Video Screencast Help

Application can't open file on read-only USB drive

Created: 08 Feb 2013 | 22 comments

Hi colleagues,

Can you please support me in resolving the following issue with SEP12:

When Application and Device Control policy makes USB drive read-only, Excel can't open files stored on USB drive.

 

I use following Application and Device Control policy:

It is copy of default Application and Device Control policy with enabled controls "Make all removable drives read-only [AC3]" and "Block writing to USB drives [AC4]"

 

Excel shows error "Microsoft Excel can't open or recover book because it is corrupted" when opening .xlsx file located on USB drive.

If this file is copied to local drive, it can be successfully opened.

 

Log of local SEP12 client, showing that writing is blocked is attached (Control Log Read-only USB drive.xlsx).

 

Same functions work fine in SEP11.

 

What must be done to make USB drive read-only and make files on it accessible by applications like MS Excel?

 

Thanks,

Maksim

Comments 22 CommentsJump to latest comment

_Brian's picture

This is caused because when Excel opens it tries to create a temp file in the same location. This is usually used for auto save and things of that nature. In the Application policy, you can exclude the EXCEL.exe process in the exclusion section.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Maksim Danilin's picture

1. I'm just wondering why SEP11 worked fine with the same policies and SEP12 can't.

2. I've tested: if you exclude temp files (name begins with ~$) from this policy, Excel still doesn't work because it attempts to open original file for writing.

3. If I exclude EXCEL.exe from this policy, this will not be read-only policy anymore, Excel will be able to write files to USB drive.

SebastianZ's picture

In both mentioned rules: "Make all removable drives read-only [AC3]" and "Block writing to USB drives [AC4]" if you edit them do you have "Read Attempt" set to "Continue processing other rules" or to "Allow Access"? - you will find it under Actions in the rule itself.

 

 

Maksim Danilin's picture

I have tried both of them, result is the same.

Now it is "Continue processing other rules".

Ambesh_444's picture

Yes, If You are facing problem reagarding excel, You should exclude the excel.exe from Application policy on SEPM.

 

Thank& Regards,

Ambesh

"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."

Vikram Kumar-SAV to SEP's picture

The problem is just with xlsx or with xls aswell.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Maksim Danilin's picture

Result is the same - Excel can't open file.

But error message is different - "No access to file "Test2.txt". File may be corrupted, placed on server, that stoped responding, or is accessible for read only". And buttons are "Repeat" and "Cancel".

_Brian's picture

And this is the exact same policy you used in 11.x?

Overall, I can see why this is blocking Excel since it is trying to write to the USB, it just won't be allowed. I'm just wondering what changed in 12.1, assuming your policy hasn't been modified.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Maksim Danilin's picture

No, this is policy created from default preinstalled policy from Symantec. In 11 I did the same: created policy from default by enabling 2 rules.

I have tried to export policy from 11 and import it in 12, result was the same (Excel can't open file).

In log of SEP11 there are the same records: writing attempt must be blocked, but in fact it isn't. So with SEP11 Excel can open files on read-only USB drive.

_Brian's picture

I just tested using the policy and it works fine for me. Excel does create a ~$filename temp file and that action is blocked (per my log) however the actual Excel file does open fine.

Now with that being said, what version of 12.1 are you running? I'm running the latest, 12.1.2. I would recommend moving to 12.1.2 as a first step.

The fix notes for 12.1.2 contain multiple fixes related to the application and device control btu I'm not sure which would apply to your issue:

https://www.symantec.com/business/support/index?pa...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Maksim Danilin's picture

I'm using SEPM version 12.1.2015.2015 (in SEPM console Admin -> Servers -> SEPM -> Version) and SEP client version as on screenshot below:

What is the version of your SEPM server and SEP client?

_Brian's picture

I'm on the same version as you. So far working as expected.

I've attached the policy I'm using so you can compare to yours

 

 

AttachmentSize
Application and Device Control policy.zip 18.4 KB

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Maksim Danilin's picture

I have imported your policy and it looks like:

So in your policy writing to USB drive is not blocked.

I've attached my policy, can you please try it?

What OS are you using? I'm running Windows 7 32bit.

AttachmentSize
Copy (2) of Application and Device Control policy.zip 16.41 KB
_Brian's picture

Sorry, I changed it right before I exported and attached. Even with "Block writing to USB drives" enabled, mine is still working fine.

With yours, my Excel file opens as expected although the ~$ temp file is still being blocked. Which is what I would expect. Bascially, I cannot write to and from...it is blocked with your policy

Is there anything special about this Excel file? Macros or anything.

What if you just try a simple Excel file with one line of text in it?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Maksim Danilin's picture

No, there is nothing special, it is ordinary file with 5 lines of text, I have attached it.

What OS do you use?

AttachmentSize
SYM test.xlsx 8.75 KB
_Brian's picture

I'm on 32bit XP. Let me test this file, I'll reply in the next 10 minutes.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

_Brian's picture

Yep, no problems here. Still acting as expected. I don't have a win7 32bit box to test on but I do have a win7 64bit box, that I can try on.

I'm wondering if this is a bug...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Maksim Danilin's picture

If it is possible, can you please try on Windows 7 64bit and attach Control Log from SEP client?

_Brian's picture

Just tested on win7 64bit and it is working as expected, although the ~$text.xlsx file is still no being created.

Attached is my control log

 

AttachmentSize
test.zip 497 bytes

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.