USB protection exception for ClickShare USB device


L1 Bithead

Hello everybody,

 

If we block USB Drives/Windows drives, our ClickShare (USB Screen Share Dongle) devices also get blocked.

But they don't appear in the "Device Control Violations" list, so we can't exclude them from blocking.

We tried to exclude the path for the *.exe on the ClickShare, but this does not seem to work.

 

How can we exclude these ClickShare devices?

 

bstrgrds 

7 REPLIES 7

L5 Sessionator

Hi @D.Meyer, thanks for reaching us using the Live Community.

 

You can create permanent device exceptions under Endpoints - Policy Management - Extensions - Device Permanent Exceptions. You need to fill in these fields in Common or Custom device types:

 

jmazzeo_0-1733863406696.png

You should be able to get the product codes and serial numbers from the vendor.

 

If this post answers your question, please mark it as the solution.

 

JM

Hello Again,

 

We tried this, but the ClickShare still gets blocked and the block action can't be seen under "device violations".

 

 

 

 

Do you have any other kind of Alert in the XDR console? If the device is associated with an application in the system, this one may have some behavior that is suspicious for the XDR Agent and it's being blocked by a protection module.

JM

Hello Jmazzeo,

 

Unfortunately not. I see no incident related to this issue.

 

I looked at the "traps.log" file and found this:

 

2024/12/20T15:00:16.057+01:00 <Information> Computer  [5124:7664 ] {trapsd:Main} ReportLowLevelEvent: 0x4040006a Data: 3A0000000100000002000000D42038815AE67755B84B8446C119897B0100000067E9364D25E3CE11BFC108002BE1031800000000000000000000
2024/12/20T15:00:16.057+01:00 <Information> Computer [5124:7664 ] {trapsd:DeviceControl} setting violation timer expiration to 0ms milliseconds
2024/12/20T15:00:16.057+01:00 <Information> Computer  [5124:9816 ] {trapsd:AuditService:ThreadPool:DeviceControlViolations:} Audit: priority = 0, event_type = 11, body = {
"eventCategory": 57,
"bus": "usb",
"classGuid": "XXXXXXX",
"className": "disk"

 

It looks like Device Control blocks it.
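An added example, not part of the original posts and not Palo Alto Networks code: a small Python script that pulls Device Control audit records out of a local traps.log, so blocks that never reach the console can still be counted per bus and device class. The line layout is assumed from the excerpt quoted above, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the lines quoted in the post above (classGuid is redacted
# there as well, and the JSON body is cut off, so it is read field by field).
SAMPLE_LOG = """\
2024/12/20T15:00:16.057+01:00 <Information> Computer [5124:7664 ] {trapsd:DeviceControl} setting violation timer expiration to 0ms milliseconds
2024/12/20T15:00:16.057+01:00 <Information> Computer  [5124:9816 ] {trapsd:AuditService:ThreadPool:DeviceControlViolations:} Audit: priority = 0, event_type = 11, body = {
"eventCategory": 57,
"bus": "usb",
"classGuid": "XXXXXXX",
"className": "disk"
"""

# Assumed layout, inferred from the excerpt:
#   timestamp <level> host [pid:tid] {component} message
HEADER = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2}T\S+)\s+<\w+>.*?\{(?P<component>[^}]*)\}\s*(?P<msg>.*)$')
FIELD = re.compile(r'^\s*"(?P<key>[^"]+)"\s*:\s*(?P<val>"[^"]*"|[^,\s]+)\s*,?\s*$')
EVENT_TYPE = re.compile(r'event_type\s*=\s*(\d+)')

def device_control_audits(text):
    """Return one dict per DeviceControlViolations audit record in the log text."""
    records, current = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = None  # a new header line ends any record in progress
            if ("DeviceControlViolations" in header["component"]
                    and "Audit:" in header["msg"]):
                current = {"timestamp": header["ts"]}
                event_type = EVENT_TYPE.search(header["msg"])
                if event_type:
                    current["event_type"] = event_type.group(1)
                records.append(current)
        elif current is not None:
            field = FIELD.match(line)  # body lines such as "bus": "usb",
            if field:
                current[field["key"]] = field["val"].strip('"')
    return records

def summarize(records):
    """Count audit records per (bus, className) pair."""
    return Counter((r.get("bus", "?"), r.get("className", "?")) for r in records)

if __name__ == "__main__":
    for (bus, cls), n in summarize(device_control_audits(SAMPLE_LOG)).items():
        print(f"{n} audit record(s): bus={bus} class={cls}")
```
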

 

 

L4 Transporter

RFeyertag_0-1734719485624.png

RFeyertag_1-1734719745807.png

This is what I found, as we had the issue. We solved it with the support. 

L2 Linker

@D.Meyer If your agent version is 8.6.0, there's a bug where the agent will continue blocking the device despite the exception being in place. On top of that, the agent will not report back the event, hence it'll not show in the device violation page. Try reaching out to support to create a SUEX. We got the same problem and the SUEX is the only workaround so far. TAC told us that 8.6.1 should solve this issue.

AC

 

@Antony_Chan I am also facing the same issue on an endpoint running 8.6.0 and not on an endpoint running 8.6.1, so I can confirm that the new version solved the issue.

 

Also found this while checking Cortex Help Center:

MISSAKIDIS475991_0-1736357423073.png

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/8.6/Cortex-XDR-Agent-Release-Notes/Addressed-I...

 

Version 8.6.1 is scheduled for General Availability on January 20, 2025

 
