Respected Contributor.

ZESService failed to disable USB Mass Storage Device while AV Scan is running

We noticed that the "ZESService" is not able to deactivate a USB mass storage device when an antivirus solution is scanning it.

ZES Agent Version 20.1.0.299

AV Solution: ESET Endpoint Antivirus Version 7.2.2055.0

After the scan is finished, the device is disabled.

The security risk arises when the USB mass storage device contains very many files.
The device is thus accessible.

Is there a way for ZES to get access to the device before the antivirus solution does?

best regards

Andre

(The full log is available if someone needs it.)

Micro Focus Expert

Supposedly, the 2nd time a USB device is inserted, it can be fully identified w/o the drive fully initializing. The initial insert of a USB device requires more initialization to get sufficient details used to determine if it should or should not be blocked.

Clearly, ESET wants to grab the device and scan it w/o delay so it can ensure it is safe, so it will be locking the files as fast as it programmatically can do so. ZESM will be trying to do the same thing on the initial insert of the USB device on a given machine. I'm not sure ZESM will always be able to win. I know if there are open locks Windows will not allow the device to be disabled, and most certainly ESET has protections against its processes locking the files from being terminated.

I'm not sure if ESET has a setting to delay the scanning of an inserted device, which may help. I'm not sure that is a setting they would want, and even in your setup, that could open a hole on USB devices that are allowed.

--

How are you trying to limit the use of USB devices with ZESM?  Trying to block end-users from ALL Thumbdrives?  Permit Certain ones?  etc....

Depending on your goal, I may be able to think of some workarounds.  
--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
Respected Contributor.

USB devices are generally permitted in the ZESM policy.
The default device access is "Disabled".
Device Group Access Settings:
- HID: Enabled
- Mass Storage Class: Disabled
- Printing Class: Enabled
- Scanning/Imaging (PTP): Enabled

And a list of 60 devices enabled.

best regards

Andre

Micro Focus Expert

Based on the USB Connectivity policy to disable USB-attached storage drives, I would expect ZESM to attempt to disable the USB-attached storage drive and, for multi-layer policy enforcement, set the File System and DAC drivers to block all access. With the File System and DAC drivers blocking all drive access, the user should not be able to read, write or execute any files from the USB drive.

A storage device control policy is the preferred way of controlling the Read/Write, Read Only and Disabled access control settings for USB storage devices.

If a user is still able to access/launch programs while being scanned by AV, you may want to open an SR and we can have the issue examined.

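Before opening an SR, it helps to establish from the endpoint itself whether the drive is merely enumerated while the scan runs, or actually readable by the logged-on user. The script below is an added example for this thread, not code from the original posts and not ZENworks or ESET tooling. It uses only built-in Windows cmdlets (Get-PnpDevice, Get-CimInstance Win32_DiskDrive, Get-Partition, Get-ChildItem) and assumes it is run in an elevated PowerShell session on the affected machine; the function name Get-UsbStorageExposure and the "Exposed" field are mine, and the CM_PROB_DISABLED code 22 is the standard Configuration Manager problem code for a device disabled by policy or by hand.

```powershell
# Added example (not from the thread, not ZENworks/ESET code): audit the USB mass
# storage devices present on a Windows endpoint and report, per device, whether it
# is disabled at the PnP level and whether the current user can still read it.
# Assumes only built-in modules (PnpDevice, Storage, CIM); run elevated on the
# endpoint, once while the AV scan is in progress and once after it completes.

function Get-UsbStorageExposure {
    [CmdletBinding()]
    param(
        # When set, actually try to list the root of each mounted volume.
        [switch]$ProbeRead
    )

    # Win32_DiskDrive links a PnP instance ID (PNPDeviceID) to a disk number (Index).
    $drives = Get-CimInstance -ClassName Win32_DiskDrive

    # USBSTOR\* instance IDs are the disk nodes created by the USB mass storage driver.
    $report = foreach ($dev in Get-PnpDevice -Class DiskDrive -PresentOnly |
                  Where-Object InstanceId -like 'USBSTOR\*') {

        # ConfigManagerErrorCode 22 is CM_PROB_DISABLED: the node is present but
        # Windows has it disabled, which is what a "Disabled" device policy produces.
        $disabled = ($dev.ConfigManagerErrorCode -eq 22)

        # Resolve any drive letters Windows has already mounted from this disk.
        $drive = $drives | Where-Object PNPDeviceID -eq $dev.InstanceId | Select-Object -First 1
        $letters = @()
        if ($drive) {
            $letters = @(Get-Partition -DiskNumber $drive.Index -ErrorAction SilentlyContinue |
                Where-Object { $_.DriveLetter -match '^[A-Z]$' } |
                ForEach-Object { "$($_.DriveLetter):\" })
        }

        # Probe read access. A file system filter that blocks the volume surfaces as
        # an exception here; a successful listing means the files are reachable.
        $readable = $null
        if ($ProbeRead -and $letters.Count -gt 0) {
            $readable = $false
            foreach ($root in $letters) {
                try {
                    $null = Get-ChildItem -LiteralPath $root -Force -ErrorAction Stop
                    $readable = $true
                } catch { }
            }
        }

        [pscustomobject]@{
            Device     = $dev.FriendlyName
            InstanceId = $dev.InstanceId
            PnpStatus  = $dev.Status
            Disabled   = $disabled
            Volumes    = ($letters -join ' ')
            Readable   = $readable
            # The condition described in the thread: enumerated, not disabled, and readable.
            Exposed    = (-not $disabled) -and ($readable -eq $true)
        }
    }
    return $report
}

# Usage: run during the scan, again after it finishes, and compare the two tables.
Get-UsbStorageExposure -ProbeRead | Format-Table -AutoSize
```

If a row shows Disabled = False and Readable = True during the scan and Disabled = True afterwards, that is the window the first post describes and is worth attaching to the SR together with the ZESService log. A row with Disabled = False but Readable = False means the PnP disable lost the race with the scanner but the file system layer still blocked the user, which is the multi-layer behaviour the last reply expects.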