mccracker
Level 7

DLP - Multiple events getting generated in an exponential rate.

End point product: Data Loss Prevention 9.3.200.23

ePO Server: 4.8

Client OS : Windows 7

Total Client: ~5000

Problem:

Events are getting generated at an exponential rate even when not all the clients are running.

The eventIDs are not duplicates, they are all individual events.

One client (system) is assigned per user; it is not like multiple users are using one system.

It seems like every 10-11 seconds an event is getting created.

The Mode is in "Monitor".

At first I thought it was working as intended, but when we are getting events (simply plug/unplug) every 10-11 secs from one computer (for example), it does not seem usual.

Is there anything in particular I should check in the Rules?

I'm fairly new to this field; any thoughts will be much appreciated, and pardon any confusion.

Thanks.

8 Replies
bphang
Level 10

Re: DLP - Multiple events getting generated in an exponential rate.

What events are you getting ?

0 Kudos
mccracker
Level 7

Re: DLP - Multiple events getting generated in an exponential rate.

The events are "plug/unplug" events.

When a user plugs in a USB device, an event is generated.

Also when a device is unplugged.

Which is fine because that's how it should behave but what's unusual is why these events are created so many times with unique eventIDs when the user is not plugging or unplugging that many times in reality.

Thanks.

0 Kudos
bphang
Level 10

Re: DLP - Multiple events getting generated in an exponential rate.

Just wondering if you are seeing the message in a pair on every plug event?

i.e. when I plug in my newish USB stick:

Device Class GUID: EEC5AD98-8080-425F-922A-DABF3DE3F69A

Device Class Name: Portable Devices

Device Name: LA-PUBLIC

Device Compatible ID: wpdbusenum\fs

Device Instance ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_LACIE&PROD_IAMAKEY&REV_1.00#000000000xxxxxxx&0#

Device Class GUID: 36FC9E60-C465-11CF-8056-444553540000

Device Class Name: Universal Serial Bus controllers

Device Name: USB Mass Storage Device

Device Compatible ID: USB\CLASS_08&SUBCLASS_06&PROT_50

Device Instance ID: USB\VID_059F&PID_1027\000000000xxxxxxx

Bus Type: USB

Vendor ID: 059F

Product ID: 1027

USB Serial Number: 00000000078C2F6F

USB Class: 08h - Mass Storage

?

0 Kudos
mccracker
Level 7

Re: DLP - Multiple events getting generated in an exponential rate.

This information can be found in device details and I don't have multiple messages for every plug event.

Each event has unique ID and there are about 10 to 11 seconds difference in between them.

It's not user specific either.

0 Kudos
keithdrone
Level 10

Re: DLP - Multiple events getting generated in an exponential rate.

Get a machine for testing, and drill down your reporting on just that machine.

Plug and unplug (send alerts between each, or retrieve them via EPO agent wakeup) things like USB keyboard, USB mouse, etc.

We had something similar just with a USB mouse, because the driver had a 'low power' mode which turned off the mouse (not sure why anyone thought this would EVER be a good idea) and it caused it to generate a 'new' alert each time Windows 'saw' the device again.

Either way, narrowing down to a single machine, verifying what happens and when, and making sure you can control your variables would be a good first step - to take a step backwards and look at a smaller scope.

0 Kudos
mccracker
Level 7

Re: DLP - Multiple events getting generated in an exponential rate.

I ran MER on some exceptionally high event generating systems and found out lots of events were coming from source 'SDDisk2k', which is Winmagic Secure Doc.

Working on it to see why it's causing this issue.

However, thanks Keithdrone for your potential input; I had already thought of that situation before, but it wasn't confirmed.

Cheers.

0 Kudos
bretzeli
Level 11

Re: DLP - Multiple events getting generated in an exponential rate.

Isn't that the 12/8in1 MEDIA Card Reader Block like they use in HP with different media drives? This 3.5" device block itself is connected by USB to the Mainboard.

"USB\CLASS_08&SUBCLASS_06&PROT_50"

0 Kudos
theglot
Level 7

Re: DLP - Multiple events getting generated in an exponential rate.

I am having the same problem. I have 638 pages of the same user on the same host in a 24hr period where every 5 to 6 seconds I get an unplug and plug-in event. Same issue with Zip drives and flash drives on other users. Using DCM and an allow followed by a block rule for CD/DVD, USB HD, and Flash.

0 Kudos
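One way to find the machines and devices showing the pattern described in this thread (a plug/unplug event from the same device every few seconds), as an added example that is not code from any poster or from the DLP product. It assumes the events have been exported to CSV with the hypothetical columns `time`, `host`, `device`, `event`; the host names, device IDs and sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

MOUSE = "USB\\VID_0000&PID_0000\\CONSTRUCTED-MOUSE"  # constructed device ID
STICK = "USB\\VID_0000&PID_0000\\CONSTRUCTED-STICK"  # constructed device ID

def find_flapping(rows, min_events=6, max_gap=15.0, jitter=2.0):
    """Return {(host, device): median gap in seconds} for devices whose
    plug/unplug events recur on a short, regular interval."""
    seen = defaultdict(list)
    for r in rows:
        seen[(r["host"], r["device"])].append(datetime.fromisoformat(r["time"]))
    flagged = {}
    for key, ts in seen.items():
        if len(ts) < min_events:
            continue  # too few events to call it a pattern
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mid = median(gaps)
        steady = sum(abs(g - mid) <= jitter for g in gaps) / len(gaps)
        # A person does not replug on a fixed short cadence; a driver or
        # power-management loop re-enumerating the device does.
        if mid <= max_gap and steady >= 0.8:
            flagged[key] = mid
    return flagged

def scan_export(fileobj):
    """Run the check over a CSV export (assumed column layout, see above)."""
    return find_flapping(csv.DictReader(fileobj))

def constructed_export():
    """Constructed sample: one flapping device, one normally used USB stick."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["time", "host", "device", "event"])
    t0 = t = datetime(2024, 1, 8, 9, 0, 0)
    for i in range(12):  # machine-driven: a new event every 10-11 seconds
        w.writerow([t.isoformat(), "PC-0412", MOUSE, "unplug" if i % 2 else "plug"])
        t += timedelta(seconds=10 + i % 2)
    for m in (0, 47, 48, 190, 191, 400):  # user-driven: irregular gaps
        w.writerow([(t0 + timedelta(minutes=m)).isoformat(), "PC-0007", STICK, "plug"])
    out.seek(0)
    return out

if __name__ == "__main__":
    for (host, dev), gap in scan_export(constructed_export()).items():
        print(f"{host} {dev}: event every ~{gap:.0f}s")
```

The flagged host and device pairs are the candidates for the single-machine test suggested earlier in the thread; `max_gap` and `jitter` need tuning to the interval actually observed.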