Explanation about false keylogger alerts

Version 2

    Details

    All versions of Lumension Endpoint Security Device Control (LES DC) products

    DETAILS

    Sometimes USB keyboards (e.g. Dell and HP keyboards, or USB switches) are detected as USB key loggers on some USB ports, but not on another USB port of the same PC.

    CAUSE OF THIS ISSUE

    This is not a bug, but the keylogger subsystem working as designed:

    •   The keyboard was originally plugged into USB port A (for example) when the LES DC client was installed, and information about the associated USB hub was written to the registry.
    •   The USB keylogger detection system checks the USB hub ID for this keyboard every 5 seconds and compares it with the one stored in the registry.
    •   If the user unplugs the keyboard and replugs it into a different USB port (say B), the USB hub ID changes, which raises a keylogger alert.

    RESOLUTION

    First, educate end users that they should not plug their USB keyboard into a different USB port.

    If, however, the user wants to change the USB port for his USB keyboard anyway (after moving his PC or re-arranging USB plugs), he must ask the LES DC administrator to temporarily turn off USB keylogger detection.

    • USB keylogger options are set in the LES Management Console. To access them, go to Tools, then Default Options. In the resulting popup window, select the Computer tab and then the USB Key Logger setting.
    • To reset the original USB port registration, please contact Technical Support.
    • The user then moves his USB keyboard to a different USB port. Because detection is switched off, the USB keylogger detection system writes the new USB hub ID into the registry without raising an alert when the ID changes.
    • In theory, 5 seconds suffice to store the new value (the system rechecks the values every 5 seconds by default, but this interval is configurable), so the administrator can then re-enable USB keylogger detection if he wishes to.
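
    The check and the re-registration procedure described above, modelled as an added example (this is not LES DC code). The class name, keyboard ID and hub ID strings are constructed, and keeping the old stored value after an alert is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class HubBaselineMonitor:
    """Tracks the USB hub ID each keyboard was last registered on."""
    detection_enabled: bool = True
    baseline: dict = field(default_factory=dict)  # stands in for the registry
    alerts: list = field(default_factory=list)

    def poll(self, keyboard_id: str, current_hub_id: str) -> bool:
        """One polling cycle (every 5 seconds by default). True means alert."""
        stored = self.baseline.get(keyboard_id)
        if stored is None:
            # First sighting (client installation): record the hub ID.
            self.baseline[keyboard_id] = current_hub_id
            return False
        if stored == current_hub_id:
            return False
        if self.detection_enabled:
            # Hub ID changed while detection is on: alert. Assumption: the
            # stored value is left unchanged, so the alert repeats.
            self.alerts.append((keyboard_id, stored, current_hub_id))
            return True
        # Detection off: store the new hub ID without complaining.
        self.baseline[keyboard_id] = current_hub_id
        return False


def replay(events):
    """Replay (action, value) events; return per-poll alert flags and monitor."""
    mon = HubBaselineMonitor()
    flags = []
    for action, value in events:
        if action == "set_detection":
            mon.detection_enabled = value
        else:
            flags.append(mon.poll("KBD-1", value))
    return flags, mon


# Constructed scenario: port A at install, move to B (alert), then the
# documented procedure: detection off, one poll on B, detection back on.
SCENARIO = [("poll", "HUB-A"), ("poll", "HUB-B"),
            ("set_detection", False), ("poll", "HUB-B"),
            ("set_detection", True), ("poll", "HUB-B"), ("poll", "HUB-A")]

if __name__ == "__main__":
    print(replay(SCENARIO))
```

    The last poll shows that, once port B is registered, moving the keyboard back to port A raises the same alert again.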

    Please also refer to the "Keylogger whitelisting in LES" article, which explains how to implement keylogger whitelisting in LES.