6 Replies Latest reply: Jul 29, 2014 11:12 AM by mccracker

    DLP - Multiple events getting generated at an exponential rate.

    mccracker

      Endpoint product: Data Loss Prevention 9.3.200.23

      ePO Server: 4.8

      Client OS: Windows 7

      Total Clients: ~5000

      Problem:

      Events are getting generated at an exponential rate even when not all the clients are running.

      The eventIDs are not duplicates; they are all individual events.

      One client (system) is assigned per user; it is not the case that multiple users are using one system.

      It seems like every 10-11 seconds an event is getting created.

      The Mode is "Monitor".

      I thought at first that it's working as intended, but when we are getting events (simply plug/unplug) every 10-11 secs from one computer (for example), it does not seem usual.

      Is there anything in particular I should check in the Rules?

      Fairly new to this field, any thoughts will be much appreciated, and pardon any confusion.

      Thanks.

        • 1. Re: DLP - Multiple events getting generated at an exponential rate.
          bphang

          What events are you getting?

          • 2. Re: DLP - Multiple events getting generated at an exponential rate.
            mccracker

            The events are "plug/unplug" events.

            When a user plugs in a USB device, an event is generated.

            Also when a device is unplugged.

            Which is fine, because that's how it should behave, but what's unusual is why these events are created so many times with unique eventIDs when the user is not plugging or unplugging that many times in reality.

            Thanks.

            • 3. Re: DLP - Multiple events getting generated at an exponential rate.
              bphang

              Just wondering if you are seeing the messages in pairs on every plug event?

              i.e. when I plug in my newish USB stick:

              Device Class GUID: EEC5AD98-8080-425F-922A-DABF3DE3F69A
              Device Class Name: Portable Devices
              Device Name: LA-PUBLIC
              Device Compatible ID: wpdbusenum\fs
              Device Instance ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_LACIE&PROD_I AMAKEY&REV_1.00#000000000xxxxxxx&0#

              Device Class GUID: 36FC9E60-C465-11CF-8056-444553540000
              Device Class Name: Universal Serial Bus controllers
              Device Name: USB Mass Storage Device
              Device Compatible ID: USB\CLASS_08&SUBCLASS_06&PROT_50
              Device Instance ID: USB\VID_059F&PID_1027\000000000xxxxxxx
              Bus Type: USB
              Vendor ID: 059F
              Product ID: 1027
              USB Serial Number: 00000000078C2F6F
              USB Class: 08h - Mass Storage

              ?

              • 4. Re: DLP - Multiple events getting generated at an exponential rate.
                mccracker

                This information can be found in the device details, and I don't have multiple messages for every plug event.

                Each event has a unique ID and there is about a 10 to 11 second difference between them.

                It's not user specific either.

                • 5. Re: DLP - Multiple events getting generated at an exponential rate.
                  keithdrone

                  Get a machine for testing, and drill down your reporting to just that machine.

                  Plug and unplug (send alerts between each, or retrieve them via ePO agent wakeup) things like a USB keyboard, USB mouse, etc.

                  We had something similar just with a USB mouse, because the driver had a 'low power' mode which turned off the mouse (not sure why anyone thought this would EVER be a good idea), and it caused it to generate a 'new' alert each time Windows 'saw' the device again.

                  Either way, narrowing down to a single machine, verifying what happens and when, and making sure you can control your variables would be a good first step - take a step backwards and look at a smaller scope.

                  • 6. Re: DLP - Multiple events getting generated at an exponential rate.
                    mccracker

                    I ran MER on some exceptionally high event generating systems and found out that lots of events were coming from source 'SDDisk2k', which is WinMagic SecureDoc.

                    Working on it to see why it's causing this issue.

                    However, thanks Keithdrone for your potential input; I had already thought of that situation before but it wasn't confirmed.

                    Cheers.
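A per-machine check in the spirit of keithdrone's advice, as an added example that is not part of the thread: group events by host, measure the gaps between consecutive events, and flag hosts whose events arrive at a near-constant cadence like the 10-11 seconds described above, reporting which device and source they come from. The event fields (`host`, `device`, `source`) and all sample records are constructed for illustration and do not reflect McAfee DLP's real export format.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median, pstdev

# Constructed sample events (not McAfee DLP's real export format). "source" is
# assumed to be the driver/process the event was attributed to, as in the MER
# finding in this thread. WS-0042 re-enumerates one device every ~10-11 s;
# WS-0007 shows three genuine plug/unplug pairs spread over hours.
BASE = datetime(2014, 7, 29, 9, 0, 0)

def _ev(eid, secs, host, action, device, source):
    return {"event_id": eid, "time": BASE + timedelta(seconds=secs), "host": host,
            "action": action, "device": device, "source": source}

FLAPPING_DEV = "USB\\VID_0000&PID_0000\\CONSTRUCTED"   # placeholder instance ID
EVENTS = [_ev(1000 + i, 10 * i + (i % 2), "WS-0042",
              "Plug" if i % 2 == 0 else "Unplug", FLAPPING_DEV, "SDDisk2k")
          for i in range(12)]
EVENTS += [_ev(2000 + i, secs, "WS-0007", act, "USB\\VID_059F&PID_1027\\EXAMPLE", "other")
           for i, (secs, act) in enumerate([(300, "Plug"), (302, "Unplug"), (3902, "Plug"),
                                            (3903, "Unplug"), (11103, "Plug"), (11106, "Unplug")])]

def periodic_hosts(events, min_events=6, max_cv=0.25):
    """Return {host: (median_gap_s, event_count, top_device, top_source)} for hosts
    whose inter-event gaps are near-constant (coefficient of variation <= max_cv).
    Genuine user plug/unplug activity is bursty and falls well outside that band."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    flagged = {}
    for host, evs in by_host.items():
        if len(evs) < min_events:
            continue
        evs.sort(key=lambda e: e["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(evs, evs[1:])]
        med = median(gaps)
        if med == 0:
            continue  # identical timestamps are duplicates, not a cadence
        if pstdev(gaps) / med <= max_cv:
            top_dev = Counter(e["device"] for e in evs).most_common(1)[0][0]
            top_src = Counter(e["source"] for e in evs).most_common(1)[0][0]
            flagged[host] = (med, len(evs), top_dev, top_src)
    return flagged

if __name__ == "__main__":
    for host, (gap, n, dev, src) in periodic_hosts(EVENTS).items():
        print(f"{host}: {n} events every ~{gap:.0f}s from {src} ({dev})")
```

Once a host is flagged, the reported source and device instance ID are the two values to compare against the offending driver on that machine, which is what the MER run in the last post did by hand.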