Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Sensor: 3.6.0.1897 and Higher
- Microsoft Windows: All Supported Versions
Symptoms
- Local pop-up warnings appear about blocking a USB device
- Policy has "USB Device Blocking" > "Block access to all unapproved USB devices" ticked/enabled on the Prevention tab
- USB Device Blocking does not appear to work (files can be copied to/from the USB device without actually being blocked)
Cause
The policy has a Permissions rule for winlogon.exe:
- Applications at path: C:\Windows\System32\winlogon.exe
- Operation Attempt: Performs any operation
- Action: Bypass
Resolution
- Remove any configured "Performs any operation > Bypass" Permissions rules referencing winlogon.exe (or any other core Windows processes associated with interactive user sessions)
- Reboot the endpoint to clear the Permissions rule from memory
Additional Notes
- The Permissions rule called out above for winlogon.exe grants the same permission to all other processes in the process tree of winlogon.exe
- Permissions rules using "Performs any operation > Bypass" require a system reboot to fully remove the rule from the Sensor
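
The check from the Resolution, as an added example that is not part of the original article or of Carbon Black tooling: it scans a list of Permissions rules for "Performs any operation > Bypass" entries whose path covers winlogon.exe, including wildcard paths. The rule dictionaries, the wildcard semantics, and the two process paths other than winlogon.exe are assumptions made for illustration.

```python
import re

# Assumption: only winlogon.exe is named in the article; the other two paths are
# illustrative picks for "core Windows processes associated with interactive user sessions".
SESSION_PROCESSES = [
    r"C:\Windows\System32\winlogon.exe",
    r"C:\Windows\System32\userinit.exe",
    r"C:\Windows\explorer.exe",
]

def glob_to_regex(pattern):
    """Assumed wildcard semantics: '**' crosses directories, '*' and '?' do not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] in "*?":
            out.append(r"[^\\/]*" if pattern[i] == "*" else r"[^\\/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z", re.IGNORECASE)

def risky_bypass_rules(rules):
    """Return (rule_path, covered_process) for each full-bypass rule covering a session process."""
    findings = []
    for rule in rules:
        if (rule["operation"], rule["action"]) != ("Performs any operation", "Bypass"):
            continue
        rx = glob_to_regex(rule["path"])
        findings.extend((rule["path"], p) for p in SESSION_PROCESSES if rx.match(p))
    return findings

# Constructed sample rules (hypothetical export format using the console's labels)
SAMPLE_RULES = [
    {"path": r"C:\Windows\System32\winlogon.exe", "operation": "Performs any operation", "action": "Bypass"},
    {"path": r"**\winlogon.exe", "operation": "Performs any operation", "action": "Bypass"},
    {"path": r"C:\Windows\*.exe", "operation": "Performs any operation", "action": "Bypass"},
    {"path": r"C:\Program Files\Backup\*.exe", "operation": "Performs any operation", "action": "Bypass"},
    {"path": r"C:\Windows\System32\winlogon.exe", "operation": "Performs any operation", "action": "Allow"},
]

if __name__ == "__main__":
    for rule_path, proc in risky_bypass_rules(SAMPLE_RULES):
        print(f"Remove or narrow bypass rule {rule_path!r}: covers {proc}")
```

Any rule it reports should be removed or narrowed, followed by the reboot described in the Resolution.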