Jump to content

Problem with secure USB drives


mteehan

Recommended Posts

Hello,

 

We use IronKey secure thumb drives and their newest ones are having issues working with ESET Endpoint Security and Windows 7 (they work fine on XP).

 

I was wondering if anyone else has had a similar experience and found a solution.

We've already added exclusions for the IronKey executable as well as setting up the appropriate rules under Device Control to allow access.

 

If you look in the device control logs, it says the device was allowed but it does not work.

 

Any help would be appreciated.

 

Thanks.

 

 

Link to comment
Share on other sites

Hello mteehan

 

Have you tried disabling device integtration to see if that helps ? :)

 

If you have it integrated, have you verified the correct workgroups and or users have permissions ? Is this what you were referring to with rules ?

 

Thanks

Link to comment
Share on other sites

Hello,

 

I have tried a temporary disabling of device integration and that does not fix it.

 

We do have an AD group set up to allow access to USB drives and that group does have permissions for all removable media.

Link to comment
Share on other sites

  • Administrators

I have tried a temporary disabling of device integration and that does not fix it.

Did you also restart the computer? Device control integration remains active until the next restart / shutdown.

As for the issue, it could be a general problem with Ironkey that might not be possible to resolve. We'd need to get a Process monitor log for analysis to see what's going on. Therefore I'd suggest contacting customer care and opening a ticket who will help you create the log and will subsequently pass it to the engineers for analysis.

Link to comment
Share on other sites

mteehan,

 

It is safe to say; there was some kind of block or rule set for the drive letters.

Changing them bypassed the rule, or block, however it may return.

 

Let us know if it does.

Thanks for your follow up, and end resolution.

Link to comment
Share on other sites

We're still not 100% it seems. That solution worked for one user (or at least they have not complained yet) but my own drive is still not working correctly.

 

As I mentioned before, this is only a problem on Windows 7. Not sure why that would matter but XP users have no issues.

 

We have a "Removable Media" group set up that allows access to USB drives and I am a member of this group. We have no blocks in place that take priority over our allow rules. The device logs show nothing being blocked on my machine, only "allow" actions. 

Link to comment
Share on other sites

  • Administrators

Please create a Process monitor log from the moment you connect the Ironkey thumb drive to a computer and attempt to access it. When done, compress the log, upload it to a safe location and pm me the download link. Also run ESET Log Collector and send me the archive created, attached to a personal message.

Link to comment
Share on other sites

Thanks Marcos, I sent you the logs.

 

It actually worked today, once, on a new USB port. It hasn't worked since. I didn't change anything so I have no idea what made it work. Unfortunately I didn't have anything running at the time but maybe the ESET logs will show something useful.

Link to comment
Share on other sites

  • Administrators

Thank you for sending the logs. Please let me know which module / driver you must disable so that the problem doesn't occur. Try the following steps, one at a time, and after each step check if the problem occurs:

1, disable Device control integration and restart the computer

2, rename C:\Windows\System32\drivers\eamonm.sys in safe mode

3, rename C:\Windows\System32\drivers\ehdrv.sys in safe mode

Link to comment
Share on other sites

Disabling device control integration did not fix it.

Renaming eamonm.sys DID fix the problem.

I didn't bother renaming ehdrv.sys since the previous step worked.

 

So I guess now I need a solution somewhere in the middle. Any thoughts?

Link to comment
Share on other sites

So I just did this:

  • Disabled real-time protection via the GUI
  • Plugged in the drive
  • It didn't work
  • Restarted my computer
  • Disabled real-time protection via the GUI
  • Plugged in the drive
  • It worked
  • Unplugged the drive
  • Plugged it back in again (real-time still disabled)
  • Now it doesn't work again

 

When real-time was disabled after renaming eamonm.sys I did try the drive multiple times so I know it did work reliably in that case.

Link to comment
Share on other sites

  • Administrators

Could you please install the latest ESS v7 (for home users) on such computer for a test and disable "Removable media access" in the real-time protection setup? Let me know if it solves the issue.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...