CD/DVD Shadowing:  Method to Bypass Shadowing When Shadowing Can’t Be Performed

Version 1

    Details

    Lumension Endpoint Security (LES) Device Control v4.3 and higher

    When attempting to write raw data (data that cannot be shadowed) to a CD/DVD with shadowing enabled the write will fail. LES will generate the following log entries in the centralized LES logs:

    Type: ERROR
    Other: SWAVE_UNSUPPORTED_CDBURNING


    or

    Type: ERROR
    Other: SWAVE_CDSHADOW_ERROR


    Additionally, the below errors may be seen in the System EventLog:

    Type: Error
    EventID: SWAVE_UNSUPPORTED_CDBURNING
    Description: Unsupported CD/DVD burning mode, burning in process is cancelled.


    or

    Type: Error
    EventID: SWAVE_CDSHADOW_ERROR
    Description: Error during the processing CD/DVD shadow images, burning process is cancelled. CD/DVD drives are in read only mode until reboot.



    CAUSE

    When attempting to write raw data to the device, the file name cannot be determined, and thus the configured shadowing cannot be performed. LES, in this case, completely blocks the write attempt and does not perform any shadowing.

    RESOLUTION

    A new hidden global machine option has been introduced in LES Device Control v4.3. This option allows you the ability to override the Shadowing requirement in the event that it cannot be performed. This override is specific to CD/DVD drives. As this option is hidden, it is not possible to configure it using the LES Management Console. This option can be controlled by using the sxopt.exe tool provided with the installation software, located in bin\tools, to add the appropriate information to the database.

    The syntax for sxopt is as below:

    sxopt <servername> -g 66 -ca (this shows the option status)
    sxopt <servername> -s 66 <opt_value> -ca (this sets the option to opt_value)
    sxopt <servername> -d 66 -ca (this removes/unsets the option)

    The opt_value for this new option can be either 0, 1, 2, or 3:

    0: denies access, behavior is the same as if the option was absent
    1: switches filename shadowing to no shadowing and grants access
    2: switches full shadowing to no shadowing and grant access
    3: switches filename shadowing or full shadowing to no shadowing and grant access

    4: switches on full ISO image shadowing

    The following table illustrates the behavior of setting the above opt_values for both filename and full shadowing:

                                                                                                                   
        Opt Value    Filename Shadowing    Full Shadowing
        0 or No Value    - No shadowing generated
        - Write action is denied
        - No shadowing generated
        - Write action is denied
        1    - No shadowing generated
        - Write action is granted
        - No shadowing generated
        - Write action is denied
        2    - No shadowing generated
        - Write action is denied
        - No shadowing generated
        - Write action is granted
        3    - No shadowing generated
        - Write action is granted
        - No shadowing generated
        - Write action is granted
        4    - Full shadowing generated
        - Write action is granted and shadowed
        - Full shadowing generated
        - Write action is granted and shadowed