
Assigned App & Device control policy to block USB drives -- multiple computers began crashing & rebooting repeatedly!

Updated: 21 May 2010 | 3 comments
Gai-jin

I had a policy assigned to a test group that was set to block all 'Disk Drives' with an exception for Imation brand thumb drives. Everything was going smoothly with the small test group, so I assigned it to the main workstations group. Within minutes, we started getting calls about computers rebooting over and over.

Looking into it, as soon as the SEP client started up, the computer crashed: no errors, the screen just went black, and the computer began booting up again. As soon as we realized this was related to the policy change (and affecting multiple computers) I withdrew the policy, but I ended up having to boot 8 computers to safe mode and disable the Symantec services and app to get the PC to boot into normal mode all the way.

I don't know what went wrong with the process, but this is definitely something that I need to track down the cause of so I can avoid it in the future!

Comments

Jason1222 | 08 Oct 2009

Gai-jin

By disallowing all "disk drives"...
When the system boots up it disables the PHYSICAL HDD in the machine. IDE and/or SATA.
You might want to change that policy to disallow all "Storage Devices", and then include the exception for your USB thumb drives that you choose.

Note: if you disable all "storage volumes", anything storage connected via Ethernet/Fiber/etc. will also cease to function, because Windows uses a generic ID for all those devices...

Gai-jin | 08 Oct 2009

Jason -- I understand what you're saying, but if that's correct, then there is a drastic flaw in the how-to that I followed to set up the policy!

From Here: http://service1.symantec.com/support/ent-security....

Add Disk Drives and the Hardware Device to allow to the Devices Excluded From Blocking list:
1. In the SEPM, Under View Policies, select Application and Device Control
2. Right click your Application and Device Control Policy and select Edit.
3. Select the Device Control view.
4. Under the Blocked Devices section, click Add, select Disk Drives and click OK. (If Disk Drives isn't listed, it is already added as a Blocked Device).
5. Under Devices Excluded From Blocking, click Add.
6. Select the device you added in the previous section and click OK.
7. Click OK to the Application and Device Control policy window. SEP clients in Client Groups that currently have this policy assigned will get the changed policy from the SEPM.

On top of that, the policy was applied to a test group of 5 computers yesterday and this morning, and none of these had any issues. I don't know if 100% of the computers that received the policy all had the issue, since I withdrew it and reapplied the old policy as soon as I found out. I expected that more than 8 computers would have gotten the update in that time, but it's possible that only those 8 did.

Gai-jin | 08 Oct 2009

I just reassigned the same policy back to one of our IT computers that was in the original test group, and once again it worked as expected. Can anyone from Symantec confirm whether the expected behavior from blocking Disk Drives is as Jason described it or not?

I did see on one of the systems after a reboot Windows described the issue as having momentarily lost communication with the hard drive, so that would support Jason's description, but if that's the case, why is it working differently on different machines?

If not, what caused Symantec to crash the system on load?
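
The class-versus-device question raised in this thread can be checked before a rollout. The following is an added example, not part of any poster's reply and not Symantec's code: it takes a device inventory, a list of blocked device classes and a list of excluded device-ID patterns, and reports which fixed disks a class-wide rule would cover. The inventory entries are constructed, and the matching model (block by class GUID, exclude by wildcard device ID) is a simplifying assumption rather than the SEP client's actual logic.

```python
from fnmatch import fnmatchcase

# Windows device setup class GUIDs: "Disk drives" and "Network adapters".
DISK_DRIVE_CLASS = "{4d36e967-e325-11ce-bfc1-08002be10318}"
NET_CLASS = "{4d36e972-e325-11ce-bfc1-08002be10318}"

# Constructed inventory of (class GUID, device instance ID) pairs.
# Internal and USB disks share the same "Disk drives" setup class.
INVENTORY = [
    (DISK_DRIVE_CLASS, r"IDE\DISKST3250310AS_________3.AAC\5&1A2B3C4D&0&0.0.0"),
    (DISK_DRIVE_CLASS, r"USBSTOR\DISK&VEN_IMATION&PROD_NANO_PRO&REV_PMAP\07B20C03&0"),
    (DISK_DRIVE_CLASS, r"USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\1A2B3C4D&0"),
    (NET_CLASS, r"PCI\VEN_8086&DEV_10EA\3&11583659&0&C8"),
]


def evaluate(inventory, blocked_classes, excluded_patterns):
    """Map each device ID to 'not covered', 'excluded' or 'blocked'.

    Assumed model: a device is covered when its class GUID is blocked,
    and spared when its ID matches any exclusion wildcard.
    """
    blocked = {c.lower() for c in blocked_classes}
    verdicts = {}
    for class_guid, device_id in inventory:
        if class_guid.lower() not in blocked:
            verdicts[device_id] = "not covered"
        elif any(fnmatchcase(device_id.upper(), p.upper())
                 for p in excluded_patterns):
            verdicts[device_id] = "excluded"
        else:
            verdicts[device_id] = "blocked"
    return verdicts


def fixed_disks_at_risk(inventory, blocked_classes, excluded_patterns):
    """Blocked devices not enumerated by USBSTOR: review before rollout."""
    verdicts = evaluate(inventory, blocked_classes, excluded_patterns)
    return [dev for dev, v in verdicts.items()
            if v == "blocked" and not dev.upper().startswith("USBSTOR\\")]


if __name__ == "__main__":
    # Policy from the thread: block Disk Drives, exclude Imation thumb drives.
    policy = ([DISK_DRIVE_CLASS], [r"USBSTOR\DISK&VEN_IMATION*"])
    for dev, verdict in evaluate(INVENTORY, *policy).items():
        print(f"{verdict:12} {dev}")
    print("Fixed disks covered by the rule:", fixed_disks_at_risk(INVENTORY, *policy))
```

Run against a real export of class GUIDs and device instance IDs from the target group, an empty result from `fixed_disks_at_risk` is what to look for before moving a policy from the test group to production.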