Yeah. I know that solutions.

But, well, hacking the ntldr (BlueScreen-by-design) or buying additional third party software (NoSafeMode) are no options for an enterprise company. - If a device has been blocked, it should remain blocked. In any case. Until the administrator unblocks it.

There is less to none host protection if a host boots up in 'windows safe mode' via F8. Users can access USB devices regardless whether access has been granted or not as well as there is no virus protection if they use usb devices at that time.

We now consider changing away from McAfee. Many roads leads to Rome.

Thank you anyway.

Let us know if you find a product that offers this feature. I once had to block SafeMode and used this dirty method.

George

Of course I did. But it ain't that easy. All this setting does is preventing users from stopping a service that does nearly nothing but inform the administrator after(!) the incident when the system is back up in regular mode. Neither usb device rules will be applied nor anti  virus services will be started in case of a safe mode boot. (See: https://community.mcafee.com/thread/31899?tstart=30 too.)

After I had a nice talk with McAfee stuff, I think this behaviour is 'by design'. At least I did a product enhancement request.

@George: We consider buying Lumension Device Control or Cynapspro or something like that.

Hi,

I have had similar discussions with McAfee re Safe Mode and DLP - the information I have is that the Safe Mode enhancement is expected post version 9.2. No indication of when this might be though.

Also, my recent experience of Lumension shows me that their product also does not protect in Safe Mode 😉

Russ

Russ,

this is not correct. Lumension (like many other products) does protect in safe mode. The lumension feature is called 'client hardening' and, as far as I know, it has to be enabled. We tried this in many tests (even with version 4.0.3) - it works. In the new versions you can configure RBAC too, so just named USB administrators are able to handle those services. All settings are copied to the machines so it doesn't make any difference whether you do a 'real' boot or not. O.K., F8 itself won't prevented - its just not the point - but the use of devices.

Quotation: "Sanctuary's Client Hardening feature will protect Sanctuary's clients for a possible tamper even if the user is an administrator." And: "Safe mode boot causes no threat to Sanctuary drivers, which continue to run even when you boot in this mode."

Hint: If a dlp software does have kernel mode drivers you will be on the right way. (Check out and compare i.e. Lumension, Cynapspro, DeviceLock, DriveLock)

Nachricht geändert durch erpede on 10.11.11 13:25:38 MEZ

on 10.11.11 13:26:38 MEZ

Thanks,

Might be an issue in the version we have tested (on the new LEMSS server) which has several 'features' not present in earlier versions - i.e. 4.0.4.

Lumension assure us they are working on them and they will be corrected in futures fixes or service packs.

Russ