End point product: Data Loss Prevention 126.96.36.199
ePO Server: 4.8
Client OS : Windows 7
Total Client: ~5000
Events are getting generated at an exponential rate even when not all the clients are running.
The eventIDs are not duplicates, they are all individual events.
One client(system) is assigned per user, not like multiple users are using one system.
It seems like in every 10-11 seconds an event is getting created.
The Mode is in "Monitor".
I thought at first that it's working as intended, but when we are getting events (simply plug/unplug) every 10-11 secs from one computer (for example), it does not seem usual.
Is there anything in particular I should check in the Rules?
Fairly new in this field, any thoughts will be much appreciated and pardon any confusions.
The events are "plug/unplug" events.
When a user plugs in a USB device, an event is generated.
Also when a device is unplugged.
Which is fine because that's how it should behave but what's unusual is why these events are created so many times with unique eventIDs when the user is not plugging or unplugging that many times in reality.
Just wondering if you are seeing the message in a pair on every plug event?
i.e. when I plug in my newish USB stick:
Device Class GUID: EEC5AD98-8080-425F-922A-DABF3DE3F69A
Device Class Name: Portable Devices
Device Name: LA-PUBLIC
Device Compatible ID: wpdbusenum\fs
Device Instance ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_LACIE&PROD_IAMAKEY&REV_1.00#000000000xxxxxxx&0#
Device Class GUID: 36FC9E60-C465-11CF-8056-444553540000
Device Class Name: Universal Serial Bus controllers
Device Name: USB Mass Storage Device
Device Compatible ID: USB\CLASS_08&SUBCLASS_06&PROT_50
Device Instance ID: USB\VID_059F&PID_1027\000000000xxxxxxx
Bus Type: USB
Vendor ID: 059F
Product ID: 1027
USB Serial Number: 00000000078C2F6F
USB Class: 08h - Mass Storage
This information can be found in device details and I don't have multiple messages for every plug event.
Each event has unique ID and there are about 10 to 11 seconds difference in between them.
It's not user specific either.
Get a machine for testing, and drill down your reporting on just that machine.
Plug and unplug (send alerts between each, or retrieve them via ePO agent wakeup) things like a USB keyboard, USB mouse, etc.
We had something similar just with a USB mouse, because the driver had a 'low power' mode which turned off the mouse (not sure why anyone thought this would EVER be a good idea) and it caused it to generate a 'new' alert each time Windows 'saw' the device again.
Either way, narrowing down to a single machine and verifying what happens, when, and making sure you can control your variables would be a good first step - to take a step backwards and look at a smaller scope.
I ran MER on some exceptionally high event-generating systems and found out lots of events were coming from source 'SDDisk2k', which is WinMagic SecureDoc.
Working on it to see why it's causing this issue.
However, thanks Keithdrone for your potential input, I already thought of that situation before but wasn't confirmed.
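The two previous posts amount to one procedure: narrow the reporting to a single host, then look at the timing of its plug/unplug events and at which driver or process ("source") is behind them. Below is an added example of that drill-down, not code from the thread or from McAfee; it runs over a small set of constructed event records (the pipe-separated layout, the host names and the process names other than SDDisk2k are assumptions for illustration) and flags any host/device/source combination whose events repeat at a short, nearly constant interval, which is the signature of a driver re-enumerating a device rather than a user physically plugging it in.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of DLP device-control events (not real ePO data).
# Fields: timestamp | host | user | event | device instance ID | source process
SAMPLE_EVENTS = """\
2013-05-06 09:00:00|WS0417|jdoe|Plug|USB\\VID_059F&PID_1027\\00000000078C2F6F|SDDisk2k
2013-05-06 09:00:05|WS0417|jdoe|Unplug|USB\\VID_059F&PID_1027\\00000000078C2F6F|SDDisk2k
2013-05-06 09:00:11|WS0417|jdoe|Plug|USB\\VID_059F&PID_1027\\00000000078C2F6F|SDDisk2k
2013-05-06 09:00:16|WS0417|jdoe|Unplug|USB\\VID_059F&PID_1027\\00000000078C2F6F|SDDisk2k
2013-05-06 09:00:22|WS0417|jdoe|Plug|USB\\VID_059F&PID_1027\\00000000078C2F6F|SDDisk2k
2013-05-06 09:00:27|WS0417|jdoe|Unplug|USB\\VID_059F&PID_1027\\00000000078C2F6F|SDDisk2k
2013-05-06 09:00:03|WS0999|asmith|Plug|USB\\VID_046D&PID_C52B\\5&1a2b3c4d&0&1|hidusb
2013-05-06 12:30:00|WS0999|asmith|Unplug|USB\\VID_046D&PID_C52B\\5&1a2b3c4d&0&1|hidusb
2013-05-06 09:00:00|WS0200|bkim|Plug|USB\\VID_0781&PID_5567\\4C530001234567|usbstor
2013-05-06 09:20:00|WS0200|bkim|Unplug|USB\\VID_0781&PID_5567\\4C530001234567|usbstor
2013-05-06 09:21:00|WS0200|bkim|Plug|USB\\VID_0781&PID_5567\\4C530001234567|usbstor
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_events(text):
    """Parse pipe-separated event lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, kind, device, source = line.split("|")
        events.append({
            "time": datetime.strptime(ts, TS_FORMAT),
            "host": host,
            "user": user,
            "event": kind,
            "device": device,
            "source": source,
        })
    return events


def summarize(events):
    """Group by (host, device, source) and compute inter-event interval stats in seconds."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["host"], ev["device"], ev["source"])].append(ev["time"])
    summary = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[key] = {
            "count": len(times),
            "mean_gap": mean(gaps) if gaps else None,
            "jitter": pstdev(gaps) if len(gaps) > 1 else None,
        }
    return summary


def flag_periodic(summary, min_events=4, max_mean_gap=15.0, max_jitter=2.0):
    """Return keys whose events recur at a short, steady interval.

    A human plugging and unplugging a device does not produce four or more
    events a few seconds apart with almost no variation; a driver flapping
    between power states or a re-enumerating bus does.
    """
    flagged = []
    for key, stats in summary.items():
        if stats["count"] < min_events or stats["jitter"] is None:
            continue
        if stats["mean_gap"] <= max_mean_gap and stats["jitter"] <= max_jitter:
            flagged.append(key)
    return sorted(flagged)


def find_flapping_devices(text, **thresholds):
    """Convenience wrapper: parse, summarize, flag."""
    return flag_periodic(summarize(parse_events(text)), **thresholds)


if __name__ == "__main__":
    for host, device, source in find_flapping_devices(SAMPLE_EVENTS):
        print(f"{host}: {device} re-enumerated by {source}")
```

The thresholds (four events, mean gap under 15 s, jitter under 2 s) are chosen for the 5-11 second cadence described in this thread; widen them if the repetition you see is slower. The point of grouping on the source process as well as the device is exactly what the MER output above showed: once SDDisk2k (or a low-power mouse driver) is the only source behind the flagged keys, the rule set is not the problem and the driver is.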
Isn't that the 12/8in1 MEDIA Card Reader Block like they use in HP with different media drives? This 3.5" device block itself is connected by USB to the Mainboard.
I am having the same problem. I have 638 pages of the same user on the same host in a 24hr period where every 5 to 6 seconds I get an unplug and plug-in event. Same issue with Zip drives and flash drives on other users. Using DCM and allow followed by a block rule for CD/DVD, USB HD, and Flash.