in the device violation page. Try reach out to support to create a SUEX. We got the same problem and the SUEX is the only workaround so far. TAC told us that 8.6.1 should solve this issue.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
