Versions / Builds Affected
EndPointSecurity 2012 build 20120104Status
OpenProblem Summary
When accessing a PDF from a USB storage device, both access denied and access allowed events are logged.TT / JIRAID
126How to Identify
- Adobe Reader is installed
- User has full access on USB storage device
- When opening a PDF from a usb storage device, the user has access to it but 2 events are logged:
2012-08-13,14:33:46,372,3,"#00000618","#00000818","info ","DevicesController"," "Audit Failure", "Read only access denied"(2001)"
2012-08-13,14:33:46,372,3,"#00000618","#00000818","info ","DevicesController"," Event data: \\ABTEST\Administrator, CHIPSBNK v2.0.33 USB Device, File Path: D:\kbreport_languard9.pdf , Port_#0001.Hub_#0004, Storage Devices, Volume, USB, 1E3D, 2092, C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe, 2420, , 1179785, "
and
2012-08-13,14:33:46,372,3,"#00000618","#00000818","info ","DevicesController"," "Audit Success", "Read only access allowed"(2000)"
2012-08-13,14:33:46,372,3,"#00000618","#00000818","info ","DevicesController"," Event data: \\ABTEST\Administrator, CHIPSBNK v2.0.33 USB Device, File Path: D:\kbreport_languard9.pdf , Port_#0001.Hub_#0004, Storage Devices, Volume, USB, 1E3D, 2092, C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe, 2492, , 1179785, "Workaround / Fix Details
The only workaround (if the customer is getting false positive alerts on these events) is to create a email rule to delete the emails.
See the public article entitled: Both access allowed and denied events are created when opening a PDFRequired Actions
1. Give the customer the article above
2. Close the case.\