Anyway to see which Device Control Rule is Blocking or Allowing


Is there any way to see in the logs which rule is blocking or allowing devices?

I am having difficulty troubleshooting Device Control as it seems to be quite temperamental. I had it all working fine after some issues with it, which were resolved by recreating the rules exactly the same as before. 

We have now rolled ESET out with a few different rules, but when trying to add a new device, it doesn't seem to be getting allowed. I don't want to have to delete it and recreate it every time, so I am wondering if I can see in the logs which rule is being activated, so I can make sure it's not conflicting with another one.


  • Administrators

Did you check the Device Control logs for details? There you should see which of the rules blocked a particular device.


Just now, Marcos said:

Did you check the Device Control logs for details? There you should see which of the rules blocked a particular device.

Yes, and it's not there that I can see...

I have looked on the user's machine and enabled diagnostic logs and pulled them to the server; neither of them shows it.


  • Administrators

Do you mean that you don't have any records like this in your Device Control log on the endpoint?

image.png


29 minutes ago, Marcos said:

Do you mean that you don't have any records like this in your Device Control log on the endpoint?

image.png

No, I do have that.

I am blocking and allowing using Device Groups per group of users. Some users have more devices that need allowing, like our Accounts department. So I want to see which rule/device groups are blocked, not single devices like 'Disk Storage', as I can't tell if, for example:

"Accounts Devices Allow" Rule is working

or 

"Block All Devices" Rule is taking over

At the moment, no devices are working in the Accounts group when I set user or group permissions, but if I remove them and have it on allow all (blank), they are allowed, but everything else is blocked as per my "Block All Devices" rule.

This is no good, because it means everyone can use the devices in that current rule.

BUT

I can't tell which rule is working or not by it just saying 'Allowed' or 'Blocked' and the 'Device', because I also have other rules in place, other than the ones mentioned.

I hope that makes sense, as I feel like I struggled to explain it properly. It seems more complicated than it should be, but I'm not doing anything crazy; I'd assume it's a fairly basic setup. Screenshots below:

Accounts Device Group

Device groups.png


This rule has users assigned to it. I also tried the same users in a group; neither worked.

Doesnt work with users.png


This is exactly the same rule, but with no users assigned (blank), and it works.

Does work no users.png

This rule blocks everything for all users and is at the bottom of the list. User list is empty, works fine.

block all.png

Edited by Alexlsx86

  • Administrators

If you want to log when a rule is applied, use the warning or informative logging severity. However, "informative" records are not sent to ESET PROTECT.

Rules are applied in the order in which they appear in the list. The first rule that hits the condition is applied.

When rules are applied via an ESET PROTECT policy, you can choose if the policy rules will replace existing rules on endpoints, or if they will be appended or prepended to the existing rules.

Since there seems to be a problem with rules that have users assigned, I'd recommend raising a support ticket for further troubleshooting.

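The first-match evaluation and the replace/append/prepend merge described in the reply above, as an added Python model written for this thread (not ESET's code or data structures). Rule names mirror the thread; the `Rule` fields, the "empty user list means everyone" convention and the behaviour when no rule matches are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Hypothetical model of one Device Control rule (assumption, not ESET's structure)."""
    name: str
    device_group: str               # device group the rule targets, or "Any"
    action: str                     # "allow" or "block"
    users: frozenset = frozenset()  # assumption: empty set = applies to every user


def matches(rule: Rule, device_group: str, user: str) -> bool:
    """A rule hits only when both its device-group and its user condition hold."""
    if rule.device_group not in ("Any", device_group):
        return False
    return not rule.users or user in rule.users


def evaluate(rules, device_group, user):
    """First match wins: later rules are never consulted once one has hit."""
    for rule in rules:
        if matches(rule, device_group, user):
            return rule.name, rule.action
    return None, "no-rule"  # assumption: no-match behaviour is not modelled here


def trace(rules, device_group, user):
    """Per-rule verdicts: the 'which rule actually fired' view the thread asks for."""
    out, decided = [], False
    for rule in rules:
        if decided:
            out.append((rule.name, "not reached"))
        elif matches(rule, device_group, user):
            out.append((rule.name, f"HIT -> {rule.action}"))
            decided = True
        else:
            out.append((rule.name, "skipped"))
    return out


def merge_policy(existing, policy_rules, mode):
    """Replace / append / prepend choice for policy rules vs. rules already on the endpoint."""
    if mode == "replace":
        return list(policy_rules)
    if mode == "append":
        return list(existing) + list(policy_rules)
    if mode == "prepend":
        return list(policy_rules) + list(existing)
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample rules mirroring the thread's setup (user names are made up).
ACCOUNTS_ALLOW = Rule("Accounts Devices Allow", "Accounts Devices", "allow", frozenset({"alice"}))
ACCOUNTS_ALLOW_ANYONE = Rule("Accounts Devices Allow", "Accounts Devices", "allow")
BLOCK_ALL = Rule("Block All Devices", "Any", "block")
```

Running `trace([ACCOUNTS_ALLOW, BLOCK_ALL], "Accounts Devices", "bob")` shows the allow rule skipped because of its user condition and "Block All Devices" taking over, which is the symptom the thread describes; with `ACCOUNTS_ALLOW_ANYONE` in its place every user is allowed.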

5 minutes ago, Marcos said:

If you want to log when a rule is applied, use the warning or informative logging severity. However, "informative" records are not sent to ESET PROTECT.

Rules are applied in the order in which they appear in the list. The first rule that hits the condition is applied.

When rules are applied via an ESET PROTECT policy, you can choose if the policy rules will replace existing rules on endpoints, or if they will be appended or prepended to the existing rules.

I had it on warning, I turned it onto diagnostic to see if it would show up, which it didn't. It doesn't show on either.

So if the rule meets a condition, it won't move down to the next rule at all? It will stop there?

Where is the setting in the policy in ESET PROTECT to change the append or prepend rules (sorry, not anywhere near a computer ATM)? Maybe that's something I need to change too...


  • Administrators
2 minutes ago, Alexlsx86 said:

So if the rule meets a condition, it won't move down to the next rule at all? It will stop there?

Correct.

2 minutes ago, Alexlsx86 said:

Where is the setting in the policy in ESET PROTECT to change the append or prepend rules (sorry, not anywhere near a computer ATM)? Maybe that's something I need to change too...

image.png

The first drop-down menu specifies how the rules are handled with regard to rules that might be defined in other policies, the second one defines how the rules are handled with regard to rules that might exist on endpoints.


17 hours ago, Marcos said:

Correct.

image.png

The first drop-down menu specifies how the rules are handled with regard to rules that might be defined in other policies, the second one defines how the rules are handled with regard to rules that might exist on endpoints.

I already had those on replace.

So, it doesn't look like I can actually see the ACTUAL rule that's being applied in the logs then, just that it's either blocking or allowing and which device?
